
username

two bytehoard 2.1 bugs

Exploit (1)

Log into bytehoard using a non-privileged user.
Perform any desired actions, then log out.
Click on the "Lost Details" link.
Input the desired username you want to have access to ("admin" to get 
administrator access) and submit the data.
The system will either return an error message or a "mail sent" message.
Ignore the last message and go directly to the index.php page (easily 
obtained by erasing the "?page=passreset" part).
You should have access to the desired account.

Hosting Controller - Multiple Security Bugs (Extremely Critical)

5- [User] can see all the database information by a SQL injection.
6- [User] can change his credit amount or increase his discount.
7- [User] can uninstall others' FrontPage extensions.
8- [User] can delete all of the gateway information.
9- [User] can enable or disable pay type.
10- [User] can see all usernames in the server by "fp2000/NEWSRVR.asp".
11- [User] can find Hosting Controller setup directory.
12- [User] can import unwanted plan or change the plans.
13- [Remote Attacker] can find web site path.
14- [Remote Attacker] can enable or disable all Hosting Controller forums by SQL Injection.
15- [User] can change others' host headers.

Cisco Security Advisory: Default Passwords in the Application Velocity System

 2. Reboot to activate the new settings by using the following command:

        shell# reboot

Changing the Management Console Username and Password
+----------------------------------------------------

Complete these steps:

 1. Open the following file in a text editor:

PR07-31: Unauthenticated SQL Injection, XSS on Login Page and Username Enumeration on DPSnet Case Progress

PR07-31: Unauthenticated SQL Injection, XSS and Username Enumeration on
DPSnet Case Progress

Vulnerabilities Found: 23 May 2007

Vendor Contacted: 10 July 2007, 31 August 2007, 17 September 2007, 12
December 2007

User options changer (SQLi) EXPLOIT --Bigace CMS -stable release- 2.5-->

#
#-------
#NEED:
#-------
#
#**valid username
#
#**real captcha code/img
#
#**maybe PHPSESSID (with securimage captcha plugin)
#

(Post Form var 'username') BLIND SQLi exploit --S-CMS <= v-2.0 Beta3-->

#!/usr/bin/perl
#
#------------------------------------------------------------------------
#(Post Form var 'username') BLIND SQLi exploit --S-CMS <= v-2.0 Beta3-->
#------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://www.matteoiammarrone.com/public/s-cms/
#-->DOWNLOAD: http://www.matteoiammarrone.com/public/s-cms/

Geeklog <=1.5.2 SEC_authenticate()/PHP_AUTH_USER sql injection exploit

    function WS_authenticate()
    {
        global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;

        $uid = '';
        $username = '';
        $password = '';

        $status = -1;

        if (isset($_SERVER['PHP_AUTH_USER'])) {

Wordpress 2.5 Cookie Integrity Protection Vulnerability

 Wordpress 2.5


Overview:

 An attacker, who is able to register a specially crafted username on
 a Wordpress 2.5 installation, is able to generate authentication
 cookies for other chosen accounts.

 This vulnerability exists because it is possible to modify
 authentication cookies without invalidating the cryptographic

CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

   . Use a different web browser to navigate untrusted web sites.

Additionally, although disabling file sharing if it is not necessary and
filtering outbound SMB connections at the endpoint or network perimeter
may not prevent exploitation, it is generally a good security measure to
prevent disclosure of sensitive information such as valid usernames of
endpoint users.

Microsoft has issued a patch to fix the vulnerability and a detailed
description of how to implement the workarounds on IE. It is available
as Security Bulletin http://go.microsoft.com/fwlink/?LinkID=150860.

Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well)

230 User %') and 1=2 union select
1,0x24312452565a583533784324716a304d4d6b4670426b4b486177644264756634392f,uid,gid,homedir,shell
from ftp # logged in

SQL log output:
query "SELECT username, password, uid, gid, homedir, shell FROM ftp
WHERE (username='{UNKNOWN TAG}') and 1=2 union select
1,0x24312452565a583533784324716a304d4d6b4670426b4b486177644264756634392f,uid,gid,homedir,shell
from ftp #') LIMIT 1"

CVE-2009-4509: TANDBERG VCS Authentication Bypass

Routines in these files generate user session cookies in roughly the following
way:

SECRET = SERVER_ADDRESS + STATIC_VALUE
HASH   = md5(USERNAME + SECRET + CLIENT_ADDRESS + CURRENT_TIME)
COOKIE = USERNAME + ACCESS_RIGHTS + CLIENT_ADDRESS + CURRENT_TIME + HASH

In the above pseudocode, the SERVER_ADDRESS represents the VCS system's IP
address, STATIC_VALUE represents a fixed string which is hard-coded into the
application source, USERNAME is the authenticated user name, CLIENT_ADDRESS is

