Archive for 11 Şubat 2013

IRIS Citations Management Tool (post auth) Remote Command Execution

IRIS Citations Management Tool (post auth) Uzaktan komut çalıştırma açığı bulunmuş olup aşağıdaki url den exploit dosyasını indirip test edebilirsiniz.

Here is a bug that I finally found time to write about 🙂

https://infosecabsurdity.wordpress.com/2013/02/09/iris-citations-management-tool-post-auth-remote-command-execution/

The attached contains my mini framework, exploit and screenshot.

Cheers!

~ aeon

# I Read It Somewhere (IRIS) <= v1.3 (post auth) Remote Command Execution # download: http://ireaditsomewhere.googlecode.com # Notes: # - Found this in my archive, duno how long this has been 0Day for... but I had no use for it obviously. # - Yes! ..the code is disgusting, but does the job # - Sorry if I ripped your code, it worked for me and I dont reinvent wheels so thank you! # ~ aeon (https://infosecabsurdity.wordpress.com/) # # Exploit requirements: # ~~~~~~~~~~~~~~~~~~~~~ # # - A valid account as at least a user # - The target to have outgoing internet connectivity Exploit: http://www.exploit-db.com/sploits/24480.tar.gz [/sourcecode]

IP.Gallery 4.2.x and 5.0.x Persistent XSS Vulnerability

IP.Gallery 4.2.x and 5.0.x Persistent XSS Açığı bulunmuş olup, açığın olupum yeri ve açık hakkında açıklamalar şu şekildedir;

# Exploit Title: IP.Gallery 4.2.x and 5.0.x persistent XSS vulnerability

# Date: 8/2/2013

# Exploit Author: Mohamed Ramadan


# Vendor Homepage: http://www.invisionpower.com/

# Software Link: http://www.invisionpower.com/apps/gallery/

# Version: IP.Gallery 4.2.x and 5.0.x


image title is vulnerable to persistent XSS vulnerability which allow any
normal member to hack any administrator account or any other member account.

we contacted the vendor and reported this issue to them and they fixed it
and released this patch:

http://community.invisionpower.com/topic/379028-ipgallery-42x-and-50x-security-update/


Here is a video demonstrating the attack in action :


https://docs.google.com/file/d/0B_cpjifQmPbZMmxVcEdqU3A1aU0/edit?usp=sharing


and here is another video demonstrating how to bypass httponly cookies :


https://docs.google.com/file/d/0B_cpjifQmPbZemFsbFJDRnVkVTA/edit?usp=sharing


 

TP-LINK Admin Panel Multiple CSRF Vulnerabilities

TP-LINK Admin Panel Multiple CSRF Açığı bulunmuş olup, açığın kullanımı ve açık hakkında açıklamalar şu şekildedir;

Advisory Name: Multiple Cross Site Request Forgery vulnerabilities in
TP-LINK Admin Panel

Internal Cybsec Advisory Id: 2013-0208-Multiple CSRF vulnerabilities in
TP-LINK

Vulnerability Class: Cross Site Request Forgery (CSRF)

Release Date: 02/08/2013

Affected Applications: Firmware v3.13.6 Build 110923 Rel.53137n; other
versions may also be affected.

Affected Platforms: WR2543ND or any running the vulnerable firmware.

Local / Remote:  Remote

Severity: Medium � CVSS: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Researcher: Juan Manuel Garcia

Vendor Status: Acknowedged / Unpatched

Release Mode: User released

Reference to Vulnerability Disclosure Policy:
http://www.cybsec.com/vulnerability_policy.pdf

Vulnerability Description:

Multiple Cross Site Request Forgery vulnerabilities were found in TP-LINK
Admin Panel, because the application allows authorized users to perform
certain actions via HTTP requests without making proper validity checks to
verify the source of the requests. This can be exploited to perform
certain actions with administrative privileges if a logged-in user visits
a malicious web site.

Proof of Concepts:

1)	New Storage Sharing and FTP Server user:
http://server/userRpm/NasUserAdvRpm.htm?nas_admin_pwd=hacker&nas_admin_confirm_pwd=hacker&nas_admin_authority=1&nas_admin_ftp=1&Modify=1&Save=Save

2)	Disable the Router&#39;s Stateful Inspection Firewall:
http://server/userRpm/BasicSecurityRpm.htm?stat=983040&Save=Save

Impact:

An affected user may unintentionally execute actions written by an
attacker. In addition, an attacker may change router settings or gain
unauthorized access
Vendor Response:

2012-10-10 � Vulnerability is identified.
2012-10-11 � Vendor is contacted.
2012-10-12 � Vulnerability details are sent to vendor.
2012-10-17 � Vendor confirms vulnerability and states �This vulnerability
has been escalated to our RD engineer but under current web server
framework it is hard to fix. Our engineer team will modify the web server
framework to fix this. Currently it is under process but will take time�.
2012-10-25 � Cybsec asks the vendor for the planned publication date for
the update.
2012-10-26 � Vendor states �I have no detailed schedule yet�.
2012-12-12 � Cybsec asks if there are any news regarding the solution of
reported vulnerabilities.
2012-12-12 � Vendor states �The fix of this reported vulnerability is not
included in the last firmware upgrade because the web server framework
change is still under development�.
2013-02-01 � Cybsec tells the Vendor that the security advisory will be
published on Wednesday February 6.
2013-02-08 � Having received no reply from TP-Link, vulnerability is
released.

