[Full-disclosure] Surgemedia Cms Sql Injection Vulnerability
# Exploit Title: Surgemedia Cms Sql Injection Vulnerability
# Author: Netrondoank Aka netron
# home Page: http://www.ilmuhacker.org
# Forum: http://www.indonesiansecurity.info and http://indotek.or.id
# Vendor or Software Link: http://www.surgemedia.com.au/work/design-projects.aspx
# Version: N/A
# Category: webapps
# Google dork: Powered by ADICD
# Tested on: Linux Back Track 5

# Proof Of Concept [POC]
http://site/project-detail.php?id=[Sqli]
http://site/shop.php?cid=[Sqli]
http://site/product-detail.php?id=[Sqli]
http://site/news_details.php?news_id=[Sqli]
http://site/residential-building-projects.php?cid=[Sqli]

# Greetz To: Allah swt, Freedom For Palestine, Indonesiansecurity.info, 1337day.com, packetstormsecurity.org, Exploit-id.com, securityreason.com, securityfocus.com

Archieve an Resource About Hacking--Ilmuhackerdotorg

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] mbliss Webdesign Sql Injection Vulnerability
# Exploit Title: mbliss Webdesign Sql Injection Vulnerability
# Author: Netrondoank Aka netron
# home Page: http://www.ilmuhacker.org
# Forum: http://www.indonesiansecurity.info and http://indotek.or.id
# Vendor or Software Link: http://mbliss.co.uk/
# Version: N/A
# Category: webapps
# Google dork: Web design by mbliss.co.uk
# Tested on: Linux Back Track 5

# Proof Of Concept [POC]
http://site/product.asp?id=[Sqli]
http://site/about.asp?id=[Sqli]

# Greetz To: Allah swt, Freedom For Palestine, Indonesiansecurity.info, 1337day.com, packetstormsecurity.org, Exploit-id.com, securityreason.com, securityfocus.com

Archieve an Resource About Hacking--Ilmuhackerdotorg
Re: [Full-disclosure] [Security Tool - Video] INSECT Pro 2.6.1 available
Insect Pro - Now with an integrated 1.21 gigawatt Flux Capacitor! If you make a pentest at 88 miles per hour you can go back in time!

On Wed, Aug 3, 2011 at 3:17 AM, root ro...@fibertel.com.ar wrote:

Dude you just released INSECT Pro 2.7 less than a week ago.
I swear to god I'm being serious.

On 08/02/2011 08:48 PM, Juan Sacco wrote:

INSECT Pro 2.6.1 is worldwide available right now
Check the new cool features: http://www.youtube.com/watch?v=EcgPMyjHVbQ

* Run Faster: Because to make a good security testing is not enough
* Load Better: Major graphical interface and optimisation features were implemented
* Module Search: This version includes a new built-in search feature
* Improvements and Changes: Many more optimisations and updates were added
* Lots of bugs were patched

Start here: http://www.insecurityresearch.com

Regards
Juan Sacco
--
Insecurity Research - Security auditing and testing software
Web: http://www.insecurityresearch.com
Insect Pro 2.6.1 was released stay tuned

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] [Security Tool - Video] INSECT Pro 2.6.1 available
Haha

Again, this ridiculous tool comes to our lives :-) , hey i am all for it, but not when ya see 'trial', on a FD list :P~~ just bit 'wrong'.
Anyhow it speaks for itself.. ;

* Run Faster: Because to make a good security testing is not enough
--- Because, obviously the author cannot spell or sensibly merge the words 'security' with 'testing'

* Load Better: Major graphical interface and optimisation features were implemented
--- Because, it obviously, was NOT doing its job, before.

* Module Search: This version includes a new built-in search feature
--- It now uses open source (because obv these guys CANNOT code a Pentesting tool)

* Improvements and Changes: Many more optimisations and updates were added
--- Because, it was not full of enough crap that first pass, now there is some nicer 'new' features which allows others to 'remotely' assist!! YES!

* Lots of bugs were patched
--- Because the code, sucks. Simple, and there will be more, many many more..

OK, so for a paid tool, which needs REG to just look at, and, wares crews are not even bothering to crack this one (yes, i have seen that almost every 'decent' pack is either OPEN src, or cracked online somewhere)... this tool is old, it is called Nessus :) , only, these guys are hiding stuff obv, the fact it is so buggy, after all these so-called 'releases', i'd like to hope anyone who has purchased this rubbish, to consider lobbying for a free/updated exe of this, i would not take less, and +6months of prescribed key, for such a crappy thing it seems to now be, see, they did disclose things, they just did it in a stupid way.