XM Easy Personal FTP Server 'APPE' and 'DELE' Command Remote Denial of Service Vulnerability

Details:
If you can log on to the server successfully, take the following steps and the FTP server will stop responding:

first socket connection:
1.sock.connect((hostname, 21))
2.sock.send("user %s\r\n" %username)
3.sock.send("pass %s\r\n" %passwd)
4.sock.send("PORT 127,0,0,1,122,107\r\n")
5.sock.send("APPE "+ test_string +"\r\n")
6.sock.close()


[RT-SA-2009-004] IceWarp WebMail Server: Client-Side Specification of "Forgot Password" eMail Content

During a penetration test, RedTeam Pentesting discovered that the emails
sent by the IceWarp WebMail Server when using the "Forgot Password"
function are generated on the client side. Furthermore, the server
expands certain keywords in these emails to users' full names, usernames
and passwords. This allows for advanced social engineering attacks and
the potential disclosure of usernames and passwords.

Details
=======

Re: Vim: Netrw: FTP User Name and Password Disclosure

On 12/08/08 23:59, Jan Minář wrote:
> Vim: Netrw: FTP User Name and Password Disclosure
>
> 1. SUMMARY
>
> Product  : Vim -- Vi IMproved
> Versions : Tested with Vim 7.1.266, 7.2, autoload/netrw.vim v131, v109
> Impact   : Credentials disclosure
> Wherefrom: Remote
> Original : http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html

Re: Another SQL injection in ProFTPd with mod_mysql (probably postgres as well)

Hi,

On Tue, 2009-02-10 at 19:49 +0000, gat3way@gat3way.eu wrote:
> Just found out a problem with proftpd's sql authentication. The problem is easily reproducible if you login with username like:
Could you please provide the version number which is affected by this?
Running ProFTPD Version: 1.3.0 (stable) on Linux (Debian etch) I cannot
reproduce your report.

> USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; -- 
> 

PacketTrap Networks pt360 2.0.39 TFTPD Remote DoS Exploit

# Location              :  Indonesia | http://newhack.org
# Description           :
# 
# Bug in the file "user.php" in the "/content" directory
#---//---
# 59. if (!$nama || preg_match("/[^a-zA-Z0-9_-]/", $nama)) $error .= "Karakter Username tidak diizinkan kecuali a-z,A-Z,0-9,-, dan _<br />";
# 60. if (strlen($nama) > 10) $error .= "Username Terlalu Panjang Maksimal 10 Karakter<br />";
# 61. if (strrpos($nama, " ") > 0) $error .= "Username Tidak Boleh Menggunakan Spasi";
# 62. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT user FROM useraura WHERE user='$nama'")) > 0) $error .= "Error: Username ".$nama." sudah terdaftar , silahkan ulangi.<br />";
# 63. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT user FROM temp_useraura WHERE user='$nama'")) > 0) $error .= "Error: Username ".$nama." sudah terdaftar , silahkan ulangi.<br />";
# 64. if ($koneksi_db->sql_numrows($koneksi_db->sql_query("SELECT email FROM useraura WHERE email='$email'")) > 0) $error .= "Error: Email ".$email." sudah terdaftar , silahkan ulangi.<br />";

Minimo .2 and more Firefox 2.0.0.6 Password Manager Vulnerabilities

browser that could collect the user/pass without any interaction or 
visible indication.

Note: The Password Manager bug is often misunderstood in terms of how it works. 
The reason is that there are numerous subtle variations on how the 
username and password show up. The following highlights some of these:

1. If there is only one username stored in the password manager for the 
specific site, it will automatically show up in the username field. If there 
is more than one username stored in the Password Manager, a user would 
normally type in or select the specific username for the site, which 

Re: pam_captcha username harvest vulnerability

>> http://www.semicomplete.com/projects/pam_captcha/
>>
>> A site with a screen shot:
>> http://www.michaelboman.org/how-to/securing-ssh-access-with-pam-captcha
>>
>> I found a security problem with the pam_captcha. If you enter a username
>> that is not a valid user followed by the correct CAPTCHA, you do not get
>> prompted for a password. You simply get prompted for another CAPTCHA.
>> However, if you enter a username that is a valid user followed by the
>> correct CAPTCHA, you will get prompted for a password. This means an
>> attacker, or a script/bot could easily harvest a list of valid usernames

chillyCMS Multiple Vulnerabilities

####################
- Vulnerability:
####################

+--> SQL Injection
        The username, in the login form, is one-parenthesis single-quoted
        injectable. For details check the PoC section.