Contact Information:

For more information regarding the vulnerability feel free to contact the
researcher at
jmgarcia  <at>  cybsec  <dot>  com

About CYBSEC S.A. Security Systems

Since 1996, CYBSEC is engaged exclusively in rendering professional
services specialized in Information Security. Their area of services
covers Latin America, Spain and over 250 customers are a proof of their
professional life.

To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is
associated with other software and/or hardware provider companies.

Our services are strictly focused on Information Security, protecting our
clients from emerging security threats, maintaining their IT deployments
available, safe, and reliable.

Beyond professional services, CYBSEC is continuously researching new
defense and attack techniques and contributing with the security community
with high quality information exchange.

For more information, please visit www.cybsec.com
(c) 2010 - CYBSEC S.A. Security Systems

Coyote cms_site Sql injection Vulnerability

Coyote cms_site Sql injection Vulnerability

Sql injection on cms website 


he we Goo !! 


Google Dork : 'inurl:cms.php?id="

Demo site:
http://www.fedaso.com/FR/cms.php?id=33
http://www.chateaudeseneffe.be/FR/cms.php?id=8
http://www.matchandplay.eu/cms.php?id=1


# Special Greetz : Mr.Benladen & X-Line & Azar36.Exe & Biksoft & xMjahd & KhalidMoro

WordPress p1m media manager plugin SQL Injection Vulnerability

WordPress p1m media manager plugin SQL Injection açığı ve açık bulucunun açık hakkındaki değerlentirmeleri şu kekildedir;

================================================================================
____ _    _    ____ _  _    ____ _  _ ___  ____ ____ 
|__| |    |    |__| |__|    |__| |_/  |__] |__| |__/ 
|  | |___ |___ |  | |  |    |  | | \_ |__] |  | |  \ 
                                                     
================================================================================
####
# Exploit Title: WordPress p1m media manager plugin SQL Injection Vulnerability
# Author: KinG Of PiraTeS
# Facebook Profile: www.fb.me/cr4ck3d
# Facebeook Page : www.fb.me/serial.crack
# Facebeook Page : www.fb.me/Cars2Luxe
# E-mail: t5r@hotmail.com / cr4ck3d@offdr5cax.dz
# Web Site : www.1337day.com | www.inj3ct0rs.com 
# Category:: webapps
# Google Dork: inurl:"/wp-content/plugins/p1m-media-manager/"
# platform : php
# Vendor: NA
# Version: x.x.x
# Security Risk : High
# Tested on: [Windows 7 Edition Intégrale 64bit ]
####


##
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3   |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h |
# | * ------>  KinG Of PiraTeS * The g0bl!n <-------- * | 
# | ------------------------------------------------- < |
###

# 
1)Introduction
2)Vulnerability Description
3)Exploit

>> ----------------------------------------------------------------
1)Introduction
==============
2)Vulnerability Description
===========================

U can inject SQL query/command as an input possibly via web pages. Many web pages take parameters from web user, and make SQL query to the database. 
Take for instance when a user login, web page that user name and password and make SQL query to the database to check if a user has valid name and password. 
With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else.

3)Exploit
=========/{Path}/wp-content/plugins/p1m-media-manager/player.php?id=-208


[~] P0c [~] :
============

Vuln file in :

http://Localhost/{Path}/wp-content/plugins/p1m-media-manager/player.php  <<-----|

[~] D3m0 [~] :
=============/wp-content/plugins/p1m-media-manager/player.php?id=295[Inj3ct Here]
http://www.greatdividecalvary.com/wp-content/plugins/p1m-media-manager/player.php?id=208[Inj3ct Here]
.
.

####

Peace From Algeria

####
=================================**Algerians Hackers**===============================================
# Greets To : 
   KedAns-Dz & Caddy-Dz & kalashinkov3 **All Algerians Hackers** , Kondamne ,  errajol ettayeb
   (exploit-id.com) , (1337day.com) , (Sec4ever.com) , (h4ckforu.com) , (alboraaq.com)
   All My Friendz: Hanixpo , Caddy-Dz , Indoushka , Jago-dz ,saoucha , BriscO-Dz
   Over-X , Kha&miX ,Ev!LsCr!pT_Dz , T0xic ,TrOon , Tn_Scorpion , ..others ?___?
=====================================================================================================