Saint is vuln-scanner also for http, free, small, yet it still beats this rubbish!
I'd also, love to see why it is closed src, they could have disclosed src, they are most probably using some codeproject.com snippet :P~~ ha.
oh well, ppl will try to make money anyhow they can and, putting a shitty closed src app up, is pretty good way to get a lot of people who just need something 'fast', and their target market, would be already wary after so many bugs.
Fix it, make it free, and people might even add on to it and help this crap from becoming, totally useless. I've seen these tools end up on that scrap heap too many times... this is headed straight to it.

xd-- / NOT an Insect pro user but IS a Nessus Beta tester :-) ..

On 3 August 2011 20:42, Mario Vilas mvi...@gmail.com wrote:

Insect Pro - Now with an integrated 1.21 gigawatt Flux Capacitor! If you make a pentest at 88 miles per hour you can go back in time!

On Wed, Aug 3, 2011 at 3:17 AM, root ro...@fibertel.com.ar wrote:

Dude you just released INSECT Pro 2.7 less than a week ago.
I swear to god I'm being serious.

On 08/02/2011 08:48 PM, Juan Sacco wrote:

INSECT Pro 2.6.1 is worldwide available right now
Check the new cool features: http://www.youtube.com/watch?v=EcgPMyjHVbQ

* Run Faster: Because to make a good security testing is not enough
* Load Better: Major graphical interface and optimisation features were implemented
* Module Search: This version includes a new built-in search feature
* Improvements and Changes: Many more optimisations and updates were added
* Lots of bugs were patched

Start here: http://www.insecurityresearch.com

Regards
Juan Sacco
--
Insecurity Research - Security auditing and testing software
Web: http://www.insecurityresearch.com
Insect Pro 2.6.1 was released stay tuned

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
[Full-disclosure] DZYGroup Portal Remote Sql Injection Vulnerability
# Exploit Title: DZYGroup Portal Remote Sql Injection Vulnerability
# Author: Netrondoank Aka netron
# home Page: http://www.ilmuhacker.org
# Forum: http://www.indotek.or.id
# Vendor or Software Link: http://www.dzygroup.com/portfolio.php
# Version: N/A
# Category: webapps
# Google dork: Powered by DZYGroup
# Tested on: Linux Back Track 5

# Proof Of Concept [POC]
http://site/[path]/newsDetail.asp?idNews=[Sqli]
http://site/[path]/articledetail.php?id=[Sqli]
http://site/[path]/prodetail.asp?Lang=ENID_Product=[Sqli]
http://site/[path]/subcategory.asp?Lang=ENID_Category=22ID_SubCategory=[Sqli]
http://site/[path]/newsdetail.php?id=[Sqli]

# Demo
http://www.kasintorn.com/en/newsDetail.asp?idNews=901
http://j-plan-motor.com/web/articledetail.php?id=%277
http://www.dzygroup.com/otherwebsite/sakaeo/EN/prodetail.asp?Lang=ENID_Product=%27224
http://www.starone-marketing.com/en/subcategory.asp?Lang=ENID_Category=22ID_SubCategory=%2771
http://www.aubergine.in.th/en/newsdetail.php?id=27%27

# Greetz To: Allah swt, Freedom For Palestine, Indonesiansecurity.info, 1337day.com, packetstormsecurity.org, Exploit-id.com, securityreason.com, securityfocus.com

Archieve an Resource About Hacking--Ilmuhackerdotorg
[Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x02
Hello everyone and welcome to day two of MOHSEP.

Thank you everyone for your joyous submissions, we appreciate each and every single one. We have spent most of today on the phone with various google lawyers, trying to explain the basic European right to free speech and the basic fact of Herr Esser living up to his tribal stereotype in trying to ruthlessly censor ours.

We would also like to point out that we are not affiliated with blackhats.com nor did we profit from the selling of any tshirts. We merely enjoy irony as much as the next man. As long as he's not german, apparently.

Today's submissions can be found here: http://mohsepblog.blogspot.com/2011/08/tuesday-august-2nd-2011.html

Free topiary!

-Herr E Balls
[Full-disclosure] VBulletin adminCP Cross Site Scripting
*Advisory Information*
Title: vBulletin Cross Site Scripting Vulnerability
Date published: 02-08-2011
Vendors contacted: vBulletin team

*Vulnerability Information*
Class: XSS flaw
Vulnerable page: Admin Login Page (admincp)
Remotely Exploitable: Yes
Locally Exploitable: No

*Vulnerability Description*
vBulletin is a community forum solution for a wide range of users, including industry leading companies. An XSS vulnerability has been discovered that could allow an attacker to carry out an action impersonating a legal user, or to obtain access to a user's account. This flaw allows unauthorized disclosure and modification of information, and it allows disruption of service.