+--> Reflective XSS
        Whenever login failed, the username will be printed without  

Cisco Security Advisory: Cisco IOS Software Secure Copy Privilege Escalation Vulnerability

if its configuration is similar to the following:

    parser view <view name>
     <Definition of the CLI view>
    !
    username <user ID> view <view name> secret <some secret>
    !
    ip scp server enable

In the above configuration snippet, the parser view command defines a
view that specifies what commands users in that view can execute. The

CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass

-----------/

Cookies are stored in independent text files (one for each domain)
inside the cookies folder (usually located at '\Documents and
settings\USERNAME\Cookies' in all Windows NT based implementations). The
cookie file name is structured in the following manner:

/-----------

USERNAME@full.domain.name[X]

Syhunt: HFS (HTTP File Server) Username Spoofing and Log Forging/Injection Vulnerability

Syhunt: HFS (HTTP File Server) Username Spoofing and Log
Forging/Injection Vulnerability

Advisory-ID: 200801163
Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 1.5g to and including 2.3(Beta Build
#174); and possibly HFS version 1.5f
Non-Affected Applications: HFS 1.5e and earlier versions
Class: Log Forging/Injection, Username Spoofing

Vim: Netrw: FTP User Name and Password Disclosure

Vim: Netrw: FTP User Name and Password Disclosure

1. SUMMARY

Product  : Vim -- Vi IMproved
Versions : Tested with Vim 7.1.266, 7.2, autoload/netrw.vim v131, v109
Impact   : Credentials disclosure
Wherefrom: Remote
Original : http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html


WARNING - CORRECT: BlindBlog 1.3.1 Multiple Vulnerabilities (SQL Inj - Auth Bypass - LFI)

[-] Requisites: magic_quotes_gpc = off
[-] File affected: comment.php

All queries are vulnerable.
This bug allows a guest to view the username and
password of a registered user.

$id = (isset($_GET['id']) && $_GET['id'] !='') ?  $_GET['id'] : getlastid();

       $SQL = "SELECT comment,author,contact,date FROM `cblog_comments`

(Post Form login var 'username') BLIND SQLi exploit--Open Biller 0.1-->

#!/usr/bin/perl
#
#------------------------------------------------------------------------
#(Post Form login var 'username') BLIND SQLi exploit--Open Biller 0.1-->
#------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://sourceforge.net/projects/geekbill/
#-->DOWNLOAD: http://sourceforge.net/projects/geekbill/

SQL Injection in MS Access with backslash escaped input

It's true that injection takes place easily in this case, but leveraging it is not so easy using traditional injection techniques, since an excess backslash corrupts the query structure and causes an error (actually "Syntax error (missing operator) in query expression...").

For example consider this query:

    SELECT * FROM Users WHERE Username = '$user' AND Password = '$pass'

If the attacker enters the usual "a' OR 'a'='a" as username and password, the query would be like the following, which causes syntax error:

    SELECT * FROM Users WHERE Username = 'a\' OR \'a\'=\'a' AND Password = 'a\' OR \'a\'=\'a'


Mobile Rediff Username and Password Disclosure

Advisory Title: Mobile Rediff Username and Password Disclosure
Advisory ID: FSSA-2009-0402
Author: Gursev Kalra (gursev.kalra@foundstone.com)
Application: MobileRediff 1.04 by http://www.rediff.com/ 
Vendor Contact Date: 4/24/2009 (Vendor notified by email)
Release Date: 7/15/2009
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave in same way.
Severity: Medium (Information Disclosure)
Vendor Status: No Response received


Talsoft S.R.L. Security Advisory - WordPress User IDs and User Names Disclosure

-----------------------------------------------------------------------
Talsoft S.R.L. Security Advisory
WordPress User IDs and User Names Disclosure
-----------------------------------------------------------------------

I. Advisory information
Title: WordPress User IDs and User Names Disclosure
Advisory Id: TALSOFT-2011-0526
Advisory URL: http://www.talsoft.com.ar/index.php/research/security-advisories/wordpress-user-id-and-user-name-disclosure
Date published: 2011-05-26

Re: Flaw in Microsoft Windows SAM Processing Allows Continued Administrative Access Using Hidden Regular User Masquerading After Compromise (2010-M$-001)

> > > built-in local administrator account from local or remote connections.
> > > The user will also share the Administrator's desktop and profile. When
> > > inspected by system administrators, the regular user always looks like
> > > it is just part of the built-in user's group. The attacker can also
> > > make the regular user account hard to detect by creating a user with
> > > the username of "ALT-0160", for blank space. Events in the audit log
> > > pertaining to the hidden account will be created if the system
> > > administrator has enabled auditing, but the user name fields are all
> > > blank. Once a system has been compromised, the attacker would need to
> > > ensure the Task Scheduler service is enabled only when starting the
> > > method. This method can be used to masquerade as any user account on

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.