Below you will find a collection of files relevant to some of the research that I have conducted. I do not provide support for any of these files, and they are provided as-is for educational purposes only. Use at your own risk.

phpBB2 "highlight" Remote Code Execution (Metasploit)

This is a new and improved version of the Metasploit PHPXMLRPC module contained within the Metasploit Framework. This version has been cleaned up a bit, and now uses the ARCH_PHP platform type so that PHP payloads can be used.

# - Added ARCH_PHP compatibility
# - Cleaned up and commented code in order to help aid future development.
# - Added "check" method
# - Replaced "phpinfo()" test, as many hosts block requests
#   that contain the string "phpinfo()"
# - Changed the payload delivery to POST, as any overly long
#   GET requests can cause requests to exceed server limits

PHPXMLRPC Remote Code Execution (Metasploit)

This is a new and improved version of the Metasploit PHPXMLRPC module contained within the Metasploit Framework. This version has been cleaned up a bit, and now uses the ARCH_PHP platform type so that PHP payloads can be used.

# - Added ARCH_PHP compatibility
# - Cleaned up and commented code in order to help aid future development.
# - Added original advisory reference
# - One small line change to comply with msftidy

vBulletin 4 <= 4.1.2 SQL Injection exploit (Metasploit)

vBulletin versions 4 <= 4.1.2 are vulnerable to a pre-authentication SQL injection issue that an attacker can use to extract user credentials, potentially gaining administrative access and, from there, remote PHP code execution. This Metasploit module attempts a BENCHMARK()-based blind SQL injection attack in order to extract user credentials.

Joomla 1.6.0 SQL Injection -> PHP Code Execution (Metasploit)

A vulnerability discovered by Aung Khant allows for exploitable SQL injection attacks against a Joomla 1.6.0 install. This exploit attempts to leverage the SQL injection to extract admin credentials, and then uses those credentials to execute arbitrary PHP code against the target. The vulnerability is due to a validation issue in /components/com_content/models/category.php, which erroneously uses the "string" type when filtering the user-supplied input. The issue was fixed by checking the user-supplied order data against a whitelist of allowed order types, and also by escaping the input.

NINGA: A Social Network Worm

After finding a simple cross-site scripting bug within the popular NING network, I was able to use the cross-site scripting vulnerability to create a proof-of-concept NING worm/malware using their application framework. This issue was reported to NING and has since been fixed, but it highlights the risk of improper CSRF protection within popular application frameworks.

Eventum SQL Injection Exploit

A simple proof-of-concept SQL injection exploit that I created for the MySQL Eventum SQL injection vulnerability that I discovered. The exploit attempts to enumerate a targeted password hash one character at a time using the MID() function.

Pligg Remote Code Execution Exploit

Proof-of-concept remote PHP code execution exploit for Pligg <= 9.9.0. The exploit attempts to leverage an SQL injection vulnerability in order to obtain the admin password hash, and then logs in with the extracted hash. Once access has been gained to the administrative interface, PHP code execution is possible via uploading a specially crafted template file.

WordPress Remote Code Execution Exploit

An exploit that I created for a vulnerability that I discovered in the WordPress XMLRPC interface. The exploit first uses single-character enumeration to extract the admin password, and then uses the extracted credentials to gain access to the administrative interface. Once access has been gained to the administrative interface, PHP code execution is possible by installing a malicious plugin file.

Simple Machines Forum SQL Injection Exploit

This is a very simple, straightforward SQL injection exploit that I created for an SQL injection vulnerability that I discovered within Simple Machines Forum. The exploit requires a valid account, and the ability to edit your own posts, in order to work properly.