*Vulnerable versions*
4.1.3pl3, 4.1.4pl3, 4.1.5pl1

*Non-vulnerable Packages*
vBulletin prior to 4.1.3

*Vendor Information, Solutions and Workarounds*
vBulletin team has released patches for this flaw and patch is released on 02-08-2011.
https://www.vbulletin.com/forum/showthread.php/385133-vBulletin-4.1.3-4.1.4-and-4.1.5-Security-Patch

*Credits*
This vulnerability was discovered by Muhammad Haroon from Innovative Solutions KSA. OWASP Chapter Lead of Pakistan.
haroon [at] live [dot] it

*Proof of Concept Code*
This is a Cross Site Scripting (XSS) vulnerability within vBulletin community forum solution. In order to exploit this flaw following vector would be used.
http://www.example.com/forums/admincp/?;scriptalert('Xss_found_By_M.Haroon')/script

*Report Timeline*
30-07-2011: Notifies the vBulletin team about the vulnerability.
31-07-2011: vBulletin Team ask for technical description about the flaw
31-07-2011: Technical Details sent to vbulletin team
02-08-2011: vBulletin notifies that a fix has been produced and is available to the users on 2nd August 2011
03-08-2011: Vulnerability publicly disclosed.
Re: [Full-disclosure] Why Block Mail-archive.com?
On Sat, 23 Jul 2011 03:12:56 +0300 Sabahattin Gucukoglu m...@sabahattin-gucukoglu.com wrote:

What have mail-archive.com done to you that you must block them in DNS, by setting up an empty authority zone for it?

There is plenty of material on mail-archive.com that is offensive to various interests in Turkey. Google any issue considered contentious in Turkey with site:mail-archive.com and you'll find plenty of content.

http://www.mail-archive.com/pnews-l@yahoogroups.com/msg00205.html
http://www.mail-archive.com/proletar@yahoogroups.com/msg23515.html
http://www.mail-archive.com/osint@yahoogroups.com/msg74437.html
http://www.mail-archive.com/osint@yahoogroups.com/msg70438.html

You may even approve of the block by the time you're done :)

...

Yes, using another DNS server works, only it turns out there's no UI on the iPhone to change the DNS servers used while on 3G. Bloody thing.

That's Apple of late - no user serviceable parts inside, and warranty void if the sticky bit is removed.

~tr
Re: [Full-disclosure] Telstra Thomson router - news item for CSO.com.au
Hello to those who responded,

My MAIN concern with this was the actual reporting of it, and since i am actually a BP customer, it puts me in an awfully compromising position at the moment, as i do not want to end up stuffed up, for disclosing what should have been done maybe a month ago.. albeit, the bug was only found the day i did post it.

At the moment, it seems all the gateways on Bigpond are affected... and all the models tested, so far allow this, leading me to not even test any older models.. It is a bug, it must be fixed... PLEASE read on... it is important.

i do not know how else to say this but, PLEASE, patch this up, it is not really any good to people without some knowledge of at least how a router forwards traffic and manages your internet. For this reason, as i stated earlier In the PoC code. I was genuinely worried about disclosing this, but i had to, because I'd rather be on this side of the fence than sitting in the middle not knowing HOW to go about reporting.

I have reported at least 10 bugs on various things, even one freebsd kernel patch is through me, however, those are well structured security teams who DONT arrest the person who finds the bugs, rather they are rewarded for at the last disclosure.

As you well know, this could be nasty in the right hands, but at the same time, I would like to urge telstra to take the Lead and setup a REAL security team/forum/rules-for-disclosure. I urge CSO/technicolor, to help me do this. The second you have this for me, I would be very happy in future to use those protocols.

Please do not point the finger but rather, thank me and thank Talon, for both of us, would never had been disclosed if not for it being discussed first (in chatrooms etc as you well know)... the day it was disclosed was the day it was found. there is NO connections between my channel/chatroom, and any idiots who go around stealing.

You have still MUCH time to patch, please try to get this done.
Considering that the gateway will add a @bigpond.com to your host, well it is rather huge incentive for scammers, to use legitimate systems, to compromise more.

*TechniColor, is another huge company, again, i am glad the replies were made regarding this, and i dont submit anything to www.exploit-db.com rubbish sites.*

I would be happy to work with Telstra anytime at NO fee just to secure my own systems. I hope i have cleared a bit of why i went about things as i have... i do not want to become another 'cecil', get my drift? If i see PROPER protocols in place for people who disclose, i would use them. In the case of technicolor, I am just glad they are now able to get themselves patched, and again, would be happy to help.

FOR Telstra/Bigpond and Iprimus (yes you're also affected i believe);

When i login to my email @home base ISP, i do not see 'security' in the page, clearly. Not last i looked, and this is of course very much normal, it's time things changed. Maybe it is time that there is some hard-coded (manner of speech), rules and protocol for this type of problems. Rather than sniffing routers and sneaking around, you will only find the people who have 0 skills all sending you emails hoping to score a winner... specially after what has happened with cecil. I hope there is a much more visible security section and ebook/pdf which confirms things in 'paper'.

This is why Australia is still one of the biggest targets, and will remain so, unless ISP's start to SPEAK with people, rather than arrest them. In the case of cecil, I have NO pity, he was NO skilled loser, and will always be one. For those who are not though, I think almost every telstra user now at moment, is probably too scared to even do anything online regarding money or even perform some simple scanning/testing, this is thanks to the press coverage of one idiotic kid/truckie or whatever he thinks he was, and i see this just in 'chats', and worse, other countries are now poking our systems.
*This is wrong.*

ISP/Companies here in AU, MUST start to setup visible, thorough line and method for those who DO wish to assist and in my case and another, we both use Bigpond and i'd hate to be compromised thru a gateway service.

I hope this comes loud and clear, to ALL ISP within Australia, and hopefully we can get things up-to-date like many countries have done now which has led to MUCH better disclosure rates, and no arrests because the skilled people will shine through but those who are pathetic will not. Hence you would not get anything bad from this, to setup effective disclosure policy, is security, and should be treated as if it were on and offline, not just online being some cesspit where people are only NOW starting to catch up in AU, thanks to idiots, who do not disclose things like this.

I can handle maybe a local kernel exploit, and sure, i'd even use to test my systems, you do not see those guys going to jail etc... instead, they get paid. This is why most of the world except au, is behind and has been since 1991 thx to a lie from
[Full-disclosure] LAME HACKER OF THE MONTH: OMKAR BELKHEDE
A 30 year old married guy, working in FLAIR TECHNOLOGIES PVT LTD, PUNE ( http://in.linkedin.com/pub/omkar-belkhede/b/23a/37b) is busy all day resetting passwords of other girls. http://www.facebook.com/people/Omkar-Belkhede/11794692629 http://www.facebook.com/people/Omkar-Belkhede/1583768678 HAVE A LOOK.. CHEERS!! ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] APOLOGIES FOR MISTAKEN IDENTITY: OMKAR BELKHEDE
The content of the previous email is not true. It was posted by mistake from this account. I do not know this person and it was just a case of mistaken identity.

OMKAR BELKHEDE, FLAIR TECHNOLOGIES PVT LTD, PUNE
http://in.linkedin.com/pub/omkar-belkhede/b/23a/37b
http://www.facebook.com/people/Omkar-Belkhede/11794692629
http://www.facebook.com/people/Omkar-Belkhede/1583768678
[Full-disclosure] Hacked data on open sale ?
Hello List,

I stumbled upon a site selling the below services in January this year, it was in the news then and many (including me) blogged, tweeted about it.

Hacking a military website $150 USD
Hacking an Government website $99 USD
Hacking Educational website $66 USD
Hacking Online game website $55 USD
Hacking forums, shopping carts $55 USD
Immunity's CANVAS reliable exploit development framework LATEST VERSION! 2011! $66 USD
Undetected Private Java Driveby Exploit $150 Source code and $30 for binary
Fresh shopadmin/forums, USA, UK, AU, DE, Valid Email lists $10 per 1mb
PHP mailers %100 inbox $5 USD per 1
Selling Edu/Gov database contain Firstnames, Lastnames, Email, Country, Address, Phone, Fax details $20 per 1k
Selling fresh Emails for spam from Edu's websites and shop websites
SQL Injection attacker bot (srb0tv2.0)

Thought it'll go down in a day or so. However, today after nearly 7 months saw the same news in imperva blog, checked the site and found that it's not only still up and running but even updating frequently!

Apart from selling the services above, this guy also discloses SQL injection vulnerabilities in major websites including banks, universities, large corporations and Government organizations.

Check out the details here: http://esploit.blogspot.com/2011/08/open-sale-hacked-data-sqli.html

Regards,
Satyamhax
http://esploit.blogspot.com
[Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x03
Hello everyone and welcome to the glorious day three of MOHSEP.

We have another three splendid photoshops for you today so please visit our blog and have a chuckle!

The link is: http://mohsepblog.blogspot.com/2011/08/wednesday-august-3rd-2011.html (guaranteed free of spyware (maybe), guaranteed chock full of lulz (definitely)).

Until tomorrow!

-Herr E Balls
[Full-disclosure] Multiple vulnerabilities in Register Plus for WordPress
Hello list!

I want to warn you about multiple Cross-Site Scripting vulnerabilities in plugin Register Plus for WordPress.

Affected products:

Vulnerable are versions of plugin Register Plus 3.5.1 and previous versions.

Details:

XSS (persistent) (WASC-08):

At turned on options Enable Invitation Code(s) and Enable Invitation Tracking Dashboard Widget and set code scriptalert(document.cookie)/script in example of Invitation Code at plugin options page (http://site/wp-admin/options-general.php?page=register-plus), the code will execute at visiting of Dashboard page (http://site/wp-admin/index.php). The persistent XSS vulnerability itself exists in dash_widget.php.

There are many persistent XSS vulnerabilities in plugin options (http://site/wp-admin/options-general.php?page=register-plus) in fields: Enable Password Strength Meter (Short, Bad, Good, Strong) Grace Period, Invitation Code, Disclaimer Title, Disclaimer Content, Agreement Text, License Title, License Content, Agreement Text, Privacy Policy Title, Privacy Policy Content, Agreement Text, Required Field Style Rules, Custom Field, Extra Options, Date Format, First Selectable Date, Default Year, Customize User Notification Email (From Email, From Name, Subject, User Message, Login Redirect URL), Customize Admin Notification Email (From Email, From Name, Subject, Admin Message), Custom Register CSS, Custom Login CSS.

The code will execute at plugin options page and/or at registration page (http://site/wp-login.php?action=register). At that at plugin options page the protection against CSRF is used, so it needs to use reflected XSS for bypassing it and conducting of persistent XSS attack.

Timeline:

2011.04.16 - announced at my site.
2011.04.18 - informed developer.
2011.08.03 - disclosed at my site.

Taking into account, that this plugin is no more supported by developer, then users of the plugin need to fix these holes by themselves.

I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/5086/).

Best wishes regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
[Full-disclosure] new anon tool
have you heard much about the #RefRef tool? What so unique and hasn't been done or tried before?

--
been great, thanks
Re: [Full-disclosure] [Security Tool - Video] INSECT Pro 2.6.1 available
On Tue, 02 Aug 2011 22:17:58 -0300, root said:

Dude you just released INSECT Pro 2.7 less than a week ago.
I swear to god I'm being serious.

It's not unusual for commercial products with customers that demand product stability to release version 3.5 or whatever, then release 3.6, and after that release 3.5.1, 3.5.2, yadda yadda with just bugfixes so sites can get patched without having to make the 3.5-3.6 jump.

The Linux kernel does this all the time - there were several 2.6.37.N releases after 2.6.38 came out, and several 2.6.38.N after 2.6.39. And 2.6.35 isn't dead yet. ;)
Re: [Full-disclosure] new anon tool
nothing.

On Wed, Aug 3, 2011 at 5:08 PM, RandallM randa...@fidmail.com wrote:

have you heard much about the #RefRef tool? What so unique and hasn't been done or tried before?

--
been great, thanks

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehnop=indexfingerprint=on
http://pastebin.com/f6fd606da
Re: [Full-disclosure] new anon tool
hello,

- nothing, is about the best explanation for this rubbish i have seen, and, I have at least 4 other tools which can at least be modified, exploits added, and anything would b free ofc... why would i want to waste on something, which could even contain, a backdoor.

I know if someone backdoors a BIn on fdlist, would be VERY funny! well.. not funny but, interesting to see how it would be handled.

Anyhow, the tool is rubbish, even wireshark is kinda, better in capture, tcpdump, so many, but ofc, I am a betas tester for nessus or nessus-X, so, why even bother, when this is not updated by 'sigs' like an auto-update feature, and, the code is NOT disclosed... why is this guy even allowed to do these... This is for OPEN src tools i was led to believe, and so far, this is ONLY one which is just 'out-of-place'.

I hope that this insect, gets a nice spray of Mortein!

xd-- @ #HAXNET@EF
--
10001000100000 +1 = omg i just found oprah winfrey!

On 4 August 2011 11:57, T Biehn tbi...@gmail.com wrote:

nothing.

On Wed, Aug 3, 2011 at 5:08 PM, RandallM randa...@fidmail.com wrote:

have you heard much about the #RefRef tool? What so unique and hasn't been done or tried before?

--
been great, thanks

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehnop=indexfingerprint=on
http://pastebin.com/f6fd606da